Added chart versions:

dynatrace/dynatrace-operator:
    - 1.2.2
  haproxy/haproxy:
    - 1.41.0
  jfrog/artifactory-ha:
    - 107.90.7
  jfrog/artifactory-jcr:
    - 107.90.7
  mongodb/community-operator:
    - 0.11.0
  redpanda/redpanda:
    - 5.8.15

charts/dynatrace/dynatrace-operator/1.2.2/.helmignore

@@ -0,0 +1,25 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
+
+tests/

charts/dynatrace/dynatrace-operator/1.2.2/Chart.yaml

@@ -0,0 +1,23 @@
+annotations:
+  catalog.cattle.io/certified: partner
+  catalog.cattle.io/display-name: Dynatrace Operator
+  catalog.cattle.io/kube-version: '>=1.19.0-0'
+  catalog.cattle.io/release-name: dynatrace-operator
+apiVersion: v2
+appVersion: 1.2.2
+description: The Dynatrace Operator Helm chart for Kubernetes and OpenShift
+home: https://www.dynatrace.com/
+icon: file://assets/icons/dynatrace-operator.png
+kubeVersion: '>=1.19.0-0'
+maintainers:
+- email: marcell.sevcsik@dynatrace.com
+  name: 0sewa0
+- email: christoph.muellner@dynatrace.com
+  name: chrismuellner
+- email: lukas.hinterreiter@dynatrace.com
+  name: luhi-DT
+name: dynatrace-operator
+sources:
+- https://github.com/Dynatrace/dynatrace-operator
+type: application
+version: 1.2.2

charts/dynatrace/dynatrace-operator/1.2.2/README.md

@@ -0,0 +1,48 @@
+# Dynatrace Operator Helm Chart
+
+The Dynatrace Operator supports rollout and lifecycle of various Dynatrace components in Kubernetes and OpenShift.
+
+This Helm Chart requires Helm 3.
+
+## Quick Start
+
+Migration instructions can be found in the [official help page](https://www.dynatrace.com/support/help/shortlink/k8s-dto-helm#migrate).
+
+Install the Dynatrace Operator via Helm by running the following commands.
+
+### Installation
+
+> For instructions on how to install the dynatrace-operator on Openshift, head to the
+> [official help page](https://www.dynatrace.com/support/help/shortlink/k8s-helm)
+
+#### For versions older than 0.15.0
+
+Add `dynatrace` helm repository:
+
+```console
+helm repo add dynatrace https://raw.githubusercontent.com/Dynatrace/dynatrace-operator/main/config/helm/repos/stable
+```
+
+Install `dynatrace-operator` helm chart and create the corresponding `dynatrace` namespace:
+
+```console
+helm install dynatrace-operator dynatrace/dynatrace-operator -n dynatrace --create-namespace --atomic
+```
+
+#### For versions 0.15.0 and after
+
+Install `dynatrace-operator` helm chart using the OCI repository and create the corresponding `dynatrace` namespace:
+
+```console
+helm install dynatrace-operator oci://public.ecr.aws/dynatrace/dynatrace-operator  -n dynatrace --create-namespace --atomic
+```
+
+## Uninstall chart
+
+> Full instructions can be found in the [official help page](https://www.dynatrace.com/support/help/shortlink/k8s-helm#uninstall-dynatrace-operator)
+
+Uninstall the Dynatrace Operator by running the following command:
+
+```console
+helm uninstall dynatrace-operator -n dynatrace
+```

charts/dynatrace/dynatrace-operator/1.2.2/app-readme.md

@@ -0,0 +1,5 @@
+# Dynatrace Operator
+
+The Dynatrace Operator supports rollout and lifecycle of various Dynatrace components in Kubernetes and OpenShift.
+
+As of launch, the Dynatrace Operator can be used to deploy a containerized ActiveGate for Kubernetes API monitoring. New capabilities will be added to the Dynatrace Operator over time including metric routing, and API monitoring for AWS, Azure, GCP, and vSphere.

charts/dynatrace/dynatrace-operator/1.2.2/questions.yml

@@ -0,0 +1,236 @@
+categories:
+  - APM
+  - Monitoring
+questions:
+
+  #################### Global Configuration ####################
+  - variable: installCRD
+    label: "Install Custom Resource Definitions"
+    description: "Installs the Custom Resource Definitions for the Dynakube. This is recommended if you haven't installed it manually yet. Default: true"
+    default: true
+    type: boolean
+    group: "Global Configuration"
+
+  - variable: image
+    label: "Set a custom image for operator components"
+    description: "Set a custom image for operator. Defaults to public.ecr.aws/dynatrace/dynatrace-operator"
+    default: ""
+    type: string
+    group: "Global Configuration"
+
+  - variable: customPullSecret
+    label: "Set a custom pull secret for operator image"
+    description: "Set a custom pull secret for the operator image"
+    default: ""
+    type: string
+    group: "Global Configuration"
+
+  #################### Operator Deployment Configuration ####################
+  - variable: operator.nodeSelector
+    label: "Assign the Dynatrace Operator's pod to certain nodes"
+    description: "Defines a NodeSelector to customize to which nodes the Dynatrace Operator can be deployed on - Please edit as Yaml for the best experience - see https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector"
+    default: ""
+    type: string
+    group: "Operator Deployment Configuration"
+
+  - variable: operator.tolerations
+    label: "Custom tolerations for the Dynatrace Operator's pod"
+    description: "Defines custom tolerations to the Dynatrace Operator - Please edit as Yaml for the best experience - see https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/"
+    default: ""
+    type: string
+    group: "Operator Deployment Configuration"
+
+  - variable: operator.apparmor
+    label: "Enable AppArmor for the Dynatrace Operator's pod"
+    description: "Adds AppArmor security annotations to the Dynatrace Operator's pod. Default: false"
+    default: false
+    type: boolean
+    group: "Operator Deployment Configuration"
+
+  - variable: operator.requests.cpu
+    label: "CPU resource requests settings for Dynatrace Operator's pods"
+    description: "The minimum amount of CPU resources that the Dynatrace Operator's pods should request. Affects scheduling. Default: 50m"
+    default: "50m"
+    type: string
+    group: "Operator Deployment Configuration"
+
+  - variable: operator.requests.memory
+    label: "Memory resource requests settings for Dynatrace Operator's pods"
+    description: "The minimum amount of memory that the Dynatrace Operator's pods should request. Affects scheduling. Default: 64Mi"
+    default: "64Mi"
+    type: string
+    group: "Operator Deployment Configuration"
+
+  - variable: operator.limits.cpu
+    label: "CPU resource limits settings for Dynatrace Operator's pods"
+    description: "The maximum amount of CPU resources that the Dynatrace Operator's pods can use. Default: 100m"
+    default: "100m"
+    type: string
+    group: "Operator Deployment Configuration"
+
+  - variable: operator.limits.memory
+    label: "Memory resource limits settings for Dynatrace Operator's pods"
+    description: "The maximum amount of memory that the Dynatrace Operator's pods can use. Pod restarted if exceeded. Default: 128Mi"
+    default: "128Mi"
+    type: string
+    group: "Operator Deployment Configuration"
+
+
+  #################### Webhook Deployment Configuration ####################
+
+  - variable: webhook.apparmor
+    label: "Enable AppArmor for the Dynatrace Webhook's pod"
+    description: "Adds AppArmor security annotations to the Dynatrace Webhook's pod. Default: false"
+    default: false
+    type: boolean
+    group: "Webhook Deployment Configuration"
+
+  - variable: webhook.highAvailability
+    label: "Enable high availability for the Dynatrace Webhook's pod"
+    description: "Adds topologySpreadConstraints and increases the replicas to 2 for the Dynatrace Webhook's pod. Default: false"
+    default: false
+    type: boolean
+    group: "Webhook Deployment Configuration"
+
+  - variable: webhook.hostNetwork
+    label: "Enable hostNetwork for the Dynatrace Webhook's pod"
+    description: "Enables hostNetwork for the Dynatrace Webhook's pod. Default: false"
+    default: false
+    type: boolean
+    group: "Webhook Deployment Configuration"
+
+  - variable: webhook.requests.cpu
+    label: "CPU resource requests settings for Dynatrace Webhook's pods"
+    description: "The minimum amount of CPU resources that the Dynatrace Webhook's pods should request. Affects scheduling. Default: 300m"
+    default: "300m"
+    type: string
+    group: "Webhook Deployment Configuration"
+
+  - variable: webhook.requests.memory
+    label: "Memory resource requests settings for Dynatrace Webhook's pods"
+    description: "The minimum amount of memory that the Dynatrace Webhook's pods should request. Affects scheduling. Default: 128Mi"
+    default: "128Mi"
+    type: string
+    group: "Webhook Deployment Configuration"
+
+  - variable: webhook.limits.cpu
+    label: "CPU resource limits settings for Dynatrace Webhook's pods"
+    description: "The maximum amount of CPU resources that the Dynatrace Webhook's pods can use. Default: 300m"
+    default: "300m"
+    type: string
+    group: "Webhook Deployment Configuration"
+
+  - variable: webhook.limits.memory
+    label: "Memory resource limits settings for Dynatrace Webhook's pods"
+    description: "The maximum amount of memory that the Dynatrace Webhook's pods can use. Pod restarted if exceeded. Default: 128Mi"
+    default: "128Mi"
+    type: string
+    group: "Webhook Deployment Configuration"
+
+
+  #################### CSI Driver Deployment Configuration ####################
+
+  - variable: csidriver.enabled
+    label: "Deploy the Dynatrace CSI Driver"
+    description: "Deploys the Dynatrace CSI Driver via a DaemonSet to enable Cloud Native FullStack. Default: false"
+    default: false
+    type: boolean
+    group: "CSI Driver Deployment Configuration"
+
+  - variable: csidriver.server.requests.cpu
+    label: "CPU resource requests settings for Dynatrace CSI Driver's server container"
+    description: "The minimum amount of CPU resources that the Dynatrace CSI Driver's server container should request. Affects scheduling. Default: 50m"
+    default: "50m"
+    type: string
+    group: "CSI Driver Deployment Configuration"
+
+  - variable: csidriver.server.requests.memory
+    label: "Memory resource requests settings for Dynatrace CSI Driver's server container"
+    description: "The minimum amount of memory that the Dynatrace CSI Driver's server container should request. Affects scheduling. Default: 100Mi"
+    default: "100Mi"
+    type: string
+    group: "CSI Driver Deployment Configuration"
+
+  - variable: csidriver.server.limits.cpu
+    label: "CPU resource limits settings for Dynatrace CSI Driver's server container"
+    description: "The maximum amount of CPU resources that the Dynatrace CSI Driver's server container can use. Default: 50m"
+    default: "50m"
+    type: string
+    group: "CSI Driver Deployment Configuration"
+
+  - variable: csidriver.server.limits.memory
+    label: "Memory resource limits settings for Dynatrace CSI Driver's server container"
+    description: "The maximum amount of memory that the Dynatrace CSI Driver's server container can use. Pod restarted if exceeded. Default: 100Mi"
+    default: "100Mi"
+    type: string
+    group: "CSI Driver Deployment Configuration"
+
+  - variable: csidriver.provisioner.requests.cpu
+    label: "CPU resource requests settings for Dynatrace CSI Driver's provisioner container"
+    description: "The minimum amount of CPU resources that the Dynatrace CSI Driver's provisioner container should request. Affects scheduling. Default: 300m"
+    default: "300m"
+    type: string
+    group: "CSI Driver Deployment Configuration"
+
+  - variable: csidriver.provisioner.requests.memory
+    label: "Memory resource requests settings for Dynatrace CSI Driver's provisioner container"
+    description: "The minimum amount of memory that the Dynatrace CSI Driver's provisioner container should request. Affects scheduling. Default: 100Mi"
+    default: "100Mi"
+    type: string
+    group: "CSI Driver Deployment Configuration"
+
+  - variable: csidriver.registrar.requests.cpu
+    label: "CPU resource requests settings for Dynatrace CSI Driver's registrar container"
+    description: "The minimum amount of CPU resources that the Dynatrace CSI Driver's registrar container should request. Affects scheduling. Default: 20m"
+    default: "20m"
+    type: string
+    group: "CSI Driver Deployment Configuration"
+
+  - variable: csidriver.registrar.requests.memory
+    label: "Memory resource requests settings for Dynatrace CSI Driver's registrar container"
+    description: "The minimum amount of memory that the Dynatrace CSI Driver's registrar container should request. Affects scheduling. Default: 30Mi"
+    default: "30Mi"
+    type: string
+    group: "CSI Driver Deployment Configuration"
+
+  - variable: csidriver.registrar.limits.cpu
+    label: "CPU resource limits settings for Dynatrace CSI Driver's registrar container"
+    description: "The maximum amount of CPU resources that the Dynatrace CSI Driver's registrar container can use. Default: 20m"
+    default: "20m"
+    type: string
+    group: "CSI Driver Deployment Configuration"
+
+  - variable: csidriver.registrar.limits.memory
+    label: "Memory resource limits settings for Dynatrace CSI Driver's registrar container"
+    description: "The maximum amount of memory that the Dynatrace CSI Driver's registrar container can use. Pod restarted if exceeded. Default: 30Mi"
+    default: "30Mi"
+    type: string
+    group: "CSI Driver Deployment Configuration"
+
+  - variable: csidriver.livenessprobe.requests.cpu
+    label: "CPU resource requests settings for Dynatrace CSI Driver's livenessprobe container"
+    description: "The minimum amount of CPU resources that the Dynatrace CSI Driver's livenessprobe container should request. Affects scheduling. Default: 20m"
+    default: "20m"
+    type: string
+    group: "CSI Driver Deployment Configuration"
+
+  - variable: csidriver.livenessprobe.requests.memory
+    label: "Memory resource requests settings for Dynatrace CSI Driver's livenessprobe container"
+    description: "The minimum amount of memory that the Dynatrace CSI Driver's livenessprobe container should request. Affects scheduling. Default: 30Mi"
+    default: "30Mi"
+    type: string
+    group: "CSI Driver Deployment Configuration"
+
+  - variable: csidriver.livenessprobe.limits.cpu
+    label: "CPU resource limits settings for Dynatrace CSI Driver's livenessprobe container"
+    description: "The maximum amount of CPU resources that the Dynatrace CSI Driver's livenessprobe container can use. Default: 20m"
+    default: "20m"
+    type: string
+    group: "CSI Driver Deployment Configuration"
+
+  - variable: csidriver.livenessprobe.limits.memory
+    label: "Memory resource limits settings for Dynatrace CSI Driver's livenessprobe container"
+    description: "The maximum amount of memory that the Dynatrace CSI Driver's livenessprobe container can use. Pod restarted if exceeded. Default: 30Mi"
+    default: "30Mi"
+    type: string
+    group: "CSI Driver Deployment Configuration"

charts/dynatrace/dynatrace-operator/1.2.2/templates/Common/activegate/clusterrole-activegate.yaml

@@ -0,0 +1,48 @@
+{{- include "dynatrace-operator.platformRequired" . }}
+{{- if (eq (include "dynatrace-operator.openshiftOrOlm" .) "true") }}
+
+# Copyright 2021 Dynatrace LLC
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+
+#     http://www.apache.org/licenses/LICENSE-2.0
+
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: dynatrace-activegate
+  labels:
+  {{- include "dynatrace-operator.activegateLabels" . | nindent 4 }}
+rules:
+  - apiGroups:
+      - security.openshift.io
+    resourceNames:
+      - privileged
+      - nonroot-v2
+    resources:
+      - securitycontextconstraints
+    verbs:
+      - use
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: dynatrace-activegate
+  labels:
+    {{- include "dynatrace-operator.activegateLabels" . | nindent 4 }}
+subjects:
+  - kind: ServiceAccount
+    name: dynatrace-activegate
+    namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: ClusterRole
+  name: dynatrace-activegate
+  apiGroup: rbac.authorization.k8s.io
+{{- end -}}

charts/dynatrace/dynatrace-operator/1.2.2/templates/Common/activegate/serviceaccount-activegate.yaml

@@ -0,0 +1,23 @@
+{{- include "dynatrace-operator.platformRequired" . }}
+{{ if eq (include "dynatrace-operator.partial" .) "false" }}
+# Copyright 2021 Dynatrace LLC
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+
+#     http://www.apache.org/licenses/LICENSE-2.0
+
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: dynatrace-activegate
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "dynatrace-operator.activegateLabels" . | nindent 4 }}
+{{ end }}

charts/dynatrace/dynatrace-operator/1.2.2/templates/Common/csi/clusterrole-csi.yaml

