Added chart versions:

codefresh/cf-runtime:
    - 7.0.1
  instana/instana-agent:
    - 2.0.0
  loft/loft:
    - 4.1.0
  new-relic/nri-bundle:
    - 5.0.101
  speedscale/speedscale-operator:
    - 2.2.677

charts/codefresh/cf-runtime/7.0.1/.helmignore

@@ -0,0 +1,3 @@
+tests/
+.ci/
+test-values/

charts/codefresh/cf-runtime/7.0.1/Chart.yaml

@@ -0,0 +1,28 @@
+annotations:
+  artifacthub.io/changes: |
+    - kind: security
+      description: "updating k8s-agent"
+  artifacthub.io/containsSecurityUpdates: "false"
+  catalog.cattle.io/certified: partner
+  catalog.cattle.io/display-name: Codefresh
+  catalog.cattle.io/kube-version: '>=1.18-0'
+  catalog.cattle.io/release-name: ""
+apiVersion: v2
+dependencies:
+- name: cf-common
+  repository: oci://quay.io/codefresh/charts
+  version: 0.21.0
+description: A Helm chart for Codefresh Runner
+home: https://codefresh.io/
+icon: file://assets/icons/cf-runtime.png
+keywords:
+- codefresh
+- runner
+kubeVersion: '>=1.18-0'
+maintainers:
+- name: codefresh
+  url: https://codefresh-io.github.io/
+name: cf-runtime
+sources:
+- https://github.com/codefresh-io/venona
+version: 7.0.1

charts/codefresh/cf-runtime/7.0.1/files/cleanup-runtime.sh

@@ -0,0 +1,37 @@
+#!/bin/bash
+
+echo "-----"
+echo "API_HOST:           ${API_HOST}"
+echo "AGENT_NAME:         ${AGENT_NAME}"
+echo "RUNTIME_NAME:       ${RUNTIME_NAME}"
+echo "AGENT:              ${AGENT}"
+echo "AGENT_SECRET_NAME:  ${AGENT_SECRET_NAME}"
+echo "DIND_SECRET_NAME:   ${DIND_SECRET_NAME}"
+echo "-----"
+
+auth() {
+  codefresh auth create-context --api-key ${API_TOKEN} --url ${API_HOST}
+}
+
+remove_runtime() {
+  if [ "$AGENT" == "true" ]; then
+    codefresh delete re ${RUNTIME_NAME} || true
+  else
+    codefresh delete sys-re ${RUNTIME_NAME} || true
+  fi
+}
+
+remove_agent() {
+  codefresh delete agent ${AGENT_NAME} || true
+}
+
+remove_secrets() {
+  kubectl patch secret $(kubectl get secret -l codefresh.io/internal=true | awk 'NR>1{print $1}' | xargs) -p '{"metadata":{"finalizers":null}}' --type=merge || true
+  kubectl delete secret $AGENT_SECRET_NAME || true
+  kubectl delete secret $DIND_SECRET_NAME || true
+}
+
+auth
+remove_runtime
+remove_agent
+remove_secrets

charts/codefresh/cf-runtime/7.0.1/files/configure-dind-certs.sh

@@ -0,0 +1,132 @@
+#!/usr/bin/env bash
+#
+
+#---
+fatal() {
+   echo "ERROR: $1"
+   exit 1
+}
+
+msg() { echo -e "\e[32mINFO ---> $1\e[0m"; }
+err() { echo -e "\e[31mERR ---> $1\e[0m" ; return 1; }
+
+exit_trap () {
+  local lc="$BASH_COMMAND" rc=$?
+  if [ $rc != 0 ]; then
+    if [[ -n "$SLEEP_ON_ERROR" ]]; then
+      echo -e "\nSLEEP_ON_ERROR is set - Sleeping to fix error"
+      sleep $SLEEP_ON_ERROR
+    fi
+  fi
+}
+trap exit_trap EXIT
+
+usage() {
+    echo "Usage:
+    $0 [-n | --namespace] [--server-cert-cn] [--server-cert-extra-sans] codefresh-api-host codefresh-api-token
+
+Example:
+   $0 -n workflow https://g.codefresh.io 21341234.423141234.412431234
+
+"
+}
+
+# Args
+while [[ $1 =~ ^(-(n|h)|--(namespace|server-cert-cn|server-cert-extra-sans|help)) ]]
+do
+  key=$1
+  value=$2
+
+  case $key in
+    -h|--help)
+        usage
+        exit
+      ;;
+    -n|--namespace)
+        NAMESPACE="$value"
+        shift
+      ;;
+    --server-cert-cn)
+        SERVER_CERT_CN="$value"
+        shift
+      ;;
+    --server-cert-extra-sans)
+        SERVER_CERT_EXTRA_SANS="$value"
+        shift
+      ;;
+  esac
+  shift # past argument or value
+done
+
+API_HOST=${1:-"$CF_API_HOST"}
+API_TOKEN=${2:-"$CF_API_TOKEN"}
+
+[[ -z "$API_HOST" ]] && usage && fatal "Missing API_HOST"
+[[ -z "$API_TOKEN" ]] && usage && fatal "Missing token"
+
+
+API_SIGN_PATH=${API_SIGN_PATH:-"api/custom_clusters/signServerCerts"}
+
+NAMESPACE=${NAMESPACE:-default}
+RELEASE=${RELEASE:-cf-runtime}
+
+DIR=$(dirname $0)
+TMPDIR=/tmp/codefresh/
+
+TMP_CERTS_FILE_ZIP=$TMPDIR/cf-certs.zip
+TMP_CERTS_HEADERS_FILE=$TMPDIR/cf-certs-response-headers.txt
+CERTS_DIR=$TMPDIR/ssl
+SRV_TLS_CA_CERT=${CERTS_DIR}/ca.pem
+SRV_TLS_KEY=${CERTS_DIR}/server-key.pem
+SRV_TLS_CSR=${CERTS_DIR}/server-cert.csr
+SRV_TLS_CERT=${CERTS_DIR}/server-cert.pem
+CF_SRV_TLS_CERT=${CERTS_DIR}/cf-server-cert.pem
+CF_SRV_TLS_CA_CERT=${CERTS_DIR}/cf-ca.pem
+mkdir -p $TMPDIR $CERTS_DIR
+
+K8S_CERT_SECRET_NAME=codefresh-certs-server
+echo -e "\n------------------\nGenerating server tls certificates ... "
+
+SERVER_CERT_CN=${SERVER_CERT_CN:-"docker.codefresh.io"}
+SERVER_CERT_EXTRA_SANS="${SERVER_CERT_EXTRA_SANS}"
+###
+
+  openssl genrsa -out $SRV_TLS_KEY 4096 || fatal "Failed to generate openssl key "
+  openssl req -subj "/CN=${SERVER_CERT_CN}" -new -key $SRV_TLS_KEY -out $SRV_TLS_CSR  || fatal "Failed to generate openssl csr "
+  GENERATE_CERTS=true
+  CSR=$(sed ':a;N;$!ba;s/\n/\\n/g' ${SRV_TLS_CSR})
+
+  SERVER_CERT_SANS="IP:127.0.0.1,DNS:dind,DNS:*.dind.${NAMESPACE},DNS:*.dind.${NAMESPACE}.svc${KUBE_DOMAIN},DNS:*.cf-cd.com,DNS:*.codefresh.io"
+  if [[ -n "${SERVER_CERT_EXTRA_SANS}" ]]; then
+    SERVER_CERT_SANS=${SERVER_CERT_SANS},${SERVER_CERT_EXTRA_SANS}
+  fi
+  echo "{\"reqSubjectAltName\": \"${SERVER_CERT_SANS}\", \"csr\": \"${CSR}\" }" > ${TMPDIR}/sign_req.json
+
+  rm -fv ${TMP_CERTS_HEADERS_FILE} ${TMP_CERTS_FILE_ZIP}
+
+  SIGN_STATUS=$(curl -k -sSL -d @${TMPDIR}/sign_req.json -H "Content-Type: application/json" -H "Authorization: ${API_TOKEN}" -H "Expect: " \
+        -o ${TMP_CERTS_FILE_ZIP} -D ${TMP_CERTS_HEADERS_FILE} -w '%{http_code}' ${API_HOST}/${API_SIGN_PATH} )
+
+  echo "Sign request completed with HTTP_STATUS_CODE=$SIGN_STATUS"
+  if [[ $SIGN_STATUS != 200 ]]; then
+     echo "ERROR: Cannot sign certificates"
+     if [[ -f ${TMP_CERTS_FILE_ZIP} ]]; then
+       mv ${TMP_CERTS_FILE_ZIP} ${TMP_CERTS_FILE_ZIP}.error
+       cat ${TMP_CERTS_FILE_ZIP}.error
+     fi
+     exit 1
+  fi
+  unzip -o -d ${CERTS_DIR}/  ${TMP_CERTS_FILE_ZIP} || fatal "Failed to unzip certificates to ${CERTS_DIR} "
+  cp -v ${CF_SRV_TLS_CA_CERT} $SRV_TLS_CA_CERT || fatal "received ${TMP_CERTS_FILE_ZIP} does not contains ca.pem"
+  cp -v ${CF_SRV_TLS_CERT} $SRV_TLS_CERT || fatal "received ${TMP_CERTS_FILE_ZIP} does not contains cf-server-cert.pem"
+
+
+echo -e "\n------------------\nCreating certificate secret "
+
+kubectl -n $NAMESPACE create secret generic $K8S_CERT_SECRET_NAME \
+    --from-file=$SRV_TLS_CA_CERT \
+    --from-file=$SRV_TLS_KEY \
+    --from-file=$SRV_TLS_CERT \
+    --dry-run=client -o yaml | kubectl apply --overwrite -f -
+kubectl -n $NAMESPACE label --overwrite secret ${K8S_CERT_SECRET_NAME} codefresh.io/internal=true
+kubectl -n $NAMESPACE patch secret $K8S_CERT_SECRET_NAME -p '{"metadata": {"finalizers": ["kubernetes"]}}'

charts/codefresh/cf-runtime/7.0.1/files/init-runtime.sh

@@ -0,0 +1,80 @@
+#!/bin/bash
+
+echo "-----"
+echo "API_HOST:         ${API_HOST}"
+echo "AGENT_NAME:       ${AGENT_NAME}"
+echo "KUBE_CONTEXT:     ${KUBE_CONTEXT}"
+echo "KUBE_NAMESPACE:   ${KUBE_NAMESPACE}"
+echo "OWNER_NAME:       ${OWNER_NAME}"
+echo "RUNTIME_NAME:     ${RUNTIME_NAME}"
+echo "SECRET_NAME:      ${SECRET_NAME}"
+echo "-----"
+
+create_agent_secret() {
+
+  kubectl apply -f - <<EOF
+  apiVersion: v1
+  kind: Secret
+  type: Opaque
+  metadata:
+    name: ${SECRET_NAME}
+    namespace: ${KUBE_NAMESPACE}
+    labels:
+      codefresh.io/internal: "true"
+    finalizers:
+    - kubernetes
+    ownerReferences:
+    - apiVersion: apps/v1
+      kind: Deploy
+      name: ${OWNER_NAME}
+      uid: ${OWNER_UID}
+  stringData:
+    agent-codefresh-token: ${1}
+EOF
+
+}
+
+OWNER_UID=$(kubectl get deploy ${OWNER_NAME} --namespace ${KUBE_NAMESPACE} -o jsonpath='{.metadata.uid}')
+echo "got owner uid: ${OWNER_UID}"
+
+if [ ! -z "${AGENT_CODEFRESH_TOKEN}" ]; then
+    echo "-----"
+    echo "runtime and agent are already initialized"
+    echo "-----"
+    exit 0
+fi
+
+if [ ! -z "${EXISTING_AGENT_CODEFRESH_TOKEN}" ]; then
+    echo "using existing agentToken value"
+    create_agent_secret $EXISTING_AGENT_CODEFRESH_TOKEN
+    exit 0
+fi
+
+if [ -z "${USER_CODEFRESH_TOKEN}" ]; then
+    echo "-----"
+    echo "missing codefresh user token. must supply \".global.codefreshToken\" if agent-codefresh-token does not exist"
+    echo "-----"
+    exit 1
+fi
+
+codefresh auth create-context --api-key ${USER_CODEFRESH_TOKEN} --url ${API_HOST}
+
+# AGENT_TOKEN might be empty, in which case it will be returned by the call
+RES=$(codefresh install agent \
+    --name ${AGENT_NAME} \
+    --kube-context-name ${KUBE_CONTEXT} \
+    --kube-namespace ${KUBE_NAMESPACE} \
+    --agent-kube-namespace ${KUBE_NAMESPACE} \
+    --install-runtime \
+    --runtime-name ${RUNTIME_NAME} \
+    --skip-cluster-creation \
+    --platform-only)
+
+AGENT_CODEFRESH_TOKEN=$(echo "${RES}" | tail -n 1)
+echo "generated agent + runtime in platform"
+
+create_agent_secret $AGENT_CODEFRESH_TOKEN
+
+echo "-----"
+echo "done initializing runtime and agent"
+echo "-----"

charts/codefresh/cf-runtime/7.0.1/files/reconcile-runtime.sh

@@ -0,0 +1,38 @@
+#!/bin/bash
+
+echo "-----"
+echo "API_HOST:             ${API_HOST}"
+echo "KUBE_CONTEXT:         ${KUBE_CONTEXT}"
+echo "KUBE_NAMESPACE:       ${KUBE_NAMESPACE}"
+echo "OWNER_NAME:           ${OWNER_NAME}"
+echo "RUNTIME_NAME:         ${RUNTIME_NAME}"
+echo "CONFIGMAP_NAME:       ${CONFIGMAP_NAME}"
+echo "RECONCILE_INTERVAL:   ${RECONCILE_INTERVAL}"
+echo "-----"
+
+msg() { echo -e "\e[32mINFO ---> $1\e[0m"; }
+err() { echo -e "\e[31mERR ---> $1\e[0m" ; return 1; }
+
+
+if [ -z "${USER_CODEFRESH_TOKEN}" ]; then
+    err "missing codefresh user token. must supply \".global.codefreshToken\" if agent-codefresh-token does not exist"
+    exit 1
+fi
+
+codefresh auth create-context --api-key ${USER_CODEFRESH_TOKEN} --url ${API_HOST}
+
+while true; do
+  msg "Reconciling ${RUNTIME_NAME} runtime"
+
+  sleep $RECONCILE_INTERVAL
+
+  codefresh get re \
+      --name ${RUNTIME_NAME} \
+      -o yaml \
+      | yq 'del(.version, .metadata.changedBy, .metadata.creationTime)' > /tmp/runtime.yaml
+
+  kubectl get cm ${CONFIGMAP_NAME} -n ${KUBE_NAMESPACE} -o yaml \
+  | yq 'del(.metadata.resourceVersion, .metadata.uid)' \
+  | yq eval '.data["runtime.yaml"] = load_str("/tmp/runtime.yaml")' \
+  | kubectl apply -f -
+done

charts/codefresh/cf-runtime/7.0.1/templates/_components/app-proxy/_deployment.yaml

@@ -0,0 +1,70 @@
+{{- define "app-proxy.resources.deployment" -}}
+{{ $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "app-proxy.fullname" . }}
+  labels:
+    {{- include "app-proxy.labels" . | nindent 4 }}
+spec:
+  replicas: {{ .Values.replicasCount }}
+  strategy:
+    type: {{ .Values.updateStrategy.type }}
+  selector:
+    matchLabels:
+      {{- include "app-proxy.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      labels:
+        {{- include "app-proxy.selectorLabels" . | nindent 8 }}
+      {{- with .Values.podAnnotations }}
+      annotations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+    spec:
+      {{- include (printf "%s.image.pullSecrets" $cfCommonTplSemver ) . | nindent 8 }}
+      serviceAccountName: {{ include "app-proxy.serviceAccountName" . }}
+      {{- if .Values.podSecurityContext.enabled }}
+      securityContext: {{- omit .Values.podSecurityContext "enabled" | toYaml | nindent 8 }}
+      {{- end }}
+      containers:
+      - name: app-proxy
+        image: {{ include (printf "%s.image.name" $cfCommonTplSemver ) (dict "image" .Values.image "context" .) }}
+        imagePullPolicy: {{ .Values.image.pullPolicy | default "Always" }}
+        env:
+        {{- include "app-proxy.environment-variables" . | nindent 8 }}
+        ports:
+        - name: http
+          containerPort: 3000
+        readinessProbe:
+          initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }}
+          periodSeconds: {{ .Values.readinessProbe.periodSeconds }}
+          timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds }}
+          successThreshold: {{ .Values.readinessProbe.successThreshold }}
+          failureThreshold: {{ .Values.readinessProbe.failureThreshold }}
+          httpGet:
+            path: /health
+            port: http
+        resources:
+          {{- toYaml .Values.resources | nindent 12  }}
+        volumeMounts:
+        {{- with .Values.extraVolumeMounts }}
+          {{- toYaml . | nindent 8 }}
+        {{- end }}
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 6 }}
+      {{- end }}
+      volumes:
+      {{- with .Values.extraVolumes }}
+        {{- toYaml . | nindent 6 }}
+      {{- end }}
+{{- end -}}

charts/codefresh/cf-runtime/7.0.1/templates/_components/app-proxy/_env-vars.yaml

@@ -0,0 +1,19 @@
+{{- define "app-proxy.environment-variables.defaults" }}
+PORT: 3000
+{{- end }}
+
+{{- define "app-proxy.environment-variables.calculated" }}
+CODEFRESH_HOST: {{ include "runtime.runtime-environment-spec.codefresh-host" . }}
+{{- with .Values.ingress.pathPrefix }}
+API_PATH_PREFIX: {{ . | quote }}
+{{- end }}
+{{- end }}
+
+{{- define "app-proxy.environment-variables" }}
+{{- $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }}
+{{- $defaults := (include "app-proxy.environment-variables.defaults" . | fromYaml) }}
+{{- $calculated := (include "app-proxy.environment-variables.calculated" . | fromYaml) }}
+{{- $overrides := .Values.env }}
+{{- $mergedValues := mergeOverwrite (merge $defaults $calculated) $overrides }}
+{{- include (printf "%s.env-vars" $cfCommonTplSemver) (dict "Values" $mergedValues "context" .) }}
+{{- end }}

charts/codefresh/cf-runtime/7.0.1/templates/_components/app-proxy/_helpers.tpl

@@ -0,0 +1,43 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "app-proxy.name" -}}
+    {{- printf "%s-%s" (include "cf-runtime.name" .) "app-proxy" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "app-proxy.fullname" -}}
+    {{- printf "%s-%s" (include "cf-runtime.fullname" .) "app-proxy" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "app-proxy.labels" -}}
+{{ include "cf-runtime.labels" . }}
+codefresh.io/application: app-proxy
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "app-proxy.selectorLabels" -}}
+{{ include "cf-runtime.selectorLabels" . }}
+codefresh.io/application: app-proxy
+{{- end }}
+
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "app-proxy.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "app-proxy.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}

charts/codefresh/cf-runtime/7.0.1/templates/_components/app-proxy/_ingress.yaml

@@ -0,0 +1,32 @@
+{{- define "app-proxy.resources.ingress" -}}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: {{ include "app-proxy.fullname" . }}
+  labels: {{- include "app-proxy.labels" . | nindent 4 }}
+  {{- with .Values.ingress.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  {{- if and .Values.ingress.class (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }}
+  ingressClassName: {{ .Values.ingress.class }}
+  {{- end }}
+  {{- if .Values.ingress.tlsSecret }}
+  tls:
+    - hosts:
+        - {{ .Values.ingress.host }}
+      secretName: {{ .Values.tlsSecret }}
+  {{- end }}
+  rules:
+    - host: {{ .Values.ingress.host }}
+      http:
+        paths:
+          - path: {{ .Values.ingress.pathPrefix | default "/" }}
+            pathType: ImplementationSpecific
+            backend:
+              service:
+                name: {{ include "app-proxy.fullname" . }}
+                port:
+                  number: 80
+{{- end -}}

charts/codefresh/cf-runtime/7.0.1/templates/_components/app-proxy/_rbac.yaml

@@ -0,0 +1,47 @@
+{{- define "app-proxy.resources.rbac" -}}
+{{- if .Values.serviceAccount.create }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "app-proxy.serviceAccountName" . }}
+  labels:
+    {{- include "app-proxy.labels" . | nindent 4 }}
+  {{- with .Values.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end }}
+---
+{{- if .Values.rbac.create }}
+kind: {{ .Values.rbac.namespaced | ternary "Role" "ClusterRole" }}
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ include "app-proxy.fullname" . }}
+  labels:
+    {{- include "app-proxy.labels" . | nindent 4 }}
+rules:
+  - apiGroups: [ "" ]
+    resources: [ "secrets" ]
+    verbs: [ "get" ]
+{{- with .Values.rbac.rules }}
+  {{ toYaml . | nindent 2 }}
+{{- end }}
+{{- end }}
+---
+{{- if and .Values.serviceAccount.create .Values.rbac.create }}
+kind: {{ .Values.rbac.namespaced | ternary "RoleBinding" "ClusterRoleBinding" }}
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ include "app-proxy.fullname" . }}
+  labels:
+    {{- include "app-proxy.labels" . | nindent 4 }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "app-proxy.serviceAccountName" . }}
+    namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: Role
+  name: {{ include "app-proxy.fullname" . }}
+  apiGroup: rbac.authorization.k8s.io
+{{- end }}
+{{- end -}}

charts/codefresh/cf-runtime/7.0.1/templates/_components/app-proxy/_service.yaml

@@ -0,0 +1,17 @@
+{{- define "app-proxy.resources.service" -}}
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "app-proxy.fullname" . }}
+  labels:
+    {{- include "app-proxy.labels" . | nindent 4 }}
+spec:
+  type: ClusterIP
+  ports:
+  - name: http
+    port: 80
+    protocol: TCP
+    targetPort: 3000
+  selector:
+    {{- include "app-proxy.selectorLabels" . | nindent 4 }}
+{{- end -}}

charts/codefresh/cf-runtime/7.0.1/templates/_components/event-exporter/_deployment.yaml

@@ -0,0 +1,62 @@
+{{- define "event-exporter.resources.deployment" -}}
+{{ $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "event-exporter.fullname" . }}
+  labels:
+    {{- include "event-exporter.labels" . | nindent 4 }}
+spec:
+  replicas: {{ .Values.replicasCount }}
+  strategy:
+    type: {{ .Values.updateStrategy.type }}
+  selector:
+    matchLabels:
+      {{- include "event-exporter.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      labels:
+        {{- include "event-exporter.selectorLabels" . | nindent 8 }}
+      {{- with .Values.podAnnotations }}
+      annotations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+    spec:
+      {{- include (printf "%s.image.pullSecrets" $cfCommonTplSemver ) . | nindent 8 }}
+      serviceAccountName: {{ include "event-exporter.serviceAccountName" . }}
+      {{- if .Values.podSecurityContext.enabled }}
+      securityContext: {{- omit .Values.podSecurityContext "enabled" | toYaml | nindent 8 }}
+      {{- end }}
+      containers:
+      - name: event-exporter
+        image: {{ include (printf "%s.image.name" $cfCommonTplSemver ) (dict "image" .Values.image "context" .) }}
+        imagePullPolicy: {{ .Values.image.pullPolicy | default "Always" }}
+        args: [--running-in-cluster=true]
+        env:
+        {{- include "event-exporter.environment-variables" . | nindent 8 }}
+        ports:
+        - name: metrics
+          containerPort: 9102
+        resources:
+          {{- toYaml .Values.resources | nindent 12  }}
+        volumeMounts:
+        {{- with .Values.extraVolumeMounts }}
+          {{- toYaml . | nindent 8 }}
+        {{- end }}
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 6 }}
+      {{- end }}
+      volumes:
+      {{- with .Values.extraVolumes }}
+        {{- toYaml . | nindent 6 }}
+      {{- end }}
+{{- end -}}

charts/codefresh/cf-runtime/7.0.1/templates/_components/event-exporter/_env-vars.yaml

@@ -0,0 +1,14 @@
+{{- define "event-exporter.environment-variables.defaults" }}
+{{- end }}
+
+{{- define "event-exporter.environment-variables.calculated" }}
+{{- end }}
+
+{{- define "event-exporter.environment-variables" }}
+{{- $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }}
+{{- $defaults := (include "event-exporter.environment-variables.defaults" . | fromYaml) }}
+{{- $calculated := (include "event-exporter.environment-variables.calculated" . | fromYaml) }}
+{{- $overrides := .Values.env }}
+{{- $mergedValues := mergeOverwrite (merge $defaults $calculated) $overrides }}
+{{- include (printf "%s.env-vars" $cfCommonTplSemver) (dict "Values" $mergedValues "context" .) }}
+{{- end }}

charts/codefresh/cf-runtime/7.0.1/templates/_components/event-exporter/_helpers.tpl

@@ -0,0 +1,43 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "event-exporter.name" -}}
+    {{- printf "%s-%s" (include "cf-runtime.name" .) "event-exporter" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "event-exporter.fullname" -}}
+    {{- printf "%s-%s" (include "cf-runtime.fullname" .) "event-exporter" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "event-exporter.labels" -}}
+{{ include "cf-runtime.labels" . }}
+app: event-exporter
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "event-exporter.selectorLabels" -}}
+{{ include "cf-runtime.selectorLabels" . }}
+app: event-exporter
+{{- end }}
+
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "event-exporter.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "event-exporter.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}

charts/codefresh/cf-runtime/7.0.1/templates/_components/event-exporter/_rbac.yaml

@@ -0,0 +1,47 @@
+{{- define "event-exporter.resources.rbac" -}}
+{{- if .Values.serviceAccount.create }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "event-exporter.serviceAccountName" . }}
+  labels:
+    {{- include "event-exporter.labels" . | nindent 4 }}
+  {{- with .Values.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end }}
+---
+{{- if .Values.rbac.create }}
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ include "event-exporter.fullname" . }}
+  labels:
+    {{- include "event-exporter.labels" . | nindent 4 }}
+rules:
+  - apiGroups: [""]
+    resources: [events]
+    verbs: [get, list, watch]
+{{- with .Values.rbac.rules }}
+  {{ toYaml . | nindent 2 }}
+{{- end }}
+{{- end }}
+---
+{{- if and .Values.serviceAccount.create .Values.rbac.create }}
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ include "event-exporter.fullname" . }}
+  labels:
+    {{- include "event-exporter.labels" . | nindent 4 }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "event-exporter.serviceAccountName" . }}
+    namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: ClusterRole
+  name: {{ include "event-exporter.fullname" . }}
+  apiGroup: rbac.authorization.k8s.io
+{{- end }}
+{{- end -}}

charts/codefresh/cf-runtime/7.0.1/templates/_components/event-exporter/_service.yaml

@@ -0,0 +1,17 @@
+{{- define "event-exporter.resources.service" -}}
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "event-exporter.fullname" . }}
+  labels:
+    {{- include "event-exporter.labels" . | nindent 4 }}
+spec:
+  type: ClusterIP
+  ports:
+  - name: metrics
+    port: 9102
+    targetPort: metrics
+    protocol: TCP
+  selector:
+    {{- include "event-exporter.selectorLabels" . | nindent 4 }}
+{{- end -}}

charts/codefresh/cf-runtime/7.0.1/templates/_components/event-exporter/_serviceMontor.yaml

