commit
61d688b08e
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
|
@ -1,7 +1,7 @@
|
|||
annotations:
|
||||
artifacthub.io/changes: |
|
||||
- kind: added
|
||||
description: Add new bitbucket cloud SSH key to configs.ssh.knownHosts
|
||||
- kind: fixed
|
||||
description: Allow to disable containerSecurityContext
|
||||
artifacthub.io/signKey: |
|
||||
fingerprint: 2B8F22F57260EFA67BE1C5824B11F800CD9D2252
|
||||
url: https://argoproj.github.io/argo-helm/pgp_keys.asc
|
||||
|
@ -32,4 +32,4 @@ name: argo-cd
|
|||
sources:
|
||||
- https://github.com/argoproj/argo-helm/tree/main/charts/argo-cd
|
||||
- https://github.com/argoproj/argo-cd
|
||||
version: 5.34.1
|
||||
version: 5.34.4
|
||||
|
|
|
@ -255,8 +255,10 @@ spec:
|
|||
failureThreshold: {{ .Values.controller.readinessProbe.failureThreshold }}
|
||||
resources:
|
||||
{{- toYaml .Values.controller.resources | nindent 10 }}
|
||||
{{- with .Values.controller.containerSecurityContext }}
|
||||
securityContext:
|
||||
{{- toYaml .Values.controller.containerSecurityContext | nindent 10 }}
|
||||
{{- toYaml . | nindent 10 }}
|
||||
{{- end }}
|
||||
workingDir: /home/argocd
|
||||
volumeMounts:
|
||||
{{- with .Values.controller.volumeMounts }}
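Review bot: With the new `with` guard around `securityContext:`, an empty or null `controller.containerSecurityContext` renders the container with no container-level security context at all, so its hardening then depends entirely on the pod-level context and on cluster admission policy. That matches the changelog entry ("Allow to disable containerSecurityContext"), but the consequence should be stated at the guard, for example `{{- /* empty containerSecurityContext removes all container-level hardening; pod securityContext and admission policy must cover it */}}`, and repeated next to the value in values.yaml (not visible here). The same guard is added in the applicationSet, notifications, repoServer, server, server extensions, dex (both containers), redis and redis exporter sections below, so the comment applies there too. The container spec starts and ends outside this hunk.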
|
||||
|
|
|
@ -182,8 +182,10 @@ spec:
|
|||
{{- end }}
|
||||
resources:
|
||||
{{- toYaml .Values.applicationSet.resources | nindent 12 }}
|
||||
{{- with .Values.applicationSet.containerSecurityContext }}
|
||||
securityContext:
|
||||
{{- toYaml .Values.applicationSet.containerSecurityContext | nindent 12 }}
|
||||
{{- toYaml . | nindent 12 }}
|
||||
{{- end }}
|
||||
volumeMounts:
|
||||
{{- with .Values.applicationSet.extraVolumeMounts }}
|
||||
{{- toYaml . | nindent 12 }}
|
||||
|
|
|
@ -80,8 +80,10 @@ spec:
|
|||
protocol: TCP
|
||||
resources:
|
||||
{{- toYaml .Values.notifications.resources | nindent 12 }}
|
||||
{{- with .Values.notifications.containerSecurityContext }}
|
||||
securityContext:
|
||||
{{- toYaml .Values.notifications.containerSecurityContext | nindent 12 }}
|
||||
{{- toYaml . | nindent 12 }}
|
||||
{{- end }}
|
||||
workingDir: /app
|
||||
volumeMounts:
|
||||
- name: tls-certs
|
||||
|
|
|
@ -273,8 +273,10 @@ spec:
|
|||
failureThreshold: {{ .Values.repoServer.readinessProbe.failureThreshold }}
|
||||
resources:
|
||||
{{- toYaml .Values.repoServer.resources | nindent 10 }}
|
||||
{{- with .Values.repoServer.containerSecurityContext }}
|
||||
securityContext:
|
||||
{{- toYaml .Values.repoServer.containerSecurityContext | nindent 10 }}
|
||||
{{- toYaml . | nindent 10 }}
|
||||
{{- end }}
|
||||
{{- with .Values.repoServer.lifecycle }}
|
||||
lifecycle:
|
||||
{{- toYaml . | nindent 10 }}
|
||||
|
|
|
@ -334,8 +334,10 @@ spec:
|
|||
failureThreshold: {{ .Values.server.readinessProbe.failureThreshold }}
|
||||
resources:
|
||||
{{- toYaml .Values.server.resources | nindent 10 }}
|
||||
{{- with .Values.server.containerSecurityContext }}
|
||||
securityContext:
|
||||
{{- toYaml .Values.server.containerSecurityContext | nindent 10 }}
|
||||
{{- toYaml . | nindent 10 }}
|
||||
{{- end }}
|
||||
{{- with .Values.server.lifecycle }}
|
||||
lifecycle:
|
||||
{{- toYaml . | nindent 10 }}
|
||||
|
@ -346,8 +348,10 @@ spec:
|
|||
imagePullPolicy: {{ .Values.server.extensions.image.imagePullPolicy }}
|
||||
resources:
|
||||
{{- toYaml .Values.server.extensions.resources | nindent 10 }}
|
||||
{{- with .Values.server.extensions.containerSecurityContext }}
|
||||
securityContext:
|
||||
{{- toYaml .Values.server.extensions.containerSecurityContext | nindent 10 }}
|
||||
{{- toYaml . | nindent 10 }}
|
||||
{{- end }}
|
||||
volumeMounts:
|
||||
- name: extensions
|
||||
mountPath: /tmp/extensions/
|
||||
|
|
|
@ -23,7 +23,9 @@ rules:
|
|||
- argoproj.io
|
||||
resources:
|
||||
- applications
|
||||
{{- if .Values.applicationSet.enabled }}
|
||||
- applicationsets
|
||||
{{- end }}
|
||||
- appprojects
|
||||
{{- if .Values.server.extensions.enabled }}
|
||||
- argocdextensions
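Review bot: The conditional `applicationsets` entry is appended to an existing rule, so it inherits whatever verbs that rule already grants on `applications` and `appprojects`. The `verbs:` list and the start of the rule are outside the hunk, so it cannot be confirmed here that those verbs are what ApplicationSet access needs. If the list includes write verbs, a separate rule for `applicationsets` under the same `applicationSet.enabled` guard would keep the grant narrower. At minimum a comment above the conditional, e.g. `# applicationsets share this rule's verbs`, would make the coupling visible.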
|
||||
|
|
|
@ -117,8 +117,10 @@ spec:
|
|||
{{- end }}
|
||||
resources:
|
||||
{{- toYaml .Values.dex.resources | nindent 10 }}
|
||||
{{- with .Values.dex.containerSecurityContext }}
|
||||
securityContext:
|
||||
{{- toYaml .Values.dex.containerSecurityContext | nindent 10 }}
|
||||
{{- toYaml . | nindent 10 }}
|
||||
{{- end }}
|
||||
volumeMounts:
|
||||
{{- with .Values.dex.volumeMounts }}
|
||||
{{- toYaml . | nindent 8 }}
|
||||
|
@ -136,7 +138,7 @@ spec:
|
|||
- name: copyutil
|
||||
image: {{ default .Values.global.image.repository .Values.dex.initImage.repository }}:{{ default (include "argo-cd.defaultTag" .) .Values.dex.initImage.tag }}
|
||||
imagePullPolicy: {{ default .Values.global.image.imagePullPolicy .Values.dex.initImage.imagePullPolicy }}
|
||||
args:
|
||||
command:
|
||||
- /bin/cp
|
||||
- -n
|
||||
- /usr/local/bin/argocd
|
||||
|
@ -148,8 +150,10 @@ spec:
|
|||
name: dexconfig
|
||||
resources:
|
||||
{{- toYaml .Values.dex.resources | nindent 10 }}
|
||||
{{- with .Values.dex.containerSecurityContext }}
|
||||
securityContext:
|
||||
{{- toYaml .Values.dex.containerSecurityContext | nindent 10 }}
|
||||
{{- toYaml . | nindent 10 }}
|
||||
{{- end }}
|
||||
{{- with .Values.dex.initContainers }}
|
||||
{{- tpl (toYaml .) $ | nindent 6 }}
|
||||
{{- end }}
|
||||
|
|
|
@ -75,8 +75,10 @@ spec:
|
|||
protocol: TCP
|
||||
resources:
|
||||
{{- toYaml .Values.redis.resources | nindent 10 }}
|
||||
{{- with .Values.redis.containerSecurityContext }}
|
||||
securityContext:
|
||||
{{- toYaml .Values.redis.containerSecurityContext | nindent 10 }}
|
||||
{{- toYaml . | nindent 10 }}
|
||||
{{- end }}
|
||||
{{- with .Values.redis.volumeMounts }}
|
||||
volumeMounts:
|
||||
{{- toYaml . | nindent 10 }}
|
||||
|
@ -99,8 +101,10 @@ spec:
|
|||
protocol: TCP
|
||||
resources:
|
||||
{{- toYaml .Values.redis.exporter.resources | nindent 10 }}
|
||||
{{- with .Values.redis.exporter.containerSecurityContext }}
|
||||
securityContext:
|
||||
{{- toYaml .Values.redis.exporter.containerSecurityContext | nindent 10 }}
|
||||
{{- toYaml . | nindent 10 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- with .Values.redis.extraContainers }}
|
||||
{{- tpl (toYaml .) $ | nindent 6 }}
|
||||
|
|
|
@ -31,4 +31,4 @@ maintainers:
|
|||
name: postgresql
|
||||
sources:
|
||||
- https://github.com/bitnami/charts/tree/main/bitnami/postgresql
|
||||
version: 12.5.3
|
||||
version: 12.5.5
|
||||
|
|
|
@ -98,7 +98,7 @@ kubectl delete pvc -l release=my-release
|
|||
| ---------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------- |
|
||||
| `image.registry` | PostgreSQL image registry | `docker.io` |
|
||||
| `image.repository` | PostgreSQL image repository | `bitnami/postgresql` |
|
||||
| `image.tag` | PostgreSQL image tag (immutable tags are recommended) | `15.3.0-debian-11-r3` |
|
||||
| `image.tag` | PostgreSQL image tag (immutable tags are recommended) | `15.3.0-debian-11-r4` |
|
||||
| `image.digest` | PostgreSQL image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
|
||||
| `image.pullPolicy` | PostgreSQL image pull policy | `IfNotPresent` |
|
||||
| `image.pullSecrets` | Specify image pull secrets | `[]` |
|
||||
|
|
|
@ -218,7 +218,7 @@ spec:
|
|||
{{- if .Values.auth.enablePostgresUser }}
|
||||
{{- if .Values.auth.usePasswordFiles }}
|
||||
- name: POSTGRES_POSTGRES_PASSWORD_FILE
|
||||
value: "/opt/bitnami/postgresql/secrets/postgres-password"
|
||||
value: {{ printf "/opt/bitnami/postgresql/secrets/%s" (include "postgresql.adminPasswordKey" .) }}
|
||||
{{- else }}
|
||||
- name: POSTGRES_POSTGRES_PASSWORD
|
||||
valueFrom:
|
||||
|
@ -230,7 +230,7 @@ spec:
|
|||
{{- end }}
|
||||
{{- if .Values.auth.usePasswordFiles }}
|
||||
- name: POSTGRES_PASSWORD_FILE
|
||||
value: {{ printf "/opt/bitnami/postgresql/secrets/%s" (ternary "password" "postgres-password" (and (not (empty $customUser)) (ne $customUser "postgres"))) }}
|
||||
value: {{ printf "/opt/bitnami/postgresql/secrets/%s" (include "postgresql.userPasswordKey" .) }}
|
||||
{{- else }}
|
||||
- name: POSTGRES_PASSWORD
|
||||
valueFrom:
|
||||
|
@ -250,7 +250,7 @@ spec:
|
|||
value: {{ .Values.auth.replicationUsername | quote }}
|
||||
{{- if .Values.auth.usePasswordFiles }}
|
||||
- name: POSTGRES_REPLICATION_PASSWORD_FILE
|
||||
value: "/opt/bitnami/postgresql/secrets/replication-password"
|
||||
value: {{ printf "/opt/bitnami/postgresql/secrets/%s" (include "postgresql.replicationPasswordKey" .) }}
|
||||
{{- else }}
|
||||
- name: POSTGRES_REPLICATION_PASSWORD
|
||||
valueFrom:
|
||||
|
@ -498,7 +498,7 @@ spec:
|
|||
value: {{ printf "127.0.0.1:%d/%s?sslmode=disable" (int (include "postgresql.service.port" .)) $database }}
|
||||
{{- if .Values.auth.usePasswordFiles }}
|
||||
- name: DATA_SOURCE_PASS_FILE
|
||||
value: {{ printf "/opt/bitnami/postgresql/secrets/%s" (ternary "password" "postgres-password" (and (not (empty $customUser)) (ne $customUser "postgres"))) }}
|
||||
value: {{ printf "/opt/bitnami/postgresql/secrets/%s" (include "postgresql.userPasswordKey" .) }}
|
||||
{{- else }}
|
||||
- name: DATA_SOURCE_PASS
|
||||
valueFrom:
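Review bot: The helper-based `value:` lines (printed second in each pair, presumably the new side) render an unquoted scalar, whereas the literal paths they replace for `POSTGRES_POSTGRES_PASSWORD_FILE` and `POSTGRES_REPLICATION_PASSWORD_FILE` were double-quoted. The definitions of `postgresql.adminPasswordKey`, `postgresql.userPasswordKey` and `postgresql.replicationPasswordKey` are not visible here; if they can return a user-configured secret key, a value containing `: ` or ` #` would break or truncate the rendered manifest. Piping through `quote`, as the `replicationUsername` line in this file already does, avoids that: `value: {{ printf "/opt/bitnami/postgresql/secrets/%s" (include "postgresql.adminPasswordKey" .) | quote }}`. This applies to all four changed values in this section (including `DATA_SOURCE_PASS_FILE`) and to the four in the next file section. It is also worth confirming that the secret volume is projected under the same key names, since the env var now follows the helper instead of a fixed file name.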
|
||||
|
|
|
@ -213,7 +213,7 @@ spec:
|
|||
{{- if and (not (empty $customUser)) (ne $customUser "postgres") .Values.auth.enablePostgresUser }}
|
||||
{{- if .Values.auth.usePasswordFiles }}
|
||||
- name: POSTGRES_POSTGRES_PASSWORD_FILE
|
||||
value: "/opt/bitnami/postgresql/secrets/postgres-password"
|
||||
value: {{ printf "/opt/bitnami/postgresql/secrets/%s" (include "postgresql.adminPasswordKey" .) }}
|
||||
{{- else }}
|
||||
- name: POSTGRES_POSTGRES_PASSWORD
|
||||
valueFrom:
|
||||
|
@ -224,7 +224,7 @@ spec:
|
|||
{{- end }}
|
||||
{{- if .Values.auth.usePasswordFiles }}
|
||||
- name: POSTGRES_PASSWORD_FILE
|
||||
value: {{ printf "/opt/bitnami/postgresql/secrets/%s" (ternary "password" "postgres-password" (and (not (empty $customUser)) (ne $customUser "postgres"))) }}
|
||||
value: {{ printf "/opt/bitnami/postgresql/secrets/%s" (include "postgresql.userPasswordKey" .) }}
|
||||
{{- else }}
|
||||
- name: POSTGRES_PASSWORD
|
||||
valueFrom:
|
||||
|
@ -239,7 +239,7 @@ spec:
|
|||
value: {{ .Values.auth.replicationUsername | quote }}
|
||||
{{- if .Values.auth.usePasswordFiles }}
|
||||
- name: POSTGRES_REPLICATION_PASSWORD_FILE
|
||||
value: "/opt/bitnami/postgresql/secrets/replication-password"
|
||||
value: {{ printf "/opt/bitnami/postgresql/secrets/%s" (include "postgresql.replicationPasswordKey" .) }}
|
||||
{{- else }}
|
||||
- name: POSTGRES_REPLICATION_PASSWORD
|
||||
valueFrom:
|
||||
|
@ -409,7 +409,7 @@ spec:
|
|||
value: {{ printf "127.0.0.1:%d/%s?sslmode=disable" (int (include "postgresql.service.port" .)) $database }}
|
||||
{{- if .Values.auth.usePasswordFiles }}
|
||||
- name: DATA_SOURCE_PASS_FILE
|
||||
value: {{ printf "/opt/bitnami/postgresql/secrets/%s" (ternary "password" "postgres-password" (and (not (empty $customUser)) (ne $customUser "postgres"))) }}
|
||||
value: {{ printf "/opt/bitnami/postgresql/secrets/%s" (include "postgresql.userPasswordKey" .) }}
|
||||
{{- else }}
|
||||
- name: DATA_SOURCE_PASS
|
||||
valueFrom:
|
||||
|
|
|
@ -95,7 +95,7 @@ diagnosticMode:
|
|||
image:
|
||||
registry: docker.io
|
||||
repository: bitnami/postgresql
|
||||
tag: 15.3.0-debian-11-r3
|
||||
tag: 15.3.0-debian-11-r4
|
||||
digest: ""
|
||||
## Specify a imagePullPolicy
|
||||
## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
|
||||
|
|
|
@ -1,12 +1,12 @@
|
|||
dependencies:
|
||||
- name: memcached
|
||||
repository: oci://registry-1.docker.io/bitnamicharts
|
||||
version: 6.5.1
|
||||
version: 6.5.2
|
||||
- name: mariadb
|
||||
repository: oci://registry-1.docker.io/bitnamicharts
|
||||
version: 12.2.3
|
||||
version: 12.2.4
|
||||
- name: common
|
||||
repository: oci://registry-1.docker.io/bitnamicharts
|
||||
version: 2.4.0
|
||||
digest: sha256:f91611db01189c8aa9d44ef11478df1f5b9dd47289936ddfad8dbf50f29f9d08
|
||||
generated: "2023-05-21T17:08:37.275529069Z"
|
||||
digest: sha256:4be6e447ef427ae68dd94decc3295e3a1d1415a2bb9f455f2a3ff4ea33a4a101
|
||||
generated: "2023-05-23T08:42:16.375569322Z"
|
||||
|
|
|
@ -40,4 +40,4 @@ maintainers:
|
|||
name: wordpress
|
||||
sources:
|
||||
- https://github.com/bitnami/charts/tree/main/bitnami/wordpress
|
||||
version: 16.1.6
|
||||
version: 16.1.8
|
||||
|
|
|
@ -80,7 +80,7 @@ The command removes all the Kubernetes components associated with the chart and
|
|||
| ------------------- | --------------------------------------------------------------------------------------------------------- | -------------------- |
|
||||
| `image.registry` | WordPress image registry | `docker.io` |
|
||||
| `image.repository` | WordPress image repository | `bitnami/wordpress` |
|
||||
| `image.tag` | WordPress image tag (immutable tags are recommended) | `6.2.2-debian-11-r0` |
|
||||
| `image.tag` | WordPress image tag (immutable tags are recommended) | `6.2.2-debian-11-r2` |
|
||||
| `image.digest` | WordPress image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
|
||||
| `image.pullPolicy` | WordPress image pull policy | `IfNotPresent` |
|
||||
| `image.pullSecrets` | WordPress image pull secrets | `[]` |
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
dependencies:
|
||||
- name: common
|
||||
repository: oci://registry-1.docker.io/bitnamicharts
|
||||
version: 2.2.5
|
||||
digest: sha256:318f438acfeaced11d9060877d615caf1985417d2865810defaa886d3496f8d3
|
||||
generated: "2023-05-03T08:30:13.051138201Z"
|
||||
version: 2.4.0
|
||||
digest: sha256:8c1a5dc923412d11d4d841420494b499cb707305c8b9f87f45ea1a8bf3172cb3
|
||||
generated: "2023-05-21T18:46:17.326179513Z"
|
||||
|
|
|
@ -26,4 +26,4 @@ maintainers:
|
|||
name: mariadb
|
||||
sources:
|
||||
- https://github.com/bitnami/charts/tree/main/bitnami/mariadb
|
||||
version: 12.2.3
|
||||
version: 12.2.4
|
||||
|
|
|
@ -84,7 +84,7 @@ The command removes all the Kubernetes components associated with the chart and
|
|||
| -------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------- |
|
||||
| `image.registry` | MariaDB image registry | `docker.io` |
|
||||
| `image.repository` | MariaDB image repository | `bitnami/mariadb` |
|
||||
| `image.tag` | MariaDB image tag (immutable tags are recommended) | `10.11.3-debian-11-r1` |
|
||||
| `image.tag` | MariaDB image tag (immutable tags are recommended) | `10.11.3-debian-11-r5` |
|
||||
| `image.digest` | MariaDB image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
|
||||
| `image.pullPolicy` | MariaDB image pull policy | `IfNotPresent` |
|
||||
| `image.pullSecrets` | Specify docker-registry secret names as an array | `[]` |
|
||||
|
@ -306,7 +306,7 @@ The command removes all the Kubernetes components associated with the chart and
|
|||
| `volumePermissions.enabled` | Enable init container that changes the owner and group of the persistent volume(s) mountpoint to `runAsUser:fsGroup` | `false` |
|
||||
| `volumePermissions.image.registry` | Init container volume-permissions image registry | `docker.io` |
|
||||
| `volumePermissions.image.repository` | Init container volume-permissions image repository | `bitnami/bitnami-shell` |
|
||||
| `volumePermissions.image.tag` | Init container volume-permissions image tag (immutable tags are recommended) | `11-debian-11-r114` |
|
||||
| `volumePermissions.image.tag` | Init container volume-permissions image tag (immutable tags are recommended) | `11-debian-11-r118` |
|
||||
| `volumePermissions.image.digest` | Init container volume-permissions image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
|
||||
| `volumePermissions.image.pullPolicy` | Init container volume-permissions image pull policy | `IfNotPresent` |
|
||||
| `volumePermissions.image.pullSecrets` | Specify docker-registry secret names as an array | `[]` |
|
||||
|
@ -320,7 +320,7 @@ The command removes all the Kubernetes components associated with the chart and
|
|||
| `metrics.enabled` | Start a side-car prometheus exporter | `false` |
|
||||
| `metrics.image.registry` | Exporter image registry | `docker.io` |
|
||||
| `metrics.image.repository` | Exporter image repository | `bitnami/mysqld-exporter` |
|
||||
| `metrics.image.tag` | Exporter image tag (immutable tags are recommended) | `0.14.0-debian-11-r116` |
|
||||
| `metrics.image.tag` | Exporter image tag (immutable tags are recommended) | `0.14.0-debian-11-r119` |
|
||||
| `metrics.image.digest` | Exporter image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
|
||||
| `metrics.image.pullPolicy` | Exporter image pull policy | `IfNotPresent` |
|
||||
| `metrics.image.pullSecrets` | Specify docker-registry secret names as an array | `[]` |
|
||||
|
|
|
@ -2,10 +2,10 @@ annotations:
|
|||
category: Infrastructure
|
||||
licenses: Apache-2.0
|
||||
apiVersion: v2
|
||||
appVersion: 2.2.5
|
||||
appVersion: 2.4.0
|
||||
description: A Library Helm Chart for grouping common logic between bitnami charts.
|
||||
This chart is not deployable by itself.
|
||||
home: https://github.com/bitnami/charts/tree/main/bitnami/common
|
||||
home: https://bitnami.com
|
||||
icon: https://bitnami.com/downloads/logos/bitnami-mark.png
|
||||
keywords:
|
||||
- common
|
||||
|
@ -14,11 +14,10 @@ keywords:
|
|||
- function
|
||||
- bitnami
|
||||
maintainers:
|
||||
- name: Bitnami
|
||||
- name: VMware, Inc.
|
||||
url: https://github.com/bitnami/charts
|
||||
name: common
|
||||
sources:
|
||||
- https://github.com/bitnami/charts
|
||||
- https://www.bitnami.com/
|
||||
type: library
|
||||
version: 2.2.5
|
||||
version: 2.4.0
|
||||
|
|
|
@ -2,6 +2,8 @@
|
|||
|
||||
A [Helm Library Chart](https://helm.sh/docs/topics/library_charts/#helm) for grouping common logic between Bitnami charts.
|
||||
|
||||
Looking to use our applications in production? Try [VMware Application Catalog](https://bitnami.com/enterprise), the enterprise edition of Bitnami Application Catalog.
|
||||
|
||||
## TL;DR
|
||||
|
||||
```yaml
|
||||
|
|
|
@ -48,6 +48,17 @@ Return the appropriate apiVersion for cronjob.
|
|||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Return the appropriate apiVersion for daemonset.
|
||||
*/}}
|
||||
{{- define "common.capabilities.daemonset.apiVersion" -}}
|
||||
{{- if semverCompare "<1.14-0" (include "common.capabilities.kubeVersion" .) -}}
|
||||
{{- print "extensions/v1beta1" -}}
|
||||
{{- else -}}
|
||||
{{- print "apps/v1" -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Return the appropriate apiVersion for deployment.
|
||||
*/}}
|
||||
|
@ -141,6 +152,21 @@ Return the appropriate apiVersion for Horizontal Pod Autoscaler.
|
|||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Return the appropriate apiVersion for Vertical Pod Autoscaler.
|
||||
*/}}
|
||||
{{- define "common.capabilities.vpa.apiVersion" -}}
|
||||
{{- if semverCompare "<1.23-0" (include "common.capabilities.kubeVersion" .context) -}}
|
||||
{{- if .beta2 -}}
|
||||
{{- print "autoscaling/v2beta2" -}}
|
||||
{{- else -}}
|
||||
{{- print "autoscaling/v2beta1" -}}
|
||||
{{- end -}}
|
||||
{{- else -}}
|
||||
{{- print "autoscaling/v2" -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Returns true if the used Helm version is 3.3+.
|
||||
A way to check the used Helm version was not introduced until version 3.3.0 with .Capabilities.HelmVersion, which contains an additional "{}}" structure.
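Review bot: `common.capabilities.vpa.apiVersion` prints `autoscaling/v2beta1`, `autoscaling/v2beta2` or `autoscaling/v2`, which are HorizontalPodAutoscaler versions. VerticalPodAutoscaler is a custom resource in the `autoscaling.k8s.io` group, so a manifest built from this helper would not resolve to a VPA kind. The branches look copied from the HPA helper above; they should print VPA versions such as `autoscaling.k8s.io/v1`, with the cut-offs checked against the installed VPA CRD rather than only the cluster version. The helper also reads `.context` and `.beta2`, unlike the daemonset helper added in the same file, which takes the root context, so its doc comment should show the call shape, e.g. `Usage: {{ include "common.capabilities.vpa.apiVersion" (dict "context" $ "beta2" false) }}`. The identical hunk appears again in the second copy of this file further down the page.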
|
||||
|
|
|
@ -45,7 +45,7 @@ Return the proper Docker Image Registry Secret Names (deprecated: use common.ima
|
|||
|
||||
{{- if (not (empty $pullSecrets)) }}
|
||||
imagePullSecrets:
|
||||
{{- range $pullSecrets }}
|
||||
{{- range $pullSecrets | uniq }}
|
||||
- name: {{ . }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
@ -73,7 +73,7 @@ Return the proper Docker Image Registry Secret Names evaluating values as templa
|
|||
|
||||
{{- if (not (empty $pullSecrets)) }}
|
||||
imagePullSecrets:
|
||||
{{- range $pullSecrets }}
|
||||
{{- range $pullSecrets | uniq }}
|
||||
- name: {{ . }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
|
|
@ -87,7 +87,7 @@ serviceBindings:
|
|||
image:
|
||||
registry: docker.io
|
||||
repository: bitnami/mariadb
|
||||
tag: 10.11.3-debian-11-r1
|
||||
tag: 10.11.3-debian-11-r5
|
||||
digest: ""
|
||||
## Specify a imagePullPolicy
|
||||
## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
|
||||
|
@ -1001,7 +1001,7 @@ volumePermissions:
|
|||
image:
|
||||
registry: docker.io
|
||||
repository: bitnami/bitnami-shell
|
||||
tag: 11-debian-11-r114
|
||||
tag: 11-debian-11-r118
|
||||
digest: ""
|
||||
pullPolicy: IfNotPresent
|
||||
## Optionally specify an array of imagePullSecrets (secrets must be manually created in the namespace)
|
||||
|
@ -1037,7 +1037,7 @@ metrics:
|
|||
image:
|
||||
registry: docker.io
|
||||
repository: bitnami/mysqld-exporter
|
||||
tag: 0.14.0-debian-11-r116
|
||||
tag: 0.14.0-debian-11-r119
|
||||
digest: ""
|
||||
pullPolicy: IfNotPresent
|
||||
## Optionally specify an array of imagePullSecrets (secrets must be manually created in the namespace)
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
dependencies:
|
||||
- name: common
|
||||
repository: oci://registry-1.docker.io/bitnamicharts
|
||||
version: 2.3.0
|
||||
digest: sha256:11bbe86be64062d37b725f4dbc909aba3585b4976624ee9d27522366d3f956ea
|
||||
generated: "2023-05-13T00:58:36.826773609Z"
|
||||
version: 2.4.0
|
||||
digest: sha256:8c1a5dc923412d11d4d841420494b499cb707305c8b9f87f45ea1a8bf3172cb3
|
||||
generated: "2023-05-21T18:31:06.275175617Z"
|
||||
|
|
|
@ -23,4 +23,4 @@ maintainers:
|
|||
name: memcached
|
||||
sources:
|
||||
- https://github.com/bitnami/charts/tree/main/bitnami/memcached
|
||||
version: 6.5.1
|
||||
version: 6.5.2
|
||||
|
|
|
@ -78,7 +78,7 @@ The command removes all the Kubernetes components associated with the chart and
|
|||
| ----------------------------- | --------------------------------------------------------------------------------------------------------- | --------------------- |
|
||||
| `image.registry` | Memcached image registry | `docker.io` |
|
||||
| `image.repository` | Memcached image repository | `bitnami/memcached` |
|
||||
| `image.tag` | Memcached image tag (immutable tags are recommended) | `1.6.20-debian-11-r0` |
|
||||
| `image.tag` | Memcached image tag (immutable tags are recommended) | `1.6.20-debian-11-r3` |
|
||||
| `image.digest` | Memcached image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
|
||||
| `image.pullPolicy` | Memcached image pull policy | `IfNotPresent` |
|
||||
| `image.pullSecrets` | Specify docker-registry secret names as an array | `[]` |
|
||||
|
@ -205,7 +205,7 @@ The command removes all the Kubernetes components associated with the chart and
|
|||
| `volumePermissions.enabled` | Enable init container that changes the owner and group of the persistent volume | `false` |
|
||||
| `volumePermissions.image.registry` | Init container volume-permissions image registry | `docker.io` |
|
||||
| `volumePermissions.image.repository` | Init container volume-permissions image repository | `bitnami/bitnami-shell` |
|
||||
| `volumePermissions.image.tag` | Init container volume-permissions image tag (immutable tags are recommended) | `11-debian-11-r115` |
|
||||
| `volumePermissions.image.tag` | Init container volume-permissions image tag (immutable tags are recommended) | `11-debian-11-r118` |
|
||||
| `volumePermissions.image.digest` | Init container volume-permissions image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
|
||||
| `volumePermissions.image.pullPolicy` | Init container volume-permissions image pull policy | `IfNotPresent` |
|
||||
| `volumePermissions.image.pullSecrets` | Init container volume-permissions image pull secrets | `[]` |
|
||||
|
@ -215,7 +215,7 @@ The command removes all the Kubernetes components associated with the chart and
|
|||
| `metrics.enabled` | Start a side-car prometheus exporter | `false` |
|
||||
| `metrics.image.registry` | Memcached exporter image registry | `docker.io` |
|
||||
| `metrics.image.repository` | Memcached exporter image repository | `bitnami/memcached-exporter` |
|
||||
| `metrics.image.tag` | Memcached exporter image tag (immutable tags are recommended) | `0.11.3-debian-11-r10` |
|
||||
| `metrics.image.tag` | Memcached exporter image tag (immutable tags are recommended) | `0.11.3-debian-11-r12` |
|
||||
| `metrics.image.digest` | Memcached exporter image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
|
||||
| `metrics.image.pullPolicy` | Image pull policy | `IfNotPresent` |
|
||||
| `metrics.image.pullSecrets` | Specify docker-registry secret names as an array | `[]` |
|
||||
|
|
|
@ -2,7 +2,7 @@ annotations:
|
|||
category: Infrastructure
|
||||
licenses: Apache-2.0
|
||||
apiVersion: v2
|
||||
appVersion: 2.3.0
|
||||
appVersion: 2.4.0
|
||||
description: A Library Helm Chart for grouping common logic between bitnami charts.
|
||||
This chart is not deployable by itself.
|
||||
home: https://bitnami.com
|
||||
|
@ -20,4 +20,4 @@ name: common
|
|||
sources:
|
||||
- https://github.com/bitnami/charts
|
||||
type: library
|
||||
version: 2.3.0
|
||||
version: 2.4.0
|
||||
|
|
|
@ -48,6 +48,17 @@ Return the appropriate apiVersion for cronjob.
|
|||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Return the appropriate apiVersion for daemonset.
|
||||
*/}}
|
||||
{{- define "common.capabilities.daemonset.apiVersion" -}}
|
||||
{{- if semverCompare "<1.14-0" (include "common.capabilities.kubeVersion" .) -}}
|
||||
{{- print "extensions/v1beta1" -}}
|
||||
{{- else -}}
|
||||
{{- print "apps/v1" -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Return the appropriate apiVersion for deployment.
|
||||
*/}}
|
||||
|
@ -141,6 +152,21 @@ Return the appropriate apiVersion for Horizontal Pod Autoscaler.
|
|||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Return the appropriate apiVersion for Vertical Pod Autoscaler.
|
||||
*/}}
|
||||
{{- define "common.capabilities.vpa.apiVersion" -}}
|
||||
{{- if semverCompare "<1.23-0" (include "common.capabilities.kubeVersion" .context) -}}
|
||||
{{- if .beta2 -}}
|
||||
{{- print "autoscaling/v2beta2" -}}
|
||||
{{- else -}}
|
||||
{{- print "autoscaling/v2beta1" -}}
|
||||
{{- end -}}
|
||||
{{- else -}}
|
||||
{{- print "autoscaling/v2" -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Returns true if the used Helm version is 3.3+.
|
||||
A way to check the used Helm version was not introduced until version 3.3.0 with .Capabilities.HelmVersion, which contains an additional "{}}" structure.
|
||||
|
|
|
@ -70,7 +70,7 @@ diagnosticMode:
|
|||
image:
|
||||
registry: docker.io
|
||||
repository: bitnami/memcached
|
||||
tag: 1.6.20-debian-11-r0
|
||||
tag: 1.6.20-debian-11-r3
|
||||
digest: ""
|
||||
## Specify a imagePullPolicy
|
||||
## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
|
||||
|
@ -512,7 +512,7 @@ volumePermissions:
|
|||
image:
|
||||
registry: docker.io
|
||||
repository: bitnami/bitnami-shell
|
||||
tag: 11-debian-11-r115
|
||||
tag: 11-debian-11-r118
|
||||
digest: ""
|
||||
pullPolicy: IfNotPresent
|
||||
## Optionally specify an array of imagePullSecrets.
|
||||
|
@ -557,7 +557,7 @@ metrics:
|
|||
image:
|
||||
registry: docker.io
|
||||
repository: bitnami/memcached-exporter
|
||||
tag: 0.11.3-debian-11-r10
|
||||
tag: 0.11.3-debian-11-r12
|
||||
digest: ""
|
||||
pullPolicy: IfNotPresent
|
||||
## Optionally specify an array of imagePullSecrets.
|
||||
|
|
|
@ -73,7 +73,7 @@ diagnosticMode:
|
|||
image:
|
||||
registry: docker.io
|
||||
repository: bitnami/wordpress
|
||||
tag: 6.2.2-debian-11-r0
|
||||
tag: 6.2.2-debian-11-r2
|
||||
digest: ""
|
||||
## Specify a imagePullPolicy
|
||||
## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
|
||||
|
|
|
@ -1,10 +1,10 @@
|
|||
annotations:
|
||||
catalog.cattle.io/certified: partner
|
||||
catalog.cattle.io/display-name: CrowdStrike Falcon Platform
|
||||
catalog.cattle.io/kube-version: '>1.15.0-0'
|
||||
catalog.cattle.io/kube-version: '>1.22.0-0'
|
||||
catalog.cattle.io/release-name: falcon-sensor
|
||||
apiVersion: v2
|
||||
appVersion: 1.19.0
|
||||
appVersion: 1.19.1
|
||||
description: A Helm chart to deploy CrowdStrike Falcon sensors into Kubernetes clusters.
|
||||
home: https://crowdstrike.com
|
||||
icon: https://raw.githubusercontent.com/CrowdStrike/falcon-helm/main/images/crowdstrike-logo.svg
|
||||
|
@ -16,7 +16,7 @@ keywords:
|
|||
- security
|
||||
- monitoring
|
||||
- alerting
|
||||
kubeVersion: '>1.15.0-0'
|
||||
kubeVersion: '>1.22.0-0'
|
||||
maintainers:
|
||||
- email: integrations@crowdstrike.com
|
||||
name: CrowdStrike Solutions Architecture
|
||||
|
@ -24,4 +24,4 @@ name: falcon-sensor
|
|||
sources:
|
||||
- https://github.com/CrowdStrike/falcon-helm
|
||||
type: application
|
||||
version: 1.19.0
|
||||
version: 1.19.1
|
||||
|
|
|
@ -13,9 +13,8 @@ The Falcon Helm chart has been tested to deploy on the following Kubernetes dist
|
|||
* Daemonset (node) sensor supprt for EKS nodes
|
||||
* Container sensor support for EKS Fargate nodes
|
||||
* Azure Kubernetes Service (AKS)
|
||||
* Google Kubernetes Engine (GKE) - DaemonSet support for Ubuntu nodes only, Container sensor for GCOS nodes.
|
||||
* Google Kubernetes Engine (GKE)
|
||||
* Rancher K3s
|
||||
* Red Hat OpenShift Container Platform 4.6+
|
||||
|
||||
# Dependencies
|
||||
|
||||
|
|
|
@ -1,5 +1,9 @@
|
|||
# Changelog
|
||||
|
||||
## 1.0.3
|
||||
|
||||
* Add `list` and `watch` permissions of `customresourcedefinitions` for the KSM core check to collect CRD resources.
|
||||
|
||||
## 1.0.2
|
||||
|
||||
* Use `.Release.Name` for reference to conversion webhook certificate in datadog-operator deployment.yaml
|
||||
|
|
|
@ -26,4 +26,4 @@ name: datadog-operator
|
|||
sources:
|
||||
- https://app.datadoghq.com/account/settings#agent/kubernetes
|
||||
- https://github.com/DataDog/datadog-agent
|
||||
version: 1.0.2
|
||||
version: 1.0.3
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
# Datadog Operator
|
||||
|
||||
![Version: 1.0.2](https://img.shields.io/badge/Version-1.0.2-informational?style=flat-square) ![AppVersion: 1.0.0](https://img.shields.io/badge/AppVersion-1.0.0-informational?style=flat-square)
|
||||
![Version: 1.0.3](https://img.shields.io/badge/Version-1.0.3-informational?style=flat-square) ![AppVersion: 1.0.0](https://img.shields.io/badge/AppVersion-1.0.0-informational?style=flat-square)
|
||||
|
||||
## Values
|
||||
|
||||
|
|
|
@ -330,6 +330,13 @@ rules:
|
|||
verbs:
|
||||
- list
|
||||
- watch
|
||||
- apiGroups:
|
||||
- apiextensions.k8s.io
|
||||
resources:
|
||||
- customresourcedefinitions
|
||||
verbs:
|
||||
- list
|
||||
- watch
|
||||
- apiGroups:
|
||||
- autoscaling.k8s.io
|
||||
resources:
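Review bot: The added rule grants `list` and `watch` on `customresourcedefinitions` cluster-wide, and nothing in the rule says why it is needed. It is read-only and limited to one resource, but the only justification is the changelog entry on this page (CRD collection for the KSM core check). A comment above the rule would keep that reason next to the grant, e.g. `# list/watch CRDs: needed by the KSM core check to collect CRD resources`, so a later least-privilege review can tell when it is safe to drop. The rule list starts and continues outside the hunk, so whether this block sits inside a conditional cannot be seen here.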
|
||||
|
|
|
@ -1,5 +1,38 @@
|
|||
# Datadog changelog
|
||||
|
||||
## 3.30.7
|
||||
|
||||
* Fix Windows support of `agents.customAgentConfig` to avoid bind mount of a file.
|
||||
|
||||
## 3.30.6
|
||||
|
||||
* Adds `datadog.kubeStateMetricsCore.collectApiServicesMetrics` (`false` by default) to collect apiservices metrics in Kube State Metrics Core.
|
||||
Note: APIServices metrics collection requires Cluster Agent 7.45.0+.
|
||||
|
||||
## 3.30.5
|
||||
|
||||
* Add `list` and `watch` permissions of `apiservices` resources for the `kubernetes_state_core` check.
|
||||
|
||||
## 3.30.4
|
||||
|
||||
* Remove USM private beta comments.
|
||||
|
||||
## 3.30.3
|
||||
|
||||
* Remove resourceName field from `create` permission of `leases` in `cluster-agent-rbac`.
|
||||
|
||||
## 3.30.2
|
||||
|
||||
* Add `get`, `create`, `update` permissions of `leases` to `cluster-agent-rbac`.
|
||||
|
||||
## 3.30.1
|
||||
|
||||
* Remove guidance that users must manually convert tag syntax for `labelsAsTags`
|
||||
|
||||
## 3.30.0
|
||||
|
||||
* Add `datadog.dataStreamsMonitoring.enabled` parameter to enable Data Stream Monitoring.
|
||||
|
||||
## 3.29.3
|
||||
|
||||
* Add `inotify_add_watch`, `inotify_init`, `inotify_init1`, and `inotify_rm_watch` to the default seccomp profile of system-probe.
|
||||
|
|
|
@ -19,4 +19,4 @@ name: datadog
|
|||
sources:
|
||||
- https://app.datadoghq.com/account/settings#agent/kubernetes
|
||||
- https://github.com/DataDog/datadog-agent
|
||||
version: 3.29.3
|
||||
version: 3.30.7
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
# Datadog
|
||||
|
||||
![Version: 3.29.3](https://img.shields.io/badge/Version-3.29.3-informational?style=flat-square) ![AppVersion: 7](https://img.shields.io/badge/AppVersion-7-informational?style=flat-square)
|
||||
![Version: 3.30.7](https://img.shields.io/badge/Version-3.30.7-informational?style=flat-square) ![AppVersion: 7](https://img.shields.io/badge/AppVersion-7-informational?style=flat-square)
|
||||
|
||||
[Datadog](https://www.datadoghq.com/) is a hosted infrastructure monitoring platform. This chart adds the Datadog Agent to all nodes in your cluster via a DaemonSet. It also optionally depends on the [kube-state-metrics chart](https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-state-metrics). For more information about monitoring Kubernetes with Datadog, please refer to the [Datadog documentation website](https://docs.datadoghq.com/agent/basic_agent_usage/kubernetes/).
|
||||
|
||||
|
@ -613,6 +613,7 @@ helm install <RELEASE_NAME> \
|
|||
| datadog.containerIncludeMetrics | string | `nil` | Include metrics in the Agent Autodiscovery, as a space-separated list |
|
||||
| datadog.containerRuntimeSupport.enabled | bool | `true` | Set this to false to disable agent access to container runtime. |
|
||||
| datadog.criSocketPath | string | `nil` | Path to the container runtime socket (if different from Docker) |
|
||||
| datadog.dataStreamsMonitoring.enabled | bool | `false` | Enable Data Streams Monitoring. |
|
||||
| datadog.dd_url | string | `nil` | The host of the Datadog intake server to send Agent data to, only set this option if you need the Agent to send data to a custom URL |
|
||||
| datadog.dockerSocketPath | string | `nil` | Path to the docker socket |
|
||||
| datadog.dogstatsd.hostSocketPath | string | `"/var/run/datadog/"` | Host path to the DogStatsD socket |
|
||||
|
@ -636,6 +637,7 @@ helm install <RELEASE_NAME> \
|
|||
| datadog.hostVolumeMountPropagation | string | `"None"` | Allow to specify the `mountPropagation` value on all volumeMounts using HostPath |
|
||||
| datadog.ignoreAutoConfig | list | `[]` | List of integration to ignore auto_conf.yaml. |
|
||||
| datadog.kubeStateMetricsCore.annotationsAsTags | object | `{}` | Extra annotations to collect from resources and to turn into datadog tag. |
|
||||
| datadog.kubeStateMetricsCore.collectApiServicesMetrics | bool | `false` | Enable watching apiservices objects and collecting their corresponding metrics kubernetes_state.apiservice.* (Requires Cluster Agent 7.45.0+) |
|
||||
| datadog.kubeStateMetricsCore.collectCrdMetrics | bool | `false` | Enable watching CRD objects and collecting their corresponding metrics kubernetes_state.crd.* |
|
||||
| datadog.kubeStateMetricsCore.collectSecretMetrics | bool | `true` | Enable watching secret objects and collecting their corresponding metrics kubernetes_state.secret.* |
|
||||
| datadog.kubeStateMetricsCore.collectVpaMetrics | bool | `false` | Enable watching VPA objects and collecting their corresponding metrics kubernetes_state.vpa.* |
|
||||
|
|
|
@ -174,7 +174,7 @@
|
|||
{{- end }}
|
||||
{{- include "container-crisocket-volumemounts" . | nindent 4 }}
|
||||
{{- include "container-cloudinit-volumemounts" . | nindent 4 }}
|
||||
{{- if .Values.agents.useConfigMap }}
|
||||
{{- if and .Values.agents.useConfigMap (eq .Values.targetSystem "linux")}}
|
||||
- name: datadog-yaml
|
||||
mountPath: {{ template "datadog.confPath" . }}/datadog.yaml
|
||||
subPath: datadog.yaml
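Review bot: The added condition `(eq .Values.targetSystem "linux")` is not explained where it is used, and the same edit is repeated in the four container templates that follow (the hunks at `@ -77,7`, `@ -78,7`, `@ -47,7` and `@ -61,7`). Someone reading only one of these templates cannot tell that on Windows `datadog.yaml` now arrives through the init-container `Copy-Item` shown further down the page rather than through this `subPath` mount. A template comment above the `if`, such as `{{- /* Linux only: on Windows the init container copies datadog.yaml to avoid a single-file bind mount */ -}}`, would make that explicit. The closing delimiter is also written `"linux")}}` without the space used on the neighbouring lines; `"linux") }}` would match them. The enclosing volumeMounts list starts and ends outside the hunk.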
|
||||
|
|
|
@ -77,7 +77,7 @@
|
|||
{{- end }}
|
||||
{{- include "container-crisocket-volumemounts" . | nindent 4 }}
|
||||
{{- include "container-cloudinit-volumemounts" . | nindent 4 }}
|
||||
{{- if .Values.agents.useConfigMap }}
|
||||
{{- if and .Values.agents.useConfigMap (eq .Values.targetSystem "linux")}}
|
||||
- name: datadog-yaml
|
||||
mountPath: {{ template "datadog.confPath" . }}/datadog.yaml
|
||||
subPath: datadog.yaml
|
||||
|
|
|
@ -78,7 +78,7 @@
|
|||
{{- end }}
|
||||
{{- include "container-crisocket-volumemounts" . | nindent 4 }}
|
||||
{{- include "container-cloudinit-volumemounts" . | nindent 4 }}
|
||||
{{- if .Values.agents.useConfigMap }}
|
||||
{{- if and .Values.agents.useConfigMap (eq .Values.targetSystem "linux")}}
|
||||
- name: datadog-yaml
|
||||
mountPath: {{ template "datadog.confPath" . }}/datadog.yaml
|
||||
subPath: datadog.yaml
|
||||
|
|
|
@ -47,7 +47,7 @@
|
|||
mountPath: {{ template "datadog.confPath" . }}
|
||||
readOnly: true
|
||||
{{- include "container-cloudinit-volumemounts" . | nindent 4 }}
|
||||
{{- if .Values.agents.useConfigMap }}
|
||||
{{- if and .Values.agents.useConfigMap (eq .Values.targetSystem "linux")}}
|
||||
- name: datadog-yaml
|
||||
mountPath: {{ template "datadog.confPath" . }}/datadog.yaml
|
||||
subPath: datadog.yaml
|
||||
|
|
|
@ -61,7 +61,7 @@
|
|||
mountPath: {{ template "datadog.confPath" . }}/auth
|
||||
readOnly: true
|
||||
{{- end }}
|
||||
{{- if .Values.agents.useConfigMap }}
|
||||
{{- if and .Values.agents.useConfigMap (eq .Values.targetSystem "linux")}}
|
||||
- name: datadog-yaml
|
||||
mountPath: {{ template "datadog.confPath" . }}/datadog.yaml
|
||||
subPath: datadog.yaml
|
||||
|
|
|
@ -7,6 +7,9 @@
|
|||
- |
|
||||
Copy-Item -Recurse -Force {{ template "datadog.confPath" . }} C:/Temp
|
||||
Copy-Item -Force C:/Temp/install_info/install_info C:/Temp/Datadog/install_info
|
||||
{{- if .Values.agents.useConfigMap }}
|
||||
Copy-Item -Force C:/Temp/datadog_yaml/datadog.yaml C:/Temp/Datadog/datadog.yaml
|
||||
{{- end}}
|
||||
volumeMounts:
|
||||
- name: config
|
||||
mountPath: C:/Temp/Datadog
|
||||
|
@ -14,6 +17,11 @@
|
|||
- name: installinfo
|
||||
mountPath: C:/Temp/install_info
|
||||
readOnly: true
|
||||
{{- if .Values.agents.useConfigMap }}
|
||||
- name: datadog-yaml
|
||||
mountPath: C:/Temp/datadog_yaml
|
||||
readOnly: true
|
||||
{{- end}}
|
||||
resources:
|
||||
{{ toYaml .Values.agents.containers.initContainers.resources | indent 4 }}
|
||||
- name: init-config
|
||||
|
|
|
@ -275,7 +275,7 @@ Return a remote image path based on `.Values` (passed as root) and `.` (any `.im
|
|||
Return true if a system-probe feature is enabled.
|
||||
*/}}
|
||||
{{- define "system-probe-feature" -}}
|
||||
{{- if or .Values.datadog.securityAgent.runtime.enabled .Values.datadog.securityAgent.runtime.fimEnabled .Values.datadog.networkMonitoring.enabled .Values.datadog.systemProbe.enableTCPQueueLength .Values.datadog.systemProbe.enableOOMKill .Values.datadog.serviceMonitoring.enabled -}}
|
||||
{{- if or .Values.datadog.securityAgent.runtime.enabled .Values.datadog.securityAgent.runtime.fimEnabled .Values.datadog.networkMonitoring.enabled .Values.datadog.systemProbe.enableTCPQueueLength .Values.datadog.systemProbe.enableOOMKill .Values.datadog.serviceMonitoring.enabled .Values.datadog.dataStreamsMonitoring.enabled -}}
|
||||
true
|
||||
{{- else -}}
|
||||
false
|
||||
|
@ -632,7 +632,7 @@ Return the local service name
|
|||
Return true if runtime compilation is enabled in the system-probe
|
||||
*/}}
|
||||
{{- define "runtime-compilation-enabled" -}}
|
||||
{{- if or .Values.datadog.systemProbe.enableTCPQueueLength .Values.datadog.systemProbe.enableOOMKill .Values.datadog.serviceMonitoring.enabled -}}
|
||||
{{- if or .Values.datadog.systemProbe.enableTCPQueueLength .Values.datadog.systemProbe.enableOOMKill .Values.datadog.serviceMonitoring.enabled .Values.datadog.dataStreamsMonitoring.enabled -}}
|
||||
true
|
||||
{{- else -}}
|
||||
false
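Review bot: Adding `.Values.datadog.dataStreamsMonitoring.enabled` to both `or` lists makes the flag turn `system-probe-feature` and `runtime-compilation-enabled` to `true`, but the values comment and README row added elsewhere on this page say only "Enable Data Streams Monitoring." Presumably these helpers decide whether the system-probe container and its runtime compilation are deployed, which is a change in what runs on each node that operators should see where they set the flag. The values.yaml comment could read `# datadog.dataStreamsMonitoring.enabled -- Enable Data Streams Monitoring (also enables system-probe and runtime compilation).` Both `define` bodies continue past the end of their hunks.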
|
||||
|
|
|
@ -12,6 +12,9 @@ kubernetes_state_core.yaml.default: |-
|
|||
{{- if .Values.datadog.kubeStateMetricsCore.collectVpaMetrics }}
|
||||
- verticalpodautoscalers
|
||||
{{- end }}
|
||||
{{- if .Values.datadog.kubeStateMetricsCore.collectApiServicesMetrics }}
|
||||
- apiservices
|
||||
{{- end }}
|
||||
{{- if .Values.datadog.kubeStateMetricsCore.collectCrdMetrics }}
|
||||
- customresourcedefinitions
|
||||
{{- end }}
|
||||
|
|
|
@ -66,6 +66,21 @@ rules:
|
|||
verbs:
|
||||
- get
|
||||
- update
|
||||
- apiGroups:
|
||||
- "coordination.k8s.io"
|
||||
resources:
|
||||
- leases
|
||||
resourceNames:
|
||||
- {{ template "datadog.fullname" . }}-leader-election # Leader election token
|
||||
verbs:
|
||||
- get
|
||||
- update
|
||||
- apiGroups:
|
||||
- "coordination.k8s.io"
|
||||
resources:
|
||||
- leases
|
||||
verbs:
|
||||
- create
|
||||
{{- if .Values.clusterAgent.metricsProvider.enabled }}
|
||||
- apiGroups:
|
||||
- ""
|
||||
|
@ -180,7 +195,7 @@ rules:
|
|||
- get
|
||||
- watch
|
||||
- apiGroups:
|
||||
- "apiextensions.k8s.io"
|
||||
- apiextensions.k8s.io
|
||||
resources:
|
||||
- customresourcedefinitions
|
||||
verbs:
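Review bot: In the first hunk, the second added rule grants `create` on `leases` with no `resourceNames`, unlike the `get`/`update` rule just above it, which is pinned to the `-leader-election` lease. Kubernetes cannot restrict `create` by resource name, so the split is needed, but the rule then allows creating any lease wherever this role is bound. If this is a ClusterRole (the `kind` is outside the hunk), moving the lease rules to a namespaced Role would narrow that. At minimum, a comment on the new rule such as `# create cannot be limited by resourceNames` would explain why it is not scoped like its neighbour.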
|
||||
|
|
|
@ -98,6 +98,15 @@ rules:
|
|||
verbs:
|
||||
- list
|
||||
- watch
|
||||
{{- if .Values.datadog.kubeStateMetricsCore.collectApiServicesMetrics }}
|
||||
- apiGroups:
|
||||
- apiregistration.k8s.io
|
||||
resources:
|
||||
- apiservices
|
||||
verbs:
|
||||
- list
|
||||
- watch
|
||||
{{- end }}
|
||||
---
|
||||
apiVersion: {{ template "rbac.apiVersion" . }}
|
||||
kind: ClusterRoleBinding
|
||||
|
|
|
@ -43,6 +43,8 @@ data:
|
|||
conntrack_init_timeout: {{ $.Values.datadog.systemProbe.conntrackInitTimeout }}
|
||||
service_monitoring_config:
|
||||
enabled: {{ $.Values.datadog.serviceMonitoring.enabled }}
|
||||
data_streams_config:
|
||||
enabled: {{ $.Values.datadog.dataStreamsMonitoring.enabled }}
|
||||
runtime_security_config:
|
||||
enabled: {{ $.Values.datadog.securityAgent.runtime.enabled }}
|
||||
fim_enabled: {{ $.Values.datadog.securityAgent.runtime.fimEnabled }}
|
||||
|
|
|
@ -161,6 +161,11 @@ datadog:
|
|||
## Configuring this field will change the default kubernetes_state_core check configuration to run the kubernetes_state_core check.
|
||||
collectCrdMetrics: false
|
||||
|
||||
# datadog.kubeStateMetricsCore.collectApiServicesMetrics -- Enable watching apiservices objects and collecting their corresponding metrics kubernetes_state.apiservice.* (Requires Cluster Agent 7.45.0+)
|
||||
|
||||
## Configuring this field will change the default kubernetes_state_core check configuration and the RBACs granted to Datadog Cluster Agent to run the kubernetes_state_core check.
|
||||
collectApiServicesMetrics: false
|
||||
|
||||
# datadog.kubeStateMetricsCore.useClusterCheckRunners -- For large clusters where the Kubernetes State Metrics Check Core needs to be distributed on dedicated workers.
|
||||
|
||||
## Configuring this field will create a separate deployment which will run Cluster Checks, including Kubernetes State Metrics Core.
|
||||
|
@ -178,8 +183,6 @@ datadog:
|
|||
## <resource2>:
|
||||
## <label3>: <tag3>
|
||||
##
|
||||
## Warning: the label must match the transformation done by kube-state-metrics,
|
||||
## for example tags.datadoghq.com/version becomes tags_datadoghq_com_version.
|
||||
labelsAsTags: {}
|
||||
# pod:
|
||||
# app: app
|
||||
|
@ -646,13 +649,14 @@ datadog:
|
|||
# datadog.networkMonitoring.enabled -- Enable network performance monitoring
|
||||
enabled: false
|
||||
|
||||
## Universal Service Monitoring is currently in private beta.
|
||||
|
||||
## See https://www.datadoghq.com/blog/universal-service-monitoring-datadog/ for more details and private beta signup.
|
||||
serviceMonitoring:
|
||||
# datadog.serviceMonitoring.enabled -- Enable Universal Service Monitoring
|
||||
enabled: false
|
||||
|
||||
dataStreamsMonitoring:
|
||||
# datadog.dataStreamsMonitoring.enabled -- Enable Data Streams Monitoring.
|
||||
enabled: false
|
||||
|
||||
## Enable security agent and provide custom configs
|
||||
securityAgent:
|
||||
compliance:
|
||||
|
|
|
@ -2,10 +2,60 @@
|
|||
documentation](doc/development/changelog.md) for instructions on adding your own
|
||||
entry.
|
||||
|
||||
## 6.11.5 (2023-05-19)
|
||||
## 7.0.1 (2023-05-22)
|
||||
|
||||
No changes.
|
||||
|
||||
## 7.0.0 (2023-05-18)
|
||||
|
||||
### Added (5 changes)
|
||||
|
||||
- [Registry; add support for database discovery for primary records](gitlab-org/charts/gitlab@02618c9b63bfac6c6baf257bc020439a45d3f220) ([merge request](gitlab-org/charts/gitlab!3142))
|
||||
- [Add SMTP read and write timeout values](gitlab-org/charts/gitlab@843467c988f90f358d58ace7c6514634443b384f) ([merge request](gitlab-org/charts/gitlab!3156))
|
||||
- [Add annotations to upgradeCheck ConfigMap](gitlab-org/charts/gitlab@9bd462052cc3ca33994ff262c66208ec8d70a7c8) by @LukasAuerbeck ([merge request](gitlab-org/charts/gitlab!3116))
|
||||
- [ Adding containerSecurityContext logic to geo chart](gitlab-org/charts/gitlab@10d9b8c945f10f9e84f1b280e88a040e33586f5b) ([merge request](gitlab-org/charts/gitlab!3127))
|
||||
- [Allow configuring an embedding database](gitlab-org/charts/gitlab@6a923ec7421e814add2fef3069320c13f28f354c) ([merge request](gitlab-org/charts/gitlab!3107))
|
||||
|
||||
### Fixed (7 changes)
|
||||
|
||||
- [Fix backup spec navigation](gitlab-org/charts/gitlab@76a7ce992586471bfb6c99efb58be1dc1cfce373) ([merge request](gitlab-org/charts/gitlab!3183))
|
||||
- [Mount the microsoft_graph_mailer client secret in the backup-job pod](gitlab-org/charts/gitlab@fe175620908510f3b1eb3728bc164cc4bad68e81) ([merge request](gitlab-org/charts/gitlab!3168))
|
||||
- [Geo: add geo psql SSL mounts](gitlab-org/charts/gitlab@0ed7ea60b8e3d37e1b9b71977c23f085a8df6250) ([merge request](gitlab-org/charts/gitlab!3170))
|
||||
- [Skip pages backup on database upgrade](gitlab-org/charts/gitlab@5efab9266397750252a457a230cddffee87c9143) ([merge request](gitlab-org/charts/gitlab!3167))
|
||||
- [Validate that SMTP settings do not enable both TLS and STARTTLS](gitlab-org/charts/gitlab@aefcfb104aaa871a70203fc04a07686d935761f5) ([merge request](gitlab-org/charts/gitlab!3158))
|
||||
- [Support configuring proxy_download for each object store type](gitlab-org/charts/gitlab@4db1b9b2b5c0e8da53bb43439d267343be34b447) ([merge request](gitlab-org/charts/gitlab!3154))
|
||||
- [Fix possessive](gitlab-org/charts/gitlab@68f0f088cdc7b3be96d92e65c8b21a3ed8104c2f) ([merge request](gitlab-org/charts/gitlab!3097))
|
||||
|
||||
### Changed (14 changes)
|
||||
|
||||
- [Update gitlab-org/container-registry from 3.73.0-gitlab to 3.73.1-gitlab](gitlab-org/charts/gitlab@5f160022cc68e214ea083189649f8332bdc5df34) ([merge request](gitlab-org/charts/gitlab!3185))
|
||||
- [Update bundled Redis sub-chart and add upgrade docs](gitlab-org/charts/gitlab@6e07c473134100d7b63b92d2eac8a369179e9d98) ([merge request](gitlab-org/charts/gitlab!3140))
|
||||
- [Use PostgreSQL Chart 11.9.13](gitlab-org/charts/gitlab@5b1febf0757464eac61744a3388acd14667d0d1b) ([merge request](gitlab-org/charts/gitlab!3143))
|
||||
- [Enable Sidekiq JSON logs by default](gitlab-org/charts/gitlab@92bb399c4fd13321c51114b2529171cbf71c8e24) ([merge request](gitlab-org/charts/gitlab!3169))
|
||||
- [Switch gitlab-shell logs to JSON by default](gitlab-org/charts/gitlab@59a722892c5421621e5a0af640a732ef0cbc8504) ([merge request](gitlab-org/charts/gitlab!3171))
|
||||
- [Update gitlab-org/gitlab-exporter from 12.1.1 to 13.0.0](gitlab-org/charts/gitlab@6e9477a65a963a5ae8e3197e76920b21193287ba) ([merge request](gitlab-org/charts/gitlab!3166))
|
||||
- [Update gitlab-org/container-registry from 3.72.0-gitlab to 3.73.0-gitlab](gitlab-org/charts/gitlab@aa8116c54b4014647c21044113b02043462c87f4) ([merge request](gitlab-org/charts/gitlab!3165))
|
||||
- [Default GitLab chart to have main, and ci connections](gitlab-org/charts/gitlab@f42289a275cb6886c5978c0546dcdb50ee04d991) ([merge request](gitlab-org/charts/gitlab!3132))
|
||||
- [Bump certmanager to 1.11.1](gitlab-org/charts/gitlab@e4f2bf7d6d7ed7ff02174957fa8408ebbca63322) ([merge request](gitlab-org/charts/gitlab!3108))
|
||||
- [Ensure upgrade path to 7.0](gitlab-org/charts/gitlab@0cdbf193e90b67c30a0cb6b6d02b0a9e8f8562ee) ([merge request](gitlab-org/charts/gitlab!3104))
|
||||
- [Unpin mail_room version](gitlab-org/charts/gitlab@ec946052deae64dea6cb7d49b34c26361874a233) ([merge request](gitlab-org/charts/gitlab!3075))
|
||||
- [Update gitlab-org/charts/gitlab-runner from 0.51.1 to 0.52.0](gitlab-org/charts/gitlab@7d54b3f3539b63ee661418f0a519c4509b5e1a2a) ([merge request](gitlab-org/charts/gitlab!3121))
|
||||
- [NGINX: tweak NGINX upstream configuration](gitlab-org/charts/gitlab@9cf76a7bf6c4c3487820103cb1bb48ef2bca2dbb) ([merge request](gitlab-org/charts/gitlab!3090))
|
||||
- [Bump default image to ubuntu:22.04](gitlab-org/charts/gitlab@70452769e698e6187e625cdc7db4d60555b07f4b) by @tlindsay42 ([merge request](gitlab-org/charts/gitlab!2986))
|
||||
|
||||
### Removed (4 changes)
|
||||
|
||||
- [Remove registry compatibility section](gitlab-org/charts/gitlab@b4a3e47b96a2ddc3b1c0250510f875e114d02445) ([merge request](gitlab-org/charts/gitlab!3117))
|
||||
- [Remove bundled Grafana chart and related configuration](gitlab-org/charts/gitlab@24d6c76d54e7800fd8fee20ee5fbba2180d36aae) ([merge request](gitlab-org/charts/gitlab!3112))
|
||||
- [Remove deprecated KAS `metrics.port` config](gitlab-org/charts/gitlab@b1bf1b4686c74015b8d93bd24dcef350490fac1b) ([merge request](gitlab-org/charts/gitlab!3040))
|
||||
- [Remove 'default_can_create_group' setting](gitlab-org/charts/gitlab@0d58ba1ea5b7d29da3891d6643afe2e72e1480a8) ([merge request](gitlab-org/charts/gitlab!3105))
|
||||
|
||||
### Other (3 changes)
|
||||
|
||||
- [Consolidate webservice TLS configuration](gitlab-org/charts/gitlab@7412c984cda3683c60ba3c3e48bf2474ec88209e) ([merge request](gitlab-org/charts/gitlab!3135))
|
||||
- [Update extraEnvFrom docs](gitlab-org/charts/gitlab@994ab9824f518701ed7059e28c7fdf1b2c97e446) ([merge request](gitlab-org/charts/gitlab!3025))
|
||||
- [Add tests for Webservice ConfigMap name](gitlab-org/charts/gitlab@6d51d3fe5475a84166f23d5c5a0f23a1b38ce489) ([merge request](gitlab-org/charts/gitlab!3091))
|
||||
|
||||
## 6.11.4 (2023-05-16)
|
||||
|
||||
### Added (1 change)
|
||||
|
@ -60,6 +110,22 @@ No changes.
|
|||
- [Remove references to unused 'fullnameOverride' key](gitlab-org/charts/gitlab@34b9c0d5d1f5227b8bb1b2496e3be6f9ff3a9ec0) ([merge request](gitlab-org/charts/gitlab!3092))
|
||||
- [checkConfig: verify format of omniauth provider content](gitlab-org/charts/gitlab@f419b34386799a83587eeecfea142070477e8029) ([merge request](gitlab-org/charts/gitlab!3054))
|
||||
|
||||
## 6.10.7 (2023-05-10)
|
||||
|
||||
No changes.
|
||||
|
||||
## 6.10.6 (2023-05-03)
|
||||
|
||||
No changes.
|
||||
|
||||
## 6.10.5 (2023-05-01)
|
||||
|
||||
No changes.
|
||||
|
||||
## 6.10.4 (2023-04-21)
|
||||
|
||||
No changes.
|
||||
|
||||
## 6.10.3 (2023-04-14)
|
||||
|
||||
No changes.
|
||||
|
@ -105,6 +171,22 @@ No changes.
|
|||
- [Add more context to sidekiq pod deprecation notices](gitlab-org/charts/gitlab@fdaef9d08c68beac06b0bcff16d0ec6b1bc274aa) ([merge request](gitlab-org/charts/gitlab!2966))
|
||||
- [Add more context to sidekiq pod deprecation notices](gitlab-org/charts/gitlab@378fd9116dc5147d9d4c23d81a72e0e8089f138e) ([merge request](gitlab-org/charts/gitlab!2972))
|
||||
|
||||
## 6.9.8 (2023-05-10)
|
||||
|
||||
No changes.
|
||||
|
||||
## 6.9.7 (2023-05-03)
|
||||
|
||||
No changes.
|
||||
|
||||
## 6.9.6 (2023-05-01)
|
||||
|
||||
No changes.
|
||||
|
||||
## 6.9.5 (2023-04-21)
|
||||
|
||||
No changes.
|
||||
|
||||
## 6.9.4 (2023-03-30)
|
||||
|
||||
No changes.
|
||||
|
|
|
@ -3,7 +3,7 @@ annotations:
|
|||
catalog.cattle.io/display-name: GitLab
|
||||
catalog.cattle.io/release-name: gitlab
|
||||
apiVersion: v1
|
||||
appVersion: v15.11.5
|
||||
appVersion: v16.0.1
|
||||
description: The One DevOps Platform
|
||||
home: https://about.gitlab.com/
|
||||
icon: https://gitlab.com/gitlab-com/gitlab-artwork/raw/master/logo/logo-square.png
|
||||
|
@ -15,4 +15,4 @@ maintainers:
|
|||
name: gitlab
|
||||
sources:
|
||||
- https://gitlab.com/gitlab-org/charts/gitlab
|
||||
version: 6.11.5
|
||||
version: 7.0.1
|
||||
|
|
|
@ -1,19 +1,24 @@
|
|||
annotations:
|
||||
artifacthub.io/prerelease: "false"
|
||||
artifacthub.io/signKey: |
|
||||
fingerprint: 1020CF3C033D4F35BAE1C19E1226061C665DF13E
|
||||
url: https://cert-manager.io/public-keys/cert-manager-keyring-2021-09-20-1020CF3C033D4F35BAE1C19E1226061C665DF13E.gpg
|
||||
apiVersion: v1
|
||||
appVersion: v1.5.4
|
||||
appVersion: v1.11.1
|
||||
description: A Helm chart for cert-manager
|
||||
home: https://github.com/jetstack/cert-manager
|
||||
icon: https://raw.githubusercontent.com/jetstack/cert-manager/master/logo/logo.png
|
||||
home: https://github.com/cert-manager/cert-manager
|
||||
icon: https://raw.githubusercontent.com/cert-manager/cert-manager/d53c0b9270f8cd90d908460d69502694e1838f5f/logo/logo-small.png
|
||||
keywords:
|
||||
- cert-manager
|
||||
- kube-lego
|
||||
- letsencrypt
|
||||
- tls
|
||||
kubeVersion: '>= 1.21.0-0'
|
||||
maintainers:
|
||||
- email: cert-manager-maintainers@googlegroups.com
|
||||
name: cert-manager-maintainers
|
||||
url: https://cert-manager.io
|
||||
name: cert-manager
|
||||
sources:
|
||||
- https://github.com/jetstack/cert-manager
|
||||
version: v1.5.4
|
||||
- https://github.com/cert-manager/cert-manager
|
||||
version: v1.11.1
|
||||
|
|
|
@ -8,7 +8,7 @@ to renew certificates at an appropriate time before expiry.
|
|||
|
||||
## Prerequisites
|
||||
|
||||
- Kubernetes 1.16+
|
||||
- Kubernetes 1.20+
|
||||
|
||||
## Installing the Chart
|
||||
|
||||
|
@ -19,7 +19,7 @@ Before installing the chart, you must first install the cert-manager CustomResou
|
|||
This is performed in a separate step to allow you to easily uninstall and reinstall cert-manager without deleting your installed custom resources.
|
||||
|
||||
```bash
|
||||
$ kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.5.4/cert-manager.crds.yaml
|
||||
$ kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.11.1/cert-manager.crds.yaml
|
||||
```
|
||||
|
||||
To install the chart with the release name `my-release`:
|
||||
|
@ -29,7 +29,7 @@ To install the chart with the release name `my-release`:
|
|||
$ helm repo add jetstack https://charts.jetstack.io
|
||||
|
||||
## Install the cert-manager helm chart
|
||||
$ helm install my-release --namespace cert-manager --version v1.5.4 jetstack/cert-manager
|
||||
$ helm install my-release --namespace cert-manager --version v1.11.1 jetstack/cert-manager
|
||||
```
|
||||
|
||||
In order to begin issuing certificates, you will need to set up a ClusterIssuer
|
||||
|
@ -65,7 +65,7 @@ If you want to completely uninstall cert-manager from your cluster, you will als
|
|||
delete the previously installed CustomResourceDefinition resources:
|
||||
|
||||
```console
|
||||
$ kubectl delete -f https://github.com/jetstack/cert-manager/releases/download/v1.5.4/cert-manager.crds.yaml
|
||||
$ kubectl delete -f https://github.com/cert-manager/cert-manager/releases/download/v1.11.1/cert-manager.crds.yaml
|
||||
```
|
||||
|
||||
## Configuration
|
||||
|
@ -75,6 +75,7 @@ The following table lists the configurable parameters of the cert-manager chart
|
|||
| Parameter | Description | Default |
|
||||
| --------- | ----------- | ------- |
|
||||
| `global.imagePullSecrets` | Reference to one or more secrets to be used when pulling images | `[]` |
|
||||
| `global.commonLabels` | Labels to apply to all resources | `{}` |
|
||||
| `global.rbac.create` | If `true`, create and use RBAC resources (includes sub-charts) | `true` |
|
||||
| `global.priorityClassName`| Priority class name for cert-manager and webhook pods | `""` |
|
||||
| `global.podSecurityPolicy.enabled` | If `true`, create and use PodSecurityPolicy (includes sub-charts) | `false` |
|
||||
|
@ -85,11 +86,11 @@ The following table lists the configurable parameters of the cert-manager chart
|
|||
| `global.leaderElection.retryPeriod` | The duration the clients should wait between attempting acquisition and renewal of a leadership | |
|
||||
| `installCRDs` | If true, CRD resources will be installed as part of the Helm chart. If enabled, when uninstalling CRD resources will be deleted causing all installed custom resources to be DELETED | `false` |
|
||||
| `image.repository` | Image repository | `quay.io/jetstack/cert-manager-controller` |
|
||||
| `image.tag` | Image tag | `v1.5.4` |
|
||||
| `image.tag` | Image tag | `v1.11.1` |
|
||||
| `image.pullPolicy` | Image pull policy | `IfNotPresent` |
|
||||
| `replicaCount` | Number of cert-manager replicas | `1` |
|
||||
| `clusterResourceNamespace` | Override the namespace used to store DNS provider credentials etc. for ClusterIssuer resources | Same namespace as cert-manager pod |
|
||||
| `featureGates` | Comma-separated list of feature gates to enable on the controller pod | `` |
|
||||
| `featureGates` | Set of comma-separated key=value pairs that describe feature gates on the controller. Some feature gates may also have to be enabled on other components, and can be set supplying the `feature-gate` flag to `<component>.extraArgs` | `` |
|
||||
| `extraArgs` | Optional flags for cert-manager | `[]` |
|
||||
| `extraEnv` | Optional environment variables for cert-manager | `[]` |
|
||||
| `serviceAccount.create` | If `true`, create a new service account | `true` |
|
||||
|
@ -99,12 +100,12 @@ The following table lists the configurable parameters of the cert-manager chart
|
|||
| `volumes` | Optional volumes for cert-manager | `[]` |
|
||||
| `volumeMounts` | Optional volume mounts for cert-manager | `[]` |
|
||||
| `resources` | CPU/memory resource requests/limits | `{}` |
|
||||
| `securityContext` | Optional security context. The yaml block should adhere to the [SecurityContext spec](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.16/#securitycontext-v1-core) | `{}` |
|
||||
| `securityContext.enabled` | Deprecated (use `securityContext`) - Enable security context | `false` |
|
||||
| `containerSecurityContext` | Security context to be set on the controller component container | `{}` |
|
||||
| `securityContext` | Security context for the controller pod assignment | refer to [Default Security Contexts](#default-security-contexts) |
|
||||
| `containerSecurityContext` | Security context to be set on the controller component container | refer to [Default Security Contexts](#default-security-contexts) |
|
||||
| `nodeSelector` | Node labels for pod assignment | `{}` |
|
||||
| `affinity` | Node affinity for pod assignment | `{}` |
|
||||
| `tolerations` | Node tolerations for pod assignment | `[]` |
|
||||
| `topologySpreadConstraints` | Topology spread constraints for pod assignment | `[]` |
|
||||
| `ingressShim.defaultIssuerName` | Optional default issuer to use for ingress resources | |
|
||||
| `ingressShim.defaultIssuerKind` | Optional default issuer kind to use for ingress resources | |
|
||||
| `ingressShim.defaultIssuerGroup` | Optional default issuer group to use for ingress resources | |
|
||||
|
@ -117,12 +118,14 @@ The following table lists the configurable parameters of the cert-manager chart
|
|||
| `prometheus.servicemonitor.interval` | Prometheus scrape interval | `60s` |
|
||||
| `prometheus.servicemonitor.labels` | Add custom labels to ServiceMonitor | |
|
||||
| `prometheus.servicemonitor.scrapeTimeout` | Prometheus scrape timeout | `30s` |
|
||||
| `prometheus.servicemonitor.honorLabels` | Enable label honoring for metrics scraped by Prometheus (see [Prometheus scrape config docs](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#scrape_config) for details). By setting `honorLabels` to `true`, Prometheus will prefer label contents given by cert-manager on conflicts. Can be used to remove the "exported_namespace" label for example. | `false` |
|
||||
| `podAnnotations` | Annotations to add to the cert-manager pod | `{}` |
|
||||
| `deploymentAnnotations` | Annotations to add to the cert-manager deployment | `{}` |
|
||||
| `podDnsPolicy` | Optional cert-manager pod [DNS policy](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pods-dns-policy) | |
|
||||
| `podDnsConfig` | Optional cert-manager pod [DNS configurations](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pods-dns-config) | |
|
||||
| `podLabels` | Labels to add to the cert-manager pod | `{}` |
|
||||
| `serviceLabels` | Labels to add to the cert-manager controller service | `{}` |
|
||||
| `serviceAnnotations` | Annotations to add to the cert-manager service | `{}` |
|
||||
| `http_proxy` | Value of the `HTTP_PROXY` environment variable in the cert-manager pod | |
|
||||
| `https_proxy` | Value of the `HTTPS_PROXY` environment variable in the cert-manager pod | |
|
||||
| `no_proxy` | Value of the `NO_PROXY` environment variable in the cert-manager pod | |
|
||||
|
@ -134,6 +137,8 @@ The following table lists the configurable parameters of the cert-manager chart
|
|||
| `webhook.deploymentAnnotations` | Annotations to add to the webhook deployment | `{}` |
|
||||
| `webhook.mutatingWebhookConfigurationAnnotations` | Annotations to add to the mutating webhook configuration | `{}` |
|
||||
| `webhook.validatingWebhookConfigurationAnnotations` | Annotations to add to the validating webhook configuration | `{}` |
|
||||
| `webhook.serviceAnnotations` | Annotations to add to the webhook service | `{}` |
|
||||
| `webhook.config` | WebhookConfiguration YAML used to configure flags for the webhook. Generates a ConfigMap containing contents of the field. See `values.yaml` for example. | `{}` |
|
||||
| `webhook.extraArgs` | Optional flags for cert-manager webhook component | `[]` |
|
||||
| `webhook.serviceAccount.create` | If `true`, create a new service account for the webhook component | `true` |
|
||||
| `webhook.serviceAccount.name` | Service account for the webhook component to be used. If not set and `webhook.serviceAccount.create` is `true`, a name is generated using the fullname template | |
|
||||
|
@ -141,14 +146,18 @@ The following table lists the configurable parameters of the cert-manager chart
|
|||
| `webhook.serviceAccount.automountServiceAccountToken` | Automount API credentials for the webhook Service Account | |
|
||||
| `webhook.resources` | CPU/memory resource requests/limits for the webhook pods | `{}` |
|
||||
| `webhook.nodeSelector` | Node labels for webhook pod assignment | `{}` |
|
||||
| `webhook.networkPolicy.enabled` | Enable default network policies for webhooks egress and ingress traffic | `false` |
|
||||
| `webhook.networkPolicy.ingress` | Sets ingress policy block. See NetworkPolicy documentation. See `values.yaml` for example. | `{}` |
|
||||
| `webhook.networkPolicy.egress` | Sets ingress policy block. See NetworkPolicy documentation. See `values.yaml` for example. | `{}` |
|
||||
| `webhook.affinity` | Node affinity for webhook pod assignment | `{}` |
|
||||
| `webhook.tolerations` | Node tolerations for webhook pod assignment | `[]` |
|
||||
| `webhook.topologySpreadConstraints` | Topology spread constraints for webhook pod assignment | `[]` |
|
||||
| `webhook.image.repository` | Webhook image repository | `quay.io/jetstack/cert-manager-webhook` |
|
||||
| `webhook.image.tag` | Webhook image tag | `v1.5.4` |
|
||||
| `webhook.image.tag` | Webhook image tag | `v1.11.1` |
|
||||
| `webhook.image.pullPolicy` | Webhook image pull policy | `IfNotPresent` |
|
||||
| `webhook.securePort` | The port that the webhook should listen on for requests. | `10250` |
|
||||
| `webhook.securityContext` | Security context for webhook pod assignment | `{}` |
|
||||
| `webhook.containerSecurityContext` | Security context to be set on the webhook component container | `{}` |
|
||||
| `webhook.securityContext` | Security context for webhook pod assignment | refer to [Default Security Contexts](#default-security-contexts) |
|
||||
| `webhook.containerSecurityContext` | Security context to be set on the webhook component container | refer to [Default Security Contexts](#default-security-contexts) |
|
||||
| `webhook.hostNetwork` | If `true`, run the Webhook on the host network. | `false` |
|
||||
| `webhook.serviceType` | The type of the `Service`. | `ClusterIP` |
|
||||
| `webhook.loadBalancerIP` | The specific load balancer IP to use (when `serviceType` is `LoadBalancer`). | |
|
||||
|
@ -177,13 +186,18 @@ The following table lists the configurable parameters of the cert-manager chart
|
|||
| `cainjector.nodeSelector` | Node labels for cainjector pod assignment | `{}` |
|
||||
| `cainjector.affinity` | Node affinity for cainjector pod assignment | `{}` |
|
||||
| `cainjector.tolerations` | Node tolerations for cainjector pod assignment | `[]` |
|
||||
| `cainjector.topologySpreadConstraints` | Topology spread constraints for cainjector pod assignment | `[]` |
|
||||
| `cainjector.image.repository` | cainjector image repository | `quay.io/jetstack/cert-manager-cainjector` |
|
||||
| `cainjector.image.tag` | cainjector image tag | `v1.5.4` |
|
||||
| `cainjector.image.tag` | cainjector image tag | `v1.11.1` |
|
||||
| `cainjector.image.pullPolicy` | cainjector image pull policy | `IfNotPresent` |
|
||||
| `cainjector.securityContext` | Security context for cainjector pod assignment | `{}` |
|
||||
| `cainjector.containerSecurityContext` | Security context to be set on cainjector component container | `{}` |
|
||||
| `cainjector.securityContext` | Security context for cainjector pod assignment | refer to [Default Security Contexts](#default-security-contexts) |
|
||||
| `cainjector.containerSecurityContext` | Security context to be set on cainjector component container | refer to [Default Security Contexts](#default-security-contexts) |
|
||||
| `acmesolver.image.repository` | acmesolver image repository | `quay.io/jetstack/cert-manager-acmesolver` |
|
||||
| `acmesolver.image.tag` | acmesolver image tag | `v1.11.1` |
|
||||
| `acmesolver.image.pullPolicy` | acmesolver image pull policy | `IfNotPresent` |
|
||||
| `startupapicheck.enabled` | Toggles whether the startupapicheck Job should be installed | `true` |
|
||||
| `startupapicheck.securityContext` | Pod Security Context to be set on the startupapicheck component Pod | `{}` |
|
||||
| `startupapicheck.securityContext` | Security context for startupapicheck pod assignment | refer to [Default Security Contexts](#default-security-contexts) |
|
||||
| `startupapicheck.containerSecurityContext` | Security context to be set on startupapicheck component container | refer to [Default Security Contexts](#default-security-contexts) |
|
||||
| `startupapicheck.timeout` | Timeout for 'kubectl check api' command | `1m` |
|
||||
| `startupapicheck.backoffLimit` | Job backoffLimit | `4` |
|
||||
| `startupapicheck.jobAnnotations` | Optional additional annotations to add to the startupapicheck Job | `{}` |
|
||||
|
@ -195,12 +209,34 @@ The following table lists the configurable parameters of the cert-manager chart
|
|||
| `startupapicheck.tolerations` | Node tolerations for startupapicheck pod assignment | `[]` |
|
||||
| `startupapicheck.podLabels` | Optional additional labels to add to the startupapicheck Pods | `{}` |
|
||||
| `startupapicheck.image.repository` | startupapicheck image repository | `quay.io/jetstack/cert-manager-ctl` |
|
||||
| `startupapicheck.image.tag` | startupapicheck image tag | `v1.5.4` |
|
||||
| `startupapicheck.image.tag` | startupapicheck image tag | `v1.11.1` |
|
||||
| `startupapicheck.image.pullPolicy` | startupapicheck image pull policy | `IfNotPresent` |
|
||||
| `startupapicheck.serviceAccount.create` | If `true`, create a new service account for the startupapicheck component | `true` |
|
||||
| `startupapicheck.serviceAccount.name` | Service account for the startupapicheck component to be used. If not set and `startupapicheck.serviceAccount.create` is `true`, a name is generated using the fullname template | |
|
||||
| `startupapicheck.serviceAccount.annotations` | Annotations to add to the service account for the startupapicheck component | |
|
||||
| `startupapicheck.serviceAccount.automountServiceAccountToken` | Automount API credentials for the startupapicheck Service Account | `true` |
|
||||
| `maxConcurrentChallenges` | The maximum number of challenges that can be scheduled as 'processing' at once | `60` |
|
||||
|
||||
### Default Security Contexts
|
||||
|
||||
The default pod-level and container-level security contexts, below, adhere to the [restricted](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted) Pod Security Standards policies.
|
||||
|
||||
Default pod-level securityContext:
|
||||
```yaml
|
||||
runAsNonRoot: true
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
```
|
||||
|
||||
Default containerSecurityContext:
|
||||
```yaml
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
```
|
||||
|
||||
### Assigning Values
|
||||
|
||||
Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`.
|
||||
|
||||
|
@ -209,8 +245,8 @@ Alternatively, a YAML file that specifies the values for the above parameters ca
|
|||
```console
|
||||
$ helm install my-release -f values.yaml .
|
||||
```
|
||||
> **Tip**: You can use the default [values.yaml](https://github.com/jetstack/cert-manager/blob/master/deploy/charts/cert-manager/values.yaml)
|
||||
> **Tip**: You can use the default [values.yaml](https://github.com/cert-manager/cert-manager/blob/master/deploy/charts/cert-manager/values.yaml)
|
||||
|
||||
## Contributing
|
||||
|
||||
This chart is maintained at [github.com/jetstack/cert-manager](https://github.com/jetstack/cert-manager/tree/master/deploy/charts/cert-manager).
|
||||
This chart is maintained at [github.com/cert-manager/cert-manager](https://github.com/cert-manager/cert-manager/tree/master/deploy/charts/cert-manager).
|
||||
|
|
|
@ -58,7 +58,7 @@ If release name contains chart name it will be used as a full name.
|
|||
{{- end -}}
|
||||
|
||||
{{- define "webhook.caRef" -}}
|
||||
{{ .Release.Namespace}}/{{ template "webhook.fullname" . }}-ca
|
||||
{{- template "cert-manager.namespace" }}/{{ template "webhook.fullname" . }}-ca
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
|
@ -156,4 +156,19 @@ app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
|
|||
app.kubernetes.io/managed-by: {{ .Release.Service }}
|
||||
helm.sh/chart: {{ include "chartName" . }}
|
||||
{{- end -}}
|
||||
{{- if .Values.global.commonLabels}}
|
||||
{{ toYaml .Values.global.commonLabels }}
|
||||
{{- end }}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Namespace for all resources to be installed into
|
||||
If not defined in values file then the helm release namespace is used
|
||||
By default this is not set so the helm release namespace will be used
|
||||
|
||||
This gets around an problem within helm discussed here
|
||||
https://github.com/helm/helm/issues/5358
|
||||
*/}}
|
||||
{{- define "cert-manager.namespace" -}}
|
||||
{{ .Values.namespace | default .Release.Namespace }}
|
||||
{{- end -}}
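Review bot: In `webhook.caRef` the new `{{- template "cert-manager.namespace" }}` call passes no context, so inside `cert-manager.namespace` the dot is nil and neither `.Values.namespace` nor `.Release.Namespace` can be read. I would expect the rendered reference to start with an empty namespace, or the render to fail in strict mode, though that depends on how Helm handles the missing keys. The `webhook.fullname` call on the same line already passes `.`, so the fix is `{{- template "cert-manager.namespace" . }}/{{ template "webhook.fullname" . }}-ca`. The value is a namespace/name reference to the webhook CA, so it is worth rendering the chart with `namespace` set and unset to confirm the output.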
|
||||
|
|
|
@ -1,18 +1,18 @@
|
|||
{{- if .Values.cainjector.enabled -}}
|
||||
{{- if .Values.cainjector.enabled }}
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: {{ include "cainjector.fullname" . }}
|
||||
namespace: {{ .Release.Namespace | quote }}
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
labels:
|
||||
app: {{ include "cainjector.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cainjector.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "cainjector"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
{{- if .Values.cainjector.deploymentAnnotations }}
|
||||
{{- with .Values.cainjector.deploymentAnnotations }}
|
||||
annotations:
|
||||
{{ toYaml .Values.cainjector.deploymentAnnotations | indent 4 }}
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
replicas: {{ .Values.cainjector.replicaCount }}
|
||||
|
@ -23,7 +23,7 @@ spec:
|
|||
app.kubernetes.io/component: "cainjector"
|
||||
{{- with .Values.cainjector.strategy }}
|
||||
strategy:
|
||||
{{- . | toYaml | nindent 4 }}
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
template:
|
||||
metadata:
|
||||
|
@ -33,24 +33,27 @@ spec:
|
|||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "cainjector"
|
||||
{{- include "labels" . | nindent 8 }}
|
||||
{{- if .Values.cainjector.podLabels }}
|
||||
{{ toYaml .Values.cainjector.podLabels | indent 8 }}
|
||||
{{- with .Values.cainjector.podLabels }}
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- if .Values.cainjector.podAnnotations }}
|
||||
{{- with .Values.cainjector.podAnnotations }}
|
||||
annotations:
|
||||
{{ toYaml .Values.cainjector.podAnnotations | indent 8 }}
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
serviceAccountName: {{ template "cainjector.serviceAccountName" . }}
|
||||
{{- if .Values.global.priorityClassName }}
|
||||
priorityClassName: {{ .Values.global.priorityClassName | quote }}
|
||||
{{- if hasKey .Values.cainjector "automountServiceAccountToken" }}
|
||||
automountServiceAccountToken: {{ .Values.cainjector.automountServiceAccountToken }}
|
||||
{{- end }}
|
||||
{{- if .Values.cainjector.securityContext}}
|
||||
{{- with .Values.global.priorityClassName }}
|
||||
priorityClassName: {{ . | quote }}
|
||||
{{- end }}
|
||||
{{- with .Values.cainjector.securityContext }}
|
||||
securityContext:
|
||||
{{ toYaml .Values.cainjector.securityContext | indent 8 }}
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
containers:
|
||||
- name: {{ .Chart.Name }}
|
||||
- name: {{ .Chart.Name }}-cainjector
|
||||
{{- with .Values.cainjector.image }}
|
||||
image: "{{- if .registry -}}{{ .registry }}/{{- end -}}{{ .repository }}{{- if (.digest) -}} @{{ .digest }}{{- else -}}:{{ default $.Chart.AppVersion .tag }} {{- end -}}"
|
||||
{{- end }}
|
||||
|
@ -71,30 +74,36 @@ spec:
|
|||
- --leader-election-retry-period={{ .retryPeriod }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- if .Values.cainjector.extraArgs }}
|
||||
{{ toYaml .Values.cainjector.extraArgs | indent 10 }}
|
||||
{{- with .Values.cainjector.extraArgs }}
|
||||
{{- toYaml . | nindent 10 }}
|
||||
{{- end }}
|
||||
env:
|
||||
- name: POD_NAMESPACE
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: metadata.namespace
|
||||
{{- if .Values.cainjector.containerSecurityContext }}
|
||||
{{- with .Values.cainjector.containerSecurityContext }}
|
||||
securityContext:
|
||||
{{- toYaml .Values.cainjector.containerSecurityContext | nindent 12 }}
|
||||
{{- toYaml . | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- with .Values.cainjector.resources }}
|
||||
resources:
|
||||
{{ toYaml .Values.cainjector.resources | indent 12 }}
|
||||
{{- toYaml . | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- with .Values.cainjector.nodeSelector }}
|
||||
nodeSelector:
|
||||
{{ toYaml . | indent 8 }}
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.cainjector.affinity }}
|
||||
affinity:
|
||||
{{ toYaml . | indent 8 }}
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.cainjector.tolerations }}
|
||||
tolerations:
|
||||
{{ toYaml . | indent 8 }}
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.cainjector.topologySpreadConstraints }}
|
||||
topologySpreadConstraints:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end -}}
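Review bot: The new `namespace: {{ include "cert-manager.namespace" . }}` line in the Deployment metadata is emitted unquoted, where the line it replaces piped the value through `quote`. The helper can return the user-supplied `.Values.namespace`, and an all-digit or boolean-looking name would then be typed as a number or boolean by the YAML parser and the manifest rejected. I would keep the quoting: `namespace: {{ include "cert-manager.namespace" . | quote }}`. The same unquoted form replaces a quoted one in the cainjector ClusterRoleBinding subjects, the cainjector ServiceAccount, and the controller Deployment and ClusterRoleBinding subjects further down this page.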
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
{{- if .Values.cainjector.enabled -}}
|
||||
{{- if .Values.cainjector.enabled }}
|
||||
{{- if .Values.global.podSecurityPolicy.enabled }}
|
||||
kind: ClusterRole
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
{{- if .Values.cainjector.enabled -}}
|
||||
{{- if .Values.cainjector.enabled }}
|
||||
{{- if .Values.global.podSecurityPolicy.enabled }}
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
|
@ -17,6 +17,6 @@ roleRef:
|
|||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: {{ template "cainjector.serviceAccountName" . }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
{{- if .Values.cainjector.enabled -}}
|
||||
{{- if .Values.cainjector.enabled }}
|
||||
{{- if .Values.global.podSecurityPolicy.enabled }}
|
||||
apiVersion: policy/v1beta1
|
||||
kind: PodSecurityPolicy
|
||||
|
@ -47,5 +47,5 @@ spec:
|
|||
ranges:
|
||||
- min: 1000
|
||||
max: 1000
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
{{- if .Values.cainjector.enabled -}}
|
||||
{{- if .Values.global.rbac.create -}}
|
||||
{{- if .Values.cainjector.enabled }}
|
||||
{{- if .Values.global.rbac.create }}
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
|
@ -29,9 +29,6 @@ rules:
|
|||
- apiGroups: ["apiextensions.k8s.io"]
|
||||
resources: ["customresourcedefinitions"]
|
||||
verbs: ["get", "list", "watch", "update"]
|
||||
- apiGroups: ["auditregistration.k8s.io"]
|
||||
resources: ["auditsinks"]
|
||||
verbs: ["get", "list", "watch", "update"]
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
|
@ -49,7 +46,7 @@ roleRef:
|
|||
name: {{ template "cainjector.fullname" . }}
|
||||
subjects:
|
||||
- name: {{ template "cainjector.serviceAccountName" . }}
|
||||
namespace: {{ .Release.Namespace | quote }}
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
kind: ServiceAccount
|
||||
|
||||
---
|
||||
|
@ -71,14 +68,6 @@ rules:
|
|||
# see cmd/cainjector/start.go#L113
|
||||
# cert-manager-cainjector-leader-election-core is used by the SecretBased injector controller
|
||||
# see cmd/cainjector/start.go#L137
|
||||
# See also: https://github.com/kubernetes-sigs/controller-runtime/pull/1144#discussion_r480173688
|
||||
- apiGroups: [""]
|
||||
resources: ["configmaps"]
|
||||
resourceNames: ["cert-manager-cainjector-leader-election", "cert-manager-cainjector-leader-election-core"]
|
||||
verbs: ["get", "update", "patch"]
|
||||
- apiGroups: [""]
|
||||
resources: ["configmaps"]
|
||||
verbs: ["create"]
|
||||
- apiGroups: ["coordination.k8s.io"]
|
||||
resources: ["leases"]
|
||||
resourceNames: ["cert-manager-cainjector-leader-election", "cert-manager-cainjector-leader-election-core"]
|
||||
|
@ -109,6 +98,6 @@ roleRef:
|
|||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: {{ template "cainjector.serviceAccountName" . }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
|
|
@ -1,14 +1,14 @@
|
|||
{{- if .Values.cainjector.enabled -}}
|
||||
{{- if .Values.cainjector.serviceAccount.create -}}
|
||||
{{- if .Values.cainjector.enabled }}
|
||||
{{- if .Values.cainjector.serviceAccount.create }}
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
automountServiceAccountToken: {{ .Values.cainjector.serviceAccount.automountServiceAccountToken }}
|
||||
metadata:
|
||||
name: {{ template "cainjector.serviceAccountName" . }}
|
||||
namespace: {{ .Release.Namespace | quote }}
|
||||
{{- if .Values.cainjector.serviceAccount.annotations }}
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
{{- with .Values.cainjector.serviceAccount.annotations }}
|
||||
annotations:
|
||||
{{ toYaml .Values.cainjector.serviceAccount.annotations | indent 4 }}
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
labels:
|
||||
app: {{ include "cainjector.name" . }}
|
||||
|
@ -16,8 +16,12 @@ metadata:
|
|||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "cainjector"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
{{- if .Values.global.imagePullSecrets }}
|
||||
imagePullSecrets: {{ toYaml .Values.global.imagePullSecrets | nindent 2 }}
|
||||
{{- with .Values.cainjector.serviceAccount.labels }}
|
||||
{{ toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- with .Values.global.imagePullSecrets }}
|
||||
imagePullSecrets:
|
||||
{{- toYaml . | nindent 2 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
|
|
@ -2,16 +2,16 @@ apiVersion: apps/v1
|
|||
kind: Deployment
|
||||
metadata:
|
||||
name: {{ template "cert-manager.fullname" . }}
|
||||
namespace: {{ .Release.Namespace | quote }}
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
labels:
|
||||
app: {{ template "cert-manager.name" . }}
|
||||
app.kubernetes.io/name: {{ template "cert-manager.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "controller"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
{{- if .Values.deploymentAnnotations }}
|
||||
{{- with .Values.deploymentAnnotations }}
|
||||
annotations:
|
||||
{{ toYaml .Values.deploymentAnnotations | indent 4 }}
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
replicas: {{ .Values.replicaCount }}
|
||||
|
@ -22,7 +22,7 @@ spec:
|
|||
app.kubernetes.io/component: "controller"
|
||||
{{- with .Values.strategy }}
|
||||
strategy:
|
||||
{{- . | toYaml | nindent 4 }}
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
template:
|
||||
metadata:
|
||||
|
@ -32,12 +32,12 @@ spec:
|
|||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "controller"
|
||||
{{- include "labels" . | nindent 8 }}
|
||||
{{- if .Values.podLabels }}
|
||||
{{ toYaml .Values.podLabels | indent 8 }}
|
||||
{{- with .Values.podLabels }}
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- if .Values.podAnnotations }}
|
||||
{{- with .Values.podAnnotations }}
|
||||
annotations:
|
||||
{{ toYaml .Values.podAnnotations | indent 8 }}
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- if and .Values.prometheus.enabled (not .Values.prometheus.servicemonitor.enabled) }}
|
||||
{{- if not .Values.podAnnotations }}
|
||||
|
@ -49,28 +49,22 @@ spec:
|
|||
{{- end }}
|
||||
spec:
|
||||
serviceAccountName: {{ template "cert-manager.serviceAccountName" . }}
|
||||
{{- if .Values.global.priorityClassName }}
|
||||
priorityClassName: {{ .Values.global.priorityClassName | quote }}
|
||||
{{- if hasKey .Values "automountServiceAccountToken" }}
|
||||
automountServiceAccountToken: {{ .Values.automountServiceAccountToken }}
|
||||
{{- end }}
|
||||
{{- $enabledDefined := gt (len (keys (pick .Values.securityContext "enabled"))) 0 }}
|
||||
{{- $legacyEnabledExplicitlyOff := and $enabledDefined (not .Values.securityContext.enabled) }}
|
||||
{{- if and .Values.securityContext (not $legacyEnabledExplicitlyOff) }}
|
||||
{{- with .Values.global.priorityClassName }}
|
||||
priorityClassName: {{ . | quote }}
|
||||
{{- end }}
|
||||
{{- with .Values.securityContext }}
|
||||
securityContext:
|
||||
{{- if .Values.securityContext.enabled -}}
|
||||
{{/* support legacy securityContext.enabled and its two parameters */}}
|
||||
fsGroup: {{ default 1001 .Values.securityContext.fsGroup }}
|
||||
runAsUser: {{ default 1001 .Values.securityContext.runAsUser }}
|
||||
{{- else -}}
|
||||
{{/* this is the way forward: support an arbitrary yaml block */}}
|
||||
{{ toYaml .Values.securityContext | indent 8 }}
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- if .Values.volumes }}
|
||||
{{- with .Values.volumes }}
|
||||
volumes:
|
||||
{{ toYaml .Values.volumes | indent 8 }}
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
containers:
|
||||
- name: {{ .Chart.Name }}
|
||||
- name: {{ .Chart.Name }}-controller
|
||||
{{- with .Values.image }}
|
||||
image: "{{- if .registry -}}{{ .registry }}/{{- end -}}{{ .repository }}{{- if (.digest) -}} @{{ .digest }}{{- else -}}:{{ default $.Chart.AppVersion .tag }} {{- end -}}"
|
||||
{{- end }}
|
||||
|
@ -96,8 +90,11 @@ spec:
|
|||
- --leader-election-retry-period={{ .retryPeriod }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- if .Values.extraArgs }}
|
||||
{{ toYaml .Values.extraArgs | indent 10 }}
|
||||
{{- with .Values.acmesolver.image }}
|
||||
- --acme-http01-solver-image={{- if .registry -}}{{ .registry }}/{{- end -}}{{ .repository }}{{- if (.digest) -}} @{{ .digest }}{{- else -}}:{{ default $.Chart.AppVersion .tag }} {{- end -}}
|
||||
{{- end }}
|
||||
{{- with .Values.extraArgs }}
|
||||
{{- toYaml . | nindent 10 }}
|
||||
{{- end }}
|
||||
{{- with .Values.ingressShim }}
|
||||
{{- if .defaultIssuerName }}
|
||||
|
@ -113,55 +110,65 @@ spec:
|
|||
{{- if .Values.featureGates }}
|
||||
- --feature-gates={{ .Values.featureGates }}
|
||||
{{- end }}
|
||||
{{- if .Values.maxConcurrentChallenges }}
|
||||
- --max-concurrent-challenges={{ .Values.maxConcurrentChallenges }}
|
||||
{{- end }}
|
||||
ports:
|
||||
- containerPort: 9402
|
||||
name: http-metrics
|
||||
protocol: TCP
|
||||
{{- if .Values.containerSecurityContext }}
|
||||
{{- with .Values.containerSecurityContext }}
|
||||
securityContext:
|
||||
{{- toYaml .Values.containerSecurityContext | nindent 12 }}
|
||||
{{- toYaml . | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- if .Values.volumeMounts }}
|
||||
{{- with .Values.volumeMounts }}
|
||||
volumeMounts:
|
||||
{{ toYaml .Values.volumeMounts | indent 12 }}
|
||||
{{- toYaml . | nindent 12 }}
|
||||
{{- end }}
|
||||
env:
|
||||
- name: POD_NAMESPACE
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: metadata.namespace
|
||||
{{- if .Values.extraEnv }}
|
||||
{{ toYaml .Values.extraEnv | indent 10 }}
|
||||
{{- with .Values.extraEnv }}
|
||||
{{- toYaml . | nindent 10 }}
|
||||
{{- end }}
|
||||
{{- if .Values.http_proxy }}
|
||||
{{- with .Values.http_proxy }}
|
||||
- name: HTTP_PROXY
|
||||
value: {{ .Values.http_proxy }}
|
||||
value: {{ . }}
|
||||
{{- end }}
|
||||
{{- if .Values.https_proxy }}
|
||||
{{- with .Values.https_proxy }}
|
||||
- name: HTTPS_PROXY
|
||||
value: {{ .Values.https_proxy }}
|
||||
value: {{ . }}
|
||||
{{- end }}
|
||||
{{- if .Values.no_proxy }}
|
||||
{{- with .Values.no_proxy }}
|
||||
- name: NO_PROXY
|
||||
value: {{ .Values.no_proxy }}
|
||||
value: {{ . }}
|
||||
{{- end }}
|
||||
{{- with .Values.resources }}
|
||||
resources:
|
||||
{{ toYaml .Values.resources | indent 12 }}
|
||||
{{- toYaml . | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- with .Values.nodeSelector }}
|
||||
nodeSelector:
|
||||
{{ toYaml . | indent 8 }}
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.affinity }}
|
||||
affinity:
|
||||
{{ toYaml . | indent 8 }}
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.tolerations }}
|
||||
tolerations:
|
||||
{{ toYaml . | indent 8 }}
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- if .Values.podDnsPolicy }}
|
||||
dnsPolicy: {{ .Values.podDnsPolicy }}
|
||||
{{- with .Values.topologySpreadConstraints }}
|
||||
topologySpreadConstraints:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- if .Values.podDnsConfig }}
|
||||
{{- with .Values.podDnsPolicy }}
|
||||
dnsPolicy: {{ . }}
|
||||
{{- end }}
|
||||
{{- with .Values.podDnsConfig }}
|
||||
dnsConfig:
|
||||
{{ toYaml .Values.podDnsConfig | indent 8 }}
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
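Review bot: The new `{{- with .Values.securityContext }}` block prints the whole map with `toYaml .`, so a values file that still carries the legacy `securityContext.enabled` key gets `enabled: ...` emitted under the pod `securityContext`, which is not a PodSecurityContext field. The removed branch also defaulted `fsGroup` and `runAsUser` to 1001 when `enabled` was true, and skipped the block when it was explicitly false; neither behaviour is replaced here. I would fail fast as the first line inside the `with`, e.g. `{{- if hasKey . "enabled" }}{{ fail "securityContext.enabled is no longer supported; set the pod securityContext fields directly" }}{{- end }}`. That way an upgrade surfaces the stale key instead of rendering an unexpected pod security context.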
|
||||
|
|
|
@ -0,0 +1,23 @@
|
|||
{{- if .Values.webhook.networkPolicy.enabled }}
|
||||
apiVersion: networking.k8s.io/v1
|
||||
kind: NetworkPolicy
|
||||
metadata:
|
||||
name: {{ template "webhook.fullname" . }}-allow-egress
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
spec:
|
||||
egress:
|
||||
{{- with .Values.webhook.networkPolicy.egress }}
|
||||
{{- toYaml . | nindent 2 }}
|
||||
{{- end }}
|
||||
podSelector:
|
||||
matchLabels:
|
||||
app: {{ include "webhook.name" . }}
|
||||
app.kubernetes.io/name: {{ include "webhook.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "webhook"
|
||||
{{- with .Values.webhook.podLabels }}
|
||||
{{- toYaml . | nindent 6 }}
|
||||
{{- end }}
|
||||
policyTypes:
|
||||
- Egress
|
||||
{{- end }}
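Review bot: When `webhook.networkPolicy.enabled` is true but `webhook.networkPolicy.egress` is empty, the `with` block emits nothing and the manifest is left with a bare `egress:` key while `policyTypes` lists `Egress`. Kubernetes reads that as no egress allowed for the selected webhook pods. That fails closed, but silently: the README row in this commit lists the default as `{}`, so if the shipped values match, enabling the flag alone would isolate the webhook. I would add a comment above the key, e.g. `# An empty webhook.networkPolicy.egress denies all egress from the webhook pods.`, and repeat the caveat in the README row. The `-allow-ingress` policy in the next file has the same shape, where an empty list would block admission calls reaching the webhook.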
|
|
@ -0,0 +1,25 @@
|
|||
{{- if .Values.webhook.networkPolicy.enabled }}
|
||||
|
||||
apiVersion: networking.k8s.io/v1
|
||||
kind: NetworkPolicy
|
||||
metadata:
|
||||
name: {{ template "webhook.fullname" . }}-allow-ingress
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
spec:
|
||||
ingress:
|
||||
{{- with .Values.webhook.networkPolicy.ingress }}
|
||||
{{- toYaml . | nindent 2 }}
|
||||
{{- end }}
|
||||
podSelector:
|
||||
matchLabels:
|
||||
app: {{ include "webhook.name" . }}
|
||||
app.kubernetes.io/name: {{ include "webhook.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "webhook"
|
||||
{{- with .Values.webhook.podLabels }}
|
||||
{{- toYaml . | nindent 6 }}
|
||||
{{- end }}
|
||||
policyTypes:
|
||||
- Ingress
|
||||
|
||||
{{- end }}
|
|
@ -16,5 +16,5 @@ roleRef:
|
|||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: {{ template "cert-manager.serviceAccountName" . }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
{{- end }}
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
{{- if .Values.global.rbac.create -}}
|
||||
{{- if .Values.global.rbac.create }}
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: Role
|
||||
metadata:
|
||||
|
@ -11,15 +11,6 @@ metadata:
|
|||
app.kubernetes.io/component: "controller"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
rules:
|
||||
# Used for leader election by the controller
|
||||
# See also: https://github.com/kubernetes-sigs/controller-runtime/pull/1144#discussion_r480173688
|
||||
- apiGroups: [""]
|
||||
resources: ["configmaps"]
|
||||
resourceNames: ["cert-manager-controller"]
|
||||
verbs: ["get", "update", "patch"]
|
||||
- apiGroups: [""]
|
||||
resources: ["configmaps"]
|
||||
verbs: ["create"]
|
||||
- apiGroups: ["coordination.k8s.io"]
|
||||
resources: ["leases"]
|
||||
resourceNames: ["cert-manager-controller"]
|
||||
|
@ -51,7 +42,7 @@ subjects:
|
|||
- apiGroup: ""
|
||||
kind: ServiceAccount
|
||||
name: {{ template "cert-manager.serviceAccountName" . }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
|
||||
---
|
||||
|
||||
|
@ -69,7 +60,7 @@ metadata:
|
|||
rules:
|
||||
- apiGroups: ["cert-manager.io"]
|
||||
resources: ["issuers", "issuers/status"]
|
||||
verbs: ["update"]
|
||||
verbs: ["update", "patch"]
|
||||
- apiGroups: ["cert-manager.io"]
|
||||
resources: ["issuers"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
|
@ -96,7 +87,7 @@ metadata:
|
|||
rules:
|
||||
- apiGroups: ["cert-manager.io"]
|
||||
resources: ["clusterissuers", "clusterissuers/status"]
|
||||
verbs: ["update"]
|
||||
verbs: ["update", "patch"]
|
||||
- apiGroups: ["cert-manager.io"]
|
||||
resources: ["clusterissuers"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
|
@ -123,7 +114,7 @@ metadata:
|
|||
rules:
|
||||
- apiGroups: ["cert-manager.io"]
|
||||
resources: ["certificates", "certificates/status", "certificaterequests", "certificaterequests/status"]
|
||||
verbs: ["update"]
|
||||
verbs: ["update", "patch"]
|
||||
- apiGroups: ["cert-manager.io"]
|
||||
resources: ["certificates", "certificaterequests", "clusterissuers", "issuers"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
|
@ -138,7 +129,7 @@ rules:
|
|||
verbs: ["create", "delete", "get", "list", "watch"]
|
||||
- apiGroups: [""]
|
||||
resources: ["secrets"]
|
||||
verbs: ["get", "list", "watch", "create", "update", "delete"]
|
||||
verbs: ["get", "list", "watch", "create", "update", "delete", "patch"]
|
||||
- apiGroups: [""]
|
||||
resources: ["events"]
|
||||
verbs: ["create", "patch"]
|
||||
|
@ -159,7 +150,7 @@ metadata:
|
|||
rules:
|
||||
- apiGroups: ["acme.cert-manager.io"]
|
||||
resources: ["orders", "orders/status"]
|
||||
verbs: ["update"]
|
||||
verbs: ["update", "patch"]
|
||||
- apiGroups: ["acme.cert-manager.io"]
|
||||
resources: ["orders", "challenges"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
|
@ -199,7 +190,7 @@ rules:
|
|||
# Use to update challenge resource status
|
||||
- apiGroups: ["acme.cert-manager.io"]
|
||||
resources: ["challenges", "challenges/status"]
|
||||
verbs: ["update"]
|
||||
verbs: ["update", "patch"]
|
||||
# Used to watch challenge resources
|
||||
- apiGroups: ["acme.cert-manager.io"]
|
||||
resources: ["challenges"]
|
||||
|
@ -223,7 +214,7 @@ rules:
|
|||
- apiGroups: ["networking.k8s.io"]
|
||||
resources: ["ingresses"]
|
||||
verbs: ["get", "list", "watch", "create", "delete", "update"]
|
||||
- apiGroups: [ "networking.x-k8s.io" ]
|
||||
- apiGroups: [ "gateway.networking.k8s.io" ]
|
||||
resources: [ "httproutes" ]
|
||||
verbs: ["get", "list", "watch", "create", "delete", "update"]
|
||||
# We require the ability to specify a custom hostname when we are creating
|
||||
|
@ -272,10 +263,10 @@ rules:
|
|||
- apiGroups: ["networking.k8s.io"]
|
||||
resources: ["ingresses/finalizers"]
|
||||
verbs: ["update"]
|
||||
- apiGroups: ["networking.x-k8s.io"]
|
||||
- apiGroups: ["gateway.networking.k8s.io"]
|
||||
resources: ["gateways", "httproutes"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
- apiGroups: ["networking.x-k8s.io"]
|
||||
- apiGroups: ["gateway.networking.k8s.io"]
|
||||
resources: ["gateways/finalizers", "httproutes/finalizers"]
|
||||
verbs: ["update"]
|
||||
- apiGroups: [""]
|
||||
|
@ -300,7 +291,7 @@ roleRef:
|
|||
name: {{ template "cert-manager.fullname" . }}-controller-issuers
|
||||
subjects:
|
||||
- name: {{ template "cert-manager.serviceAccountName" . }}
|
||||
namespace: {{ .Release.Namespace | quote }}
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
kind: ServiceAccount
|
||||
|
||||
---
|
||||
|
@ -321,7 +312,7 @@ roleRef:
|
|||
name: {{ template "cert-manager.fullname" . }}-controller-clusterissuers
|
||||
subjects:
|
||||
- name: {{ template "cert-manager.serviceAccountName" . }}
|
||||
namespace: {{ .Release.Namespace | quote }}
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
kind: ServiceAccount
|
||||
|
||||
---
|
||||
|
@ -342,7 +333,7 @@ roleRef:
|
|||
name: {{ template "cert-manager.fullname" . }}-controller-certificates
|
||||
subjects:
|
||||
- name: {{ template "cert-manager.serviceAccountName" . }}
|
||||
namespace: {{ .Release.Namespace | quote }}
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
kind: ServiceAccount
|
||||
|
||||
---
|
||||
|
@ -363,7 +354,7 @@ roleRef:
|
|||
name: {{ template "cert-manager.fullname" . }}-controller-orders
|
||||
subjects:
|
||||
- name: {{ template "cert-manager.serviceAccountName" . }}
|
||||
namespace: {{ .Release.Namespace | quote }}
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
kind: ServiceAccount
|
||||
|
||||
---
|
||||
|
@ -384,7 +375,7 @@ roleRef:
|
|||
name: {{ template "cert-manager.fullname" . }}-controller-challenges
|
||||
subjects:
|
||||
- name: {{ template "cert-manager.serviceAccountName" . }}
|
||||
namespace: {{ .Release.Namespace | quote }}
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
kind: ServiceAccount
|
||||
|
||||
---
|
||||
|
@ -405,7 +396,7 @@ roleRef:
|
|||
name: {{ template "cert-manager.fullname" . }}-controller-ingress-shim
|
||||
subjects:
|
||||
- name: {{ template "cert-manager.serviceAccountName" . }}
|
||||
namespace: {{ .Release.Namespace | quote }}
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
kind: ServiceAccount
|
||||
|
||||
---
|
||||
|
@ -420,9 +411,11 @@ metadata:
|
|||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "controller"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
{{- if .Values.global.rbac.aggregateClusterRoles }}
|
||||
rbac.authorization.k8s.io/aggregate-to-view: "true"
|
||||
rbac.authorization.k8s.io/aggregate-to-edit: "true"
|
||||
rbac.authorization.k8s.io/aggregate-to-admin: "true"
|
||||
{{- end }}
|
||||
rules:
|
||||
- apiGroups: ["cert-manager.io"]
|
||||
resources: ["certificates", "certificaterequests", "issuers"]
|
||||
|
@ -444,12 +437,17 @@ metadata:
|
|||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "controller"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
{{- if .Values.global.rbac.aggregateClusterRoles }}
|
||||
rbac.authorization.k8s.io/aggregate-to-edit: "true"
|
||||
rbac.authorization.k8s.io/aggregate-to-admin: "true"
|
||||
{{- end }}
|
||||
rules:
|
||||
- apiGroups: ["cert-manager.io"]
|
||||
resources: ["certificates", "certificaterequests", "issuers"]
|
||||
verbs: ["create", "delete", "deletecollection", "patch", "update"]
|
||||
- apiGroups: ["cert-manager.io"]
|
||||
resources: ["certificates/status"]
|
||||
verbs: ["update"]
|
||||
- apiGroups: ["acme.cert-manager.io"]
|
||||
resources: ["challenges", "orders"]
|
||||
verbs: ["create", "delete", "deletecollection", "patch", "update"]
|
||||
|
@ -491,7 +489,7 @@ roleRef:
|
|||
name: {{ template "cert-manager.fullname" . }}-controller-approve:cert-manager-io
|
||||
subjects:
|
||||
- name: {{ template "cert-manager.serviceAccountName" . }}
|
||||
namespace: {{ .Release.Namespace | quote }}
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
kind: ServiceAccount
|
||||
|
||||
---
|
||||
|
@ -515,7 +513,7 @@ rules:
|
|||
verbs: ["get", "list", "watch", "update"]
|
||||
- apiGroups: ["certificates.k8s.io"]
|
||||
resources: ["certificatesigningrequests/status"]
|
||||
verbs: ["update"]
|
||||
verbs: ["update", "patch"]
|
||||
- apiGroups: ["certificates.k8s.io"]
|
||||
resources: ["signers"]
|
||||
resourceNames: ["issuers.cert-manager.io/*", "clusterissuers.cert-manager.io/*"]
|
||||
|
@ -542,6 +540,6 @@ roleRef:
|
|||
name: {{ template "cert-manager.fullname" . }}-controller-certificatesigningrequests
|
||||
subjects:
|
||||
- name: {{ template "cert-manager.serviceAccountName" . }}
|
||||
namespace: {{ .Release.Namespace | quote }}
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
kind: ServiceAccount
|
||||
{{- end }}
|
||||
|
|
|
@ -3,15 +3,19 @@ apiVersion: v1
|
|||
kind: Service
|
||||
metadata:
|
||||
name: {{ template "cert-manager.fullname" . }}
|
||||
namespace: {{ .Release.Namespace | quote }}
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
{{- with .Values.serviceAnnotations }}
|
||||
annotations:
|
||||
{{ toYaml . | indent 4 }}
|
||||
{{- end }}
|
||||
labels:
|
||||
app: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "controller"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
{{- if .Values.serviceLabels }}
|
||||
{{ toYaml .Values.serviceLabels | indent 4 }}
|
||||
{{- with .Values.serviceLabels }}
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
type: ClusterIP
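Review bot: The replacement line `namespace: {{ include "cert-manager.namespace" . }}` no longer pipes through `quote`, which the `.Release.Namespace | quote` form it replaces did. The helper is defined outside this view; if it returns the bare name, a namespace made only of digits would render as a YAML integer and the manifest would be rejected. I would keep the quoting at the call site, `namespace: {{ include "cert-manager.namespace" . | quote }}`, as the `inject-ca-from-secret` annotation in the webhook configuration template already does with `printf ... | quote`. The same unquoted form appears in the ServiceAccount, ServiceMonitor, startupapicheck Job/Role/RoleBinding, webhook ConfigMap/Deployment/Role/RoleBinding/Service templates and in the RBAC `subjects` entries.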
|
||||
|
|
|
@ -1,16 +1,17 @@
|
|||
{{- if .Values.serviceAccount.create -}}
|
||||
{{- if .Values.serviceAccount.create }}
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
{{- if .Values.global.imagePullSecrets }}
|
||||
imagePullSecrets: {{ toYaml .Values.global.imagePullSecrets | nindent 2 }}
|
||||
{{- with .Values.global.imagePullSecrets }}
|
||||
imagePullSecrets:
|
||||
{{- toYaml . | nindent 2 }}
|
||||
{{- end }}
|
||||
automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}
|
||||
metadata:
|
||||
name: {{ template "cert-manager.serviceAccountName" . }}
|
||||
namespace: {{ .Release.Namespace | quote }}
|
||||
{{- if .Values.serviceAccount.annotations }}
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
{{- with .Values.serviceAccount.annotations }}
|
||||
annotations:
|
||||
{{ toYaml .Values.serviceAccount.annotations | indent 4 }}
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
labels:
|
||||
app: {{ include "cert-manager.name" . }}
|
||||
|
@ -18,4 +19,7 @@ metadata:
|
|||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "controller"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
{{- with .Values.serviceAccount.labels }}
|
||||
{{ toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- end }}
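Review bot: The added `serviceAccount.labels` block uses `{{ toYaml . | nindent 4 }}` without the left trim marker, while every other `with` block touched in this file uses `{{- toYaml . | nindent 4 }}`. Since `nindent` already emits a leading newline, the untrimmed form likely leaves a whitespace-only line inside the rendered `labels:` map. For consistency I would write `{{- toYaml . | nindent 4 }}` here. The startupapicheck ServiceAccount template has the same line for `startupapicheck.serviceAccount.labels`.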
|
||||
|
|
|
@ -6,7 +6,7 @@ metadata:
|
|||
{{- if .Values.prometheus.servicemonitor.namespace }}
|
||||
namespace: {{ .Values.prometheus.servicemonitor.namespace }}
|
||||
{{- else }}
|
||||
namespace: {{ .Release.Namespace | quote }}
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
{{- end }}
|
||||
labels:
|
||||
app: {{ include "cert-manager.name" . }}
|
||||
|
@ -15,8 +15,14 @@ metadata:
|
|||
app.kubernetes.io/component: "controller"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
prometheus: {{ .Values.prometheus.servicemonitor.prometheusInstance }}
|
||||
{{- if .Values.prometheus.servicemonitor.labels }}
|
||||
{{ toYaml .Values.prometheus.servicemonitor.labels | indent 4}}
|
||||
{{- with .Values.prometheus.servicemonitor.labels }}
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- if .Values.prometheus.servicemonitor.annotations }}
|
||||
annotations:
|
||||
{{- with .Values.prometheus.servicemonitor.annotations }}
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
spec:
|
||||
jobLabel: {{ template "cert-manager.fullname" . }}
|
||||
|
@ -25,12 +31,15 @@ spec:
|
|||
app.kubernetes.io/name: {{ template "cert-manager.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "controller"
|
||||
{{- if .Values.prometheus.servicemonitor.namespace }}
|
||||
namespaceSelector:
|
||||
matchNames:
|
||||
- {{ .Release.Namespace }}
|
||||
- {{ include "cert-manager.namespace" . }}
|
||||
{{- end }}
|
||||
endpoints:
|
||||
- targetPort: {{ .Values.prometheus.servicemonitor.targetPort }}
|
||||
path: {{ .Values.prometheus.servicemonitor.path }}
|
||||
interval: {{ .Values.prometheus.servicemonitor.interval }}
|
||||
scrapeTimeout: {{ .Values.prometheus.servicemonitor.scrapeTimeout }}
|
||||
honorLabels: {{ .Values.prometheus.servicemonitor.honorLabels }}
|
||||
{{- end }}
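Review bot: The new annotations block nests `{{- with .Values.prometheus.servicemonitor.annotations }}` inside `{{- if .Values.prometheus.servicemonitor.annotations }}`, testing the same value twice. The other blocks in this commit use a single `with` that wraps both the key and the `toYaml` line; doing the same here (`{{- with .Values.prometheus.servicemonitor.annotations }}`, `annotations:`, `{{- toYaml . | nindent 4 }}`, `{{- end }}`) removes one level of nesting and one `{{- end }}`. Separately, `honorLabels: {{ .Values.prometheus.servicemonitor.honorLabels }}` renders an empty value if the key is absent from the values; a comment stating the expected default next to that line would help, since honoring target-supplied labels changes which side wins on label conflicts.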
|
||||
|
|
|
@ -1,18 +1,18 @@
|
|||
{{- if .Values.startupapicheck.enabled -}}
|
||||
{{- if .Values.startupapicheck.enabled }}
|
||||
apiVersion: batch/v1
|
||||
kind: Job
|
||||
metadata:
|
||||
name: {{ include "startupapicheck.fullname" . }}
|
||||
namespace: {{ .Release.Namespace | quote }}
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
labels:
|
||||
app: {{ include "startupapicheck.name" . }}
|
||||
app.kubernetes.io/name: {{ include "startupapicheck.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "startupapicheck"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
{{- if .Values.startupapicheck.jobAnnotations }}
|
||||
{{- with .Values.startupapicheck.jobAnnotations }}
|
||||
annotations:
|
||||
{{ toYaml .Values.startupapicheck.jobAnnotations | indent 4 }}
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
backoffLimit: {{ .Values.startupapicheck.backoffLimit }}
|
||||
|
@ -24,25 +24,25 @@ spec:
|
|||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "startupapicheck"
|
||||
{{- include "labels" . | nindent 8 }}
|
||||
{{- if .Values.startupapicheck.podLabels }}
|
||||
{{ toYaml .Values.startupapicheck.podLabels | indent 8 }}
|
||||
{{- with .Values.startupapicheck.podLabels }}
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- if .Values.startupapicheck.podAnnotations }}
|
||||
{{- with .Values.startupapicheck.podAnnotations }}
|
||||
annotations:
|
||||
{{ toYaml .Values.startupapicheck.podAnnotations | indent 8 }}
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
restartPolicy: OnFailure
|
||||
serviceAccountName: {{ template "startupapicheck.serviceAccountName" . }}
|
||||
{{- if .Values.global.priorityClassName }}
|
||||
priorityClassName: {{ .Values.global.priorityClassName | quote }}
|
||||
{{- with .Values.global.priorityClassName }}
|
||||
priorityClassName: {{ . | quote }}
|
||||
{{- end }}
|
||||
{{- if .Values.startupapicheck.securityContext}}
|
||||
{{- with .Values.startupapicheck.securityContext }}
|
||||
securityContext:
|
||||
{{ toYaml .Values.startupapicheck.securityContext | indent 8 }}
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
containers:
|
||||
- name: {{ .Chart.Name }}
|
||||
- name: {{ .Chart.Name }}-startupapicheck
|
||||
{{- with .Values.startupapicheck.image }}
|
||||
image: "{{- if .registry -}}{{ .registry }}/{{- end -}}{{ .repository }}{{- if (.digest) -}} @{{ .digest }}{{- else -}}:{{ default $.Chart.AppVersion .tag }} {{- end -}}"
|
||||
{{- end }}
|
||||
|
@ -51,25 +51,27 @@ spec:
|
|||
- check
|
||||
- api
|
||||
- --wait={{ .Values.startupapicheck.timeout }}
|
||||
{{- if .Values.startupapicheck.extraArgs }}
|
||||
{{ toYaml .Values.startupapicheck.extraArgs | indent 10 }}
|
||||
{{- with .Values.startupapicheck.extraArgs }}
|
||||
{{- toYaml . | nindent 10 }}
|
||||
{{- end }}
|
||||
{{- if .Values.startupapicheck.containerSecurityContext }}
|
||||
{{- with .Values.startupapicheck.containerSecurityContext }}
|
||||
securityContext:
|
||||
{{- toYaml .Values.startupapicheck.containerSecurityContext | nindent 12 }}
|
||||
{{- toYaml . | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- with .Values.startupapicheck.resources }}
|
||||
resources:
|
||||
{{ toYaml .Values.startupapicheck.resources | indent 12 }}
|
||||
{{- toYaml . | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- with .Values.startupapicheck.nodeSelector }}
|
||||
nodeSelector:
|
||||
{{ toYaml . | indent 8 }}
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.startupapicheck.affinity }}
|
||||
affinity:
|
||||
{{ toYaml . | indent 8 }}
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.startupapicheck.tolerations }}
|
||||
tolerations:
|
||||
{{ toYaml . | indent 8 }}
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end -}}
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
{{- if .Values.startupapicheck.enabled -}}
|
||||
{{- if .Values.startupapicheck.enabled }}
|
||||
{{- if .Values.global.podSecurityPolicy.enabled }}
|
||||
kind: ClusterRole
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
|
@ -10,9 +10,9 @@ metadata:
|
|||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "startupapicheck"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
{{- if .Values.startupapicheck.rbac.annotations }}
|
||||
{{- with .Values.startupapicheck.rbac.annotations }}
|
||||
annotations:
|
||||
{{ toYaml .Values.startupapicheck.rbac.annotations | nindent 4 }}
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
rules:
|
||||
- apiGroups: ['policy']
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
{{- if .Values.startupapicheck.enabled -}}
|
||||
{{- if .Values.startupapicheck.enabled }}
|
||||
{{- if .Values.global.podSecurityPolicy.enabled }}
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
|
@ -10,9 +10,9 @@ metadata:
|
|||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "startupapicheck"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
{{- if .Values.startupapicheck.rbac.annotations }}
|
||||
{{- with .Values.startupapicheck.rbac.annotations }}
|
||||
annotations:
|
||||
{{ toYaml .Values.startupapicheck.rbac.annotations | nindent 4 }}
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
|
@ -21,6 +21,6 @@ roleRef:
|
|||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: {{ template "startupapicheck.serviceAccountName" . }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
{{- if .Values.startupapicheck.enabled -}}
|
||||
{{- if .Values.startupapicheck.enabled }}
|
||||
{{- if .Values.global.podSecurityPolicy.enabled }}
|
||||
apiVersion: policy/v1beta1
|
||||
kind: PodSecurityPolicy
|
||||
|
@ -17,8 +17,8 @@ metadata:
|
|||
apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
|
||||
apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
|
||||
{{- end }}
|
||||
{{- if .Values.startupapicheck.rbac.annotations }}
|
||||
{{ toYaml .Values.startupapicheck.rbac.annotations | nindent 4 }}
|
||||
{{- with .Values.startupapicheck.rbac.annotations }}
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
privileged: false
|
||||
|
@ -47,5 +47,5 @@ spec:
|
|||
ranges:
|
||||
- min: 1000
|
||||
max: 1000
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
|
|
@ -1,41 +1,40 @@
|
|||
{{- if .Values.startupapicheck.enabled -}}
|
||||
{{- if .Values.global.rbac.create -}}
|
||||
{{- if .Values.startupapicheck.enabled }}
|
||||
{{- if .Values.global.rbac.create }}
|
||||
# create certificate role
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: Role
|
||||
metadata:
|
||||
name: {{ template "startupapicheck.fullname" . }}:create-cert
|
||||
namespace: {{ .Release.Namespace | quote }}
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
labels:
|
||||
app: {{ include "startupapicheck.name" . }}
|
||||
app.kubernetes.io/name: {{ include "startupapicheck.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "startupapicheck"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
{{- if .Values.startupapicheck.rbac.annotations }}
|
||||
{{- with .Values.startupapicheck.rbac.annotations }}
|
||||
annotations:
|
||||
{{ toYaml .Values.startupapicheck.rbac.annotations | indent 4 }}
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
rules:
|
||||
- apiGroups: ["cert-manager.io"]
|
||||
resources: ["certificates"]
|
||||
verbs: ["create"]
|
||||
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: RoleBinding
|
||||
metadata:
|
||||
name: {{ include "startupapicheck.fullname" . }}:create-cert
|
||||
namespace: {{ .Release.Namespace | quote }}
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
labels:
|
||||
app: {{ include "startupapicheck.name" . }}
|
||||
app.kubernetes.io/name: {{ include "startupapicheck.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "startupapicheck"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
{{- if .Values.startupapicheck.rbac.annotations }}
|
||||
{{- with .Values.startupapicheck.rbac.annotations }}
|
||||
annotations:
|
||||
{{ toYaml .Values.startupapicheck.rbac.annotations | indent 4 }}
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
|
@ -44,6 +43,6 @@ roleRef:
|
|||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: {{ template "startupapicheck.serviceAccountName" . }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
|
|
@ -1,14 +1,14 @@
|
|||
{{- if .Values.startupapicheck.enabled -}}
|
||||
{{- if .Values.startupapicheck.serviceAccount.create -}}
|
||||
{{- if .Values.startupapicheck.enabled }}
|
||||
{{- if .Values.startupapicheck.serviceAccount.create }}
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
automountServiceAccountToken: {{ .Values.startupapicheck.serviceAccount.automountServiceAccountToken }}
|
||||
metadata:
|
||||
name: {{ template "startupapicheck.serviceAccountName" . }}
|
||||
namespace: {{ .Release.Namespace | quote }}
|
||||
{{- if .Values.startupapicheck.serviceAccount.annotations }}
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
{{- with .Values.startupapicheck.serviceAccount.annotations }}
|
||||
annotations:
|
||||
{{ toYaml .Values.startupapicheck.serviceAccount.annotations | indent 4 }}
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
labels:
|
||||
app: {{ include "startupapicheck.name" . }}
|
||||
|
@ -16,8 +16,12 @@ metadata:
|
|||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "startupapicheck"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
{{- if .Values.global.imagePullSecrets }}
|
||||
imagePullSecrets: {{ toYaml .Values.global.imagePullSecrets | nindent 2 }}
|
||||
{{- with .Values.startupapicheck.serviceAccount.labels }}
|
||||
{{ toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- with .Values.global.imagePullSecrets }}
|
||||
imagePullSecrets:
|
||||
{{- toYaml . | nindent 2 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
|
|
@ -0,0 +1,25 @@
|
|||
{{- if .Values.webhook.config -}}
|
||||
{{- if not .Values.webhook.config.apiVersion -}}
|
||||
{{- fail "webhook.config.apiVersion must be set" -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- if not .Values.webhook.config.kind -}}
|
||||
{{- fail "webhook.config.kind must be set" -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: {{ include "webhook.fullname" . }}
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
labels:
|
||||
app: {{ include "webhook.name" . }}
|
||||
app.kubernetes.io/name: {{ include "webhook.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "webhook"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
data:
|
||||
{{- if .Values.webhook.config }}
|
||||
config.yaml: |
|
||||
{{ .Values.webhook.config | toYaml | nindent 4 }}
|
||||
{{- end }}
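Review bot: The `{{- if .Values.webhook.config -}}` guard at the top of this new file only wraps the two `fail` checks, so the ConfigMap itself is rendered even when `webhook.config` is unset, with an empty `data:` key. The Deployment mounts this ConfigMap only when `webhook.config` is set, so the empty object serves no purpose in the default install; I would close the outer guard at the end of the file instead, so that the whole manifest sits between `{{- if .Values.webhook.config }}` and `{{- end }}` and the inner `if` under `data:` can go. The validation also checks only that `apiVersion` and `kind` are present, not their values; a one-line comment saying that value validation is left to the webhook binary would make that intent explicit.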
|
|
@ -2,16 +2,16 @@ apiVersion: apps/v1
|
|||
kind: Deployment
|
||||
metadata:
|
||||
name: {{ include "webhook.fullname" . }}
|
||||
namespace: {{ .Release.Namespace | quote }}
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
labels:
|
||||
app: {{ include "webhook.name" . }}
|
||||
app.kubernetes.io/name: {{ include "webhook.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "webhook"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
{{- if .Values.webhook.deploymentAnnotations }}
|
||||
{{- with .Values.webhook.deploymentAnnotations }}
|
||||
annotations:
|
||||
{{ toYaml .Values.webhook.deploymentAnnotations | indent 4 }}
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
replicas: {{ .Values.webhook.replicaCount }}
|
||||
|
@ -22,7 +22,7 @@ spec:
|
|||
app.kubernetes.io/component: "webhook"
|
||||
{{- with .Values.webhook.strategy }}
|
||||
strategy:
|
||||
{{- . | toYaml | nindent 4 }}
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
template:
|
||||
metadata:
|
||||
|
@ -32,27 +32,30 @@ spec:
|
|||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "webhook"
|
||||
{{- include "labels" . | nindent 8 }}
|
||||
{{- if .Values.webhook.podLabels }}
|
||||
{{ toYaml .Values.webhook.podLabels | indent 8 }}
|
||||
{{- with .Values.webhook.podLabels }}
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- if .Values.webhook.podAnnotations }}
|
||||
{{- with .Values.webhook.podAnnotations }}
|
||||
annotations:
|
||||
{{ toYaml .Values.webhook.podAnnotations | indent 8 }}
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
serviceAccountName: {{ template "webhook.serviceAccountName" . }}
|
||||
{{- if .Values.global.priorityClassName }}
|
||||
priorityClassName: {{ .Values.global.priorityClassName | quote }}
|
||||
{{- if hasKey .Values.webhook "automountServiceAccountToken" }}
|
||||
automountServiceAccountToken: {{ .Values.webhook.automountServiceAccountToken }}
|
||||
{{- end }}
|
||||
{{- if .Values.webhook.securityContext}}
|
||||
{{- with .Values.global.priorityClassName }}
|
||||
priorityClassName: {{ . | quote }}
|
||||
{{- end }}
|
||||
{{- with .Values.webhook.securityContext }}
|
||||
securityContext:
|
||||
{{ toYaml .Values.webhook.securityContext | indent 8 }}
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- if .Values.webhook.hostNetwork }}
|
||||
hostNetwork: true
|
||||
{{- end }}
|
||||
containers:
|
||||
- name: {{ .Chart.Name }}
|
||||
- name: {{ .Chart.Name }}-webhook
|
||||
{{- with .Values.webhook.image }}
|
||||
image: "{{- if .registry -}}{{ .registry }}/{{- end -}}{{ .repository }}{{- if (.digest) -}} @{{ .digest }}{{- else -}}:{{ default $.Chart.AppVersion .tag }} {{- end -}}"
|
||||
{{- end }}
|
||||
|
@ -61,21 +64,55 @@ spec:
|
|||
{{- if .Values.global.logLevel }}
|
||||
- --v={{ .Values.global.logLevel }}
|
||||
{{- end }}
|
||||
{{- if .Values.webhook.config }}
|
||||
- --config=/var/cert-manager/config/config.yaml
|
||||
{{- end }}
|
||||
{{- $config := default .Values.webhook.config "" }}
|
||||
{{ if not $config.securePort -}}
|
||||
- --secure-port={{ .Values.webhook.securePort }}
|
||||
{{- end }}
|
||||
{{- if .Values.featureGates }}
|
||||
- --feature-gates={{ .Values.featureGates }}
|
||||
{{- end }}
|
||||
{{- $tlsConfig := default $config.tlsConfig "" }}
|
||||
{{ if or (not $config.tlsConfig) (and (not $tlsConfig.dynamic) (not $tlsConfig.filesystem) ) -}}
|
||||
- --dynamic-serving-ca-secret-namespace=$(POD_NAMESPACE)
|
||||
- --dynamic-serving-ca-secret-name={{ template "webhook.fullname" . }}-ca
|
||||
- --dynamic-serving-dns-names={{ template "webhook.fullname" . }},{{ template "webhook.fullname" . }}.{{ .Release.Namespace }},{{ template "webhook.fullname" . }}.{{ .Release.Namespace }}.svc{{ if .Values.webhook.url.host }},{{ .Values.webhook.url.host }}{{ end }}
|
||||
{{- if .Values.webhook.extraArgs }}
|
||||
{{ toYaml .Values.webhook.extraArgs | indent 10 }}
|
||||
- --dynamic-serving-dns-names={{ template "webhook.fullname" . }}
|
||||
- --dynamic-serving-dns-names={{ template "webhook.fullname" . }}.$(POD_NAMESPACE)
|
||||
- --dynamic-serving-dns-names={{ template "webhook.fullname" . }}.$(POD_NAMESPACE).svc
|
||||
{{ if .Values.webhook.url.host }}
|
||||
- --dynamic-serving-dns-names={{ .Values.webhook.url.host }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- with .Values.webhook.extraArgs }}
|
||||
{{- toYaml . | nindent 10 }}
|
||||
{{- end }}
|
||||
ports:
|
||||
- name: https
|
||||
protocol: TCP
|
||||
{{- if $config.securePort }}
|
||||
containerPort: {{ $config.securePort }}
|
||||
{{- else if .Values.webhook.securePort }}
|
||||
containerPort: {{ .Values.webhook.securePort }}
|
||||
{{- else }}
|
||||
containerPort: 6443
|
||||
{{- end }}
|
||||
- name: healthcheck
|
||||
protocol: TCP
|
||||
{{- if $config.healthzPort }}
|
||||
containerPort: {{ $config.healthzPort }}
|
||||
{{- else }}
|
||||
containerPort: 6080
|
||||
{{- end }}
|
||||
livenessProbe:
|
||||
httpGet:
|
||||
path: /livez
|
||||
{{- if $config.healthzPort }}
|
||||
port: {{ $config.healthzPort }}
|
||||
{{- else }}
|
||||
port: 6080
|
||||
{{- end }}
|
||||
scheme: HTTP
|
||||
initialDelaySeconds: {{ .Values.webhook.livenessProbe.initialDelaySeconds }}
|
||||
periodSeconds: {{ .Values.webhook.livenessProbe.periodSeconds }}
|
||||
|
@ -85,33 +122,54 @@ spec:
|
|||
readinessProbe:
|
||||
httpGet:
|
||||
path: /healthz
|
||||
{{- if $config.healthzPort }}
|
||||
port: {{ $config.healthzPort }}
|
||||
{{- else }}
|
||||
port: 6080
|
||||
{{- end }}
|
||||
scheme: HTTP
|
||||
initialDelaySeconds: {{ .Values.webhook.readinessProbe.initialDelaySeconds }}
|
||||
periodSeconds: {{ .Values.webhook.readinessProbe.periodSeconds }}
|
||||
timeoutSeconds: {{ .Values.webhook.readinessProbe.timeoutSeconds }}
|
||||
successThreshold: {{ .Values.webhook.readinessProbe.successThreshold }}
|
||||
failureThreshold: {{ .Values.webhook.readinessProbe.failureThreshold }}
|
||||
{{- if .Values.webhook.containerSecurityContext }}
|
||||
{{- with .Values.webhook.containerSecurityContext }}
|
||||
securityContext:
|
||||
{{- toYaml .Values.webhook.containerSecurityContext | nindent 12 }}
|
||||
{{- toYaml . | nindent 12 }}
|
||||
{{- end }}
|
||||
env:
|
||||
- name: POD_NAMESPACE
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: metadata.namespace
|
||||
{{- with .Values.webhook.resources }}
|
||||
resources:
|
||||
{{ toYaml .Values.webhook.resources | indent 12 }}
|
||||
{{- toYaml . | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- if .Values.webhook.config }}
|
||||
volumeMounts:
|
||||
- name: config
|
||||
mountPath: /var/cert-manager/config
|
||||
{{- end }}
|
||||
{{- with .Values.webhook.nodeSelector }}
|
||||
nodeSelector:
|
||||
{{ toYaml . | indent 8 }}
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.webhook.affinity }}
|
||||
affinity:
|
||||
{{ toYaml . | indent 8 }}
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.webhook.tolerations }}
|
||||
tolerations:
|
||||
{{ toYaml . | indent 8 }}
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.webhook.topologySpreadConstraints }}
|
||||
topologySpreadConstraints:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- if .Values.webhook.config }}
|
||||
volumes:
|
||||
- name: config
|
||||
configMap:
|
||||
name: {{ include "webhook.fullname" . }}
|
||||
{{- end }}
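Review bot: In `{{- $config := default .Values.webhook.config "" }}` the arguments are in the opposite order from Sprig's `default DEFAULT VALUE`: the given value is the literal empty string, so the expression always evaluates to `.Values.webhook.config`, including when that is unset. The later `$config.securePort`, `$config.healthzPort` and `$config.tlsConfig` lookups then rely on field access against an empty value being tolerated by the template engine, and `{{- $tlsConfig := default $config.tlsConfig "" }}` has the same shape. An explicit empty map states the intent and does not depend on that behaviour: `{{- $config := .Values.webhook.config | default dict }}` and `{{- $tlsConfig := $config.tlsConfig | default dict }}`. Also note that `--secure-port={{ .Values.webhook.securePort }}` is emitted whenever the config file does not set a port, while `containerPort` falls back to 6443 when `webhook.securePort` is empty, so the flag and the declared port can disagree in that case.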
|
||||
|
|
|
@ -9,9 +9,9 @@ metadata:
|
|||
app.kubernetes.io/component: "webhook"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
annotations:
|
||||
cert-manager.io/inject-ca-from-secret: "{{ .Release.Namespace }}/{{ template "webhook.fullname" . }}-ca"
|
||||
{{- if .Values.webhook.mutatingWebhookConfigurationAnnotations }}
|
||||
{{ toYaml .Values.webhook.mutatingWebhookConfigurationAnnotations | indent 4 }}
|
||||
cert-manager.io/inject-ca-from-secret: {{ printf "%s/%s-ca" (include "cert-manager.namespace" .) (include "webhook.fullname" .) | quote }}
|
||||
{{- with .Values.webhook.mutatingWebhookConfigurationAnnotations }}
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
webhooks:
|
||||
- name: webhook.cert-manager.io
|
||||
|
@ -26,15 +26,7 @@ webhooks:
|
|||
- UPDATE
|
||||
resources:
|
||||
- "*/*"
|
||||
# We don't actually support `v1beta1` but is listed here as it is a
|
||||
# required value for
|
||||
# [Kubernetes v1.16](https://github.com/kubernetes/kubernetes/issues/82025).
|
||||
# The API server reads the supported versions in order, so _should always_
|
||||
# attempt a `v1` request which is understood by the cert-manager webhook.
|
||||
# Any `v1beta1` request will return an error and fail closed for that
|
||||
# resource (the whole object request is rejected). When we no longer
|
||||
# support v1.16 we can remove `v1beta1` from this list.
|
||||
admissionReviewVersions: ["v1", "v1beta1"]
|
||||
admissionReviewVersions: ["v1"]
|
||||
# This webhook only accepts v1 cert-manager resources.
|
||||
# Equivalent matchPolicy ensures that non-v1 resource requests are sent to
|
||||
# this webhook (after the resources have been converted to v1).
|
||||
|
@ -49,6 +41,6 @@ webhooks:
|
|||
{{- else }}
|
||||
service:
|
||||
name: {{ template "webhook.fullname" . }}
|
||||
namespace: {{ .Release.Namespace | quote }}
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
path: /mutate
|
||||
{{- end }}
|
||||
|
|
|
@ -16,5 +16,5 @@ roleRef:
|
|||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: {{ template "webhook.serviceAccountName" . }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
{{- end }}
|
||||
|
|
|
@ -27,11 +27,11 @@ spec:
|
|||
- 'secret'
|
||||
- 'downwardAPI'
|
||||
hostNetwork: {{ .Values.webhook.hostNetwork }}
|
||||
{{ if .Values.webhook.hostNetwork }}
|
||||
{{- if .Values.webhook.hostNetwork }}
|
||||
hostPorts:
|
||||
- max: {{ .Values.webhook.securePort }}
|
||||
min: {{ .Values.webhook.securePort }}
|
||||
{{ end }}
|
||||
{{- end }}
|
||||
hostIPC: false
|
||||
hostPID: false
|
||||
runAsUser:
|
||||
|
|
|
@ -1,9 +1,9 @@
|
|||
{{- if .Values.global.rbac.create -}}
|
||||
{{- if .Values.global.rbac.create }}
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: Role
|
||||
metadata:
|
||||
name: {{ template "webhook.fullname" . }}:dynamic-serving
|
||||
namespace: {{ .Release.Namespace | quote }}
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
labels:
|
||||
app: {{ include "webhook.name" . }}
|
||||
app.kubernetes.io/name: {{ include "webhook.name" . }}
|
||||
|
@ -26,7 +26,7 @@ apiVersion: rbac.authorization.k8s.io/v1
|
|||
kind: RoleBinding
|
||||
metadata:
|
||||
name: {{ template "webhook.fullname" . }}:dynamic-serving
|
||||
namespace: {{ .Release.Namespace | quote }}
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
labels:
|
||||
app: {{ include "webhook.name" . }}
|
||||
app.kubernetes.io/name: {{ include "webhook.name" . }}
|
||||
|
@ -41,7 +41,7 @@ subjects:
|
|||
- apiGroup: ""
|
||||
kind: ServiceAccount
|
||||
name: {{ template "webhook.serviceAccountName" . }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
|
||||
---
|
||||
|
||||
|
@ -79,5 +79,5 @@ subjects:
|
|||
- apiGroup: ""
|
||||
kind: ServiceAccount
|
||||
name: {{ template "webhook.serviceAccountName" . }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
{{- end -}}
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
{{- end }}
|
||||
|
|
|
@ -2,26 +2,30 @@ apiVersion: v1
|
|||
kind: Service
|
||||
metadata:
|
||||
name: {{ template "webhook.fullname" . }}
|
||||
namespace: {{ .Release.Namespace | quote }}
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
{{- with .Values.webhook.serviceAnnotations }}
|
||||
annotations:
|
||||
{{ toYaml . | indent 4 }}
|
||||
{{- end }}
|
||||
labels:
|
||||
app: {{ include "webhook.name" . }}
|
||||
app.kubernetes.io/name: {{ include "webhook.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "webhook"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
{{- if .Values.webhook.serviceLabels }}
|
||||
{{ toYaml .Values.webhook.serviceLabels | indent 4 }}
|
||||
{{- with .Values.webhook.serviceLabels }}
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
type: {{ .Values.webhook.serviceType }}
|
||||
{{- if .Values.webhook.loadBalancerIP }}
|
||||
loadBalancerIP: {{ .Values.webhook.loadBalancerIP }}
|
||||
{{- with .Values.webhook.loadBalancerIP }}
|
||||
loadBalancerIP: {{ . }}
|
||||
{{- end }}
|
||||
ports:
|
||||
- name: https
|
||||
port: 443
|
||||
protocol: TCP
|
||||
targetPort: {{ .Values.webhook.securePort }}
|
||||
targetPort: "https"
|
||||
selector:
|
||||
app.kubernetes.io/name: {{ include "webhook.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
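Review bot: `targetPort: "https"` resolves only if the webhook pod declares a container port with that name, and the Deployment template is not part of this section, so the pairing cannot be confirmed from here. With the numeric `{{ .Values.webhook.securePort }}` the Service did not depend on the port name; a missing or renamed port would now leave the Service without endpoints and the admission webhook unreachable. A comment above the line, e.g. `# must match the container port name in the webhook Deployment`, would record the dependency. Separately, the annotations block uses `{{ toYaml . | indent 4 }}` while the labels below use `{{- toYaml . | nindent 4 }}`; the `nindent` form in both places would keep the rendering independent of the template line's own indentation.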
|
||||
|
|
|
@ -1,13 +1,13 @@
|
|||
{{- if .Values.webhook.serviceAccount.create -}}
|
||||
{{- if .Values.webhook.serviceAccount.create }}
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
automountServiceAccountToken: {{ .Values.webhook.serviceAccount.automountServiceAccountToken }}
|
||||
metadata:
|
||||
name: {{ template "webhook.serviceAccountName" . }}
|
||||
namespace: {{ .Release.Namespace | quote }}
|
||||
{{- if .Values.webhook.serviceAccount.annotations }}
|
||||
namespace: {{ include "cert-manager.namespace" . }}
|
||||
{{- with .Values.webhook.serviceAccount.annotations }}
|
||||
annotations:
|
||||
{{ toYaml .Values.webhook.serviceAccount.annotations | indent 4 }}
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
labels:
|
||||
app: {{ include "webhook.name" . }}
|
||||
|
@ -15,7 +15,11 @@ metadata:
|
|||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "webhook"
|
||||
{{- include "labels" . | nindent 4 }}
|
||||
{{- if .Values.global.imagePullSecrets }}
|
||||
imagePullSecrets: {{ toYaml .Values.global.imagePullSecrets | nindent 2 }}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
{{- with .Values.webhook.serviceAccount.labels }}
|
||||
{{ toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- with .Values.global.imagePullSecrets }}
|
||||
imagePullSecrets:
|
||||
{{- toYaml . | nindent 2 }}
|
||||
{{- end }}
|
||||
{{- end }}
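Review bot: In the `serviceAccount.labels` block, `{{ toYaml . | nindent 4 }}` lacks the left-trim dash that the other `toYaml` calls in this file use. Because `nindent` already begins with a newline, the untrimmed form emits an extra whitespace-only line inside the labels mapping; `{{- toYaml . | nindent 4 }}` matches the annotations and imagePullSecrets blocks. The unchanged line `automountServiceAccountToken: {{ .Values.webhook.serviceAccount.automountServiceAccountToken }}` renders an empty value when the setting is unset, which presumably leaves the API default in effect. Wrapping it in a `with` guard or stating the intended default in the values file would make the token-mount behaviour explicit.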
|
||||
|
|