@@ -0,0 +1,90 @@
+{{- include "dynatrace-operator.platformRequired" . }}
+{{ if eq (include "dynatrace-operator.needCSI" .) "true" }}
+# Copyright 2021 Dynatrace LLC
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+
+#     http://www.apache.org/licenses/LICENSE-2.0
+
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: dynatrace-oneagent-csi-driver
+  labels:
+    {{- include "dynatrace-operator.csiLabels" . | nindent 4 }}
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - namespaces
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - ""
+    resources:
+      - events
+    verbs:
+      - list
+      - watch
+      - create
+      - update
+      - patch
+  - apiGroups:
+      - storage.k8s.io
+    resources:
+      - csinodes
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - ""
+    resources:
+      - nodes
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - ""
+    resources:
+      - pods
+    verbs:
+      - get
+      - list
+      - watch
+  {{- if (eq (include "dynatrace-operator.platform" .) "openshift") }}
+  - apiGroups:
+      - security.openshift.io
+    resourceNames:
+      - privileged
+    resources:
+      - securitycontextconstraints
+    verbs:
+      - use
+  {{ end }}
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: dynatrace-oneagent-csi-driver
+  labels:
+    {{- include "dynatrace-operator.csiLabels" . | nindent 4 }}
+subjects:
+  - kind: ServiceAccount
+    name: dynatrace-oneagent-csi-driver
+    namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: ClusterRole
+  name: dynatrace-oneagent-csi-driver
+  apiGroup: rbac.authorization.k8s.io
+{{- end -}}

charts/dynatrace/dynatrace-operator/1.2.2/templates/Common/csi/csidriver.yaml

@@ -0,0 +1,30 @@
+{{- include "dynatrace-operator.platformRequired" . }}
+{{ if eq (include "dynatrace-operator.needCSI" .) "true" }}
+# Copyright 2021 Dynatrace LLC
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+
+#     http://www.apache.org/licenses/LICENSE-2.0
+
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+apiVersion: storage.k8s.io/v1
+kind: CSIDriver
+metadata:
+  name: csi.oneagent.dynatrace.com
+  labels:
+    {{- if eq (include "dynatrace-operator.platform" .) "openshift" }}
+    security.openshift.io/csi-ephemeral-volume-profile: "restricted"
+    {{- end }}
+    {{- include "dynatrace-operator.csiLabels" . | nindent 4 }}
+spec:
+  attachRequired: false
+  podInfoOnMount: true
+  volumeLifecycleModes:
+    - Ephemeral
+{{- end -}}

charts/dynatrace/dynatrace-operator/1.2.2/templates/Common/csi/daemonset.yaml

@@ -0,0 +1,278 @@
+{{- include "dynatrace-operator.platformRequired" . }}
+{{ if eq (include "dynatrace-operator.needCSI" .) "true" }}
+# Copyright 2021 Dynatrace LLC
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+
+#     http://www.apache.org/licenses/LICENSE-2.0
+
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  labels:
+      {{- include "dynatrace-operator.csiLabels" . | nindent 4 }}
+  {{- if .Values.csidriver.labels }}
+      {{- toYaml .Values.csidriver.labels | nindent 4 }}
+  {{- end}}
+  name: dynatrace-oneagent-csi-driver
+  namespace: {{ .Release.Namespace }}
+spec:
+  revisionHistoryLimit: 10
+  selector:
+    matchLabels:
+      {{- include "dynatrace-operator.csiSelectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      annotations:
+        dynatrace.com/inject: "false"
+        kubectl.kubernetes.io/default-container: provisioner
+        cluster-autoscaler.kubernetes.io/enable-ds-eviction: "false"
+        {{- if and (eq (default false .Values.apparmor) true) (ne (include "dynatrace-operator.platform" .) "openshift") }}
+        container.apparmor.security.beta.kubernetes.io/csi-init: runtime/default
+        container.apparmor.security.beta.kubernetes.io/server: runtime/default
+        container.apparmor.security.beta.kubernetes.io/provisioner: runtime/default
+        container.apparmor.security.beta.kubernetes.io/registrar: runtime/default
+        container.apparmor.security.beta.kubernetes.io/liveness-probe: runtime/default
+        {{- end}}
+        {{- if .Values.csidriver.annotations }}
+        {{- toYaml .Values.csidriver.annotations | nindent 8 }}
+        {{- end }}
+      labels:
+        {{- include "dynatrace-operator.csiLabels" . | nindent 8 }}
+        {{- include "dynatrace-operator.csiSelectorLabels" . | nindent 8 }}
+        {{- if .Values.csidriver.labels }}
+        {{- toYaml .Values.csidriver.labels | nindent 8 }}
+        {{- end }}
+    spec:
+      initContainers:
+      - name: csi-init
+        image: {{ include "dynatrace-operator.image" . }}
+        imagePullPolicy: Always
+        args:
+        - csi-init
+        terminationMessagePath: /dev/termination-log
+        terminationMessagePolicy: File
+        resources:
+          {{- if .Values.csidriver.csiInit.resources }}
+          {{- toYaml .Values.csidriver.csiInit.resources | nindent 10 }}
+          {{- end }}
+        securityContext:
+        {{- toYaml .Values.csidriver.csiInit.securityContext| nindent 10 }}
+        volumeMounts:
+        - mountPath: /data
+          name: data-dir
+      containers:
+        # Used to receive/execute gRPC requests (NodePublishVolume/NodeUnpublishVolume) from kubelet to mount/unmount volumes for a pod
+        # - Needs access to the csi socket, needs to read/write to it, needs root permissions to do so.
+        # - Needs access to the filesystem of pods on the node, and mount stuff to it,needs to read/write to it, needs root permissions to do so
+        # - Needs access to a dedicated folder on the node to persist data, needs to read/write to it.
+      - name: server
+        image: {{ include "dynatrace-operator.image" . }}
+        imagePullPolicy: Always
+        args:
+        - csi-server
+        - --endpoint=unix://csi/csi.sock
+        - --node-id=$(KUBE_NODE_NAME)
+        - --health-probe-bind-address=:10080
+        env:
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              apiVersion: v1
+              fieldPath: metadata.namespace
+        - name: KUBE_NODE_NAME
+          valueFrom:
+            fieldRef:
+              apiVersion: v1
+              fieldPath: spec.nodeName
+        livenessProbe:
+          failureThreshold: 3
+          httpGet:
+            path: /livez
+            port: livez
+            scheme: HTTP
+          initialDelaySeconds: 5
+          periodSeconds: 5
+          successThreshold: 1
+          timeoutSeconds: 1
+        ports:
+        - containerPort: 10080
+          name: livez
+          protocol: TCP
+        resources:
+          {{- if .Values.csidriver.server.resources }}
+          {{- toYaml .Values.csidriver.server.resources | nindent 10 }}
+          {{- end }}
+        securityContext:
+        {{- toYaml .Values.csidriver.server.securityContext | nindent 10 }}
+        terminationMessagePath: /dev/termination-log
+        terminationMessagePolicy: File
+        volumeMounts:
+        - mountPath: /csi
+          name: plugin-dir
+        - mountPath: {{ include "dynatrace-operator.CSIMountPointDir" . }}
+          mountPropagation: Bidirectional
+          name: mountpoint-dir
+        - mountPath: /data
+          name: data-dir
+          mountPropagation: Bidirectional
+        - name: tmp-dir
+          mountPath: /tmp
+      - name: provisioner
+        image: {{ include "dynatrace-operator.image" . }}
+        imagePullPolicy: Always
+        args:
+          - csi-provisioner
+          - --health-probe-bind-address=:10090
+        env:
+          - name: POD_NAMESPACE
+            valueFrom:
+              fieldRef:
+                apiVersion: v1
+                fieldPath: metadata.namespace
+          {{- if .Values.csidriver.maxUnmountedVolumeAge }}
+          - name: MAX_UNMOUNTED_VOLUME_AGE
+            value: "{{ .Values.csidriver.maxUnmountedVolumeAge}}"
+          {{- end }}
+        {{- include "dynatrace-operator.startupProbe" . | nindent 8 }}
+        livenessProbe:
+          failureThreshold: 3
+          httpGet:
+            path: /livez
+            port: livez
+            scheme: HTTP
+          initialDelaySeconds: 5
+          periodSeconds: 5
+          successThreshold: 1
+          timeoutSeconds: 1
+        ports:
+          - containerPort: 10090
+            name: livez
+            protocol: TCP
+        resources:
+          {{- if .Values.csidriver.provisioner.resources }}
+          {{- toYaml .Values.csidriver.provisioner.resources | nindent 10 }}
+          {{- end }}
+        securityContext:
+        {{- toYaml .Values.csidriver.provisioner.securityContext | nindent 10 }}
+        terminationMessagePath: /dev/termination-log
+        terminationMessagePolicy: File
+        volumeMounts:
+          - mountPath: /data
+            name: data-dir
+            mountPropagation: Bidirectional
+          - mountPath: /tmp
+            name: tmp-dir
+
+        # Used to make a gRPC request (GetPluginInfo()) to the driver to get driver name and driver contain
+        # - Needs access to the csi socket, needs to read/write to it, needs root permissions to do so.
+        # Used for registering the driver with kubelet
+        # - Needs access to the registration socket, needs to read/write to it, needs root permissions to do so.
+      - name: registrar
+        image: {{ include "dynatrace-operator.image" . }}
+        imagePullPolicy: Always
+        env:
+        - name: DRIVER_REG_SOCK_PATH
+          value: {{ include "dynatrace-operator.CSISocketPath" . }}
+        args:
+        - --csi-address=/csi/csi.sock
+        - --kubelet-registration-path=$(DRIVER_REG_SOCK_PATH)
+        command:
+        - csi-node-driver-registrar
+        resources:
+          {{- if .Values.csidriver.registrar.resources }}
+          {{- toYaml .Values.csidriver.registrar.resources | nindent 10 }}
+          {{- end }}
+        securityContext:
+        {{- toYaml .Values.csidriver.registrar.securityContext | nindent 10 }}
+        terminationMessagePath: /dev/termination-log
+        terminationMessagePolicy: File
+        volumeMounts:
+        - mountPath: /csi
+          name: plugin-dir
+        - mountPath: /registration
+          name: registration-dir
+        - mountPath: {{ include "dynatrace-operator.CSIPluginDir" . }}
+          name: lockfile-dir
+        # Used to make a gRPC request (Probe()) to the driver to check if its running
+        # - Needs access to the csi socket, needs to read/write to it, needs root permissions to do so.
+      - name: liveness-probe
+        image: {{ include "dynatrace-operator.image" . }}
+        imagePullPolicy: Always
+        args:
+        - --csi-address=/csi/csi.sock
+        - --health-port=9898
+        command:
+        - livenessprobe
+        resources:
+          {{- if .Values.csidriver.livenessprobe.resources }}
+          {{- toYaml .Values.csidriver.livenessprobe.resources | nindent 10 }}
+          {{- end }}
+        terminationMessagePath: /dev/termination-log
+        terminationMessagePolicy: File
+        securityContext:
+        {{- toYaml .Values.csidriver.livenessprobe.securityContext| nindent 10 }}
+        volumeMounts:
+        - mountPath: /csi
+          name: plugin-dir
+      dnsPolicy: ClusterFirst
+      restartPolicy: Always
+      schedulerName: default-scheduler
+      securityContext: {}
+      serviceAccountName: dynatrace-oneagent-csi-driver
+      terminationGracePeriodSeconds: 30
+      priorityClassName: {{ include "dynatrace-operator.CSIPriorityClassName" . }}
+      volumes:
+      # This volume is where the registrar registers the plugin with kubelet
+      - name: registration-dir
+        hostPath:
+          path: {{ include "dynatrace-operator.CSIRegistrationDir" . }}
+          type: Directory
+        # This volume is where the socket for kubelet->driver communication is done
+      - name: plugin-dir
+        hostPath:
+          path: {{ include "dynatrace-operator.CSIPluginDir" . }}
+          type: DirectoryOrCreate
+      - name: data-dir
+        hostPath:
+          path: {{ include "dynatrace-operator.CSIDataDir" . }}
+          type: DirectoryOrCreate
+        # This volume is where the driver mounts volumes
+      - name: mountpoint-dir
+        hostPath:
+          path: {{ include "dynatrace-operator.CSIMountPointDir" . }}
+          type: DirectoryOrCreate
+        # Used by the registrar to create its lockfile
+      - name: lockfile-dir
+        emptyDir: {}
+        # A volume for the driver to write temporary files to
+      - name: tmp-dir
+        emptyDir: {}
+      {{- if .Values.customPullSecret }}
+      imagePullSecrets:
+        - name: {{ .Values.customPullSecret }}
+      {{- end }}
+      {{- if .Values.csidriver.nodeSelector }}
+      nodeSelector: {{- toYaml .Values.csidriver.nodeSelector | nindent 8 }}
+      {{- end }}
+      {{- include "dynatrace-operator.nodeAffinity" . | nindent 6 }}
+      tolerations:
+        {{- if .Values.csidriver.tolerations }}
+        {{- toYaml .Values.csidriver.tolerations | nindent 8 }}
+        {{- end }}
+        {{- include "dynatrace-operator.defaultTolerations" . | nindent 8 }}
+        - key: ToBeDeletedByClusterAutoscaler
+          operator: Exists
+          effect: NoSchedule
+  updateStrategy:
+    rollingUpdate:
+      maxUnavailable: 1
+    type: RollingUpdate
+{{- end -}}

charts/dynatrace/dynatrace-operator/1.2.2/templates/Common/csi/priority-class.yaml

@@ -0,0 +1,24 @@
+{{- include "dynatrace-operator.platformRequired" . }}
+{{ if (eq (include "dynatrace-operator.needPriorityClass" .) "true") }}
+
+# Copyright 2021 Dynatrace LLC
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+
+#     http://www.apache.org/licenses/LICENSE-2.0
+
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+kind: PriorityClass
+apiVersion: scheduling.k8s.io/v1
+metadata:
+  name: dynatrace-high-priority
+value: {{ default 1000000 (int (.Values.csidriver).priorityClassValue) }}
+globalDefault: false
+description: "This priority class is used for Dynatrace Components in order to make sure they are not evicted in favor of other pods"
+{{- end -}}

charts/dynatrace/dynatrace-operator/1.2.2/templates/Common/csi/role-csi.yaml

@@ -0,0 +1,86 @@
+{{- include "dynatrace-operator.platformRequired" . }}
+{{ if eq (include "dynatrace-operator.needCSI" .) "true" }}
+# Copyright 2021 Dynatrace LLC
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+
+#     http://www.apache.org/licenses/LICENSE-2.0
+
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: dynatrace-oneagent-csi-driver
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "dynatrace-operator.csiLabels" . | nindent 4 }}
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - endpoints
+    verbs:
+      - get
+      - watch
+      - list
+      - delete
+      - update
+      - create
+  - apiGroups:
+      - coordination.k8s.io
+    resources:
+      - leases
+    verbs:
+      - get
+      - watch
+      - list
+      - delete
+      - update
+      - create
+  - apiGroups:
+      - dynatrace.com
+    resources:
+      - dynakubes
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - ""
+    resources:
+      - configmaps
+    verbs:
+      - get
+      - list
+      - watch
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: dynatrace-oneagent-csi-driver
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "dynatrace-operator.csiLabels" . | nindent 4 }}
+subjects:
+  - kind: ServiceAccount
+    name: dynatrace-oneagent-csi-driver
+    namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: Role
+  name: dynatrace-oneagent-csi-driver
+  apiGroup: rbac.authorization.k8s.io
+{{- end -}}

charts/dynatrace/dynatrace-operator/1.2.2/templates/Common/csi/serviceaccount-csi.yaml

@@ -0,0 +1,23 @@
+{{- include "dynatrace-operator.platformRequired" . }}
+{{ if eq (include "dynatrace-operator.needCSI" .) "true" }}
+# Copyright 2021 Dynatrace LLC
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+
+#     http://www.apache.org/licenses/LICENSE-2.0
+
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: dynatrace-oneagent-csi-driver
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "dynatrace-operator.csiLabels" . | nindent 4 }}
+{{- end -}}

charts/dynatrace/dynatrace-operator/1.2.2/templates/Common/edge-connect/serviceaccount-operator.yaml

@@ -0,0 +1,23 @@
+{{- include "dynatrace-operator.platformRequired" . }}
+{{ if eq (include "dynatrace-operator.partial" .) "false" }}
+# Copyright 2021 Dynatrace LLC
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+
+#     http://www.apache.org/licenses/LICENSE-2.0
+
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: dynatrace-edgeconnect
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "dynatrace-operator.operatorLabels" . | nindent 4 }}
+{{ end }}

charts/dynatrace/dynatrace-operator/1.2.2/templates/Common/kubernetes-monitoring/clusterrole-kubernetes-monitoring.yaml

@@ -0,0 +1,117 @@
+{{- include "dynatrace-operator.platformRequired" . }}
+{{ if eq (include "dynatrace-operator.partial" .) "false" }}
+# Copyright 2021 Dynatrace LLC
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+
+#     http://www.apache.org/licenses/LICENSE-2.0
+
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: dynatrace-kubernetes-monitoring
+  labels:
+    {{- include "dynatrace-operator.activegateLabels" . | nindent 4 }}
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - nodes
+      - pods
+      - namespaces
+      - replicationcontrollers
+      - events
+      - resourcequotas
+      - pods/proxy
+      - nodes/proxy
+      - nodes/metrics
+      - services
+    verbs:
+      - list
+      - watch
+      - get
+  - apiGroups:
+      - batch
+    resources:
+      - jobs
+      - cronjobs
+    verbs:
+      - list
+      - watch
+      - get
+  - apiGroups:
+      - apps
+    resources:
+      - deployments
+      - replicasets
+      - statefulsets
+      - daemonsets
+    verbs:
+      - list
+      - watch
+      - get
+  - apiGroups:
+      - apps.openshift.io
+    resources:
+      - deploymentconfigs
+    verbs:
+      - list
+      - watch
+      - get
+  - apiGroups:
+      - config.openshift.io
+    resources:
+      - clusterversions
+    verbs:
+      - list
+      - watch
+      - get
+  - apiGroups:
+      - dynatrace.com
+    resources:
+      - dynakubes
+    verbs:
+      - list
+      - watch
+      - get
+  - nonResourceURLs:
+      - /metrics
+      - /version
+      - /readyz
+      - /livez
+    verbs:
+      - get
+  {{- if (eq (include "dynatrace-operator.openshiftOrOlm" .) "true") }}
+  - apiGroups:
+      - security.openshift.io
+    resourceNames:
+      - privileged
+      - nonroot-v2
+    resources:
+      - securitycontextconstraints
+    verbs:
+      - use
+  {{ end }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: dynatrace-kubernetes-monitoring
+  labels:
+    {{- include "dynatrace-operator.activegateLabels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: dynatrace-kubernetes-monitoring
+subjects:
+  - kind: ServiceAccount
+    name: dynatrace-kubernetes-monitoring
+    namespace: {{ .Release.Namespace }}
+{{ end }}

charts/dynatrace/dynatrace-operator/1.2.2/templates/Common/kubernetes-monitoring/serviceaccount-kubernetes-monitoring.yaml

@@ -0,0 +1,23 @@
+{{- include "dynatrace-operator.platformRequired" . }}
+{{ if eq (include "dynatrace-operator.partial" .) "false" }}
+# Copyright 2021 Dynatrace LLC
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+
+#     http://www.apache.org/licenses/LICENSE-2.0
+
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: dynatrace-kubernetes-monitoring
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "dynatrace-operator.activegateLabels" . | nindent 4 }}
+{{ end }}

charts/dynatrace/dynatrace-operator/1.2.2/templates/Common/oneagent/clusterrole-oneagent.yaml

@@ -0,0 +1,46 @@
+{{- include "dynatrace-operator.platformRequired" . }}
+{{- if (eq (include "dynatrace-operator.openshiftOrOlm" .) "true") }}
+# Copyright 2021 Dynatrace LLC
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+
+#     http://www.apache.org/licenses/LICENSE-2.0
+
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: dynatrace-dynakube-oneagent
+  labels:
+    {{- include "dynatrace-operator.oneagentLabels" . | nindent 4 }}
+rules:
+  - apiGroups:
+      - security.openshift.io
+    resourceNames:
+      - privileged
+    resources:
+      - securitycontextconstraints
+    verbs:
+      - use
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: dynatrace-dynakube-oneagent
+  labels:
+    {{- include "dynatrace-operator.oneagentLabels" . | nindent 4 }}
+subjects:
+  - kind: ServiceAccount
+    name: dynatrace-dynakube-oneagent
+    namespace: {{ .Release.Namespace }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: dynatrace-dynakube-oneagent
+{{ end }}

charts/dynatrace/dynatrace-operator/1.2.2/templates/Common/oneagent/serviceaccount-oneagent.yaml

@@ -0,0 +1,24 @@
+{{- include "dynatrace-operator.platformRequired" . }}
+{{ if eq (include "dynatrace-operator.partial" .) "false" }}
+# Copyright 2021 Dynatrace LLC
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+
+#     http://www.apache.org/licenses/LICENSE-2.0
+
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: dynatrace-dynakube-oneagent
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "dynatrace-operator.oneagentLabels" . | nindent 4 }}
+automountServiceAccountToken: false
+{{ end }}

charts/dynatrace/dynatrace-operator/1.2.2/templates/Common/operator/clusterrole-operator.yaml