@@ -0,0 +1,14 @@
+{{- define "event-exporter.resources.serviceMonitor" -}}
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: {{ include "event-exporter.fullname" . }}
+  labels:
+    {{- include "event-exporter.labels" . | nindent 4 }}
+spec:
+  endpoints:
+  - port: metrics
+  selector:
+    matchLabels:
+    {{- include "event-exporter.selectorLabels" . | nindent 6 }}
+{{- end -}}

charts/codefresh/cf-runtime/7.0.1/templates/_components/monitor/_deployment.yaml

@@ -0,0 +1,70 @@
+{{- define "monitor.resources.deployment" -}}
+{{ $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "monitor.fullname" . }}
+  labels:
+    {{- include "monitor.labels" . | nindent 4 }}
+spec:
+  replicas: {{ .Values.replicasCount }}
+  strategy:
+    type: {{ .Values.updateStrategy.type }}
+  selector:
+    matchLabels:
+      {{- include "monitor.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      labels:
+        {{- include "monitor.selectorLabels" . | nindent 8 }}
+      {{- with .Values.podAnnotations }}
+      annotations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+    spec:
+      {{- include (printf "%s.image.pullSecrets" $cfCommonTplSemver ) . | nindent 8 }}
+      serviceAccountName: {{ include "monitor.serviceAccountName" . }}
+      {{- if .Values.podSecurityContext.enabled }}
+      securityContext: {{- omit .Values.podSecurityContext "enabled" | toYaml | nindent 8 }}
+      {{- end }}
+      containers:
+      - name: monitor
+        image: {{ include (printf "%s.image.name" $cfCommonTplSemver ) (dict "image" .Values.image "context" .) }}
+        imagePullPolicy: {{ .Values.image.pullPolicy | default "Always" }}
+        env:
+        {{- include "monitor.environment-variables" . | nindent 8 }}
+        ports:
+        - name: http
+          containerPort: 9020
+        readinessProbe:
+          initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }}
+          periodSeconds: {{ .Values.readinessProbe.periodSeconds }}
+          timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds }}
+          successThreshold: {{ .Values.readinessProbe.successThreshold }}
+          failureThreshold: {{ .Values.readinessProbe.failureThreshold }}
+          httpGet:
+            path: /api/ping
+            port: 9020
+        resources:
+          {{- toYaml .Values.resources | nindent 12  }}
+        volumeMounts:
+        {{- with .Values.extraVolumeMounts }}
+          {{- toYaml . | nindent 8 }}
+        {{- end }}
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 6 }}
+      {{- end }}
+      volumes:
+      {{- with .Values.extraVolumes }}
+        {{- toYaml . | nindent 6 }}
+      {{- end }}
+{{- end -}}

charts/codefresh/cf-runtime/7.0.1/templates/_components/monitor/_env-vars.yaml

@@ -0,0 +1,26 @@
+{{- define "monitor.environment-variables.defaults" }}
+SERVICE_NAME: {{ include "monitor.fullname" . }}
+PORT: 9020
+HELM3: true
+NODE_OPTIONS: "--max_old_space_size=4096"
+{{- end }}
+
+{{- define "monitor.environment-variables.calculated" }}
+API_TOKEN: {{ include "runtime.installation-token-env-var-value" . | nindent 2 }}
+CLUSTER_ID: {{ include "runtime.runtime-environment-spec.context-name" . }}
+API_URL: {{ include "runtime.runtime-environment-spec.codefresh-host" . }}/api/k8s-monitor/events
+ACCOUNT_ID: {{ .Values.global.accountId }}
+NAMESPACE: {{ .Release.Namespace }}
+{{- if .Values.rbac.namespaced }}
+ROLE_BINDING: true
+{{- end }}
+{{- end }}
+
+{{- define "monitor.environment-variables" }}
+{{- $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }}
+{{- $defaults := (include "monitor.environment-variables.defaults" . | fromYaml) }}
+{{- $calculated := (include "monitor.environment-variables.calculated" . | fromYaml) }}
+{{- $overrides := .Values.env }}
+{{- $mergedValues := mergeOverwrite (merge $defaults $calculated) $overrides }}
+{{- include (printf "%s.env-vars" $cfCommonTplSemver) (dict "Values" $mergedValues "context" .) }}
+{{- end }}

charts/codefresh/cf-runtime/7.0.1/templates/_components/monitor/_helpers.tpl

@@ -0,0 +1,42 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "monitor.name" -}}
+    {{- printf "%s-%s" (include "cf-runtime.name" .) "monitor" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "monitor.fullname" -}}
+    {{- printf "%s-%s" (include "cf-runtime.fullname" .) "monitor" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "monitor.labels" -}}
+{{ include "cf-runtime.labels" . }}
+codefresh.io/application: monitor
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "monitor.selectorLabels" -}}
+{{ include "cf-runtime.selectorLabels" . }}
+codefresh.io/application: monitor
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "monitor.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "monitor.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}

charts/codefresh/cf-runtime/7.0.1/templates/_components/monitor/_rbac.yaml

@@ -0,0 +1,56 @@
+{{- define "monitor.resources.rbac" -}}
+{{- if .Values.serviceAccount.create }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "monitor.serviceAccountName" . }}
+  labels:
+    {{- include "monitor.labels" . | nindent 4 }}
+  {{- with .Values.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end }}
+---
+{{- if .Values.rbac.create }}
+kind: {{ .Values.rbac.namespaced | ternary "Role" "ClusterRole" }}
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ include "monitor.fullname" . }}
+  labels:
+    {{- include "monitor.labels" . | nindent 4 }}
+rules:
+  - apiGroups: [ "" ]
+    resources: [ "*" ]
+    verbs: [ "get", "list", "watch", "create", "delete" ]
+  - apiGroups: [ "" ]
+    resources: [ "pods" ]
+    verbs: [ "get", "list", "watch", "create", "deletecollection" ]
+  - apiGroups: [ "extensions" ]
+    resources: [ "*" ]
+    verbs: [ "get", "list", "watch" ]
+  - apiGroups: [ "apps" ]
+    resources: [ "*" ]
+    verbs: [ "get", "list", "watch" ]
+{{- with .Values.rbac.rules }}
+  {{ toYaml . | nindent 2 }}
+{{- end }}
+{{- end }}
+---
+{{- if and .Values.serviceAccount.create .Values.rbac.create }}
+kind: {{ .Values.rbac.namespaced | ternary "RoleBinding" "ClusterRoleBinding" }}
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ include "monitor.fullname" . }}
+  labels:
+    {{- include "monitor.labels" . | nindent 4 }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "monitor.serviceAccountName" . }}
+    namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: {{ .Values.rbac.namespaced | ternary "Role" "ClusterRole" }}
+  name: {{ include "monitor.fullname" . }}
+  apiGroup: rbac.authorization.k8s.io
+{{- end }}
+{{- end -}}

charts/codefresh/cf-runtime/7.0.1/templates/_components/monitor/_service.yaml

@@ -0,0 +1,17 @@
+{{- define "monitor.resources.service" -}}
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "monitor.fullname" . }}
+  labels:
+    {{- include "monitor.labels" . | nindent 4 }}
+spec:
+  type: ClusterIP
+  ports:
+  - name: http
+    port: 80
+    protocol: TCP
+    targetPort: 9020
+  selector:
+    {{- include "monitor.selectorLabels" . | nindent 4 }}
+{{- end -}}

charts/codefresh/cf-runtime/7.0.1/templates/_components/runner/_deployment.yaml

@@ -0,0 +1,103 @@
+{{- define "runner.resources.deployment" -}}
+{{ $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "runner.fullname" . }}
+  labels:
+    {{- include "runner.labels" . | nindent 4 }}
+spec:
+  replicas: {{ .Values.replicasCount }}
+  strategy:
+    type: {{ .Values.updateStrategy.type }}
+  selector:
+    matchLabels:
+      {{- include "runner.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      labels:
+        {{- include "runner.selectorLabels" . | nindent 8 }}
+      {{- with .Values.podAnnotations }}
+      annotations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+    spec:
+      {{- include (printf "%s.image.pullSecrets" $cfCommonTplSemver ) . | nindent 8 }}
+      serviceAccountName: {{ include "runner.serviceAccountName" . }}
+      {{- if .Values.podSecurityContext.enabled }}
+      securityContext: {{- omit .Values.podSecurityContext "enabled" | toYaml | nindent 8 }}
+      {{- end }}
+      initContainers:
+      - name: init
+        image: {{ include (printf "%s.image.name" $cfCommonTplSemver ) (dict "image" .Values.init.image "context" .) }}
+        imagePullPolicy: {{ .Values.init.image.pullPolicy | default "IfNotPresent" }}
+        command:
+        - /bin/bash
+        args:
+        - -ec
+        - | {{ .Files.Get "files/init-runtime.sh" | nindent 10 }}
+        env:
+        {{- include "runner-init.environment-variables" . | nindent 8 }}
+        {{- with .Values.init.resources }}
+        resources:
+          {{- toYaml . | nindent 10  }}
+        {{- end }}
+      containers:
+      - name: runner
+        image: {{ include (printf "%s.image.name" $cfCommonTplSemver ) (dict "image" .Values.image "context" .) }}
+        imagePullPolicy: {{ .Values.image.pullPolicy | default "IfNotPresent" }}
+        env:
+        {{- include "runner.environment-variables" . | nindent 8 }}
+        ports:
+        - name: http
+          containerPort: 8080
+        readinessProbe:
+          initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }}
+          periodSeconds: {{ .Values.readinessProbe.periodSeconds }}
+          timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds }}
+          successThreshold: {{ .Values.readinessProbe.successThreshold }}
+          failureThreshold: {{ .Values.readinessProbe.failureThreshold }}
+          httpGet:
+            path: /health
+            port: http
+        {{- with .Values.resources }}
+        resources:
+          {{- toYaml . | nindent 10  }}
+        {{- end }}
+        {{- with .Values.extraVolumeMounts }}
+        volumeMounts:
+          {{- toYaml . | nindent 8 }}
+        {{- end }}
+      {{- if .Values.sidecar.enabled }}
+      - name: reconcile-runtime
+        image: {{ include (printf "%s.image.name" $cfCommonTplSemver ) (dict "image" .Values.sidecar.image "context" .) }}
+        imagePullPolicy: {{ .Values.sidecar.image.pullPolicy | default "IfNotPresent" }}
+        command:
+        - /bin/bash
+        args:
+        - -ec
+        - | {{ .Files.Get "files/reconcile-runtime.sh" | nindent 10 }}
+        env:
+        {{- include "runner-sidecar.environment-variables" . | nindent 8 }}
+        {{- with .Values.sidecar.resources }}
+        resources:
+          {{- toYaml . | nindent 10  }}
+        {{- end }}
+      {{- end }}
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 6 }}
+      {{- end }}
+      {{- with .Values.extraVolumes }}
+      volumes:
+        {{- toYaml . | nindent 6 }}
+      {{- end }}
+{{- end -}}

charts/codefresh/cf-runtime/7.0.1/templates/_components/runner/_helpers.tpl

@@ -0,0 +1,42 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "runner.name" -}}
+  {{- printf "%s-%s" (include "cf-runtime.name" .) "runner" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "runner.fullname" -}}
+  {{- printf "%s-%s" (include "cf-runtime.fullname" .) "runner" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "runner.labels" -}}
+{{ include "cf-runtime.labels" . }}
+codefresh.io/application: runner
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "runner.selectorLabels" -}}
+{{ include "cf-runtime.selectorLabels" . }}
+codefresh.io/application: runner
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "runner.serviceAccountName" -}}
+  {{- if .Values.serviceAccount.create }}
+    {{- default (include "runner.fullname" .) .Values.serviceAccount.name }}
+  {{- else }}
+    {{- default "default" .Values.serviceAccount.name }}
+  {{- end }}
+{{- end }}

charts/codefresh/cf-runtime/7.0.1/templates/_components/runner/_rbac.yaml

@@ -0,0 +1,53 @@
+{{- define "runner.resources.rbac" -}}
+{{- if .Values.serviceAccount.create }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "runner.serviceAccountName" . }}
+  labels:
+    {{- include "runner.labels" . | nindent 4 }}
+  {{- with .Values.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end }}
+---
+{{- if .Values.rbac.create }}
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ include "runner.fullname" . }}
+  labels:
+    {{- include "runner.labels" . | nindent 4 }}
+rules:
+  - apiGroups: [ "" ]
+    resources: [ "pods", "persistentvolumeclaims" ]
+    verbs: [ "get", "create", "delete", patch ]
+  - apiGroups: [ "" ]
+    resources: [ "configmaps", "secrets" ]
+    verbs: [ "get", "create", "update", patch ]
+  - apiGroups: [ "apps" ]
+    resources: [ "deployments" ]
+    verbs: [ "get" ]
+{{- with .Values.rbac.rules }}
+  {{ toYaml . | nindent 2 }}
+{{- end }}
+{{- end }}
+---
+{{- if and .Values.serviceAccount.create .Values.rbac.create }}
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ include "runner.fullname" . }}
+  labels:
+    {{- include "runner.labels" . | nindent 4 }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "runner.serviceAccountName" . }}
+    namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: Role
+  name: {{ include "runner.fullname" . }}
+  apiGroup: rbac.authorization.k8s.io
+{{- end }}
+{{- end -}}

charts/codefresh/cf-runtime/7.0.1/templates/_components/runner/environment-variables/_init-container.yaml

@@ -0,0 +1,30 @@
+{{- define "runner-init.environment-variables.defaults" }}
+HOME: /tmp
+{{- end }}
+
+{{- define "runner-init.environment-variables.calculated" }}
+AGENT_NAME: {{ include "runtime.runtime-environment-spec.agent-name" . }}
+API_HOST: {{ include "runtime.runtime-environment-spec.codefresh-host" . }}
+AGENT_CODEFRESH_TOKEN:
+  valueFrom:
+    secretKeyRef:
+      name: {{ include "runner.fullname" . }}
+      key: agent-codefresh-token
+      optional: true
+EXISTING_AGENT_CODEFRESH_TOKEN: {{ include "runtime.agent-token-env-var-value" . | nindent 2 }}
+KUBE_CONTEXT: {{ include "runtime.runtime-environment-spec.context-name" . }}
+KUBE_NAMESPACE: {{ .Release.Namespace }}
+OWNER_NAME: {{ include "runner.fullname" . }}
+RUNTIME_NAME: {{ include "runtime.runtime-environment-spec.runtime-name" . }}
+SECRET_NAME: {{ include "runner.fullname" . }}
+USER_CODEFRESH_TOKEN: {{ include "runtime.installation-token-env-var-value" . | nindent 2 }}
+{{- end }}
+
+{{- define "runner-init.environment-variables" }}
+  {{- $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }}
+  {{- $defaults := (include "runner-init.environment-variables.defaults" . | fromYaml) }}
+  {{- $calculated := (include "runner-init.environment-variables.calculated" . | fromYaml) }}
+  {{- $overrides := .Values.env }}
+  {{- $mergedValues := mergeOverwrite (merge $defaults $calculated) $overrides }}
+  {{- include (printf "%s.env-vars" $cfCommonTplSemver) (dict "Values" $mergedValues "context" .) }}
+{{- end }}

charts/codefresh/cf-runtime/7.0.1/templates/_components/runner/environment-variables/_main-container.yaml

@@ -0,0 +1,28 @@
+{{- define "runner.environment-variables.defaults" }}
+AGENT_MODE: InCluster
+SELF_DEPLOYMENT_NAME:
+  valueFrom:
+    fieldRef:
+      fieldPath: metadata.name
+{{- end }}
+
+{{- define "runner.environment-variables.calculated" }}
+AGENT_ID: {{ include "runtime.runtime-environment-spec.agent-name" . }}
+CODEFRESH_HOST: {{ include "runtime.runtime-environment-spec.codefresh-host" . }}
+CODEFRESH_IN_CLUSTER_RUNTIME: {{ include "runtime.runtime-environment-spec.runtime-name" . }}
+CODEFRESH_TOKEN:
+  valueFrom:
+    secretKeyRef:
+      name: {{ include "runner.fullname" . }}
+      key: agent-codefresh-token
+DOCKER_REGISTRY: {{ .Values.global.imageRegistry }}
+{{- end }}
+
+{{- define "runner.environment-variables" }}
+{{- $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }}
+{{- $defaults := (include "runner.environment-variables.defaults" . | fromYaml) }}
+{{- $calculated := (include "runner.environment-variables.calculated" . | fromYaml) }}
+{{- $overrides := .Values.env }}
+{{- $mergedValues := mergeOverwrite (merge $defaults $calculated) $overrides }}
+{{- include (printf "%s.env-vars" $cfCommonTplSemver) (dict "Values" $mergedValues "context" .) }}
+{{- end }}

charts/codefresh/cf-runtime/7.0.1/templates/_components/runner/environment-variables/_sidecar-container.yaml

@@ -0,0 +1,22 @@
+{{- define "runner-sidecar.environment-variables.defaults" }}
+HOME: /tmp
+{{- end }}
+
+{{- define "runner-sidecar.environment-variables.calculated" }}
+API_HOST: {{ include "runtime.runtime-environment-spec.codefresh-host" . }}
+USER_CODEFRESH_TOKEN: {{ include "runtime.installation-token-env-var-value" . | nindent 2 }}
+KUBE_CONTEXT: {{ include "runtime.runtime-environment-spec.context-name" . }}
+KUBE_NAMESPACE: {{ .Release.Namespace }}
+OWNER_NAME: {{ include "runner.fullname" . }}
+RUNTIME_NAME: {{ include "runtime.runtime-environment-spec.runtime-name" . }}
+CONFIGMAP_NAME: {{ printf "%s-%s" (include "runtime.fullname" .) "spec" }}
+{{- end }}
+
+{{- define "runner-sidecar.environment-variables" }}
+  {{- $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }}
+  {{- $defaults := (include "runner-sidecar.environment-variables.defaults" . | fromYaml) }}
+  {{- $calculated := (include "runner-sidecar.environment-variables.calculated" . | fromYaml) }}
+  {{- $overrides := .Values.sidecar.env }}
+  {{- $mergedValues := mergeOverwrite (merge $defaults $calculated) $overrides }}
+  {{- include (printf "%s.env-vars" $cfCommonTplSemver) (dict "Values" $mergedValues "context" .) }}
+{{- end }}

charts/codefresh/cf-runtime/7.0.1/templates/_components/volume-provisioner/_cronjob.yaml

@@ -0,0 +1,58 @@
+{{- define "dind-volume-provisioner.resources.cronjob" -}}
+{{ $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }}
+{{- if not (eq .Values.storage.backend "local") }}
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: {{ include "dind-volume-cleanup.fullname" . }}
+  labels:
+    {{- include "dind-volume-cleanup.labels" . | nindent 4 }}
+spec:
+  concurrencyPolicy: {{ .Values.concurrencyPolicy }}
+  schedule: {{ .Values.schedule | quote }}
+  successfulJobsHistoryLimit: {{ .Values.successfulJobsHistory }}
+  failedJobsHistoryLimit: {{ .Values.failedJobsHistory }}
+  {{- with .Values.suspend }}
+  suspend: {{ . }}
+  {{- end }}
+  jobTemplate:
+    spec:
+      template:
+        metadata:
+          labels:
+            {{- include "dind-volume-cleanup.selectorLabels" . | nindent 12 }}
+          {{- with .Values.podAnnotations }}
+          annotations:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+        spec:
+          {{- include (printf "%s.image.pullSecrets" $cfCommonTplSemver ) . | nindent 10 }}
+          serviceAccountName: {{ include "dind-volume-provisioner.serviceAccountName" . }}
+          {{- if .Values.podSecurityContext.enabled }}
+          securityContext: {{- omit .Values.podSecurityContext "enabled" | toYaml | nindent 12 }}
+          {{- end }}
+          restartPolicy: {{ .Values.restartPolicy | default "Never" }}
+          containers:
+          - name: dind-volume-cleanup
+            image: {{ include (printf "%s.image.name" $cfCommonTplSemver ) (dict "image" .Values.image "context" .) }}
+            imagePullPolicy: {{ .Values.image.pullPolicy | default "Always" }}
+            env:
+            {{- include (printf "%s.env-vars" $cfCommonTplSemver) (dict "Values" .Values.env "context" .) | nindent 12 }}
+            - name: PROVISIONED_BY
+              value: {{ include "dind-volume-provisioner.volumeProvisionerName" . }}
+            resources:
+            {{- toYaml .Values.resources | nindent 14 }}
+          {{- with .Values.nodeSelector }}
+          nodeSelector:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          {{- with .Values.affinity }}
+          affinity:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          {{- with .Values.tolerations }}
+          tolerations:
+            {{- toYaml . | nindent 10 }}
+          {{- end }}
+  {{- end }}
+{{- end -}}

charts/codefresh/cf-runtime/7.0.1/templates/_components/volume-provisioner/_daemonset.yaml

@@ -0,0 +1,98 @@
+{{- define "dind-volume-provisioner.resources.daemonset" -}}
+{{ $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }}
+{{ $localVolumeParentDir := .Values.storage.local.volumeParentDir  }}
+{{- if eq .Values.storage.backend "local" }}
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: {{ include "dind-lv-monitor.fullname" . }}
+  labels:
+    {{- include "dind-lv-monitor.labels" . | nindent 4 }}
+spec:
+  selector:
+    matchLabels:
+      {{- include "dind-lv-monitor.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      labels:
+        {{- include "dind-lv-monitor.selectorLabels" . | nindent 8 }}
+      {{- with .Values.podAnnotations }}
+      annotations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+    spec:
+      {{- include (printf "%s.image.pullSecrets" $cfCommonTplSemver ) . | nindent 8 }}
+      serviceAccountName: {{ include "dind-volume-provisioner.serviceAccountName" . }}
+      {{- if .Values.podSecurityContext.enabled }}
+      securityContext: {{- omit .Values.podSecurityContext "enabled" | toYaml | nindent 8 }}
+      {{- end }}
+      {{- if .Values.volumePermissions.enabled }}
+      initContainers:
+      - name: volume-permissions
+        image: {{ include (printf "%s.image.name" $cfCommonTplSemver ) (dict "image" .Values.volumePermissions.image "context" .) }}
+        imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | default "Always" }}
+        command:
+         - /bin/sh
+        args:
+         - -ec
+         - |
+           chown -R {{ .Values.podSecurityContext.runAsUser }}:{{ .Values.podSecurityContext.fsGroup }} {{ $localVolumeParentDir }}
+        volumeMounts:
+        - mountPath: {{ $localVolumeParentDir }}
+          name: dind-volume-dir
+        {{- if eq ( toString ( .Values.volumePermissions.securityContext.runAsUser )) "auto" }}
+        securityContext: {{- omit .Values.volumePermissions.securityContext "runAsUser" | toYaml | nindent 10 }}
+        {{- else }}
+        securityContext: {{- .Values.volumePermissions.securityContext | toYaml | nindent 10 }}
+        {{- end }}
+        resources:
+          {{- toYaml .Values.volumePermissions.resources | nindent 10 }}
+      {{- end }}
+      containers:
+      - name: dind-lv-monitor
+        image: {{ include (printf "%s.image.name" $cfCommonTplSemver ) (dict "image" .Values.image "context" .) }}
+        imagePullPolicy: {{ .Values.image.pullPolicy | default "Always" }}
+        {{- if .Values.containerSecurityContext.enabled }}
+        securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 10 }}
+        {{- end }}
+        command:
+          - /home/dind-volume-utils/bin/local-volumes-agent
+        env:
+          {{- include (printf "%s.env-vars" $cfCommonTplSemver) (dict "Values" .Values.env "context" .) | nindent 10 }}
+          - name: NODE_NAME
+            valueFrom:
+              fieldRef:
+                fieldPath: spec.nodeName
+          - name: VOLUME_PARENT_DIR
+            value: {{ $localVolumeParentDir }}
+        resources:
+          {{- toYaml .Values.resources | nindent 10  }}
+        volumeMounts:
+        - mountPath: {{ $localVolumeParentDir }}
+          readOnly: false
+          name: dind-volume-dir
+        {{- with .Values.extraVolumeMounts }}
+          {{- toYaml . | nindent 8 }}
+        {{- end }}
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 6 }}
+      {{- end }}
+      volumes:
+      - name: dind-volume-dir
+        hostPath:
+          path: {{ $localVolumeParentDir }}
+      {{- with .Values.extraVolumes }}
+        {{- toYaml . | nindent 6 }}
+      {{- end }}
+{{- end }}
+{{- end -}}

charts/codefresh/cf-runtime/7.0.1/templates/_components/volume-provisioner/_deployment.yaml

@@ -0,0 +1,67 @@
+{{- define "dind-volume-provisioner.resources.deployment" -}}
+{{ $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "dind-volume-provisioner.fullname" . }}
+  labels:
+    {{- include "dind-volume-provisioner.labels" . | nindent 4 }}
+spec:
+  replicas: {{ .Values.replicasCount }}
+  strategy:
+    type: {{ .Values.updateStrategy.type }}
+  selector:
+    matchLabels:
+      {{- include "dind-volume-provisioner.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      labels:
+        {{- include "dind-volume-provisioner.selectorLabels" . | nindent 8 }}
+      {{- with .Values.podAnnotations }}
+      annotations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+    spec:
+      {{- include (printf "%s.image.pullSecrets" $cfCommonTplSemver ) . | nindent 8 }}
+      serviceAccountName: {{ include "dind-volume-provisioner.serviceAccountName" . }}
+      {{- if .Values.podSecurityContext.enabled }}
+      securityContext: {{- omit .Values.podSecurityContext "enabled" | toYaml | nindent 8 }}
+      {{- end }}
+      containers:
+      - name: dind-volume-provisioner
+        image: {{ include (printf "%s.image.name" $cfCommonTplSemver ) (dict "image" .Values.image "context" .) }}
+        imagePullPolicy: {{ .Values.image.pullPolicy | default "Always" }}
+        command:
+          - /usr/local/bin/dind-volume-provisioner
+          - -v=4
+          - --resync-period=50s
+        env:
+        {{- include "dind-volume-provisioner.environment-variables" . | nindent 8 }}
+        ports:
+        - name: http
+          containerPort: 8080
+        resources:
+          {{- toYaml .Values.resources | nindent 12  }}
+        volumeMounts:
+        {{- include "dind-volume-provisioner.volumeMounts.calculated" . | nindent 8 }}
+        {{- with .Values.extraVolumeMounts }}
+          {{- toYaml . | nindent 8 }}
+        {{- end }}
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 6 }}
+      {{- end }}
+      volumes:
+      {{- include "dind-volume-provisioner.volumes.calculated" . | nindent 6 }}
+      {{- with .Values.extraVolumes }}
+        {{- toYaml . | nindent 6 }}
+      {{- end }}
+{{- end -}}

charts/codefresh/cf-runtime/7.0.1/templates/_components/volume-provisioner/_env-vars.yaml

@@ -0,0 +1,88 @@
+{{- define "dind-volume-provisioner.environment-variables.defaults" }}
+{{- end }}
+
+{{- define "dind-volume-provisioner.environment-variables.calculated" }}
+DOCKER_REGISTRY: {{ .Values.global.imageRegistry }}
+PROVISIONER_NAME: {{ include "dind-volume-provisioner.volumeProvisionerName" . }}
+
+{{- if or .Values.storage.ebs.accessKeyId .Values.storage.ebs.accessKeyIdSecretKeyRef }}
+AWS_ACCESS_KEY_ID:
+  {{- if .Values.storage.ebs.accessKeyId }}
+  valueFrom:
+    secretKeyRef:
+      name: {{ include "dind-volume-provisioner.fullname" . }}
+      key: aws_access_key_id
+  {{- else if .Values.storage.ebs.accessKeyIdSecretKeyRef }}
+  valueFrom:
+    secretKeyRef:
+  {{- .Values.storage.ebs.accessKeyIdSecretKeyRef | toYaml | nindent 6 }}
+  {{- end }}
+{{- end }}
+
+{{- if or .Values.storage.ebs.secretAccessKey .Values.storage.ebs.secretAccessKeySecretKeyRef }}
+AWS_SECRET_ACCESS_KEY:
+  {{- if .Values.storage.ebs.secretAccessKey }}
+  valueFrom:
+    secretKeyRef:
+      name: {{ include "dind-volume-provisioner.fullname" . }}
+      key: aws_secret_access_key
+  {{- else if .Values.storage.ebs.secretAccessKeySecretKeyRef }}
+  valueFrom:
+    secretKeyRef:
+  {{- .Values.storage.ebs.secretAccessKeySecretKeyRef | toYaml | nindent 6 }}
+  {{- end }}
+{{- end }}
+
+{{- if or .Values.storage.gcedisk.serviceAccountJson .Values.storage.gcedisk.serviceAccountJsonSecretKeyRef }}
+GOOGLE_APPLICATION_CREDENTIALS: {{ printf "/etc/dind-volume-provisioner/credentials/%s" (.Values.storage.gcedisk.serviceAccountJsonSecretKeyRef.key | default "google-service-account.json") }}
+{{- end }}
+
+{{- if and .Values.storage.mountAzureJson }}
+AZURE_CREDENTIAL_FILE: /etc/kubernetes/azure.json
+CLOUDCONFIG_AZURE: /etc/kubernetes/azure.json
+{{- end }}
+
+{{- end }}
+
+{{- define "dind-volume-provisioner.environment-variables" }}
+{{- $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }}
+{{- $defaults := (include "dind-volume-provisioner.environment-variables.defaults" . | fromYaml) }}
+{{- $calculated := (include "dind-volume-provisioner.environment-variables.calculated" . | fromYaml) }}
+{{- $overrides := .Values.env }}
+{{- $mergedValues := mergeOverwrite (merge $defaults $calculated) $overrides }}
+{{- include (printf "%s.env-vars" $cfCommonTplSemver) (dict "Values" $mergedValues "context" .) }}
+{{- end }}
+
+
+{{- define "dind-volume-provisioner.volumes.calculated" }}
+  {{- if .Values.storage.gcedisk.serviceAccountJson }}
+- name: credentials
+  secret:
+    secretName: {{ include "dind-volume-provisioner.fullname" . }}
+    optional: true
+  {{- else if .Values.storage.gcedisk.serviceAccountJsonSecretKeyRef }}
+- name: credentials
+  secret:
+    secretName: {{ .Values.storage.gcedisk.serviceAccountJsonSecretKeyRef.name }}
+    optional: true
+  {{- end }}
+  {{- if .Values.storage.mountAzureJson }}
+- name: azure-json
+  hostPath:
+    path: /etc/kubernetes/azure.json
+    type: File
+  {{- end }}
+{{- end }}
+
+{{- define "dind-volume-provisioner.volumeMounts.calculated" }}
+  {{- if or .Values.storage.gcedisk.serviceAccountJson .Values.storage.gcedisk.serviceAccountJsonSecretKeyRef }}
+- name: credentials
+  readOnly: true
+  mountPath: "/etc/dind-volume-provisioner/credentials"
+  {{- end }}
+  {{- if .Values.storage.mountAzureJson }}
+- name: azure-json
+  readOnly: true
+  mountPath: "/etc/kubernetes/azure.json"
+  {{- end }}
+{{- end }}

charts/codefresh/cf-runtime/7.0.1/templates/_components/volume-provisioner/_helpers.tpl

