Merge pull request #656 from nflondo/main-source

Charts CI
alex-isv 2023-02-02 10:26:17 -07:00 committed by GitHub
commit 72c3738aa2
163 changed files with 7854 additions and 1192 deletions

assets/nats/nats-0.19.7.tgz Normal file


@ -5,7 +5,7 @@ annotations:
catalog.cattle.io/namespace: kubeslice-controller
catalog.cattle.io/release-name: kubeslice-controller
apiVersion: v2
appVersion: 0.2.1
appVersion: 0.5.0
description: Multi cloud networking (MCN), multi cluster, hybrid cloud networking
tool for efficient, secure, policy-enforced connectivity and true multi-tenancy
capabilities. KubeSlice enables enterprise platform teams to reduce infrastructure
@ -36,4 +36,4 @@ keywords:
kubeVersion: '>= 1.19.0-0'
name: kubeslice-controller
type: application
version: 0.4.4
version: 0.5.0


@ -1,13 +1,13 @@
# Kubeslice Enterprise Controller Helm Charts
## Prerequisites
📖 Follow the overview and registration [documentation](https://staging2-docs.avesha.io/documentation/enterprise/0.4.0/deployment-partners/deploying-kubeslice-on-rancher/)
📖 Follow the overview and registration [documentation](https://docs.avesha.io/documentation/enterprise/0.5.0/deployment-partners/deploying-kubeslice-on-rancher/)
- Create and configure the controller cluster following instructions in the prerequisites section [documentation](https://staging2-docs.avesha.io/documentation/enterprise/0.4.0/deployment-partners/deploying-kubeslice-on-rancher/installing-the-kubeslice-controller-on-rancher)
- Create and configure the controller cluster following instructions in the prerequisites section [documentation](https://docs.avesha.io/documentation/enterprise/0.5.0/deployment-partners/deploying-kubeslice-on-rancher/installing-the-kubeslice-controller-on-rancher)
- Copy the chart version from the upper right hand section of this page [VERSION parameter need during install and upgrade]
- Click on the download chart link from the upper right hand section of this page, save it to location available from command prompt
- Untar the chart to get the values.yaml file, update values.yaml with the follwing information
- cluster end point [documentation](https://staging2-docs.avesha.io/documentation/enterprise/0.4.0/deployment-partners/deploying-kubeslice-on-rancher/installing-the-kubeslice-controller-on-rancher#getting-the-controller-cluster-endpoint)
- cluster end point [documentation](https://docs.avesha.io/documentation/enterprise/0.5.0/deployment-partners/deploying-kubeslice-on-rancher/installing-the-kubeslice-controller-on-rancher#getting-the-controller-cluster-endpoint)
- helm repository username, password and email [From registration]
@ -32,7 +32,7 @@ helm upgrade --history-max=5 --namespace=kubeslice-controller kubeslice-controll
```
### Uninstall KubeSlice Controller
- Follow instructions [documentation](https://staging2-docs.avesha.io/documentation/enterprise/0.4.0/getting-started-with-cloud-clusters/uninstalling-kubeslice/)
- Follow instructions [documentation](https://docs.avesha.io/documentation/enterprise/0.5.0/getting-started-with-cloud-clusters/uninstalling-kubeslice/uninstalling-the-kubeslice-controller/)
```console
export KUBECONFIG=<CONTROLLER CLUSTER KUBECONFIG>


@ -2,7 +2,7 @@
questions:
-
default: ""
description: "https://github.com/kubeslice/docs-ent/blob/AM-6087/versioned_docs/version-0.4.0/deployment-partners/deploying-kubeslice-on-rancher/deploying-kubeslice-on-rancher.mdx#registering-to-access-the-enterprise-helm-chart"
description: "https://docs.avesha.io/documentation/enterprise/0.5.0/deployment-partners/deploying-kubeslice-on-rancher/#registering-to-access-the-enterprise-helm-chart"
group: "Global Settings"
label: "Registered Username"
required: true
@ -18,7 +18,7 @@ questions:
variable: imagePullSecrets.password
-
default: ""
description: "https://github.com/kubeslice/docs-ent/blob/AM-6087/versioned_docs/version-0.4.0/deployment-partners/deploying-kubeslice-on-rancher/deploying-kubeslice-on-rancher.mdx#getting-the-controller-cluster-endpoint"
description: "https://docs.avesha.io/documentation/enterprise/0.5.0/deployment-partners/deploying-kubeslice-on-rancher/installing-the-kubeslice-controller-on-rancher/#getting-the-controller-cluster-endpoint"
group: "Controller Settings"
label: "Controller Endpoint"
required: true
@ -44,7 +44,7 @@ questions:
options:
- ClusterIP
- NodePort
- LoadBanlancer
- LoadBalancer
required: true
type: enum
variable: kubeslice.uiproxy.service.type


@ -1,3 +1,5 @@
*************************kubeslice-controller*********************************
{{/*
Expand the name of the chart.
*/}}
@ -60,3 +62,68 @@ Create the name of the service account to use
{{- default "default" .Values.serviceAccount.name }}
{{- end }}
{{- end }}
*************************PROMETHUES*********************************
{{/*
Expand the name of the chart.
*/}}
{{- define "prometheus.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "prometheus.fullname" -}}
{{- if .Values.fullnameOverride }}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- $name := default .Chart.Name .Values.nameOverride }}
{{- if contains $name .Release.Name }}
{{- .Release.Name | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
{{- end }}
{{- end }}
{{- end }}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "prometheus.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Common labels
*/}}
{{- define "prometheus.labels" -}}
helm.sh/chart: {{ include "prometheus.chart" . }}
{{ include "prometheus.selectorLabels" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "prometheus.selectorLabels" -}}
app.kubernetes.io/name: {{ include "prometheus.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
{{/*
Create the name of the service account to use
*/}}
{{- define "prometheus.serviceAccountName" -}}
{{- if .Values.serviceAccount.create }}
{{- default (include "prometheus.fullname" .) .Values.serviceAccount.name }}
{{- else }}
{{- default "default" .Values.serviceAccount.name }}
{{- end }}
{{- end }}
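Review bot: The separator lines `*************************kubeslice-controller*********************************` and `*************************PROMETHUES*********************************` sit outside `{{/* */}}` comment delimiters, so they are template text rather than comments (and the second misspells Prometheus); write them as `{{/* ===== prometheus ===== */}}` so they cannot leak into rendered output. The new `prometheus.name` and `prometheus.fullname` helpers read `.Values.nameOverride` / `.Values.fullnameOverride`, presumably the same keys the existing chart helpers use, so both helper families resolve to identical names and one override changes both; if the Prometheus resources need distinct naming they need their own values keys. The `define` block touched by the first hunk starts inside the hunk but its body continues outside this view.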


@ -1,7 +1,7 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: kubeslice-ui
name: kubeslice-api-gw
rules:
- verbs:
- get
@ -16,16 +16,16 @@ rules:
apiVersion: v1
kind: ServiceAccount
metadata:
name: kubeslice-ui
name: kubeslice-api-gw
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: kubeslice-ui
name: kubeslice-api-gw
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: kubeslice-ui
name: kubeslice-api-gw
subjects:
- kind: ServiceAccount
name: kubeslice-ui
name: kubeslice-api-gw


@ -0,0 +1,58 @@
---
apiVersion: v1
kind: Service
metadata:
labels:
app: kubeslice-api-gw
name: kubeslice-api-gw
spec:
ports:
- name: http
port: 8080
protocol: TCP
targetPort: 3000
selector:
app: kubeslice-api-gw
type: ClusterIP
---
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: kubeslice-api-gw
name: kubeslice-api-gw
spec:
replicas: 1
selector:
matchLabels:
app: kubeslice-api-gw
template:
metadata:
labels:
app: kubeslice-api-gw
spec:
containers:
- image: '{{ .Values.kubeslice.apigw.image }}:{{ .Values.kubeslice.apigw.tag }}'
imagePullPolicy: '{{ .Values.kubeslice.apigw.pullPolicy }}'
env:
- name: KUBESLICE_CONTROLLER_PROMETHEUS
value: {{ .Values.kubeslice.prometheus.url }}
name: kubeslice-api-gw
ports:
- containerPort: 3000
protocol: TCP
volumeMounts:
- mountPath: /app/secrets
name: oidc-secrets
{{- if and .Values.imagePullSecrets .Values.imagePullSecrets.repository .Values.imagePullSecrets.username .Values.imagePullSecrets.password }}
imagePullSecrets:
- name: kubeslice-ui-image-pull-secret
{{- end }}
restartPolicy: Always
serviceAccount: kubeslice-api-gw
serviceAccountName: kubeslice-api-gw
volumes:
- name: oidc-secrets
secret:
secretName: kubeslice-ui-oidc
optional: true
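Review bot: The Service exposes port 8080 with targetPort 3000, yet the UI and UI-proxy deployments in this commit point `REACT_APP_SOCKET_URL` at `ws://kubeslice-api-gw.kubeslice-controller.svc.cluster.local:3000`, a port this ClusterIP Service does not forward; unless something else serves 3000, either add a second port entry for 3000 or change the socket URL to `:8080`. `value: {{ .Values.kubeslice.prometheus.url }}` is rendered unquoted, so an empty value leaves a bare `value:` and a value with YAML-significant characters changes the document shape; use `value: {{ .Values.kubeslice.prometheus.url | quote }}` here and in the UI and UI-proxy deployments. The container also sets no `securityContext` (runAsNonRoot, readOnlyRootFilesystem, dropped capabilities) and no resource requests or limits, which the other workloads in this chart would benefit from too.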


@ -0,0 +1,19 @@
---
{{- if and .Values.imagePullSecrets .Values.imagePullSecrets.repository .Values.imagePullSecrets.username .Values.imagePullSecrets.password }}
apiVersion: v1
data:
.dockerconfigjson: {{
printf "{\"auths\":{\"%s\":{\"username\":\"%s\",\"password\":\"%s\",\"email\":\"%s\",\"auth\":\"%s\"}}}"
.Values.imagePullSecrets.repository
.Values.imagePullSecrets.username
.Values.imagePullSecrets.password
.Values.imagePullSecrets.email
(printf "%s:%s" .Values.imagePullSecrets.username .Values.imagePullSecrets.password | b64enc)
| b64enc
}}
kind: Secret
metadata:
name: kubeslice-ui-image-pull-secret
namespace: kubeslice-controller
type: kubernetes.io/dockerconfigjson
{{- end }}
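Review bot: The guard checks only `repository`, `username` and `password`, but the printf also consumes `.Values.imagePullSecrets.email`; with email unset, Go's printf writes an error token (something like `%!s(<nil>)`) into the auth JSON instead of an empty string. Add `.Values.imagePullSecrets.email` to the `and` condition, or pass `(.Values.imagePullSecrets.email | default "")`. The Secret is pinned to `namespace: kubeslice-controller` while the deployments that reference `kubeslice-ui-image-pull-secret` carry no namespace and land in the release namespace; `namespace: {{ .Release.Namespace }}` keeps them together. Since the registry password arrives through values.yaml, document that it should be supplied at install time rather than committed with the chart values.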


@ -0,0 +1,10 @@
---
{{- if .Values.kubeslice.ui.idp}}
apiVersion: v1
kind: Secret
metadata:
name: kubeslice-ui-oidc
namespace: kubeslice-controller
data:
oidc-secrets.yaml: {{ (printf "idp:%s" (.Values.kubeslice.ui.idp | toYaml | nindent 2)) | b64enc }}
{{- end}}
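Review bot: This Secret is pinned to `namespace: kubeslice-controller`, while the api-gw deployment in this commit mounts `kubeslice-ui-oidc` from the release namespace with `optional: true`; if the two ever differ the pod starts silently without its IdP configuration rather than failing. Use `namespace: {{ .Release.Namespace }}` and consider dropping `optional: true` so a missing secret is visible at scheduling time. `{{- if .Values.kubeslice.ui.idp}}` lacks the space before `}}` used elsewhere in the chart, and the `idp` block — which presumably carries a client secret — is taken from values.yaml, so the chart documentation should steer operators to an external secret or `--set-file` rather than a committed values file.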


@ -33,9 +33,14 @@ spec:
- name: kubeslice-ui-proxy
image: '{{ .Values.kubeslice.uiproxy.image }}:{{ .Values.kubeslice.uiproxy.tag }}'
imagePullPolicy: '{{ .Values.kubeslice.uiproxy.pullPolicy }}'
env:
- name: KUBESLICE-CONTROLLER-PROMETHEUS
value: {{ .Values.kubeslice.prometheus.url }}
- name: REACT_APP_SOCKET_URL
value: 'ws://kubeslice-api-gw.kubeslice-controller.svc.cluster.local:3000'
ports:
- containerPort: 443
{{- if and .Values.imagePullSecrets .Values.imagePullSecrets.repository .Values.imagePullSecrets.username .Values.imagePullSecrets.password }}
imagePullSecrets:
- name: kubeslice-ui-image-pull-secret
{{- end }}
{{- end }}
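Review bot: The env var is named `KUBESLICE-CONTROLLER-PROMETHEUS` with hyphens, while the api-gw and UI deployments in this commit use `KUBESLICE_CONTROLLER_PROMETHEUS`; Kubernetes accepts the hyphenated name, but most runtimes and shells cannot read it, so it should be `- name: KUBESLICE_CONTROLLER_PROMETHEUS` unless the proxy image specifically expects the hyphens. Quote the value, `value: {{ .Values.kubeslice.prometheus.url | quote }}`, so an empty or YAML-significant value does not alter the manifest. The `ws://...:3000` socket URL is the same literal as in the UI deployment; deriving it from a single values key (and from the api-gw Service's declared port) prevents the two drifting. The container list and pod spec begin before this hunk.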


@ -1,22 +1,3 @@
---
{{- if and .Values.imagePullSecrets .Values.imagePullSecrets.repository .Values.imagePullSecrets.username .Values.imagePullSecrets.password }}
apiVersion: v1
data:
.dockerconfigjson: {{
printf "{\"auths\":{\"%s\":{\"username\":\"%s\",\"password\":\"%s\",\"email\":\"%s\",\"auth\":\"%s\"}}}"
.Values.imagePullSecrets.repository
.Values.imagePullSecrets.username
.Values.imagePullSecrets.password
.Values.imagePullSecrets.email
(printf "%s:%s" .Values.imagePullSecrets.username .Values.imagePullSecrets.password | b64enc)
| b64enc
}}
kind: Secret
metadata:
name: kubeslice-ui-image-pull-secret
namespace: kubeslice-controller
type: kubernetes.io/dockerconfigjson
{{- end }}
---
apiVersion: v1
kind: Service
@ -30,7 +11,7 @@ spec:
- name: http
port: 80
protocol: TCP
targetPort: 3000
targetPort: 80
selector:
app: kubeslice-ui
type: ClusterIP
@ -54,11 +35,16 @@ spec:
- image: '{{ .Values.kubeslice.ui.image }}:{{ .Values.kubeslice.ui.tag }}'
imagePullPolicy: '{{ .Values.kubeslice.ui.pullPolicy }}'
name: kubeslice-ui
env:
- name: KUBESLICE_CONTROLLER_PROMETHEUS
value: {{ .Values.kubeslice.prometheus.url }}
- name: REACT_APP_SOCKET_URL
value: 'ws://kubeslice-api-gw.kubeslice-controller.svc.cluster.local:3000'
ports:
- containerPort: 3000
{{- if and .Values.imagePullSecrets .Values.imagePullSecrets.repository .Values.imagePullSecrets.username .Values.imagePullSecrets.password }}
imagePullSecrets:
- name: kubeslice-ui-image-pull-secret
{{- end }}
serviceAccountName: kubeslice-ui
serviceAccount: kubeslice-ui
serviceAccountName: kubeslice-api-gw
serviceAccount: kubeslice-api-gw
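Review bot: The UI pod now runs as the `kubeslice-api-gw` ServiceAccount, so the front-end and the API gateway share one identity and the Role bound to it (the Role/SA renamed in this commit), giving the UI whatever API access the gateway needs. Keep a separate `kubeslice-ui` ServiceAccount for the UI and, if it makes no Kubernetes API calls, set `automountServiceAccountToken: false` on its pod spec; `serviceAccount` is a deprecated alias of `serviceAccountName`, so only the latter is needed. In the earlier hunk the Service's targetPort moves to 80 while the container still declares `containerPort: 3000`; one of the two is stale unless the 0.5.0 image listens on both.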


@ -7,18 +7,21 @@ kubeslice:
logLevel: info
rbacResourcePrefix: kubeslice-rbac
projectnsPrefix: kubeslice
endpoint:
endpoint:
image: aveshasystems/kubeslice-controller-ent
tag: 0.2.0
tag: 0.5.0
pullPolicy: IfNotPresent
ovpnJob:
image: aveshasystems/gateway-certs-generator
tag: 0.1.5
tag: 0.1.10
prometheus:
enabled: true
url: http://kubeslice-controller-prometheus-service:9090
# Kubeslice UI settings
ui:
image: aveshasystems/kubeslice-ui-ent
tag: 0.2.3
tag: 0.5.0
pullPolicy: IfNotPresent
dashboard:
image: aveshasystems/kubeslice-kubernetes-dashboard
@ -26,14 +29,18 @@ kubeslice:
pullPolicy: IfNotPresent
uiproxy:
image: aveshasystems/kubeslice-ui-proxy
tag: 1.0.1
tag: 1.0.4
pullPolicy: IfNotPresent
service:
## For kind, set this to NodePort, elsewhere use LoadBalancer or NodePort
## Ref: https://kubernetes.io/docs/user-guide/services/#publishing-services---service-types
##
type: LoadBalancer
apigw:
image: aveshasystems/kubeslice-api-gw-ent
tag: 1.3.5
pullPolicy: IfNotPresent
# username & password & email values for imagePullSecrets has to provided to create a secret
imagePullSecrets:
repository: https://index.docker.io/v1/
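Review bot: `prometheus.enabled: true` is introduced here, but the templates in this commit that consume `prometheus.url` (the api-gw, UI and UI-proxy env entries) never test it, so setting it to `false` changes nothing in those manifests; either gate those env entries on `.Values.kubeslice.prometheus.enabled` or drop the key. Quote the URL, `url: "http://kubeslice-controller-prometheus-service:9090"`, since it is substituted unquoted into `value:` fields. The `imagePullSecrets` comment should also say that the password is expected at install time (`--set` or a secrets backend) rather than stored in this file. `apigw.tag: 1.3.5` is out of step with the other components' `0.5.0` tags — fine if intentional, but worth a comment.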


@ -5,7 +5,7 @@ annotations:
catalog.cattle.io/namespace: kubeslice-system
catalog.cattle.io/release-name: kubeslice-worker
apiVersion: v2
appVersion: 0.2.1
appVersion: 0.5.0
description: Multi cloud networking (MCN), multi cluster, hybrid cloud networking
tool for efficient, secure, policy-enforced connectivity and true multi-tenancy
capabilities. KubeSlice enables enterprise platform teams to reduce infrastructure
@ -36,4 +36,4 @@ keywords:
kubeVersion: '>= 1.19.0-0'
name: kubeslice-worker
type: application
version: 0.4.7
version: 0.5.0


@ -2,7 +2,7 @@
## Prerequisites
- KubeSlice Controller needs to be installed
- Create and configure the worker cluster following instructions in prerequisites and "registering the worker cluster" sections [documentation](https://staging2-docs.avesha.io/documentation/enterprise/0.4.0/deployment-partners/deploying-kubeslice-on-rancher/installing-the-worker-operator-on-rancher)
- Create and configure the worker cluster following instructions in prerequisites and "registering the worker cluster" sections [documentation](https://docs.avesha.io/documentation/enterprise/0.5.0/deployment-partners/deploying-kubeslice-on-rancher/installing-the-worker-operator-on-rancher)
- Copy the chart version from the upper right hand section of this page [VERSION parameter need during install and upgrade]
- Click on the download link from the upper right hand section of this page, save it to location available from command prompt <LOCATION OF DOWNLOADED CHART.tgz>
- Untar the chart to get the values.yaml file and edit the following fields
@ -34,14 +34,17 @@ helm upgrade --history-max=5 --namespace=kubeslice-system kubeslice-worker kubes
```
### Uninstall Kubeslice Worker
- Follow instructions [documentation](https://staging2-docs.avesha.io/documentation/enterprise/0.2.0/getting-started-with-cloud-clusters/uninstalling-kubeslice/deregistering-the-worker-cluster)
- Follow instructions [documentation](https://docs.avesha.io/documentation/enterprise/0.5.0/getting-started-with-cloud-clusters/uninstalling-kubeslice/deregistering-the-worker-cluster)
```console
export KUBECONFIG=<WORKER CLUSTER KUBECONFIG>
helm uninstall --namespace=kubeslice-system --timeout=10m0s --wait=true kubeslice-worker
kubectl delete crd serviceexports.networking.kubeslice.io
kubectl delete crd serviceimports.networking.kubeslice.io
kubectl delete crd slice.networking.kubeslice.io
kubectl delete crd slicegateways.networking.kubeslice.io
kubectl delete crd slicenodeaffinities.networking.kubeslice.io
kubectl delete crd sliceresourcequotas.networking.kubeslice.io
kubectl delete crd slicerolebindings.networking.kubeslice.io
kubectl delete crd slices.networking.kubeslice.io
kubectl delete ns kubeslice-system
```


@ -1,5 +0,0 @@
apiVersion: v1
appVersion: 0.2.0
description: Simple Jaeger installation for use by NSM Developers
name: jaeger
version: 0.2.0


@ -1,57 +0,0 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: jaeger
namespace: {{ .Release.Namespace }}
spec:
selector:
matchLabels:
run: jaeger
replicas: 1
template:
metadata:
labels:
run: jaeger
spec:
containers:
- name: jaeger
image: {{ .Values.image }}
imagePullPolicy: {{ .Values.pullPolicy }}
ports:
- name: http
containerPort: 16686
- name: jaeger
containerPort: 6831
protocol: UDP
tolerations:
- key: kubeslice.io/node-type
operator: Equal
value: gateway
effect: NoSchedule
- key: kubeslice.io/node-type
operator: Equal
value: gateway
effect: NoExecute
---
apiVersion: v1
kind: Service
metadata:
name: jaeger
namespace: {{ .Release.Namespace }}
labels:
run: jaeger
namespace: {{ .Release.Namespace }}
spec:
ports:
- name: http
{{- if eq .Values.monSvcType "NodePort" }}
nodePort: 31922
{{- end }}
port: 16686
protocol: TCP
- name: jaeger
port: 6831
protocol: UDP
selector:
run: jaeger
type: {{ .Values.monSvcType }}


@ -1,17 +0,0 @@
---
# Default values for jaeger.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
pullPolicy: IfNotPresent
image: jaegertracing/all-in-one:1.14.0
# The type for monitoring services, i.e. Jaeger
# May be set to valid Kubernetes ServiceTypes values--ClusterIP, NodePort, LoadBalancer, ExternalName
monSvcType: NodePort
# Variable used to deploy Prometheus
# Values can be true or false
prometheus: false
metricsCollectorEnabled: false


@ -1,5 +1,5 @@
apiVersion: v1
appVersion: 0.2.0
appVersion: 0.2.1
description: A Helm chart for Kubernetes
name: admission-webhook
version: 0.2.0
version: 0.2.1


@ -1,118 +0,0 @@
{{- $ca := genCA "admission-controller-ca" 3650 -}}
{{- $cn := printf "nsm-admission-webhook-svc" -}}
{{- $altName1 := printf "%s.%s.svc" $cn .Release.Namespace }}
{{- $altName2 := printf "%s.%s.svc.cluster.local" $cn .Release.Namespace }}
{{- $cert := genSignedCert $cn nil (list $altName1 $altName2) 3650 $ca -}}
apiVersion: v1
kind: Secret
metadata:
name: nsm-admission-webhook-certs
namespace: {{ .Release.Namespace }}
type: Opaque
data:
tls.key: {{ $cert.Key | b64enc }}
tls.crt: {{ $cert.Cert | b64enc }}
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: nsm-admission-webhook
namespace: {{ .Release.Namespace }}
labels:
app: nsm-admission-webhook
spec:
replicas: 1
selector:
matchLabels:
app: nsm-admission-webhook
template:
metadata:
labels:
app: nsm-admission-webhook
spec:
imagePullSecrets:
- name: avesha-nexus
containers:
- name: nsm-admission-webhook
image: docker.io/aveshasystems/nsm-admission-webhook:1.0.1
imagePullPolicy: {{ .Values.pullPolicy }}
env:
- name: INITCONTAINER_REPO
value: "{{ .Values.initContainerRegistry }}"
- name: INITCONTAINER_TAG
value: "{{ .Values.initContainerTag }}"
- name: DNS_SIDECAR_REPO
value: "{{ .Values.dnsSidecarContainerRegistry }}"
- name: DNS_SIDECAR_TAG
value: "{{ .Values.dnsSidecarContainerTag }}"
- name: NSM_NAMESPACE
value: "{{ .Values.clientNamespace }}"
- name: TRACER_ENABLED
value: {{ .Values.global.JaegerTracing | default false | quote }}
- name: JAEGER_AGENT_HOST
value: jaeger.{{ .Release.Namespace }}
- name: JAEGER_AGENT_PORT
value: "6831"
- name: CABUNDLE
value: {{ $ca.Cert | b64enc }}
volumeMounts:
- name: webhook-certs
mountPath: /etc/webhook/certs
readOnly: true
livenessProbe:
httpGet:
path: /liveness
port: 5555
initialDelaySeconds: 10
periodSeconds: 10
timeoutSeconds: 3
readinessProbe:
httpGet:
path: /readiness
port: 5555
initialDelaySeconds: 10
periodSeconds: 10
timeoutSeconds: 3
volumes:
- name: webhook-certs
secret:
secretName: nsm-admission-webhook-certs
---
apiVersion: v1
kind: Service
metadata:
name: nsm-admission-webhook-svc
namespace: {{ .Release.Namespace }}
labels:
app: nsm-admission-webhook
spec:
ports:
- port: 443
targetPort: 443
selector:
app: nsm-admission-webhook
---
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
name: nsm-admission-webhook-cfg
namespace: {{ .Release.Namespace }}
labels:
app: nsm-admission-webhook
webhooks:
- name: admission-webhook.networkservicemesh.io
sideEffects: None
admissionReviewVersions: ["v1", "v1beta1"]
failurePolicy: Ignore
matchPolicy: Equivalent
clientConfig:
service:
name: nsm-admission-webhook-svc
namespace: {{ .Release.Namespace }}
path: "/mutate"
caBundle: {{ $ca.Cert | b64enc }}
rules:
- operations: ["CREATE"]
apiGroups: ["apps", "extensions", ""]
apiVersions: ["v1", "v1beta1"]
resources: ["deployments", "services", "pods"]


@ -0,0 +1,52 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: nsm-admission-webhook-k8s
namespace: {{ .Release.Namespace }}
labels:
app: admission-webhook-k8s
spec:
selector:
matchLabels:
app: admission-webhook-k8s
template:
metadata:
labels:
app: admission-webhook-k8s
spec:
serviceAccountName: admission-webhook-sa
containers:
- name: admission-webhook-k8s
image: {{ .Values.webhookImageRegistry }}:{{ .Values.webhookImageTag }}
imagePullPolicy: IfNotPresent
readinessProbe:
httpGet:
path: /ready
port: 443
scheme: HTTPS
env:
- name: SPIFFE_ENDPOINT_SOCKET
value: unix:///run/spire/sockets/agent.sock
- name: NSM_SERVICE_NAME
value: admission-webhook-svc
- name: NSM_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: NSM_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: NSM_ANNOTATION
value: networkservicemesh.io
{{/* - name: NSM_CONTAINER_IMAGES*/}}
{{/* value: ghcr.io/networkservicemesh/cmd-nsc:v1.5.0*/}}
- name: NSM_CONTAINER_IMAGES
value: "{{ .Values.nsmInjectContainerImageRegistry }}:{{ .Values.nsmInjectContainerImageTag }}"
- name: NSM_INIT_CONTAINER_IMAGES
value: "{{ .Values.nsmInjectInitContainerImageRegistry }}:{{ .Values.nsmInjectInitContainerImageTag }}"
- name: NSM_LABELS
value: spiffe.io/spiffe-id:true
- name: NSM_ENVS
value: NSM_LOG_LEVEL=TRACE,NSM_LIVENESSCHECKENABLED=false
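Review bot: `NSM_ENVS` hard-codes `NSM_LOG_LEVEL=TRACE,NSM_LIVENESSCHECKENABLED=false` into every container the webhook injects, which means trace-level logging and no liveness checks in production workloads with no values knob; expose it as `value: {{ .Values.nsmInjectEnvs | quote }}` (new key, default to a non-trace level). `imagePullPolicy: IfNotPresent` is hard-coded although values.yaml still defines `pullPolicy`, and the `{{/* ... */}}`-commented `NSM_CONTAINER_IMAGES` lines are dead and should go. The `nsm-webhook-high-priority` PriorityClass added in this commit is not referenced here (`priorityClassName` is absent), so unless another template uses it, it has no effect. The pod also sets no `securityContext` or resource limits, and `value: spiffe.io/spiffe-id:true` should be quoted.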


@ -0,0 +1,13 @@
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: admission-webhook-binding
subjects:
- kind: ServiceAccount
name: admission-webhook-sa
namespace: {{ .Release.Namespace }}
roleRef:
kind: ClusterRole
name: admission-webhook-role
apiGroup: rbac.authorization.k8s.io


@ -0,0 +1,7 @@
apiVersion: scheduling.k8s.io/v1
kind: PriorityClass
metadata:
name: nsm-webhook-high-priority
value: 1000000
globalDefault: false
description: "This priority class should be used for nsm webhook pods only."


@ -0,0 +1,13 @@
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: admission-webhook-role
labels:
rbac.authorization.k8s.io/aggregate-to-admin: "true"
rbac.authorization.k8s.io/aggregate-to-edit: "true"
rules:
- apiGroups: ["admissionregistration.k8s.io"]
resources:
- "mutatingwebhookconfigurations"
verbs: ["*"]
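Review bot: The `aggregate-to-admin` / `aggregate-to-edit` labels fold `verbs: ["*"]` on `mutatingwebhookconfigurations` into the built-in `admin` and `edit` ClusterRoles, so anyone holding those roles through a ClusterRoleBinding gains the ability to create or alter any mutating webhook in the cluster — effectively the power to rewrite every admitted object — which is far beyond what an editor should have. The webhook itself is bound to this role through `admission-webhook-binding` in this commit, so the aggregation labels are not needed for it to work; remove the two `rbac.authorization.k8s.io/aggregate-to-*` labels. Also narrow the verbs to what self-registration needs, e.g. `verbs: ["get", "list", "watch", "create", "update", "patch"]`.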


@ -0,0 +1,6 @@
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: admission-webhook-sa
namespace: {{ .Release.Namespace }}


@ -0,0 +1,14 @@
---
apiVersion: v1
kind: Service
metadata:
name: admission-webhook-svc
namespace: {{ .Release.Namespace }}
labels:
app: admission-webhook-k8s
spec:
ports:
- port: 443
targetPort: 443
selector:
app: admission-webhook-k8s


@ -3,11 +3,11 @@
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
initContainerRegistry: docker.io/aveshasystems
initContainerTag: 1.0.0
webhookImageRegistry: aveshasystems/cmd-admission-webhook-k8s
webhookImageTag: 1.5.3
dnsSidecarContainerRegistry: docker.io/aveshasystems
dnsSidecarContainerTag: 1.0.0
nsmInjectContainerImageRegistry: aveshasystems/cmd-nsc
nsmInjectContainerImageTag: 1.5.3
pullPolicy: IfNotPresent
clientNamespace: kubeslice-system
nsmInjectInitContainerImageRegistry: aveshasystems/cmd-nsc-init
nsmInjectInitContainerImageTag: 1.5.3
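Review bot: `pullPolicy` and `clientNamespace` are kept although the new admission-webhook deployment in this commit hard-codes `imagePullPolicy: IfNotPresent` and takes its namespace from a `fieldRef`; if no other template reads them, drop them so the values file does not advertise knobs that do nothing. Quote the image tags (`webhookImageTag: "1.5.3"` and the others) so a future two-part tag such as `1.10` is not parsed as a float. Since these tags are what the webhook writes into every injected pod, consider allowing a digest-pinned reference here as well.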


@ -0,0 +1,29 @@
# warning: please update nsm crd upgrade hook as well if you change this
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: networkservices.networkservicemesh.io
spec:
conversion:
strategy: None
group: networkservicemesh.io
names:
kind: NetworkService
listKind: NetworkServiceList
plural: networkservices
shortNames:
- netsvc
- netsvcs
singular: networkservice
scope: Namespaced
versions:
- name: v1
served: true
storage: true
schema:
openAPIV3Schema:
type: object
properties:
spec:
x-kubernetes-preserve-unknown-fields: true
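Review bot: Only `v1` is listed, while the CRDs removed in this commit served and stored `v1alpha1`; on a cluster that already holds objects stored as `v1alpha1`, the API server rejects a CRD update that drops a version still present in `status.storedVersions`, so the upgrade hook's `kubectl apply` will fail unless `v1alpha1` is retained (`served: false`, `storage: false`) or storedVersions is migrated first. The same applies to the `networkserviceendpoints` CRD and to the copies embedded in the `nsm-crd-install` ConfigMap. The schema is now just `x-kubernetes-preserve-unknown-fields: true` with no `description` fields; restoring the field descriptions the old CRDs carried costs nothing. Since the header comment already warns about keeping the hook copy in sync, generating one from the other is preferable to duplicating the body.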


@ -0,0 +1,29 @@
# warning: please update nsm crd upgrade hook as well if you change this
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: networkserviceendpoints.networkservicemesh.io
spec:
conversion:
strategy: None
group: networkservicemesh.io
names:
kind: NetworkServiceEndpoint
listKind: NetworkServiceEndpointList
plural: networkserviceendpoints
shortNames:
- nse
- nses
singular: networkserviceendpoint
scope: Namespaced
versions:
- name: v1
served: true
storage: true
schema:
openAPIV3Schema:
type: object
properties:
spec:
x-kubernetes-preserve-unknown-fields: true


@ -11,14 +11,13 @@ rules:
resources:
- "networkservices"
- "networkserviceendpoints"
- "networkservicemanagers"
verbs: ["*"]
- apiGroups: ["apiextensions.k8s.io"]
resources: ["customresourcedefinitions"]
verbs: ["*"]
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["get", "update"]
verbs: ["patch", "get", "list", "watch", "update", "read", "write"]
- apiGroups: [""]
resources: ["nodes", "services", "namespaces"]
verbs: ["get", "list", "watch"]
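Review bot: `read` and `write` in the configmaps rule are not Kubernetes API verbs, so they grant nothing and only suggest coverage that does not exist; if the intent is to create or delete ConfigMaps, list `create` / `delete` explicitly, otherwise drop them. The `verbs: ["*"]` rule on `customresourcedefinitions` is now redundant for installation, since this commit adds a dedicated `nsm-install-crds` ServiceAccount and ClusterRole for the CRD hook; unless the runtime component still manages CRDs itself, remove it to keep the workload identity narrow. The ClusterRole header is outside this hunk, so which ServiceAccount holds these rules is inferred.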


@ -1,43 +0,0 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: networkserviceendpoints.networkservicemesh.io
spec:
conversion:
strategy: None
group: networkservicemesh.io
names:
kind: NetworkServiceEndpoint
listKind: NetworkServiceEndpointList
plural: networkserviceendpoints
shortNames:
- nse
- nses
singular: networkserviceendpoint
scope: Namespaced
versions:
- name: v1alpha1
served: true
storage: true
schema:
openAPIV3Schema:
type: object
description: 'NetworkServiceEndpoints is the schema for NetworkServiceEndpoints API'
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: 'Spec defines the desired state'
type: object
x-kubernetes-preserve-unknown-fields: true


@ -1,43 +0,0 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: networkservicemanagers.networkservicemesh.io
spec:
conversion:
strategy: None
group: networkservicemesh.io
names:
kind: NetworkServiceManager
listKind: NetworkServiceManagerList
plural: networkservicemanagers
shortNames:
- nsm
- nsms
singular: networkservicemanager
scope: Namespaced
versions:
- name: v1alpha1
served: true
storage: true
schema:
openAPIV3Schema:
type: object
description: 'NetworkServiceManagers is the schema for NetworkServiceManagers API'
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: 'Spec defines the desired state'
type: object
x-kubernetes-preserve-unknown-fields: true


@ -1,43 +0,0 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: networkservices.networkservicemesh.io
spec:
conversion:
strategy: None
group: networkservicemesh.io
names:
kind: NetworkService
listKind: NetworkServiceList
plural: networkservices
shortNames:
- netsvc
- netsvcs
singular: networkservice
scope: Namespaced
versions:
- name: v1alpha1
served: true
storage: true
schema:
openAPIV3Schema:
type: object
description: 'NetworkServices is the schema for NetworkServices API'
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: 'Spec defines the desired state'
type: object
x-kubernetes-preserve-unknown-fields: true


@ -3,5 +3,8 @@ apiVersion: v1
kind: ConfigMap
metadata:
name: nsm-config
namespace: {{ .Release.Namespace }}
annotations:
"helm.sh/resource-policy": keep
data:
excluded_prefixes.yaml: ''
excluded_prefixes_output.yaml: ''


@ -0,0 +1,174 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: nsm-install-crds
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
app.kubernetes.io/instance: {{ .Release.Name | quote }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote}}
helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
annotations:
"helm.sh/hook": pre-install,pre-upgrade,pre-rollback
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
"helm.sh/hook-weight": "1"
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: nsm-install-crds
annotations:
"helm.sh/hook": pre-install,pre-upgrade,pre-rollback
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
"helm.sh/hook-weight": "1"
labels:
app.kubernetes.io/name: kubeslice
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: nsm-install-crds
subjects:
- kind: ServiceAccount
name: nsm-install-crds
namespace: {{ .Release.Namespace }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: nsm-install-crds
annotations:
"helm.sh/hook": pre-install,pre-upgrade,pre-rollback
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
"helm.sh/hook-weight": "1"
labels:
app.kubernetes.io/name: kubeslice
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
rules:
- apiGroups:
- "apiextensions.k8s.io"
resources:
- customresourcedefinitions
verbs:
- get
- list
- patch
- update
- create
---
apiVersion: v1
kind: ConfigMap
metadata:
name: nsm-crd-install
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
app.kubernetes.io/instance: {{ .Release.Name | quote }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
annotations:
"helm.sh/hook": pre-install,pre-upgrade,pre-rollback
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
"helm.sh/hook-weight": "1"
data:
crd-ns.yaml: |
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: networkservices.networkservicemesh.io
spec:
conversion:
strategy: None
group: networkservicemesh.io
names:
kind: NetworkService
listKind: NetworkServiceList
plural: networkservices
shortNames:
- netsvc
- netsvcs
singular: networkservice
scope: Namespaced
versions:
- name: v1
served: true
storage: true
schema:
openAPIV3Schema:
type: object
properties:
spec:
x-kubernetes-preserve-unknown-fields: true
crd-nse.yaml: |
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: networkserviceendpoints.networkservicemesh.io
spec:
conversion:
strategy: None
group: networkservicemesh.io
names:
kind: NetworkServiceEndpoint
listKind: NetworkServiceEndpointList
plural: networkserviceendpoints
shortNames:
- nse
- nses
singular: networkserviceendpoint
scope: Namespaced
versions:
- name: v1
served: true
storage: true
schema:
openAPIV3Schema:
type: object
properties:
spec:
x-kubernetes-preserve-unknown-fields: true
---
apiVersion: batch/v1
kind: Job
metadata:
name: nsm-install-crds
namespace: {{ .Release.Namespace }}
annotations:
"helm.sh/hook": pre-install,pre-upgrade,pre-rollback
"helm.sh/hook-delete-policy": before-hook-creation
"helm.sh/hook-weight": "2"
labels:
app.kubernetes.io/name: nsm
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
spec:
backoffLimit: 3
template:
metadata:
name: nsm-install-crds
namespace: {{ .Release.Namespace }}
spec:
serviceAccountName: nsm-install-crds
containers:
- name: kubectl
image: "alpine/k8s:1.22.9"
command:
- /bin/sh
- -c
- kubectl apply -f /tmp
volumeMounts:
- mountPath: /tmp
name: crds
volumes:
- name: crds
configMap:
name: nsm-crd-install
restartPolicy: OnFailure


@ -0,0 +1,128 @@
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: nsm-delete-webhooks
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
app.kubernetes.io/instance: {{ .Release.Name | quote }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote}}
helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
annotations:
"helm.sh/hook": pre-delete,pre-rollback
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
"helm.sh/hook-weight": "1"
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: nsm-delete-webhooks
annotations:
"helm.sh/hook": pre-delete,pre-rollback
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
"helm.sh/hook-weight": "-1"
labels:
app.kubernetes.io/name: kubeslice
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: nsm-delete-webhooks
subjects:
- kind: ServiceAccount
name: nsm-delete-webhooks
namespace: {{ .Release.Namespace }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: nsm-delete-webhooks
annotations:
"helm.sh/hook": pre-delete,pre-rollback
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
"helm.sh/hook-weight": "-1"
labels:
app.kubernetes.io/name: kubeslice
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
rules:
- apiGroups:
- ""
resources:
- pods
verbs:
- get
- list
- apiGroups:
- "admissionregistration.k8s.io"
resources:
- mutatingwebhookconfigurations
verbs:
- get
- list
- delete
---
apiVersion: v1
kind: ConfigMap
metadata:
name: nsm-delete-webhooks
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
app.kubernetes.io/instance: {{ .Release.Name | quote }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
annotations:
"helm.sh/hook": pre-delete,pre-rollback
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
"helm.sh/hook-weight": "1"
data:
delete-admission-webhook.sh: |-
#!/usr/bin/env bash
echo "finding out the admission webhook "
WH=$(kubectl get pods -l app=admission-webhook-k8s -n {{ .Release.Namespace }} --template {{`'{{range .items}}{{.metadata.name}}{{"\n"}}{{end}}'`}})
echo "deleting mutatingwebhookconfiguration ${WH}"
kubectl delete mutatingwebhookconfiguration --ignore-not-found ${WH}
---
apiVersion: batch/v1
kind: Job
metadata:
name: nsm-delete-webhooks
namespace: {{ .Release.Namespace }}
annotations:
"helm.sh/hook": pre-delete,pre-rollback
"helm.sh/hook-delete-policy": before-hook-creation
"helm.sh/hook-weight": "2"
labels:
app.kubernetes.io/name: nsm
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
spec:
backoffLimit: 3
template:
metadata:
name: nsm-delete-webhooks
namespace: {{ .Release.Namespace }}
spec:
serviceAccountName: nsm-delete-webhooks
containers:
- name: kubectl
image: "alpine/k8s:1.22.9"
command:
- /bin/bash
- /tmp/delete-admission-webhook.sh
volumeMounts:
- mountPath: /tmp
name: nsm-delete-webhooks
volumes:
- name: nsm-delete-webhooks
configMap:
name: nsm-delete-webhooks
restartPolicy: OnFailure
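Review bot: The `delete-admission-webhook.sh` script in the ConfigMap has no error handling, so if the pod lookup fails or matches nothing `WH` is empty and `kubectl delete mutatingwebhookconfiguration --ignore-not-found` runs with no name, which kubectl rejects as a usage error rather than treating as a no-op, and the Job then retries up to `backoffLimit: 3`. Suggest `set -euo pipefail` after the shebang and `[ -z "${WH}" ] && { echo "no admission-webhook pods found"; exit 0; }` before the delete. The ClusterRole grants `delete` on every mutatingwebhookconfiguration in the cluster; since the names are derived from pod names at run time this cannot be narrowed with `resourceNames`, so a comment on the rule saying why cluster-wide delete is required would help later reviewers. Minor: `{{ .Chart.AppVersion | quote}}` on the ServiceAccount label is missing the space before `}}` used everywhere else in this change.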


@ -1,5 +0,0 @@
apiVersion: v1
appVersion: "1.0"
description: A Helm chart for Kubernetes
name: prefix-service
version: 0.1.0


@ -1,32 +0,0 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ .Chart.Name }}
spec:
selector:
matchLabels:
app: {{ .Chart.Name }}
template:
metadata:
labels:
app: {{ .Chart.Name }}
spec:
serviceAccountName: {{ .Values.serviceAccount.name }}
imagePullSecrets:
- name: avesha-nexus
containers:
- name: {{ .Chart.Name }}
image: {{ .Values.registry }}/{{ .Values.org }}/{{ .Chart.Name }}:{{ .Values.tag }}
imagePullPolicy: {{ .Values.pullPolicy }}
env:
- name: NSM_NAMESPACE
value: {{ .Release.Namespace }}
tolerations:
- key: kubeslice.io/node-type
operator: Equal
value: gateway
effect: NoSchedule
- key: kubeslice.io/node-type
operator: Equal
value: gateway
effect: NoExecute


@ -1,13 +0,0 @@
---
# Default values for prefix-service.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
# NOTE: the variables might be overriden by helm command line options, see helm.mk
registry: docker.io
org: aveshasystems
tag: 0.6.1
pullPolicy: IfNotPresent
serviceAccount:
name: nsmgr-acc


@ -0,0 +1,6 @@
apiVersion: v2
appVersion: 1.16.0
description: A Helm chart for Kubernetes
name: spire
type: application
version: 0.4.0
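Review bot: `appVersion: 1.16.0` and `description: A Helm chart for Kubernetes` are the `helm create` scaffold defaults and do not describe this chart; the SPIRE images pinned in the values files of this change are tagged 1.5.1, so `appVersion: "1.5.1"` (quoted, as the value is free text) and a description naming what is deployed would be accurate. The same scaffold metadata appears in the spire-server and spire-config Chart.yaml files added here.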


@ -0,0 +1,23 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*.orig
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/


@ -0,0 +1,6 @@
apiVersion: v2
appVersion: 1.16.0
description: A Helm chart for Kubernetes
name: spire-server
type: application
version: 0.1.0


@ -0,0 +1,23 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*.orig
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/


@ -0,0 +1,6 @@
apiVersion: v2
appVersion: 1.16.0
description: A Helm chart for Kubernetes
name: spire-config
type: application
version: 0.1.0


@ -0,0 +1,6 @@
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: spire-agent
namespace: spire
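Review bot: `namespace: spire` is hard-coded here and in every other spire resource in this change (the ClusterRoleBinding subjects, the ConfigMaps, both Services, the StatefulSet, the DaemonSet and the Namespace object itself) instead of `{{ .Release.Namespace }}`; the spire values file acknowledges this with a TODO. Beyond preventing two installs from coexisting, managing the `spire` Namespace as a release resource means a `helm uninstall` appears to delete that whole namespace, including anything an operator placed there by hand. A comment next to this first occurrence, e.g. `# namespace is fixed to "spire": the agent socket path, SA allow-list and webhook service name all assume it`, would at least make the constraint explicit until it is templated.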


@ -0,0 +1,25 @@
---
# Required cluster role to allow spire-agent to query k8s API server
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: spire-agent-cluster-role
rules:
- apiGroups: [""]
resources: ["pods", "nodes", "nodes/proxy"]
verbs: ["get"]
---
# Binds above cluster role to spire-agent service account
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: spire-agent-cluster-role-binding
subjects:
- kind: ServiceAccount
name: spire-agent
namespace: spire
roleRef:
kind: ClusterRole
name: spire-agent-cluster-role
apiGroup: rbac.authorization.k8s.io
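Review bot: The header comment "Required cluster role to allow spire-agent to query k8s API server" does not say why `nodes/proxy` is in the rule, and that verb is the one a reviewer will question since it permits reaching the kubelet API on every node. Presumably it is needed by the `k8s` WorkloadAttestor configured in agent.conf to authenticate against the kubelet; if so, replace the comment with `# get on pods/nodes for k8s_psat attestation; get on nodes/proxy so the k8s WorkloadAttestor can query the local kubelet` so the grant is traceable to a feature.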


@ -0,0 +1,30 @@
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: k8s-workload-registrar-role
rules:
- apiGroups: [""]
resources: ["endpoints", "nodes", "pods"]
verbs: ["get", "list", "watch"]
- apiGroups: ["spiffeid.spiffe.io"]
resources: ["spiffeids"]
verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
- apiGroups: ["spiffeid.spiffe.io"]
resources: ["spiffeids/status"]
verbs: ["get", "patch", "update"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: k8s-workload-registrar-role-binding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: k8s-workload-registrar-role
subjects:
- kind: ServiceAccount
name: spire-server
namespace: spire


@ -0,0 +1,107 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.2.4
name: spiffeids.spiffeid.spiffe.io
spec:
group: spiffeid.spiffe.io
names:
kind: SpiffeID
listKind: SpiffeIDList
plural: spiffeids
singular: spiffeid
scope: Namespaced
versions:
- name: v1beta1
served: true
storage: true
subresources:
status: {}
schema:
openAPIV3Schema:
description: SpiffeID is the Schema for the spiffeid API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: SpiffeIDSpec defines the desired state of SpiffeID
properties:
dnsNames:
items:
type: string
type: array
federatesWith:
items:
type: string
type: array
parentId:
type: string
selector:
properties:
arbitrary:
description: Arbitrary selectors
items:
type: string
type: array
containerImage:
description: Container image to match for this spiffe ID
type: string
containerName:
description: Container name to match for this spiffe ID
type: string
namespace:
description: Namespace to match for this spiffe ID
type: string
nodeName:
description: Node name to match for this spiffe ID
type: string
podLabel:
additionalProperties:
type: string
description: Pod label name/value to match for this spiffe ID
type: object
podName:
description: Pod name to match for this spiffe ID
type: string
podUid:
description: Pod UID to match for this spiffe ID
type: string
serviceAccount:
description: ServiceAccount to match for this spiffe ID
type: string
cluster:
description: The k8s_psat cluster name
type: string
agent_node_uid:
description: UID of the node
type: string
type: object
spiffeId:
type: string
required:
- parentId
- selector
- spiffeId
type: object
status:
description: SpiffeIDStatus defines the observed state of SpiffeID
properties:
entryId:
description: 'INSERT ADDITIONAL STATUS FIELD - define observed state
of cluster Important: Run "make" to regenerate code after modifying
this file'
type: string
type: object
type: object


@ -0,0 +1,19 @@
---
apiVersion: v1
data:
k8s-workload-registrar.conf: |-
log_level = "debug"
trust_domain = "example.org"
agent_socket_path = "/run/spire/sockets/agent.sock"
server_socket_path = "/tmp/spire-server/private/api.sock"
cluster = "nsm-cluster"
pod_controller = true
add_svc_dns_names = true
mode = "crd"
webhook_enabled = true
identity_template = "ns/{{ printf "{{.Pod.Namespace}}" }}/pod/{{ printf "{{.Pod.Name}}" }}"
identity_template_label = "spiffe.io/spiffe-id"
kind: ConfigMap
metadata:
name: k8s-workload-registrar
namespace: spire
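Review bot: `trust_domain = "example.org"` is the SPIFFE placeholder domain and it is hard-coded here as well as in agent.conf and server.conf in this change, so every SVID issued by an installation carries an identity domain that is not the operator's; the same applies to `cluster = "nsm-cluster"`, which server.conf and agent.conf repeat with a "Change this to your cluster name" note but no value to change it from. Since none of the three ConfigMaps is templated, a `{{ .Values.spire.trustDomain }}` / `{{ .Values.spire.clusterName }}` pair (names are a suggestion) rendered into all three would keep them from drifting. `log_level = "debug"` is also a development default for a shipped chart.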


@ -0,0 +1,6 @@
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: spire-server
namespace: spire


@ -0,0 +1,35 @@
---
# ClusterRole to allow spire-server node attestor to query Token Review API
# and to be able to push certificate bundles to a configmap
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: spire-server-trust-role
rules:
- apiGroups: ["authentication.k8s.io"]
resources: ["tokenreviews"]
verbs: ["create"]
- apiGroups: ["admissionregistration.k8s.io"]
resources: ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"]
verbs: ["get", "list", "patch", "watch"]
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["patch", "get", "list"]
- apiGroups: [""]
resources: ["pods", "nodes"]
verbs: ["get"]
---
# Binds above cluster role to spire-server service account
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: spire-server-trust-role-binding
subjects:
- kind: ServiceAccount
name: spire-server
namespace: spire
roleRef:
kind: ClusterRole
name: spire-server-trust-role
apiGroup: rbac.authorization.k8s.io
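Review bot: The `configmaps` rule grants `patch`, `get` and `list` on ConfigMaps in every namespace, while the only ConfigMap the server writes, per the `k8sbundle` notifier in server.conf, appears to be the bundle ConfigMap in the `spire` namespace; that rule could move to a namespaced Role and RoleBinding. The webhook-configuration rule has to stay in a ClusterRole because those objects are cluster-scoped, and it is worth noting in the header comment that `patch` there is what lets the notifier inject the CA bundle into the `spiffe.io/webhook`-labelled webhooks.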


@ -0,0 +1,42 @@
---
apiVersion: v1
data:
agent.conf: |
agent {
data_dir = "/run/spire"
log_level = "DEBUG"
server_address = "spire-server"
server_port = "8081"
socket_path = "/run/spire/sockets/agent.sock"
trust_bundle_path = "/run/spire/bundle/bundle.crt"
trust_domain = "example.org"
}
plugins {
NodeAttestor "k8s_psat" {
plugin_data {
# NOTE: Change this to your cluster name
cluster = "nsm-cluster"
}
}
KeyManager "memory" {
plugin_data {}
}
WorkloadAttestor "k8s" {
plugin_data {
# Defaults to the secure kubelet port by default.
# Minikube does not have a cert in the cluster CA bundle that
# can authenticate the kubelet cert, so skip validation.
skip_kubelet_verification = true
}
}
WorkloadAttestor "unix" {
plugin_data {}
}
}
kind: ConfigMap
metadata:
name: spire-agent
namespace: spire
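Review bot: `skip_kubelet_verification = true` disables TLS verification of the kubelet for the `k8s` WorkloadAttestor, and the accompanying comment justifies it only for Minikube, yet this ConfigMap is the default for every cluster the chart is installed on. Either render it from a value that defaults to `false` (the ConfigMap is not templated today) or reword the comment so it does not present a Minikube workaround as the general setting, e.g. `# Disables kubelet certificate verification; set to false on clusters whose kubelet cert chains to the cluster CA`. `log_level = "DEBUG"` is likewise a development default.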


@ -0,0 +1,6 @@
---
apiVersion: v1
kind: ConfigMap
metadata:
name: spire-bundle
namespace: spire


@ -0,0 +1,5 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: spire


@ -0,0 +1,55 @@
---
apiVersion: v1
data:
server.conf: |
server {
bind_address = "0.0.0.0"
bind_port = "8081"
trust_domain = "example.org"
data_dir = "/run/spire/data"
log_level = "DEBUG"
#AWS requires the use of RSA. EC cryptography is not supported
ca_key_type = "rsa-2048"
default_svid_ttl = "1h"
ca_subject = {
country = ["US"],
organization = ["SPIFFE"],
common_name = "",
}
}
plugins {
DataStore "sql" {
plugin_data {
database_type = "sqlite3"
connection_string = "/run/spire/data/datastore.sqlite3"
}
}
NodeAttestor "k8s_psat" {
plugin_data {
clusters = {
# NOTE: Change this to your cluster name
"nsm-cluster" = {
use_token_review_api_validation = true
service_account_allow_list = ["spire:spire-agent"]
}
}
}
}
KeyManager "disk" {
plugin_data {
keys_path = "/run/spire/data/keys.json"
}
}
Notifier "k8sbundle" {
plugin_data {
webhook_label = "spiffe.io/webhook"
}
}
}
kind: ConfigMap
metadata:
name: spire-server
namespace: spire


@ -0,0 +1,15 @@
---
apiVersion: v1
kind: Service
metadata:
name: k8s-workload-registrar
namespace: spire
spec:
type: ClusterIP
ports:
- name: webhook
protocol: TCP
port: 443
targetPort: 9443
selector:
app: spire-server


@ -0,0 +1,22 @@
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
name: k8s-workload-registrar
labels:
spiffe.io/webhook: "true"
webhooks:
- name: k8s-workload-registrar.spire.svc
admissionReviewVersions: ["v1", "v1beta1"]
clientConfig:
service:
name: k8s-workload-registrar
namespace: spire
path: "/validate-spiffeid-spiffe-io-v1beta1-spiffeid"
rules:
- apiGroups: ["spiffeid.spiffe.io"]
apiVersions: ["v1beta1"]
operations: ["CREATE", "UPDATE", "DELETE"]
resources: ["spiffeids"]
scope: Namespaced
sideEffects: None
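Review bot: `clientConfig` carries no `caBundle` and `failurePolicy` is left unset, so the webhook relies on the spire-server `k8sbundle` notifier patching the bundle in via the `spiffe.io/webhook: "true"` label, and until that happens every spiffeid create/update/delete is rejected because the default policy is `Fail`; neither dependency is stated in the file. Suggest `# caBundle is injected by spire-server's k8sbundle notifier (webhook_label spiffe.io/webhook)` above `clientConfig:` and an explicit `failurePolicy: Fail` so the blocking behaviour is a visible choice rather than a default.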


@ -0,0 +1,19 @@
---
apiVersion: v1
kind: Service
metadata:
name: spire-server
namespace: spire
spec:
type: ClusterIP
ports:
- name: spire-server
port: 8081
targetPort: 8081
protocol: TCP
- name: spire-federation
port: 8443
targetPort: 8443
protocol: TCP
selector:
app: spire-server
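Review bot: The `spire-federation` port 8443 is exposed, but the server.conf added in this change has no `federation` block, so as far as the visible configuration shows nothing listens on it. Either drop the port or add a comment such as `# reserved for a federation endpoint; server.conf has no federation block yet` so the unused port is not mistaken for a live service.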


@ -0,0 +1,93 @@
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: spire-server
namespace: spire
labels:
app: spire-server
spec:
replicas: 1
selector:
matchLabels:
app: spire-server
serviceName: spire-server
template:
metadata:
namespace: spire
labels:
app: spire-server
spec:
serviceAccountName: spire-server
shareProcessNamespace: true
containers:
- name: spire-server
image: {{ .Values.spireServer.imageRegistry }}:{{ .Values.spireServer.imageTag }}
args:
- -config
- /run/spire/config/server.conf
ports:
- containerPort: 8081
volumeMounts:
- name: spire-config
mountPath: /run/spire/config
readOnly: true
- name: spire-registration-socket
mountPath: /tmp
readOnly: false
livenessProbe:
exec:
command:
- /opt/spire/bin/spire-server
- healthcheck
failureThreshold: 2
initialDelaySeconds: 15
periodSeconds: 60
timeoutSeconds: 3
readinessProbe:
exec:
command: ["/opt/spire/bin/spire-server", "healthcheck", "--shallow"]
# This is a workaround for https://github.com/spiffe/spire/issues/2872
# that prevents k8s-workload-registrar container restarts until
# https://github.com/spiffe/spire/pull/2921 will come with SPIRE 1.3.0.
lifecycle:
postStart:
exec:
command: ["sleep", "2"]
- name: k8s-workload-registrar
image: {{ .Values.spireServer.k8sWorkloadRegistrarImageRegistry }}:{{ .Values.spireServer.k8sWorkloadRegistrarImageTag }}
args:
- -config
- /run/spire/config/k8s-workload-registrar.conf
env:
- name: MY_POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
ports:
- containerPort: 9443
name: webhook
protocol: TCP
volumeMounts:
- mountPath: /run/spire/config
name: k8s-workload-registrar-config
readOnly: true
- mountPath: /run/spire/sockets
name: spire-agent-socket
readOnly: true
- name: spire-registration-socket
mountPath: /tmp
readOnly: false
volumes:
- name: spire-config
configMap:
name: spire-server
- name: spire-agent-socket
hostPath:
path: /run/spire/sockets
type: DirectoryOrCreate
- name: k8s-workload-registrar-config
configMap:
name: k8s-workload-registrar
- name: spire-registration-socket
emptyDir: {}
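Review bot: server.conf puts the SQL datastore (`/run/spire/data/datastore.sqlite3`) and the disk KeyManager keys (`/run/spire/data/keys.json`) under `/run/spire/data`, but the `spire-server` container mounts only `/run/spire/config` and `/tmp`, so the CA key material and the registration database live on the container's writable layer and are lost on every restart; after a restart the server re-creates its CA, which invalidates all issued SVIDs and agent attestations until everything re-attests. A StatefulSet is the right shape for this, so add a volume mounted at `/run/spire/data` backed by a `volumeClaimTemplates` entry (storage size below is an example). `shareProcessNamespace: true` also deserves a one-line comment naming which container needs to see the other's processes.
```yaml
        volumeMounts:
        - name: spire-config
          mountPath: /run/spire/config
          readOnly: true
        - name: spire-data
          mountPath: /run/spire/data
        # … unchanged: spire-registration-socket mount, probes, k8s-workload-registrar container, volumes …
  volumeClaimTemplates:
  - metadata:
      name: spire-data
    spec:
      accessModes: ["ReadWriteOnce"]
      resources:
        requests:
          storage: 1Gi
```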


@ -0,0 +1,91 @@
# Default values for spire-server.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
# Variables added
spireServer:
imageRegistry: gcr.io/spiffe-io/spire-server
imageTag: 1.5.1
k8sWorkloadRegistrarImageRegistry: gcr.io/spiffe-io/k8s-workload-registrar
k8sWorkloadRegistrarImageTag: 1.5.1
# TODO: check and remove unneeded values
replicaCount: 1
image:
repository: nginx
pullPolicy: IfNotPresent
# Overrides the image tag whose default is the chart appVersion.
tag: ""
imagePullSecrets: []
nameOverride: ""
fullnameOverride: ""
serviceAccount:
# Specifies whether a service account should be created
create: true
# Annotations to add to the service account
annotations: {}
# The name of the service account to use.
# If not set and create is true, a name is generated using the fullname template
name: ""
podAnnotations: {}
podSecurityContext: {}
# fsGroup: 2000
securityContext: {}
# capabilities:
# drop:
# - ALL
# readOnlyRootFilesystem: true
# runAsNonRoot: true
# runAsUser: 1000
service:
type: ClusterIP
port: 80
ingress:
enabled: false
className: ""
annotations: {}
# kubernetes.io/ingress.class: nginx
# kubernetes.io/tls-acme: "true"
hosts:
- host: chart-example.local
paths:
- path: /
pathType: ImplementationSpecific
tls: []
# - secretName: chart-example-tls
# hosts:
# - chart-example.local
resources: {}
# We usually recommend not to specify default resources and to leave this as a conscious
# choice for the user. This also increases chances charts run on environments with little
# resources, such as Minikube. If you do want to specify resources, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
# limits:
# cpu: 100m
# memory: 128Mi
# requests:
# cpu: 100m
# memory: 128Mi
autoscaling:
enabled: false
minReplicas: 1
maxReplicas: 100
targetCPUUtilizationPercentage: 80
# targetMemoryUtilizationPercentage: 80
nodeSelector: {}
tolerations: []
affinity: {}


@ -0,0 +1,86 @@
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: spire-agent
namespace: spire
labels:
app: spire-agent
spec:
selector:
matchLabels:
app: spire-agent
template:
metadata:
namespace: spire
labels:
app: spire-agent
spec:
hostPID: true
hostNetwork: true
dnsPolicy: ClusterFirstWithHostNet
serviceAccountName: spire-agent
initContainers:
- name: init
# This is a small image with wait-for-it, choose whatever image
# you prefer that waits for a service to be up. This image is built
# from https://github.com/lqhl/wait-for-it
image: {{ .Values.spireAgent.waitForItImageRegistry }}:{{ .Values.spireAgent.waitForItImageTag }}
imagePullPolicy: IfNotPresent
args: ["-t", "30", "spire-server:8081"]
- name: init-bundle
# Additional init container with the same wait-for-it image to
# provide workaround for https://github.com/spiffe/spire/issues/3032
# It checks if the bundle is in place and ready to be parsed or not.
image: {{ .Values.spireAgent.waitForItImageRegistry }}:{{ .Values.spireAgent.waitForItImageTag }}
imagePullPolicy: IfNotPresent
command: ['sh', '-c', "t=0; until [ -f /run/spire/bundle/bundle.crt 2>&1 ] || [ $t -eq 5 ]; do t=`expr $t + 1`; sleep 1; done"]
containers:
- name: spire-agent
image: {{ .Values.spireAgent.imageRegistry }}:{{ .Values.spireAgent.imageTag }}
args: ["-config", "/run/spire/config/agent.conf"]
volumeMounts:
- name: spire-config
mountPath: /run/spire/config
readOnly: true
- name: spire-bundle
mountPath: /run/spire/bundle
- name: spire-agent-socket
mountPath: /run/spire/sockets
readOnly: false
- name: spire-token
mountPath: /var/run/secrets/tokens
livenessProbe:
exec:
command:
- /opt/spire/bin/spire-agent
- healthcheck
- -socketPath
- /run/spire/sockets/agent.sock
failureThreshold: 2
initialDelaySeconds: 15
periodSeconds: 60
timeoutSeconds: 3
readinessProbe:
exec:
command: ["/opt/spire/bin/spire-agent", "healthcheck", "-socketPath", "/run/spire/sockets/agent.sock", "--shallow"]
initialDelaySeconds: 5
periodSeconds: 5
volumes:
- name: spire-config
configMap:
name: spire-agent
- name: spire-bundle
configMap:
name: spire-bundle
- name: spire-agent-socket
hostPath:
path: /run/spire/sockets
type: DirectoryOrCreate
- name: spire-token
projected:
sources:
- serviceAccountToken:
path: spire-agent
expirationSeconds: 7200
audience: spire-server
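Review bot: The `init-bundle` loop gives up after five one-second checks but still exits 0, so when `/run/spire/bundle/bundle.crt` is not yet populated the init container succeeds and the agent starts without a trust bundle, which is exactly the situation the comment says it works around. Append a final test so the container fails and the kubelet retries it: `...; sleep 1; done; test -f /run/spire/bundle/bundle.crt`. The `wait-for-it` image is pulled by tag from a third-party registry path and runs as an init container on every node; pinning it by digest would make the supply chain verifiable. `hostPID`, `hostNetwork` and the `hostPath` socket mount are inherent to the agent's workload attestation but merit a short comment saying so.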


@ -0,0 +1,94 @@
# Default values for spire.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
# Variables added
spireAgent:
imageRegistry: gcr.io/spiffe-io/spire-agent
imageTag: 1.5.1
waitForItImageRegistry: docker.io/aveshasystems/wait-for-it
waitForItImageTag: 1.0.0
# TODO: use these values/remove them
# TODO: figure how how to make this work outside of spire NS
# Official chart request https://github.com/spiffe/spire/issues/2652
replicaCount: 1
image:
repository: nginx
pullPolicy: IfNotPresent
# Overrides the image tag whose default is the chart appVersion.
tag: ""
imagePullSecrets: []
nameOverride: ""
fullnameOverride: ""
serviceAccount:
# Specifies whether a service account should be created
create: true
# Annotations to add to the service account
annotations: {}
# The name of the service account to use.
# If not set and create is true, a name is generated using the fullname template
name: ""
podAnnotations: {}
podSecurityContext: {}
# fsGroup: 2000
securityContext: {}
# capabilities:
# drop:
# - ALL
# readOnlyRootFilesystem: true
# runAsNonRoot: true
# runAsUser: 1000
service:
type: ClusterIP
port: 80
ingress:
enabled: false
className: ""
annotations: {}
# kubernetes.io/ingress.class: nginx
# kubernetes.io/tls-acme: "true"
hosts:
- host: chart-example.local
paths:
- path: /
pathType: ImplementationSpecific
tls: []
# - secretName: chart-example-tls
# hosts:
# - chart-example.local
resources: {}
# We usually recommend not to specify default resources and to leave this as a conscious
# choice for the user. This also increases chances charts run on environments with little
# resources, such as Minikube. If you do want to specify resources, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
# limits:
# cpu: 100m
# memory: 128Mi
# requests:
# cpu: 100m
# memory: 128Mi
autoscaling:
enabled: false
minReplicas: 1
maxReplicas: 100
targetCPUUtilizationPercentage: 80
# targetMemoryUtilizationPercentage: 80
nodeSelector: {}
tolerations: []
affinity: {}


@ -1,9 +1,4 @@
---
dependencies:
- name: spire
version: 0.1.0
condition: spire.enabled
- name: prefix-service
version: 0.1.0
- name: config
version: 0.1.0
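Review bot: The surviving lines of this hunk cannot be told apart from the removed ones on this rendering, but if the `spire` dependency keeps `version: 0.1.0` it will not match the `version: 0.4.0` declared in the spire Chart.yaml added in this change, and `helm dependency update` will fail to resolve it. Whichever four lines remain, the dependency version should be the subchart's actual version.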


@ -0,0 +1,77 @@
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: forwarder-kernel
namespace: {{ .Release.Namespace }}
labels:
app: forwarder-kernel
spec:
selector:
matchLabels:
app: forwarder-kernel
template:
metadata:
labels:
app: forwarder-kernel
"spiffe.io/spiffe-id": "true"
spec:
hostPID: true
hostNetwork: true
dnsPolicy: ClusterFirstWithHostNet
containers:
- image: {{ .Values.forwardingPlane.kernelImageRegistry }}:{{ .Values.forwardingPlane.kernelImageTag }}
imagePullPolicy: IfNotPresent
name: forwarder-kernel
securityContext:
privileged: true
env:
- name: SPIFFE_ENDPOINT_SOCKET
value: unix:///run/spire/sockets/agent.sock
- name: NSM_LOG_LEVEL
value: TRACE
- name: NSM_TUNNEL_IP
valueFrom:
fieldRef:
fieldPath: status.podIP
- name: NSM_CONNECT_TO
value: unix:///var/lib/networkservicemesh/nsm.io.sock
- name: NSM_LISTEN_ON
value: unix:///listen.on.sock
- name: NSM_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
volumeMounts:
- name: spire-agent-socket
mountPath: /run/spire/sockets
readOnly: true
- name: nsm-socket
mountPath: /var/lib/networkservicemesh
- name: kubelet-socket
mountPath: /var/lib/kubelet
- name: cgroup
mountPath: /host/sys/fs/cgroup
resources:
requests:
cpu: 150m
limits:
memory: 500Mi
cpu: 525m
volumes:
- name: spire-agent-socket
hostPath:
path: /run/spire/sockets
type: Directory
- name: nsm-socket
hostPath:
path: /var/lib/networkservicemesh
type: DirectoryOrCreate
- name: kubelet-socket
hostPath:
path: /var/lib/kubelet
type: Directory
- name: cgroup
hostPath:
path: /sys/fs/cgroup
type: Directory
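Review bot: This DaemonSet carries no `tolerations`, whereas the forwarder template it replaces tolerated `kubeslice.io/node-type=gateway` for both `NoSchedule` and `NoExecute`, so a privileged forwarder will no longer be scheduled on tainted gateway nodes; if that is not intended, the two toleration entries should be carried over. The pod also sets no `serviceAccountName`, so it runs under the namespace's `default` account with its token automounted into a privileged, host-networked container; unless the forwarder needs API access, add `automountServiceAccountToken: false` or give it the dedicated account the old template used. `NSM_LOG_LEVEL: TRACE` is a development default for a shipped chart.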


@ -1,91 +0,0 @@
{{ $fp := .Values.forwardingPlane }}
apiVersion: apps/v1
kind: DaemonSet
spec:
selector:
matchLabels:
app: nsm-{{ $fp }}-plane
template:
metadata:
labels:
app: nsm-{{ $fp }}-plane
spec:
hostPID: true
hostNetwork: true
serviceAccount: forward-plane-acc
{{- if and .Values.imagePullSecrets .Values.imagePullSecrets.repository .Values.imagePullSecrets.username .Values.imagePullSecrets.password }}
imagePullSecrets:
- name: kubeslice-image-pull-secret
{{- end }}
containers:
- name: {{ (index .Values $fp).image }}
securityContext:
privileged: true
image: {{ .Values.registry }}/{{ .Values.org }}/{{ (index .Values $fp).image }}:{{ (index .Values $fp).tag }}
imagePullPolicy: {{ (index .Values $fp).pullPolicy }}
env:
- name: INSECURE
value: {{ .Values.insecure | default false | quote }}
- name: METRICS_COLLECTOR_ENABLED
value: {{ .Values.metricsCollectorEnabled | default false | quote }}
- name: TRACER_ENABLED
value: {{ .Values.global.JaegerTracing | default false | quote }}
- name: JAEGER_AGENT_HOST
value: jaeger.{{ .Release.Namespace }}
- name: JAEGER_AGENT_PORT
value: "6831"
- name: NSM_FORWARDER_SRC_IP
valueFrom:
fieldRef:
fieldPath: status.podIP
volumeMounts:
- name: workspace
mountPath: /var/lib/networkservicemesh/
mountPropagation: Bidirectional
- name: spire-agent-socket
mountPath: /run/spire/sockets
readOnly: true
livenessProbe:
httpGet:
path: /liveness
port: 5555
initialDelaySeconds: 10
periodSeconds: 10
timeoutSeconds: 3
readinessProbe:
httpGet:
path: /readiness
port: 5555
initialDelaySeconds: 10
periodSeconds: 10
timeoutSeconds: 3
{{- if (index .Values $fp).resources }}
resources:
limits:
cpu: {{ (index .Values $fp).resources.limitCPU }}
requests:
cpu: {{ (index .Values $fp).resources.requestsCPU }}
{{- end }}
volumes:
- hostPath:
path: /var/lib/networkservicemesh
type: DirectoryOrCreate
name: workspace
- hostPath:
path: /run/spire/sockets
type: DirectoryOrCreate
name: spire-agent-socket
tolerations:
- key: "kubeslice.io/node-type"
operator: "Equal"
value: "gateway"
effect: "NoSchedule"
- key: "kubeslice.io/node-type"
operator: "Equal"
value: "gateway"
effect: "NoExecute"
metadata:
name: nsm-{{ $fp }}-forwarder
namespace: {{ .Release.Namespace }}


@ -1,142 +0,0 @@
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: nsmgr
namespace: {{ .Release.Namespace }}
spec:
selector:
matchLabels:
app: nsmgr-daemonset
template:
metadata:
labels:
app: nsmgr-daemonset
spec:
serviceAccount: nsmgr-acc
{{- if and .Values.imagePullSecrets .Values.imagePullSecrets.repository .Values.imagePullSecrets.username .Values.imagePullSecrets.password }}
imagePullSecrets:
- name: kubeslice-image-pull-secret
{{- end }}
containers:
- name: nsmdp
image: {{ .Values.registry }}/{{ .Values.org }}/nsmdp:{{ .Values.nsmdp.tag }}
imagePullPolicy: {{ .Values.nsmdp.pullPolicy }}
env:
- name: INSECURE
value: {{ .Values.insecure | default false | quote }}
- name: TRACER_ENABLED
value: {{ .Values.global.JaegerTracing | default false | quote }}
- name: JAEGER_AGENT_HOST
value: jaeger.{{ .Release.Namespace }}
- name: NSM_NAMESPACE
value: {{ .Release.Namespace }}
- name: JAEGER_AGENT_PORT
value: "6831"
- name: PREFERRED_REMOTE_MECHANISM
value: {{ .Values.preferredRemoteMechanism | quote }}
ports:
- containerPort: 5001
hostPort: 5001
volumeMounts:
- name: kubelet-socket
mountPath: /var/lib/kubelet/device-plugins
- name: nsm-socket
mountPath: /var/lib/networkservicemesh
- name: spire-agent-socket
mountPath: /run/spire/sockets
readOnly: true
- name: nsmd
image: {{ .Values.registry }}/{{ .Values.org }}/nsmd:{{ .Values.nsmd.tag }}
imagePullPolicy: {{ .Values.nsmd.pullPolicy }}
env:
- name: INSECURE
value: {{ .Values.insecure | default false | quote }}
- name: TRACER_ENABLED
value: {{ .Values.global.JaegerTracing | default false | quote }}
- name: JAEGER_AGENT_HOST
value: jaeger.{{ .Release.Namespace }}
- name: JAEGER_AGENT_PORT
value: "6831"
- name: NSM_NAMESPACE
value: {{ .Release.Namespace }}
- name: PREFERRED_REMOTE_MECHANISM
value: {{ .Values.preferredRemoteMechanism | quote }}
volumeMounts:
- name: nsm-socket
mountPath: /var/lib/networkservicemesh
- name: spire-agent-socket
mountPath: /run/spire/sockets
readOnly: true
- name: nsm-config-volume
mountPath: /var/lib/networkservicemesh/config
livenessProbe:
httpGet:
host: "127.0.0.1"
path: /liveness
port: 5555
initialDelaySeconds: 10
periodSeconds: 10
timeoutSeconds: 3
readinessProbe:
httpGet:
host: "127.0.0.1"
path: /readiness
port: 5555
initialDelaySeconds: 10
periodSeconds: 10
timeoutSeconds: 3
- name: nsmd-k8s
image: {{ .Values.registry }}/{{ .Values.org }}/nsmd-k8s:{{ .Values.nsmdK8s.tag }}
imagePullPolicy: {{ .Values.nsmdK8s.pullPolicy }}
volumeMounts:
- name: spire-agent-socket
mountPath: /run/spire/sockets
readOnly: true
env:
- name: INSECURE
value: {{ .Values.insecure | default false | quote }}
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: POD_UID
valueFrom:
fieldRef:
fieldPath: metadata.uid
- name: NODE_NAME
valueFrom:
fieldRef:
fieldPath: spec.nodeName
- name: TRACER_ENABLED
value: {{ .Values.global.JaegerTracing | default false | quote }}
- name: JAEGER_AGENT_HOST
value: jaeger.{{ .Release.Namespace }}
- name: JAEGER_AGENT_PORT
value: "6831"
- name: NSM_NAMESPACE
value: {{ .Release.Namespace }}
volumes:
- hostPath:
path: /var/lib/kubelet/device-plugins
type: DirectoryOrCreate
name: kubelet-socket
- hostPath:
path: /var/lib/networkservicemesh
type: DirectoryOrCreate
name: nsm-socket
- name: nsm-config-volume
configMap:
name: nsm-config
- hostPath:
path: /run/spire/sockets
type: DirectoryOrCreate
name: spire-agent-socket
tolerations:
- key: "kubeslice.io/node-type"
operator: "Equal"
value: "gateway"
effect: "NoSchedule"
- key: "kubeslice.io/node-type"
operator: "Equal"
value: "gateway"
effect: "NoExecute"


@ -0,0 +1,152 @@
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: nsmgr
labels:
app: nsmgr
namespace: {{ .Release.Namespace }}
spec:
selector:
matchLabels:
app: nsmgr
template:
metadata:
labels:
app: nsmgr
"spiffe.io/spiffe-id": "true"
spec:
serviceAccountName: nsmgr-acc
initContainers:
- name: init
# This is a small image with wait-for-it, choose whatever image
# you prefer that waits for a service to be up. This image is built
# from https://github.com/lqhl/wait-for-it
image: {{ .Values.nsmgr.waitForItImageRegistry }}:{{ .Values.nsmgr.waitForItImageTag }}
imagePullPolicy: IfNotPresent
args: [ "-t", "120", "spire-server.spire:8081" ]
#command: ['sh', '-c', 'sleep 120']
#command: ['sh', '-c', "t=0; until [ -f /run/spire/sockets/agent.sock 2>&1 ] || [ $t -eq 5 ]; do t=`expr $t + 1`; sleep 15; done;"]
containers:
- image: {{ .Values.nsmgr.imageRegistry }}:{{ .Values.nsmgr.imageTag }}
imagePullPolicy: IfNotPresent
name: nsmgr
ports:
- containerPort: 5001
hostPort: 5001
env:
- name: SPIFFE_ENDPOINT_SOCKET
value: unix:///run/spire/sockets/agent.sock
- name: NSM_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: NSM_LOG_LEVEL
value: TRACE
- name: NSM_REGISTRY_URL
value: "registry:5002"
# - name: DLV_LISTEN_NSMGR
# value: :40000
- name: POD_IP
valueFrom:
fieldRef:
fieldPath: status.podIP
- name: NSM_LISTEN_ON
value: unix:///var/lib/networkservicemesh/nsm.io.sock,tcp://:5001
- name: NODE_NAME
valueFrom:
fieldRef:
fieldPath: spec.nodeName
- name: INSECURE
value: {{ .Values.insecure | default false | quote }}
- name: TRACER_ENABLED
value: {{ .Values.global.JaegerTracing | default false | quote }}
- name: NSM_OPENTELEMETRYENDPOINT
value: jaeger.{{ .Release.Namespace }}:6831
- name: JAEGER_AGENT_HOST
value: jaeger.{{ .Release.Namespace }}
- name: JAEGER_AGENT_PORT
value: "6831"
- name: FORWARDER_NAME
value: "kernel"
volumeMounts:
- name: kubelet-socket
mountPath: /var/lib/kubelet/device-plugins
- name: spire-agent-socket
mountPath: /run/spire/sockets
readOnly: true
- name: nsm-socket
mountPath: /var/lib/networkservicemesh
- name: nsm-config-volume
mountPath: /var/lib/networkservicemesh/config/
resources:
requests:
cpu: 200m
memory: 100Mi
limits:
memory: 200Mi
cpu: 400m
readinessProbe:
exec:
command: ["/bin/grpc-health-probe", "-spiffe", "-addr=:5001"]
failureThreshold: 300
initialDelaySeconds: 1
periodSeconds: 15
successThreshold: 1
timeoutSeconds: 2
livenessProbe:
exec:
command: ["/bin/grpc-health-probe", "-spiffe", "-addr=:5001"]
failureThreshold: 25
initialDelaySeconds: 10
periodSeconds: 5
timeoutSeconds: 2
startupProbe:
exec:
command: ["/bin/grpc-health-probe", "-spiffe", "-addr=:5001"]
failureThreshold: 25
periodSeconds: 5
- image: {{ .Values.nsmgr.excludePrefixesImageRegistry }}:{{ .Values.nsmgr.excludePrefixesImageTag }}
imagePullPolicy: IfNotPresent
name: exclude-prefixes
env:
- name: NSM_LOG_LEVEL
value: TRACE
- name: NSM_CONFIG_MAP_NAMESPACE
value: {{ .Release.Namespace }}
- name: NSM_PREFIXES_OUTPUT_TYPE
value: config-map
volumeMounts:
- name: nsm-config-volume
mountPath: /var/lib/networkservicemesh/config/
resources:
limits:
memory: 40Mi
cpu: 75m
volumes:
- hostPath:
path: /var/lib/kubelet/device-plugins
type: DirectoryOrCreate
name: kubelet-socket
- name: spire-agent-socket
hostPath:
path: /run/spire/sockets
type: Directory
- name: nsm-socket
hostPath:
path: /var/lib/networkservicemesh
type: DirectoryOrCreate
- name: nsm-config-volume
{{/* emptyDir:*/}}
{{/* {}*/}}
configMap:
name: nsm-config
tolerations:
- key: "kubeslice.io/node-type"
operator: "Equal"
value: "gateway"
effect: "NoSchedule"
- key: "kubeslice.io/node-type"
operator: "Equal"
value: "gateway"
effect: "NoExecute"
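Review bot: `NSM_LOG_LEVEL` is hard-wired to `TRACE` for both the nsmgr container and the exclude-prefixes sidecar (the registry-k8s Deployment in the next section does the same for `REGISTRY_K8S_LOG_LEVEL`), so every install ships at the most verbose level, which inflates log volume and is where request-level detail tends to end up in the log pipeline. Source it from values with a quiet default, e.g. `value: {{ .Values.nsmgr.logLevel | default "INFO" | quote }}` (a new key that would need adding to values.yaml). The dead alternatives at the `#command:` lines of the init container, the commented `DLV_LISTEN_NSMGR` env pair and the `{{/* emptyDir: */}}` remnant under `nsm-config-volume` read as debugging leftovers and should be dropped before this is published. The SPIRE socket volume here is `type: Directory` while `kubelet-socket` and `nsm-socket` use `DirectoryOrCreate`; if that asymmetry is deliberate (fail fast when no agent is present on the node) a one-line comment saying so would help the next maintainer.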


@ -0,0 +1,57 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: registry-k8s
namespace: {{ .Release.Namespace }}
labels:
app: registry
spec:
selector:
matchLabels:
app: registry
template:
metadata:
labels:
app: registry
"spiffe.io/spiffe-id": "true"
spec:
serviceAccountName: nsmgr-acc
containers:
- image: {{ .Values.registryK8sImageRegistry }}:{{ .Values.registryK8sImageTag }}
env:
- name: SPIFFE_ENDPOINT_SOCKET
value: unix:///run/spire/sockets/agent.sock
- name: REGISTRY_K8S_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: REGISTRY_K8S_LOG_LEVEL
value: TRACE
- name: REGISTRY_K8S_LISTEN_ON
value: tcp://:5002
- name: REGISTRY_K8S_PROXY_REGISTRY_URL
value: nsmgr-proxy:5004
imagePullPolicy: IfNotPresent
name: registry
ports:
- containerPort: 5002
hostPort: 5002
volumeMounts:
- name: spire-agent-socket
mountPath: /run/spire/sockets
resources:
requests:
cpu: 100m
limits:
memory: 40Mi
cpu: 200m
volumes:
- name: spire-agent-socket
hostPath:
path: /run/spire/sockets
type: DirectoryOrCreate
- name: nsm-socket
hostPath:
path: /var/lib/networkservicemesh
type: DirectoryOrCreate
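Review bot: The `spire-agent-socket` mount on the registry container lacks `readOnly: true`, unlike the same mount in the nsmgr DaemonSet and the nsmd-k8s container above, so this container gets a writable view of the node's `/run/spire/sockets` hostPath; add `readOnly: true` under that `volumeMounts` entry. The `nsm-socket` hostPath volume is declared but no container in this pod mounts it, and as `DirectoryOrCreate` it will still create the directory on every node the pod lands on, so remove it unless a mount was left out by mistake. `resources.requests` sets only `cpu` while `limits` carries a `40Mi` memory cap; adding an explicit `memory:` request makes the scheduling intent visible instead of relying on the request defaulting to the limit.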


@ -0,0 +1,15 @@
---
apiVersion: v1
kind: Service
metadata:
name: registry
namespace: {{ .Release.Namespace }}
spec:
selector:
app: registry
ports:
- name: registry
protocol: TCP
port: 5002
targetPort: 5002
type: ClusterIP


@ -3,50 +3,22 @@
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
registry: docker.io
org: aveshasystems
tag: 0.6.1
pullPolicy: IfNotPresent
forwardingPlane: kernel
insecure: true
preferredRemoteMechanism:
vpp:
image: vppagent-forwarder
nsmd:
image: nsmd
tag: 0.6.1
pullPolicy: IfNotPresent
nsmdp:
image: nsmdp
tag: 0.6.1
pullPolicy: IfNotPresent
nsmdK8s:
image: nsmd-k8s
tag: 0.6.2
pullPolicy: IfNotPresent
kernel:
image: kernel-forwarder
tag: 0.6.2
pullPolicy: IfNotPresent
resources:
limitCPU: 1
requestsCPU: 1m
global:
# set to true to enable Jaeger tracing for NSM components
JaegerTracing: true
metricsCollectorEnabled: false
forwardingPlane:
kernelImageRegistry: docker.io/aveshasystems/cmd-forwarder-kernel
kernelImageTag: 1.0.0
# username & password & email values for imagePullSecrets has to provided to create a secret
imagePullSecrets:
repository: https://index.docker.io/v1/
username:
password:
email:
nsmgr:
imageRegistry: docker.io/aveshasystems/cmd-nsmgr
imageTag: 1.5.2
waitForItImageRegistry: docker.io/aveshasystems/wait-for-it
waitForItImageTag: 1.0.0
excludePrefixesImageRegistry: docker.io/aveshasystems/cmd-exclude-prefixes-k8s
excludePrefixesImageTag: 1.5.2
registryK8sImageRegistry: docker.io/aveshasystems/cmd-registry-k8s
registryK8sImageTag: 1.5.2
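Review bot: `imagePullSecrets.username`, `password` and `email` are bare keys, so they render as `null` rather than empty strings, and the comment above them directs operators to fill them in here, which puts registry credentials into a values file that is typically committed or passed around in plain text. Prefer referencing a pre-created pull secret by name (an `existingSecret`-style key) and, if inline values stay supported, make them explicit strings (`username: ""`) so templating with `b64enc` or `required` behaves predictably. Which of these lines survive on the new side is not fully recoverable from the rendered hunk, so read this as applying to whatever the new values.yaml keeps. Image versions such as `imageTag: 1.5.2` and `kernelImageTag: 1.0.0` are mutable tags combined with `imagePullPolicy: IfNotPresent` in the templates; pinning by digest, or at least quoting the tags so a two-component version like `1.5` can never be read as a float, would make the deployed images reproducible.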


@ -0,0 +1,103 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.7.0
creationTimestamp: null
name: slicenodeaffinities.networking.kubeslice.io
spec:
group: networking.kubeslice.io
names:
kind: SliceNodeAffinity
listKind: SliceNodeAffinityList
plural: slicenodeaffinities
singular: slicenodeaffinity
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
description: SliceNodeAffinity is the Schema for the slicenodeaffinities API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: SliceNodeAffinitySpec defines the desired state of SliceNodeAffinity
type: object
status:
description: SliceNodeAffinityStatus defines the observed state of SliceNodeAffinity
properties:
nodeAffinityRules:
description: NodeAffinityRules contains the list of rules per namespace
items:
description: NodeAffinityRule defines the rules to select nodes
for a particular namespace
properties:
namespace:
description: Namespace is the namespace in the slice this rule
applies to
type: string
nodeSelectorLabels:
description: NodeSelectorLabels defines the label selectors
to select nodes for assigning to pods
items:
description: A node selector requirement is a selector that
contains values, a key, and an operator that relates the
key and values.
properties:
key:
description: The label key that the selector applies to.
type: string
operator:
description: Represents a key's relationship to a set
of values. Valid operators are In, NotIn, Exists, DoesNotExist.
Gt, and Lt.
type: string
values:
description: An array of string values. If the operator
is In or NotIn, the values array must be non-empty.
If the operator is Exists or DoesNotExist, the values
array must be empty. If the operator is Gt or Lt, the
values array must have a single element, which will
be interpreted as an integer. This array is replaced
during a strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
required:
- namespace
- nodeSelectorLabels
type: object
type: array
sliceName:
description: SliceName defines the name of the slice for the NodeAffinity
type: string
type: object
type: object
served: true
storage: true
subresources:
status: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []


@ -0,0 +1,527 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.7.0
creationTimestamp: null
name: sliceresourcequotas.networking.kubeslice.io
spec:
group: networking.kubeslice.io
names:
kind: SliceResourceQuota
listKind: SliceResourceQuotaList
plural: sliceresourcequotas
singular: sliceresourcequota
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
description: SliceResourceQuota is the Schema for the sliceresourcequota API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
type: object
status:
properties:
clusterName:
description: ClusterName defines the name of the cluster for the ResourceQuota
type: string
configUpdatedOn:
format: int64
type: integer
resourceQuotaProfile:
description: ResourceQuotaProfile defines the resource quota profile
for the slice
properties:
clusterQuota:
description: ClusterQuota defines the configuration for cluster
quota of a resource quota
properties:
namespaceQuota:
description: NamespaceQuota defines the configuration for
namespace quota of a ClusterQuota
items:
description: NamespaceQuota defines the configuration for
namespace quota of a ClusterQuota
properties:
enforceQuota:
default: false
description: EnforceQuota defines the enforceQuota status
flag for NamespaceQuota
type: boolean
namespace:
description: Namespace defines the namespace of the
NamespaceQuota
type: string
resources:
description: Resources defines the configuration for
resources for NamespaceQuota
properties:
defaultLimitPerContainer:
description: DefaultResourcePerContainerList is
a set of (resource name, quantity) pairs.
properties:
cpu:
anyOf:
- type: integer
- type: string
description: CPU in cores. (500m = .5 cores)
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
ephemeralStorage:
anyOf:
- type: integer
- type: string
description: EphemeralStorage Local ephemeral
storage, in bytes. (500Gi = 500GiB = 500 *
1024 * 1024 * 1024) The resource name for
EphemeralStorage is alpha, and it can change
across releases.
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
memory:
anyOf:
- type: integer
- type: string
description: Memory in bytes. (500Gi = 500GiB
= 500 * 1024 * 1024 * 1024)
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
type: object
defaultRequestPerContainer:
description: DefaultRequestPerContainer is a set
of (resource name, quantity) pairs.
properties:
cpu:
anyOf:
- type: integer
- type: string
description: CPU in cores. (500m = .5 cores)
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
ephemeralStorage:
anyOf:
- type: integer
- type: string
description: EphemeralStorage LoNamespaceResourceQuotaStatuscal
ephemeral storage, in bytes. (500Gi = 500GiB
= 500 * 1024 * 1024 * 1024) The resource name
for EphemeralStorage is alpha, and it can
change across releases.
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
memory:
anyOf:
- type: integer
- type: string
description: Memory in bytes. (500Gi = 500GiB
= 500 * 1024 * 1024 * 1024)
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
type: object
limit:
properties:
cpu:
anyOf:
- type: integer
- type: string
description: CPU in cores. (500m = .5 cores)
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
ephemeralStorage:
anyOf:
- type: integer
- type: string
description: EphemeralStorage Local ephemeral
storage, in bytes. (500Gi = 500GiB = 500 *
1024 * 1024 * 1024) The resource name for
EphemeralStorage is alpha, and it can change
across releases.
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
memory:
anyOf:
- type: integer
- type: string
description: Memory in bytes. (500Gi = 500GiB
= 500 * 1024 * 1024 * 1024)
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
podCount:
description: PodCount in number.
format: int64
type: integer
type: object
request:
description: RequestResourceList is a set of (resource
name, quantity) pairs.
properties:
cpu:
anyOf:
- type: integer
- type: string
description: CPU in cores. (500m = .5 cores)
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
ephemeralStorage:
anyOf:
- type: integer
- type: string
description: EphemeralStorage Local ephemeral
storage, in bytes. (500Gi = 500GiB = 500 *
1024 * 1024 * 1024) The resource name for
EphemeralStorage is alpha, and it can change
across releases.
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
memory:
anyOf:
- type: integer
- type: string
description: Memory in bytes. (500Gi = 500GiB
= 500 * 1024 * 1024 * 1024)
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
type: object
type: object
type: object
type: array
resources:
description: Resources defines the configuration for resources
for ClusterQuota
properties:
limit:
properties:
cpu:
anyOf:
- type: integer
- type: string
description: CPU in cores. (500m = .5 cores)
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
ephemeralStorage:
anyOf:
- type: integer
- type: string
description: EphemeralStorage Local ephemeral storage,
in bytes. (500Gi = 500GiB = 500 * 1024 * 1024 *
1024) The resource name for EphemeralStorage is
alpha, and it can change across releases.
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
memory:
anyOf:
- type: integer
- type: string
description: Memory in bytes. (500Gi = 500GiB = 500
* 1024 * 1024 * 1024)
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
podCount:
description: PodCount in number.
format: int64
type: integer
type: object
request:
description: RequestResourceList is a set of (resource
name, quantity) pairs.
properties:
cpu:
anyOf:
- type: integer
- type: string
description: CPU in cores. (500m = .5 cores)
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
ephemeralStorage:
anyOf:
- type: integer
- type: string
description: EphemeralStorage Local ephemeral storage,
in bytes. (500Gi = 500GiB = 500 * 1024 * 1024 *
1024) The resource name for EphemeralStorage is
alpha, and it can change across releases.
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
memory:
anyOf:
- type: integer
- type: string
description: Memory in bytes. (500Gi = 500GiB = 500
* 1024 * 1024 * 1024)
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
type: object
type: object
type: object
sliceQuota:
description: SliceQuota defines the configuration for slice quota
of a resource quota
properties:
resources:
description: Resources defines the configuration for resources
for SliceQuota
properties:
defaultRequestPerContainer:
description: DefaultRequestPerContainer is a set of (resource
name, quantity) pairs.
properties:
cpu:
anyOf:
- type: integer
- type: string
description: CPU in cores. (500m = .5 cores)
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
ephemeralStorage:
anyOf:
- type: integer
- type: string
description: EphemeralStorage LoNamespaceResourceQuotaStatuscal
ephemeral storage, in bytes. (500Gi = 500GiB = 500
* 1024 * 1024 * 1024) The resource name for EphemeralStorage
is alpha, and it can change across releases.
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
memory:
anyOf:
- type: integer
- type: string
description: Memory in bytes. (500Gi = 500GiB = 500
* 1024 * 1024 * 1024)
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
type: object
limit:
properties:
cpu:
anyOf:
- type: integer
- type: string
description: CPU in cores. (500m = .5 cores)
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
ephemeralStorage:
anyOf:
- type: integer
- type: string
description: EphemeralStorage Local ephemeral storage,
in bytes. (500Gi = 500GiB = 500 * 1024 * 1024 *
1024) The resource name for EphemeralStorage is
alpha, and it can change across releases.
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
memory:
anyOf:
- type: integer
- type: string
description: Memory in bytes. (500Gi = 500GiB = 500
* 1024 * 1024 * 1024)
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
podCount:
description: PodCount in number.
format: int64
type: integer
type: object
request:
description: RequestResourceList is a set of (resource
name, quantity) pairs.
properties:
cpu:
anyOf:
- type: integer
- type: string
description: CPU in cores. (500m = .5 cores)
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
ephemeralStorage:
anyOf:
- type: integer
- type: string
description: EphemeralStorage Local ephemeral storage,
in bytes. (500Gi = 500GiB = 500 * 1024 * 1024 *
1024) The resource name for EphemeralStorage is
alpha, and it can change across releases.
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
memory:
anyOf:
- type: integer
- type: string
description: Memory in bytes. (500Gi = 500GiB = 500
* 1024 * 1024 * 1024)
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
type: object
type: object
type: object
type: object
sliceName:
description: SliceName defines the name of the slice for the ResourceQuota
type: string
sliceResourceQuotaStatus:
description: WorkerSliceResourceQuotaStatus defines the observed state
of WorkerSliceResourceQuota
properties:
clusterResourceQuotaStatus:
properties:
namespaceResourceQuotaStatus:
items:
properties:
namespace:
type: string
requestResourceUsage:
description: RequestResourceList is a set of (resource
name, quantity) pairs.
properties:
cpu:
anyOf:
- type: integer
- type: string
description: CPU in cores. (500m = .5 cores)
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
ephemeralStorage:
anyOf:
- type: integer
- type: string
description: EphemeralStorage Local ephemeral storage,
in bytes. (500Gi = 500GiB = 500 * 1024 * 1024
* 1024) The resource name for EphemeralStorage
is alpha, and it can change across releases.
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
memory:
anyOf:
- type: integer
- type: string
description: Memory in bytes. (500Gi = 500GiB =
500 * 1024 * 1024 * 1024)
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
type: object
resourceUsage:
properties:
cpu:
anyOf:
- type: integer
- type: string
description: CPU in cores. (500m = .5 cores)
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
ephemeralStorage:
anyOf:
- type: integer
- type: string
description: EphemeralStorage Local ephemeral storage,
in bytes. (500Gi = 500GiB = 500 * 1024 * 1024
* 1024) The resource name for EphemeralStorage
is alpha, and it can change across releases.
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
memory:
anyOf:
- type: integer
- type: string
description: Memory in bytes. (500Gi = 500GiB =
500 * 1024 * 1024 * 1024)
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
podCount:
description: PodCount in number.
format: int64
type: integer
type: object
type: object
type: array
requestResourceUsage:
description: RequestResourceList is a set of (resource name,
quantity) pairs.
properties:
cpu:
anyOf:
- type: integer
- type: string
description: CPU in cores. (500m = .5 cores)
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
ephemeralStorage:
anyOf:
- type: integer
- type: string
description: EphemeralStorage Local ephemeral storage,
in bytes. (500Gi = 500GiB = 500 * 1024 * 1024 * 1024)
The resource name for EphemeralStorage is alpha, and
it can change across releases.
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
memory:
anyOf:
- type: integer
- type: string
description: Memory in bytes. (500Gi = 500GiB = 500 *
1024 * 1024 * 1024)
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
type: object
resourceUsage:
properties:
cpu:
anyOf:
- type: integer
- type: string
description: CPU in cores. (500m = .5 cores)
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
ephemeralStorage:
anyOf:
- type: integer
- type: string
description: EphemeralStorage Local ephemeral storage,
in bytes. (500Gi = 500GiB = 500 * 1024 * 1024 * 1024)
The resource name for EphemeralStorage is alpha, and
it can change across releases.
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
memory:
anyOf:
- type: integer
- type: string
description: Memory in bytes. (500Gi = 500GiB = 500 *
1024 * 1024 * 1024)
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
podCount:
description: PodCount in number.
format: int64
type: integer
type: object
type: object
type: object
type: object
type: object
served: true
storage: true
subresources:
status: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []


@ -0,0 +1,214 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.7.0
creationTimestamp: null
name: slicerolebindings.networking.kubeslice.io
spec:
group: networking.kubeslice.io
names:
kind: SliceRoleBinding
listKind: SliceRoleBindingList
plural: slicerolebindings
singular: slicerolebinding
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
description: SliceRoleBinding is the Schema for the slicerolebindings API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: SliceRoleBindingSpec defines the desired state of SliceRoleBinding
type: object
status:
properties:
roleRefCondition:
properties:
condition:
description: Condition defines conditions of the RoleRef, one
of INVALID_RULE, INVALID_ROLE_BINDING.
type: string
lastUpdateTime:
description: The last time this condition was updated.
format: date-time
type: string
message:
description: A human readable message indicating details about
the transition.
type: string
reason:
description: The reason for the condition's last transition.
type: string
roleRef:
description: Name, APIGroup and Kind of the RoleRef
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this
representation of an object. Servers should convert recognized
schemas to the latest internal value, and may reject unrecognized
values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: Kind is the type of resource being referenced
type: string
name:
description: Name is the name of resource being referenced
type: string
required:
- apiVersion
- kind
- name
type: object
status:
description: Status of the condition, one of True, False, Unknown.
type: string
required:
- condition
- lastUpdateTime
- reason
- roleRef
- status
type: object
sliceRbConfig:
description: RoleBindingConfig references a role, but does not contain
it.
properties:
applyTo:
description: ApplyTo contains information about the namespace
and the Subjects.
items:
description: ApplyTo contains information about the namespace
and the Subjects. It adds who information via Subjects and
namespace information by which namespace it exists in.
properties:
namespace:
description: Namespace of the referenced object. If the
object kind is non-namespace, such as "User" or "Group",
and this value is not empty the Authorizer should report
an error. '*' Represents all namespaces
type: string
subjects:
description: Subjects holds references to the objects the
role applies to.
items:
description: Subject contains a reference to the object
or user identities a role binding applies to. This
can either hold a direct API object reference, or a
value for non-objects such as user and group names.
properties:
apiGroup:
description: APIGroup holds the API group of the referenced
subject. Defaults to "" for ServiceAccount subjects.
Defaults to "rbac.authorization.k8s.io" for User
and Group subjects.
type: string
kind:
description: Kind of object being referenced. Values
defined by this API group are "User", "Group", and
"ServiceAccount". If the Authorizer does not recognized
the kind value, the Authorizer should report an
error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
description: Namespace of the referenced object. If
the object kind is non-namespace, such as "User"
or "Group", and this value is not empty the Authorizer
should report an error.
type: string
required:
- kind
- name
type: object
type: array
type: object
type: array
roleRefName:
description: Name of the RoleRef
type: string
rules:
description: PolicyRule holds information that describes a policy
rule
items:
description: PolicyRule holds information that describes a policy
rule, but does not contain information about who the rule
applies to or which namespace the rule applies to.
properties:
apiGroups:
description: APIGroups is the name of the APIGroup that
contains the resources. If multiple API groups are specified,
any action requested against one of the enumerated resources
in any API group will be allowed.
items:
type: string
type: array
nonResourceURLs:
description: NonResourceURLs is a set of partial urls that
a user should have access to. *s are allowed, but only
as the full, final step in the path Since non-resource
URLs are not namespaced, this field is only applicable
for ClusterRoles referenced from a ClusterRoleBinding.
Rules can either apply to API resources (such as "pods"
or "secrets") or non-resource URL paths (such as "/api"), but
not both.
items:
type: string
type: array
resourceNames:
description: ResourceNames is an optional white list of
names that the rule applies to. An empty set means that
everything is allowed.
items:
type: string
type: array
resources:
description: Resources is a list of resources this rule
applies to. '*' represents all resources.
items:
type: string
type: array
verbs:
description: Verbs is a list of Verbs that apply to ALL
the ResourceKinds contained in this rule. '*' represents
all verbs.
items:
type: string
type: array
required:
- verbs
type: object
type: array
sliceName:
description: sliceName is the name of the slice
type: string
type: object
type: object
type: object
served: true
storage: true
subresources:
status: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []


@ -1,4 +1,3 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
@ -6,20 +5,20 @@ metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.7.0
creationTimestamp: null
name: slice.networking.kubeslice.io
name: slices.networking.kubeslice.io
spec:
group: networking.kubeslice.io
names:
kind: Slice
listKind: SliceList
plural: slice
plural: slices
singular: slice
scope: Namespaced
versions:
- name: v1beta1
schema:
openAPIV3Schema:
description: Slice is the Schema for the slice API
description: Slice is the Schema for the slices API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
@ -203,3 +202,4 @@ status:
plural: ""
conditions: []
storedVersions: []
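Review bot: Renaming the CRD at `name:` from `slice.networking.kubeslice.io` to `slices.networking.kubeslice.io` (and `plural: slice` to `slices`) is a new CRD, not a migration: Helm does not delete or rename CRDs on upgrade, so the old definition and every Slice object stored under it stay in the cluster, while the operator role updated in this same commit now only references `slices`. Neither pre-delete hook added in this commit touches the old CRD (one deletes `nsm-config`, the other removes spiffeids). If this file lives under `crds/` rather than `templates/`, Helm will not even install the renamed CRD on `helm upgrade`, which would make the RBAC change inert; please confirm the path. At minimum add above `name:` a comment such as `# renamed from slice.networking.kubeslice.io in 0.5.0; existing Slice objects must be migrated and the old CRD removed by hand`, and document the step in the chart README.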


@ -17,7 +17,7 @@ questions:
variable: imagePullSecrets.password
-
default: ""
description: "https://docs.avesha.io/documentation/enterprise/0.2.0/deployment-partners/deploying-kubeslice-on-rancher/installing-the-worker-operator-on-rancher#getting-the-secrets-of-the-registered-cluster"
description: "https://docs.avesha.io/documentation/enterprise/0.5.0/deployment-partners/deploying-kubeslice-on-rancher/installing-the-worker-operator-on-rancher#getting-the-secrets-of-the-registered-cluster"
group: "Worker Secrets from Controller"
label: "Controller Namespace"
required: true
@ -25,7 +25,7 @@ questions:
variable: controllerSecret.namespace
-
default: ""
description: "https://docs.avesha.io/documentation/enterprise/0.2.0/deployment-partners/deploying-kubeslice-on-rancher/installing-the-worker-operator-on-rancher#getting-the-secrets-of-the-registered-cluster"
description: "https://docs.avesha.io/documentation/enterprise/0.5.0/deployment-partners/deploying-kubeslice-on-rancher/installing-the-worker-operator-on-rancher#getting-the-secrets-of-the-registered-cluster"
group: "Worker Secrets from Controller"
label: "Controller Endpoint"
required: true
@ -33,7 +33,7 @@ questions:
variable: controllerSecret.endpoint
-
default: ""
description: "https://docs.avesha.io/documentation/enterprise/0.2.0/deployment-partners/deploying-kubeslice-on-rancher/installing-the-worker-operator-on-rancher#getting-the-secrets-of-the-registered-cluster"
description: "https://docs.avesha.io/documentation/enterprise/0.5.0/deployment-partners/deploying-kubeslice-on-rancher/installing-the-worker-operator-on-rancher#getting-the-secrets-of-the-registered-cluster"
group: "Worker Secrets from Controller"
label: "Controller CA Cert"
required: true
@ -41,7 +41,7 @@ questions:
variable: controllerSecret.'ca.crt'
-
default: ""
description: "https://docs.avesha.io/documentation/enterprise/0.2.0/deployment-partners/deploying-kubeslice-on-rancher/installing-the-worker-operator-on-rancher#getting-the-secrets-of-the-registered-cluster"
description: "https://docs.avesha.io/documentation/enterprise/0.5.0/deployment-partners/deploying-kubeslice-on-rancher/installing-the-worker-operator-on-rancher#getting-the-secrets-of-the-registered-cluster"
group: "Worker Secrets from Controller"
label: "Controller Token"
required: true
@ -57,7 +57,7 @@ questions:
variable: cluster.name
-
default: ""
description: "Worker Cluster Endpoint,use 'kubectl cluster-info on worker cluster' or for details please follow https://docs.avesha.io/documentation/enterprise/0.2.0/"
description: "Worker Cluster Endpoint,use 'kubectl cluster-info on worker cluster' or for details please follow https://docs.avesha.io/documentation/enterprise/0.5.0/"
group: "Worker Cluster Details"
label: "Cluster Endpoint"
required: true


@ -0,0 +1,93 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: kubeslice-cleanup
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
app.kubernetes.io/instance: {{ .Release.Name | quote }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote}}
helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
annotations:
"helm.sh/hook": pre-delete
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
"helm.sh/hook-weight": "1"
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: kubeslice-cleanup
annotations:
"helm.sh/hook": pre-delete
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
"helm.sh/hook-weight": "1"
labels:
app.kubernetes.io/name: kubeslice
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: kubeslice-cleanup
subjects:
- kind: ServiceAccount
name: kubeslice-cleanup
namespace: {{ .Release.Namespace }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: kubeslice-cleanup
annotations:
"helm.sh/hook": pre-delete
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
"helm.sh/hook-weight": "1"
labels:
app.kubernetes.io/name: kubeslice
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
rules:
- apiGroups:
- ""
resources:
- configmaps
verbs:
- get
- list
- patch
- update
- create
- delete
---
apiVersion: batch/v1
kind: Job
metadata:
name: kubeslice-cleanup
namespace: {{ .Release.Namespace }}
annotations:
"helm.sh/hook": pre-delete
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded,hook-failed
"helm.sh/hook-weight": "2"
labels:
app.kubernetes.io/name: nsm
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
spec:
backoffLimit: 3
template:
metadata:
name: kubeslice-cleanup
namespace: {{ .Release.Namespace }}
spec:
serviceAccountName: kubeslice-cleanup
containers:
- name: kubectl
image: "alpine/k8s:1.22.9"
command:
- /bin/sh
- -c
- kubectl delete cm nsm-config --ignore-not-found -n {{ .Release.Namespace }}
restartPolicy: OnFailure
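Review bot: The `kubeslice-cleanup` ClusterRole grants get/list/patch/update/create/delete on configmaps in every namespace, but the only command the Job runs is `kubectl delete cm nsm-config --ignore-not-found -n {{ .Release.Namespace }}`; a namespaced Role and RoleBinding restricted with `resourceNames` to `nsm-config` covers that (keep `get` alongside `delete`, since kubectl resolves the object before deleting it). The ClusterRole and ClusterRoleBinding are also cluster-scoped hook objects left behind if the hook is interrupted before `hook-succeeded` fires, which a Role avoids. Minor consistency points: the Job carries `app.kubernetes.io/name: nsm` while the RBAC objects above say `kubeslice`, and `image: "alpine/k8s:1.22.9"` is a mutable tag rather than a digest, so the cleanup path can change underneath a release.

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: kubeslice-cleanup
  namespace: {{ .Release.Namespace }}
  # … unchanged: hook annotations and labels …
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: kubeslice-cleanup
subjects:
  - kind: ServiceAccount
    name: kubeslice-cleanup
    namespace: {{ .Release.Namespace }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: kubeslice-cleanup
  namespace: {{ .Release.Namespace }}
  # … unchanged: hook annotations and labels …
rules:
  # Only the single ConfigMap the cleanup command deletes.
  - apiGroups:
      - ""
    resources:
      - configmaps
    resourceNames:
      - nsm-config
    verbs:
      - get
      - delete
# … unchanged: ServiceAccount and Job …
```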


@ -18,6 +18,8 @@ kind: ServiceAccount
metadata:
name: kubeslice-kubernetes-dashboard
namespace: kubeslice-system
secrets:
- name: kubeslice-kubernetes-dashboard-creds
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
@ -31,3 +33,11 @@ subjects:
- kind: ServiceAccount
name: kubeslice-kubernetes-dashboard
namespace: kubeslice-system
---
apiVersion: v1
kind: Secret
type: kubernetes.io/service-account-token
metadata:
name: kubeslice-kubernetes-dashboard-creds
annotations:
kubernetes.io/service-account.name: "kubeslice-kubernetes-dashboard"
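Review bot: The new `kubernetes.io/service-account-token` Secret has no `metadata.namespace`, while the ServiceAccount it names is pinned to `kubeslice-system` in the same section; if the release is installed into any other namespace the Secret is created there, the `kubernetes.io/service-account.name` annotation points at a ServiceAccount that does not exist in that namespace, and the token controller never populates it. Add `namespace: kubeslice-system` under the Secret's `metadata:`. Separately, a Secret of this type is a non-expiring credential for a ServiceAccount that the ClusterRoleBinding above binds cluster-wide (the bound ClusterRole is outside the hunk), so it deserves a comment stating why a bounded TokenRequest token is not sufficient for the dashboard and how the credential is rotated, e.g. `# long-lived dashboard login token; rotate by deleting and recreating this Secret`.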


@ -0,0 +1,136 @@
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: kubeslice-delete-webhooks
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
app.kubernetes.io/instance: {{ .Release.Name | quote }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote}}
helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
annotations:
"helm.sh/hook": pre-delete,pre-rollback
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
"helm.sh/hook-weight": "1"
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: kubeslice-delete-webhooks
annotations:
"helm.sh/hook": pre-delete,pre-rollback
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
"helm.sh/hook-weight": "-1"
labels:
app.kubernetes.io/name: kubeslice
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: kubeslice-delete-webhooks
subjects:
- kind: ServiceAccount
name: kubeslice-delete-webhooks
namespace: {{ .Release.Namespace }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: kubeslice-delete-webhooks
annotations:
"helm.sh/hook": pre-delete,pre-rollback
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
"helm.sh/hook-weight": "-1"
labels:
app.kubernetes.io/name: kubeslice
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
rules:
- apiGroups:
- ""
resources:
- pods
verbs:
- get
- list
- apiGroups: ["spiffeid.spiffe.io"]
resources: ["spiffeids"]
verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
- apiGroups: ["spiffeid.spiffe.io"]
resources: ["spiffeids/status"]
verbs: ["get", "patch", "update"]
---
apiVersion: v1
kind: ConfigMap
metadata:
name: kubeslice-delete-webhooks
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
app.kubernetes.io/instance: {{ .Release.Name | quote }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
annotations:
"helm.sh/hook": pre-delete,pre-rollback
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
"helm.sh/hook-weight": "1"
data:
delete-admission-webhook.sh: |-
#!/usr/bin/env bash
NAMESPACE={{ .Release.Namespace | quote}}
echo "finding and removing spiffeids in namespace $NAMESPACE ..."
for item in $(kubectl get spiffeid.spiffeid.spiffe.io -n $NAMESPACE -o name); do
echo "removing item $item"
kubectl patch $item -p '{"metadata":{"finalizers":null}}' --type=merge -n $NAMESPACE
kubectl delete $item --ignore-not-found -n $NAMESPACE
done
# TODO: once we figure out how to keep spire in release ns then we could remove this
NAMESPACE="spire"
echo "finding and removing spiffeids in namespace $NAMESPACE ..."
for item in $(kubectl get spiffeid.spiffeid.spiffe.io -n $NAMESPACE -o name); do
echo "removing item $item"
kubectl patch $item -p '{"metadata":{"finalizers":null}}' --type=merge -n $NAMESPACE
kubectl delete $item --ignore-not-found -n $NAMESPACE
done
---
apiVersion: batch/v1
kind: Job
metadata:
name: kubeslice-delete-webhooks
namespace: {{ .Release.Namespace }}
annotations:
"helm.sh/hook": pre-delete,pre-rollback
"helm.sh/hook-delete-policy": before-hook-creation
"helm.sh/hook-weight": "2"
labels:
app.kubernetes.io/name: nsm
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
spec:
backoffLimit: 3
template:
metadata:
name: kubeslice-delete-webhooks
namespace: {{ .Release.Namespace }}
spec:
serviceAccountName: kubeslice-delete-webhooks
containers:
- name: kubectl
image: "alpine/k8s:1.22.9"
command:
- /bin/bash
- /tmp/delete-admission-webhook.sh
volumeMounts:
- mountPath: /tmp
name: kubeslice-delete-webhooks
volumes:
- name: kubeslice-delete-webhooks
configMap:
name: kubeslice-delete-webhooks
restartPolicy: OnFailure
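Review bot: The `kubeslice-delete-webhooks` ClusterRole grants `create`, `update` and `watch` on `spiffeids`, a separate rule on `spiffeids/status`, and `get`/`list` on pods, but `delete-admission-webhook.sh` only lists, patches and deletes spiffeids; trim the rule to `verbs: ["get", "list", "patch", "delete"]` and drop the pods and status rules unless something outside this hunk relies on them. The object is named as if it deleted webhooks while the script strips spiffeid finalizers in the release namespace and in `spire`; a one-line comment above `data:` stating what the Job actually removes would save the next reader a detour. Unlike `pre-install.sh` added in this same commit, the script sets no shell options; `set -u` would catch an unset variable without turning an empty `kubectl get` (CRD already gone) into a hard failure. Hook weights are also inconsistent — the ServiceAccount is at `"1"` while its ClusterRole and ClusterRoleBinding are at `"-1"` — which Kubernetes tolerates but reads as an error.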


@ -73,6 +73,32 @@ metadata:
creationTimestamp: null
name: kubeslice-manager-role
rules:
- apiGroups:
- networking.kubeslice.io
resources:
- slicenodeaffinities
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- networking.kubeslice.io
resources:
- slicenodeaffinities/finalizers
verbs:
- update
- apiGroups:
- networking.kubeslice.io
resources:
- slicenodeaffinities/status
verbs:
- get
- patch
- update
- apiGroups:
- apps
resources:
@ -85,6 +111,42 @@ rules:
- patch
- update
- watch
- apiGroups:
- apps
resources:
- statefulsets
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- apps
resources:
- daemonsets
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- apps
resources:
- replicasets
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- ""
resources:
@ -102,8 +164,11 @@ rules:
resources:
- pods
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
@ -130,6 +195,30 @@ rules:
- patch
- update
- watch
- apiGroups:
- ""
resources:
- resourcequotas
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- ""
resources:
- limitranges
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- ""
resources:
@ -154,10 +243,34 @@ rules:
- update
- patch
- delete
- apiGroups:
- batch
resources:
- jobs
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
- apiGroups:
- batch
resources:
- cronjobs
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
- apiGroups:
- networking.kubeslice.io
resources:
- slice
- slicerolebindings
verbs:
- create
- delete
@ -169,13 +282,39 @@ rules:
- apiGroups:
- networking.kubeslice.io
resources:
- slice/finalizers
- slicerolebindings/finalizers
verbs:
- update
- apiGroups:
- networking.kubeslice.io
resources:
- slice/status
- slicerolebindings/status
verbs:
- get
- patch
- update
- apiGroups:
- networking.kubeslice.io
resources:
- slices
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- networking.kubeslice.io
resources:
- slices/finalizers
verbs:
- update
- apiGroups:
- networking.kubeslice.io
resources:
- slices/status
verbs:
- get
- patch
@ -206,6 +345,14 @@ rules:
- get
- patch
- update
- apiGroups:
- networking.kubeslice.io
resources:
- sliceresourcequotas/status
verbs:
- get
- patch
- update
- apiGroups:
- networking.kubeslice.io
resources:
@ -218,6 +365,18 @@ rules:
- patch
- update
- watch
- apiGroups:
- networking.kubeslice.io
resources:
- sliceresourcequotas
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- networking.kubeslice.io
resources:
@ -362,6 +521,47 @@ rules:
- list
- update
- watch
- apiGroups:
- metrics.k8s.io
resources:
- pods
verbs:
- get
- list
- watch
- apiGroups:
- ""
- extensions
- apps
- rbac.authorization.k8s.io
- coordination.k8s.io
- discovery.k8s.io
- events.k8s.io
- networking.k8s.io
- policy
- batch
- authorization.k8s.io
- autoscaling
resources:
- '*'
verbs:
- create
- delete
- get
- list
- patch
- get
- list
- update
- watch
- apiGroups:
- ""
resources:
- nodes/proxy
verbs:
- get
- watch
- list
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
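Review bot: The rule added near the end of this section that grants `resources: '*'` with create/delete/patch/update across `""`, `extensions`, `apps`, `rbac.authorization.k8s.io`, `batch`, `policy` and the other listed groups subsumes every granular rule the same file section adds (statefulsets, daemonsets, replicasets, jobs, cronjobs, resourcequotas, limitranges, pods) and hands `kubeslice-manager-role` cluster-wide write access to secrets, serviceaccounts and all RBAC objects; because the role already holds those permissions, it can also bind them to any other ServiceAccount, so a compromise of the operator pod is a compromise of the cluster. If a feature genuinely needs that breadth, the enumerated rules above are dead weight and the wildcard needs a comment naming the feature; otherwise remove the wildcard rule and keep the explicit ones. The `verbs` list in that rule also repeats `get` and `list`. The `nodes/proxy` rule after it reaches the kubelet API through the apiserver; if it exists for metrics collection, a comment saying so would let a later reviewer judge whether `metrics.k8s.io` pods (granted just above) already covers the need.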


@ -0,0 +1,245 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ .Release.Name }}-preinstall-configmap
namespace: kubeslice-system
labels:
app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
app.kubernetes.io/instance: {{ .Release.Name | quote }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
annotations:
# This is what defines this resource as a hook. Without this line, the
# job is considered part of the release.
"helm.sh/hook": pre-install,pre-upgrade
"helm.sh/hook-weight": "-7"
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded,hook-failed
data:
metrics-server.yaml: |-
# source https://github.com/kubernetes-sigs/metrics-server/releases/download/metrics-server-helm-chart-3.8.2/components.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
k8s-app: metrics-server
name: metrics-server
namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
k8s-app: metrics-server
rbac.authorization.k8s.io/aggregate-to-admin: "true"
rbac.authorization.k8s.io/aggregate-to-edit: "true"
rbac.authorization.k8s.io/aggregate-to-view: "true"
name: system:aggregated-metrics-reader
rules:
- apiGroups:
- metrics.k8s.io
resources:
- pods
- nodes
verbs:
- get
- list
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
k8s-app: metrics-server
name: system:metrics-server
rules:
- apiGroups:
- ""
resources:
- nodes/metrics
verbs:
- get
- apiGroups:
- ""
resources:
- pods
- nodes
verbs:
- get
- list
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
labels:
k8s-app: metrics-server
name: metrics-server-auth-reader
namespace: kube-system
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: extension-apiserver-authentication-reader
subjects:
- kind: ServiceAccount
name: metrics-server
namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
k8s-app: metrics-server
name: metrics-server:system:auth-delegator
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:auth-delegator
subjects:
- kind: ServiceAccount
name: metrics-server
namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
k8s-app: metrics-server
name: system:metrics-server
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:metrics-server
subjects:
- kind: ServiceAccount
name: metrics-server
namespace: kube-system
---
apiVersion: v1
kind: Service
metadata:
labels:
k8s-app: metrics-server
name: metrics-server
namespace: kube-system
spec:
ports:
- name: https
port: 443
protocol: TCP
targetPort: https
selector:
k8s-app: metrics-server
---
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
k8s-app: metrics-server
name: metrics-server
namespace: kube-system
spec:
selector:
matchLabels:
k8s-app: metrics-server
strategy:
rollingUpdate:
maxUnavailable: 0
template:
metadata:
labels:
k8s-app: metrics-server
spec:
containers:
- args:
- --cert-dir=/tmp
- --secure-port=4443
- --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
- --kubelet-use-node-status-port
- --metric-resolution={{ .Values.metrics.metricResolution }}
{{ if eq (toString .Values.metrics.insecure) "true" }}
- --kubelet-insecure-tls
{{ end }}
image: k8s.gcr.io/metrics-server/metrics-server:v0.6.1
imagePullPolicy: "{{ .Values.metrics.imagePullPolicy }}"
livenessProbe:
failureThreshold: 3
httpGet:
path: /livez
port: https
scheme: HTTPS
periodSeconds: 10
name: metrics-server
ports:
- containerPort: 4443
name: https
protocol: TCP
readinessProbe:
failureThreshold: 3
httpGet:
path: /readyz
port: https
scheme: HTTPS
initialDelaySeconds: 20
periodSeconds: 10
resources:
requests:
cpu: 100m
memory: 200Mi
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 1000
volumeMounts:
- mountPath: /tmp
name: tmp-dir
nodeSelector:
kubernetes.io/os: linux
priorityClassName: system-cluster-critical
serviceAccountName: metrics-server
volumes:
- emptyDir: {}
name: tmp-dir
---
apiVersion: apiregistration.k8s.io/v1
kind: APIService
metadata:
labels:
k8s-app: metrics-server
name: v1beta1.metrics.k8s.io
spec:
group: metrics.k8s.io
groupPriorityMinimum: 100
insecureSkipTLSVerify: true
service:
name: metrics-server
namespace: kube-system
version: v1beta1
versionPriority: 100
pre-install.sh: |-
#!/usr/bin/env bash
set -euo pipefail
BASE_DIR="$(dirname "$0")"
metrics_server_file="${BASE_DIR}/metrics-server.yaml"
# detect and install metrics server
echo "detecting if metrics server is installed"
if kubectl get apiservice v1beta1.metrics.k8s.io | grep True || kubectl get apiservice v1.metrics.k8s.io | grep True; then
echo "metrics server is already installed, skipping"
exit 0
fi
echo "installing metrics server"
kubectl apply -f "$metrics_server_file"
echo "checking for successful installation"
for _ in $(seq 1 25); do
if kubectl get apiservice v1beta1.metrics.k8s.io | grep True || kubectl get apiservice v1.metrics.k8s.io | grep True; then
echo "metrics server installation successful"
exit 0
fi
echo "not yet up"
sleep 3
done
echo "failed to validate installation of metrics server"
exit 1
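Review bot: `pre-install.sh` applies the embedded metrics-server manifest into `kube-system` from a hook, so the resulting ServiceAccount, ClusterRoles, Deployment and APIService are not part of the release — Helm will neither upgrade them on `helm upgrade` (the script exits early once an APIService reports True) nor remove them on `helm uninstall`, and a metrics-server later installed by the distribution collides with them. State that above `metrics-server.yaml:` (`# applied out-of-band by the pre-install hook; not owned or removed by this release`) or move it under the chart's own templates. The copied APIService keeps `insecureSkipTLSVerify: true`, so the aggregator does not verify metrics-server's serving certificate; that matches upstream's components.yaml, but it is worth a comment given `metrics.insecure` is otherwise gated to `false`. The hard-coded `namespace: kubeslice-system` on this ConfigMap differs from the `{{ .Release.Namespace }}` used by the cleanup hooks in this commit and breaks installs into any other namespace.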


@ -0,0 +1,40 @@
apiVersion: batch/v1
kind: Job
metadata:
name: "{{ .Release.Name }}-preinstall-job"
namespace: kubeslice-system
labels:
app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
app.kubernetes.io/instance: {{ .Release.Name | quote }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
annotations:
# This is what defines this resource as a hook. Without this line, the
# job is considered part of the release.
"helm.sh/hook": pre-install,pre-upgrade
"helm.sh/hook-weight": "-6"
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded,hook-failed
spec:
template:
metadata:
name: "{{ .Release.Name }}"
labels:
app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
app.kubernetes.io/instance: {{ .Release.Name | quote }}
helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
spec:
restartPolicy: Never
serviceAccountName: kubeslice-preinstall
containers:
- name: pre-install-job
image: "alpine/k8s:1.22.9"
imagePullPolicy: IfNotPresent
command: ["/bin/bash","/opt/scripts/pre-install.sh"]
volumeMounts:
- name: config-volume
mountPath: /opt/scripts
volumes:
- name: config-volume
configMap:
name: {{ .Release.Name }}-preinstall-configmap
defaultMode: 0777
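Review bot: `defaultMode: 0777` on the `config-volume` mount grants write and execute to everyone in the mode bits even though the only consumer is `/bin/bash /opt/scripts/pre-install.sh`; `0555` is sufficient, and because the field is an integer that Helm's YAML parser reads as octal only under YAML 1.1 rules, the unambiguous spelling is `defaultMode: 365  # 0555: read/execute only`. The Job, like the ConfigMap it mounts, hard-codes `namespace: kubeslice-system` while the cleanup hooks added in this same commit use `{{ .Release.Namespace }}`; one convention should win. No `backoffLimit` is set, so a script that fails for a persistent reason is retried with the default six attempts before the hook reports failure, and with `hook-failed` in the delete policy the pod logs are gone by then.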


@ -0,0 +1,128 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: kubeslice-preinstall
namespace: kubeslice-system
labels:
app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
app.kubernetes.io/instance: {{ .Release.Name | quote }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
annotations:
# This is what defines this resource as a hook. Without this line, the
# job is considered part of the release.
"helm.sh/hook": pre-install,pre-upgrade
"helm.sh/hook-weight": "-10"
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded,hook-failed
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: kubeslice-preinstall-role
namespace: kubeslice-system
labels:
app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
app.kubernetes.io/instance: {{ .Release.Name | quote }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
annotations:
# This is what defines this resource as a hook. Without this line, the
# job is considered part of the release.
"helm.sh/hook": pre-install,pre-upgrade
"helm.sh/hook-weight": "-9"
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded,hook-failed
rules:
- apiGroups:
- ""
resources:
- serviceaccounts
- services
verbs:
- get
- create
- update
- apiGroups:
- ""
resources:
- nodes
- pods
- nodes/metrics
- configmaps
verbs:
- get
- list
- watch
- apiGroups:
- "authentication.k8s.io"
resources:
- tokenreviews
verbs:
- create
- update
- apiGroups:
- "authorization.k8s.io"
resources:
- subjectaccessreviews
verbs:
- create
- update
- apiGroups:
- "rbac.authorization.k8s.io"
resources:
- clusterroles
- rolebindings
- clusterrolebindings
verbs:
- get
- create
- update
- apiGroups:
- apps
resources:
- deployments
verbs:
- get
- create
- update
- patch
- apiGroups:
- "apiregistration.k8s.io"
resources:
- apiservices
verbs:
- get
- create
- apiGroups:
- "metrics.k8s.io"
resources:
- nodes
- pods
verbs:
- get
- list
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: kubeslice-preinstall-rolebinding
namespace: kubeslice-system
labels:
app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
app.kubernetes.io/instance: {{ .Release.Name | quote }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
annotations:
# This is what defines this resource as a hook. Without this line, the
# job is considered part of the release.
"helm.sh/hook": pre-install,pre-upgrade
"helm.sh/hook-weight": "-8"
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded,hook-failed
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: kubeslice-preinstall-role
subjects:
- kind: ServiceAccount
name: kubeslice-preinstall
namespace: kubeslice-system
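Review bot: `kubeslice-preinstall-role` grants only `get`, `create`, `update` on serviceaccounts, services, the RBAC kinds and `get`, `create` on apiservices, but `kubectl apply` in `pre-install.sh` issues PATCH for objects that already exist, so a re-run after a partially applied first attempt (a `pre-upgrade` where the APIService never became Available, for instance) fails with a forbidden error instead of converging; add `- patch` to those rules as the `deployments` rule already has, and `- update`/`- patch` to the apiservices rule. `namespace: kubeslice-system` under `metadata:` of the ClusterRole and ClusterRoleBinding is meaningless on cluster-scoped objects and should be removed. The `configmaps` entry in the second rule is not used by anything in the hook script visible in this commit; drop it unless another consumer needs it. The `tokenreviews`/`subjectaccessreviews` and `nodes/metrics` entries exist so RBAC escalation prevention lets the hook bind metrics-server to `system:auth-delegator` and `system:metrics-server`; a comment saying so above those rules would stop the next reviewer from trimming them.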



@ -38,11 +38,12 @@ webhooks:
service:
name: kubeslice-webhook-service
namespace: {{ .Release.Namespace }}
path: /mutate-appsv1-deploy
path: /mutate-webhook
failurePolicy: Fail
name: mdeploy.avesha.io
name: webhook.kubeslice.io
rules:
- apiGroups:
- ""
- apps
apiVersions:
- v1
@ -50,17 +51,26 @@ webhooks:
- CREATE
- UPDATE
resources:
- pods
- deployments
- statefulsets
- daemonsets
sideEffects: NoneOnDryRun
namespaceSelector:
matchExpressions:
- key: kubeslice.io/slice
operator: Exists
- key: name
operator: NotIn
values:
- kube-system
- {{ .Release.Namespace }}
- kube-system
- spire
- {{ .Release.Namespace | quote}}
- {{ .Values.controllerNamespace | quote }}
- key: kubernetes.io/metadata.name
operator: NotIn
values:
- kube-system
- {{ .Release.Namespace }}
- kube-system
- spire
- {{ .Release.Namespace | quote }}
- {{ .Values.controllerNamespace | quote }}
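Review bot: With `pods` added to the rule and `failurePolicy: Fail` kept, every pod create and update in a namespace carrying the `kubeslice.io/slice` label now blocks on `kubeslice-webhook-service` being reachable, including pods the operator itself restarts; a comment above `failurePolicy:` stating that this is intended, and a `timeoutSeconds` on the webhook (outside this hunk if present), would make the trade-off explicit. The exclusion on `key: name` only matters if namespaces carry a `name` label, which Kubernetes does not set by default; the `kubernetes.io/metadata.name` expression below it does the real work on clusters that set that label, so the first expression should be dropped or commented as legacy. `{{ .Release.Namespace | quote}}` on the new side is missing the space before `}}` that its sibling line has; harmless to Go templates but inconsistent.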


@ -1,6 +1,6 @@
operator:
image: docker.io/aveshasystems/worker-operator-ent
tag: 0.2.1
tag: 0.5.0
pullPolicy: IfNotPresent
logLevel: INFO
@ -17,51 +17,55 @@ cluster:
endpoint:
router:
image: docker.io/aveshasystems/vl3_ucnf-nse
image: docker.io/aveshasystems/cmd-nse-vl3
tag: 1.0.0
pullPolicy: IfNotPresent
pullPolicy: IfNotPresent
routerSidecar:
image: docker.io/aveshasystems/kubeslice-router-sidecar-ent
tag: 0.1.1
image: docker.io/aveshasystems/kubeslice-router-sidecar
tag: 0.3.1
pullPolicy: IfNotPresent
netop:
networkInterface:
image: docker.io/aveshasystems/netops-ent
tag: 0.1.0
networkInterface: eth0
image: docker.io/aveshasystems/netops
tag: 0.1.1
pullPolicy: IfNotPresent
gateway:
image: docker.io/aveshasystems/gw-sidecar-ent
tag: 0.1.3
image: docker.io/aveshasystems/gw-sidecar
tag: 0.1.4
pullPolicy: IfNotPresent
logLevel: INFO
openvpn:
server:
image: docker.io/aveshasystems/openvpn-server.ubuntu.18.04
tag: 1.0.0
image: docker.io/aveshasystems/openvpn-server.alpine.amd64
tag: 1.0.1
pullPolicy: IfNotPresent
client:
image: docker.io/aveshasystems/openvpn-client.alpine.amd64
tag: 1.0.0
tag: 1.0.1
pullPolicy: IfNotPresent
dns:
image: docker.io/aveshasystems/dns
tag: 0.0.2
tag: 0.0.3
pullPolicy: IfNotPresent
nsm:
forwardingPlane: kernel
jaeger:
enabled: false
metrics:
insecure: false
metricResolution: "15s"
imagePullPolicy: IfNotPresent
# username & password & email values for imagePullSecrets has to provided to create a secret
imagePullSecrets:
repository: https://index.docker.io/v1/
username:
password:
email:
controllerNamespace: kubeslice-controller
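Review bot: `username:`, `password:` and `email:` under `imagePullSecrets` are bare keys, which YAML reads as `null` rather than the empty string; a template that pipes them through `b64enc` or `required` sees a nil value (the consuming template is outside this chunk). Write them as `username: ""` and so on, and keep the comment above them stating that the real values come from `--set` or a values override rather than being committed. The new `metrics.insecure: false` default is the safe one; a one-line comment `# true passes --kubelet-insecure-tls to metrics-server, disabling kubelet certificate verification` next to it explains what flipping it costs. `controllerNamespace: kubeslice-controller` must match the namespace the controller chart was installed into, since the webhook selector in this commit excludes that namespace by this value; say so in a comment.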