@@ -0,0 +1,129 @@
+{{- include "dynatrace-operator.platformRequired" . }}
+{{ if eq (include "dynatrace-operator.partial" .) "false" }}
+# Copyright 2021 Dynatrace LLC
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+
+#     http://www.apache.org/licenses/LICENSE-2.0
+
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: dynatrace-operator
+  labels:
+    {{- include "dynatrace-operator.operatorLabels" . | nindent 4 }}
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - nodes
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - ""
+    resources:
+      - namespaces
+    verbs:
+      - get
+      - list
+      - watch
+      - update
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+    verbs:
+      - create
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+    resourceNames:
+      - dynatrace-dynakube-config
+      - dynatrace-metadata-enrichment-endpoint
+      - dynatrace-data-ingest-endpoint
+      - dynatrace-internal-proxy
+    verbs:
+      - get
+      - update
+      - delete
+      - list
+  - apiGroups:
+      - ""
+    resources:
+      - services
+    resourceNames:
+      - kubernetes
+    verbs:
+      - get
+  - apiGroups:
+      - ""
+    resources:
+      - events
+    verbs:
+      - create
+      - patch
+  - apiGroups:
+      - admissionregistration.k8s.io
+    resources:
+      - mutatingwebhookconfigurations
+    resourceNames:
+      - dynatrace-webhook
+    verbs:
+      - get
+      - update
+  - apiGroups:
+      - admissionregistration.k8s.io
+    resources:
+      - validatingwebhookconfigurations
+    resourceNames:
+      - dynatrace-webhook
+    verbs:
+      - get
+      - update
+  - apiGroups:
+      - apiextensions.k8s.io
+    resources:
+      - customresourcedefinitions
+    resourceNames:
+      - dynakubes.dynatrace.com
+      - edgeconnects.dynatrace.com
+    verbs:
+      - get
+      - update
+  {{- if (eq (include "dynatrace-operator.openshiftOrOlm" .) "true") }}
+  - apiGroups:
+      - security.openshift.io
+    resourceNames:
+      - privileged
+      - nonroot-v2
+    resources:
+      - securitycontextconstraints
+    verbs:
+      - use
+  {{ end }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: dynatrace-operator
+  labels:
+    {{- include "dynatrace-operator.operatorLabels" . | nindent 4 }}
+subjects:
+  - kind: ServiceAccount
+    name: dynatrace-operator
+    namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: ClusterRole
+  name: dynatrace-operator
+  apiGroup: rbac.authorization.k8s.io
+{{ end }}

charts/dynatrace/dynatrace-operator/1.2.2/templates/Common/operator/deployment-operator.yaml

@@ -0,0 +1,107 @@
+{{- include "dynatrace-operator.platformRequired" . }}
+{{ if eq (include "dynatrace-operator.partial" .) "false" }}
+# Copyright 2021 Dynatrace LLC
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+
+#     http://www.apache.org/licenses/LICENSE-2.0
+
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: dynatrace-operator
+  namespace: {{ .Release.Namespace }}
+  labels:
+      {{- include "dynatrace-operator.operatorLabels" . | nindent 4 }}
+  {{- if .Values.operator.labels }}
+      {{- toYaml .Values.operator.labels | nindent 4 }}
+  {{- end }}
+spec:
+  replicas: 1
+  revisionHistoryLimit: 1
+  selector:
+    matchLabels:
+      {{- include "dynatrace-operator.operatorSelectorLabels" . | nindent 6 }}
+  strategy:
+    type: RollingUpdate
+  template:
+    metadata:
+      annotations:
+        dynatrace.com/inject: "false"
+      {{- if (.Values.operator).apparmor}}
+        container.apparmor.security.beta.kubernetes.io/operator: runtime/default
+      {{- end }}
+      {{- if .Values.operator.annotations }}
+        {{- toYaml .Values.operator.annotations | nindent 8 }}
+      {{- end }}
+      labels:
+        {{- include "dynatrace-operator.operatorLabels" . | nindent 8 }}
+        {{- include "dynatrace-operator.operatorSelectorLabels" . | nindent 8 }}
+        {{- if .Values.operator.labels }}
+        {{- toYaml .Values.operator.labels | nindent 8 }}
+        {{- end }}
+    spec:
+      containers:
+        - name: operator
+          args:
+            - operator
+          # Replace this with the built image name
+          image: {{ include "dynatrace-operator.image" . }}
+          imagePullPolicy: Always
+          env:
+            - name: POD_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+            - name: POD_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.name
+          ports:
+            - containerPort: 10080
+              name: server-port
+          resources:
+            requests:
+              {{- toYaml (.Values.operator).requests | nindent 14 }}
+            limits:
+              {{- toYaml (.Values.operator).limits | nindent 14 }}
+          volumeMounts:
+            - name: tmp-cert-dir
+              mountPath: /tmp/dynatrace-operator
+          livenessProbe:
+            httpGet:
+              path: /livez
+              port: server-port
+              scheme: HTTP
+            initialDelaySeconds: 15
+            periodSeconds: 10
+          {{- include "dynatrace-operator.startupProbe" . | nindent 10 }}
+          securityContext:
+          {{- toYaml .Values.operator.securityContext | nindent 12 }}
+      {{- include "dynatrace-operator.nodeAffinity" . | nindent 6 }}
+      volumes:
+        - emptyDir: { }
+          name: tmp-cert-dir
+      serviceAccountName: dynatrace-operator
+      securityContext:
+        {{- toYaml .Values.operator.podSecurityContext | nindent 8 }}
+      {{- if .Values.customPullSecret }}
+      imagePullSecrets:
+        - name: {{ .Values.customPullSecret }}
+      {{- end }}
+      {{- if .Values.operator.nodeSelector }}
+      nodeSelector: {{- toYaml .Values.operator.nodeSelector | nindent 8 }}
+      {{- end }}
+      tolerations:
+        {{- if .Values.operator.tolerations }}
+        {{- toYaml .Values.operator.tolerations | nindent 8 }}
+        {{- end }}
+        {{- include "dynatrace-operator.defaultTolerations" . | nindent 8 }}
+  {{ end }}

charts/dynatrace/dynatrace-operator/1.2.2/templates/Common/operator/role-operator.yaml

@@ -0,0 +1,186 @@
+{{- include "dynatrace-operator.platformRequired" . }}
+{{ if eq (include "dynatrace-operator.partial" .) "false" }}
+# Copyright 2021 Dynatrace LLC
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+
+#     http://www.apache.org/licenses/LICENSE-2.0
+
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: dynatrace-operator
+  namespace: {{ .Release.Namespace }}
+  labels:
+  {{- include "dynatrace-operator.operatorLabels" . | nindent 4 }}
+rules:
+  - apiGroups:
+      - dynatrace.com
+    resources:
+      - dynakubes
+      - edgeconnects
+    verbs:
+      - get
+      - list
+      - watch
+      - update
+      - create
+  - apiGroups:
+      - dynatrace.com
+    resources:
+      - dynakubes/finalizers
+      - dynakubes/status
+      - edgeconnects/finalizers
+      - edgeconnects/status
+    verbs:
+      - update
+
+  - apiGroups:
+      - apps
+    resources:
+      - statefulsets
+    verbs:
+      - get
+      - list
+      - watch
+      - create
+      - update
+      - delete
+  - apiGroups:
+      - apps
+    resources:
+      - daemonsets
+    verbs:
+      - get
+      - list
+      - watch
+      - create
+      - update
+      - delete
+  - apiGroups:
+      - apps
+    resources:
+      - replicasets
+      - deployments
+    verbs:
+      - get
+      - list
+      - watch
+      - create
+      - update
+      - delete
+  - apiGroups:
+      - apps
+    resources:
+      - deployments/finalizers
+    verbs:
+      - update
+
+  - apiGroups:
+      - ""
+    resources:
+      - configmaps
+    verbs:
+      - get
+      - list
+      - watch
+      - create
+      - update
+      - delete
+  - apiGroups:
+      - ""
+    resources:
+      - pods
+    verbs:
+      - get
+      - list
+      - watch
+      - delete
+      - create
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+    verbs:
+      - get
+      - list
+      - watch
+      - create
+      - update
+      - delete
+  - apiGroups:
+      - ""
+    resources:
+      - events
+    verbs:
+      - list
+      - create
+  - apiGroups:
+      - ""
+    resources:
+      - services
+    verbs:
+      - create
+      - update
+      - delete
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - ""
+    resources:
+      - pods/log
+    verbs:
+      - get
+
+  - apiGroups:
+      - monitoring.coreos.com
+    resources:
+      - servicemonitors
+    verbs:
+      - get
+      - create
+
+  - apiGroups:
+      - networking.istio.io
+    resources:
+      - serviceentries
+      - virtualservices
+    verbs:
+      - get
+      - list
+      - create
+      - update
+      - delete
+
+  - apiGroups:
+      - coordination.k8s.io
+    resources:
+      - leases
+    verbs:
+      - get
+      - update
+      - create
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: dynatrace-operator
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "dynatrace-operator.operatorLabels" . | nindent 4 }}
+subjects:
+  - kind: ServiceAccount
+    name: dynatrace-operator
+roleRef:
+  kind: Role
+  name: dynatrace-operator
+  apiGroup: rbac.authorization.k8s.io
+{{ end }}

charts/dynatrace/dynatrace-operator/1.2.2/templates/Common/operator/serviceaccount-operator.yaml

@@ -0,0 +1,23 @@
+{{- include "dynatrace-operator.platformRequired" . }}
+{{ if eq (include "dynatrace-operator.partial" .) "false" }}
+# Copyright 2021 Dynatrace LLC
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+
+#     http://www.apache.org/licenses/LICENSE-2.0
+
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: dynatrace-operator
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "dynatrace-operator.operatorLabels" . | nindent 4 }}
+{{ end }}

charts/dynatrace/dynatrace-operator/1.2.2/templates/Common/webhook/clusterrole-webhook.yaml

@@ -0,0 +1,112 @@
+{{- include "dynatrace-operator.platformRequired" . }}
+{{ if eq (include "dynatrace-operator.partial" .) "false" }}
+# Copyright 2021 Dynatrace LLC
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+
+#     http://www.apache.org/licenses/LICENSE-2.0
+
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: dynatrace-webhook
+  labels:
+    {{- include "dynatrace-operator.webhookLabels" . | nindent 4 }}
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - namespaces
+    verbs:
+      - get
+      - list
+      - watch
+      - update
+  - apiGroups:
+      - ""
+    resources:
+      - events
+    verbs:
+      - create
+      - patch
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+    verbs:
+      - create
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+    resourceNames:
+      - dynatrace-dynakube-config
+      - dynatrace-metadata-enrichment-endpoint
+    verbs:
+      - get
+      - list
+      - watch
+      - update
+  # metadata-enrichment workload owner lookup
+  - apiGroups:
+      - ""
+    resources:
+      - replicationcontrollers
+    verbs:
+      - get
+  - apiGroups:
+      - apps
+    resources:
+      - replicasets
+      - statefulsets
+      - daemonsets
+      - deployments
+    verbs:
+      - get
+  - apiGroups:
+      - batch
+    resources:
+      - jobs
+      - cronjobs
+    verbs:
+      - get
+  - apiGroups:
+      - apps.openshift.io
+    resources:
+      - deploymentconfigs
+    verbs:
+      - get
+  {{- if (eq (include "dynatrace-operator.openshiftOrOlm" .) "true") }}
+  - apiGroups:
+      - security.openshift.io
+    resourceNames:
+      - privileged
+      - nonroot-v2
+    resources:
+      - securitycontextconstraints
+    verbs:
+      - use
+  {{ end }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: dynatrace-webhook
+  labels:
+    {{- include "dynatrace-operator.webhookLabels" . | nindent 4 }}
+subjects:
+  - kind: ServiceAccount
+    name: dynatrace-webhook
+    namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: ClusterRole
+  name: dynatrace-webhook
+  apiGroup: rbac.authorization.k8s.io
+{{ end }}

charts/dynatrace/dynatrace-operator/1.2.2/templates/Common/webhook/deployment-webhook.yaml

@@ -0,0 +1,135 @@
+{{- include "dynatrace-operator.platformRequired" . }}
+{{ if eq (include "dynatrace-operator.partial" .) "false" }}
+# Copyright 2021 Dynatrace LLC
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+
+#     http://www.apache.org/licenses/LICENSE-2.0
+
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: dynatrace-webhook
+  namespace: {{ .Release.Namespace }}
+  labels:
+      {{- include "dynatrace-operator.webhookLabels" . | nindent 4 }}
+  {{- if .Values.webhook.labels }}
+      {{- toYaml .Values.webhook.labels | nindent 4 }}
+  {{- end }}
+spec:
+  replicas: {{ (default false (.Values.webhook).highAvailability) | ternary 2 1 }}
+  revisionHistoryLimit: 1
+  selector:
+    matchLabels:
+      {{- include "dynatrace-operator.webhookSelectorLabels" . | nindent 6 }}
+  strategy:
+    type: RollingUpdate
+  template:
+    metadata:
+      annotations:
+        dynatrace.com/inject: "false"
+        kubectl.kubernetes.io/default-container: webhook
+        {{- if (.Values.webhook).apparmor}}
+        container.apparmor.security.beta.kubernetes.io/webhook: runtime/default
+        {{- end }}
+        {{- if .Values.webhook.annotations}}
+        {{- toYaml .Values.webhook.annotations | nindent 8 }}
+        {{- end }}
+      labels:
+        {{- include "dynatrace-operator.webhookLabels" . | nindent 8 }}
+        {{- include "dynatrace-operator.webhookSelectorLabels" . | nindent 8 }}
+        {{- if .Values.webhook.labels }}
+        {{- toYaml .Values.webhook.labels | nindent 8 }}
+        {{- end }}
+    spec:
+      {{- if (.Values.webhook).highAvailability }}
+      topologySpreadConstraints:
+        - maxSkew: 1
+          topologyKey: "topology.kubernetes.io/zone"
+          whenUnsatisfiable: ScheduleAnyway
+          labelSelector:
+            matchLabels:
+              {{- include "dynatrace-operator.webhookSelectorLabels" . | nindent 14 }}
+        - maxSkew: 1
+          topologyKey: "kubernetes.io/hostname"
+          whenUnsatisfiable: DoNotSchedule
+          labelSelector:
+            matchLabels:
+              {{- include "dynatrace-operator.webhookSelectorLabels" . | nindent 14 }}
+      {{- end }}
+      volumes:
+      - emptyDir: {}
+        name: certs-dir
+      {{- include "dynatrace-operator.nodeAffinity" . | nindent 6 }}
+      containers:
+        - name: webhook
+          args:
+            - webhook-server
+            # OLM mounts the certificates here, so we reuse it for simplicity
+            - --certs-dir=/tmp/k8s-webhook-server/serving-certs/
+          image: {{ include "dynatrace-operator.image" . }}
+          imagePullPolicy: Always
+          env:
+            - name: POD_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+            - name: POD_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.name
+          readinessProbe:
+            httpGet:
+              path: /readyz
+              port: livez
+              scheme: HTTP
+            initialDelaySeconds: 15
+            periodSeconds: 10
+          livenessProbe:
+            httpGet:
+              path: /livez
+              port: livez
+              scheme: HTTP
+            initialDelaySeconds: 15
+            periodSeconds: 10
+          ports:
+            - name: server-port
+              containerPort: 8443
+            - name: livez
+              containerPort: 10080
+          resources:
+            requests:
+              {{- toYaml (.Values.webhook).requests | nindent 14 }}
+            limits:
+              {{- toYaml (.Values.webhook).limits | nindent 14 }}
+          volumeMounts:
+            - name: certs-dir
+              mountPath: /tmp/k8s-webhook-server/serving-certs/
+          securityContext:
+          {{- toYaml .Values.webhook.securityContext | nindent 12 }}
+      serviceAccountName: dynatrace-webhook
+      {{- if (.Values.webhook).hostNetwork }}
+      hostNetwork: true
+      {{- end }}
+      securityContext:
+        {{- toYaml .Values.webhook.podSecurityContext | nindent 8 }}
+      {{- if .Values.customPullSecret }}
+      imagePullSecrets:
+        - name: {{ .Values.customPullSecret }}
+      {{- end }}
+      {{- if .Values.webhook.nodeSelector }}
+      nodeSelector: {{- toYaml .Values.webhook.nodeSelector | nindent 8 }}
+      {{- end }}
+      tolerations:
+        {{- if .Values.webhook.tolerations }}
+        {{- toYaml .Values.webhook.tolerations | nindent 8 }}
+        {{- end }}
+        {{- include "dynatrace-operator.defaultTolerations" . | nindent 8 }}
+  {{ end }}

charts/dynatrace/dynatrace-operator/1.2.2/templates/Common/webhook/mutatingwebhookconfiguration.yaml

@@ -0,0 +1,61 @@
+{{- include "dynatrace-operator.platformRequired" . }}
+{{ if eq (include "dynatrace-operator.partial" .) "false" }}
+# Copyright 2021 Dynatrace LLC
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+
+#     http://www.apache.org/licenses/LICENSE-2.0
+
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+  name: dynatrace-webhook
+  labels:
+  {{- include "dynatrace-operator.webhookLabels" . | nindent 4 }}
+webhooks:
+  - name: webhook.pod.dynatrace.com
+    reinvocationPolicy: IfNeeded
+    failurePolicy: Ignore
+    timeoutSeconds: {{.Values.webhook.mutatingWebhook.timeoutSeconds}}
+    rules:
+      - apiGroups: [ "" ]
+        apiVersions: [ "v1" ]
+        operations: [ "CREATE" ]
+        resources: [ "pods" ]
+        scope: Namespaced
+    namespaceSelector:
+      matchExpressions:
+        - key: dynakube.internal.dynatrace.com/instance
+          operator: Exists
+    clientConfig:
+      service:
+        name: dynatrace-webhook
+        namespace: {{ .Release.Namespace }}
+        path: /inject
+    admissionReviewVersions: [ "v1beta1", "v1" ]
+    sideEffects: None
+  - name: webhook.ns.dynatrace.com
+    reinvocationPolicy: IfNeeded
+    failurePolicy: Ignore
+    timeoutSeconds: {{.Values.webhook.mutatingWebhook.timeoutSeconds}}
+    rules:
+      - apiGroups: [ "" ]
+        apiVersions: [ "v1" ]
+        operations: [ "CREATE", "UPDATE"]
+        resources: [ "namespaces" ]
+        scope: Cluster
+    clientConfig:
+      service:
+        name: dynatrace-webhook
+        namespace: {{ .Release.Namespace }}
+        path: /label-ns
+    admissionReviewVersions: [ "v1beta1", "v1" ]
+    sideEffects: None
+{{ end }}

charts/dynatrace/dynatrace-operator/1.2.2/templates/Common/webhook/poddisruptionbudget-webhook.yaml

@@ -0,0 +1,14 @@
+{{- include "dynatrace-operator.platformRequired" . }}
+{{ if and (.Values.webhook).highAvailability (eq (include "dynatrace-operator.partial" .) "false") }}
+# v1 version supported since k8s 1.21
+apiVersion: {{ .Capabilities.APIVersions.Has "policy/v1" | ternary "policy/v1" "policy/v1beta1" }}
+kind: PodDisruptionBudget
+metadata:
+  name: dynatrace-webhook
+  namespace: {{ .Release.Namespace }}
+spec:
+  minAvailable: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/component: webhook
+{{ end }}

charts/dynatrace/dynatrace-operator/1.2.2/templates/Common/webhook/role-webhook.yaml