@@ -0,0 +1,93 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "dind-volume-provisioner.name" -}}
+    {{- printf "%s-%s" (include "cf-runtime.name" .) "volume-provisioner" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "dind-volume-provisioner.fullname" -}}
+    {{- printf "%s-%s" (include "cf-runtime.fullname" .) "volume-provisioner" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{- define "dind-volume-cleanup.fullname" -}}
+    {{- printf "%s-%s" (include "cf-runtime.fullname" .) "volume-cleanup" | trunc 52 | trimSuffix "-" }}
+{{- end }}
+
+{{- define "dind-lv-monitor.fullname" -}}
+    {{- printf "%s-%s" (include "cf-runtime.fullname" .) "lv-monitor" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Provisioner name for storage class
+*/}}
+{{- define "dind-volume-provisioner.volumeProvisionerName" }}
+    {{- printf "codefresh.io/dind-volume-provisioner-runner-%s" .Release.Namespace }}
+{{- end }}
+
+{{/*
+Common labels for dind-lv-monitor
+*/}}
+{{- define "dind-lv-monitor.labels" -}}
+{{ include "cf-runtime.labels" . }}
+codefresh.io/application: lv-monitor
+{{- end }}
+
+{{/*
+Selector labels for dind-lv-monitor
+*/}}
+{{- define "dind-lv-monitor.selectorLabels" -}}
+{{ include "cf-runtime.selectorLabels" . }}
+codefresh.io/application: lv-monitor
+{{- end }}
+
+{{/*
+Common labels for dind-volume-provisioner
+*/}}
+{{- define "dind-volume-provisioner.labels" -}}
+{{ include "cf-runtime.labels" . }}
+codefresh.io/application: volume-provisioner
+{{- end }}
+
+{{/*
+Selector labels for dind-volume-provisioner
+*/}}
+{{- define "dind-volume-provisioner.selectorLabels" -}}
+{{ include "cf-runtime.selectorLabels" . }}
+codefresh.io/application: volume-provisioner
+{{- end }}
+
+{{/*
+Common labels for dind-volume-cleanup
+*/}}
+{{- define "dind-volume-cleanup.labels" -}}
+{{ include "cf-runtime.labels" . }}
+codefresh.io/application: pv-cleanup
+{{- end }}
+
+{{/*
+Common labels for dind-volume-cleanup
+*/}}
+{{- define "dind-volume-cleanup.selectorLabels" -}}
+{{ include "cf-runtime.selectorLabels" . }}
+codefresh.io/application: pv-cleanup
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "dind-volume-provisioner.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "dind-volume-provisioner.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
+
+{{- define "dind-volume-provisioner.storageClassName" }}
+{{- printf "dind-local-volumes-runner-%s" .Release.Namespace }}
+{{- end }}

charts/codefresh/cf-runtime/7.0.1/templates/_components/volume-provisioner/_rbac.yaml

@@ -0,0 +1,71 @@
+{{- define "dind-volume-provisioner.resources.rbac" -}}
+{{- if .Values.serviceAccount.create }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "dind-volume-provisioner.serviceAccountName" . }}
+  labels:
+    {{- include "dind-volume-provisioner.labels" . | nindent 4 }}
+  {{- with .Values.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end }}
+---
+{{- if .Values.rbac.create }}
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ include "dind-volume-provisioner.fullname" . }}
+  labels:
+    {{- include "dind-volume-provisioner.labels" . | nindent 4 }}
+rules:
+  - apiGroups: [ "" ]
+    resources: [ "persistentvolumes" ]
+    verbs: [ "get", "list", "watch", "create", "delete", "patch" ]
+  - apiGroups: [ "" ]
+    resources: [ "persistentvolumeclaims" ]
+    verbs: [ "get", "list", "watch", "update", "delete" ]
+  - apiGroups: [ "storage.k8s.io" ]
+    resources: [ "storageclasses" ]
+    verbs: [ "get", "list", "watch" ]
+  - apiGroups: [ "" ]
+    resources: [ "events" ]
+    verbs: [ "list", "watch", "create", "update", "patch" ]
+  - apiGroups: [ "" ]
+    resources: [ "secrets" ]
+    verbs: [ "get", "list" ]
+  - apiGroups: [ "" ]
+    resources: [ "nodes" ]
+    verbs: [ "get", "list", "watch" ]
+  - apiGroups: [ "" ]
+    resources: [ "pods" ]
+    verbs: [ "get", "list", "watch", "create", "delete", "patch" ]
+  - apiGroups: [ "" ]
+    resources: [ "endpoints" ]
+    verbs: [ "get", "list", "watch", "create", "update", "delete" ]
+  - apiGroups: [ "coordination.k8s.io" ]
+    resources: [ "leases" ]
+    verbs: [ "get", "create", "update" ]
+{{- with .Values.rbac.rules }}
+  {{ toYaml . | nindent 2 }}
+{{- end }}
+{{- end }}
+---
+{{- if and .Values.serviceAccount.create .Values.rbac.create }}
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ include "dind-volume-provisioner.fullname" . }}
+  labels:
+    {{- include "dind-volume-provisioner.labels" . | nindent 4 }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "dind-volume-provisioner.serviceAccountName" . }}
+    namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: ClusterRole
+  name: {{ include "dind-volume-provisioner.fullname" . }}
+  apiGroup: rbac.authorization.k8s.io
+{{- end }}
+{{- end -}}

charts/codefresh/cf-runtime/7.0.1/templates/_components/volume-provisioner/_secret.yaml

@@ -0,0 +1,22 @@
+{{- define "dind-volume-provisioner.resources.secret" -}}
+{{- if or .Values.storage.ebs.accessKeyId .Values.storage.ebs.secretAccessKey .Values.storage.gcedisk.serviceAccountJson }}
+apiVersion: v1
+kind: Secret
+type: Opaque
+metadata:
+  name: {{ include "dind-volume-provisioner.fullname" . }}
+  labels:
+    {{- include "dind-volume-provisioner.labels" . | nindent 4 }}
+stringData:
+  {{- with .Values.storage.gcedisk.serviceAccountJson }}
+  google-service-account.json: |
+{{- . | nindent 4 }}
+  {{- end }}
+  {{- with .Values.storage.ebs.accessKeyId }}
+  aws_access_key_id: {{ . }}
+  {{- end }}
+  {{- with .Values.storage.ebs.secretAccessKey }}
+  aws_secret_access_key: {{ . }}
+  {{- end }}
+{{- end }}
+{{- end -}}

charts/codefresh/cf-runtime/7.0.1/templates/_components/volume-provisioner/_storageclass.yaml

@@ -0,0 +1,47 @@
+{{- define "dind-volume-provisioner.resources.storageclass" -}}
+kind: StorageClass
+apiVersion: storage.k8s.io/v1
+metadata:
+  {{/* has to be exactly that */}}
+  name: {{ include "dind-volume-provisioner.storageClassName" . }}
+  labels:
+    {{- include "dind-volume-provisioner.labels" . | nindent 4 }}
+provisioner: {{ include "dind-volume-provisioner.volumeProvisionerName" . }}
+parameters:
+{{- if eq .Values.storage.backend "local" }}
+  volumeBackend: local
+  volumeParentDir: {{ .Values.storage.local.volumeParentDir }}
+{{- else if eq .Values.storage.backend "gcedisk" }}
+  volumeBackend: {{ .Values.storage.backend }}
+  type: {{ .Values.storage.gcedisk.volumeType | default "pd-ssd" }}
+  zone: {{ required ".Values.storage.gcedisk.availabilityZone is required" .Values.storage.gcedisk.availabilityZone }}
+  fsType: {{ .Values.storage.fsType | default "ext4" }}
+{{- else if or (eq .Values.storage.backend "ebs") (eq .Values.storage.backend "ebs-csi")}}
+  volumeBackend: {{ .Values.storage.backend }}
+  VolumeType: {{ .Values.storage.ebs.volumeType | default "gp3" }}
+  AvailabilityZone: {{ required ".Values.storage.ebs.availabilityZone is required" .Values.storage.ebs.availabilityZone }}
+  fsType: {{ .Values.storage.fsType | default "ext4" }}
+  encrypted: {{ .Values.storage.ebs.encrypted | default "false" | quote }}
+  {{- with .Values.storage.ebs.kmsKeyId }}
+  kmsKeyId: {{ . | quote }}
+  {{- end }}
+  {{- with .Values.storage.ebs.iops }}
+  iops: {{ . | quote }}
+  {{- end }}
+  {{- with .Values.storage.ebs.throughput }}
+  throughput: {{ . | quote }}
+  {{- end }}
+{{- else if or (eq .Values.storage.backend "azuredisk") (eq .Values.storage.backend "azuredisk-csi")}}
+  volumeBackend: {{ .Values.storage.backend }}
+  kind: managed
+  skuName: {{ .Values.storage.azuredisk.skuName | default "Premium_LRS" }}
+  fsType: {{ .Values.storage.fsType | default "ext4" }}
+  cachingMode: {{ .Values.storage.azuredisk.cachingMode | default "None" }}
+  {{- with .Values.storage.azuredisk.availabilityZone }}
+  availabilityZone: {{ . | quote }}
+  {{- end }}
+  {{- with .Values.storage.azuredisk.resourceGroup }}
+  resourceGroup: {{ . | quote }}
+  {{- end }}
+{{- end }}
+{{- end -}}

charts/codefresh/cf-runtime/7.0.1/templates/_helpers.tpl

@@ -0,0 +1,51 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "cf-runtime.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "cf-runtime.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "cf-runtime.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "cf-runtime.labels" -}}
+helm.sh/chart: {{ include "cf-runtime.chart" . }}
+{{ include "cf-runtime.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "cf-runtime.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "cf-runtime.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}

charts/codefresh/cf-runtime/7.0.1/templates/app-proxy/deployment.yaml

@@ -0,0 +1,9 @@
+{{- $appProxyContext := deepCopy . }}
+{{- $_ := set $appProxyContext "Values" (get .Values "appProxy") }}
+{{- $_ := set $appProxyContext.Values "global" (get .Values "global") }}
+{{- $_ := set $appProxyContext.Values "nameOverride" (get .Values "nameOverride") }}
+{{- $_ := set $appProxyContext.Values "fullnameOverride" (get .Values "fullnameOverride") }}
+
+{{- if $appProxyContext.Values.enabled }}
+{{- include "app-proxy.resources.deployment" $appProxyContext }}
+{{- end }}

charts/codefresh/cf-runtime/7.0.1/templates/app-proxy/ingress.yaml

@@ -0,0 +1,9 @@
+{{- $appProxyContext := deepCopy . }}
+{{- $_ := set $appProxyContext "Values" (get .Values "appProxy") }}
+{{- $_ := set $appProxyContext.Values "global" (get .Values "global") }}
+{{- $_ := set $appProxyContext.Values "nameOverride" (get .Values "nameOverride") }}
+{{- $_ := set $appProxyContext.Values "fullnameOverride" (get .Values "fullnameOverride") }}
+
+{{- if $appProxyContext.Values.enabled }}
+{{- include "app-proxy.resources.ingress" $appProxyContext }}
+{{- end }}

charts/codefresh/cf-runtime/7.0.1/templates/app-proxy/rbac.yaml

@@ -0,0 +1,9 @@
+{{- $appProxyContext := deepCopy . }}
+{{- $_ := set $appProxyContext "Values" (get .Values "appProxy") }}
+{{- $_ := set $appProxyContext.Values "global" (get .Values "global") }}
+{{- $_ := set $appProxyContext.Values "nameOverride" (get .Values "nameOverride") }}
+{{- $_ := set $appProxyContext.Values "fullnameOverride" (get .Values "fullnameOverride") }}
+
+{{- if $appProxyContext.Values.enabled }}
+{{- include "app-proxy.resources.rbac" $appProxyContext }}
+{{- end }}

charts/codefresh/cf-runtime/7.0.1/templates/app-proxy/service.yaml

@@ -0,0 +1,9 @@
+{{- $appProxyContext := deepCopy . }}
+{{- $_ := set $appProxyContext "Values" (get .Values "appProxy") }}
+{{- $_ := set $appProxyContext.Values "global" (get .Values "global") }}
+{{- $_ := set $appProxyContext.Values "nameOverride" (get .Values "nameOverride") }}
+{{- $_ := set $appProxyContext.Values "fullnameOverride" (get .Values "fullnameOverride") }}
+
+{{- if $appProxyContext.Values.enabled }}
+{{- include "app-proxy.resources.service" $appProxyContext }}
+{{- end }}

charts/codefresh/cf-runtime/7.0.1/templates/event-exporter/deployment.yaml

@@ -0,0 +1,9 @@
+{{- $eventExporterContext := deepCopy . }}
+{{- $_ := set $eventExporterContext "Values" (get .Values "event-exporter") }}
+{{- $_ := set $eventExporterContext.Values "global" (get .Values "global") }}
+{{- $_ := set $eventExporterContext.Values "nameOverride" (get .Values "nameOverride") }}
+{{- $_ := set $eventExporterContext.Values "fullnameOverride" (get .Values "fullnameOverride") }}
+
+{{- if and $eventExporterContext.Values.enabled }}
+{{- include "event-exporter.resources.deployment" $eventExporterContext }}
+{{- end }}

charts/codefresh/cf-runtime/7.0.1/templates/event-exporter/rbac.yaml

@@ -0,0 +1,9 @@
+{{- $eventExporterContext := deepCopy . }}
+{{- $_ := set $eventExporterContext "Values" (get .Values "event-exporter") }}
+{{- $_ := set $eventExporterContext.Values "global" (get .Values "global") }}
+{{- $_ := set $eventExporterContext.Values "nameOverride" (get .Values "nameOverride") }}
+{{- $_ := set $eventExporterContext.Values "fullnameOverride" (get .Values "fullnameOverride") }}
+
+{{- if and $eventExporterContext.Values.enabled }}
+{{- include "event-exporter.resources.rbac" $eventExporterContext }}
+{{- end }}

charts/codefresh/cf-runtime/7.0.1/templates/event-exporter/service.yaml

@@ -0,0 +1,11 @@
+{{- $eventExporterContext := deepCopy . }}
+{{- $_ := set $eventExporterContext "Values" (get .Values "event-exporter") }}
+{{- $_ := set $eventExporterContext.Values "global" (get .Values "global") }}
+{{- $_ := set $eventExporterContext.Values "nameOverride" (get .Values "nameOverride") }}
+{{- $_ := set $eventExporterContext.Values "fullnameOverride" (get .Values "fullnameOverride") }}
+
+{{- if $eventExporterContext.Values.enabled }}
+{{- include "event-exporter.resources.service" $eventExporterContext }}
+---
+{{- include "event-exporter.resources.serviceMonitor" $eventExporterContext }}
+{{- end }}

charts/codefresh/cf-runtime/7.0.1/templates/extra/extra-resources.yaml

@@ -0,0 +1,6 @@
+{{ $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }}
+
+{{- range .Values.extraResources }}
+---
+{{ include (printf "%s.tplrender" $cfCommonTplSemver) (dict "Values" . "context" $) }}
+{{- end }}

charts/codefresh/cf-runtime/7.0.1/templates/extra/runtime-images-cm.yaml

@@ -0,0 +1,19 @@
+{{ $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }}
+{{ $values := .Values.runtime.engine.runtimeImages }}
+---
+kind: ConfigMap
+apiVersion: v1
+metadata:
+  {{- /* dummy template just to list runtime images */}}
+  name: {{ include "runtime.fullname" . }}-images
+  labels:
+    {{- include "runtime.labels" . | nindent 4 }}
+  annotations:
+    {{- with $values.annotations }}
+      {{- toYaml . | nindent 4 }}
+    {{- end }}
+data:
+  images: |
+    {{- range $key, $val := $values }}
+    image: {{ $val }}
+    {{- end }}

charts/codefresh/cf-runtime/7.0.1/templates/hooks/post-install/cm-update-runtime.yaml

@@ -0,0 +1,18 @@
+{{ $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }}
+{{ $values := .Values.runtime.patch }}
+{{- if $values.enabled }}
+---
+kind: ConfigMap
+apiVersion: v1
+metadata:
+  name: {{ include "runtime.fullname" . }}-spec
+  labels:
+    {{- include "runtime.labels" . | nindent 4 }}
+  annotations:
+    {{- with $values.annotations }}
+      {{- toYaml . | nindent 4 }}
+    {{- end }}
+data:
+  runtime.yaml: |
+    {{ include "runtime.runtime-environment-spec.template" . | nindent 4 | trim }}
+{{- end }}

charts/codefresh/cf-runtime/7.0.1/templates/hooks/post-install/job-gencerts-dind.yaml

@@ -0,0 +1,68 @@
+{{ $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }}
+{{ $values := .Values.runtime.gencerts }}
+{{- if and $values.enabled }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ include "runtime.fullname" . }}-gencerts-dind
+  labels:
+    {{- include "runtime.labels" . | nindent 4 }}
+  annotations:
+    helm.sh/hook: post-install,post-upgrade
+    helm.sh/hook-weight: "3"
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+    {{- with $values.annotations }}
+      {{- toYaml . | nindent 4 }}
+    {{- end }}
+spec:
+  {{- with $values.ttlSecondsAfterFinished }}
+  ttlSecondsAfterFinished: {{ . }}
+  {{- end }}
+  {{- with $values.backoffLimit }}
+  backoffLimit: {{ . | int }}
+  {{- end }}
+  template:
+    metadata:
+      name: {{ include "runtime.fullname" . }}-gencerts-dind
+      labels:
+        {{- include "runtime.labels" . | nindent 8 }}
+    spec:
+      {{- if $values.rbac.enabled }}
+      serviceAccountName: {{ template "runtime.fullname" . }}-gencerts-dind
+      {{- end }}
+      securityContext:
+        {{- toYaml $values.podSecurityContext | nindent 8 }}
+      containers:
+      - name: gencerts-dind
+        image: {{ include (printf "%s.image.name" $cfCommonTplSemver ) (dict "image" $values.image "context" .) }}
+        imagePullPolicy: {{ $values.image.pullPolicy | default "Always" }}
+        command:
+        - "/bin/bash"
+        args:
+        - -ec
+        - | {{ .Files.Get "files/configure-dind-certs.sh" | nindent 10 }}
+        env:
+        - name: NAMESPACE
+          value: {{ .Release.Namespace }}
+        - name: RELEASE
+          value: {{ .Release.Name }}
+        - name: CF_API_HOST
+          value: {{ include "runtime.runtime-environment-spec.codefresh-host" . }}
+        - name: CF_API_TOKEN
+          {{- include "runtime.installation-token-env-var-value" . | indent 10}}
+          {{- include (printf "%s.env-vars" $cfCommonTplSemver) (dict "Values" $values.env "context" .) | nindent 8 }}
+      {{- with $values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with $values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with $values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 6 }}
+      {{- end }}
+      restartPolicy: OnFailure
+{{- end }}

charts/codefresh/cf-runtime/7.0.1/templates/hooks/post-install/job-update-runtime.yaml

@@ -0,0 +1,77 @@
+{{ $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }}
+{{ $values := .Values.runtime.patch }}
+{{- if $values.enabled }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ include "runtime.fullname" . }}-patch
+  labels:
+    {{- include "runtime.labels" . | nindent 4 }}
+  annotations:
+    helm.sh/hook: post-install,post-upgrade
+    helm.sh/hook-weight: "5"
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+    {{- with $values.annotations }}
+      {{- toYaml . | nindent 4 }}
+    {{- end }}
+spec:
+  {{- with $values.ttlSecondsAfterFinished }}
+  ttlSecondsAfterFinished: {{ . }}
+  {{- end }}
+  {{- with $values.backoffLimit }}
+  backoffLimit: {{ . | int }}
+  {{- end }}
+  template:
+    metadata:
+      name: {{ include "runtime.fullname" . }}-patch
+      labels:
+        {{- include "runtime.labels" . | nindent 8 }}
+    spec:
+      securityContext:
+        {{- toYaml $values.podSecurityContext | nindent 8 }}
+      containers:
+      - name: patch-runtime
+        image: {{ include (printf "%s.image.name" $cfCommonTplSemver ) (dict "image" $values.image "context" .) }}
+        imagePullPolicy: {{ $values.image.pullPolicy | default "Always" }}
+        command:
+        - "/bin/bash"
+        args:
+        - -ec
+        - |
+          codefresh auth create-context --api-key $API_KEY --url $API_HOST
+          cat /usr/share/extras/runtime.yaml
+          codefresh get re
+{{- if .Values.runtime.agent }}
+          codefresh patch re -f /usr/share/extras/runtime.yaml
+{{- else }}
+          codefresh patch sys-re -f /usr/share/extras/runtime.yaml
+{{- end }}
+        env:
+        - name: API_KEY
+          {{- include "runtime.installation-token-env-var-value" . | indent 10}}
+        - name: API_HOST
+          value: {{ include "runtime.runtime-environment-spec.codefresh-host" . }}
+          {{- include (printf "%s.env-vars" $cfCommonTplSemver) (dict "Values" $values.env "context" .) | nindent 8 }}
+        volumeMounts:
+        - name: config
+          mountPath: /usr/share/extras/runtime.yaml
+          subPath: runtime.yaml
+      {{- with $values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with $values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with $values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 6 }}
+      {{- end }}
+      restartPolicy: OnFailure
+      volumes:
+      - name: config
+        configMap:
+          name: {{ include "runtime.fullname" . }}-spec
+{{- end }}

charts/codefresh/cf-runtime/7.0.1/templates/hooks/post-install/rbac-gencerts-dind.yaml

@@ -0,0 +1,37 @@
+{{ $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }}
+{{ $values := .Values.runtime.gencerts }}
+{{- if and $values.enabled }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "runtime.fullname" . }}-gencerts-dind
+  namespace: {{ .Release.Namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ include "runtime.fullname" . }}-gencerts-dind
+  namespace: {{ .Release.Namespace }}
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+      - configmaps
+    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ include "runtime.fullname" . }}-gencerts-dind
+  namespace: {{ .Release.Namespace }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ include "runtime.fullname" . }}-gencerts-dind
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "runtime.fullname" . }}-gencerts-dind
+    namespace: {{ .Release.Namespace }}
+{{ end }}

charts/codefresh/cf-runtime/7.0.1/templates/hooks/pre-delete/job-cleanup-resources.yaml

@@ -0,0 +1,73 @@
+{{ $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }}
+{{ $values := .Values.runtime.patch }}
+{{- if and $values.enabled }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ include "runtime.fullname" . }}-cleanup
+  labels:
+    {{- include "runtime.labels" . | nindent 4 }}
+  annotations:
+    helm.sh/hook: pre-delete
+    helm.sh/hook-delete-policy:  hook-succeeded,before-hook-creation
+    {{- with $values.annotations }}
+      {{- toYaml . | nindent 4 }}
+    {{- end }}
+spec:
+  {{- with $values.ttlSecondsAfterFinished }}
+  ttlSecondsAfterFinished: {{ . }}
+  {{- end }}
+  {{- with $values.backoffLimit }}
+  backoffLimit: {{ . | int }}
+  {{- end }}
+  template:
+    metadata:
+      name: {{ include "runtime.fullname" . }}-cleanup
+      labels:
+        {{- include "runtime.labels" . | nindent 8 }}
+    spec:
+      {{- if $values.rbac.enabled }}
+      serviceAccountName: {{ template "runtime.fullname" . }}-cleanup
+      {{- end }}
+      securityContext:
+        {{- toYaml $values.podSecurityContext | nindent 8 }}
+      containers:
+      - name: cleanup
+        image: {{ include (printf "%s.image.name" $cfCommonTplSemver ) (dict "image" $values.image "context" .) }}
+        imagePullPolicy: {{ $values.image.pullPolicy | default "Always" }}
+        command:
+        - "/bin/bash"
+        args:
+        - -ec
+        - | {{ .Files.Get "files/cleanup-runtime.sh" | nindent 10 }}
+        env:
+        - name: AGENT_NAME
+          value: {{ include "runtime.runtime-environment-spec.agent-name" . }}
+        - name: RUNTIME_NAME
+          value: {{ include "runtime.runtime-environment-spec.runtime-name" . }}
+        - name: API_HOST
+          value: {{ include "runtime.runtime-environment-spec.codefresh-host" . }}
+        - name: API_TOKEN
+          {{- include "runtime.installation-token-env-var-value" . | indent 10}}
+        - name: AGENT
+          value: {{ .Values.runtime.agent | quote }}
+        - name: AGENT_SECRET_NAME
+          value: {{ include "runner.fullname" . }}
+        - name: DIND_SECRET_NAME
+          value: codefresh-certs-server
+          {{- include (printf "%s.env-vars" $cfCommonTplSemver) (dict "Values" $values.env "context" .) | nindent 8 }}
+      {{- with $values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with $values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with $values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 6 }}
+      {{- end }}
+      restartPolicy: OnFailure
+{{- end }}

charts/codefresh/cf-runtime/7.0.1/templates/hooks/pre-delete/rbac-cleanup-resources.yaml