@@ -0,0 +1,90 @@
+{{- include "dynatrace-operator.platformRequired" . }}
+{{ if eq (include "dynatrace-operator.partial" .) "false" }}
+# Copyright 2021 Dynatrace LLC
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+
+#     http://www.apache.org/licenses/LICENSE-2.0
+
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: dynatrace-webhook
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "dynatrace-operator.webhookLabels" . | nindent 4 }}
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - services
+      - configmaps
+      - secrets
+    verbs:
+      - get
+      - list
+      - watch
+      - create
+      - update
+  - apiGroups:
+      - ""
+    resources:
+      - pods
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - dynatrace.com
+    resources:
+      - dynakubes
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - ""
+    resources:
+      - events
+    verbs:
+      - list
+      - create
+  - apiGroups:
+      - coordination.k8s.io
+    resources:
+      - leases
+    verbs:
+      - get
+      - update
+      - create
+  - apiGroups:
+      - apps
+    resources:
+      - daemonsets
+    verbs:
+      - list
+      - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: dynatrace-webhook
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "dynatrace-operator.webhookLabels" . | nindent 4 }}
+subjects:
+  - kind: ServiceAccount
+    name: dynatrace-webhook
+    namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: Role
+  name: dynatrace-webhook
+  apiGroup: rbac.authorization.k8s.io
+{{ end }}

charts/dynatrace/dynatrace-operator/1.2.2/templates/Common/webhook/service.yaml

@@ -0,0 +1,30 @@
+{{- include "dynatrace-operator.platformRequired" . }}
+{{ if eq (include "dynatrace-operator.partial" .) "false" }}
+# Copyright 2021 Dynatrace LLC
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+
+#     http://www.apache.org/licenses/LICENSE-2.0
+
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+apiVersion: v1
+kind: Service
+metadata:
+  name: dynatrace-webhook
+  namespace: {{ .Release.Namespace }}
+  labels:
+  {{- include "dynatrace-operator.webhookLabels" . | nindent 4 }}
+spec:
+  selector:
+  {{- include "dynatrace-operator.webhookLabels" . | nindent 4 }}
+  ports:
+    - port: 443
+      protocol: TCP
+      targetPort: server-port
+{{ end }}

charts/dynatrace/dynatrace-operator/1.2.2/templates/Common/webhook/serviceaccount-webhook.yaml

@@ -0,0 +1,24 @@
+{{- include "dynatrace-operator.platformRequired" . }}
+{{ if eq (include "dynatrace-operator.partial" .) "false" }}
+# Copyright 2021 Dynatrace LLC
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+
+#     http://www.apache.org/licenses/LICENSE-2.0
+
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: dynatrace-webhook
+  namespace: {{ .Release.Namespace }}
+  labels:
+  {{- include "dynatrace-operator.webhookLabels" . | nindent 4 }}
+{{ end }}
+

charts/dynatrace/dynatrace-operator/1.2.2/templates/Common/webhook/validatingwebhookconfiguration.yaml

@@ -0,0 +1,67 @@
+{{- include "dynatrace-operator.platformRequired" . }}
+{{ if eq (include "dynatrace-operator.partial" .) "false" }}
+# Copyright 2021 Dynatrace LLC
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+
+#     http://www.apache.org/licenses/LICENSE-2.0
+
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  name: dynatrace-webhook
+  labels:
+  {{- include "dynatrace-operator.webhookLabels" . | nindent 4 }}
+webhooks:
+  - admissionReviewVersions:
+      - v1
+      - v1beta1
+      - v1alpha1
+    clientConfig:
+      service:
+        name: dynatrace-webhook
+        namespace: {{ .Release.Namespace }}
+        path: /validate
+    rules:
+      - operations:
+          - CREATE
+          - UPDATE
+        apiGroups:
+          - dynatrace.com
+        apiVersions:
+          - v1beta2
+        resources:
+          - dynakubes
+    name: webhook.dynatrace.com
+    timeoutSeconds: {{.Values.webhook.validatingWebhook.timeoutSeconds}}
+    sideEffects: None
+  - admissionReviewVersions:
+      - v1
+      - v1beta1
+      - v1alpha1
+    clientConfig:
+      service:
+        name: dynatrace-webhook
+        namespace: {{ .Release.Namespace }}
+        path: /validate/edgeconnect
+    rules:
+      - operations:
+          - CREATE
+          - UPDATE
+        apiGroups:
+          - dynatrace.com
+        apiVersions:
+          - v1alpha1
+        resources:
+          - edgeconnects
+    name: edgeconnect.webhook.dynatrace.com
+    timeoutSeconds: {{.Values.webhook.validatingWebhook.timeoutSeconds}}
+    sideEffects: None
+{{ end }}

charts/dynatrace/dynatrace-operator/1.2.2/templates/NOTES.txt

@@ -0,0 +1,10 @@
+Thank you for installing {{ .Chart.Name }}.
+
+Your release is named {{ .Release.Name }}.
+
+To find more information about the Dynatrace Operator, try:
+https://github.com/Dynatrace/dynatrace-operator
+
+To verify the current state of the deployments, try:
+  $ kubectl get pods -n {{ .Release.Namespace }}
+  $ kubectl logs -f deployment/dynatrace-operator -n {{ .Release.Namespace }}

charts/dynatrace/dynatrace-operator/1.2.2/templates/_csidriver.tpl

@@ -0,0 +1,74 @@
+// Copyright 2020 Dynatrace LLC
+
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+
+//     http://www.apache.org/licenses/LICENSE-2.0
+
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+{{/*
+Check if we need the csi driver.
+*/}}
+{{- define "dynatrace-operator.needCSI" -}}
+	{{- if or (.Values.csidriver.enabled) (eq (include "dynatrace-operator.partial" .) "csi") -}}
+		{{- printf "true" -}}
+	{{- end -}}
+{{- end -}}
+
+{{/*
+CSI PriorityClassName
+*/}}
+{{- define "dynatrace-operator.CSIPriorityClassName" -}}
+	{{- default "dynatrace-high-priority" .Values.csidriver.existingPriorityClassName -}}
+{{- end -}}
+
+{{/*
+Check if we need the csi default priority class
+*/}}
+{{- define "dynatrace-operator.needPriorityClass" -}}
+	{{- if and (eq (include "dynatrace-operator.needCSI" .) "true") (not .Values.csidriver.existingPriorityClassName) -}}
+		{{- printf "true" -}}
+	{{- end -}}
+{{- end -}}
+
+{{/*
+CSI plugin-dir path
+*/}}
+{{- define "dynatrace-operator.CSIPluginDir" -}}
+	{{ printf "%s/plugins/csi.oneagent.dynatrace.com/" (trimSuffix "/" (default "/var/lib/kubelet" .Values.csidriver.kubeletPath)) }}
+{{- end -}}
+
+
+{{/*
+CSI data-dir path
+*/}}
+{{- define "dynatrace-operator.CSIDataDir" -}}
+	{{ printf "%s/data" (trimSuffix "/" (include "dynatrace-operator.CSIPluginDir" .)) }}
+{{- end -}}
+
+{{/*
+CSI socket path
+*/}}
+{{- define "dynatrace-operator.CSISocketPath" -}}
+	{{ printf "%s/csi.sock" (trimSuffix "/" (include "dynatrace-operator.CSIPluginDir" .)) }}
+{{- end -}}
+
+{{/*
+CSI mountpoint-dir path
+*/}}
+{{- define "dynatrace-operator.CSIMountPointDir" -}}
+	{{ printf "%s/pods/" (trimSuffix "/" (default "/var/lib/kubelet" .Values.csidriver.kubeletPath)) }}
+{{- end -}}
+
+{{/*
+CSI registration-dir path
+*/}}
+{{- define "dynatrace-operator.CSIRegistrationDir" -}}
+	{{ printf "%s/plugins_registry/" (trimSuffix "/" (default "/var/lib/kubelet" .Values.csidriver.kubeletPath)) }}
+{{- end -}}

charts/dynatrace/dynatrace-operator/1.2.2/templates/_helpers.tpl

@@ -0,0 +1,62 @@
+// Copyright 2020 Dynatrace LLC
+
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+
+//     http://www.apache.org/licenses/LICENSE-2.0
+
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "dynatrace-operator.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Check if default image or imageref is used
+*/}}
+{{- define "dynatrace-operator.image" -}}
+{{- if .Values.image -}}
+	{{- printf "%s" .Values.image -}}
+{{- else -}}
+    {{- if (.Values.imageRef).repository -}}
+        {{- .Values.imageRef.tag | default (printf "v%s" .Chart.AppVersion) | printf "%s:%s" .Values.imageRef.repository -}}
+    {{- else if eq (include "dynatrace-operator.platform" .) "google-marketplace" -}}
+    	{{- printf "%s:%s" "gcr.io/dynatrace-marketplace-prod/dynatrace-operator" .Chart.AppVersion }}
+    {{- else if eq (include "dynatrace-operator.platform" .) "azure-marketplace" -}}
+        {{- printf "%s/%s@%s" .Values.global.azure.images.operator.registry .Values.global.azure.images.operator.image .Values.global.azure.images.operator.digest }}
+	{{- else -}}
+		{{- printf "%s:v%s" "public.ecr.aws/dynatrace/dynatrace-operator" .Chart.AppVersion }}
+	{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Check if we are generating only a part of the yamls
+*/}}
+{{- define "dynatrace-operator.partial" -}}
+	{{- if (default false .Values.partial) -}}
+		{{- printf "%s" .Values.partial -}}
+	{{- else -}}
+	    {{- printf "false" -}}
+	{{- end -}}
+{{- end -}}
+
+{{- define "dynatrace-operator.startupProbe" -}}
+startupProbe:
+  exec:
+    command:
+    - /usr/local/bin/dynatrace-operator
+    - startup-probe
+  periodSeconds: 10
+  timeoutSeconds: 5
+  failureThreshold: 1
+{{- end -}}

charts/dynatrace/dynatrace-operator/1.2.2/templates/_labels.tpl

@@ -0,0 +1,102 @@
+// Copyright 2020 Dynatrace LLC
+
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+
+//     http://www.apache.org/licenses/LICENSE-2.0
+
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+{{/*
+Selector labels
+*/}}
+{{- define "dynatrace-operator.futureSelectorLabels" -}}
+app.kubernetes.io/name: dynatrace-operator
+{{- if not (.Values).manifests }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Common labels
+*/}}
+{{- define "dynatrace-operator.commonLabels" -}}
+{{ include "dynatrace-operator.futureSelectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+{{- if not (.Values).manifests }}
+helm.sh/chart: {{ include "dynatrace-operator.chart" . }}
+{{- end -}}
+{{- if eq (include "dynatrace-operator.platform" .) "azure-marketplace" }}
+azure-extensions-usage-release-identifier: {{ .Release.Name | quote }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Operator labels
+*/}}
+{{- define "dynatrace-operator.operatorLabels" -}}
+{{ include "dynatrace-operator.commonLabels" . }}
+app.kubernetes.io/component: operator
+{{- end -}}
+
+{{/*
+Operator selector labels
+*/}}
+{{- define "dynatrace-operator.operatorSelectorLabels" -}}
+name: {{ .Release.Name }}
+{{- end -}}
+
+{{/*
+Webhook labels
+*/}}
+{{- define "dynatrace-operator.webhookLabels" -}}
+{{ include "dynatrace-operator.commonLabels" . }}
+app.kubernetes.io/component: webhook
+{{- end -}}
+
+{{/*
+Webhook selector labels
+*/}}
+{{- define "dynatrace-operator.webhookSelectorLabels" -}}
+internal.dynatrace.com/component: webhook
+internal.dynatrace.com/app: webhook
+{{- end -}}
+
+{{/*
+CSI labels
+*/}}
+{{- define "dynatrace-operator.csiLabels" -}}
+{{ include "dynatrace-operator.commonLabels" . }}
+app.kubernetes.io/component: csi-driver
+{{- end -}}
+
+{{/*
+CSI selector labels
+*/}}
+{{- define "dynatrace-operator.csiSelectorLabels" -}}
+internal.oneagent.dynatrace.com/app: csi-driver
+internal.oneagent.dynatrace.com/component: csi-driver
+{{- end -}}
+
+{{/*
+ActiveGate labels
+*/}}
+{{- define "dynatrace-operator.activegateLabels" -}}
+{{ include "dynatrace-operator.commonLabels" . }}
+app.kubernetes.io/component: activegate
+{{- end -}}
+
+{{/*
+OneAgent labels
+*/}}
+{{- define "dynatrace-operator.oneagentLabels" -}}
+{{ include "dynatrace-operator.commonLabels" . }}
+app.kubernetes.io/component: oneagent
+{{- end -}}

charts/dynatrace/dynatrace-operator/1.2.2/templates/_platform.tpl

@@ -0,0 +1,86 @@
+// Copyright 2020 Dynatrace LLC
+
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+
+//     http://www.apache.org/licenses/LICENSE-2.0
+
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+{{/*
+Auto-detect the platform (if not set), according to the available APIVersions
+*/}}
+{{- define "dynatrace-operator.platform" -}}
+    {{- if .Values.platform}}
+        {{- printf .Values.platform -}}
+    {{- else if .Capabilities.APIVersions.Has "security.openshift.io/v1" }}
+        {{- printf "openshift" -}}
+    {{- else }}
+        {{- printf "kubernetes" -}}
+    {{- end -}}
+{{- end }}
+
+{{/*
+Exclude Kubernetes manifest not running on OLM
+*/}}
+{{- define "dynatrace-operator.openshiftOrOlm" -}}
+{{- if and (or (eq (include "dynatrace-operator.platform" .) "openshift") (.Values.olm)) (eq (include "dynatrace-operator.partial" .) "false") -}}
+    {{ default "true" }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Check if platform is set to a valid one
+*/}}
+{{- define "dynatrace-operator.platformIsValid" -}}
+{{- $validPlatforms := list "kubernetes" "openshift" "google-marketplace" "gke-autopilot" "azure-marketplace" -}}
+{{- if has (include "dynatrace-operator.platform" .) $validPlatforms -}}
+    {{ default "set" }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Enforces that platform is set to a valid one
+*/}}
+{{- define "dynatrace-operator.platformRequired" -}}
+{{- $platformIsSet := printf "%s" (required "Platform needs to be set to kubernetes, openshift, google-marketplace, azure-marketplace or gke-autopilot" (include "dynatrace-operator.platformIsValid" .))}}
+{{- end -}}
+
+{{- define "dynatrace-operator.nodeAffinity" -}}
+affinity:
+  nodeAffinity:
+    requiredDuringSchedulingIgnoredDuringExecution:
+      nodeSelectorTerms:
+        - matchExpressions:
+            - key: kubernetes.io/arch
+              operator: In
+              values:
+                - amd64
+                - arm64
+                - ppc64le
+                - s390x
+            - key: kubernetes.io/os
+              operator: In
+              values:
+                - linux
+{{- end -}}
+
+{{- define "dynatrace-operator.defaultTolerations" -}}
+- key: kubernetes.io/arch
+  value: arm64
+  effect: NoSchedule
+- key: kubernetes.io/arch
+  value: amd64
+  effect: NoSchedule
+- key: kubernetes.io/arch
+  value: ppc64le
+  effect: NoSchedule
+- key: kubernetes.io/arch
+  value: s390x
+  effect: NoSchedule
+{{- end -}}

charts/dynatrace/dynatrace-operator/1.2.2/templates/application.yaml

@@ -0,0 +1,98 @@
+{{- if eq (include "dynatrace-operator.platform" .) "google-marketplace" }}
+# Copyright 2020 Dynatrace LLC
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#     http://www.apache.org/licenses/LICENSE-2.0
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+apiVersion: app.k8s.io/v1beta1
+kind: Application
+metadata:
+  name: {{ .Release.Name }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "dynatrace-operator.operatorLabels" . | nindent 4 }}
+  annotations:
+    kubernetes-engine.cloud.google.com/icon: data:image/png;base64,{{ .Files.Get "logo.png" | b64enc }}
+    marketplace.cloud.google.com/deploy-info: '{"partner_id": "dynatrace-marketplace-prod", "product_id": "dynatrace-operator", "partner_name": "Dynatrace LLC"}'
+spec:
+  descriptor:
+    type: "Dynatrace Operator"
+    version: {{ .Chart.AppVersion }}
+    maintainers:
+      - name: Dynatrace LLC
+        url: https://www.dynatrace.com/
+    keywords:
+      - "dynatrace"
+      - "operator"
+      - "activegate"
+      - "k8s"
+      - "monitoring"
+      - "apm"
+    description: |
+      # Dynatrace Operator
+
+      The Dynatrace Operator supports rollout and lifecycle management of various Dynatrace components in Kubernetes and OpenShift.
+
+      * OneAgent
+      * `classicFullStack` rolls out a OneAgent pod per node to monitor pods on it and the node itself
+      * `applicationMonitoring` is a webhook based injection mechanism for automatic app-only injection
+      * CSI Driver can be enabled to cache OneAgent downloads per node
+      * `hostMonitoring` is only monitoring the hosts (i.e. nodes) in the cluster without app-only injection
+      * `cloudNativeFullStack` is a combination of `applicationMonitoring` with CSI driver and `hostMonitoring`
+      * ActiveGate
+      * `routing` routes OneAgent traffic through the ActiveGate
+      * `kubernetes-monitoring` allows monitoring of the Kubernetes API
+      * `metrics-ingest` routes enriched metrics through ActiveGate
+
+      For more information please have a look at [our DynaKube Custom Resource examples](config/samples) and
+      our [official help page](https://www.dynatrace.com/support/help/setup-and-configuration/setup-on-container-platforms/kubernetes/).
+    links:
+      - description: Dynatrace Website
+        url: https://www.dynatrace.com/
+      - description: Operator Deploy Guide
+        url: ToDo
+      - description: Kubernetes Monitoring Info
+        url: https://www.dynatrace.com/technologies/kubernetes-monitoring
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: dynatrace-operator
+  componentKinds:
+    - group: apps/v1
+      kind: DaemonSet
+    - group: v1
+      kind: Pod
+    - group: v1
+      kind: ConfigMap
+    - group: apps/v1
+      kind: Deployment
+    - group: v1
+      kind: Secret
+    - group: batch/v1
+      kind: Job
+    - group: v1
+      kind: Service
+    - group: v1
+      kind: ServiceAccount
+    - group: admissionregistration.k8s.io/v1
+      kind: ValidatingWebhookConfiguration
+    - group: admissionregistration.k8s.io/v1
+      kind: MutatingWebhookConfiguration
+    - group: apps/v1
+      kind: StatefulSet
+    - group: storage.k8s.io/v1
+      kind: CSIDriver
+    - group: rbac.authorization.k8s.io/v1
+      kind: ClusterRole
+    - group: rbac.authorization.k8s.io/v1
+      kind: ClusterRoleBinding
+    - group: rbac.authorization.k8s.io/v1
+      kind: Role
+    - group: rbac.authorization.k8s.io/v1
+      kind: RoleBinding
+{{ end }}