@@ -0,0 +1,46 @@
+{{ $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }}
+{{ $values := .Values.runtime.patch }}
+{{- if and $values.enabled }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "runtime.fullname" . }}-cleanup
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    "helm.sh/hook": pre-delete
+    "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation,hook-failed
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ include "runtime.fullname" . }}-cleanup
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    "helm.sh/hook": pre-delete
+    "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation,hook-failed
+rules:
+  - apiGroups:
+      - "*"
+    resources:
+      - "*"
+    verbs:
+      - "*"
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ include "runtime.fullname" . }}-cleanup
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    "helm.sh/hook": pre-delete
+    "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation,hook-failed
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ include "runtime.fullname" . }}-cleanup
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "runtime.fullname" . }}-cleanup
+    namespace: {{ .Release.Namespace }}
+{{ end }}

charts/codefresh/cf-runtime/7.0.1/templates/monitor/deployment.yaml

@@ -0,0 +1,9 @@
+{{- $monitorContext := deepCopy . }}
+{{- $_ := set $monitorContext "Values" (get .Values "monitor") }}
+{{- $_ := set $monitorContext.Values "global" (get .Values "global") }}
+{{- $_ := set $monitorContext.Values "nameOverride" (get .Values "nameOverride") }}
+{{- $_ := set $monitorContext.Values "fullnameOverride" (get .Values "fullnameOverride") }}
+
+{{- if $monitorContext.Values.enabled }}
+{{- include "monitor.resources.deployment" $monitorContext }}
+{{- end }}

charts/codefresh/cf-runtime/7.0.1/templates/monitor/rbac.yaml

@@ -0,0 +1,9 @@
+{{- $monitorContext := deepCopy . }}
+{{- $_ := set $monitorContext "Values" (get .Values "monitor") }}
+{{- $_ := set $monitorContext.Values "global" (get .Values "global") }}
+{{- $_ := set $monitorContext.Values "nameOverride" (get .Values "nameOverride") }}
+{{- $_ := set $monitorContext.Values "fullnameOverride" (get .Values "fullnameOverride") }}
+
+{{- if $monitorContext.Values.enabled }}
+{{- include "monitor.resources.rbac" $monitorContext }}
+{{- end }}

charts/codefresh/cf-runtime/7.0.1/templates/monitor/service.yaml

@@ -0,0 +1,9 @@
+{{- $monitorContext := deepCopy . }}
+{{- $_ := set $monitorContext "Values" (get .Values "monitor") }}
+{{- $_ := set $monitorContext.Values "global" (get .Values "global") }}
+{{- $_ := set $monitorContext.Values "nameOverride" (get .Values "nameOverride") }}
+{{- $_ := set $monitorContext.Values "fullnameOverride" (get .Values "fullnameOverride") }}
+
+{{- if $monitorContext.Values.enabled }}
+{{- include "monitor.resources.service" $monitorContext }}
+{{- end }}

charts/codefresh/cf-runtime/7.0.1/templates/other/external-secrets.yaml

@@ -0,0 +1,2 @@
+{{ $templateName := printf "cf-common-%s.external-secrets" (index .Subcharts "cf-common").Chart.Version }}
+{{- include $templateName . -}}

charts/codefresh/cf-runtime/7.0.1/templates/other/podMonitor.yaml

@@ -0,0 +1,2 @@
+{{ $templateName := printf "cf-common-%s.podMonitor" (index .Subcharts "cf-common").Chart.Version }}
+{{- include $templateName . -}}

charts/codefresh/cf-runtime/7.0.1/templates/other/serviceMonitor.yaml

@@ -0,0 +1,2 @@
+{{ $templateName := printf "cf-common-%s.serviceMonitor" (index .Subcharts "cf-common").Chart.Version }}
+{{- include $templateName . -}}

charts/codefresh/cf-runtime/7.0.1/templates/runner/deployment.yaml

@@ -0,0 +1,9 @@
+{{- $runnerContext := deepCopy . }}
+{{- $_ := set $runnerContext "Values" (get .Values "runner") }}
+{{- $_ := set $runnerContext.Values "global" (get .Values "global") }}
+{{- $_ := set $runnerContext.Values "nameOverride" (get .Values "nameOverride") }}
+{{- $_ := set $runnerContext.Values "fullnameOverride" (get .Values "fullnameOverride") }}
+
+{{- if and $runnerContext.Values.enabled .Values.runtime.agent }}
+{{- include "runner.resources.deployment" $runnerContext }}
+{{- end }}

charts/codefresh/cf-runtime/7.0.1/templates/runner/rbac.yaml

@@ -0,0 +1,9 @@
+{{- $runnerContext := deepCopy . }}
+{{- $_ := set $runnerContext "Values" (get .Values "runner") }}
+{{- $_ := set $runnerContext.Values "global" (get .Values "global") }}
+{{- $_ := set $runnerContext.Values "nameOverride" (get .Values "nameOverride") }}
+{{- $_ := set $runnerContext.Values "fullnameOverride" (get .Values "fullnameOverride") }}
+
+{{- if and $runnerContext.Values.enabled .Values.runtime.agent }}
+{{- include "runner.resources.rbac" $runnerContext }}
+{{- end }}

charts/codefresh/cf-runtime/7.0.1/templates/runtime/_helpers.tpl

@@ -0,0 +1,123 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "runtime.name" -}}
+    {{- printf "%s" (include "cf-runtime.name" .)  | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "runtime.fullname" -}}
+    {{- printf "%s" (include "cf-runtime.fullname" .) | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "runtime.labels" -}}
+{{ include "cf-runtime.labels" . }}
+codefresh.io/application: runtime
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "runtime.selectorLabels" -}}
+{{ include "cf-runtime.selectorLabels" . }}
+codefresh.io/application: runtime
+{{- end }}
+
+{{/*
+Return runtime image (classic runtime) with private registry prefix
+*/}}
+{{- define "runtime.runtimeImageName" -}}
+  {{- if .registry -}}
+    {{- $imageName :=  (trimPrefix "quay.io/" .imageFullName) -}}
+    {{- printf "%s/%s" .registry $imageName -}}
+  {{- else -}}
+    {{- printf "%s" .imageFullName -}}
+  {{- end -}}
+{{- end -}}
+
+{{/*
+Environment variable value of Codefresh installation token
+*/}}
+{{- define "runtime.installation-token-env-var-value" -}}
+  {{- if .Values.global.codefreshToken }}
+valueFrom:
+  secretKeyRef:
+    name: {{ include "runtime.installation-token-secret-name" . }}
+    key: codefresh-api-token
+  {{- else if .Values.global.codefreshTokenSecretKeyRef  }}
+valueFrom:
+  secretKeyRef:
+  {{- .Values.global.codefreshTokenSecretKeyRef | toYaml | nindent 4 }}
+  {{- end }}
+{{- end }}
+
+{{/*
+Environment variable value of Codefresh agent token
+*/}}
+{{- define "runtime.agent-token-env-var-value" -}}
+  {{- if .Values.global.agentToken }}
+{{- printf "%s" .Values.global.agentToken | toYaml }}
+  {{- else if .Values.global.agentTokenSecretKeyRef  }}
+valueFrom:
+  secretKeyRef:
+  {{- .Values.global.agentTokenSecretKeyRef | toYaml | nindent 4 }}
+  {{- end }}
+{{- end }}
+
+{{/*
+Print Codefresh API token secret name
+*/}}
+{{- define "runtime.installation-token-secret-name" }}
+{{- print "codefresh-user-token" }}
+{{- end }}
+
+{{/*
+Print Codefresh host
+*/}}
+{{- define "runtime.runtime-environment-spec.codefresh-host" }}
+{{- if and (not .Values.global.codefreshHost) }}
+  {{- fail "ERROR: .global.codefreshHost is required" }}
+{{- else }}
+  {{- printf "%s" (trimSuffix "/" .Values.global.codefreshHost) }}
+{{- end }}
+{{- end }}
+
+{{/*
+Print runtime-environment name
+*/}}
+{{- define "runtime.runtime-environment-spec.runtime-name" }}
+{{- if and (not .Values.global.runtimeName) }}
+  {{- printf "%s/%s" .Values.global.context .Release.Namespace }}
+{{- else }}
+  {{- printf "%s" .Values.global.runtimeName }}
+{{- end }}
+{{- end }}
+
+{{/*
+Print agent name
+*/}}
+{{- define "runtime.runtime-environment-spec.agent-name" }}
+{{- if and (not .Values.global.agentName) }}
+  {{- printf "%s_%s" .Values.global.context .Release.Namespace }}
+{{- else }}
+  {{- printf "%s" .Values.global.agentName }}
+{{- end }}
+{{- end }}
+
+{{/*
+Print context
+*/}}
+{{- define "runtime.runtime-environment-spec.context-name" }}
+{{- if and (not .Values.global.context) }}
+  {{- fail "ERROR: .global.context is required" }}
+{{- else }}
+  {{- printf "%s" .Values.global.context }}
+{{- end }}
+{{- end }}

charts/codefresh/cf-runtime/7.0.1/templates/runtime/cm-dind-daemon.yaml

@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  {{- /* has to be a constant */}}
+  name: codefresh-dind-config
+  labels:
+    {{- include "runtime.labels" . | nindent 4 }}
+data:
+  daemon.json: |
+{{ coalesce .Values.re.dindDaemon .Values.runtime.dindDaemon | toPrettyJson | indent 4 }}

charts/codefresh/cf-runtime/7.0.1/templates/runtime/rbac.yaml

@@ -0,0 +1,48 @@
+{{ $values := .Values.runtime }}
+---
+{{- if or $values.serviceAccount.create }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  {{- /* has to be a constant */}}
+  name: codefresh-engine
+  labels:
+    {{- include "runtime.labels" . | nindent 4 }}
+  {{- with $values.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end }}
+---
+{{- if $values.rbac.create }}
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: codefresh-engine
+  labels:
+    {{- include "runner.labels" . | nindent 4 }}
+rules:
+  - apiGroups: [ "" ]
+    resources: [ "secrets" ]
+    verbs: [ "get" ]
+{{- with $values.rbac.rules }}
+  {{ toYaml . | nindent 2 }}
+{{- end }}
+{{- end }}
+---
+{{- if and $values.serviceAccount.create $values.rbac.create }}
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: codefresh-engine
+  labels:
+    {{- include "runner.labels" . | nindent 4 }}
+subjects:
+  - kind: ServiceAccount
+    name: codefresh-engine
+roleRef:
+  kind: Role
+  name: codefresh-engine
+  apiGroup: rbac.authorization.k8s.io
+{{- end }}
+

charts/codefresh/cf-runtime/7.0.1/templates/runtime/runtime-env-spec-tmpl.yaml

@@ -0,0 +1,206 @@
+{{- define "runtime.runtime-environment-spec.template" }}
+{{- $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version -}}
+{{- $kubeconfigFilePath := (include "runtime.runtime-environment-spec.runtime-name" .) -}}
+{{- $name := (include "runtime.runtime-environment-spec.runtime-name" .) -}}
+{{- $engineContext := .Values.runtime.engine -}}
+{{- $dindContext := .Values.runtime.dind -}}
+{{- $imageRegistry := .Values.global.imageRegistry -}}
+metadata:
+  name: {{ include "runtime.runtime-environment-spec.runtime-name" . }}
+  agent: {{ .Values.runtime.agent }}
+runtimeScheduler:
+  type: KubernetesPod
+  {{- if $engineContext.image }}
+  image: {{ include (printf "%s.image.name" $cfCommonTplSemver ) (dict "image" $engineContext.image "context" .) | squote }}
+  {{- end }}
+  imagePullPolicy: {{ $engineContext.image.pullPolicy }}
+  {{- with $engineContext.command }}
+  command: {{- toYaml . | nindent 4 }}
+  {{- end }}
+  envVars:
+  {{- with $engineContext.env }}
+    {{- range $key, $val := . }}
+    {{ $key }}: {{ $val | squote }}
+    {{- end }}
+  {{- end }}
+    COMPOSE_IMAGE: {{ include "runtime.runtimeImageName" (dict "registry" $imageRegistry "imageFullName" $engineContext.runtimeImages.COMPOSE_IMAGE) | squote }}
+    CONTAINER_LOGGER_IMAGE: {{ include "runtime.runtimeImageName" (dict "registry" $imageRegistry "imageFullName" $engineContext.runtimeImages.CONTAINER_LOGGER_IMAGE) | squote }}
+    DOCKER_BUILDER_IMAGE: {{ include "runtime.runtimeImageName" (dict "registry" $imageRegistry "imageFullName" $engineContext.runtimeImages.DOCKER_BUILDER_IMAGE) | squote }}
+    DOCKER_PULLER_IMAGE: {{ include "runtime.runtimeImageName" (dict "registry" $imageRegistry "imageFullName" $engineContext.runtimeImages.DOCKER_PULLER_IMAGE) | squote }}
+    DOCKER_PUSHER_IMAGE: {{ include "runtime.runtimeImageName" (dict "registry" $imageRegistry "imageFullName" $engineContext.runtimeImages.DOCKER_PUSHER_IMAGE) | squote }}
+    DOCKER_TAG_PUSHER_IMAGE: {{ include "runtime.runtimeImageName" (dict "registry" $imageRegistry "imageFullName" $engineContext.runtimeImages.DOCKER_TAG_PUSHER_IMAGE) | squote }}
+    FS_OPS_IMAGE: {{ include "runtime.runtimeImageName" (dict "registry" $imageRegistry "imageFullName" $engineContext.runtimeImages.FS_OPS_IMAGE) | squote }}
+    GIT_CLONE_IMAGE: {{ include "runtime.runtimeImageName" (dict "registry" $imageRegistry "imageFullName" $engineContext.runtimeImages.GIT_CLONE_IMAGE) | squote }}
+    KUBE_DEPLOY: {{ include "runtime.runtimeImageName" (dict "registry" $imageRegistry "imageFullName" $engineContext.runtimeImages.KUBE_DEPLOY) | squote }}
+    PIPELINE_DEBUGGER_IMAGE: {{ include "runtime.runtimeImageName" (dict "registry" $imageRegistry "imageFullName" $engineContext.runtimeImages.PIPELINE_DEBUGGER_IMAGE) | squote }}
+    TEMPLATE_ENGINE: {{ include "runtime.runtimeImageName" (dict "registry" $imageRegistry "imageFullName" $engineContext.runtimeImages.TEMPLATE_ENGINE) | squote }}
+    CR_6177_FIXER: {{ include "runtime.runtimeImageName" (dict "registry" $imageRegistry "imageFullName" $engineContext.runtimeImages.CR_6177_FIXER) | squote }}
+    GC_BUILDER_IMAGE: {{ include "runtime.runtimeImageName" (dict "registry" $imageRegistry "imageFullName" $engineContext.runtimeImages.GC_BUILDER_IMAGE) | squote }}
+    COSIGN_IMAGE_SIGNER_IMAGE: {{ include "runtime.runtimeImageName" (dict "registry" $imageRegistry "imageFullName" $engineContext.runtimeImages.COSIGN_IMAGE_SIGNER_IMAGE) | squote }}
+  {{- with $engineContext.userEnvVars }}
+  userEnvVars:  {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- with $engineContext.workflowLimits }}
+  workflowLimits: {{- toYaml . | nindent 4 }}
+  {{- end }}
+  cluster:
+    namespace: {{ .Release.Namespace }}
+    serviceAccount: {{ $engineContext.serviceAccount }}
+    {{- if .Values.runtime.agent }}
+    clusterProvider:
+      accountId: {{ .Values.global.accountId }}
+      selector: {{ include "runtime.runtime-environment-spec.context-name" . }}
+    {{- else }}
+      {{- if .Values.runtime.inCluster }}
+    inCluster: true
+    kubeconfigFilePath: null
+      {{- else }}
+    name: {{ $name }}
+    kubeconfigFilePath: {{ printf "/etc/kubeconfig/%s" $kubeconfigFilePath }}
+      {{- end }}
+    {{- end }}
+    {{- with $engineContext.nodeSelector }}
+    nodeSelector: {{- toYaml . | nindent 6 }}
+    {{- end }}
+  {{- with $engineContext.affinity }}
+  affinity:  {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- with $engineContext.tolerations }}
+  tolerations:  {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- with $engineContext.podAnnotations }}
+  annotations:
+    {{- range $key, $val := . }}
+    {{ $key }}: {{ $val | squote }}
+    {{- end }}
+  {{- end }}
+  {{- with $engineContext.podLabels }}
+  labels: {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- if $engineContext.schedulerName }}
+  schedulerName: {{ $engineContext.schedulerName }}
+  {{- end }}
+  resources:
+  {{- if $engineContext.resources}}
+  {{- toYaml $engineContext.resources | nindent 4 }}
+  {{- end }}
+  {{- with $engineContext.terminationGracePeriodSeconds }}
+  terminationGracePeriodSeconds: {{ . }}
+  {{- end }}
+dockerDaemonScheduler:
+  type: DindKubernetesPod
+  {{- if $dindContext.image }}
+  dindImage: {{ include (printf "%s.image.name" $cfCommonTplSemver ) (dict "image" $dindContext.image "context" .) | squote }}
+  {{- end }}
+  imagePullPolicy: {{ $dindContext.image.pullPolicy }}
+  {{- with $dindContext.userAccess }}
+  userAccess: {{ . }}
+  {{- end }}
+  {{- with $dindContext.env }}
+  envVars:
+    {{- range $key, $val := . }}
+    {{ $key }}: {{ $val | squote }}
+    {{- end }}
+  {{- end }}
+  cluster:
+    namespace: {{ .Release.Namespace }}
+    serviceAccount: {{ $dindContext.serviceAccount }}
+    {{- if .Values.runtime.agent }}
+    clusterProvider:
+      accountId: {{ .Values.global.accountId }}
+      selector: {{ include "runtime.runtime-environment-spec.context-name" . }}
+    {{- else }}
+      {{- if .Values.runtime.inCluster }}
+    inCluster: true
+    kubeconfigFilePath: null
+      {{- else }}
+    name: {{ $name }}
+    kubeconfigFilePath: {{ printf "/etc/kubeconfig/%s" $kubeconfigFilePath }}
+      {{- end }}
+    {{- end }}
+    {{- with $dindContext.nodeSelector }}
+    nodeSelector: {{- toYaml . | nindent 6 }}
+    {{- end }}
+  {{- with $dindContext.affinity }}
+  affinity:  {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- with $dindContext.tolerations }}
+  tolerations: {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- with $dindContext.podAnnotations }}
+  annotations:
+    {{- range $key, $val := . }}
+    {{ $key }}: {{ $val | squote }}
+    {{- end }}
+  {{- end }}
+  {{- with $dindContext.podLabels }}
+  labels: {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- if $dindContext.schedulerName }}
+  schedulerName: {{ $dindContext.schedulerName }}
+  {{- end }}
+  {{- if $dindContext.pvcs }}
+  pvcs:
+  {{- range $index, $pvc := $dindContext.pvcs }}
+    - name: {{ $pvc.name }}
+      reuseVolumeSelector: {{ $pvc.reuseVolumeSelector | squote }}
+      reuseVolumeSortOrder: {{ $pvc.reuseVolumeSortOrder }}
+      storageClassName: {{ include (printf "%v.tplrender" $cfCommonTplSemver) (dict "Values" $pvc.storageClassName "context" $) }}
+      volumeSize: {{ $pvc.volumeSize }}
+      {{- with $pvc.annotations }}
+      annotations: {{ . | toYaml | nindent 8 }}
+      {{- end }}
+  {{- end }}
+  {{- end }}
+  defaultDindResources:
+  {{- with $dindContext.resources }}
+  {{- if not .requests }}
+    limits: {{- toYaml .limits | nindent 6 }}
+    requests: null
+  {{- else }}
+  {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- end }}
+  {{- with $dindContext.terminationGracePeriodSeconds }}
+  terminationGracePeriodSeconds: {{ . }}
+  {{- end }}
+  {{- with $dindContext.userVolumeMounts }}
+  userVolumeMounts: {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- with $dindContext.userVolumes }}
+  userVolumes: {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- if and (not .Values.runtime.agent)  }}
+  clientCertPath: /etc/ssl/cf/
+  volumeMounts:
+    codefresh-certs-server:
+      name: codefresh-certs-server
+      mountPath: /etc/ssl/cf
+      readOnly: false
+  volumes:
+    codefresh-certs-server:
+      name: codefresh-certs-server
+      secret:
+        secretName: codefresh-certs-server
+  {{- end }}
+extends: {{- toYaml .Values.runtime.runtimeExtends | nindent 2 }}
+  {{- if .Values.runtime.description }}
+description: {{ .Values.runtime.description }}
+  {{- else }}
+description: null
+  {{- end }}
+{{- if .Values.global.accountId }}
+accountId: {{ .Values.global.accountId }}
+{{- end }}
+{{- if not .Values.runtime.agent }}
+accounts: {{- toYaml .Values.runtime.accounts | nindent 2 }}
+{{- end }}
+{{- if .Values.appProxy.enabled }}
+appProxy:
+  externalIP: >-
+    {{ printf "https://%s%s" .Values.appProxy.ingress.host (.Values.appProxy.ingress.pathPrefix | default "/") }}
+{{- end }}
+{{- if not .Values.runtime.agent }}
+systemHybrid: true
+{{- end }}
+{{- end }}

charts/codefresh/cf-runtime/7.0.1/templates/runtime/secret.yaml

@@ -0,0 +1,11 @@
+{{- if and .Values.global.codefreshToken }}
+apiVersion: v1
+kind: Secret
+type: Opaque
+metadata:
+  name: {{ include "runtime.installation-token-secret-name" . }}
+  labels:
+    {{- include "runtime.labels" . | nindent 4 }}
+stringData:
+  codefresh-api-token: {{ .Values.global.codefreshToken }}
+{{- end }}

charts/codefresh/cf-runtime/7.0.1/templates/runtime/svc-dind.yaml

@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    {{- include "runtime.labels" . | nindent 4 }}
+    app: dind
+  {{/* has to be a constant */}}
+  name: dind
+spec:
+  ports:
+  - name: "dind-port"
+    port: 1300
+    protocol: TCP
+  clusterIP: None
+  selector:
+    app: dind

charts/codefresh/cf-runtime/7.0.1/templates/volume-provisioner/cronjob.yaml

@@ -0,0 +1,11 @@
+{{- $volumeProvisionerContext := deepCopy . }}
+{{- $_ := set $volumeProvisionerContext "Values" (get .Values.volumeProvisioner "dind-volume-cleanup") }}
+{{- $_ := set $volumeProvisionerContext.Values "serviceAccount" (get .Values.volumeProvisioner "serviceAccount") }}
+{{- $_ := set $volumeProvisionerContext.Values "global" (get .Values "global") }}
+{{- $_ := set $volumeProvisionerContext.Values "storage" (get .Values "storage") }}
+{{- $_ := set $volumeProvisionerContext.Values "nameOverride" (get .Values "nameOverride") }}
+{{- $_ := set $volumeProvisionerContext.Values "fullnameOverride" (get .Values "fullnameOverride") }}
+
+{{- if and $volumeProvisionerContext.Values.enabled .Values.volumeProvisioner.enabled }}
+{{- include "dind-volume-provisioner.resources.cronjob" $volumeProvisionerContext }}
+{{- end }}

charts/codefresh/cf-runtime/7.0.1/templates/volume-provisioner/daemonset.yaml

@@ -0,0 +1,11 @@
+{{- $volumeProvisionerContext := deepCopy . }}
+{{- $_ := set $volumeProvisionerContext "Values" (get .Values.volumeProvisioner "dind-lv-monitor") }}
+{{- $_ := set $volumeProvisionerContext.Values "serviceAccount" (get .Values.volumeProvisioner "serviceAccount") }}
+{{- $_ := set $volumeProvisionerContext.Values "global" (get .Values "global") }}
+{{- $_ := set $volumeProvisionerContext.Values "storage" (get .Values "storage") }}
+{{- $_ := set $volumeProvisionerContext.Values "nameOverride" (get .Values "nameOverride") }}
+{{- $_ := set $volumeProvisionerContext.Values "fullnameOverride" (get .Values "fullnameOverride") }}
+
+{{- if and $volumeProvisionerContext.Values.enabled .Values.volumeProvisioner.enabled }}
+{{- include "dind-volume-provisioner.resources.daemonset" $volumeProvisionerContext }}
+{{- end }}

charts/codefresh/cf-runtime/7.0.1/templates/volume-provisioner/deployment.yaml

@@ -0,0 +1,10 @@
+{{- $volumeProvisionerContext := deepCopy . }}
+{{- $_ := set $volumeProvisionerContext "Values" (get .Values "volumeProvisioner") }}
+{{- $_ := set $volumeProvisionerContext.Values "global" (get .Values "global") }}
+{{- $_ := set $volumeProvisionerContext.Values "storage" (get .Values "storage") }}
+{{- $_ := set $volumeProvisionerContext.Values "nameOverride" (get .Values "nameOverride") }}
+{{- $_ := set $volumeProvisionerContext.Values "fullnameOverride" (get .Values "fullnameOverride") }}
+
+{{- if $volumeProvisionerContext.Values.enabled }}
+{{- include "dind-volume-provisioner.resources.deployment" $volumeProvisionerContext }}
+{{- end }}

charts/codefresh/cf-runtime/7.0.1/templates/volume-provisioner/rbac.yaml

@@ -0,0 +1,9 @@
+{{- $volumeProvisionerContext := deepCopy . }}
+{{- $_ := set $volumeProvisionerContext "Values" (get .Values "volumeProvisioner") }}
+{{- $_ := set $volumeProvisionerContext.Values "global" (get .Values "global") }}
+{{- $_ := set $volumeProvisionerContext.Values "nameOverride" (get .Values "nameOverride") }}
+{{- $_ := set $volumeProvisionerContext.Values "fullnameOverride" (get .Values "fullnameOverride") }}
+
+{{- if $volumeProvisionerContext.Values.enabled }}
+{{- include "dind-volume-provisioner.resources.rbac" $volumeProvisionerContext }}
+{{- end }}

charts/codefresh/cf-runtime/7.0.1/templates/volume-provisioner/secret.yaml

@@ -0,0 +1,10 @@
+{{- $volumeProvisionerContext := deepCopy . }}
+{{- $_ := set $volumeProvisionerContext "Values" (get .Values "volumeProvisioner") }}
+{{- $_ := set $volumeProvisionerContext.Values "global" (get .Values "global") }}
+{{- $_ := set $volumeProvisionerContext.Values "storage" (get .Values "storage") }}
+{{- $_ := set $volumeProvisionerContext.Values "nameOverride" (get .Values "nameOverride") }}
+{{- $_ := set $volumeProvisionerContext.Values "fullnameOverride" (get .Values "fullnameOverride") }}
+
+{{- if $volumeProvisionerContext.Values.enabled }}
+{{- include "dind-volume-provisioner.resources.secret" $volumeProvisionerContext }}
+{{- end }}

charts/codefresh/cf-runtime/7.0.1/templates/volume-provisioner/storageclass.yaml

@@ -0,0 +1,10 @@
+{{- $volumeProvisionerContext := deepCopy . }}
+{{- $_ := set $volumeProvisionerContext "Values" (get .Values "volumeProvisioner") }}
+{{- $_ := set $volumeProvisionerContext.Values "global" (get .Values "global") }}
+{{- $_ := set $volumeProvisionerContext.Values "storage" (get .Values "storage") }}
+{{- $_ := set $volumeProvisionerContext.Values "nameOverride" (get .Values "nameOverride") }}
+{{- $_ := set $volumeProvisionerContext.Values "fullnameOverride" (get .Values "fullnameOverride") }}
+
+{{- if $volumeProvisionerContext.Values.enabled }}
+{{- include "dind-volume-provisioner.resources.storageclass" $volumeProvisionerContext }}
+{{- end }}

charts/codefresh/cf-runtime/7.0.1/values.yaml

@@ -0,0 +1,898 @@
+# -- String to partially override cf-runtime.fullname template (will maintain the release name)
+nameOverride: ""
+# -- String to fully override cf-runtime.fullname template
+fullnameOverride: ""
+# -- Global parameters
+# @default -- See below
+global:
+  # -- Global Docker image registry
+  imageRegistry: ""
+  # -- Global Docker registry secret names as array
+  imagePullSecrets: []
+  # -- URL of Codefresh Platform (required!)
+  codefreshHost: "https://g.codefresh.io"
+  # -- User token in plain text (required if `global.codefreshTokenSecretKeyRef` is omitted!)
+  # Ref: https://g.codefresh.io/user/settings (see API Keys)
+  # Minimal API key scopes: Runner-Installation(read+write), Agent(read+write), Agents(read+write)
+  codefreshToken: ""
+  # -- User token that references an existing secret containing API key (required if `global.codefreshToken` is omitted!)
+  codefreshTokenSecretKeyRef: {}
+  # E.g.
+  # codefreshTokenSecretKeyRef:
+  #   name: my-codefresh-api-token
+  #   key: codefresh-api-token
+
+  # -- Account ID (required!)
+  # Can be obtained here https://g.codefresh.io/2.0/account-settings/account-information
+  accountId: ""
+  # -- K8s context name (required!)
+  context: ""
+  # E.g.
+  # context: prod-ue1-runtime-1
+
+  # -- Agent Name (optional!)
+  # If omitted, the following format will be used `{{ .Values.global.context }}_{{ .Release.Namespace }}`
+  agentName: ""
+  # E.g.
+  # agentName: prod-ue1-runtime-1
+
+  # -- Runtime name (optional!)
+  # If omitted, the following format will be used `{{ .Values.global.context }}/{{ .Release.Namespace }}`
+  runtimeName: ""
+  # E.g.
+  # runtimeName: prod-ue1-runtime-1/namespace
+
+  # -- DEPRECATED Agent token in plain text.
+  # !!! MUST BE provided if migrating from < 6.x chart version
+  agentToken: ""
+  # -- DEPRECATED Agent token that references an existing secret containing API key.
+  # !!! MUST BE provided if migrating from < 6.x chart version
+  agentTokenSecretKeyRef: {}
+  # E.g.
+  # agentTokenSecretKeyRef:
+  #   name: my-codefresh-agent-secret
+  #   key: codefresh-agent-token
+# DEPRECATED -- Use `.Values.global.imageRegistry` instead
+dockerRegistry: ""
+# DEPRECATED -- Use `.Values.runtime` instead
+re: {}
+# -- Runner parameters
+# @default -- See below
+runner:
+  # -- Enable the runner
+  enabled: true
+  # -- Set number of pods
+  replicasCount: 1
+  # -- Upgrade strategy
+  updateStrategy:
+    type: RollingUpdate
+  # -- Set pod annotations
+  podAnnotations: {}
+  # -- Set image
+  image:
+    registry: quay.io
+    repository: codefresh/venona
+    tag: 1.10.2
+    digest: sha256:f7768390d3368aff0843519368c10a0a97cf98a98f2753a89509cf8f6c9798e1
+  # -- Init container
+  init:
+    image:
+      registry: quay.io
+      repository: codefresh/cli
+      tag: 0.85.0-rootless
+      digest: sha256:27281df44814d837fbcc41ba53ee8010ce5496eb758c29f775958d713c79c41a
+    resources:
+      limits:
+        memory: 512Mi
+        cpu: '1'
+      requests:
+        memory: 256Mi
+        cpu: '0.2'
+  # -- Sidecar container
+  # Reconciles runtime spec from Codefresh API for drift detection
+  sidecar:
+    enabled: false
+    image:
+      registry: quay.io
+      repository: codefresh/codefresh-shell
+      tag: 0.0.2
+      digest: sha256:1f2d1f9effa751601a004e69bc9059a848b7428df379d2ef0c3e7858dc5989d0
+    env:
+      RECONCILE_INTERVAL: 300
+    resources: {}
+  # -- Add additional env vars
+  env: {}
+  # E.g.
+  # env:
+  #   WORKFLOW_CONCURRENCY: 50 # The number of workflow creation and termination tasks the Runner can handle in parallel. Defaults to 50
+
+  # -- Service Account parameters
+  serviceAccount:
+    # -- Create service account
+    create: true
+    # -- Override service account name
+    name: ""
+    # -- Additional service account annotations
+    annotations: {}
+  # -- RBAC parameters
+  rbac:
+    # -- Create RBAC resources
+    create: true
+    # -- Add custom rule to the role
+    rules: []
+  # -- Set security context for the pod
+  # @default -- See below
+  podSecurityContext:
+    enabled: true
+    runAsUser: 10001
+    runAsGroup: 10001
+    fsGroup: 10001
+  # -- Readiness probe configuration
+  # @default -- See below
+  readinessProbe:
+    failureThreshold: 5
+    initialDelaySeconds: 5
+    periodSeconds: 5
+    successThreshold: 1
+    timeoutSeconds: 5
+  # -- Set requests and limits
+  resources: {}
+  # -- Set node selector
+  nodeSelector: {}
+  # -- Set tolerations
+  tolerations: []
+  # -- Set affinity
+  affinity: {}
+# -- Volume Provisioner parameters
+# @default -- See below
+volumeProvisioner:
+  # -- Enable volume-provisioner
+  enabled: true
+  # -- Set number of pods
+  replicasCount: 1
+  # -- Upgrade strategy
+  updateStrategy:
+    type: Recreate
+  # -- Set pod annotations
+  podAnnotations: {}
+  # -- Set image
+  image:
+    registry: quay.io
+    repository: codefresh/dind-volume-provisioner
+    tag: 1.35.0
+    digest: sha256:c036ad717391debdf43f8da337b81b5df0e79de274d2d9af1425c675b0296dda
+  # -- Add additional env vars
+  env: {}
+  # E.g.
+  # env:
+  #   THREADINESS: 4 # The number of PVC requests the dind-volume-provisioner can process in parallel. Defaults to 4
+
+  # -- Service Account parameters
+  serviceAccount:
+    # -- Create service account
+    create: true
+    # -- Override service account name
+    name: ""
+    # -- Additional service account annotations
+    annotations: {}
+    # E.g.
+    #   serviceAccount:
+    #     annotations:
+    #       eks.amazonaws.com/role-arn: "arn:aws:iam::<ACCOUNT_ID>:role/<IAM_ROLE_NAME>"
+  # -- RBAC parameters
+  rbac:
+    # -- Create RBAC resources
+    create: true
+    # -- Add custom rule to the role
+    rules: []
+  # -- Set security context for the pod
+  # @default -- See below
+  podSecurityContext:
+    enabled: true
+    runAsUser: 3000
+    runAsGroup: 3000
+    fsGroup: 3000
+  # -- Set node selector
+  nodeSelector: {}
+  # -- Set resources
+  resources: {}
+  # -- Set tolerations
+  tolerations: []
+  # -- Set affinity
+  affinity: {}
+  # -- `dind-lv-monitor` DaemonSet parameters
+  # (local volumes cleaner)
+  # @default -- See below
+  dind-lv-monitor:
+    enabled: true
+    image:
+      registry: quay.io
+      repository: codefresh/dind-volume-utils
+      tag: 1.29.4
+      digest: sha256:42e5b032b743e191a1ee1077b8096d6ee298859d4593d3f4fa06fe7fa60061eb
+    podAnnotations: {}
+    podSecurityContext:
+      enabled: true
+      runAsUser: 1000
+      fsGroup: 1000
+    containerSecurityContext: {}
+    env: {}
+    resources: {}
+    nodeSelector: {}
+    tolerations:
+      - key: 'codefresh/dind'
+        operator: 'Exists'
+        effect: 'NoSchedule'
+    volumePermissions:
+      enabled: true
+      image:
+        registry: docker.io
+        repository: alpine
+        tag: 3.18
+        digest: sha256:2995c82e8e723d9a5c8585cb8e901d1c50e3c2759031027d3bff577449435157
+      resources: {}
+      securityContext:
+        runAsUser: 0 # auto
+  # `dind-volume-cleanup` CronJob parameters
+  # (external volumes cleaner)
+  # @default -- See below
+  dind-volume-cleanup:
+    enabled: true
+    image:
+      registry: quay.io
+      repository: codefresh/dind-volume-cleanup
+      tag: 1.2.0
+      digest: sha256:1af3e3ecc87bf2e26ba07ecef68f54ad100d7e3b5fcf074099f627fd5d917369
+    env: {}
+    concurrencyPolicy: Forbid
+    schedule: "*/10 * * * *"
+    successfulJobsHistory: 3
+    failedJobsHistory: 1
+    suspend: false
+    podAnnotations: {}
+    podSecurityContext:
+      enabled: true
+      fsGroup: 3000
+      runAsGroup: 3000
+      runAsUser: 3000
+    nodeSelector: {}
+    affinity: {}
+    tolerations: []
+# Storage parameters for volume-provisioner
+# @default -- See below
+storage:
+  # -- Set backend volume type (`local`/`ebs`/`ebs-csi`/`gcedisk`/`azuredisk`)
+  backend: local
+  # -- Set filesystem type (`ext4`/`xfs`)
+  fsType: "ext4"
+  # Storage parametrs example for local volumes on the K8S nodes filesystem (i.e. `storage.backend=local`)
+  # https://kubernetes.io/docs/concepts/storage/volumes/#local
+  # @default -- See below
+  local:
+    # -- Set volume path on the host filesystem
+    volumeParentDir: /var/lib/codefresh/dind-volumes
+  # Storage parameters example for aws ebs disks (i.e. `storage.backend=ebs`/`storage.backend=ebs-csi`)
+  # https://aws.amazon.com/ebs/
+  # https://codefresh.io/docs/docs/installation/codefresh-runner/#aws-backend-volume-configuration
+  # @default -- See below
+  ebs:
+    # -- Set EBS volume type (`gp2`/`gp3`/`io1`) (required)
+    volumeType: "gp2"
+    # -- Set EBS volumes availability zone (required)
+    availabilityZone: "us-east-1a"
+    # -- Enable encryption (optional)
+    encrypted: "false"
+    # -- Set KMS encryption key ID (optional)
+    kmsKeyId: ""
+    # -- Set AWS_ACCESS_KEY_ID for volume-provisioner (optional)
+    # Ref: https://codefresh.io/docs/docs/installation/codefresh-runner/#dind-volume-provisioner-permissions
+    accessKeyId: ""
+    # -- Existing secret containing AWS_ACCESS_KEY_ID.
+    accessKeyIdSecretKeyRef: {}
+    # E.g.
+    # accessKeyIdSecretKeyRef:
+    #   name:
+    #   key:
+
+    # -- Set AWS_SECRET_ACCESS_KEY for volume-provisioner (optional)
+    # Ref: https://codefresh.io/docs/docs/installation/codefresh-runner/#dind-volume-provisioner-permissions
+    secretAccessKey: ""
+    # -- Existing secret containing AWS_SECRET_ACCESS_KEY
+    secretAccessKeySecretKeyRef: {}
+    # E.g.
+    # secretAccessKeySecretKeyRef:
+    #   name:
+    #   key:
+  # E.g.
+  # ebs:
+  #   volumeType: gp3
+  #   availabilityZone: us-east-1c
+  #   encrypted: false
+  #   iops: "5000"
+  #   # I/O operations per second. Only effetive when gp3 volume type is specified.
+  #   # Default value - 3000.
+  #   # Max - 16,000
+  #   throughput: "500"
+  #   # Throughput in MiB/s. Only effective when gp3 volume type is specified.
+  #   # Default value - 125.
+  #   # Max - 1000.
+  # ebs:
+  #   volumeType: gp2
+  #   availabilityZone: us-east-1c
+  #   encrypted: true
+  #   kmsKeyId: "1234abcd-12ab-34cd-56ef-1234567890ab"
+  #   accessKeyId: "MYKEYID"
+  #   secretAccessKey: "MYACCESSKEY"
+
+  # Storage parameters example for gce disks
+  # https://cloud.google.com/compute/docs/disks#pdspecs
+  # https://codefresh.io/docs/docs/installation/codefresh-runner/#gke-google-kubernetes-engine-backend-volume-configuration
+  # @default -- See below
+  gcedisk:
+    # -- Set GCP volume backend type (`pd-ssd`/`pd-standard`)
+    volumeType: "pd-ssd"
+    # -- Set GCP volume availability zone
+    availabilityZone: "us-west1-a"
+    # -- Set Google SA JSON key for volume-provisioner (optional)
+    serviceAccountJson: ""
+    # -- Existing secret containing containing Google SA JSON key for volume-provisioner (optional)
+    serviceAccountJsonSecretKeyRef: {}
+    # E.g.
+    # gcedisk:
+    #   volumeType: pd-ssd
+    #   availabilityZone: us-central1-c
+    #   serviceAccountJson: |-
+    #          {
+    #           "type": "service_account",
+    #           "project_id": "...",
+    #           "private_key_id": "...",
+    #           "private_key": "...",
+    #           "client_email": "...",
+    #           "client_id": "...",
+    #           "auth_uri": "...",
+    #           "token_uri": "...",
+    #           "auth_provider_x509_cert_url": "...",
+    #           "client_x509_cert_url": "..."
+    #           }
+  # Storage parameters example for Azure Disks
+  # https://codefresh.io/docs/docs/installation/codefresh-runner/#install-codefresh-runner-on-azure-kubernetes-service-aks
+  # @default -- See below
+  azuredisk:
+    # -- Set storage type (`Premium_LRS`)
+    skuName: Premium_LRS
+    cachingMode: None
+    # availabilityZone: northeurope-1
+    # resourceGroup:
+    # DiskIOPSReadWrite: 500
+    # DiskMBpsReadWrite: 100
+  mountAzureJson: false
+# -- Set runtime parameters
+# @default -- See below
+runtime:
+  # -- Set annotation on engine Service Account
+  # Ref: https://codefresh.io/docs/docs/administration/codefresh-runner/#injecting-aws-arn-roles-into-the-cluster
+  serviceAccount:
+    create: true
+    annotations: {}
+    # E.g.
+    #   serviceAccount:
+    #     annotations:
+    #       eks.amazonaws.com/role-arn: "arn:aws:iam::<ACCOUNT_ID>:role/<IAM_ROLE_NAME>"
+  # -- Set parent runtime to inherit.
+  # Should not be changes. Parent runtime is controlled from Codefresh side.
+  runtimeExtends:
+    - system/default/hybrid/k8s_low_limits
+  # -- Runtime description
+  description: ""
+  # -- RBAC parameters
+  rbac:
+    # -- Create RBAC resources
+    create: true
+    # -- Add custom rule to the engine role
+    rules: []
+  # -- (for On-Premise only) Enable agent
+  agent: true
+  # -- (for On-Premise only) Set inCluster runtime
+  inCluster: true
+  # -- (for On-Premise only) Assign accounts to runtime (list of account ids)
+  accounts: []
+  # -- Parameters for DinD (docker-in-docker) pod (aka "runtime" pod).
+  dind:
+    # -- Set dind image.
+    image:
+      registry: quay.io
+      repository: codefresh/dind
+      tag: 26.1.4-1.28.7 # use `latest-rootless/rootless/26.1.4-1.28.7-rootless` tags for rootless-dind
+      pullPolicy: IfNotPresent
+      digest: sha256:ccaf26ab24db0e00760beba79ce1810a12aef5be296f538ceab416af9ec481f7
+    # -- Set dind resources.
+    resources:
+      requests: null
+      limits:
+        cpu: 400m
+        memory: 800Mi
+    # -- Set termination grace period.
+    terminationGracePeriodSeconds: 30
+    # -- PV claim spec parametes.
+    pvcs:
+      # -- Default dind PVC parameters
+      dind:
+        # -- PVC name prefix.
+        # Keep `dind` as default! Don't change!
+        name: dind
+        # -- PVC storage class name.
+        # Change ONLY if you need to use storage class NOT from Codefresh volume-provisioner
+        storageClassName: '{{ include "dind-volume-provisioner.storageClassName" . }}'
+        # -- PVC size.
+        volumeSize: 16Gi
+        # -- PV reuse selector.
+        # Ref: https://codefresh.io/docs/docs/installation/codefresh-runner/#volume-reuse-policy
+        reuseVolumeSelector: codefresh-app,io.codefresh.accountName
+        reuseVolumeSortOrder: pipeline_id
+        # -- PV annotations.
+        annotations: {}
+        # E.g.:
+        # annotations:
+        #   codefresh.io/volume-retention: 7d
+    # -- Set additional env vars.
+    env:
+      DOCKER_ENABLE_DEPRECATED_PULL_SCHEMA_1_IMAGE: true
+    # -- Set pod annotations.
+    podAnnotations: {}
+    # -- Set pod labels.
+    podLabels: {}
+    # -- Set node selector.
+    nodeSelector: {}
+    # -- Set affinity
+    affinity: {}
+    # -- Set tolerations.
+    tolerations: []
+    # -- Set scheduler name.
+    schedulerName: ""
+    # -- Set service account for pod.
+    serviceAccount: codefresh-engine
+    # -- Keep `true` as default!
+    userAccess: true
+    # -- Add extra volumes
+    userVolumes: {}
+    # E.g.:
+    # userVolumes:
+    #   regctl-docker-registry:
+    #     name: regctl-docker-registry
+    #     secret:
+    #       items:
+    #         - key: .dockerconfigjson
+    #           path: config.json
+    #       secretName: regctl-docker-registry
+    #       optional: true
+    # -- Add extra volume mounts
+    userVolumeMounts: {}
+    # E.g.:
+    # userVolumeMounts:
+    #   regctl-docker-registry:
+    #     name: regctl-docker-registry
+    #     mountPath: /home/appuser/.docker/
+    #     readOnly: true
+  # -- Parameters for Engine pod (aka "pipeline" orchestrator).
+  engine:
+    # -- Set image.
+    image:
+      registry: quay.io
+      repository: codefresh/engine
+      tag: 1.174.15
+      pullPolicy: IfNotPresent
+      digest: sha256:d547c2044c1488e911ff726462cc417adf2dda731cafd736493c4de4eb9e357b
+    # -- Set container command.
+    command:
+      - npm
+      - run
+      - start
+    # -- Set resources.
+    resources:
+      requests:
+        cpu: 100m
+        memory: 128Mi
+      limits:
+        cpu: 1000m
+        memory: 2048Mi
+    # -- Set termination grace period.
+    terminationGracePeriodSeconds: 180
+    # -- Set system(base) runtime images.
+    # @default -- See below.
+    runtimeImages:
+      COMPOSE_IMAGE: quay.io/codefresh/compose:v2.28.1-1.5.0@sha256:362977564c096b7c2c007b8478ec87cac13d781839adc271d858290213bd89f2
+      CONTAINER_LOGGER_IMAGE: quay.io/codefresh/cf-container-logger:1.11.7@sha256:1e7bcee65203f9fdfc7ee5231cb4d29b179479d70dd42ec9855d20c57ab43c48
+      DOCKER_BUILDER_IMAGE: quay.io/codefresh/cf-docker-builder:1.3.14@sha256:e61f0694fb7477244014be971a0bad724242e4fdefe810f38e58990d7db6bdc5
+      DOCKER_PULLER_IMAGE: quay.io/codefresh/cf-docker-puller:8.0.18@sha256:1a15c3ae0952d3986de7866a3def8ac7e3e39f668fe87fd46c63d886ca06c6d7
+      DOCKER_PUSHER_IMAGE: quay.io/codefresh/cf-docker-pusher:6.0.16@sha256:05efc1af8b1196f1b9b3f0781b4dcc1aa2cdd0ffc1347ee5fa81b16d029ec5c2
+      DOCKER_TAG_PUSHER_IMAGE: quay.io/codefresh/cf-docker-tag-pusher:1.3.14@sha256:801caf9100218c9ed638fb5ca205fcc133f54d00468ed81093b22a4f0a0ffae9
+      FS_OPS_IMAGE: quay.io/codefresh/fs-ops:1.2.3@sha256:57374ccd5275325fc36b237fb38c77dd1f65c84d5aebfe88c9ea0e434ea20fc9
+      GIT_CLONE_IMAGE: quay.io/codefresh/cf-git-cloner:10.2.0@sha256:a3ec854823f17d0fd817d978219122e644b1abd6db778fd835688fcb6d88c515
+      KUBE_DEPLOY: quay.io/codefresh/cf-deploy-kubernetes:16.1.11@sha256:b6b3fc6cc5fad3ba9e36055278ce99a74a86876be116574503c6fbb4c1b4aa76
+      PIPELINE_DEBUGGER_IMAGE: quay.io/codefresh/cf-debugger:1.3.6@sha256:4892d72afc0e27718134eff2cb3c1276f731f3d2a41fd76cd73b500310326e47
+      TEMPLATE_ENGINE: quay.io/codefresh/pikolo:0.14.1@sha256:fb7173cfed7536f7de68e75996106e2ce3a0a204e6c5609cba0d7eb62c9db9e1
+      CR_6177_FIXER: alpine:edge@sha256:8431297eedca8df8f1e6144803c6d7e057ecff2408aa6861213cb9e507acadf8
+      GC_BUILDER_IMAGE: quay.io/codefresh/cf-gc-builder:0.5.3@sha256:33ac914e6b844909f188a208cf90e569358cafa5aaa60f49848f49d99bcaf875
+      COSIGN_IMAGE_SIGNER_IMAGE: quay.io/codefresh/cf-cosign-image-signer:2.4.0-cf.2@sha256:5e0993207aa809c25ed70cf89af444d9720892fb4a29deb82db45618b0cae4a9
+    # -- Set additional env vars.
+    env:
+      # -- Interval to check the exec status in the container-logger
+      CONTAINER_LOGGER_EXEC_CHECK_INTERVAL_MS: 1000
+      # -- Timeout while doing requests to the Docker daemon
+      DOCKER_REQUEST_TIMEOUT_MS: 30000
+      # -- If "true", composition images will be pulled sequentially
+      FORCE_COMPOSE_SERIAL_PULL: false
+      # -- Level of logging for engine
+      LOGGER_LEVEL: debug
+      # -- Enable debug-level logging of outgoing HTTP/HTTPS requests
+      LOG_OUTGOING_HTTP_REQUESTS: false
+      # -- Enable emitting metrics from engine
+      METRICS_PROMETHEUS_ENABLED: true
+      # -- Enable legacy metrics
+      METRICS_PROMETHEUS_ENABLE_LEGACY_METRICS: false
+      # -- Enable collecting process metrics
+      METRICS_PROMETHEUS_COLLECT_PROCESS_METRICS: false
+      # -- Host for Prometheus metrics server
+      METRICS_PROMETHEUS_HOST: '0.0.0.0'
+      # -- Port for Prometheus metrics server
+      METRICS_PROMETHEUS_PORT: 9100
+    # -- Set workflow limits.
+    workflowLimits:
+      # -- Maximum time allowed to the engine to wait for the pre-steps (aka "Initializing Process") to succeed; seconds.
+      MAXIMUM_ALLOWED_TIME_BEFORE_PRE_STEPS_SUCCESS: 600
+      # -- Maximum time for workflow execution; seconds.
+      MAXIMUM_ALLOWED_WORKFLOW_AGE_BEFORE_TERMINATION: 86400
+      # -- Maximum time allowed to workflow to spend in "elected" state; seconds.
+      MAXIMUM_ELECTED_STATE_AGE_ALLOWED: 900
+      # -- Maximum retry attempts allowed for workflow.
+      MAXIMUM_RETRY_ATTEMPTS_ALLOWED: 20
+      # -- Maximum time allowed to workflow to spend in "terminating" state until force terminated; seconds.
+      MAXIMUM_TERMINATING_STATE_AGE_ALLOWED: 900
+      # -- Maximum time allowed to workflow to spend in "terminating" state without logs activity until force terminated; seconds.
+      MAXIMUM_TERMINATING_STATE_AGE_ALLOWED_WITHOUT_UPDATE: 300
+      # -- Time since the last health check report after which workflow is terminated; seconds.
+      TIME_ENGINE_INACTIVE_UNTIL_TERMINATION: 300
+      # -- Time since the last health check report after which the engine is considered unhealthy; seconds.
+      TIME_ENGINE_INACTIVE_UNTIL_UNHEALTHY: 60
+      # -- Time since the last workflow logs activity after which workflow is terminated; seconds.
+      TIME_INACTIVE_UNTIL_TERMINATION: 2700
+    # -- Set pod annotations.
+    podAnnotations: {}
+    # -- Set pod labels.
+    podLabels: {}
+    # -- Set node selector.
+    nodeSelector: {}
+    # -- Set affinity
+    affinity: {}
+    # -- Set tolerations.
+    tolerations: []
+    # -- Set scheduler name.
+    schedulerName: ""
+    # -- Set service account for pod.
+    serviceAccount: codefresh-engine
+    # -- Set extra env vars
+    userEnvVars: []
+    # E.g.
+    # userEnvVars:
+    # - name: GITHUB_TOKEN
+    #   valueFrom:
+    #     secretKeyRef:
+    #       name: github-token
+    #       key: token
+  # -- Parameters for `runtime-patch` post-upgrade/install hook
+  # @default -- See below
+  patch:
+    enabled: true
+    image:
+      registry: quay.io
+      repository: codefresh/cli
+      tag: 0.85.0-rootless
+      digest: sha256:27281df44814d837fbcc41ba53ee8010ce5496eb758c29f775958d713c79c41a
+    rbac:
+      enabled: true
+    annotations: {}
+    affinity: {}
+    nodeSelector: {}
+    podSecurityContext: {}
+    resources: {}
+    tolerations: []
+    ttlSecondsAfterFinished: 180
+    env:
+      HOME: /tmp
+  # -- Parameters for `gencerts-dind` post-upgrade/install hook
+  # @default -- See below
+  gencerts:
+    enabled: true
+    image:
+      registry: quay.io
+      repository: codefresh/kubectl
+      tag: 1.28.4
+      digest: sha256:753e434a8e51c58d3f5daca2dff88073bc7b3bde3a45e0f00d74181176302e37
+    rbac:
+      enabled: true
+    annotations: {}
+    affinity: {}
+    nodeSelector: {}
+    podSecurityContext: {}
+    resources: {}
+    tolerations: []
+    ttlSecondsAfterFinished: 180
+  # -- DinD pod daemon config
+  # @default -- See below
+  dindDaemon:
+    hosts:
+      - unix:///var/run/docker.sock
+      - tcp://0.0.0.0:1300
+    tlsverify: true
+    tls: true
+    tlscacert: /etc/ssl/cf-client/ca.pem
+    tlscert: /etc/ssl/cf/server-cert.pem
+    tlskey: /etc/ssl/cf/server-key.pem
+    insecure-registries:
+      - 192.168.99.100:5000
+    metrics-addr: 0.0.0.0:9323
+    experimental: true
+# App-Proxy parameters
+# Ref: https://codefresh.io/docs/docs/installation/codefresh-runner/#app-proxy-installation
+# @default -- See below
+appProxy:
+  # -- Enable app-proxy
+  enabled: false
+  # -- Set number of pods
+  replicasCount: 1
+  # -- Upgrade strategy
+  updateStrategy:
+    type: RollingUpdate
+  # -- Set pod annotations
+  podAnnotations: {}
+  # -- Set image
+  image:
+    registry: quay.io
+    repository: codefresh/cf-app-proxy
+    tag: 0.0.47
+    digest: sha256:324a9b89924152cce195c7239ddd8501c8aa5f901d19bc4d9f3936cbe5dac14f
+  # -- Add additional env vars
+  env: {}
+  # Set app-proxy ingress parameters
+  # @default -- See below
+  ingress:
+    # -- Set path prefix for ingress (keep empty for default `/` path)
+    pathPrefix: ""
+    # -- Set ingress class
+    class: ""
+    # -- Set DNS hostname the ingress will use
+    host: ""
+    # -- Set k8s tls secret for the ingress object
+    tlsSecret: ""
+    # -- Set extra annotations for ingress object
+    annotations: {}
+    # E.g.
+    # ingress:
+    #   pathPrefix: "/cf-app-proxy"
+    #   class: "nginx"
+    #   host: "mydomain.com"
+    #   tlsSecret: "tls-cert-app-proxy"
+    #   annotations:
+    #     nginx.ingress.kubernetes.io/whitelist-source-range: 123.123.123.123/130
+  # -- Service Account parameters
+  serviceAccount:
+    # -- Create service account
+    create: true
+    # -- Override service account name
+    name: ""
+    # -- Use Role(true)/ClusterRole(true)
+    namespaced: true
+    # -- Additional service account annotations
+    annotations: {}
+  # -- RBAC parameters
+  rbac:
+    # -- Create RBAC resources
+    create: true
+    # -- Use Role(true)/ClusterRole(true)
+    namespaced: true
+    # -- Add custom rule to the role
+    rules: []
+  # -- Set security context for the pod
+  podSecurityContext: {}
+  # -- Readiness probe configuration
+  # @default -- See below
+  readinessProbe:
+    failureThreshold: 5
+    initialDelaySeconds: 5
+    periodSeconds: 5
+    successThreshold: 1
+    timeoutSeconds: 5
+  # -- Set requests and limits
+  resources: {}
+  # -- Set node selector
+  nodeSelector: {}
+  # -- Set tolerations
+  tolerations: []
+  # -- Set affinity
+  affinity: {}
+# Monitor parameters
+# @default -- See below
+monitor:
+  # -- Enable monitor
+  # Ref: https://codefresh.io/docs/docs/installation/codefresh-runner/#install-monitoring-component
+  enabled: false
+  # -- Set number of pods
+  replicasCount: 1
+  # -- Upgrade strategy
+  updateStrategy:
+    type: RollingUpdate
+  # -- Set pod annotations
+  podAnnotations: {}
+  # -- Set image
+  image:
+    registry: quay.io
+    repository: codefresh/cf-k8s-agent
+    tag: 1.3.19
+    digest: sha256:5be2b798d583abdae68271f57724dd7f2b0251a238845c466fa7b67f078f59ad
+  # -- Add additional env vars
+  env: {}
+  # -- Service Account parameters
+  serviceAccount:
+    # -- Create service account
+    create: true
+    # -- Override service account name
+    name: ""
+    # -- Additional service account annotations
+    annotations: {}
+  # -- RBAC parameters
+  rbac:
+    # -- Create RBAC resources
+    create: true
+    # -- Use Role(true)/ClusterRole(true)
+    namespaced: true
+    # -- Add custom rule to the role
+    rules: []
+  # -- Readiness probe configuration
+  # @default -- See below
+  readinessProbe:
+    failureThreshold: 5
+    initialDelaySeconds: 5
+    periodSeconds: 5
+    successThreshold: 1
+    timeoutSeconds: 5
+  podSecurityContext: {}
+  # -- Set node selector
+  nodeSelector: {}
+  # -- Set resources
+  resources: {}
+  # -- Set tolerations
+  tolerations: []
+  # -- Set affinity
+  affinity: {}
+# -- Add serviceMonitor
+# @default -- See below
+serviceMonitor:
+  main:
+    # -- Enable service monitor for dind pods
+    enabled: false
+    nameOverride: dind
+    selector:
+      matchLabels:
+        app: dind
+    endpoints:
+      - path: /metrics
+        targetPort: 9100
+        relabelings:
+          - action: labelmap
+            regex: __meta_kubernetes_pod_label_(.+)
+# -- Add podMonitor (for engine pods)
+# @default -- See below
+podMonitor:
+  main:
+    # -- Enable pod monitor for engine pods
+    enabled: false
+    nameOverride: engine
+    selector:
+      matchLabels:
+        app: runtime
+    podMetricsEndpoints:
+      - path: /metrics
+        targetPort: 9100
+  runner:
+    # -- Enable pod monitor for runner pod
+    enabled: false
+    nameOverride: runner
+    selector:
+      matchLabels:
+        codefresh.io/application: runner
+    podMetricsEndpoints:
+      - path: /metrics
+        targetPort: 8080
+  volume-provisioner:
+    # -- Enable pod monitor for volumeProvisioner pod
+    enabled: false
+    nameOverride: volume-provisioner
+    selector:
+      matchLabels:
+        codefresh.io/application: volume-provisioner
+    podMetricsEndpoints:
+      - path: /metrics
+        targetPort: 8080
+# -- Event exporter parameters
+# @default -- See below
+event-exporter:
+  # -- Enable event-exporter
+  enabled: false
+  # -- Set number of pods
+  replicasCount: 1
+  # -- Upgrade strategy
+  updateStrategy:
+    type: Recreate
+  # -- Set pod annotations
+  podAnnotations: {}
+  # -- Set image
+  image:
+    registry: docker.io
+    repository: codefresh/k8s-event-exporter
+    tag: latest
+    digest: sha256:cf52048f1378fb6659dffd1394d68fdf23a7ea709585dc14b5007f3e5a1b7584
+  # -- Add additional env vars
+  env: {}
+  # -- Service Account parameters
+  serviceAccount:
+    # -- Create service account
+    create: true
+    # -- Override service account name
+    name: ""
+    # -- Additional service account annotations
+    annotations: {}
+  # -- RBAC parameters
+  rbac:
+    # -- Create RBAC resources
+    create: true
+    # -- Add custom rule to the role
+    rules: []
+  # -- Set security context for the pod
+  # @default -- See below
+  podSecurityContext:
+    enabled: false
+  # -- Set node selector
+  nodeSelector: {}
+  # -- Set resources
+  resources: {}
+  # -- Set tolerations
+  tolerations: []
+  # -- Set affinity
+  affinity: {}
+# -- Array of extra objects to deploy with the release
+extraResources: []
+# E.g.
+# extraResources:
+# - apiVersion: rbac.authorization.k8s.io/v1
+#   kind: ClusterRole
+#   metadata:
+#     name: codefresh-role
+#   rules:
+#     - apiGroups: [ "*"]
+#       resources: ["*"]
+#       verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+# - apiVersion: v1
+#   kind: ServiceAccount
+#   metadata:
+#     name: codefresh-user
+#     namespace: "{{ .Release.Namespace }}"
+# - apiVersion: rbac.authorization.k8s.io/v1
+#   kind: ClusterRoleBinding
+#   metadata:
+#     name: codefresh-user
+#   roleRef:
+#     apiGroup: rbac.authorization.k8s.io
+#     kind: ClusterRole
+#     name: codefresh-role
+#   subjects:
+#   - kind: ServiceAccount
+#     name: codefresh-user
+#     namespace: "{{ .Release.Namespace }}"
+# - apiVersion: v1
+#   kind: Secret
+#   type: kubernetes.io/service-account-token
+#   metadata:
+#     name: codefresh-user-token
+#     namespace: "{{ .Release.Namespace }}"
+#     annotations:
+#       kubernetes.io/service-account.name: "codefresh-user"