charts/dynatrace/dynatrace-operator/1.2.2/values.yaml

@@ -0,0 +1,190 @@
+# Copyright 2021 Dynatrace LLC
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+
+#     http://www.apache.org/licenses/LICENSE-2.0
+
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# may be set to "kubernetes", "openshift", "gke-autopilot" (deprecated)
+platform: ""
+
+#image qualifier; OBSOLETE -> use imageref instead!
+# supply either image or imageref; if both supplied, imageref will be disregarded
+image: ""
+#image description using tags
+#resulting image will be named <repository>:v<tag>
+imageRef:
+  repository: "" #path to repo
+  tag: "" #defaults to chart version
+
+customPullSecret: ""
+installCRD: true
+
+operator:
+  nodeSelector: {}
+  tolerations: []
+  labels: {}
+  annotations: {}
+  apparmor: false
+  securityContext:
+    privileged: false
+    allowPrivilegeEscalation: false
+    readOnlyRootFilesystem: true
+    runAsNonRoot: true
+    runAsUser: 1001
+    runAsGroup: 1001
+    capabilities:
+      drop:
+        - ALL
+    seccompProfile:
+      type: RuntimeDefault
+  podSecurityContext:
+    seccompProfile:
+      type: RuntimeDefault
+  requests:
+    cpu: 50m
+    memory: 64Mi
+  limits:
+    cpu: 100m
+    memory: 128Mi
+
+webhook:
+  hostNetwork: false
+  nodeSelector: {}
+  tolerations: []
+  labels: {}
+  annotations: {}
+  apparmor: false
+  securityContext:
+    privileged: false
+    allowPrivilegeEscalation: false
+    readOnlyRootFilesystem: true
+    runAsNonRoot: true
+    runAsUser: 1001
+    runAsGroup: 1001
+    capabilities:
+      drop:
+        - ALL
+    seccompProfile:
+      type: RuntimeDefault
+  podSecurityContext:
+    seccompProfile:
+      type: RuntimeDefault
+  requests:
+    cpu: 300m
+    memory: 128Mi
+  limits:
+    cpu: 300m
+    memory: 128Mi
+  highAvailability: true
+  validatingWebhook:
+    timeoutSeconds: 10
+  mutatingWebhook:
+    timeoutSeconds: 10
+
+csidriver:
+  enabled: true
+  nodeSelector: {}
+  kubeletPath: "/var/lib/kubelet"
+  existingPriorityClassName: "" # if defined, use this priorityclass instead of creating a new one
+  priorityClassValue: "1000000"
+  maxUnmountedVolumeAge: "" # defined in days, must be a plain number
+  tolerations:
+    - effect: NoSchedule
+      key: node-role.kubernetes.io/master
+      operator: Exists
+    - effect: NoSchedule
+      key: node-role.kubernetes.io/control-plane
+      operator: Exists
+  labels: {}
+  annotations: {}
+  csiInit:
+    securityContext:
+      runAsUser: 0
+      privileged: false
+      allowPrivilegeEscalation: false
+      readOnlyRootFilesystem: true
+      runAsNonRoot: false
+      seLinuxOptions:
+        level: s0
+      seccompProfile:
+        type: RuntimeDefault
+    resources:
+      requests:
+        cpu: 50m
+        memory: 100Mi
+      limits:
+        cpu: 50m
+        memory: 100Mi
+  server:
+    securityContext:
+      runAsUser: 0
+      privileged: true # Needed for mountPropagation
+      allowPrivilegeEscalation: true # Needed for privileged
+      readOnlyRootFilesystem: true
+      runAsNonRoot: false
+      seLinuxOptions:
+        level: s0
+      seccompProfile:
+        type: RuntimeDefault
+    resources:
+      requests:
+        cpu: 50m
+        memory: 100Mi
+      limits:
+        cpu: 50m
+        memory: 100Mi
+  provisioner:
+    securityContext:
+      runAsUser: 0
+      privileged: true # Needed for mountPropagation
+      allowPrivilegeEscalation: true # Needed for privileged
+      readOnlyRootFilesystem: true
+      runAsNonRoot: false
+      seLinuxOptions:
+        level: s0
+      seccompProfile:
+        type: RuntimeDefault
+    resources:
+      requests:
+        cpu: 300m
+        memory: 100Mi
+  registrar:
+    securityContext:
+      runAsUser: 0
+      privileged: false
+      readOnlyRootFilesystem: true
+      runAsNonRoot: false
+      seccompProfile:
+        type: RuntimeDefault
+    resources:
+      requests:
+        cpu: 20m
+        memory: 30Mi
+      limits:
+        cpu: 20m
+        memory: 30Mi
+  livenessprobe:
+    securityContext:
+      runAsUser: 0
+      privileged: false
+      allowPrivilegeEscalation: false
+      readOnlyRootFilesystem: true
+      runAsNonRoot: false
+      seccompProfile:
+        type: RuntimeDefault
+    resources:
+      requests:
+        cpu: 20m
+        memory: 30Mi
+      limits:
+        cpu: 20m
+        memory: 30Mi
+

charts/haproxy/haproxy/1.41.0/.helmignore

@@ -0,0 +1,21 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj

charts/haproxy/haproxy/1.41.0/Chart.yaml

@@ -0,0 +1,26 @@
+annotations:
+  artifacthub.io/changes: |
+    - Fix bug w/ permissions (#255)
+    - Add ability to specify HPA name in KEDA object (#253)
+    - Add pre-install hook annotation for namespace creation (#254)
+  catalog.cattle.io/certified: partner
+  catalog.cattle.io/display-name: HAProxy Kubernetes Ingress Controller
+  catalog.cattle.io/kube-version: '>=1.23.0-0'
+  catalog.cattle.io/release-name: haproxy
+apiVersion: v2
+appVersion: 3.0.1
+description: A Helm chart for HAProxy Kubernetes Ingress Controller
+home: https://github.com/haproxytech/helm-charts/tree/main/kubernetes-ingress
+icon: file://assets/icons/haproxy.png
+keywords:
+- ingress
+- haproxy
+kubeVersion: '>=1.23.0-0'
+maintainers:
+- email: dkorunic@haproxy.com
+  name: Dinko Korunic
+name: haproxy
+sources:
+- https://github.com/haproxytech/kubernetes-ingress
+type: application
+version: 1.41.0

charts/haproxy/haproxy/1.41.0/README.md

@@ -0,0 +1,296 @@
+# ![HAProxy](https://github.com/haproxytech/kubernetes-ingress/raw/master/assets/images/haproxy-weblogo-210x49.png "HAProxy")
+
+## HAProxy Kubernetes Ingress Controller
+
+An ingress controller is a Kubernetes resource that routes traffic from outside your cluster to services within the cluster. HAProxy Kubernetes Ingress Controller uses ConfigMap to store the haproxy configuration.
+
+Detailed documentation can be found within the [Official Documentation](https://www.haproxy.com/documentation/kubernetes/latest/).
+
+Additional configuration details can be found in [annotation reference](https://github.com/haproxytech/kubernetes-ingress/tree/master/documentation) and in image [arguments reference](https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md).
+
+## Introduction
+
+This chart bootstraps an HAProxy kubernetes-ingress deployment/daemonset on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager.
+
+### Prerequisites
+
+- Kubernetes 1.22+ (recommended 1.24+)
+- Helm 3.6+ (recommended 3.7+)
+
+## Before you begin
+
+### Setting up a Kubernetes Cluster
+
+The quickest way to setup a Kubernetes cluster is with [Azure Kubernetes Service](https://azure.microsoft.com/en-us/services/kubernetes-service/), [AWS Elastic Kubernetes Service](https://aws.amazon.com/eks/) or [Google Kubernetes Engine](https://cloud.google.com/kubernetes-engine/) using their respective quick-start guides.
+
+For setting up Kubernetes on other cloud platforms or bare-metal servers refer to the Kubernetes [getting started guide](http://kubernetes.io/docs/getting-started-guides/).
+
+### Install Helm
+
+Get the latest [Helm release](https://github.com/helm/helm#install).
+
+### Adding Helm chart repo
+
+Once you have Helm installed, add the repo as follows:
+
+```console
+helm repo add haproxytech https://haproxytech.github.io/helm-charts
+
+helm repo update
+```
+
+## Installing the chart
+
+To install the chart with Helm v3 as _my-release_ deployment:
+
+```console
+helm install my-release haproxytech/kubernetes-ingress
+```
+
+**_NOTE_**: To install the chart with Helm v2 (legacy Helm) the syntax requires adding deployment name to `--name` parameter:
+
+```console
+helm install haproxytech/kubernetes-ingress \
+  --name my-release
+```
+
+### Installing with unique name
+
+To auto-generate controller and its resources names when installing, use the following:
+
+```console
+helm install haproxytech/kubernetes-ingress \
+  --generate-name
+```
+
+### Installing from a private registry
+
+To install the chart using a private registry for controller into a separate namespace _prod_.
+
+**_NOTE_**: Helm v3 requires namespace to be precreated (eg. with `kubectl create namespace prod`)
+
+```console
+helm install my-ingress haproxytech/kubernetes-ingress  \
+  --namespace prod \
+  --set controller.image.tag=SOMETAG \
+  --set controller.imageCredentials.registry=myregistry.domain.com \
+  --set controller.imageCredentials.username=MYUSERNAME \
+  --set controller.imageCredentials.password=MYPASSWORD
+```
+
+Alternatively, use a pre-configured (existing) imagePullSecret in the same namespace:
+
+```console
+helm install my-ingress haproxytech/kubernetes-ingress  \
+  --namespace prod \
+  --set controller.image.tag=SOMETAG \
+  --set controller.existingImagePullSecret name-of-existing-image-pull-secret
+```
+
+### Using values from YAML file
+
+As opposed to using many `--set` invocations, much simpler approach is to define value overrides in a separate YAML file and specify them when invoking Helm:
+
+_mylb.yaml_:
+
+```yaml
+controller:
+  kind: DaemonSet
+  ingressClass: haproxy
+  service:
+    type: LoadBalancer
+    annotations:
+      service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: "true"
+      service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0
+```
+
+And invoking Helm becomes (compare to the previous example):
+
+```console
+helm install my-ingress -f mylb.yml haproxytech/kubernetes-ingress
+```
+
+A typical YAML file for TCP services looks like (provided that configmap "[default/tcp](https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md)" was created) :
+
+```yaml
+controller:
+  service:
+    tcpPorts:
+      - name: mysql
+        port: 3306
+        targetPort: 3306
+  extraArgs:
+    - --configmap-tcp-services=default/tcp
+```
+
+### Installing as DaemonSet
+
+Default controller mode is [Deployment](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/), but it is possible to use [DaemonSet](https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/) as well:
+
+```console
+helm install my-ingress haproxytech/kubernetes-ingress \
+  --set controller.kind=DaemonSet
+```
+
+### Installing in multi-ingress environment
+
+It is also possible to set controller ingress class to be used in [multi-ingress environments](https://kubernetes.io/docs/concepts/services-networking/ingress-controllers/#using-multiple-ingress-controllers):
+
+```console
+helm install my-ingress haproxytech/kubernetes-ingress \
+  --set controller.kind=DaemonSet \
+  --set controller.ingressClass=haproxy
+```
+
+**_NOTE_**: make sure your Ingress routes have corresponding `ingress.class: haproxy` annotation.
+
+### Installing Gateway API support
+
+[Gateway API support](https://gateway-api.sigs.k8s.io/) can be installed and used wth controller. Supported features can seen in [Ingress Controller documentation](https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/gateway-api.md)
+
+```console
+helm install my-ingress haproxytech/kubernetes-ingress \
+  --set controller.gatewayControllerName=haproxy.org/gateway-controller
+```
+
+**_NOTE_**: Gateway API is not part of the default k8s API so it needs to be installed.
+
+### Installing with service annotations
+
+On some environments like EKS and GKE there might be a need to pass service annotations. Syntax can become a little tedious however:
+
+```console
+helm install my-ingress haproxytech/kubernetes-ingress \
+  --set controller.kind=DaemonSet \
+  --set controller.ingressClass=haproxy \
+  --set controller.service.type=LoadBalancer \
+  --set controller.service.annotations."service\.beta\.kubernetes\.io/aws-load-balancer-internal"="0.0.0.0/0" \
+  --set controller.service.annotations."service\.beta\.kubernetes\.io/aws-load-balancer-cross-zone-load-balancing-enabled"="true"
+```
+
+**_NOTE_**: With helm `--set` it is needed to put quotes and escape dots in the annotation key and commas in the value string.
+
+### Installing with Horizontal Pod Autoscaler (HPA)
+
+[HPA](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/) automatically scales number of replicas in Deployment or Replication Controller and adjusts replica count for the controller:
+
+```console
+helm install my-ingress haproxytech/kubernetes-ingress \
+  --set controller.autoscaling.enabled=true
+```
+
+### Installing the ServiceMonitor
+
+If you're using the [Prometheus Operator](https://github.com/prometheus-operator/prometheus-operator), you can automatically install the `ServiceMonitor` definition in order to automate the scraping options according to your needs.
+
+```console
+helm repo add prometheus-community https://prometheus-community.github.io/helm-charts
+
+helm install prometheus prometheus-community/kube-prometheus-stack \
+  --set prometheus.prometheusSpec.podMonitorSelectorNilUsesHelmValues=false \
+  --set prometheus.prometheusSpec.serviceMonitorSelectorNilUsesHelmValues=false
+
+helm install my-ingress haproxytech/kubernetes-ingress \
+  --set controller.serviceMonitor.enabled=true
+```
+
+### Installing with Kubernetes Event-driven Autoscaling (KEDA)
+
+[KEDA](https://keda.sh/docs/2.3/concepts/scaling-deployments/) is an improved scaling solution built on top of HPA which allows autoscaling criteria based on information from any event source including Prometheus metrics collected from HAProxy native Prometheus Exporter.
+
+To enable KEDA, you will also need to install Prometheus Operator and ServiceMonitor enabled (serverAddress has to match `prometheus-kube-prometheus-prometheus` service IP):
+
+_mykeda.yaml_:
+
+```yaml
+controller:
+  kind: Deployment
+  serviceMonitor:
+    enabled: true
+  keda:
+    enabled: true
+    minReplicas: 1
+    maxReplicas: 5
+    triggers:
+      - type: prometheus
+        metadata:
+          serverAddress: http://10.96.206.247:9090
+          metricName: haproxy_frontend_current_sessions
+          threshold: "100"
+          query: sum(rate(haproxy_frontend_current_sessions{proxy="http"}[2m]))
+```
+
+Note: Other options to trigger scaling can be found in Prometheus [native exporter documentation](https://github.com/haproxy/haproxy/blob/master/addons/promex/README), but some ideas are:
+
+- `haproxy_process_idle_time_percent`
+- `haproxy_frontend_current_sessions`
+- `haproxy_backend_current_queue`
+
+And to install:
+
+```console
+helm repo add prometheus-community https://prometheus-community.github.io/helm-charts
+helm repo add kedacore https://kedacore.github.io/charts
+
+helm repo update
+
+helm install prometheus prometheus-community/kube-prometheus-stack \
+  --set prometheus.prometheusSpec.podMonitorSelectorNilUsesHelmValues=false \
+  --set prometheus.prometheusSpec.serviceMonitorSelectorNilUsesHelmValues=false
+
+kubectl create namespace keda
+helm install keda kedacore/keda --namespace keda
+
+helm install mytest haproxytech/kubernetes-ingress -f mykeda.yaml
+```
+
+## Installing on Azure Managed Kubernetes Service (AKS)
+
+By default Azure LB sends probe to `/` and expects HTTP status codes of 200-399 to consider Pod healthy, which means probes end up on default HTTP backend returning HTTP 404 status code. Since v1.20 AKS service annotation `service.beta.kubernetes.io/azure-load-balancer-health-probe-request-path` can be used to override health probe behaviour and we recommend using the following annotation on AKS to target `/healthz` endpoint for health probes:
+
+```console
+helm install ...
+  --set controller.service.type=LoadBalancer \
+  --set controller.service.annotations."service\.beta\.kubernetes\.io/azure-load-balancer-health-probe-request-path"=/healthz
+```
+
+## Upgrading the chart
+
+To upgrade the _my-release_ deployment:
+
+```console
+helm upgrade my-release haproxytech/kubernetes-ingress
+```
+
+By default Helm [does not upgrade](https://helm.sh/docs/chart_best_practices/custom_resource_definitions/) CRDs during an upgrade, so before doing an upgrade it is mandatory to upgrade CRDs to the latest version by hand **before** doing a Helm chart upgrade.
+
+```console
+kubectl apply -f https://raw.githubusercontent.com/haproxytech/helm-charts/main/kubernetes-ingress/crds/core.haproxy.org_defaults.yaml
+kubectl apply -f https://raw.githubusercontent.com/haproxytech/helm-charts/main/kubernetes-ingress/crds/core.haproxy.org_globals.yaml
+kubectl apply -f https://raw.githubusercontent.com/haproxytech/helm-charts/main/kubernetes-ingress/crds/core.haproxy.org_backends.yaml
+```
+
+Note: from Helm Chart 1.35.0, Helm Chart contains CRD install/upgrade job that will take care of both installing and
+upgrading CRDs accordingly.
+
+## Uninstalling the chart
+
+To uninstall/delete the _my-release_ deployment:
+
+```console
+helm delete my-release
+```
+
+## Debugging
+
+It is possible to generate a set of YAML files for testing/debugging:
+
+```console
+helm install my-release haproxytech/kubernetes-ingress \
+  --debug \
+  --dry-run
+```
+
+## Contributing
+
+We welcome all contributions. Please refer to [guidelines](../CONTRIBUTING.md) on how to make a contribution.

charts/haproxy/haproxy/1.41.0/app-readme.md

@@ -0,0 +1,8 @@
+# HAProxy
+[HAProxy](https://www.haproxy.org/) is the world's fastest and most widely used software load balancer. HAProxy allows organizations to deliver websites and applications with the utmost performance, observability, and security at any scale and in any environment.
+
+# HAProxy Enterprise
+[HAProxy Enterprise](https://www.haproxy.com/products/haproxy-enterprise-edition/)  is an enterprise-class version of HAProxy providing a robust and reliable code base with cutting edge features, an enterprise suite of add-ons, expert support, and professional services. At its core, it incorporates feature backports from the HAProxy development branch for customers who require immediate access to the latest functionality in a hardened version of code.
+
+## Introduction
+This chart bootstraps the [HAProxy Ingress Controller](https://github.com/haproxytech/kubernetes-ingress) or the [HAProxy Enterprise Ingress Controller](https://www.haproxy.com/products/haproxy-enterprise-kubernetes-ingress-controller/) using the [Helm](https://helm.sh) package manager.

charts/haproxy/haproxy/1.41.0/ci/daemonset-customconfig-values.yaml

@@ -0,0 +1,4 @@
+controller:
+  kind: DaemonSet
+  config:
+    rate-limit: "ON"

charts/haproxy/haproxy/1.41.0/ci/daemonset-customnodeport-values.yaml

@@ -0,0 +1,7 @@
+controller:
+  kind: DaemonSet
+  service:
+    type: NodePort
+    ports:
+      8000: 10000
+      8001: 10001

charts/haproxy/haproxy/1.41.0/ci/daemonset-default-values.yaml

@@ -0,0 +1,2 @@
+controller:
+  kind: DaemonSet

charts/haproxy/haproxy/1.41.0/ci/daemonset-disableddefaultbackend-values.yaml

@@ -0,0 +1,4 @@
+controller:
+  kind: DaemonSet
+defaultBackend:
+  enabled: false

charts/haproxy/haproxy/1.41.0/ci/daemonset-disabledsecretconfig-values.yaml

@@ -0,0 +1,4 @@
+controller:
+  kind: DaemonSet
+  defaultTLSSecret:
+    enabled: false

charts/haproxy/haproxy/1.41.0/ci/daemonset-enableports-values.yaml

@@ -0,0 +1,7 @@
+controller:
+  kind: DaemonSet
+  service:
+    enablePorts:
+      http: false
+      https: true
+      stat: false

charts/haproxy/haproxy/1.41.0/ci/daemonset-extraargs-values.yaml

@@ -0,0 +1,4 @@
+controller:
+  kind: DaemonSet
+  extraArgs:
+    - --namespace-whitelist=default

charts/haproxy/haproxy/1.41.0/ci/daemonset-extraenvs-values.yaml

@@ -0,0 +1,7 @@
+controller:
+  kind: DaemonSet
+  extraEnvs:
+    - name: TEST_STR1
+      value: foo
+    - name: TEST_STR2
+      value: baz

charts/haproxy/haproxy/1.41.0/ci/daemonset-hostport-values.yaml

@@ -0,0 +1,8 @@
+controller:
+  kind: DaemonSet
+  daemonset:
+    useHostPort: true
+    hostPorts:
+      http: 80
+      https: 443
+      stat: 1024

charts/haproxy/haproxy/1.41.0/ci/daemonset-ingressclass-values.yaml

@@ -0,0 +1,6 @@
+controller:
+  kind: DaemonSet
+  ingressClass: haproxy
+  ingressClassResource:
+    enabled: true
+    default: true

charts/haproxy/haproxy/1.41.0/ci/daemonset-ipfamily-values.yaml

@@ -0,0 +1,5 @@
+controller:
+  kind: DaemonSet
+  service:
+    ipFamilies: [IPv4]
+    ipFamilyPolicy: SingleStack

charts/haproxy/haproxy/1.41.0/ci/daemonset-kubernetesgateway-values.yaml

@@ -0,0 +1,5 @@
+controller:
+  kind: DaemonSet
+  kubernetesGateway:
+    enabled: true
+    gatewayControllerName: haproxy.org/gateway-controller

charts/haproxy/haproxy/1.41.0/ci/daemonset-nodeport-values.yaml

@@ -0,0 +1,4 @@
+controller:
+  kind: DaemonSet
+  service:
+    type: NodePort

charts/haproxy/haproxy/1.41.0/ci/daemonset-privileged-ports.values.yaml

@@ -0,0 +1,6 @@
+controller:
+  kind: DaemonSet
+  containerPort:
+    http: 80
+    https: 443
+    stat: 1024

charts/haproxy/haproxy/1.41.0/ci/daemonset-publishservice-values.yaml

@@ -0,0 +1,5 @@
+controller:
+  kind: DaemonSet
+  service:
+    annotations:
+      service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0

charts/haproxy/haproxy/1.41.0/ci/daemonset-serviceannotation-values.yaml

@@ -0,0 +1,5 @@
+controller:
+  kind: DaemonSet
+  service:
+    annotations:
+      service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0

charts/haproxy/haproxy/1.41.0/ci/daemonset-strategy-values.yaml

@@ -0,0 +1,7 @@
+controller:
+  kind: DaemonSet
+  strategy:
+    type: RollingUpdate
+    rollingUpdate:
+      maxUnavailable: 0
+      maxSurge: 1

charts/haproxy/haproxy/1.41.0/ci/daemonset-unprivileged-values.yaml

@@ -0,0 +1,4 @@
+controller:
+  kind: DaemonSet
+  unprivileged: true
+  allowPrivilegedPorts: true

charts/haproxy/haproxy/1.41.0/ci/deployment-customconfig-values.yaml

@@ -0,0 +1,3 @@
+controller:
+  config:
+    rate-limit: "ON"

charts/haproxy/haproxy/1.41.0/ci/deployment-customnodeport-values.yaml

@@ -0,0 +1,6 @@
+controller:
+  service:
+    type: NodePort
+    ports:
+      8000: 10000
+      8001: 10001

charts/haproxy/haproxy/1.41.0/ci/deployment-default-values.yaml

@@ -0,0 +1 @@
+#

charts/haproxy/haproxy/1.41.0/ci/deployment-disableddefaultbackend-values.yaml

@@ -0,0 +1,2 @@
+defaultBackend:
+  enabled: false

charts/haproxy/haproxy/1.41.0/ci/deployment-disabledsecretconfig-values.yaml

@@ -0,0 +1,3 @@
+controller:
+  defaultTLSSecret:
+    enabled: false

charts/haproxy/haproxy/1.41.0/ci/deployment-enableports-values.yaml

@@ -0,0 +1,6 @@
+controller:
+  service:
+    enablePorts:
+      http: false
+      https: true
+      stat: false

charts/haproxy/haproxy/1.41.0/ci/deployment-extraargs-values.yaml

@@ -0,0 +1,3 @@
+controller:
+  extraArgs:
+    - --namespace-whitelist=default

charts/haproxy/haproxy/1.41.0/ci/deployment-extraenvs-values.yaml

@@ -0,0 +1,6 @@
+controller:
+  extraEnvs:
+    - name: TEST_STR1
+      value: foo
+    - name: TEST_STR2
+      value: baz

charts/haproxy/haproxy/1.41.0/ci/deployment-hpa-values.yaml

@@ -0,0 +1,13 @@
+controller:
+  autoscaling:
+    enabled: true
+    minReplicas: 1
+    maxReplicas: 5
+    targetCPUUtilizationPercentage: 80
+
+defaultBackend:
+  autoscaling:
+    enabled: true
+    minReplicas: 1
+    maxReplicas: 2
+    targetCPUUtilizationPercentage: 50

charts/haproxy/haproxy/1.41.0/ci/deployment-ingressclass-values.yaml

@@ -0,0 +1,5 @@
+controller:
+  ingressClass: haproxy
+  ingressClassResource:
+    enabled: true
+    default: true

charts/haproxy/haproxy/1.41.0/ci/deployment-ipfamily-values.yaml

@@ -0,0 +1,4 @@
+controller:
+  service:
+    ipFamilies: [IPv4]
+    ipFamilyPolicy: SingleStack

charts/haproxy/haproxy/1.41.0/ci/deployment-kubernetesgateway-values.yaml

@@ -0,0 +1,4 @@
+controller:
+  kubernetesGateway:
+    enabled: true
+    gatewayControllerName: haproxy.org/gateway-controller

charts/haproxy/haproxy/1.41.0/ci/deployment-nodeport-values.yaml

@@ -0,0 +1,3 @@
+controller:
+  service:
+    type: NodePort

charts/haproxy/haproxy/1.41.0/ci/deployment-privileged-ports.values.yaml

@@ -0,0 +1,5 @@
+controller:
+  containerPort:
+    http: 80
+    https: 443
+    stat: 1024

charts/haproxy/haproxy/1.41.0/ci/deployment-publishservice-values.yaml

@@ -0,0 +1,4 @@
+controller:
+  kind: DaemonSet
+  publishService:
+    enabled: true

charts/haproxy/haproxy/1.41.0/ci/deployment-replicacount-unset.yaml

@@ -0,0 +1,5 @@
+controller:
+    replicaCount: null
+
+defaultBackend:
+    replicaCount: null

charts/haproxy/haproxy/1.41.0/ci/deployment-strategy-values.yaml

@@ -0,0 +1,6 @@
+controller:
+  strategy:
+    type: RollingUpdate
+    rollingUpdate:
+      maxUnavailable: 0
+      maxSurge: 1

charts/haproxy/haproxy/1.41.0/ci/deployment-unprivileged-values.yaml

@@ -0,0 +1,3 @@
+controller:
+  unprivileged: true
+  allowPrivilegedPorts: true

charts/haproxy/haproxy/1.41.0/questions.yml

@@ -0,0 +1,72 @@
+questions:
+- variable: imageDefault
+  default: true
+  description: "Use default Docker image"
+  label: Use Default Image
+  type: boolean
+  group: "Settings"
+  show_subquestion_if: false
+  subquestions:
+  - variable: controller.image.tag
+    default: "1.7.2"
+    description: "HAProxy Ingress Controller Tag"
+    type: string
+    label: HAProxy Ingress Controller Tag
+- variable: controller.kind
+  type: enum
+  options:
+    - "DaemonSet"
+    - "Deployment"
+  default: "Deployment"
+  description: "Deployment Type"
+  label: Deployment Type
+  group: "Settings"
+- variable: controller.service.type
+  type: enum
+  options:
+    - "LoadBalancer"
+    - "NodePort"
+  default: "NodePort"
+  description: "Service Type for HAProxy Ingress Controller"
+  label: Service Type
+  group: "Settings"
+- variable: controller.ingressClass
+  default: ""
+  description: "Ingress Class for targeting this controller"
+  label: Ingress Class
+  type: string
+  group: "Settings"
+- variable: controller.defaultTLSSecret.secret
+  default: ""
+  description: "Default TLS certificate secret"
+  label: TLS Certificate Secret
+  type: string
+  group: "Settings"
+- variable: enableEnterprise
+  default: false
+  description: "Use HAProxy Enterprise"
+  label: Enable
+  type: boolean
+  group: "HAProxy Enterprise"
+  show_subquestion_if: true
+  subquestions:
+  - variable: controller.imageCredentials.registry
+    type: string
+    default: "kubernetes-registry.haproxy.com"
+    description: "HAProxy Enterprise Registtry"
+    label: Registry
+  - variable: controller.image.repository
+    type: string
+    default: "kubernetes-registry.haproxy.com/hapee-ingress"
+    description: "HAProxy Enterprise Registry"
+    label: Repository
+  - variable: controller.imageCredentials.username
+    type: string
+    default: "MYUSERNAME"
+    description: "HAProxy Enterprise Username"
+    label: Username
+  - variable: controller.imageCredentials.password
+    type: string
+    default: "MYPASSWORD"
+    description: "HAProxy Enterprise Password"
+    label: Password 

charts/haproxy/haproxy/1.41.0/templates/NOTES.txt

@@ -0,0 +1,109 @@
+HAProxy Kubernetes Ingress Controller has been successfully installed.
+
+Controller image deployed is: "{{ .Values.controller.image.repository }}:{{ .Values.controller.image.tag | default .Chart.AppVersion }}".
+Your controller is of a "{{ .Values.controller.kind }}" kind. Your controller service is running as a "{{ .Values.controller.service.type }}" type.
+{{- if .Values.rbac.create}}
+RBAC authorization is enabled.
+{{- else}}
+RBAC authorization is disabled.
+{{- end}}
+{{- if .Values.controller.ingressClass}}
+Controller ingress.class is set to "{{ .Values.controller.ingressClass }}" so make sure to use same annotation for
+Ingress resource.
+{{- end}}
+{{- if .Values.controller.gatewayControllerName}}
+Controller Gateway Controller Name is set to "{{ .Values.controller.gatewayControllerName }}" so make sure
+that Gateway API CRDs are installed in Kubernetes.
+{{- end}}
+
+Service ports mapped are:
+{{- if eq .Values.controller.kind "Deployment" }}
+{{- range $key, $value := .Values.controller.containerPort }}
+  - name: {{ $key }}
+    containerPort: {{ $value }}
+    protocol: TCP
+{{- end }}
+{{- if and (semverCompare ">=1.24.0-0" .Capabilities.KubeVersion.Version) .Values.controller.service.enablePorts.quic }}
+  - name: quic
+    containerPort: {{ .Values.controller.containerPort.https }}
+    protocol: UDP
+{{- end }}
+{{- range .Values.controller.service.tcpPorts }}
+  - name: {{ .name | trunc 15 | trimSuffix "-" }}
+    containerPort: {{ .targetPort }}
+    protocol: TCP
+{{- end }}
+{{- end }}
+{{- if eq .Values.controller.kind "DaemonSet" }}
+{{- $useHostPort := .Values.controller.daemonset.useHostPort -}}
+{{- $hostPorts := .Values.controller.daemonset.hostPorts -}}
+{{- $hostIP := .Values.controller.daemonset.hostIP -}}
+{{- range $key, $value := .Values.controller.containerPort }}
+  - name: {{ $key }}
+    containerPort: {{ $value }}
+    protocol: TCP
+{{- if $useHostPort }}
+    hostPort: {{ index $hostPorts $key | default $value }}
+{{- end }}
+{{- if $hostIP }}
+    hostIP: {{ $hostIP }}
+{{- end }}
+{{- end }}
+{{- if and (semverCompare ">=1.24.0-0" .Capabilities.KubeVersion.Version) .Values.controller.service.enablePorts.quic }}
+  - name: quic
+    containerPort: {{ .Values.controller.containerPort.https }}
+    protocol: UDP
+{{- if $useHostPort }}
+    hostPort: {{ .Values.controller.daemonset.hostPorts.https }}
+{{- end }}
+{{- if $hostIP }}
+    hostIP: {{ $hostIP }}
+{{- end }}
+{{- end }}
+{{- range .Values.controller.service.tcpPorts }}
+  - name: {{ .name | trunc 15 | trimSuffix "-" }}
+    containerPort: {{ .port }}
+    protocol: TCP
+{{- if $useHostPort }}
+    hostPort: {{ .port }}
+{{- end }}
+{{- if $hostIP }}
+    hostIP: {{ $hostIP }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+Node IP can be found with:
+  $ kubectl --namespace {{ include "kubernetes-ingress.namespace" . }} get nodes -o jsonpath="{.items[0].status.addresses[1].address}"
+
+The following ingress resource routes traffic to pods that match the following:
+  * service name: web
+  * client's Host header: webdemo.com
+  * path begins with /
+
+  ---
+  apiVersion: networking.k8s.io/v1
+  kind: Ingress
+  metadata:
+    name: web-ingress
+    namespace: default
+    annotations:
+      ingress.class: "haproxy"
+  spec:
+    rules:
+    - host: webdemo.com
+      http:
+        paths:
+        - path: /
+          backend:
+            serviceName: web
+            servicePort: 80
+
+In case that you are using multi-ingress controller environment, make sure to use ingress.class annotation and match it
+with helm chart option controller.ingressClass.
+
+For more examples and up to date documentation, please visit:
+  * Helm chart documentation: https://github.com/haproxytech/helm-charts/tree/main/kubernetes-ingress
+  * Controller documentation: https://www.haproxy.com/documentation/kubernetes/latest/
+  * Annotation reference: https://github.com/haproxytech/kubernetes-ingress/tree/master/documentation
+  * Image parameters reference: https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md

charts/haproxy/haproxy/1.41.0/templates/_helpers.tpl

@@ -0,0 +1,169 @@
+{{/*
+Copyright 2019 HAProxy Technologies LLC
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "kubernetes-ingress.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Allow the release namespace to be overridden for multi-namespace deployments in combined charts
+*/}}
+{{- define "kubernetes-ingress.namespace" -}}
+{{- if .Values.namespaceOverride -}}
+{{- .Values.namespaceOverride -}}
+{{- else -}}
+{{- .Release.Namespace -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "kubernetes-ingress.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "kubernetes-ingress.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Encode an imagePullSecret string.
+*/}}
+{{- define "kubernetes-ingress.imagePullSecret" }}
+{{- printf "{\"auths\": {\"%s\": {\"auth\": \"%s\"}}}" .Values.controller.imageCredentials.registry (printf "%s:%s" .Values.controller.imageCredentials.username .Values.controller.imageCredentials.password | b64enc) | b64enc }}
+{{- end }}
+
+{{/*
+Encode an imagePullSecret string for the default backend.
+*/}}
+{{- define "kubernetes-ingress.defaultBackend.imagePullSecret" }}
+{{- printf "{\"auths\": {\"%s\": {\"auth\": \"%s\"}}}" .Values.defaultBackend.imageCredentials.registry (printf "%s:%s" .Values.defaultBackend.imageCredentials.username .Values.defaultBackend.imageCredentials.password | b64enc) | b64enc }}
+{{- end }}
+
+{{/*
+Generate default certificate for HAProxy.
+*/}}
+{{- define "kubernetes-ingress.gen-certs" -}}
+{{- $ca := genCA "kubernetes-ingress-ca" 365 -}}
+{{- $cn := printf "%s.%s" .Release.Name (include "kubernetes-ingress.namespace" .) -}}
+{{- $cert := genSignedCert $cn nil nil 365 $ca -}}
+tls.crt: {{ $cert.Cert | b64enc }}
+tls.key: {{ $cert.Key | b64enc }}
+{{- end -}}
+
+{{/*
+Create the name of the controller service account to use.
+*/}}
+{{- define "kubernetes-ingress.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create -}}
+    {{ default (include "kubernetes-ingress.fullname" .) .Values.serviceAccount.name }}
+{{- else -}}
+    {{ default "default" .Values.serviceAccount.name }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create the name of the backend service account to use - only used when podsecuritypolicy is also enabled
+*/}}
+{{- define "kubernetes-ingress.defaultBackend.serviceAccountName" -}}
+{{- if or .Values.serviceAccount.create .Values.defaultBackend.serviceAccount.create -}}
+    {{ default (printf "%s-%s" (include "kubernetes-ingress.fullname" .) .Values.defaultBackend.name) .Values.defaultBackend.serviceAccount.name }}
+{{- else -}}
+    {{ default "default" .Values.defaultBackend.serviceAccount.name }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified default backend name.
+*/}}
+{{- define "kubernetes-ingress.defaultBackend.fullname" -}}
+{{- printf "%s-%s" (include "kubernetes-ingress.fullname" .) .Values.defaultBackend.name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified default cert secret name.
+*/}}
+{{- define "kubernetes-ingress.defaultTLSSecret.fullname" -}}
+{{- printf "%s-%s" (include "kubernetes-ingress.fullname" .) "default-cert" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Construct the path for the publish-service.
+By default this will use the <namespace>/<service-name> matching the controller's service name.
+Users can provide an override for an explicit service they want to use via `.Values.controller.publishService.pathOverride`
+*/}}
+{{- define "kubernetes-ingress.publishServicePath" -}}
+{{- $defServicePath := printf "%s/%s" (include "kubernetes-ingress.namespace" .) (include "kubernetes-ingress.fullname" .) -}}
+{{- $servicePath := default $defServicePath .Values.controller.publishService.pathOverride }}
+{{- print $servicePath | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Construct the syslog-server annotation
+*/}}
+{{- define "kubernetes-ingress.syslogServer" -}}
+{{- range $key, $val := .Values.controller.logging.traffic -}}
+{{- printf "%s:%s, " $key $val }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified ServiceMonitor name.
+*/}}
+{{- define "kubernetes-ingress.serviceMonitorName" -}}
+{{- default (include "kubernetes-ingress.fullname" .) .Values.controller.serviceMonitor.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a FQDN for the Service metrics.
+*/}}
+{{- define "kubernetes-ingress.serviceMetricsName" -}}
+{{- printf "%s-%s" (include "kubernetes-ingress.fullname" . | trunc 56 | trimSuffix "-") "metrics" }}
+{{- end -}}
+
+{{/*
+Create a default fully qualified unique CRD job name.
+*/}}
+{{- define "kubernetes-ingress.crdjob.fullname" -}}
+{{- printf "%s-%s-%d" (include "kubernetes-ingress.fullname" .) "crdjob" .Release.Revision | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a FQDN for the proxy pods.
+*/}}
+{{- define "kubernetes-ingress.serviceProxyName" -}}
+{{- printf "%s-%s" (include "kubernetes-ingress.fullname" . | trunc 58 | trimSuffix "-") "proxy" }}
+{{- end -}}
+
+{{/* vim: set filetype=mustache: */}}