charts/instana/instana-agent/2.0.0/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+# OWNERS file for helm
+OWNERS

charts/instana/instana-agent/2.0.0/Chart.yaml

@@ -0,0 +1,27 @@
+annotations:
+  artifacthub.io/links: |
+    - name: Instana website
+      url: https://www.ibm.com/products/instana
+    - name: Instana Helm charts
+      url: https://github.com/instana/helm-charts
+  catalog.cattle.io/certified: partner
+  catalog.cattle.io/display-name: Instana Agent
+  catalog.cattle.io/kube-version: '>=1.21-0'
+  catalog.cattle.io/release-name: instana-agent
+apiVersion: v2
+appVersion: 1.285.0
+description: Instana Agent for Kubernetes
+home: https://www.instana.com/
+icon: file://assets/icons/instana-agent.png
+kubeVersion: '>=1.21-0'
+maintainers:
+- email: felix.marx@ibm.com
+  name: FelixMarxIBM
+- email: henning.treu@ibm.com
+  name: htreu
+- email: konrad.ohms@de.ibm.com
+  name: Konrad-Ohms
+name: instana-agent
+sources:
+- https://github.com/instana/instana-agent-docker
+version: 2.0.0

charts/instana/instana-agent/2.0.0/DEPLOYMENT.md

@@ -0,0 +1,54 @@
+# Kubernetes Deployment Mode (tech preview)
+
+Instana has always endeavored to make the experience of using Instana as seamless as possible from auto-instrumentation to one-liner installs. To date for our customers with Kubernetes clusters containing more than 1,000 entities this wasn’t the case. The Kubernetes sensor as a deployment is one of many steps we’re taking to improve the experience of operating Instana in Kubernetes. This is a tech preview however we have a high degree of confidence it will work well in your production workloads. The fundamental change moves the Kubernetes sensor from the DaemonSet responsible for monitoring your hosts and processes into its own dedicated Deployment where it does not contend for resources with other sensors. An overview of this deployment is below:
+
+![kubernetes.deployment.enabled=true](kubernetes.deployment.enabled.png)
+
+This change provides a few primary benefits including:
+
+* Lower load on the Kubernetes api-server as it eliminates per node pod monitoring.
+* Lower load on the Kubernetes api-server as it reduces the endpoint watch to 2 leader elector side cars.
+* Lower memory and CPU requests in the DaemonSet as it is no longer responsible for monitoring Kubernetes.
+* Elimination of the leader elector sidecar in the DaemonSet as it is only required for the Kubernetes sensor.
+* Better performance of the Kubernetes sensor as it is isolated from other sensors and does not contend for CPU and memory.
+* Better scaling behaviour as you can adjust the memory and CPU requirements to monitor your clusters without overprovisioning utilisation cluster wide.
+
+The primary drawback of this model in the tech preview include:
+
+* Reduced control and observability of the Kubernetes specific Agents in the Agent dashboard.
+* Some unnecessary features are still enabled in the Kubernetes sensor (e.g. trace sinks, and host monitoring).
+
+Some limitations remain unchanged from the previous sensor:
+
+* Clusters with a high number of entities (e.g. pods, deployments, etc) are likely to have non-deterministic behaviour due to limitations we impose on message sizes. This is unlikely to be experienced in clusters with fewer than 500 hosts.
+* The ServiceAccount is shared between both the DaemonSet and Deployment meaning no change in the security posture. We plan to add an additional service account to limit access to the api-server to only the Kubernetes sensor Deployment.
+
+## Installation
+
+For clusters with minimal controls you can install the tech preview with the following Helm install command:
+
+```
+helm template instana-agent \
+    --repo https://agents.instana.io/helm \
+    --namespace instana-agent \
+    --create-namespace \
+    --set agent.key=${AGENT_KEY} \
+    --set agent.endpointHost=${BACKEND_URL} \
+    --set agent.endpointPort=443 \
+    --set cluster.name=${CLUSTER_NAME} \
+    --set zone.name=${ZONE_NAME} \
+    --set kubernetes.deployment.enabled=true \
+    instana-agent
+```
+
+If your cluster employs Pod Security Policies you will need the following additional flag:
+
+```
+--set podSecurityPolicy.enable=true
+```
+
+If you are deploying into an OpenShift 4.x cluster you will need the following additional flag:
+
+```
+--set openshift=true
+```

charts/instana/instana-agent/2.0.0/README.md

@@ -0,0 +1,697 @@
+# Instana
+
+Instana is an [APM solution](https://www.instana.com/) built for microservices that enables IT Ops to build applications faster and deliver higher quality services by automating monitoring, tracing and root cause analysis.
+This solution is optimized for [Kubernetes](https://www.instana.com/automatic-kubernetes-monitoring/).
+
+This chart adds the Instana Agent to all schedulable nodes in your cluster via a privileged `DaemonSet` and accompanying resources like `ConfigurationMap`s, `Secret`s and RBAC settings.
+
+## Prerequisites
+
+* Kubernetes 1.21+ OR OpenShift 4.8+
+* Helm 3
+
+## Installation
+
+To configure the installation you can either specify the options on the command line using the **--set** switch, or you can edit **values.yaml**.
+
+First, create a namespace for the instana-agent
+
+```bash
+$ kubectl create namespace instana-agent
+```
+
+**OpenShift:** When targetting an OpenShift 4.x cluster, ensure proper permission before installing the helm chart, otherwise the agent pods will not be scheduled correctly.
+
+```bash
+$ oc adm policy add-scc-to-user privileged -z instana-agent
+```
+
+To install the chart with the release name `instana-agent` and set the values on the command line run:
+
+```bash
+$ helm install instana-agent \
+--namespace instana-agent \
+--repo https://agents.instana.io/helm \
+--set agent.key=INSTANA_AGENT_KEY \
+--set agent.endpointHost=HOST \
+--set zone.name=ZONE_NAME \
+--set cluster.name="CLUSTER_NAME" \
+instana-agent
+```
+
+## Upgrade
+
+The helm chart deploys a Kubernetes Operator internally that reconciles the agent resources based on an agent CustomResource (CR) that is created based on the helm values. As the Operator pattern requires a CustomResourceDefinition (CRD) to be present in the cluster before defining any CRs, the CRD definition is included in the helm chart. On initial installations the chart deploys the CRD before submitting the rest of the artifacts.
+
+Helm has known limitations around handling the CRD lifecycle as outlined in their [documentation](https://helm.sh/docs/chart_best_practices/custom_resource_definitions/).
+
+This leads to the problem, that CRD updates are only submitted to the Cluster on **initial installation**, but **NOT applied automatically during upgrades**.
+
+It is also worth noting, that CRDs must be removed manually if the chart should be removed completly, see more details in the [uninstall](#uninstallation) section.
+
+To ensure a proper update, apply the CRD updates before running the upgrade:
+
+```
+helm pull --repo https://agents.instana.io/helm --untar instana-agent; kubectl apply -f instana-agent/crds; helm upgrade instana-agent instana-agent \
+  --namespace instana-agent \
+  --repo https://agents.instana.io/helm \
+  --reuse-values
+```
+
+This is especially important when migrating from helm charts v1 to v2, as the upgrade will fail otherwise as the CR artifact cannot be created.
+
+### Required Settings
+
+#### Configuring the Instana Backend
+
+In order to report the data it collects to the Instana backend for analysis, the Instana agent must know which backend to report to, and which credentials to use to authenticate, known as "agent key".
+
+As described by the [Install Using the Helm Chart](https://www.instana.com/docs/setup_and_manage/host_agent/on/kubernetes#install-using-the-helm-chart) documentation, you will find the right values for the following fields inside Instana itself:
+
+* `agent.endpointHost`
+* `agent.endpointPort`
+* `agent.key`
+
+_Note:_ You can find the options mentioned in the [configuration section below](#configuration-reference)
+
+If your agents report into a self-managed Instana unit (also known as "on-prem"), you will also need to configure a "download key", which allows the agent to fetch its components from the Instana repository.
+The download key is set via the following value:
+
+* `agent.downloadKey`
+
+#### Zone and Cluster
+
+Instana needs to know how to name your Kubernetes cluster and, optionally, how to group your Instana agents in [Custom zones](https://www.instana.com/docs/setup_and_manage/host_agent/configuration/#custom-zones) using the following fields:
+
+* `zone.name`
+* `cluster.name`
+
+Either `zone.name` or `cluster.name` are required.
+If you omit `cluster.name`, the value of `zone.name` will be used as cluster name as well.
+If you omit `zone.name`, the host zone will be automatically determined by the availability zone information provided by the [supported Cloud providers](https://www.instana.com/docs/setup_and_manage/cloud_service_agents).
+
+## Uninstallation
+
+To uninstall/delete the `instana-agent` release:
+
+```bash
+helm uninstall instana-agent -n instana-agent && kubectl patch agent instana-agent -p '{"metadata":{"finalizers":null}}' --type=merge &&
+kubectl delete crd/agents.instana.io
+```
+
+## Configuration Reference
+
+The following table lists the configurable parameters of the Instana chart and their default values.
+
+| Parameter                                           | Description                                                                                                                                                                                                                                                                                                            | Default                                                                                                                                 |
+| --------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------- |
+| `agent.configuration_yaml`                          | Custom content for the agent configuration.yaml file                                                                                                                                                                                                                                                                   | `nil` See [below](#agent-configuration) for more details                                                                                |
+| `agent.endpointHost`                                | Instana Agent backend endpoint host                                                                                                                                                                                                                                                                                    | `ingress-red-saas.instana.io` (US and ROW). If in Europe, please override with `ingress-blue-saas.instana.io`                           |
+| `agent.endpointPort`                                | Instana Agent backend endpoint port                                                                                                                                                                                                                                                                                    | `443`                                                                                                                                   |
+| `agent.key`                                         | Your Instana Agent key                                                                                                                                                                                                                                                                                                 | `nil` You must provide your own key unless `agent.keysSecret` is specified                                                              |
+| `agent.downloadKey`                                 | Your Instana Download key                                                                                                                                                                                                                                                                                              | `nil` Usually not required                                                                                                              |
+| `agent.keysSecret`                                  | As an alternative to specifying `agent.key` and, optionally, `agent.downloadKey`, you can instead specify the name of the secret in the namespace in which you install the Instana agent that carries the agent key and download key                                                                                   | `nil` Usually not required, see [Bring your own Keys secret](#bring-your-own-keys-secret) for more details                              |
+| `agent.additionalBackends`                          | List of additional backends to report to; it must specify the `endpointHost` and `key` fields, and optionally `endpointPort`                                                                                                                                                                                           | `[]` Usually not required; see [Configuring Additional Backends](#configuring-additional-backends) for more info and examples           |
+| `agent.tls.secretName`                              | The name of the secret of type `kubernetes.io/tls` which contains the TLS relevant data. If the name is provided, `agent.tls.certificate` and `agent.tls.key` will be ignored.                                                                                                                                         | `nil`                                                                                                                                   |
+| `agent.tls.certificate`                             | The certificate data encoded as base64. Which will be used to create a new secret of type `kubernetes.io/tls`.                                                                                                                                                                                                         | `nil`                                                                                                                                   |
+| `agent.tls.key`                                     | The private key data encoded as base64. Which will be used to create a new secret of type `kubernetes.io/tls`.                                                                                                                                                                                                         | `nil`                                                                                                                                   |
+| `agent.image.name`                                  | The image name to pull                                                                                                                                                                                                                                                                                                 | `instana/agent`                                                                                                                         |
+| `agent.image.digest`                                | The image digest to pull; if specified, it causes `agent.image.tag` to be ignored                                                                                                                                                                                                                                      | `nil`                                                                                                                                   |
+| `agent.image.tag`                                   | The image tag to pull; this property is ignored if `agent.image.digest` is specified                                                                                                                                                                                                                                   | `latest`                                                                                                                                |
+| `agent.image.pullPolicy`                            | Image pull policy                                                                                                                                                                                                                                                                                                      | `Always`                                                                                                                                |
+| `agent.image.pullSecrets`                           | Image pull secrets; if not specified (default) _and_ `agent.image.name` starts with `containers.instana.io`, it will be automatically set to `[{ "name": "containers-instana-io" }]` to match the default secret created in this case.                                                                                 | `nil`                                                                                                                                   |
+| `agent.listenAddress`                               | List of addresses to listen on, or "*" for all interfaces                                                                                                                                                                                                                                                              | `nil`                                                                                                                                   |
+| `agent.mode`                                        | Agent mode. Supported values are `APM`, `INFRASTRUCTURE`, `AWS`                                                                                                                                                                                                                                                        | `APM`                                                                                                                                   |
+| `agent.instanaMvnRepoUrl`                           | Override for the Maven repository URL when the Agent needs to connect to a locally provided Maven repository 'proxy'                                                                                                                                                                                                   | `nil` Usually not required                                                                                                              |
+| `agent.instanaMvnRepoFeaturesPath`                  | Override for the Maven repository features path the Agent needs to connect to a locally provided Maven repository 'proxy'                                                                                                                                                                                              | `nil` Usually not required                                                                                                              |
+| `agent.instanaMvnRepoSharedPath`                    | Override for the Maven repository shared path when the Agent needs to connect to a locally provided Maven repository 'proxy'                                                                                                                                                                                           | `nil` Usually not required                                                                                                              |
+| `agent.updateStrategy.type`                         | [DaemonSet update strategy type](https://kubernetes.io/docs/tasks/manage-daemon/update-daemon-set/); valid values are `OnDelete` and `RollingUpdate`                                                                                                                                                                   | `RollingUpdate`                                                                                                                         |
+| `agent.updateStrategy.rollingUpdate.maxUnavailable` | How many agent pods can be updated at once; this value is ignored if `agent.updateStrategy.type` is different than `RollingUpdate`                                                                                                                                                                                     | `1`                                                                                                                                     |
+| `agent.minReadySeconds`                             | The minimum number of seconds for which a newly created Pod should be ready without any of its containers crashing, for it to be considered available                                                                                                                                                                  | `0`                                                                                                                                     |
+| `agent.pod.annotations`                             | Additional annotations to apply to the pod                                                                                                                                                                                                                                                                             | `{}`                                                                                                                                    |
+| `agent.pod.labels`                                  | Additional labels to apply to the Agent pod                                                                                                                                                                                                                                                                            | `{}`                                                                                                                                    |
+| `agent.pod.priorityClassName`                       | Name of an _existing_ PriorityClass that should be set on the agent pods                                                                                                                                                                                                                                               | `nil`                                                                                                                                   |
+| `agent.proxyHost`                                   | Hostname/address of a proxy                                                                                                                                                                                                                                                                                            | `nil`                                                                                                                                   |
+| `agent.proxyPort`                                   | Port of a proxy                                                                                                                                                                                                                                                                                                        | `nil`                                                                                                                                   |
+| `agent.proxyProtocol`                               | Proxy protocol. Supported proxy types are `http` (for both HTTP and HTTPS proxies), `socks4`, `socks5`.                                                                                                                                                                                                                | `nil`                                                                                                                                   |
+| `agent.proxyUser`                                   | Username of the proxy auth                                                                                                                                                                                                                                                                                             | `nil`                                                                                                                                   |
+| `agent.proxyPassword`                               | Password of the proxy auth                                                                                                                                                                                                                                                                                             | `nil`                                                                                                                                   |
+| `agent.proxyUseDNS`                                 | Boolean if proxy also does DNS                                                                                                                                                                                                                                                                                         | `nil`                                                                                                                                   |
+| `agent.pod.limits.cpu`                              | Container cpu limits in cpu cores                                                                                                                                                                                                                                                                                      | `1.5`                                                                                                                                   |
+| `agent.pod.limits.memory`                           | Container memory limits in MiB                                                                                                                                                                                                                                                                                         | `768Mi`                                                                                                                                 |
+| `agent.pod.requests.cpu`                            | Container cpu requests in cpu cores                                                                                                                                                                                                                                                                                    | `0.5`                                                                                                                                   |
+| `agent.pod.requests.memory`                         | Container memory requests in MiB                                                                                                                                                                                                                                                                                       | `768Mi`                                                                                                                                 |
+| `agent.pod.tolerations`                             | Tolerations for pod assignment                                                                                                                                                                                                                                                                                         | `[]`                                                                                                                                    |
+| `agent.pod.affinity`                                | Affinity for pod assignment                                                                                                                                                                                                                                                                                            | `{}`                                                                                                                                    |
+| `agent.serviceMesh.enabled`                         | Activate Instana Agent JVM monitoring service mesh support for Istio or OpenShift ServiceMesh                                                                                                                                                                                                                          | `true`                                                                                                                                  |
+| `agent.env`                                         | Additional environment variables for the agent                                                                                                                                                                                                                                                                         | `{}`                                                                                                                                    |
+| `agent.redactKubernetesSecrets`                     | Enable additional secrets redaction for selected Kubernetes resources                                                                                                                                                                                                                                                  | `nil` See [Kubernetes secrets](https://docs.instana.io/setup_and_manage/host_agent/on/kubernetes/#secrets) for more details.            |
+| `cluster.name`                                      | Display name of the monitored cluster                                                                                                                                                                                                                                                                                  | Value of `zone.name`                                                                                                                    |
+| `k8s_sensor.deployment.enabled`                     | Isolate k8sensor with a deployment                                                                                                                                                                                                                                                                                     |
+| `k8s_sensor.deployment.minReadySeconds`             | The minimum number of seconds for which a newly created Pod should be ready without any of its containers crashing, for it to be considered available                                                                                                                                                                  | `0`                                                                                                                                     | `true` |
+| `k8s_sensor.image.name`                             | The k8sensor image name to pull                                                                                                                                                                                                                                                                                        | `gcr.io/instana/k8sensor`                                                                                                               |
+| `k8s_sensor.image.digest`                           | The image digest to pull; if specified, it causes `k8s_sensor.image.tag` to be ignored                                                                                                                                                                                                                                 | `nil`                                                                                                                                   |
+| `k8s_sensor.image.tag`                              | The image tag to pull; this property is ignored if `k8s_sensor.image.digest` is specified                                                                                                                                                                                                                              | `latest`                                                                                                                                |
+| `k8s_sensor.deployment.pod.limits.cpu`              | CPU request for the `k8sensor` pods                                                                                                                                                                                                                                                                                    | `4`                                                                                                                                     |
+| `k8s_sensor.deployment.pod.limits.memory`           | Memory request limits for the `k8sensor` pods                                                                                                                                                                                                                                                                          | `6144Mi`                                                                                                                                |
+| `k8s_sensor.deployment.pod.requests.cpu`            | CPU limit for the `k8sensor` pods                                                                                                                                                                                                                                                                                      | `1.5`                                                                                                                                   |
+| `k8s_sensor.deployment.pod.requests.memory`         | Memory limit for the `k8sensor` pods                                                                                                                                                                                                                                                                                   | `1024Mi`                                                                                                                                |
+| `podSecurityPolicy.enable`                          | Whether a PodSecurityPolicy should be authorized for the Instana Agent pods. Requires `rbac.create` to be `true` as well and it is available until Kubernetes version v1.25.                                                                                                                                           | `false` See [PodSecurityPolicy](https://docs.instana.io/setup_and_manage/host_agent/on/kubernetes/#podsecuritypolicy) for more details. |
+| `podSecurityPolicy.name`                            | Name of an _existing_ PodSecurityPolicy to authorize for the Instana Agent pods. If not provided and `podSecurityPolicy.enable` is `true`, a PodSecurityPolicy will be created for you.                                                                                                                                | `nil`                                                                                                                                   |
+| `rbac.create`                                       | Whether RBAC resources should be created                                                                                                                                                                                                                                                                               | `true`                                                                                                                                  |
+| `opentelemetry.grpc.enabled`                        | Whether to configure the agent to accept telemetry from OpenTelemetry applications via gRPC. This option also implies `service.create=true`, and requires Kubernetes 1.21+, as it relies on `internalTrafficPolicy`.                                                                                                   | `true`                                                                                                                                  |
+| `opentelemetry.http.enabled`                        | Whether to configure the agent to accept telemetry from OpenTelemetry applications via HTTP. This option also implies `service.create=true`, and requires Kubernetes 1.21+, as it relies on `internalTrafficPolicy`.                                                                                                   | `true`                                                                                                                                  |
+| `prometheus.remoteWrite.enabled`                    | Whether to configure the agent to accept metrics over its implementation of the `remote_write` Prometheus endpoint. This option also implies `service.create=true`, and requires Kubernetes 1.21+, as it relies on `internalTrafficPolicy`.                                                                            | `false`                                                                                                                                 |
+| `service.create`                                    | Whether to create a service that exposes the agents' Prometheus, OpenTelemetry and other APIs inside the cluster. Requires Kubernetes 1.21+, as it relies on `internalTrafficPolicy`. The `ServiceInternalTrafficPolicy` feature gate needs to be enabled (default: enabled).                                          | `true`                                                                                                                                  |
+| `serviceAccount.create`                             | Whether a ServiceAccount should be created                                                                                                                                                                                                                                                                             | `true`                                                                                                                                  |
+| `serviceAccount.name`                               | Name of the ServiceAccount to use                                                                                                                                                                                                                                                                                      | `instana-agent`                                                                                                                         |
+| `serviceAccount.annotations`                        | Annotations to add to the service account                                                                                                                                                                                                                                                                              | `{}`                                                                                                                                    |
+| `zone.name`                                         | Zone that detected technologies will be assigned to                                                                                                                                                                                                                                                                    | `nil` You must provide either `zone.name` or `cluster.name`, see [above](#installation) for details                                     |
+| `zones`                                             | Multi-zone daemonset configuration.                                                                                                                                                                                                                                                                                    | `nil` see [below](#multiple-zones) for details                                                                                          |
+| `k8s_sensor.podDisruptionBudget.enabled`            | Whether to create DisruptionBudget for k8sensor to limit the number of concurrent disruptions                                                                                                                                                                                                                          | `false`                                                                                                                                 |
+| `k8s_sensor.deployment.pod.affinity`                | `k8sensor` deployment affinity format                                                                                                                                                                                                                                                                                  | `podAntiAffinity` defined in `values.yaml`                                                                                              |
+
+### Agent Modes
+
+Agent can have either `APM` or `INFRASTRUCTURE`.
+Default is APM and if you want to override that, ensure you set value:
+
+* `agent.mode`
+
+For more information on agent modes, refer to the [Host Agent Modes](https://www.instana.com/docs/setup_and_manage/host_agent#host-agent-modes) documentation.
+
+### Agent Configuration
+
+Besides the settings listed above, there are many more settings that can be applied to the agent via the so-called "Agent Configuration File", often also referred to as `configuration.yaml` file.
+An overview of the settings that can be applied is provided in the [Agent Configuration File](https://www.instana.com/docs/setup_and_manage/host_agent/configuration#agent-configuration-file) documentation.
+To configure the agent, you can either:
+
+* edit the [config map](templates/agent-configmap.yaml), or
+* provide the configuration via the `agent.configuration_yaml` parameter in [values.yaml](values.yaml)
+
+This configuration will be used for all Instana Agents on all nodes. Visit the [agent configuration documentation](https://docs.instana.io/setup_and_manage/host_agent/#agent-configuration-file) for more details on configuration options.
+
+_Note:_ This Helm Chart does not support configuring [Multiple Configuration Files](https://www.instana.com/docs/setup_and_manage/host_agent/configuration#multiple-configuration-files).
+
+### Agent Pod Sizing
+
+The `agent.pod.requests.cpu`, `agent.pod.requests.memory`, `agent.pod.limits.cpu` and `agent.pod.limits.memory` settings allow you to change the sizing of the `instana-agent` pods.
+If you are using the [Kubernetes Sensor Deployment](#kubernetes-sensor-deployment) functionality, you may be able to reduce the default amount of resources, and especially memory, allocated to the Instana agents that monitor your applications.
+Actual sizing data depends very much on how many pods, containers and applications are monitored, and how much traces they generate, so we cannot really provide a rule of thumb for the sizing.
+
+### Bring your own Keys secret
+
+In case you have automation that creates secrets for you, it may not be desirable for this Helm chart to create a secret containing the `agent.key` and `agent.downloadKey`.
+In this case, you can instead specify the name of an alread-existing secret in the namespace in which you install the Instana agent that carries the agent key and download key.
+
+The secret you specify The secret you specify _must_ have a field called `key`, which would contain the value you would otherwise set to `agent.key`, and _may_ contain a field called `downloadKey`, which would contain the value you would otherwise set to `agent.downloadKey`.
+
+### Configuring Additional Configuration Files
+
+[Multiple configuration files](https://www.instana.com/docs/setup_and_manage/host_agent/configuration#multiple-configuration-files) is a capability of the Instana agent that allows for modularity in its configurations files.
+
+The experimental `agent.configuration.autoMountConfigEntries`, which uses functionality available in Helm 3.1+ to automatically look up the entries of the default `instana-agent` ConfigMap, and mount as agent configuration files in the `instana-agent` container under the `/opt/instana/agent/etc/instana` directory all ConfigMap entries with keys that match the `configuration-*.yaml` scheme.
+
+**IMPORTANT:** Needs Helm 3.1+ as it is built on the `lookup` function
+**IMPORTANT:** Editing the ConfigMap adding keys requires a `helm upgrade` to take effect
+
+### Configuring Additional Backends
+
+You may want to have your Instana agents report to multiple backends.
+The first backend must be configured as shown in the [Configuring the Instana Backend](#configuring-the-instana-backend); every backend after the first, is configured in the `agent.additionalBackends` list in the [values.yaml](values.yaml) as follows:
+
+```yaml
+agent:
+  additionalBackends:
+  # Second backend
+  - endpointHost: my-instana.instana.io # endpoint host; e.g., my-instana.instana.io
+    endpointPort: 443 # default is 443, so this line could be omitted
+    key: ABCDEFG # agent key for this backend
+  # Third backend
+  - endpointHost: another-instana.instana.io # endpoint host; e.g., my-instana.instana.io
+    endpointPort: 1444 # default is 443, so this line could be omitted
+    key: LMNOPQR # agent key for this backend
+```
+
+The snippet above configures the agent to report to two additional backends.
+The same effect as the above can be accomplished via the command line via:
+
+```sh
+$ helm install -n instana-agent instana-agent ... \
+    --repo https://agents.instana.io/helm \
+    --set 'agent.additionalBackends[0].endpointHost=my-instana.instana.io' \
+    --set 'agent.additionalBackends[0].endpointPort=443' \
+    --set 'agent.additionalBackends[0].key=ABCDEFG' \
+    --set 'agent.additionalBackends[1].endpointHost=another-instana.instana.io' \
+    --set 'agent.additionalBackends[1].endpointPort=1444' \
+    --set 'agent.additionalBackends[1].key=LMNOPQR' \
+    instana-agent
+```
+
+_Note:_ There is no hard limitation on the number of backends an Instana agent can report to, although each comes at the cost of a slight increase in CPU and memory consumption.
+
+### Configuring a Proxy between the Instana agents and the Instana backend
+
+If your infrastructure uses a proxy, you should ensure that you set values for:
+
+* `agent.proxyHost`
+* `agent.pod.proxyPort`
+* `agent.pod.proxyProtocol`
+* `agent.pod.proxyUser`
+* `agent.pod.proxyPassword`
+* `agent.pod.proxyUseDNS`
+
+#### Same Proxy for Repository and the Instana backend
+
+If the same proxy is utilized for both backend and repository, configure only the 'Agent' proxy settings  using the following parameter:
+ ```
+  --set agent.proxyHost='<Hostname/address of a proxy>' 
+ ```
+
+#### Separate Proxies for Repository and the Instana backend
+
+In scenarios where distinct proxy settings are employed for the backend and repository, both proxies must be configured separately. The key is to ensure that `INSTANA_REPOSITORY_PROXY_ENABLED=true` is set.
+
+To use this variant, execute helm install with the following additional parameters:
+
+```
+--set agent.proxyHost='Hostname/address of a proxy'
+--set agent.env.INSTANA_REPOSITORY_PROXY_ENABLED='true'
+--set agent.env.INSTANA_REPOSITORY_PROXY_HOST='Hostname/address of a proxy'
+```
+Make sure to replace 'Hostname/address of a proxy' with the actual hostname or address of your proxy.
+
+### Configuring which Networks the Instana Agent should listen on
+
+If your infrastructure has multiple networks defined, you might need to allow the agent to listen on all addresses (typically with value set to `*`):
+
+* `agent.listenAddress`
+
+### Setup TLS Encryption for Agent Endpoint
+
+TLS encryption can be added via two variants.
+Either an existing secret can be used or a certificate and a private key can be used during the installation.
+
+#### Using existing secret
+
+An existing secret of type `kubernetes.io/tls` can be used.
+Only the `secretName` must be provided during the installation with `--set 'agent.tls.secretName=<YOUR_SECRET_NAME>'`.
+The files from the provided secret are then mounted into the agent.
+
+#### Provide certificate and private key
+
+On the other side, a certificate and a private key can be added during the installation.
+The certificate and private key must be base64 encoded.
+
+To use this variant, execute `helm install` with the following additional parameters:
+
+```
+--set 'agent.tls.certificate=<YOUR_CERTIFICATE_BASE64_ENCODED>'
+--set 'agent.tls.key=<YOUR_PRIVATE_KEY_BASE64_ENCODED>'
+```
+
+If `agent.tls.secretName` is set, then `agent.tls.certificate` and `agent.tls.key` are ignored.
+
+### Development and debugging options
+
+These options will be rarely used outside of development or debugging of the agent.
+
+| Parameter               | Description                                      | Default |
+| ----------------------- | ------------------------------------------------ | ------- |
+| `agent.host.repository` | Host path to mount as the agent maven repository | `nil`   |
+
+### Kubernetes Sensor Deployment
+
+ _Note: leader-elector and kubernetes sensor are fully deprecated and can no longer be chosen. Instead, the k8s_sensor will be used._
+
+The Helm chart will schedule additional Instana agents running _only_ the Kubernetes sensor that runs in a dedicated `k8sensor` Deployment inside the `instana-agent` namespace.
+The pods containing agents that run only the Kubernetes sensor are called `k8sensor` pods.
+When `k8s_sensor.deployment.enabled=true`, the `instana-agent` pods running inside the daemonset do _not_ contain the `leader-elector` container, which is instead scheduled inside the `k8sensor` pods.
+
+The `instana-agent` and `k8sensor` pods share the same configurations in terms of backend-related configurations (including [additional backends](#configuring-additional-backends)).
+
+The `k8s_sensor.deployment.pod.requests.cpu`, `k8s_sensor.deployment.pod.requests.memory`, `k8s_sensor.deployment.pod.limits.cpu` and `k8s_sensor.deployment.pod.limits.memory` settings, allow you to change the sizing of the `k8sensor` pods.
+
+### Multiple Zones
+
+You can list zones to use affinities and tolerations as the basis to associate a specific daemonset per tainted node pool. Each zone will have the following data:
+
+* `name` (required) - zone name.
+* `mode` (optional) - instana agent mode (e.g. APM, INFRASTRUCTURE, etc).
+* `affinity` (optional) - standard kubernetes pod affinity list for the daemonset.
+* `tolerations` (optional) - standard kubernetes pod toleration list for the daemonset.
+
+The following is an example that will create 2 zones an api-server and a worker zone:
+
+```yaml
+zones:
+  - name: workers
+    mode: APM
+  - name: api-server
+    mode: INFRASTRUCTURE
+    affinity:
+      nodeAffinity:
+        requiredDuringSchedulingIgnoredDuringExecution:
+          nodeSelectorTerms:
+            - matchExpressions:
+                - key: node-role.kubernetes.io/control-plane
+                  operator: Exists
+    tolerations:
+    - key: "node-role.kubernetes.io/master"
+      operator: "Exists"
+      effect: "NoSchedule"
+```
+
+## Changelog
+
+### 2.0.0
+
+* Deploy the instana-agent operator instead of managing agent artifacts directly
+* Always use the k8sensor, the deprecated kubernetes sensor is no longer supported (this is an internal change, Kubernetes clusters will still report into the Instana backend)
+* BREAKING CHANGE: Due to limitations of helm to manage Custom Resource Definition (CRD) updates, the upgrade requires to apply the CRD from the helm chart crds folder manually. Find more details in the [upgrade](#upgrade) section.
+
+### 1.2.74
+
+* Enable OTLP by default
+
+### 1.2.73
+
+* Fix label for `io.instana/zone` to reflect the real agent mode
+* Change the charts flag from ENABLE_AGENT_SOCKET to serviceMesh.enabled
+* Add type: DirectoryOrCreate to DaemonSet definitions to ensure required directories exist
+
+### 1.2.72
+
+* Add minReadySeconds field to agent daemonset yaml
+
+### 1.2.71
+
+* Fix usage of digest for pulling images
+
+### 1.2.70
+
+* Allow the configuration of `minReadySeconds` for the agent daemonset and deployment
+
+### 1.2.69
+
+* Add possibility to set annotations for the serviceAccount.
+
+### 1.2.68
+
+* Add leader elector configuration back to allow for proper deprecation
+
+### 1.2.67
+
+* Fix variable name in the K8s deployment
+
+### 1.2.66
+
+* Allign the default Memory requests to 768Mi for the Agent container.
+
+### 1.2.65
+
+* Ensure we have appropriate SCC when running with new K8s sensor.
+
+### 1.2.64
+
+* Remove RBAC not required by agent when kubernetes-sensor is disabed.
+* Add settings override for k8s-sensor affinity
+* Add optional pod disruption budget for k8s-sensor
+
+### 1.2.63
+
+* Add RBAC required to allow access to /metrics end-points.
+
+### 1.2.62
+
+* Include k8s-sensor resources in the default static YAML definitions
+
+### 1.2.61
+
+* Increase timeout and initialDelay for the Agent container
+* Add OTLP ports to headless service
+
+### 1.2.60
+
+* Enable the k8s_sensor by default
+
+### 1.2.59
+
+* Introduce unique selectorLabels and commonLabels for k8s-sensor deployment
+
+### 1.2.58
+
+* Default to `internalTrafficPolicy` instead of `topologyKeys` for rendering of static YAMLs
+
+### 1.2.57
+
+* Fix vulnerability in the leader-elector image
+
+### 1.2.49
+
+* Add zone name to label `io.instana/zone` in daemonset
+
+### 1.2.48
+
+* Set env var INSTANA_KUBERNETES_REDACT_SECRETS true if agent.redactKubernetesSecrets is enabled.
+* Use feature PSP flag in k8sensor ClusterRole only when podsecuritypolicy.enable is true.
+
+### 1.2.47
+
+* Roll back the changes from version 1.2.46 to be compatible with the Agent Operator installation
+
+### 1.2.46
+
+* Use K8sensor by default.
+* kubernetes.deployment.enabled setting overrides k8s_sensor.deployment.enabled setting.
+* Use feature PSP flag in k8sensor ClusterRole only when podsecuritypolicy.enable is true.
+* Throw failure if customer specifies proxy with k8sensor.
+* Set env var INSTANA_KUBERNETES_REDACT_SECRETS true if agent.redactKubernetesSecrets is enabled.
+
+### 1.2.45
+
+* Use agent key secret in k8sensor deployment.
+
+### 1.2.44
+
+* Add support for enabling the hot-reload of `configuration.yaml` when the default `instana-agent` ConfigMap changes
+* Enablement is done via the flag `--set agent.configuration.hotreloadEnabled=true`
+
+### 1.2.43
+
+* Bump leader-elector image to v0.5.16 (Update dependencies)
+
+### 1.2.42
+
+* Add support for creating multiple zones within the same cluster using affinity and tolerations.
+
+### 1.2.41
+
+* Add additional permissions (HPA, ResourceQuotas, etc) to k8sensor clusterrole.
+
+### 1.2.40
+
+* Mount all system mounts mountPropagation: HostToContainer.
+
+### 1.2.39
+
+* Add NO_PROXY to k8sensor deployment to prevent api-server requests from being routed to the proxy.
+
+### 1.2.38
+
+* Fix issue related to EKS version format when enabling OTel service.
+
+### 1.2.37
+
+* Fix issue where cluster_zone is used as cluster_name when `k8s_sensor.deployment.enabled=true`.
+* Set `HTTPS_PROXY` in k8s deployment when proxy information is set.
+
+### 1.2.36
+
+* Remove Service `topologyKeys`, which was removed in Kubernetes v1.22. Replaced by `internalTrafficPolicy` which is available with Kubernetes v1.21+.
+
+### 1.2.35
+
+* Fix invalid backend port for new Kubernetes sensor (k8sensor)
+
+### 1.2.34
+
+* Add support for new Kubernetes sensor (k8sensor)
+  * New Kubernetes sensor can be used via the flag `--set k8s_sensor.deployment.enabled=true`
+
+### 1.2.33
+
+* Bump leader-elector image to v0.5.15 (Update dependencies)
+
+### 1.2.32
+
+* Add support for containerd montoring on TKGI  
+
+### 1.2.31
+
+* Bump leader-elector image to v0.5.14 (Update dependencies)
+
+### 1.2.30
+
+* Pull agent image from IBM Cloud Container Registry (icr.io/instana/agent). No code changes have been made.
+* Bump leader-elector image to v0.5.13 and pull from IBM Cloud Container Registry (icr.io/instana/leader-elector). No code changes have been made.
+
+### 1.2.29
+
+* Add an additional port to the Instana Agent `Service` definition, for the OpenTelemetry registered IANA port 4317.
+
+### 1.2.28
+
+* Fix deployment when `cluster.name` is not specified. Should be allowed according to docs but previously broke the Pod
+    when starting up.
+
+### 1.2.27
+
+* Update leader elector image to `0.5.10` to tone down logging and make it configurable
+
+### 1.2.26
+
+* Add TLS support. An existing secret can be used of type `kubernetes.io/tls`. Or provide a certificate and a private key, which creates a new secret.
+* Update leader elector image version to 0.5.9 to support PPCle
+
+### 1.2.25
+
+* Add `agent.pod.labels` to add custom labels to the Instana Agent pods
+
+### 1.2.24
+
+* Bump leader-elector image to v0.5.8 which includes a health-check endpoint. Update the `livenessProbe`
+    correspondingly.
+
+### 1.2.23
+
+* Bump leader-elector image to v0.5.7 to fix a potential Golang bug in the elector
+
+### 1.2.22
+
+* Fix templating scope when defining multiple backends
+
+### 1.2.21
+
+* Internal updates
+
+### 1.2.20
+
+* upgrade leader-elector image to v0.5.6 to enable usage on s390x and arm64
+
+### 1.2.18 / 1.2.19
+
+* Internal change on generated DaemonSet YAML from the Helm charts
+
+### 1.2.17
+
+* Update Pod Security Policies as the `readOnly: true` appears not to be working for the mount points and
+  actually causes the Agent deployment to fail when these policies are enforced in the cluster.
+
+### 1.2.16
+
+* Add configuration option for `INSTANA_MVN_REPOSITORY_URL` setting on the Agent container.
+
+### 1.2.15
+
+* Internal pipeline changes. No significant changes to the Helm charts
+
+### v1.2.14
+
+* Update Agent container mounts. Make some read-only as we don't need all mounts with read-write permissions.
+    Additionally add the mount for `/var/data` which is needed in certain environments for the Agent to function
+    properly.
+
+### v1.2.13
+
+* Update memory settings specifically for the Kubernetes sensor (Technical Preview)
+
+### v1.2.11
+
+* Simplify setup for using OpenTelemetry and the Prometheus `remote_write` endpoint using the `opentelemetry.enabled` and `prometheus.remoteWrite.enabled` settings, respectively.
+
+### v1.2.9
+
+* **Technical Preview:** Introduce a new mode of running to the Kubernetes sensor using a dedicated deployment.
+  See the [Kubernetes Sensor Deployment](#kubernetes-sensor-deployment) section for more information.
+
+### v1.2.7
+
+* Fix: Make service opt-in, as it uses functionality (`topologyKeys`) that is available only in K8S 1.17+.
+
+### v1.2.6
+
+* Fix bug that might cause some OpenShift-specific resources to be created in other flavours of Kubernetes.
+
+### v1.2.5
+
+* Introduce the `instana-agent:instana-agent` Kubernetes service that allows you to talk to the Instana agent on the same node.
+
+### v1.2.3
+
+* Bug fix: Extend the built-in Pod Security Policy to cover the Docker socket mount for Tanzu Kubernetes Grid systems.
+
+### v1.2.1
+
+* Support OpenShift 4.x: just add --set openshift=true to the usual settings, and off you go :-)
+* Restructure documentation for consistency and readability
+* Deprecation: Helm 2 is no longer supported; the minimum Helm API version is now v2, which will make Helm 2 refuse to process the chart.
+
+### v1.1.10
+
+* Some linting of the whitespaces in the generated YAML
+
+### v1.1.9
+
+* Update the README to replace all references of `stable/instana-agent` with specifically setting the repo flag to `https://agents.instana.io/helm`.
+* Add support for TKGI and PKS systems, providing a workaround for the [unexpected Docker socket location](https://github.com/cloudfoundry-incubator/kubo-release/issues/329).
+
+### v1.1.7
+
+* Store the cluster name in a new `cluster-name` entry of the `instana-agent` ConfigMap rather than directly as the value of the `INSTANA_KUBERNETES_CLUSTER_NAME`, so that you can edit the cluster name in the ConfigMap in deployments like VMware Tanzu Kubernetes Grid in which, when installing the Instana agent over the [Instana tile](https://www.instana.com/docs/setup_and_manage/host_agent/on/vmware_tanzu), you do not have directly control to the configuration of the cluster name.
+If you edit the ConfigMap, you will need to delete the `instana-agent` pods for its new value to take effect.
+
+### v1.1.6
+
+* Allow to use user-specified memony measurement units in `agent.pod.requests.memory` and `agent.pod.limits.memory`.
+  If the value set is numerical, the Chart will assume it to be expressed in `Mi` for backwards compatibility.
+* Exposed `agent.updateStrategy.type` and `agent.updateStrategy.rollingUpdate.maxUnavailable` settings.
+
+### v1.1.5
+
+Restore compatibility with Helm 2 that was broken in v1.1.4 by the usage of the `lookup` function, a function actually introduced only with Helm 3.1.
+Coincidentally, this has been an _excellent_ opportunity to introduce `helm lint` to our validation pipeline and end-to-end tests with Helm 2 ;-)
+
+### v1.1.4
+
+* Bring-your-own secret for agent keys: using the new `agent.keysSecret` setting, you can specify the name of the secret that contains the agent key and, optionally, the download key; refer to [Bring your own Keys secret](#bring-your-own-keys-secret) for more details.
+* Add support for affinities for the instana agent pod via the `agent.pod.affinity` setting.
+* Put some love into the ArtifactHub.io metadata; likely to add some more improvements related to this over time.
+
+### v1.1.3
+
+* No new features, just ironing some wrinkles out of our release automation.
+
+### v1.1.2
+
+* Improvement: Seamless support for Instana static agent images: When using an `agent.image.name` starting with `containers.instana.io`, automatically create a secret called `containers-instana-io` containing the `.dockerconfigjson` for `containers.instana.io`, using `_` as username and `agent.downloadKey` or, if missing, `agent.key` as password. If you want to control the creation of the image pull secret, or disable it, you can use `agent.image.pullSecrets`, passing to it the YAML to use for the `imagePullSecrets` field of the Daemonset spec, including an empty array `[]` to mount no pull secrets, no matter what.
+
+### v1.1.1
+
+* Fix: Recreate the `instana-agent` pods when there is a change in one of the following configuration, which are mapped to the chart-managed ConfigMap:
+
+* `agent.configuration_yaml`
+* `agent.additional_backends`
+
+The pod recreation is achieved by annotating the `instana-agent` Pod with a new `instana-configuration-hash` annotation that has, as value, the SHA-1 hash of the configurations used to populate the ConfigMap.
+This way, when the configuration changes, the respective change in the `instana-configuration-hash` annotation will cause the agent pods to be recreated.
+This technique has been described at [1] (or, at least, that is were we learned about it) and it is pretty cool :-)
+
+### v1.1.0
+
+* Improvement: The `instana-agent` Helm chart has a new home at `https://agents.instana.io/helm` and `https://github.com/instana/helm-charts/instana-agent`!
+This release is functionally equivalent to `1.0.34`, but we bumped the major to denote the new location ;-)
+
+## References
+
+[1] ["Using Kubernetes Helm to push ConfigMap changes to your Deployments", by Sander Knape; Mar 7, 2019](https://sanderknape.com/2019/03/kubernetes-helm-configmaps-changes-deployments/)