charts/haproxy/haproxy/1.41.0/templates/clusterrole.yaml

@@ -0,0 +1,160 @@
+{{/*
+Copyright 2019 HAProxy Technologies LLC
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.rbac.create -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "kubernetes-ingress.fullname" . }}
+  labels:
+    app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }}
+    helm.sh/chart: {{ include "kubernetes-ingress.chart" . }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  - endpoints
+  - nodes
+  - pods
+  - services
+  - namespaces
+  - events
+  - serviceaccounts
+  verbs:
+  - get
+  - list
+  - watch
+{{- if and (eq .Values.controller.sync.mode "fetch") (eq .Values.controller.sync.fetchParams.source "proxy") }}
+- apiGroups:
+  - ""
+  resources:
+  - services
+  - pods
+  verbs:
+  - update
+{{- end }}
+- apiGroups:
+  - "extensions"
+  - "networking.k8s.io"
+  resources:
+  - ingresses
+  - ingresses/status
+  - ingressclasses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - "extensions"
+  - "networking.k8s.io"
+  resources:
+  - ingresses/status
+  verbs:
+  - update
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - list
+  - watch
+  - create
+  - patch
+  - update
+- apiGroups:
+  - discovery.k8s.io
+  resources:
+  - endpointslices
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - core.haproxy.org
+  resources:
+     - '*'
+  verbs:
+  - get
+  - list
+  - watch
+  - update
+- apiGroups:
+  - ingress.v1.haproxy.org
+  - ingress.v1.haproxy.com
+  resources:
+    - "*"
+  verbs:
+  - get
+  - list
+  - watch
+  - update
+- apiGroups:
+  - "apiextensions.k8s.io"
+  resources:
+  - customresourcedefinitions
+  verbs:
+  - get
+  - list
+  - watch
+  - create
+  - update
+  - patch
+  - delete
+{{- if .Values.controller.kubernetesGateway.enabled }}
+- apiGroups:
+  - "gateway.networking.k8s.io"
+  resources:
+  - referencegrants
+  - gateways
+  - gatewayclasses
+  - tcproutes
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - "gateway.networking.k8s.io"
+  resources:
+  - gatewayclasses/status
+  - gateways/status
+  - tcproutes/status
+  verbs:
+  - update
+{{- end }}
+- apiGroups:
+  - "apps"
+  resources:
+  - replicasets
+  - deployments
+  - daemonsets
+  verbs:
+  - get
+  - list
+  - watch
+{{- if and (eq .Values.controller.sync.mode "fetch") (eq .Values.controller.sync.fetchParams.source "proxy") }}
+- apiGroups:
+  - "coordination.k8s.io"
+  resources:
+  - leases
+  verbs:
+  - "*"
+{{- end }}
+{{- end -}}

charts/haproxy/haproxy/1.41.0/templates/clusterrolebinding.yaml

@@ -0,0 +1,37 @@
+{{/*
+Copyright 2019 HAProxy Technologies LLC
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.rbac.create -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "kubernetes-ingress.fullname" . }}
+  labels:
+    app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }}
+    helm.sh/chart: {{ include "kubernetes-ingress.chart" . }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ include "kubernetes-ingress.fullname" . }}
+subjects:
+- kind: ServiceAccount
+  name: {{ include "kubernetes-ingress.serviceAccountName" . }}
+  namespace: {{ include "kubernetes-ingress.namespace" . }}
+{{- end -}}
+

charts/haproxy/haproxy/1.41.0/templates/controller-configmap.yaml

@@ -0,0 +1,38 @@
+{{/*
+Copyright 2019 HAProxy Technologies LLC
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "kubernetes-ingress.fullname" . }}
+  namespace: {{ include "kubernetes-ingress.namespace" . }}
+  labels:
+    app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }}
+    helm.sh/chart: {{ include "kubernetes-ingress.chart" . }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+{{- if .Values.controller.configAnnotations }}
+  annotations:
+{{ toYaml .Values.controller.configAnnotations | indent 4 }}
+{{- end }}
+data:
+{{- if .Values.controller.logging.traffic }}
+  syslog-server: {{ include "kubernetes-ingress.syslogServer" . }}
+{{- end }}
+{{- if .Values.controller.config }}
+{{ toYaml .Values.controller.config | indent 2 }}
+{{- end }}

charts/haproxy/haproxy/1.41.0/templates/controller-crdjob.yaml

@@ -0,0 +1,106 @@
+{{/*
+Copyright 2023 HAProxy Technologies LLC
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ include "kubernetes-ingress.crdjob.fullname" . }}
+  namespace: {{ include "kubernetes-ingress.namespace" . }}
+  labels:
+    app.kubernetes.io/name: {{ include "kubernetes-ingress.crdjob.fullname" . }}
+    helm.sh/chart: {{ include "kubernetes-ingress.chart" . }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+  annotations:
+    argocd.argoproj.io/hook: Sync
+    argocd.argoproj.io/hook-delete-policy: HookSucceeded
+spec:
+{{- if or (.Capabilities.APIVersions.Has "batch/v1alpha1") (semverCompare ">=1.23.0-0" .Capabilities.KubeVersion.Version) }}
+  ttlSecondsAfterFinished: 120
+{{- end }}
+  backoffLimit: 0
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: {{ include "kubernetes-ingress.crdjob.fullname" . }}
+        app.kubernetes.io/instance: {{ .Release.Name }}
+        {{- if .Values.controller.podLabels }}
+{{ toYaml .Values.controller.podLabels | indent 8 }}
+        {{- end }}
+      {{- if .Values.controller.podAnnotations }}
+      annotations:
+{{ toYaml .Values.controller.podAnnotations | indent 8 }}
+      {{- end }}
+    spec:
+      restartPolicy: Never
+      serviceAccountName: {{ include "kubernetes-ingress.serviceAccountName" . }}
+{{- if .Values.controller.imageCredentials.registry }}
+      imagePullSecrets:
+      - name: {{ include "kubernetes-ingress.fullname" . }}
+{{- else if .Values.controller.existingImagePullSecret }}
+      imagePullSecrets:
+      - name: {{ .Values.controller.existingImagePullSecret }}
+{{- end }}
+{{- if .Values.controller.priorityClassName }}
+      priorityClassName: {{ .Values.controller.priorityClassName }}
+{{- end }}
+{{- if .Values.controller.runtimeClassName }}
+      runtimeClassName: {{ .Values.controller.runtimeClassName }}
+{{- end }}
+{{- if .Values.controller.unprivileged }}
+      securityContext:
+        runAsNonRoot: true
+        runAsUser:  1000
+        runAsGroup: 1000
+{{- end }}
+      containers:
+        - name: crd
+          image: "{{ .Values.controller.image.repository }}:{{ .Values.controller.image.tag | default .Chart.AppVersion }}"
+          imagePullPolicy: {{ .Values.controller.image.pullPolicy }}
+          command:
+            - /haproxy-ingress-controller
+            - --job-check-crd
+          {{- if .Values.controller.unprivileged }}
+          securityContext:
+            runAsNonRoot: true
+            runAsUser:  1000
+            runAsGroup: 1000
+            allowPrivilegeEscalation: {{ .Values.controller.allowPrivilegeEscalation }}
+            capabilities:
+              drop:
+                - ALL
+              add:
+                - NET_BIND_SERVICE
+            {{- if .Values.controller.enableRuntimeDefaultSeccompProfile }}
+            seccompProfile:
+              type: RuntimeDefault
+            {{- end }}
+          resources:
+            {{- toYaml .Values.controller.resources | nindent 12 }}
+          {{- end }}
+      {{- with .Values.controller.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.controller.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.controller.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}

charts/haproxy/haproxy/1.41.0/templates/controller-daemonset.yaml

@@ -0,0 +1,288 @@
+{{/*
+Copyright 2019 HAProxy Technologies LLC
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if eq .Values.controller.kind "DaemonSet" }}
+{{- $useHostNetwork := .Values.controller.daemonset.useHostNetwork -}}
+{{- $useHostPort := .Values.controller.daemonset.useHostPort -}}
+{{- $hostPorts := .Values.controller.daemonset.hostPorts -}}
+{{- $hostIP := .Values.controller.daemonset.hostIP -}}
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: {{ include "kubernetes-ingress.fullname" . }}
+  namespace: {{ include "kubernetes-ingress.namespace" . }}
+  labels:
+    app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }}
+    helm.sh/chart: {{ include "kubernetes-ingress.chart" . }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    {{- if .Values.controller.extraLabels }}
+{{ toYaml .Values.controller.extraLabels | indent 4 }}
+    {{- end }}
+spec:
+  minReadySeconds: {{ .Values.controller.minReadySeconds }}
+  {{- with .Values.controller.strategy }}
+  updateStrategy:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }}
+      app.kubernetes.io/instance: {{ .Release.Name }}
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }}
+        app.kubernetes.io/instance: {{ .Release.Name }}
+        {{- if .Values.controller.podLabels }}
+{{ toYaml .Values.controller.podLabels | indent 8 }}
+        {{- end }}
+      {{- if .Values.controller.podAnnotations }}
+      annotations:
+{{ toYaml .Values.controller.podAnnotations | indent 8 }}
+      {{- end }}
+    spec:
+      enableServiceLinks: {{ .Values.controller.enableServiceLinks }}
+      serviceAccountName: {{ include "kubernetes-ingress.serviceAccountName" . }}
+      terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }}
+      {{- if $useHostNetwork }}
+      hostNetwork: true
+      {{- end }}
+{{- if .Values.controller.dnsConfig }}
+      dnsConfig:
+{{ toYaml .Values.controller.dnsConfig | indent 8 }}
+{{- end }}
+      dnsPolicy: {{ .Values.controller.dnsPolicy }}
+{{- if .Values.controller.imageCredentials.registry }}
+      imagePullSecrets:
+      - name: {{ include "kubernetes-ingress.fullname" . }}
+{{- else if .Values.controller.existingImagePullSecret }}
+      imagePullSecrets:
+      - name: {{ .Values.controller.existingImagePullSecret }}
+{{- end }}
+{{- if .Values.controller.priorityClassName }}
+      priorityClassName: {{ .Values.controller.priorityClassName }}
+{{- end }}
+{{- if .Values.controller.runtimeClassName }}
+      runtimeClassName: {{ .Values.controller.runtimeClassName }}
+{{- end }}
+{{- if .Values.controller.unprivileged }}
+      securityContext:
+        runAsNonRoot: true
+        runAsUser:  1000
+        runAsGroup: 1000
+{{- if .Values.controller.allowPrivilegedPorts }}
+        sysctls:
+         - name: net.ipv4.ip_unprivileged_port_start
+           value: "0"
+{{- end }}
+{{- end }}
+      containers:
+        - name: {{ include "kubernetes-ingress.name" . }}-{{ .Values.controller.name }}
+          image: "{{ .Values.controller.image.repository }}:{{ .Values.controller.image.tag | default .Chart.AppVersion }}"
+          imagePullPolicy: {{ .Values.controller.image.pullPolicy }}
+          args:
+{{- if .Values.controller.defaultTLSSecret.enabled -}}
+{{- if and .Values.controller.defaultTLSSecret.secret .Values.controller.defaultTLSSecret.secretNamespace }}
+          - --default-ssl-certificate={{ tpl .Values.controller.defaultTLSSecret.secretNamespace . }}/{{ .Values.controller.defaultTLSSecret.secret }}
+{{- else }}
+          - --default-ssl-certificate={{ include "kubernetes-ingress.namespace" . }}/{{ include "kubernetes-ingress.defaultTLSSecret.fullname" . }}
+{{- end }}
+{{- end }}
+          - --configmap={{ include "kubernetes-ingress.namespace" . }}/{{ include "kubernetes-ingress.fullname" . }}
+          - --http-bind-port={{ .Values.controller.containerPort.http }}
+          - --https-bind-port={{ .Values.controller.containerPort.https }}
+{{- if and (semverCompare ">=1.24.0-0" .Capabilities.KubeVersion.Version) .Values.controller.service.enablePorts.quic }}
+          - --quic-bind-port={{ .Values.controller.containerPort.https }}
+          - --quic-announce-port={{ .Values.controller.service.ports.https }}
+{{- end }}
+{{- if .Values.controller.ingressClass }}
+          - --ingress.class={{ .Values.controller.ingressClass }}
+{{- end }}
+{{- if and .Values.controller.kubernetesGateway.enabled .Values.controller.kubernetesGateway.gatewayControllerName }}
+          - --gateway-controller-name={{ .Values.controller.kubernetesGateway.gatewayControllerName }}
+{{- end }}
+{{- if .Values.controller.publishService.enabled }}
+          - --publish-service={{ include "kubernetes-ingress.publishServicePath" . }}
+{{- end }}
+{{- if .Values.controller.logging.level }}
+          - --log={{ .Values.controller.logging.level }}
+{{- end }}
+{{- if .Values.controller.service.enablePorts.prometheus }}
+          - --prometheus
+{{- end }}
+{{- range .Values.controller.extraArgs }}
+          - {{ . }}
+{{- end }}
+          {{- if .Values.controller.unprivileged }}
+          securityContext:
+            runAsNonRoot: true
+            runAsUser:  1000
+            runAsGroup: 1000
+            allowPrivilegeEscalation: {{ .Values.controller.allowPrivilegeEscalation }}
+            capabilities:
+              drop:
+                - ALL
+              add:
+                - NET_BIND_SERVICE
+            {{- if .Values.controller.enableRuntimeDefaultSeccompProfile }}
+            seccompProfile:
+              type: RuntimeDefault
+            {{- end }}
+          {{- end }}
+          ports:
+          {{- range $key, $value := .Values.controller.containerPort }}
+            - name: {{ $key }}
+              containerPort: {{ $value }}
+              protocol: TCP
+              {{- if $useHostPort }}
+              hostPort: {{ index $hostPorts $key | default $value }}
+              {{- end }}
+              {{- if $hostIP }}
+              hostIP: {{ $hostIP }}
+              {{- end }}
+          {{- end }}
+          {{- if and (semverCompare ">=1.24.0-0" .Capabilities.KubeVersion.Version) .Values.controller.service.enablePorts.quic }}
+            - name: quic
+              containerPort: {{ .Values.controller.containerPort.https }}
+              protocol: UDP
+              {{- if $useHostPort }}
+              hostPort: {{ .Values.controller.daemonset.hostPorts.https }}
+              {{- end }}
+              {{- if $hostIP }}
+              hostIP: {{ $hostIP }}
+              {{- end }}
+          {{- end }}
+          {{- range .Values.controller.service.tcpPorts }}
+            - name: {{ .name | trunc 15 | trimSuffix "-" }}
+              containerPort: {{ .port }}
+              protocol: TCP
+              {{- if $useHostPort }}
+              hostPort: {{ .port }}
+              {{- end }}
+              {{- if $hostIP }}
+              hostIP: {{ $hostIP }}
+              {{- end }}
+          {{- end }}
+          {{- with .Values.controller.livenessProbe }}
+          livenessProbe:
+            {{- toYaml . | trim | nindent 12 }}
+          {{- end }}
+          {{- with .Values.controller.readinessProbe }}
+          readinessProbe:
+            {{- toYaml . | trim | nindent 12 }}
+          {{- end }}
+          {{- with .Values.controller.startupProbe }}
+          startupProbe:
+            {{- toYaml . | trim | nindent 12 }}
+          {{- end }}
+          env:
+          {{- if .Values.aws.licenseConfigSecretName }}
+          - name: AWS_WEB_IDENTITY_REFRESH_TOKEN_FILE
+            value: "/var/run/secrets/product-license/license_token"
+          - name: AWS_ROLE_ARN
+            valueFrom:
+              secretKeyRef:
+                name: {{ .Values.aws.licenseConfigSecretName }}
+                key: iam_role
+          {{- end }}
+          - name: POD_NAME
+            valueFrom:
+              fieldRef:
+                fieldPath: metadata.name
+          - name: POD_NAMESPACE
+            valueFrom:
+              fieldRef:
+                fieldPath: metadata.namespace
+          - name: POD_IP
+            valueFrom:
+              fieldRef:
+                fieldPath: status.podIP
+          {{- if .Values.controller.extraEnvs -}}
+          {{- toYaml .Values.controller.extraEnvs | nindent 10 }}
+          {{- end }}
+          resources:
+            {{- toYaml .Values.controller.resources | nindent 12 }}
+          {{- if .Values.controller.lifecycle }}
+          lifecycle:
+            {{- if eq "string" (printf "%T" .Values.controller.lifecycle) }}
+{{ tpl .Values.controller.lifecycle . | indent 12 }}
+            {{- else }}
+{{ toYaml .Values.controller.lifecycle | indent 12 }}
+            {{- end }}
+          {{- end }}
+          volumeMounts:
+            - name: tmp
+              mountPath: /tmp
+              subPath: tmp
+            - name: tmp
+              mountPath: /run
+              subPath: run
+            {{- if .Values.aws.licenseConfigSecretName }}
+            - name: aws-product-license
+              readOnly: true
+              mountPath: /var/run/secrets/product-license
+            {{- end }}
+            {{- if eq "string" (printf "%T" .Values.controller.extraVolumeMounts) }}
+{{ tpl .Values.controller.extraVolumeMounts . | indent 12 }}
+            {{- else if gt (len .Values.controller.extraVolumeMounts) 0 }}
+{{ toYaml .Values.controller.extraVolumeMounts | indent 12 }}
+            {{- end }}
+        {{- if .Values.controller.extraContainers }}
+          {{- if eq "string" (printf "%T" .Values.controller.extraContainers) }}
+{{ tpl .Values.controller.extraContainers . | indent 8 }}
+          {{- else }}
+{{ toYaml .Values.controller.extraContainers | indent 8 }}
+          {{- end }}
+        {{- end }}
+      volumes:
+        - name: tmp
+          {{- if semverCompare ">=1.21.0-0" .Capabilities.KubeVersion.Version }}
+          emptyDir:
+            medium: Memory
+            sizeLimit: 64Mi
+          {{- else }}
+          emptyDir: {}
+          {{- end }}
+        {{- if .Values.aws.licenseConfigSecretName }}
+        - name: aws-product-license
+          secret:
+            secretName: {{ .Values.aws.licenseConfigSecretName }}
+            optional: true
+        {{- end }}
+        {{- if eq "string" (printf "%T" .Values.controller.extraVolumes) }}
+{{ tpl .Values.controller.extraVolumes . | indent 8 }}
+        {{- else if gt (len .Values.controller.extraVolumes) 0 }}
+{{ toYaml .Values.controller.extraVolumes | indent 8 }}
+        {{- end }}
+      {{- with.Values.controller.initContainers }}
+      initContainers:
+          {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.controller.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+    {{- with .Values.controller.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+    {{- end }}
+    {{- with .Values.controller.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+    {{- end }}
+{{- end }}