charts/instana/instana-agent/2.0.0/app-readme.md

@@ -0,0 +1,5 @@
+# Instana
+
+Instana is an [APM solution(https://www.instana.com/) built for microservices that enables IT Ops to build applications faster and deliver higher quality services by automating monitoring tracing and root cause analysis. This solution is optimized for [Rancher](https://www.instana.com/rancher/).
+
+This chart adds the Instana Agent to all schedulable nodes in your cluster via a `DaemonSet`.

charts/instana/instana-agent/2.0.0/kubernetes_deployment_mode_diagram.py

@@ -0,0 +1,20 @@
+from diagrams import Cluster, Diagram
+from diagrams.k8s.compute import Deploy, DaemonSet, Pod
+from diagrams.k8s.podconfig import ConfigMap
+
+with Diagram("kubernetes.deployment.enabled", show=True, direction="LR"):
+    ds = None
+    deploy = None
+    with Cluster("Namespace\ninstana-agent"):
+        with Cluster("Deployment\nkubernetes-sensor"):
+            deploy = Pod("2 Replicas\nKubernetes Sensor")
+
+        with Cluster("DaemonSet\ninstana-agent"):
+            ds = Pod('Per Node\nHost & APM')
+
+        cm = ConfigMap("instana-agent")
+        dcm = ConfigMap("instana-agent-deployment")
+
+        cm >> deploy
+        cm >> ds
+        dcm >> deploy

charts/instana/instana-agent/2.0.0/questions.yml

@@ -0,0 +1,236 @@
+questions:
+# Basic agent configuration
+- variable: agent.key
+  label: agent.key
+  description: "Your Instana Agent key is the secret token which your agent uses to authenticate to Instana's servers"
+  type: string
+  required: true
+  group: "Agent Configuration"
+- variable: agent.endpointHost
+  label: agent.endpointHost
+  description: "The hostname of the Instana server your agents will connect to. Defaults to ingress-red-saas.instana.io for US and ROW. If in Europe, please use ingress-blue-saas.instana.io"
+  type: string
+  required: true
+  default: "ingress-red-saas.instana.io"
+  group: "Agent Configuration"
+- variable: zone.name
+  label: zone.name
+  description: "Custom zone that detected technologies will be assigned to"
+  type: string
+  required: true
+  group: "Agent Configuration"
+# Advanced agent configuration
+- variable: advancedAgentConfiguration
+  description: "Show advanced configuration for the Instana Agent"
+  label: Show advanced configuration
+  type: boolean
+  default: false
+  show_subquestion_if: true
+  group: "Advanced Agent Configuration"
+  subquestions:
+  - variable: agent.configuration_yaml
+    label: agent.configuration_yaml (Optional)
+    description: "Custom content for the agent configuration.yaml file in YAML format. Please use the 'Edit as YAML' feature in the Rancher UI for the best editing experience."
+    type: string
+    required: false
+    group: "Advanced Agent Configuration"
+  - variable: agent.downloadKey
+    label: agent.downloadKey (Optional)
+    description: "Your Instana download key"
+    type: string
+    required: false
+    group: "Advanced Agent Configuration"
+  - variable: agent.endpointPort
+    label: agent.endpointPort
+    description: "The Agent backend port number (as a string) of the Instana server your agents will connect to"
+    type: string
+    required: true
+    default: "443"
+    group: "Advanced Agent Configuration"
+  - variable: agent.image.name
+    label: agent.image.name
+    description: "The name of the Instana Agent container image"
+    type: string
+    required: true
+    default: "instana/agent"
+    group: "Advanced Agent Configuration"
+  - variable: agent.image.tag
+    label: agent.image.tag
+    description: "The tag name of the Instana Agent container image"
+    type: string
+    required: true
+    default: "latest"
+    group: "Advanced Agent Configuration"
+  - variable: agent.image.pullPolicy
+    label: agent.image.pullPolicy
+    description: "Specifies when to pull the Instana Agent image container"
+    type: string
+    required: true
+    default: "Always"
+    group: "Advanced Agent Configuration"
+  - variable: agent.listenAddress
+    label: agent.listenAddress (Optional)
+    description: "The IP address the agent HTTP server will listen to, or '*' for all interfaces"
+    type: string
+    required: false
+    group: "Advanced Agent Configuration"
+  - variable: agent.mode
+    label: agent.mode (Optional)
+    description: "Agent mode. Possible options are: APM, INFRASTRUCTURE or AWS"
+    type: enum
+    options:
+    - "APM"
+    - "INFRASTRUCTURE"
+    - "AWS"
+    required: false
+    group: "Advanced Agent Configuration"
+  - variable: agent.pod.annotations
+    label: agent.pod.annotations (Optional)
+    description: "Additional annotations to be added to the agent pods in YAML format. Please use the 'Edit as YAML' feature in the Rancher UI for the best editing experience."
+    type: string
+    required: false
+    group: "Advanced Agent Configuration"
+  - variable: agent.pod.limits.cpu
+    label: agent.pod.limits.cpu
+    description: "CPU units allocation limits for the agent pods"
+    type: string
+    required: true
+    default: "1.5"
+    group: "Advanced Agent Configuration"
+  - variable: agent.pod.limits.memory
+    label: agent.pod.limits.memory
+    description: "Memory allocation limits in MiB for the agent pods"
+    type: int
+    required: true
+    default: 512
+    group: "Advanced Agent Configuration"
+  - variable: agent.pod.proxyHost
+    label: agent.pod.proxyHost (Optional)
+    description: "Hostname/address of a proxy. Sets the INSTANA_AGENT_PROXY_HOST environment variable"
+    type: string
+    required: false
+    group: "Advanced Agent Configuration"
+  - variable: agent.pod.proxyPort
+    label: agent.pod.proxyPort (Optional)
+    description: "Port of a proxy. Sets the INSTANA_AGENT_PROXY_PORT environment variable"
+    type: string
+    required: false
+    group: "Advanced Agent Configuration"
+  - variable: agent.pod.proxyProtocol
+    label: agent.pod.proxyProtocol (Optional)
+    description: "Proxy protocol. Sets the INSTANA_AGENT_PROXY_PROTOCOL environment variable. Supported proxy types are http, socks4, socks5"
+    type: string
+    required: false
+    group: "Advanced Agent Configuration"
+  - variable: agent.pod.proxyUser
+    label: agent.pod.proxyUser (Optional)
+    description: "Username of the proxy auth. Sets the INSTANA_AGENT_PROXY_USER environment variable"
+    type: string
+    required: false
+    group: "Advanced Agent Configuration"
+  - variable: agent.pod.proxyPassword
+    label: agent.pod.proxyPassword (Optional)
+    description: "Password of the proxy auth. Sets the INSTANA_AGENT_PROXY_PASSWORD environment variable"
+    type: string
+    required: false
+    group: "Advanced Agent Configuration"
+  - variable: agent.pod.proxyUseDNS
+    label: agent.pod.proxyUseDNS. (Optional)
+    description: "Boolean if proxy also does DNS. Sets the INSTANA_AGENT_PROXY_USE_DNS environment variable"
+    type: enum
+    options:
+      - "true"
+      - "false"
+    required: false
+    group: "Advanced Agent Configuration"
+  - variable: agent.pod.requests.cpu
+    label: agent.pod.requests.cpu
+    description: "Requested CPU units allocation for the agent pods"
+    type: string
+    required: true
+    default: "0.5"
+    group: "Advanced Agent Configuration"
+  - variable: agent.pod.requests.memory
+    label: agent.pod.requests.memory
+    description: "Requested memory allocation in MiB for the agent pods"
+    type: int
+    required: true
+    default: 512
+    group: "Advanced Agent Configuration"
+  - variable: agent.pod.tolerations
+    label: agent.pod.tolerations (Optional)
+    description: "Tolerations to influence agent pod assignment in YAML format. Please use the 'Edit as YAML' feature in the Rancher UI for the best editing experience."
+    type: string
+    required: false
+    group: "Advanced Agent Configuration"
+  - variable: agent.redactKubernetesSecrets
+    label: agent.redactKubernetesSecrets (Optional)
+    description: "Enable additional secrets redaction for selected Kubernetes resources"
+    type: boolean
+    required: false
+    default: false
+    group: "Advanced Agent Configuration"
+  - variable: cluster.name
+    label: cluster.name (Optional)
+    description: "The name that will be assigned to this cluster in Instana. See the 'Installing the Chart' section in the 'Detailed Descriptions' tab for more details"
+    type: string
+    required: false
+    group: "Advanced Agent Configuration"
+  - variable: leaderElector.image.name
+    label: leaderElector.image.name
+    description: "The name of the leader elector container image"
+    type: string
+    required: true
+    default: "instana/leader-elector"
+    group: "Advanced Agent Configuration"
+  - variable: leaderElector.image.tag
+    label: leaderElector.image.tag
+    description: "The tag name of the leader elector container image"
+    type: string
+    required: true
+    default: "0.5.4"
+    group: "Advanced Agent Configuration"
+  - variable: leaderElector.port
+    label: leaderElector.port
+    description: "The port on which the leader elector sidecar is exposed"
+    type: int
+    required: true
+    default: 42655
+    group: "Advanced Agent Configuration"
+- variable: podSecurityPolicy.enable
+  label: podSecurityPolicy.enable (Optional)
+  description: "Specifies whether a PodSecurityPolicy should be authorized for the Instana Agent pods. Requires `rbac.create` to also be `true`"
+  type: boolean
+  show_if: "rbac.create=true"
+  required: false
+  default: false
+  group: "Pod Security Policy Configuration"
+- variable: podSecurityPolicy.name
+  label: podSecurityPolicy.name (Optional)
+  description: "The name of an existing PodSecurityPolicy you would like to authorize for the Instana Agent pods. If not set and `podSecurityPolicy.enable` is `true`, a PodSecurityPolicy will be created with a name generated using the fullname template"
+  type: string
+  show_if: "rbac.create=true&&podSecurityPolicy.enable=true"
+  required: false
+  group: "Pod Security Policy Configuration"
+- variable: rbac.create
+  label: rbac.create
+  description: "Specifies whether RBAC resources should be created"
+  type: boolean
+  required: true
+  default: true
+  group: "RBAC Configuration"
+- variable: serviceAccount.create
+  label: serviceAccount.create
+  description: "Specifies whether a ServiceAccount should be created"
+  type: boolean
+  required: true
+  default: true
+  show_subquestion_if: true
+  group: "RBAC Configuration"
+  subquestions:
+  - variable: serviceAccount.name
+    label: Name of the ServiceAccount (Optional)
+    description: "The name of the ServiceAccount to use. If not set and `serviceAccount.create` is true, a name is generated using the fullname template."
+    type: string
+    required: false
+    group: "RBAC Configuration"

charts/instana/instana-agent/2.0.0/templates/NOTES.txt

@@ -0,0 +1,73 @@
+{{- if (and (not (or .Values.agent.key .Values.agent.keysSecret )) (and (not .Values.zone.name) (not .Values.cluster.name))) }}
+##############################################################################
+####    ERROR: You did not specify your secret agent key.                 ####
+####    ERROR: You also did not specify a zone or name for this cluster.  ####
+##############################################################################
+
+This agent deployment will be incomplete until you set your agent key and zone or name for this cluster:
+
+    helm upgrade {{ .Release.Name }} --reuse-values \
+        --repo https://agents.instana.io/helm \
+        --set agent.key=$(YOUR_SECRET_AGENT_KEY) \
+        --set zone.name=$(YOUR_ZONE_NAME) instana-agent
+
+Alternatively, you may specify a cluster name and the zone will be detected from availability zone information on the host:
+
+    helm upgrade {{ .Release.Name }} --reuse-values \
+        --repo https://agents.instana.io/helm \
+        --set agent.key=$(YOUR_SECRET_AGENT_KEY) \
+        --set cluster.name=$(YOUR_CLUSTER_NAME) instana-agent
+
+- YOUR_SECRET_AGENT_KEY can be obtained from the Management Portal section of your Instana installation.
+- YOUR_ZONE_NAME should be the zone that detected technologies will be assigned to.
+- YOUR_CLUSTER_NAME should be the custom name of your cluster.
+
+At least one of zone.name or cluster.name is required. This cluster will be reported with the name of the zone unless you specify a cluster name.
+
+{{- else if (and (not .Values.zone.name) (not .Values.cluster.name))  }}
+##############################################################################
+####    ERROR: You did not specify a zone or name for this cluster.       ####
+##############################################################################
+
+This agent deployment will be incomplete until you set a zone for this cluster:
+
+    helm upgrade {{ .Release.Name }} --reuse-values \
+        --repo https://agents.instana.io/helm \
+        --set zone.name=$(YOUR_ZONE_NAME) instana-agent
+
+Alternatively, you may specify a cluster name and the zone will be detected from availability zone information on the host:
+
+    helm upgrade {{ .Release.Name }} --reuse-values \
+        --repo https://agents.instana.io/helm \
+        --set cluster.name=$(YOUR_CLUSTER_NAME) instana-agent
+
+- YOUR_ZONE_NAME should be the zone that detected technologies will be assigned to.
+- YOUR_CLUSTER_NAME should be the custom name of your cluster.
+
+At least one of zone.name or cluster.name is required. This cluster will be reported with the name of the zone unless you specify a cluster name.
+
+{{- else if not (or .Values.agent.key .Values.agent.keysSecret )}}
+##############################################################################
+####    ERROR: You did not specify your secret agent key.                 ####
+##############################################################################
+
+This agent deployment will be incomplete until you set your agent key:
+
+    helm upgrade {{ .Release.Name }} --reuse-values \
+        --repo https://agents.instana.io/helm \
+        --set agent.key=$(YOUR_SECRET_AGENT_KEY) instana-agent
+
+- YOUR_SECRET_AGENT_KEY can be obtained from the Management Portal section of your Instana installation.
+
+{{- else -}}
+Ensure to run `oc adm policy add-scc-to-user privileged -z instana-agent -n instana-agent` if running on OCP, otherwise agent pods will not be scheduled correctly.
+
+It may take a few moments for the agents to fully deploy. You can see what agents are running by listing resources in the {{ .Release.Namespace }} namespace:
+
+    kubectl get all -n {{ .Release.Namespace }}
+
+You can get the logs for all of the agents with `kubectl logs`:
+
+    kubectl logs -l app.kubernetes.io/name={{ .Release.Name }} -n {{ .Release.Namespace }} -c instana-agent
+
+{{- end }}

charts/instana/instana-agent/2.0.0/templates/agent.yml

@@ -0,0 +1,241 @@
+---
+apiVersion: instana.io/v1
+kind: InstanaAgent
+metadata:
+  name: instana-agent
+  namespace: instana-agent
+spec:
+  zone:
+    name: {{ .Values.zone.name }}
+{{- if .Values.zones }}
+{{- toYaml $.Values.zones | nindent 4 }}
+{{- end }}
+  cluster:
+    name: {{ .Values.cluster.name }}
+  agent:
+{{- if .Values.agent.mode }}
+    mode: {{ .Values.agent.mode }}
+{{- end }}
+{{- if .Values.agent.key }}
+    key: {{ .Values.agent.key }}
+{{- end }}
+{{- if .Values.agent.downloadKey }}
+    downloadKey: {{ .Values.agent.downloadKey }}
+{{- end }}
+{{- if .Values.agent.keysSecret }}
+    keysSecret: {{ .Values.agent.keysSecret }}
+{{- end }}
+{{- if .Values.agent.listenAddress }}
+    listenAddress: {{ .Values.agent.listenAddress }}
+{{- end }}
+    endpointHost: {{ .Values.agent.endpointHost }}
+    endpointPort: {{ .Values.agent.endpointPort | quote }}
+{{- if .Values.agent.additionalBackends }}
+    additionalBackends:
+    {{- toYaml $.Values.agent.additionalBackends | nindent 6 }}
+{{- end }}
+{{- if .Values.agent.tls }}
+{{- if or .Values.agent.tls.secretName (and .Values.agent.tls.certificate .Values.agent.tls.key) }}
+    tls:
+{{- if .Values.agent.tls.secretName }}
+      secretName: {{ .Values.agent.tls.secretName }}
+{{- end }}
+{{- if .Values.agent.tls.certificate }}
+      certificate: {{ .Values.agent.tls.certificate }}
+{{- end }}
+{{- if .Values.agent.tls.key }}
+      key: {{ .Values.agent.tls.key }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- if .Values.agent.image }}
+{{- if or .Values.agent.image.name .Values.agent.image.digest .Values.agent.image.tag .Values.agent.image.pullPolicy .Values.agent.image.pullSecrets }}
+    image:
+{{- if .Values.agent.image.name }}
+      name: {{ .Values.agent.image.name }}
+{{- end }}
+{{- if .Values.agent.image.digest }}
+      digest: {{ .Values.agent.image.digest }}
+{{- end }}
+{{- if .Values.agent.image.tag }}
+      tag: {{ .Values.agent.image.tag }}
+{{- end }}
+{{- if .Values.agent.image.pullPolicy }}
+      pullPolicy: {{ .Values.agent.image.pullPolicy }}
+{{- end }}
+{{- if .Values.agent.image.pullSecrets }}
+      pullSecrets: {{ .Values.agent.image.pullSecrets }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- if .Values.agent.minReadySeconds }}
+    minReadySeconds: {{ .Values.agent.minReadySeconds }}
+{{- end }}
+{{- if .Values.agent.updateStrategy }}
+    updateStrategy:
+{{- if .Values.agent.updateStrategy.type }}
+      type: {{ .Values.agent.updateStrategy.type }}
+{{- end }}
+{{- if .Values.agent.updateStrategy.rollingUpdate }}
+{{- if .Values.agent.updateStrategy.rollingUpdate.maxUnavailable }}
+      rollingUpdate:
+        maxUnavailable: {{ .Values.agent.updateStrategy.maxUnavailable }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- if .Values.agent.pod }}
+{{- if or .Values.agent.pod.annotations .Values.agent.pod.labels .Values.agent.pod.tolerations .Values.agent.pod.affinity .Values.agent.pod.priorityClassName .Values.agent.pod.requests .Values.agent.pod.limits .Values.agent.pod.nodeSelector }}
+    pod:
+{{- if .Values.agent.pod.annotations }}
+      annotations:
+      {{- toYaml $.Values.agent.pod.annotations | nindent 8 }}
+{{- end }}
+{{- if .Values.agent.pod.labels }}
+      labels:
+      {{- toYaml $.Values.agent.pod.labels | nindent 8 }}
+{{- end }}
+{{- if .Values.agent.pod.tolerations }}
+      tolerations:
+      {{- toYaml $.Values.agent.pod.tolerations | nindent 8 }}
+{{- end }}
+{{- if .Values.agent.pod.affinity }}
+      affinity:
+      {{- toYaml $.Values.agent.pod.affinity | nindent 8 }}
+{{- end }}
+{{- if .Values.agent.pod.priorityClassName }}
+      priorityClassName: {{ .Values.agent.pod.priorityClassName }}
+{{- end }}
+{{- if or .Values.agent.pod.requests.memory .Values.agent.pod.requests.cpu }}
+      requests:
+{{- if .Values.agent.pod.requests.memory }}
+        memory: {{ .Values.agent.pod.requests.memory }}
+{{- end }}
+{{- if .Values.agent.pod.requests.cpu }}
+        cpu: {{ .Values.agent.pod.requests.cpu | quote }}
+{{- end }}
+{{- end }}
+{{- if or .Values.agent.pod.limits.memory .Values.agent.pod.limits.cpu }}
+      limits:
+{{- if .Values.agent.pod.limits.memory }}
+        memory: {{ .Values.agent.pod.limits.memory }}
+{{- end }}
+{{- if .Values.agent.pod.limits.cpu }}
+        cpu: {{ .Values.agent.pod.limits.cpu | quote }}
+{{- end }}
+{{- if .Values.agent.pod.nodeSelector }}
+      nodeSelector:
+      {{- toYaml $.Values.agent.pod.nodeSelector | nindent 8 }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- if .Values.agent.proxyHost }}
+    proxyHost: {{ .Values.agent.proxyHost }}
+{{- end }}
+{{- if .Values.agent.proxyPort }}
+    proxyPort: {{ .Values.agent.proxyPort }}
+{{- end }}
+{{- if .Values.agent.proxyProtocol }}
+    proxyProtocol: {{ .Values.agent.proxyProtocol }}
+{{- end }}
+{{- if .Values.agent.proxyUser }}
+    proxyUser: {{ .Values.agent.proxyUser }}
+{{- end }}
+{{- if .Values.agent.proxyPassword }}
+    proxyPassword: {{ .Values.agent.proxyPassword }}
+{{- end }}
+{{- if .Values.agent.proxyUseDNS }}
+    proxyUseDNS: {{ .Values.agent.proxyUseDNS }}
+{{- end }}
+{{- if .Values.agent.env }}
+    env: {{ .Values.agent.env }}
+{{- end }}
+{{- if .Values.agent.configuration_yaml }}
+    configuration_yaml: {{ .Values.agent.configuration_yaml }}
+{{- end }}
+{{- if and .Values.agent.host .Values.agent.host.repository }}
+    host:
+      repository: {{ .Values.agent.host.repository }}
+{{- end }}
+{{- if .Values.agent.serviceMesh}}
+{{- if .Values.agent.serviceMesh.enabled }}
+    serviceMesh:
+      enabled: {{ .Values.agent.serviceMesh.enabled }}
+{{- end }}
+{{- end }}
+{{- if .Values.opentelemetry }}
+{{- if or .Values.opentelemetry.grpc .Values.opentelemetry.http }}
+  opentelemetry:
+{{- if .Values.opentelemetry.grpc.enabled }}
+    grpc:
+      enabled: {{ .Values.opentelemetry.grpc.enabled }}
+{{- end }}
+{{- if .Values.opentelemetry.http.enabled }}
+    http:
+      enabled: {{ .Values.opentelemetry.http.enabled }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- if .Values.prometheus }}
+{{- if .Values.prometheus.remoteWrite }}
+{{- if .Values.prometheus.remoteWrite.enabled }}
+  prometheus:
+    remoteWrite:
+      enabled: {{ .Values.prometheus.remoteWrite.enabled }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- if .Values.serviceAccount }}
+{{- if or .Values.serviceAccount.create .Values.serviceAccount.annotations }}
+  serviceAccount:
+{{- if .Values.serviceAccount.create }}
+    create: {{ .Values.serviceAccount.create }}
+{{- end }}
+{{- if .Values.serviceAccount.name }}
+    name: {{ .Values.serviceAccount.name }}
+{{- end }}
+{{- if .Values.serviceAccount.annotations }}
+    annotations: {{ .Values.serviceAccount.annotations }}
+      {{- toYaml $.Values.serviceAccount.annotations | nindent 6 }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- if .Values.podSecurityPolicy }}
+{{- if or .Values.podSecurityPolicy.enable .Values.podSecurityPolicy.name }}
+  podSecurityPolicy:
+{{- if .Values.podSecurityPolicy.enable }}
+    enable: {{ .Values.podSecurityPolicy.enable }}
+{{- end }}
+{{- if .Values.podSecurityPolicy.name }}
+    name: {{ .Values.podSecurityPolicy.name }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- if .Values.k8s_sensor }}
+{{- if or .Values.k8s_sensor.image .Values.k8s_sensor.deployment .Values.k8s_sensor.podDisruptionBudget }}
+  k8s_sensor:
+{{- if .Values.k8s_sensor.image }}
+    image:
+{{- if .Values.k8s_sensor.image.name }}
+      name: {{ .Values.k8s_sensor.image.name }}
+{{- end }}
+{{- if .Values.k8s_sensor.image.digest }}
+      digest: {{ .Values.k8s_sensor.image.digest }}
+{{- end }}
+{{- if .Values.k8s_sensor.image.tag }}
+      tag: {{ .Values.k8s_sensor.image.tag }}
+{{- end }}
+{{- if .Values.k8s_sensor.image.pullPolicy }}
+      pullPolicy: {{ .Values.k8s_sensor.image.pullPolicy }}
+{{- end }}
+{{- if .Values.k8s_sensor.deployment }}
+    deployment:
+    {{- toYaml $.Values.k8s_sensor.deployment | nindent 6 }}
+{{- end }}
+{{- if .Values.k8s_sensor.podDisruptionBudget }}
+    podDisruptionBudget:
+    {{- toYaml $.Values.k8s_sensor.podDisruptionBudget | nindent 6 }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}

charts/instana/instana-agent/2.0.0/templates/operator_clusterrole_leader-election-role.yml

@@ -0,0 +1,27 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: leader-election-role
+rules:
+  - apiGroups:
+      - ""
+      - coordination.k8s.io
+    resources:
+      - configmaps
+      - leases
+    verbs:
+      - get
+      - list
+      - watch
+      - create
+      - update
+      - patch
+      - delete
+  - apiGroups:
+      - ""
+    resources:
+      - events
+    verbs:
+      - create
+      - patch

charts/instana/instana-agent/2.0.0/templates/operator_clusterrole_manager-role.yml

@@ -0,0 +1,176 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: manager-role
+rules:
+  - nonResourceURLs:
+      - /healthz
+      - /version
+    verbs:
+      - get
+  - apiGroups:
+      - apiextensions.k8s.io
+    resources:
+      - customresourcedefinitions
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - apps
+    resources:
+      - daemonsets
+      - deployments
+    verbs:
+      - create
+      - delete
+      - get
+      - list
+      - patch
+      - update
+      - watch
+  - apiGroups:
+      - apps
+    resources:
+      - daemonsets
+      - deployments
+      - replicasets
+      - statefulsets
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - apps.openshift.io
+    resources:
+      - deploymentconfigs
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - autoscaling
+    resources:
+      - horizontalpodautoscalers
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - batch
+    resources:
+      - cronjobs
+      - jobs
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - ""
+    resources:
+      - configmaps
+      - endpoints
+      - events
+      - namespaces
+      - nodes
+      - persistentvolumeclaims
+      - persistentvolumes
+      - pods
+      - pods/log
+      - replicationcontrollers
+      - resourcequotas
+      - services
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - ""
+    resources:
+      - configmaps
+      - secrets
+      - serviceaccounts
+      - services
+    verbs:
+      - create
+      - delete
+      - get
+      - list
+      - patch
+      - update
+      - watch
+  - apiGroups:
+      - extensions
+    resources:
+      - deployments
+      - ingresses
+      - replicasets
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - instana.io
+    resources:
+      - agents
+    verbs:
+      - create
+      - delete
+      - get
+      - list
+      - patch
+      - update
+      - watch
+  - apiGroups:
+      - instana.io
+    resources:
+      - agents/finalizers
+    verbs:
+      - update
+  - apiGroups:
+      - instana.io
+    resources:
+      - agents/status
+    verbs:
+      - get
+      - patch
+      - update
+  - apiGroups:
+      - networking.k8s.io
+    resources:
+      - ingresses
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - policy
+    resourceNames:
+      - instana-agent-k8sensor
+    resources:
+      - podsecuritypolicies
+    verbs:
+      - use
+  - apiGroups:
+      - rbac.authorization.k8s.io
+    resources:
+      - clusterrolebindings
+      - clusterroles
+    verbs:
+      - bind
+      - create
+      - delete
+      - get
+      - list
+      - patch
+      - update
+      - watch
+  - apiGroups:
+      - security.openshift.io
+    resourceNames:
+      - privileged
+    resources:
+      - securitycontextconstraints
+    verbs:
+      - use

charts/instana/instana-agent/2.0.0/templates/operator_clusterrolebinding_leader-election-rolebinding.yml

@@ -0,0 +1,13 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: leader-election-rolebinding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: leader-election-role
+subjects:
+  - kind: ServiceAccount
+    name: instana-agent-operator
+    namespace: instana-agent

charts/instana/instana-agent/2.0.0/templates/operator_clusterrolebinding_manager-rolebinding.yml

@@ -0,0 +1,13 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: manager-rolebinding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: manager-role
+subjects:
+  - kind: ServiceAccount
+    name: instana-agent-operator
+    namespace: instana-agent

charts/instana/instana-agent/2.0.0/templates/operator_configmap_manager-config.yml

@@ -0,0 +1,17 @@
+---
+apiVersion: v1
+data:
+  controller_manager_config.yaml: |
+    apiVersion: controller-runtime.sigs.k8s.io/v1alpha1
+    kind: ControllerManagerConfig
+    health:
+      healthProbeBindAddress: :8081
+    metrics:
+      bindAddress: 127.0.0.1:8080
+    leaderElection:
+      leaderElect: true
+      resourceName: 819a9291.instana.io
+kind: ConfigMap
+metadata:
+  name: manager-config
+  namespace: instana-agent

charts/instana/instana-agent/2.0.0/templates/operator_deployment_controller-manager.yml

@@ -0,0 +1,66 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app.kubernetes.io/name: instana-agent-operator
+  name: controller-manager
+  namespace: instana-agent
+spec:
+  replicas: 2
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: instana-agent-operator
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: instana-agent-operator
+    spec:
+      affinity:
+        nodeAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            nodeSelectorTerms:
+              - matchExpressions:
+                  - key: kubernetes.io/os
+                    operator: In
+                    values:
+                      - linux
+              - matchExpressions:
+                  - key: kubernetes.io/arch
+                    operator: In
+                    values:
+                      - amd64
+                      - ppc64le
+                      - s390x
+                      - arm64
+      containers:
+        - args:
+            - --leader-elect
+          command:
+            - /manager
+          image: icr.io/instana/instana-agent-operator:2.1.9
+          imagePullPolicy: Always
+          livenessProbe:
+            httpGet:
+              path: /healthz
+              port: 8081
+            initialDelaySeconds: 15
+            periodSeconds: 20
+          name: manager
+          readinessProbe:
+            httpGet:
+              path: /readyz
+              port: 8081
+            initialDelaySeconds: 5
+            periodSeconds: 10
+          resources:
+            limits:
+              cpu: 200m
+              memory: 600Mi
+            requests:
+              cpu: 200m
+              memory: 200Mi
+          securityContext:
+            allowPrivilegeEscalation: true
+      serviceAccountName: instana-agent-operator
+      terminationGracePeriodSeconds: 10

charts/instana/instana-agent/2.0.0/templates/operator_serviceaccount_instana-agent-operator.yml

@@ -0,0 +1,6 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: instana-agent-operator
+  namespace: instana-agent

charts/instana/instana-agent/2.0.0/values.yaml

@@ -0,0 +1,271 @@
+# name is the value which will be used as the base resource name for various resources associated with the agent.
+# name: instana-agent
+
+agent:
+  # agent.mode is used to set agent mode and it can be APM, INFRASTRUCTURE or AWS
+  # mode: APM
+
+  # agent.key is the secret token which your agent uses to authenticate to Instana's servers.
+  key: null
+  # agent.downloadKey is key, sometimes known as "sales key", that allows you to download,
+  # software from Instana.
+  # downloadKey: null
+
+  # Rather than specifying the agent key and optionally the download key, you can "bring your
+  # own secret" creating it in the namespace in which you install the `instana-agent` and
+  # specify its name in the `keysSecret` field. The secret you create must contains
+  # a field called `key` and optionally one called `downloadKey`, which contain, respectively,
+  # the values you'd otherwise set in `.agent.key` and `agent.downloadKey`.
+  # keysSecret: null
+
+  # agent.listenAddress is the IP address the agent HTTP server will listen to.
+  # listenAddress: "*"
+
+  # agent.endpointHost is the hostname of the Instana server your agents will connect to.
+  # endpointHost: ingress-red-saas.instana.io
+  # agent.endpointPort is the port number (as a String) of the Instana server your agents will connect to.
+  # endpointPort: 443
+
+  # These are additional backends the Instana agent will report to besides
+  # the one configured via the `agent.endpointHost`, `agent.endpointPort` and `agent.key` setting
+  # additionalBackends: []
+    # - endpointHost: ingress.instana.io
+    #   endpointPort: 443
+    #   key: <agent_key>
+
+  # TLS for end-to-end encryption between Instana agent and clients accessing the agent.
+  # The Instana agent does not yet allow enforcing TLS encryption.
+  # TLS is only enabled on a connection when requested by the client.
+  # tls:
+    # In order to enable TLS, a secret of type kubernetes.io/tls must be specified.
+    # secretName is the name of the secret that has the relevant files.
+    # secretName: null
+    # Otherwise,  the certificate and the private key must be provided as base64 encoded.
+    # certificate: null
+    # key: null
+
+  # image:
+    # agent.image.name is the name of the container image of the Instana agent.
+    # name: icr.io/instana/agent
+    # agent.image.digest is the digest (a.k.a. Image ID) of the agent container image; if specified, it has priority over agent.image.tag, which will be ignored.
+    # digest:
+    # agent.image.tag is the tag name of the agent container image; if agent.image.digest is specified, this property is ignored.
+    # tag: latest
+    # agent.image.pullPolicy specifies when to pull the image container.
+    # pullPolicy: Always
+    # agent.image.pullSecrets allows you to override the default pull secret that is created when agent.image.name starts with "containers.instana.io"
+    # Setting agent.image.pullSecrets prevents the creation of the default "containers-instana-io" secret.
+    # pullSecrets:
+    #   - name: my_awesome_secret_instead
+    # If you want no imagePullSecrets to be specified in the agent pod, you can just pass an empty array to agent.image.pullSecrets
+    # pullSecrets: []
+
+  # The minimum number of seconds for which a newly created Pod should be ready without any of its containers crashing, for it to be considered available
+  # minReadySeconds: 0
+
+  # updateStrategy:
+  #   type: RollingUpdate
+  #   rollingUpdate:
+  #     maxUnavailable: 1
+
+  # pod:
+    # agent.pod.annotations are additional annotations to be added to the agent pods.
+    # annotations: {}
+
+    # agent.pod.labels are additional labels to be added to the agent pods.
+    # labels: {}
+
+    # agent.pod.tolerations are tolerations to influence agent pod assignment.
+    #   https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
+    # tolerations: []
+
+    # agent.pod.affinity are affinities to influence agent pod assignment.
+    # https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
+    # affinity: {}
+
+    # agent.pod.priorityClassName is the name of an existing PriorityClass that should be set on the agent pods
+    #   https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/
+    # priorityClassName: null
+
+    # agent.pod.nodeSelector are selectors to influence where agent pods should be scheduled.
+    # nodeSelector:
+    #   location: 'us-central1-c'
+    #nodeSelector: null
+
+    # agent.pod.requests and agent.pod.limits adjusts the resource assignments for the DaemonSet agent
+    #   regardless of the kubernetes.deployment.enabled setting
+    # requests:
+      # agent.pod.requests.memory is the requested memory allocation in MiB for the agent pods.
+      # memory: 768Mi
+      # agent.pod.requests.cpu are the requested CPU units allocation for the agent pods.
+      # cpu: 0.5
+    # limits:
+      # agent.pod.limits.memory set the memory allocation limits in MiB for the agent pods.
+      # memory: 768Mi
+      # agent.pod.limits.cpu sets the CPU units allocation limits for the agent pods.
+      # cpu: 1.5
+
+  # agent.proxyHost sets the INSTANA_AGENT_PROXY_HOST environment variable.
+  # proxyHost: null
+  # agent.proxyPort sets the INSTANA_AGENT_PROXY_PORT environment variable.
+  # proxyPort: 80
+  # agent.proxyProtocol sets the INSTANA_AGENT_PROXY_PROTOCOL environment variable.
+  # proxyProtocol: HTTP
+  # agent.proxyUser sets the INSTANA_AGENT_PROXY_USER environment variable.
+  # proxyUser: null
+  # agent.proxyPassword sets the INSTANA_AGENT_PROXY_PASSWORD environment variable.
+  # proxyPassword: null
+  # agent.proxyUseDNS sets the INSTANA_AGENT_PROXY_USE_DNS environment variable.
+  # proxyUseDNS: false
+
+  # use this to set additional environment variables for the instana agent
+  # for example:
+  # env:
+  #   INSTANA_AGENT_TAGS: dev
+  # env: {}
+
+  configuration_yaml: |
+    # Manual a-priori configuration. Configuration will be only used when the sensor
+    # is actually installed by the agent.
+    # The commented out example values represent example configuration and are not
+    # necessarily defaults. Defaults are usually 'absent' or mentioned separately.
+    # Changes are hot reloaded unless otherwise mentioned.
+
+    # It is possible to create files called 'configuration-abc.yaml' which are
+    # merged with this file in file system order. So 'configuration-cde.yaml' comes
+    # after 'configuration-abc.yaml'. Only nested structures are merged, values are
+    # overwritten by subsequent configurations.
+
+    # Secrets
+    # To filter sensitive data from collection by the agent, all sensors respect
+    # the following secrets configuration. If a key collected by a sensor matches
+    # an entry from the list, the value is redacted.
+    #com.instana.secrets:
+    #  matcher: 'contains-ignore-case' # 'contains-ignore-case', 'contains', 'regex'
+    #  list:
+    #    - 'key'
+    #    - 'password'
+    #    - 'secret'
+
+    # Host
+    #com.instana.plugin.host:
+    #  tags:
+    #    - 'dev'
+    #    - 'app1'
+
+  # agent.redactKubernetesSecrets sets the INSTANA_KUBERNETES_REDACT_SECRETS environment variable.
+  # redactKubernetesSecrets: null
+
+  # agent.host.repository sets a host path to be mounted as the agent maven repository (for debugging or development purposes)
+  host:
+    repository: null
+
+  # agent.serviceMesh.enabled sets the ENABLE_AGENT_SOCKET environment variable.
+  serviceMesh:
+    # enabled: true
+
+cluster:
+  # cluster.name represents the name that will be assigned to this cluster in Instana
+  name: null
+
+# openshift specifies whether the cluster role should include openshift permissions and other tweaks to the YAML.
+# The chart will try to auto-detect if the cluster is OpenShift, so you will likely not even need to set this explicitly.
+# openshift: true
+
+# rbac:
+  # Specifies whether RBAC resources should be created
+  # create: true
+
+# opentelemetry:
+  # enabled: false # legacy setting, will only enable grpc, defaults to false
+  # grpc:
+  #   enabled: true # takes precedence over legacy settings above, defaults to true if "grpc:" is present
+  # http:
+  #   enabled: true # allows to enable http endpoints, defaults to true if "http:" is present
+
+# prometheus:
+#   remoteWrite:
+#     enabled: false # If true, it will also apply `service.create=true`
+
+# serviceAccount:
+  # Specifies whether a ServiceAccount should be created
+  # create: true
+  # The name of the ServiceAccount to use.
+  # If not set and `create` is true, a name is generated using the fullname template
+  # name: instana-agent
+  # Annotations to add to the service account
+  # annotations: {}
+
+# podSecurityPolicy:
+  # Specifies whether a PodSecurityPolicy should be authorized for the Instana Agent pods.
+  # Requires `rbac.create` to be `true` as well and K8s version below v1.25.
+  # enable: false
+  # The name of an existing PodSecurityPolicy you would like to authorize for the Instana Agent pods.
+  # If not set and `enable` is true, a PodSecurityPolicy will be created with a name generated using the fullname template.
+  # name: null
+
+zone:
+  # zone.name is the custom zone that detected technologies will be assigned to
+  name: null
+
+# k8s_sensor:
+#   image:
+    # k8s_sensor.image.name is the name of the container image of the Instana agent.
+    # name: icr.io/instana/k8sensor
+    # k8s_sensor.image.digest is the digest (a.k.a. Image ID) of the agent container image; if specified, it has priority over agent.image.tag, which will be ignored.
+    #digest:
+    # k8s_sensor.image.tag is the tag name of the agent container image; if agent.image.digest is specified, this property is ignored.
+    # tag: latest
+    # k8s_sensor.image.pullPolicy specifies when to pull the image container.
+    # pullPolicy: Always
+  # deployment:
+    # Specifies whether or not to enable the Deployment and turn off the Kubernetes sensor in the DaemonSet
+    # enabled: true
+    # Use three replicas to ensure the HA by the default.
+    # replicas: 3
+    # k8s_sensor.deployment.pod adjusts the resource assignments for the agent independently of the DaemonSet agent when k8s_sensor.deployment.enabled=true
+    # pod:
+      # requests:
+        # k8s_sensor.deployment.pod.requests.memory is the requested memory allocation in MiB for the agent pods.
+        # memory: 128Mi
+        # k8s_sensor.deployment.pod.requests.cpu are the requested CPU units allocation for the agent pods.
+        # cpu: 120m
+      # limits:
+        # k8s_sensor.deployment.pod.limits.memory set the memory allocation limits in MiB for the agent pods.
+        # memory: 2048Mi
+        # k8s_sensor.deployment.pod.limits.cpu sets the CPU units allocation limits for the agent pods.
+        # cpu: 500m
+      # affinity:
+        # podAntiAffinity:
+          # Soft anti-affinity policy: try not to schedule multiple kubernetes-sensor pods on the same node.
+          # If the policy is set to "requiredDuringSchedulingIgnoredDuringExecution", if the cluster has
+          # fewer nodes than the amount of desired replicas, `helm install/upgrade --wait` will not return.
+          # preferredDuringSchedulingIgnoredDuringExecution:
+          # - weight: 100
+          #   podAffinityTerm:
+          #     labelSelector:
+          #       matchExpressions:
+          #       - key: instana/agent-mode
+          #         operator: In
+          #         values: [ KUBERNETES ]
+          #     topologyKey: "kubernetes.io/hostname"
+    # The minimum number of seconds for which a newly created Pod should be ready without any of its containers crashing, for it to be considered available
+  #   minReadySeconds: 0
+  # podDisruptionBudget:
+    # Specifies whether or not to setup a pod disruption budget for the k8sensor deployment
+    # enabled: false
+
+# zones:
+#  # Configure use of zones to use tolerations as the basis to associate a specific daemonset per tainted node pool
+#  - name: pool-01
+#    tolerations:
+#    - key: "pool"
+#      operator: "Equal"
+#      value: "pool-01"
+#      effect: "NoExecute"
+#  - name: pool-02
+#    tolerations:
+#    - key: "pool"
+#      operator: "Equal"
+#      value: "pool-02"
+#      effect: "NoExecute"