charts/haproxy/haproxy/1.41.0/templates/controller-defaultcertsecret.yaml

@@ -0,0 +1,37 @@
+{{/*
+Copyright 2019 HAProxy Technologies LLC
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.controller.defaultTLSSecret.enabled }}
+{{- if and (not .Values.controller.defaultTLSSecret.secret) .Values.controller.defaultTLSSecret.secretNamespace }}
+apiVersion: v1
+kind: Secret
+type: kubernetes.io/tls
+metadata:
+  name: {{ include "kubernetes-ingress.defaultTLSSecret.fullname" . }}
+  namespace: {{ include "kubernetes-ingress.namespace" . }}
+  labels:
+    app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }}
+    helm.sh/chart: {{ include "kubernetes-ingress.chart" . }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+  annotations:
+    "helm.sh/hook": "pre-install"
+    "helm.sh/hook-delete-policy": "before-hook-creation"
+data:
+{{ ( include "kubernetes-ingress.gen-certs" . ) | indent 2 }}
+{{- end }}
+{{- end }}

charts/haproxy/haproxy/1.41.0/templates/controller-deployment.yaml

@@ -0,0 +1,281 @@
+{{/*
+Copyright 2019 HAProxy Technologies LLC
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if eq .Values.controller.kind "Deployment" }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "kubernetes-ingress.fullname" . }}
+  namespace: {{ include "kubernetes-ingress.namespace" . }}
+  labels:
+    app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }}
+    helm.sh/chart: {{ include "kubernetes-ingress.chart" . }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    {{- if .Values.controller.extraLabels }}
+{{ toYaml .Values.controller.extraLabels | indent 4 }}
+    {{- end }}
+spec:
+  {{- if and (not .Values.controller.autoscaling.enabled) (not .Values.controller.keda.enabled) }}
+  replicas: {{ .Values.controller.replicaCount }}
+  {{- end }}
+  minReadySeconds: {{ .Values.controller.minReadySeconds }}
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }}
+      app.kubernetes.io/instance: {{ .Release.Name }}
+  {{- with .Values.controller.strategy }}
+  strategy:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }}
+        app.kubernetes.io/instance: {{ .Release.Name }}
+        {{- if .Values.controller.podLabels }}
+{{ toYaml .Values.controller.podLabels | indent 8 }}
+        {{- end }}
+      {{- if .Values.controller.podAnnotations }}
+      annotations:
+{{ toYaml .Values.controller.podAnnotations | indent 8 }}
+      {{- end }}
+    spec:
+      enableServiceLinks: {{ .Values.controller.enableServiceLinks }}
+      serviceAccountName: {{ include "kubernetes-ingress.serviceAccountName" . }}
+      terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }}
+{{- with .Values.controller.topologySpreadConstraints }}
+      topologySpreadConstraints:
+        {{- toYaml . | nindent 8 }}
+{{- end }}
+{{- if .Values.controller.dnsConfig }}
+      dnsConfig:
+{{ toYaml .Values.controller.dnsConfig | indent 8 }}
+{{- end }}
+      dnsPolicy: {{ .Values.controller.dnsPolicy }}
+{{- if .Values.controller.imageCredentials.registry }}
+      imagePullSecrets:
+      - name: {{ include "kubernetes-ingress.fullname" . }}
+{{- else if .Values.controller.existingImagePullSecret }}
+      imagePullSecrets:
+      - name: {{ .Values.controller.existingImagePullSecret }}
+{{- end }}
+{{- if .Values.controller.priorityClassName }}
+      priorityClassName: {{ .Values.controller.priorityClassName }}
+{{- end }}
+{{- if .Values.controller.runtimeClassName }}
+      runtimeClassName: {{ .Values.controller.runtimeClassName }}
+{{- end }}
+{{- if .Values.controller.unprivileged }}
+      securityContext:
+        runAsNonRoot: true
+        runAsUser:  1000
+        runAsGroup: 1000
+{{- if .Values.controller.allowPrivilegedPorts }}
+        sysctls:
+         - name: net.ipv4.ip_unprivileged_port_start
+           value: "0"
+{{- end }}
+{{- end }}
+      containers:
+        - name: {{ include "kubernetes-ingress.name" . }}-{{ .Values.controller.name }}
+          image: "{{ .Values.controller.image.repository }}:{{ .Values.controller.image.tag | default .Chart.AppVersion }}"
+          imagePullPolicy: {{ .Values.controller.image.pullPolicy }}
+          args:
+{{- if .Values.controller.defaultTLSSecret.enabled -}}
+{{- if and .Values.controller.defaultTLSSecret.secret .Values.controller.defaultTLSSecret.secretNamespace }}
+          - --default-ssl-certificate={{ tpl .Values.controller.defaultTLSSecret.secretNamespace . }}/{{ .Values.controller.defaultTLSSecret.secret }}
+{{- else }}
+          - --default-ssl-certificate={{ include "kubernetes-ingress.namespace" . }}/{{ include "kubernetes-ingress.defaultTLSSecret.fullname" . }}
+{{- end }}
+{{- end }}
+          - --configmap={{ include "kubernetes-ingress.namespace" . }}/{{ include "kubernetes-ingress.fullname" . }}
+          - --http-bind-port={{ .Values.controller.containerPort.http }}
+          - --https-bind-port={{ .Values.controller.containerPort.https }}
+{{- if and (semverCompare ">=1.24.0-0" .Capabilities.KubeVersion.Version) .Values.controller.service.enablePorts.quic }}
+          - --quic-bind-port={{ .Values.controller.containerPort.https }}
+          - --quic-announce-port={{ .Values.controller.service.ports.https }}
+{{- end }}
+{{- if .Values.controller.ingressClass }}
+          - --ingress.class={{ .Values.controller.ingressClass }}
+{{- end }}
+{{- if and .Values.controller.kubernetesGateway.enabled .Values.controller.kubernetesGateway.gatewayControllerName }}
+          - --gateway-controller-name={{ .Values.controller.kubernetesGateway.gatewayControllerName }}
+{{- end }}
+{{- if .Values.controller.publishService.enabled }}
+          - --publish-service={{ include "kubernetes-ingress.publishServicePath" . }}
+{{- end }}
+{{- if .Values.controller.logging.level }}
+          - --log={{ .Values.controller.logging.level }}
+{{- end }}
+{{- if .Values.controller.service.enablePorts.prometheus }}
+          - --prometheus
+{{- end }}
+{{- if eq .Values.controller.sync.mode "fetch" }}
+  {{- if .Values.controller.sync.fetchParams.period }}
+          - --proxy-k8s-fetch-period={{ .Values.controller.sync.fetchParams.period }}
+  {{- end }}
+  {{- if eq .Values.controller.sync.fetchParams.source "k8s" }}
+          - --k8s-api-sync-type=k8s
+  {{- else if eq .Values.controller.sync.fetchParams.source "proxy" }}
+          - --k8s-api-sync-type=proxy
+          - --proxy-svc-label-selector={{ .Values.controller.sync.proxyParams.proxySvcLabelSelector }}
+  {{- end }}
+{{- end }}
+{{- range .Values.controller.extraArgs }}
+          - {{ . }}
+{{- end }}
+          {{- if .Values.controller.unprivileged }}
+          securityContext:
+            runAsNonRoot: true
+            runAsUser:  1000
+            runAsGroup: 1000
+            allowPrivilegeEscalation: {{ .Values.controller.allowPrivilegeEscalation }}
+            capabilities:
+              drop:
+                - ALL
+              add:
+                - NET_BIND_SERVICE
+            {{- if .Values.controller.enableRuntimeDefaultSeccompProfile }}
+            seccompProfile:
+              type: RuntimeDefault
+            {{- end }}
+          {{- end }}
+          ports:
+          {{- range $key, $value := .Values.controller.containerPort }}
+            - name: {{ $key }}
+              containerPort: {{ $value }}
+              protocol: TCP
+          {{- end }}
+          {{- if and (semverCompare ">=1.24.0-0" .Capabilities.KubeVersion.Version) .Values.controller.service.enablePorts.quic }}
+            - name: quic
+              containerPort: {{ .Values.controller.containerPort.https }}
+              protocol: UDP
+          {{- end }}
+          {{- range .Values.controller.service.tcpPorts }}
+            - name: {{ .name | trunc 15 | trimSuffix "-" }}
+              containerPort: {{ .targetPort }}
+              protocol: TCP
+          {{- end }}
+          {{- with .Values.controller.livenessProbe }}
+          livenessProbe:
+            {{- toYaml . | trim | nindent 12 }}
+          {{- end }}
+          {{- with .Values.controller.readinessProbe }}
+          readinessProbe:
+            {{- toYaml . | trim | nindent 12 }}
+          {{- end }}
+          {{- with .Values.controller.startupProbe }}
+          startupProbe:
+            {{- toYaml . | trim | nindent 12 }}
+          {{- end }}
+          env:
+          {{- if .Values.aws.licenseConfigSecretName }}
+          - name: AWS_WEB_IDENTITY_REFRESH_TOKEN_FILE
+            value: "/var/run/secrets/product-license/license_token"
+          - name: AWS_ROLE_ARN
+            valueFrom:
+              secretKeyRef:
+                name: {{ .Values.aws.licenseConfigSecretName }}
+                key: iam_role
+          {{- end }}
+          - name: POD_NAME
+            valueFrom:
+              fieldRef:
+                fieldPath: metadata.name
+          - name: POD_NAMESPACE
+            valueFrom:
+              fieldRef:
+                fieldPath: metadata.namespace
+          - name: POD_IP
+            valueFrom:
+              fieldRef:
+                fieldPath: status.podIP
+          {{- if .Values.controller.extraEnvs -}}
+          {{- toYaml .Values.controller.extraEnvs | nindent 10 }}
+          {{- end }}
+          resources:
+            {{- toYaml .Values.controller.resources | nindent 12 }}
+          {{- if .Values.controller.lifecycle }}
+          lifecycle:
+            {{- if eq "string" (printf "%T" .Values.controller.lifecycle) }}
+{{ tpl .Values.controller.lifecycle . | indent 12 }}
+            {{- else }}
+{{ toYaml .Values.controller.lifecycle | indent 12 }}
+            {{- end }}
+          {{- end }}
+          volumeMounts:
+            - name: tmp
+              mountPath: /tmp
+              subPath: tmp
+            - name: tmp
+              mountPath: /run
+              subPath: run
+            {{- if .Values.aws.licenseConfigSecretName }}
+            - name: aws-product-license
+              readOnly: true
+              mountPath: /var/run/secrets/product-license
+            {{- end }}
+            {{- if eq "string" (printf "%T" .Values.controller.extraVolumeMounts) }}
+{{ tpl .Values.controller.extraVolumeMounts . | indent 12 }}
+            {{- else if gt (len .Values.controller.extraVolumeMounts) 0 }}
+{{ toYaml .Values.controller.extraVolumeMounts | indent 12 }}
+            {{- end }}
+        {{- if .Values.controller.extraContainers }}
+          {{- if eq "string" (printf "%T" .Values.controller.extraContainers) }}
+{{ tpl .Values.controller.extraContainers . | indent 8 }}
+          {{- else }}
+{{ toYaml .Values.controller.extraContainers | indent 8 }}
+          {{- end }}
+        {{- end }}
+      volumes:
+        - name: tmp
+          {{- if semverCompare ">=1.21.0-0" .Capabilities.KubeVersion.Version }}
+          emptyDir:
+            medium: Memory
+            sizeLimit: 64Mi
+          {{- else }}
+          emptyDir: {}
+          {{- end }}
+        {{- if .Values.aws.licenseConfigSecretName }}
+        - name: aws-product-license
+          secret:
+            secretName: {{ .Values.aws.licenseConfigSecretName }}
+            optional: true
+        {{- end }}
+        {{- if eq "string" (printf "%T" .Values.controller.extraVolumes) }}
+{{ tpl .Values.controller.extraVolumes . | indent 8 }}
+        {{- else if gt (len .Values.controller.extraVolumes) 0 }}
+{{ toYaml .Values.controller.extraVolumes | indent 8 }}
+        {{- end }}
+      {{- with.Values.controller.initContainers }}
+      initContainers:
+          {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.controller.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+    {{- with .Values.controller.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+    {{- end }}
+    {{- with .Values.controller.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+    {{- end }}
+{{- end }}

charts/haproxy/haproxy/1.41.0/templates/controller-hpa.yaml

@@ -0,0 +1,68 @@
+{{/*
+Copyright 2020 HAProxy Technologies LLC
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and (eq .Values.controller.kind "Deployment") .Values.controller.autoscaling.enabled }}
+{{- if not .Values.controller.keda.enabled }}
+{{- if or (.Capabilities.APIVersions.Has "autoscaling/v2") (semverCompare ">=1.23.0-0" .Capabilities.KubeVersion.Version) }}
+apiVersion: autoscaling/v2
+{{- else if .Capabilities.APIVersions.Has "autoscaling/v2beta2" }}
+apiVersion: autoscaling/v2beta2
+{{- else }}
+  {{- fail "ERROR: You must have autoscaling/v2 or autoscaling/v2beta2 to use HorizontalPodAutoscaler" }}
+{{- end }}
+kind: HorizontalPodAutoscaler
+metadata:
+{{- if .Values.controller.autoscaling.annotations }}
+  annotations:
+{{ toYaml .Values.controller.autoscaling.annotations | indent 4 }}
+{{- end }}
+  name: {{ include "kubernetes-ingress.fullname" . }}
+  namespace: {{ include "kubernetes-ingress.namespace" . }}
+  labels:
+    app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }}
+    helm.sh/chart: {{ include "kubernetes-ingress.chart" . }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+spec:
+  scaleTargetRef:
+    apiVersion: apps/v1
+    kind: Deployment
+    name: {{ include "kubernetes-ingress.fullname" . }}
+  minReplicas: {{ .Values.controller.autoscaling.minReplicas }}
+  maxReplicas: {{ .Values.controller.autoscaling.maxReplicas }}
+  metrics:
+  {{- if .Values.controller.autoscaling.targetCPUUtilizationPercentage }}
+    - type: Resource
+      resource:
+        name: cpu
+        target:
+          type: Utilization
+          averageUtilization: {{ .Values.controller.autoscaling.targetCPUUtilizationPercentage }}
+  {{- end }}
+  {{- if .Values.controller.autoscaling.targetMemoryUtilizationPercentage }}
+    - type: Resource
+      resource:
+        name: memory
+        target:
+          type: Utilization
+          averageUtilization: {{ .Values.controller.autoscaling.targetMemoryUtilizationPercentage }}
+  {{- end }}
+  {{- if .Values.controller.autoscaling.custom }}
+  {{- toYaml .Values.controller.autoscaling.custom | nindent 4 }}
+  {{- end }}
+{{- end }}
+{{- end }}

charts/haproxy/haproxy/1.41.0/templates/controller-ingressclass.yaml

@@ -0,0 +1,46 @@
+{{/*
+Copyright 2021 HAProxy Technologies LLC
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if semverCompare ">=1.16.0-0" .Capabilities.KubeVersion.Version }}
+{{- if or (.Capabilities.APIVersions.Has "networking.k8s.io/v1/IngressClass") (semverCompare ">=1.19.0-0" .Capabilities.KubeVersion.Version) }}
+apiVersion: networking.k8s.io/v1
+{{- else }}
+apiVersion: networking.k8s.io/v1beta1
+{{- end }}
+kind: IngressClass
+metadata:
+  name: {{ .Values.controller.ingressClassResource.name }}
+  labels:
+    app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }}
+    helm.sh/chart: {{ include "kubernetes-ingress.chart" . }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+{{- if .Values.controller.ingressClassResource.default }}
+  annotations:
+    ingressclass.kubernetes.io/is-default-class: "true"
+{{- end }}
+spec:
+{{- if not .Values.controller.ingressClass }}
+  controller: haproxy.org/ingress-controller
+{{- else }}
+  controller: haproxy.org/ingress-controller/{{ .Values.controller.ingressClass }}
+{{- end }}
+  {{- if .Values.controller.ingressClassResource.parameters }}
+  parameters:
+{{ toYaml .Values.controller.ingressClassResource.parameters | indent 4 }}
+{{- end }}
+{{- end }}

charts/haproxy/haproxy/1.41.0/templates/controller-keda.yaml

@@ -0,0 +1,57 @@
+{{/*
+Copyright 2021 HAProxy Technologies LLC
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and (eq .Values.controller.kind "Deployment") .Values.controller.keda.enabled }}
+apiVersion: keda.sh/v1alpha1
+kind: ScaledObject
+metadata:
+  name: {{ include "kubernetes-ingress.fullname" . }}
+  namespace: {{ include "kubernetes-ingress.namespace" . }}
+  labels:
+    app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }}
+    helm.sh/chart: {{ include "kubernetes-ingress.chart" . }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+  {{- if .Values.controller.keda.scaledObject.annotations }}
+  annotations: {{ toYaml .Values.controller.keda.scaledObject.annotations | nindent 4 }}
+  {{- end }}
+spec:
+  scaleTargetRef:
+    name: {{ include "kubernetes-ingress.fullname" . }}
+  pollingInterval: {{ .Values.controller.keda.pollingInterval }}
+  cooldownPeriod: {{ .Values.controller.keda.cooldownPeriod }}
+  minReplicaCount: {{ .Values.controller.keda.minReplicas }}
+  maxReplicaCount: {{ .Values.controller.keda.maxReplicas }}
+  triggers:
+{{- with .Values.controller.keda.triggers }}
+{{ toYaml . | indent 2 }}
+{{ end }}
+  advanced:
+    restoreToOriginalReplicaCount: {{ .Values.controller.keda.restoreToOriginalReplicaCount }}
+{{- if .Values.controller.keda.horizontalPodAutoscalerConfig }}
+    horizontalPodAutoscalerConfig:
+{{- if .Values.controller.keda.horizontalPodAutoscalerConfig.name }}
+      name: {{ .Values.controller.keda.horizontalPodAutoscalerConfig.name }}
+{{- end }}
+{{- if .Values.controller.keda.horizontalPodAutoscalerConfig.behavior }}
+      behavior:
+{{ with .Values.controller.keda.horizontalPodAutoscalerConfig.behavior -}}
+{{ toYaml . | indent 8 }}
+{{ end }}
+{{- end }}
+{{- end }}
+{{- end }}

charts/haproxy/haproxy/1.41.0/templates/controller-poddisruptionbudget.yaml

@@ -0,0 +1,44 @@
+{{/*
+Copyright 2019 HAProxy Technologies LLC
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.controller.PodDisruptionBudget.enable }}
+{{- if or (.Capabilities.APIVersions.Has "policy/v1/PodDisruptionBudget") (semverCompare ">=1.21.0-0" .Capabilities.KubeVersion.Version) }}
+apiVersion: policy/v1
+{{- else }}
+apiVersion: policy/v1beta1
+{{- end }}
+kind: PodDisruptionBudget
+metadata:
+  name: {{ include "kubernetes-ingress.fullname" . }}
+  namespace: {{ include "kubernetes-ingress.namespace" . }}
+  labels:
+    app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }}
+    helm.sh/chart: {{ include "kubernetes-ingress.chart" . }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+spec:
+  {{- if .Values.controller.PodDisruptionBudget.maxUnavailable }}
+  maxUnavailable: {{ .Values.controller.PodDisruptionBudget.maxUnavailable }}
+  {{- end }}
+  {{- if .Values.controller.PodDisruptionBudget.minAvailable }}
+  minAvailable: {{ .Values.controller.PodDisruptionBudget.minAvailable }}
+  {{- end }}
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }}
+      app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}