diff --git a/assets/avesha/kubeslice-controller-0.5.0.tgz b/assets/avesha/kubeslice-controller-0.5.0.tgz
new file mode 100644
index 000000000..323df25b8
Binary files /dev/null and b/assets/avesha/kubeslice-controller-0.5.0.tgz differ
diff --git a/assets/avesha/kubeslice-worker-0.5.0.tgz b/assets/avesha/kubeslice-worker-0.5.0.tgz
new file mode 100644
index 000000000..d1938cf27
Binary files /dev/null and b/assets/avesha/kubeslice-worker-0.5.0.tgz differ
diff --git a/assets/bitnami/airflow-14.0.11.tgz b/assets/bitnami/airflow-14.0.11.tgz
new file mode 100644
index 000000000..bd5a38d9a
Binary files /dev/null and b/assets/bitnami/airflow-14.0.11.tgz differ
diff --git a/assets/bitnami/cassandra-10.0.2.tgz b/assets/bitnami/cassandra-10.0.2.tgz
new file mode 100644
index 000000000..f47ec97f6
Binary files /dev/null and b/assets/bitnami/cassandra-10.0.2.tgz differ
diff --git a/assets/bitnami/postgresql-12.1.14.tgz b/assets/bitnami/postgresql-12.1.14.tgz
new file mode 100644
index 000000000..66b2da64b
Binary files /dev/null and b/assets/bitnami/postgresql-12.1.14.tgz differ
diff --git a/assets/bitnami/tomcat-10.5.13.tgz b/assets/bitnami/tomcat-10.5.13.tgz
new file mode 100644
index 000000000..4880de734
Binary files /dev/null and b/assets/bitnami/tomcat-10.5.13.tgz differ
diff --git a/assets/bitnami/wordpress-15.2.37.tgz b/assets/bitnami/wordpress-15.2.37.tgz
new file mode 100644
index 000000000..308a389a4
Binary files /dev/null and b/assets/bitnami/wordpress-15.2.37.tgz differ
diff --git a/assets/datadog/datadog-3.10.4.tgz b/assets/datadog/datadog-3.10.4.tgz
new file mode 100644
index 000000000..94ae9ff4e
Binary files /dev/null and b/assets/datadog/datadog-3.10.4.tgz differ
diff --git a/assets/haproxy/haproxy-1.27.1.tgz b/assets/haproxy/haproxy-1.27.1.tgz
new file mode 100644
index 000000000..8392eb999
Binary files /dev/null and b/assets/haproxy/haproxy-1.27.1.tgz differ
diff --git a/assets/nats/nats-0.19.7.tgz b/assets/nats/nats-0.19.7.tgz new file mode 100644 index 000000000..6d4e0620e Binary files /dev/null and b/assets/nats/nats-0.19.7.tgz differ diff --git a/assets/percona/psmdb-operator-1.13.3.tgz b/assets/percona/psmdb-operator-1.13.3.tgz new file mode 100644 index 000000000..81b9c20a1 Binary files /dev/null and b/assets/percona/psmdb-operator-1.13.3.tgz differ diff --git a/assets/redpanda/redpanda-2.6.4.tgz b/assets/redpanda/redpanda-2.6.4.tgz new file mode 100644 index 000000000..6faaafd5d Binary files /dev/null and b/assets/redpanda/redpanda-2.6.4.tgz differ diff --git a/assets/speedscale/speedscale-operator-1.2.19.tgz b/assets/speedscale/speedscale-operator-1.2.19.tgz new file mode 100644 index 000000000..0a57a316c Binary files /dev/null and b/assets/speedscale/speedscale-operator-1.2.19.tgz differ diff --git a/charts/avesha/kubeslice-controller/Chart.yaml b/charts/avesha/kubeslice-controller/Chart.yaml index 621625735..109a0d7a2 100644 --- a/charts/avesha/kubeslice-controller/Chart.yaml +++ b/charts/avesha/kubeslice-controller/Chart.yaml @@ -5,7 +5,7 @@ annotations: catalog.cattle.io/namespace: kubeslice-controller catalog.cattle.io/release-name: kubeslice-controller apiVersion: v2 -appVersion: 0.2.1 +appVersion: 0.5.0 description: Multi cloud networking (MCN), multi cluster, hybrid cloud networking tool for efficient, secure, policy-enforced connectivity and true multi-tenancy capabilities. KubeSlice enables enterprise platform teams to reduce infrastructure @@ -36,4 +36,4 @@ keywords: kubeVersion: '>= 1.19.0-0' name: kubeslice-controller type: application -version: 0.4.4 +version: 0.5.0 diff --git a/charts/avesha/kubeslice-controller/Readme.MD b/charts/avesha/kubeslice-controller/Readme.MD index d67032cd8..f8bb90490 100644 --- a/charts/avesha/kubeslice-controller/Readme.MD +++ b/charts/avesha/kubeslice-controller/Readme.MD 
@@ -1,13 +1,13 @@ # Kubeslice Enterprise Controller Helm Charts ## Prerequisites -📖 Follow the overview and registration [documentation](https://staging2-docs.avesha.io/documentation/enterprise/0.4.0/deployment-partners/deploying-kubeslice-on-rancher/) +📖 Follow the overview and registration [documentation](https://docs.avesha.io/documentation/enterprise/0.5.0/deployment-partners/deploying-kubeslice-on-rancher/) -- Create and configure the controller cluster following instructions in the prerequisites section [documentation](https://staging2-docs.avesha.io/documentation/enterprise/0.4.0/deployment-partners/deploying-kubeslice-on-rancher/installing-the-kubeslice-controller-on-rancher) +- Create and configure the controller cluster following instructions in the prerequisites section [documentation](https://docs.avesha.io/documentation/enterprise/0.5.0/deployment-partners/deploying-kubeslice-on-rancher/installing-the-kubeslice-controller-on-rancher) - Copy the chart version from the upper right hand section of this page [VERSION parameter need during install and upgrade] - Click on the download chart link from the upper right hand section of this page, save it to location available from command prompt - Untar the chart to get the values.yaml file, update values.yaml with the follwing information - - cluster end point [documentation](https://staging2-docs.avesha.io/documentation/enterprise/0.4.0/deployment-partners/deploying-kubeslice-on-rancher/installing-the-kubeslice-controller-on-rancher#getting-the-controller-cluster-endpoint) + - cluster end point [documentation](https://docs.avesha.io/documentation/enterprise/0.5.0/deployment-partners/deploying-kubeslice-on-rancher/installing-the-kubeslice-controller-on-rancher#getting-the-controller-cluster-endpoint) - helm repository username, password and email [From registration] 
@@ -32,7 +32,7 @@ helm upgrade --history-max=5 --namespace=kubeslice-controller kubeslice-controll ``` ### Uninstall KubeSlice Controller -- Follow instructions [documentation](https://staging2-docs.avesha.io/documentation/enterprise/0.4.0/getting-started-with-cloud-clusters/uninstalling-kubeslice/) +- Follow instructions [documentation](https://docs.avesha.io/documentation/enterprise/0.5.0/getting-started-with-cloud-clusters/uninstalling-kubeslice/uninstalling-the-kubeslice-controller/) ```console export KUBECONFIG= diff --git a/charts/avesha/kubeslice-controller/questions.yml b/charts/avesha/kubeslice-controller/questions.yml index da9c4d750..c45fecbf2 100644 --- a/charts/avesha/kubeslice-controller/questions.yml +++ b/charts/avesha/kubeslice-controller/questions.yml @@ -2,7 +2,7 @@ questions: - default: "" - description: "https://github.com/kubeslice/docs-ent/blob/AM-6087/versioned_docs/version-0.4.0/deployment-partners/deploying-kubeslice-on-rancher/deploying-kubeslice-on-rancher.mdx#registering-to-access-the-enterprise-helm-chart" + description: "https://docs.avesha.io/documentation/enterprise/0.5.0/deployment-partners/deploying-kubeslice-on-rancher/#registering-to-access-the-enterprise-helm-chart" group: "Global Settings" label: "Registered Username" required: true @@ -18,7 +18,7 @@ questions: variable: imagePullSecrets.password - default: "" - description: "https://github.com/kubeslice/docs-ent/blob/AM-6087/versioned_docs/version-0.4.0/deployment-partners/deploying-kubeslice-on-rancher/deploying-kubeslice-on-rancher.mdx#getting-the-controller-cluster-endpoint" + description: "https://docs.avesha.io/documentation/enterprise/0.5.0/deployment-partners/deploying-kubeslice-on-rancher/installing-the-kubeslice-controller-on-rancher/#getting-the-controller-cluster-endpoint" group: "Controller Settings" label: "Controller Endpoint" required: true 
@@ -44,7 +44,7 @@ questions:
 options:
 - ClusterIP
 - NodePort
- - LoadBanlancer
+ - LoadBalancer
 required: true
 type: enum
 variable: kubeslice.uiproxy.service.type
diff --git a/charts/avesha/kubeslice-controller/templates/_helpers.tpl b/charts/avesha/kubeslice-controller/templates/_helpers.tpl
index 191be7618..6e2be538c 100644
--- a/charts/avesha/kubeslice-controller/templates/_helpers.tpl
+++ b/charts/avesha/kubeslice-controller/templates/_helpers.tpl
@@ -1,3 +1,5 @@
+*************************kubeslice-controller*********************************
+
 {{/*
 Expand the name of the chart.
 */}}
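Review bot: The banner line `*************************kubeslice-controller*********************************` added at the top of _helpers.tpl sits outside any `{{/* */}}` comment or `define` block, and the same pattern recurs with the `PROMETHUES` banner (typo included) in the `@@ -60,3 +62,68 @@` hunk of the same file. Helm does not render `_`-prefixed files as manifests, so the text is inert today, but it is raw template output waiting to leak if the file is ever included whole, and a reader cannot tell whether it is a comment or content. Wrap both as template comments, e.g. `{{/* ===== kubeslice-controller helpers ===== */}}` and `{{/* ===== Prometheus helpers ===== */}}`. The LoadBalancer spelling fix in questions.yml is correct as-is.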
@@ -60,3 +62,68 @@ Create the name of the service account to use
 {{- default "default" .Values.serviceAccount.name }}
 {{- end }}
 {{- end }}
+
+*************************PROMETHUES*********************************
+
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "prometheus.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "prometheus.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "prometheus.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "prometheus.labels" -}}
+helm.sh/chart: {{ include "prometheus.chart" . }}
+{{ include "prometheus.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "prometheus.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "prometheus.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "prometheus.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "prometheus.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/avesha/kubeslice-controller/templates/kubeslice-ui-rbac.yaml b/charts/avesha/kubeslice-controller/templates/kubeslice-api-gw-rbac.yaml
similarity index 78%
rename from charts/avesha/kubeslice-controller/templates/kubeslice-ui-rbac.yaml
rename to charts/avesha/kubeslice-controller/templates/kubeslice-api-gw-rbac.yaml
index 949b5d587..04492f2ef 100644
--- a/charts/avesha/kubeslice-controller/templates/kubeslice-ui-rbac.yaml
+++ b/charts/avesha/kubeslice-controller/templates/kubeslice-api-gw-rbac.yaml
@@ -1,7 +1,7 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
- name: kubeslice-ui
+ name: kubeslice-api-gw
 rules:
 - verbs:
 - get
@@ -16,16 +16,16 @@ rules:
 apiVersion: v1
 kind: ServiceAccount
 metadata:
- name: kubeslice-ui
+ name: kubeslice-api-gw
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
- name: kubeslice-ui
+ name: kubeslice-api-gw
 roleRef:
 apiGroup: rbac.authorization.k8s.io
 kind: Role
- name: kubeslice-ui
+ name: kubeslice-api-gw
 subjects:
 - kind: ServiceAccount
- name: kubeslice-ui
\ No newline at end of file
+ name: kubeslice-api-gw
\ No newline at end of file
diff --git a/charts/avesha/kubeslice-controller/templates/kubeslice-api-gw.yaml b/charts/avesha/kubeslice-controller/templates/kubeslice-api-gw.yaml
new file mode 100644
index 000000000..9c8e1ddfc
--- /dev/null
+++ b/charts/avesha/kubeslice-controller/templates/kubeslice-api-gw.yaml
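Review bot: The six `prometheus.*` helpers are textual copies of the chart's own helpers and read the same value keys (`.Values.nameOverride`, `.Values.fullnameOverride`, `.Values.serviceAccount.create`, `.Values.serviceAccount.name`) rather than a Prometheus-scoped section, so `prometheus.fullname` and `prometheus.serviceAccountName` resolve to exactly the strings the controller's helpers produce. If a Prometheus workload rendered elsewhere in the chart uses `prometheus.serviceAccountName`, it would presumably run under the controller's ServiceAccount and inherit its RBAC — confirm against the templates that consume these helpers, and if that is not intended, read `.Values.prometheus.serviceAccount.*` here or drop the duplicates. The file also ends without a trailing newline (`\ No newline at end of file`), which is worth fixing while touching it.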
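Review bot: Renaming the ServiceAccount, Role and RoleBinding from `kubeslice-ui` to `kubeslice-api-gw` removes the `kubeslice-ui` account from the release, so any kubeslice-ui Deployment still declaring `serviceAccountName: kubeslice-ui` would fail to create pods; that template is not in this diff, so confirm it was removed or given its own account. The Role's `rules` (the `- verbs:` list) lie outside the first hunk, so the permissions now granted to the gateway, which the new kubeslice-api-gw Deployment in this commit runs under, cannot be reviewed here. Consider a brief comment above `kind: Role` stating what the gateway needs the `get` verb for.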
@@ -0,0 +1,58 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ app: kubeslice-api-gw
+ name: kubeslice-api-gw
+spec:
+ ports:
+ - name: http
+ port: 8080
+ protocol: TCP
+ targetPort: 3000
+ selector:
+ app: kubeslice-api-gw
+ type: ClusterIP
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app: kubeslice-api-gw
+ name: kubeslice-api-gw
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: kubeslice-api-gw
+ template:
+ metadata:
+ labels:
+ app: kubeslice-api-gw
+ spec:
+ containers:
+ - image: '{{ .Values.kubeslice.apigw.image }}:{{ .Values.kubeslice.apigw.tag }}'
+ imagePullPolicy: '{{ .Values.kubeslice.apigw.pullPolicy }}'
+ env:
+ - name: KUBESLICE_CONTROLLER_PROMETHEUS
+ value: {{ .Values.kubeslice.prometheus.url }}
+ name: kubeslice-api-gw
+ ports:
+ - containerPort: 3000
+ protocol: TCP
+ volumeMounts:
+ - mountPath: /app/secrets
+ name: oidc-secrets
+ {{- if and .Values.imagePullSecrets .Values.imagePullSecrets.repository .Values.imagePullSecrets.username .Values.imagePullSecrets.password }}
+ imagePullSecrets:
+ - name: kubeslice-ui-image-pull-secret
+ {{- end }}
+ restartPolicy: Always
+ serviceAccount: kubeslice-api-gw
+ serviceAccountName: kubeslice-api-gw
+ volumes:
+ - name: oidc-secrets
+ secret:
+ secretName: kubeslice-ui-oidc
+ optional: true
diff --git a/charts/avesha/kubeslice-controller/templates/kubeslice-controller.yaml b/charts/avesha/kubeslice-controller/templates/kubeslice-controller.yaml
index f286a55ea..6b9c34bc7 100644
--- a/charts/avesha/kubeslice-controller/templates/kubeslice-controller.yaml
+++ b/charts/avesha/kubeslice-controller/templates/kubeslice-controller.yaml
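Review bot: `value: {{ .Values.kubeslice.prometheus.url }}` for `KUBESLICE_CONTROLLER_PROMETHEUS` is rendered unquoted, so an unset value produces `value:` (YAML null), which the API server accepts as an empty env var and the missing URL only surfaces at runtime, and a URL containing ` #` or a leading YAML special is mis-parsed; render it as `value: {{ .Values.kubeslice.prometheus.url | quote }}`. The container sets no `securityContext` (runAsNonRoot, `allowPrivilegeEscalation: false`, `readOnlyRootFilesystem: true`, dropped capabilities) and no `resources` requests/limits; whether the chart's other workloads set these is not visible here, so align with them or add them. `serviceAccount:` is the deprecated alias of `serviceAccountName:` and keeping both is redundant. `optional: true` on the `kubeslice-ui-oidc` volume means the gateway starts with no OIDC material when the Secret is absent — if that is a supported mode, a comment above `volumes:` saying so would stop a reader from reading it as a silent auth bypass.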
@@ -22,20 +22,10 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
 annotations:
- cert-manager.io/inject-ca-from: kubeslice-controller/kubeslice-controller-serving-cert
 controller-gen.kubebuilder.io/version: v0.7.0
+ creationTimestamp: null
 name: clusters.controller.kubeslice.io
 spec:
- conversion:
- strategy: Webhook
- webhook:
- clientConfig:
- service:
- name: kubeslice-controller-webhook-service
- namespace: kubeslice-controller
- path: /convert
- conversionReviewVersions:
- - v1
 group: controller.kubeslice.io
 names:
 kind: Cluster
@@ -158,20 +148,10 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
 annotations:
- cert-manager.io/inject-ca-from: kubeslice-controller/kubeslice-controller-serving-cert
 controller-gen.kubebuilder.io/version: v0.7.0
+ creationTimestamp: null
 name: projects.controller.kubeslice.io
 spec:
- conversion:
- strategy: Webhook
- webhook:
- clientConfig:
- service:
- name: kubeslice-controller-webhook-service
- namespace: kubeslice-controller
- path: /convert
- conversionReviewVersions:
- - v1
 group: controller.kubeslice.io
 names:
 kind: Project
@@ -328,20 +308,10 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
 annotations:
- cert-manager.io/inject-ca-from: kubeslice-controller/kubeslice-controller-serving-cert
 controller-gen.kubebuilder.io/version: v0.7.0
+ creationTimestamp: null
 name: sliceconfigs.controller.kubeslice.io
 spec:
- conversion:
- strategy: Webhook
- webhook:
- clientConfig:
- service:
- name: kubeslice-controller-webhook-service
- namespace: kubeslice-controller
- path: /convert
- conversionReviewVersions:
- - v1
 group: controller.kubeslice.io
 names:
 kind: SliceConfig
@@ -400,6 +370,11 @@ spec:
 type: object
 type: object
 type: array
+ maxClusters:
+ default: 16
+ maximum: 32
+ minimum: 2
+ type: integer
 namespaceIsolationProfile:
 properties:
 allowedNamespaces:
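Review bot: The `conversion: Webhook` stanza and the `cert-manager.io/inject-ca-from: kubeslice-controller/kubeslice-controller-serving-cert` annotation are stripped from the clusters, projects and sliceconfigs CRDs, yet the CRDs added further down this same file (slicenodeaffinities in the `@@ -511,6 +486,103 @@` hunk, and sliceresourcequotaconfigs and slicerolebindings after it) still carry both and point at `kubeslice-controller-webhook-service`. The chart now has two conventions for the same API group: if the conversion endpoint and serving cert are being retired, the new CRDs reference a CA injection that will never happen; if they are not, the three existing CRDs silently drop it — pick one and apply it to all six. `creationTimestamp: null` is a controller-gen artefact that is harmless but noisy. The `maxClusters` field with `default: 16`, `minimum: 2`, `maximum: 32` is well-formed server-side validation; each of these hunks ends inside its CRD, so the surrounding schema is outside the view.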
@@ -511,6 +486,103 @@ status:
 ---
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
+metadata:
+ annotations:
+ cert-manager.io/inject-ca-from: kubeslice-controller/kubeslice-controller-serving-cert
+ controller-gen.kubebuilder.io/version: v0.7.0
+ name: slicenodeaffinities.controller.kubeslice.io
+spec:
+ conversion:
+ strategy: Webhook
+ webhook:
+ clientConfig:
+ service:
+ name: kubeslice-controller-webhook-service
+ namespace: kubeslice-controller
+ path: /convert
+ conversionReviewVersions:
+ - v1
+ group: controller.kubeslice.io
+ names:
+ kind: SliceNodeAffinity
+ listKind: SliceNodeAffinityList
+ plural: slicenodeaffinities
+ singular: slicenodeaffinity
+ scope: Namespaced
+ versions:
+ - name: v1alpha1
+ schema:
+ openAPIV3Schema:
+ description: SliceNodeAffinity is the Schema for the slicenodeaffinities API
+ properties:
+ apiVersion:
+ description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ type: string
+ kind:
+ description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: SliceNodeAffinitySpec defines the desired state of SliceNodeAffinity
+ properties:
+ nodeAffinityProfiles:
+ description: NodeAffinityProfiles defines the node affinity profile for the slice
+ items:
+ properties:
+ cluster:
+ description: Cluster is the cluster in the slice this rule applies to
+ type: string
+ nodeAffinityRules:
+ description: NodeAffinityRules defines the node affinity profile for the slice
+ items:
+ properties:
+ namespace:
+ description: Namespace is the namespace in the slice this rule applies to
+ type: string
+ nodeSelectorLabels:
+ description: NodeSelectorLabels defines the label selectors to select nodes for assigning to pods
+ items:
+ description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
+ properties:
+ key:
+ description: The label key that the selector applies to.
+ type: string
+ operator:
+ description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+ type: string
+ values:
+ description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ type: object
+ type: array
+ type: object
+ type: array
+ type: object
+ status:
+ description: SliceNodeAffinityStatus defines the observed state of SliceNodeAffinity
+ type: object
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
+status:
+ acceptedNames:
+ kind: ""
+ plural: ""
+ conditions: []
+ storedVersions: []
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
 metadata:
 annotations:
 controller-gen.kubebuilder.io/version: v0.7.0
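Review bot: `operator` under `nodeSelectorLabels` is an unconstrained `type: string` even though its description lists the only valid values, so a misspelled operator passes admission and is first seen by the controller at reconcile time; add `enum: [In, NotIn, Exists, DoesNotExist, Gt, Lt]` beneath `type: string` so the API server rejects it. The cross-field rules in the `values` description (non-empty for In/NotIn, empty for Exists/DoesNotExist, exactly one integer-like element for Gt/Lt) cannot be expressed in this schema and must be enforced by the controller — a comment on `values:` noting that would tell the next maintainer where that check lives. `cluster` and `namespace` likewise accept empty strings; `minLength: 1` on each is cheap. The SliceNodeAffinityStatus `status` object has no properties, which is fine for v1alpha1 but worth a note if fields are expected.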
@@ -597,6 +669,583 @@ status: --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition +metadata: + annotations: + cert-manager.io/inject-ca-from: kubeslice-controller/kubeslice-controller-serving-cert + controller-gen.kubebuilder.io/version: v0.7.0 + name: sliceresourcequotaconfigs.controller.kubeslice.io +spec: + conversion: + strategy: Webhook + webhook: + clientConfig: + service: + name: kubeslice-controller-webhook-service + namespace: kubeslice-controller + path: /convert + conversionReviewVersions: + - v1 + group: controller.kubeslice.io + names: + kind: SliceResourceQuotaConfig + listKind: SliceResourceQuotaConfigList + plural: sliceresourcequotaconfigs + singular: sliceresourcequotaconfig + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: SliceResourceQuotaConfig is the Schema for the sliceresourcequotaconfigs API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: SliceResourceQuotaConfigSpec defines the desired state of SliceResourceQuotaConfig + properties: + clusterQuota: + description: ClusterQuota defines the configuration for cluster quota of a resource quota + items: + description: ClusterQuota defines the configuration for cluster quota of a resource quota + properties: + clusterName: + description: ClusterName defines the name of the cluster in ClusterQuota + type: string + namespaceQuota: + description: NamespaceQuota defines the configuration for namespace quota of a ClusterQuota + items: + description: NamespaceQuota defines the configuration for namespace quota of a NamespaceQuota + properties: + enforceQuota: + default: false + description: EnforceQuota defines the enforceQuota status flag for NamespaceQuota + type: boolean + namespace: + description: Namespace defines the namespace of the NamespaceQuota + type: string + resources: + description: Resources defines the configuration for resources for NamespaceQuota + properties: + defaultLimitPerContainer: + properties: + cpu: + anyOf: + - type: integer + - type: string + description: CPU in cores. (500m = .5 cores) + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + ephemeralStorage: + anyOf: + - type: integer + - type: string + description: EphemeralStorage Local ephemeral storage, in bytes. (500Gi = 500GiB = 500 * 1024 * 1024 * 1024) The resource name for EphemeralStorage is alpha, and it can change across releases. + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + memory: + anyOf: + - type: integer + - type: string + description: Memory in bytes. 
(500Gi = 500GiB = 500 * 1024 * 1024 * 1024) + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + defaultRequestPerContainer: + properties: + cpu: + anyOf: + - type: integer + - type: string + description: CPU in cores. (500m = .5 cores) + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + ephemeralStorage: + anyOf: + - type: integer + - type: string + description: EphemeralStorage Local ephemeral storage, in bytes. (500Gi = 500GiB = 500 * 1024 * 1024 * 1024) The resource name for EphemeralStorage is alpha, and it can change across releases. + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + memory: + anyOf: + - type: integer + - type: string + description: Memory in bytes. (500Gi = 500GiB = 500 * 1024 * 1024 * 1024) + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + limit: + description: LimitResourceList is a set of (resource name, quantity) pairs. + properties: + cpu: + anyOf: + - type: integer + - type: string + description: CPU in cores. (500m = .5 cores) + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + ephemeralStorage: + anyOf: + - type: integer + - type: string + description: EphemeralStorage Local ephemeral storage, in bytes. (500Gi = 500GiB = 500 * 1024 * 1024 * 1024) The resource name for EphemeralStorage is alpha, and it can change across releases. 
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + memory: + anyOf: + - type: integer + - type: string + description: Memory in bytes. (500Gi = 500GiB = 500 * 1024 * 1024 * 1024) + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + podCount: + description: PodCount in number. + format: int64 + type: integer + type: object + request: + description: RequestResourceList is a set of (resource name, quantity) pairs. + properties: + cpu: + anyOf: + - type: integer + - type: string + description: CPU in cores. (500m = .5 cores) + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + ephemeralStorage: + anyOf: + - type: integer + - type: string + description: EphemeralStorage Local ephemeral storage, in bytes. (500Gi = 500GiB = 500 * 1024 * 1024 * 1024) The resource name for EphemeralStorage is alpha, and it can change across releases. + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + memory: + anyOf: + - type: integer + - type: string + description: Memory in bytes. (500Gi = 500GiB = 500 * 1024 * 1024 * 1024) + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + type: object + type: object + type: array + resources: + description: Resources defines the configuration for resources for ClusterQuota + properties: + limit: + description: LimitResourceList is a set of (resource name, quantity) pairs. + properties: + cpu: + anyOf: + - type: integer + - type: string + description: CPU in cores. 
(500m = .5 cores) + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + ephemeralStorage: + anyOf: + - type: integer + - type: string + description: EphemeralStorage Local ephemeral storage, in bytes. (500Gi = 500GiB = 500 * 1024 * 1024 * 1024) The resource name for EphemeralStorage is alpha, and it can change across releases. + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + memory: + anyOf: + - type: integer + - type: string + description: Memory in bytes. (500Gi = 500GiB = 500 * 1024 * 1024 * 1024) + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + podCount: + description: PodCount in number. + format: int64 + type: integer + type: object + request: + description: RequestResourceList is a set of (resource name, quantity) pairs. + properties: + cpu: + anyOf: + - type: integer + - type: string + description: CPU in cores. (500m = .5 cores) + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + ephemeralStorage: + anyOf: + - type: integer + - type: string + description: EphemeralStorage Local ephemeral storage, in bytes. (500Gi = 500GiB = 500 * 1024 * 1024 * 1024) The resource name for EphemeralStorage is alpha, and it can change across releases. + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + memory: + anyOf: + - type: integer + - type: string + description: Memory in bytes. 
(500Gi = 500GiB = 500 * 1024 * 1024 * 1024) + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + type: object + type: object + type: array + sliceQuota: + description: SliceQuota defines the configuration for slice quota of a resource quota + properties: + resources: + description: Resources defines the configuration for resources for SliceQuota + properties: + defaultRequestPerContainer: + properties: + cpu: + anyOf: + - type: integer + - type: string + description: CPU in cores. (500m = .5 cores) + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + ephemeralStorage: + anyOf: + - type: integer + - type: string + description: EphemeralStorage Local ephemeral storage, in bytes. (500Gi = 500GiB = 500 * 1024 * 1024 * 1024) The resource name for EphemeralStorage is alpha, and it can change across releases. + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + memory: + anyOf: + - type: integer + - type: string + description: Memory in bytes. (500Gi = 500GiB = 500 * 1024 * 1024 * 1024) + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + limit: + description: LimitResourceList is a set of (resource name, quantity) pairs. + properties: + cpu: + anyOf: + - type: integer + - type: string + description: CPU in cores. 
(500m = .5 cores) + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + ephemeralStorage: + anyOf: + - type: integer + - type: string + description: EphemeralStorage Local ephemeral storage, in bytes. (500Gi = 500GiB = 500 * 1024 * 1024 * 1024) The resource name for EphemeralStorage is alpha, and it can change across releases. + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + memory: + anyOf: + - type: integer + - type: string + description: Memory in bytes. (500Gi = 500GiB = 500 * 1024 * 1024 * 1024) + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + podCount: + description: PodCount in number. + format: int64 + type: integer + type: object + request: + description: RequestResourceList is a set of (resource name, quantity) pairs. + properties: + cpu: + anyOf: + - type: integer + - type: string + description: CPU in cores. (500m = .5 cores) + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + ephemeralStorage: + anyOf: + - type: integer + - type: string + description: EphemeralStorage Local ephemeral storage, in bytes. (500Gi = 500GiB = 500 * 1024 * 1024 * 1024) The resource name for EphemeralStorage is alpha, and it can change across releases. + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + memory: + anyOf: + - type: integer + - type: string + description: Memory in bytes. 
(500Gi = 500GiB = 500 * 1024 * 1024 * 1024) + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + type: object + type: object + type: object + status: + description: SliceResourceQuotaConfigStatus defines the observed state of SliceResourceQuotaConfig + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + cert-manager.io/inject-ca-from: kubeslice-controller/kubeslice-controller-serving-cert + controller-gen.kubebuilder.io/version: v0.7.0 + name: slicerolebindings.controller.kubeslice.io +spec: + conversion: + strategy: Webhook + webhook: + clientConfig: + service: + name: kubeslice-controller-webhook-service + namespace: kubeslice-controller + path: /convert + conversionReviewVersions: + - v1 + group: controller.kubeslice.io + names: + kind: SliceRoleBinding + listKind: SliceRoleBindingList + plural: slicerolebindings + singular: slicerolebinding + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: SliceRoleBinding is the Schema for the slicerolebindings API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + bindings: + items: + description: RoleBinding references a role, but does not contain it. + properties: + applyTo: + description: ApplyTo contains information about the namespace and the Subjects. 
+ items: + description: ApplyTo contains information about the namespace and the Subjects. It adds who information via Subjects and namespace information by which namespace it exists in. + properties: + namespace: + description: Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. '*' Represents all namespaces + type: string + subjects: + description: Subjects holds references to the objects the role applies to. + items: + description: Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, or a value for non-objects such as user and group names. + properties: + apiGroup: + description: APIGroup holds the API group of the referenced subject. Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + type: array + type: object + type: array + roleRef: + description: RoleRef can reference a Role in the current namespace or a ClusterRole in the global namespace. If the RoleRef cannot be resolved, the Authorizer must return an error. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. 
Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: Kind is the type of resource being referenced + type: string + name: + description: Name is the name of resource being referenced + type: string + required: + - apiVersion + - kind + - name + type: object + type: object + type: array + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + status: + properties: + roleRefConditions: + items: + properties: + condition: + description: Condition defines conditions of a RoleRef, one of INVALID_NS, NOT_ACCESSIBLE, INVALID_RULE, INVALID_ROLE_BINDING. + type: string + lastUpdateTime: + description: The last time this condition was updated. + format: date-time + type: string + message: + description: A human-readable message indicating details about the transition. + type: string + namespace: + description: Name of the Namespace in case of INVALID_NS condition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + roleRef: + description: Name, APIVersion and Kind of the RoleRef + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: Kind is the type of resource being referenced + type: string + name: + description: Name is the name of resource being referenced + type: string + required: + - apiVersion + - kind + - name + type: object + status: + description: Status of the condition, one of True, False, Unknown. + type: string + required: + - condition + - lastUpdateTime + - reason + - roleRef + - status + type: object + type: array + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + cert-manager.io/inject-ca-from: kubeslice-controller/kubeslice-controller-serving-cert + controller-gen.kubebuilder.io/version: v0.7.0 + name: sliceroletemplates.controller.kubeslice.io +spec: + conversion: + strategy: Webhook + webhook: + clientConfig: + service: + name: kubeslice-controller-webhook-service + namespace: kubeslice-controller + path: /convert + conversionReviewVersions: + - v1 + group: controller.kubeslice.io + names: + kind: SliceRoleTemplate + listKind: SliceRoleTemplateList + plural: sliceroletemplates + singular: sliceroletemplate + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: SliceRoleTemplate is the Schema for the sliceroletemplates API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. 
Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + rules: + items: + description: PolicyRule holds information that describes a policy rule, but does not contain information about who the rule applies to or which namespace the rule applies to. + properties: + apiGroups: + description: APIGroups is the name of the APIGroup that contains the resources. If multiple API groups are specified, any action requested against one of the enumerated resources in any API group will be allowed. + items: + type: string + type: array + nonResourceURLs: + description: NonResourceURLs is a set of partial urls that a user should have access to. *s are allowed, but only as the full, final step in the path Since non-resource URLs are not namespaced, this field is only applicable for ClusterRoles referenced from a ClusterRoleBinding. Rules can either apply to API resources (such as "pods" or "secrets") or non-resource URL paths (such as "/api"), but not both. + items: + type: string + type: array + resourceNames: + description: ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed. + items: + type: string + type: array + resources: + description: Resources is a list of resources this rule applies to. '*' represents all resources. + items: + type: string + type: array + verbs: + description: Verbs is a list of Verbs that apply to ALL the ResourceKinds contained in this rule. '*' represents all verbs. 
+ items: + type: string + type: array + required: + - verbs + type: object + type: array + status: + description: SliceRoleTemplateStatus defines the observed state of SliceResourceQuotaConfig + type: object + required: + - rules + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.7.0 @@ -727,6 +1376,8 @@ spec: spec: description: WorkerSliceConfigSpec defines the desired state of Slice properties: + clusterSubnetCIDR: + type: string externalGatewayConfig: properties: egress: @@ -766,6 +1417,8 @@ spec: default: false type: boolean type: object + octet: + type: integer qosProfileDetails: description: QOSProfile is the QOS Profile configuration from backend properties: @@ -818,6 +1471,8 @@ spec: sliceType: default: Application type: string + required: + - octet type: object status: description: WorkerSliceConfigStatus defines the observed state of Slice 
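Review bot: `clusterSubnetCIDR` in the `@@ -727,6 +1376,8 @@` hunk is added as a bare `type: string` with no `format`, `pattern` or `description`, so the API server will accept any string where a CIDR is expected, and `octet` in the `@@ -766,6 +1417,8 @@` hunk is a `type: integer` with no bounds or description even though the `@@ -818,6 +1471,8 @@` hunk makes it `required`. The context lines show this CRD is generated (`controller-gen.kubebuilder.io/version: v0.7.0`), so the fix belongs on the Go type as kubebuilder validation markers; the regenerated schema would gain `format: cidr` under `clusterSubnetCIDR` and, if `octet` really is a single IPv4 octet as the name suggests (not verifiable from these hunks), `minimum: 0` and `maximum: 255` under `octet`. A one-line `description:` on each new field would also make `kubectl explain` useful for operators writing WorkerSliceConfig objects. The enclosing WorkerSliceConfig CRD starts and ends outside these hunks.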
@@ -966,6 +1621,757 @@ status: conditions: [] storedVersions: [] --- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + cert-manager.io/inject-ca-from: kubeslice-controller/kubeslice-controller-serving-cert + controller-gen.kubebuilder.io/version: v0.7.0 + name: workerslicenodeaffinities.worker.kubeslice.io +spec: + conversion: + strategy: Webhook + webhook: + clientConfig: + service: + name: kubeslice-controller-webhook-service + namespace: kubeslice-controller + path: /convert + conversionReviewVersions: + - v1 + group: worker.kubeslice.io + names: + kind: WorkerSliceNodeAffinity + listKind: WorkerSliceNodeAffinityList + plural: workerslicenodeaffinities + singular: workerslicenodeaffinity + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: WorkerSliceNodeAffinity is the Schema for the workerslicenodeaffinities API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: WorkerSliceNodeAffinitySpec defines the desired state of WorkerSliceNodeAffinity + properties: + clusterName: + description: ClusterName defines the name of the cluster for the WorkerSliceNodeAffinity + type: string + nodeAffinityRules: + description: NodeAffinityRules defines the node affinity profile for the slice + items: + properties: + namespace: + description: Namespace is the namespace in the slice this rule applies to + type: string + nodeSelectorLabels: + description: NodeSelectorLabels defines the label selectors to select nodes for assigning to pods + items: + description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: The label key that the selector applies to. + type: string + operator: + description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + type: array + sliceName: + description: SliceName defines the name of the slice for the WorkerSliceNodeAffinity + type: string + type: object + status: + description: WorkerSliceNodeAffinityStatus defines the observed state of WorkerSliceNodeAffinity + properties: + nodeAffinityRules: + description: 'INSERT ADDITIONAL STATUS FIELD - define observed state of cluster Important: Run "make" to regenerate code after modifying this file' + items: + properties: + namespace: + description: Namespace is the namespace in the slice this rule applies to + type: string + nodeSelectorLabels: + description: NodeSelectorLabels defines the label selectors to select nodes for assigning to pods + items: + description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: The label key that the selector applies to. + type: string + operator: + description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + type: array + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + cert-manager.io/inject-ca-from: kubeslice-controller/kubeslice-controller-serving-cert + controller-gen.kubebuilder.io/version: v0.7.0 + name: workersliceresourcequotas.worker.kubeslice.io +spec: + conversion: + strategy: Webhook + webhook: + clientConfig: + service: + name: kubeslice-controller-webhook-service + namespace: kubeslice-controller + path: /convert + conversionReviewVersions: + - v1 + group: worker.kubeslice.io + names: + kind: WorkerSliceResourceQuota + listKind: WorkerSliceResourceQuotaList + plural: workersliceresourcequotas + singular: workersliceresourcequota + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: WorkerSliceResourceQuota is the Schema for the workersliceresourcequota API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: WorkerSliceResourceQuotaSpec defines the desired state of WorkerSliceResourceQuota + properties: + clusterName: + description: ClusterName defines the name of the cluster for the WorkerResourceQuota + type: string + resourceQuotaProfile: + description: ResourceQuotaProfile defines the resource quota profile for the slice + properties: + clusterQuota: + description: ClusterQuota defines the configuration for cluster quota of a resource quota + properties: + namespaceQuota: + description: NamespaceQuota defines the configuration for namespace quota of a ClusterQuota + items: + description: NamespaceQuota defines the configuration for namespace quota of a namespaceQuota + properties: + enforceQuota: + default: false + description: EnforceQuota defines the enforceQuota status flag for NamespaceQuota + type: boolean + namespace: + description: Namespace defines the namespace of the NamespaceQuota + type: string + resources: + description: Resources defines the configuration for resources for NamespaceQuota + properties: + defaultLimitPerContainer: + description: DefaultResourcePerContainer is a set of (resource name, quantity) pairs. + properties: + cpu: + anyOf: + - type: integer + - type: string + description: CPU in cores. (500m = .5 cores) + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + ephemeralStorage: + anyOf: + - type: integer + - type: string + description: EphemeralStorage Local ephemeral storage, in bytes. (500Gi = 500GiB = 500 * 1024 * 1024 * 1024) The resource name for EphemeralStorage is alpha, and it can change across releases. 
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + memory: + anyOf: + - type: integer + - type: string + description: Memory in bytes. (500Gi = 500GiB = 500 * 1024 * 1024 * 1024) + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + defaultRequestPerContainer: + description: DefaultResourcePerContainer is a set of (resource name, quantity) pairs. + properties: + cpu: + anyOf: + - type: integer + - type: string + description: CPU in cores. (500m = .5 cores) + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + ephemeralStorage: + anyOf: + - type: integer + - type: string + description: EphemeralStorage Local ephemeral storage, in bytes. (500Gi = 500GiB = 500 * 1024 * 1024 * 1024) The resource name for EphemeralStorage is alpha, and it can change across releases. + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + memory: + anyOf: + - type: integer + - type: string + description: Memory in bytes. (500Gi = 500GiB = 500 * 1024 * 1024 * 1024) + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + limit: + description: LimitResourceList is a set of (resource name, quantity) pairs. + properties: + cpu: + anyOf: + - type: integer + - type: string + description: CPU in cores. 
(500m = .5 cores) + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + ephemeralStorage: + anyOf: + - type: integer + - type: string + description: EphemeralStorage Local ephemeral storage, in bytes. (500Gi = 500GiB = 500 * 1024 * 1024 * 1024) The resource name for EphemeralStorage is alpha, and it can change across releases. + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + memory: + anyOf: + - type: integer + - type: string + description: Memory in bytes. (500Gi = 500GiB = 500 * 1024 * 1024 * 1024) + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + podCount: + description: PodCount in number. + format: int64 + type: integer + type: object + request: + description: RequestResourceList is a set of (resource name, quantity) pairs. + properties: + cpu: + anyOf: + - type: integer + - type: string + description: CPU in cores. (500m = .5 cores) + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + ephemeralStorage: + anyOf: + - type: integer + - type: string + description: EphemeralStorage Local ephemeral storage, in bytes. (500Gi = 500GiB = 500 * 1024 * 1024 * 1024) The resource name for EphemeralStorage is alpha, and it can change across releases. + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + memory: + anyOf: + - type: integer + - type: string + description: Memory in bytes. 
(500Gi = 500GiB = 500 * 1024 * 1024 * 1024) + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + type: object + type: object + type: array + resources: + description: Resources defines the configuration for resources for ClusterQuota + properties: + limit: + description: LimitResourceList is a set of (resource name, quantity) pairs. + properties: + cpu: + anyOf: + - type: integer + - type: string + description: CPU in cores. (500m = .5 cores) + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + ephemeralStorage: + anyOf: + - type: integer + - type: string + description: EphemeralStorage Local ephemeral storage, in bytes. (500Gi = 500GiB = 500 * 1024 * 1024 * 1024) The resource name for EphemeralStorage is alpha, and it can change across releases. + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + memory: + anyOf: + - type: integer + - type: string + description: Memory in bytes. (500Gi = 500GiB = 500 * 1024 * 1024 * 1024) + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + podCount: + description: PodCount in number. + format: int64 + type: integer + type: object + request: + description: RequestResourceList is a set of (resource name, quantity) pairs. + properties: + cpu: + anyOf: + - type: integer + - type: string + description: CPU in cores. 
(500m = .5 cores) + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + ephemeralStorage: + anyOf: + - type: integer + - type: string + description: EphemeralStorage Local ephemeral storage, in bytes. (500Gi = 500GiB = 500 * 1024 * 1024 * 1024) The resource name for EphemeralStorage is alpha, and it can change across releases. + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + memory: + anyOf: + - type: integer + - type: string + description: Memory in bytes. (500Gi = 500GiB = 500 * 1024 * 1024 * 1024) + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + type: object + type: object + sliceQuota: + description: SliceQuota defines the configuration for slice quota of a resource quota + properties: + resources: + description: Resources defines the configuration for resources for SliceQuota + properties: + defaultRequestPerContainer: + description: DefaultResourcePerContainer is a set of (resource name, quantity) pairs. + properties: + cpu: + anyOf: + - type: integer + - type: string + description: CPU in cores. (500m = .5 cores) + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + ephemeralStorage: + anyOf: + - type: integer + - type: string + description: EphemeralStorage Local ephemeral storage, in bytes. (500Gi = 500GiB = 500 * 1024 * 1024 * 1024) The resource name for EphemeralStorage is alpha, and it can change across releases. 
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + memory: + anyOf: + - type: integer + - type: string + description: Memory in bytes. (500Gi = 500GiB = 500 * 1024 * 1024 * 1024) + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + limit: + description: LimitResourceList is a set of (resource name, quantity) pairs. + properties: + cpu: + anyOf: + - type: integer + - type: string + description: CPU in cores. (500m = .5 cores) + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + ephemeralStorage: + anyOf: + - type: integer + - type: string + description: EphemeralStorage Local ephemeral storage, in bytes. (500Gi = 500GiB = 500 * 1024 * 1024 * 1024) The resource name for EphemeralStorage is alpha, and it can change across releases. + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + memory: + anyOf: + - type: integer + - type: string + description: Memory in bytes. (500Gi = 500GiB = 500 * 1024 * 1024 * 1024) + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + podCount: + description: PodCount in number. + format: int64 + type: integer + type: object + request: + description: RequestResourceList is a set of (resource name, quantity) pairs. + properties: + cpu: + anyOf: + - type: integer + - type: string + description: CPU in cores. 
(500m = .5 cores) + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + ephemeralStorage: + anyOf: + - type: integer + - type: string + description: EphemeralStorage Local ephemeral storage, in bytes. (500Gi = 500GiB = 500 * 1024 * 1024 * 1024) The resource name for EphemeralStorage is alpha, and it can change across releases. + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + memory: + anyOf: + - type: integer + - type: string + description: Memory in bytes. (500Gi = 500GiB = 500 * 1024 * 1024 * 1024) + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + type: object + type: object + type: object + sliceName: + description: SliceName defines the name of the slice for the WorkerResourceQuota + type: string + type: object + status: + description: WorkerSliceResourceQuotaStatus defines the observed state of WorkerSliceResourceQuota + properties: + clusterResourceQuotaStatus: + properties: + namespaceResourceQuotaStatus: + items: + properties: + namespace: + type: string + requestResourceUsage: + description: RequestResourceList is a set of (resource name, quantity) pairs. + properties: + cpu: + anyOf: + - type: integer + - type: string + description: CPU in cores. (500m = .5 cores) + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + ephemeralStorage: + anyOf: + - type: integer + - type: string + description: EphemeralStorage Local ephemeral storage, in bytes. (500Gi = 500GiB = 500 * 1024 * 1024 * 1024) The resource name for EphemeralStorage is alpha, and it can change across releases. 
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + memory: + anyOf: + - type: integer + - type: string + description: Memory in bytes. (500Gi = 500GiB = 500 * 1024 * 1024 * 1024) + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + resourceUsage: + description: LimitResourceList is a set of (resource name, quantity) pairs. + properties: + cpu: + anyOf: + - type: integer + - type: string + description: CPU in cores. (500m = .5 cores) + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + ephemeralStorage: + anyOf: + - type: integer + - type: string + description: EphemeralStorage Local ephemeral storage, in bytes. (500Gi = 500GiB = 500 * 1024 * 1024 * 1024) The resource name for EphemeralStorage is alpha, and it can change across releases. + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + memory: + anyOf: + - type: integer + - type: string + description: Memory in bytes. (500Gi = 500GiB = 500 * 1024 * 1024 * 1024) + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + podCount: + description: PodCount in number. + format: int64 + type: integer + type: object + type: object + type: array + requestResourceUsage: + description: RequestResourceList is a set of (resource name, quantity) pairs. + properties: + cpu: + anyOf: + - type: integer + - type: string + description: CPU in cores. 
(500m = .5 cores) + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + ephemeralStorage: + anyOf: + - type: integer + - type: string + description: EphemeralStorage Local ephemeral storage, in bytes. (500Gi = 500GiB = 500 * 1024 * 1024 * 1024) The resource name for EphemeralStorage is alpha, and it can change across releases. + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + memory: + anyOf: + - type: integer + - type: string + description: Memory in bytes. (500Gi = 500GiB = 500 * 1024 * 1024 * 1024) + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + resourceUsage: + description: LimitResourceList is a set of (resource name, quantity) pairs. + properties: + cpu: + anyOf: + - type: integer + - type: string + description: CPU in cores. (500m = .5 cores) + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + ephemeralStorage: + anyOf: + - type: integer + - type: string + description: EphemeralStorage Local ephemeral storage, in bytes. (500Gi = 500GiB = 500 * 1024 * 1024 * 1024) The resource name for EphemeralStorage is alpha, and it can change across releases. + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + memory: + anyOf: + - type: integer + - type: string + description: Memory in bytes. 
(500Gi = 500GiB = 500 * 1024 * 1024 * 1024) + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + podCount: + description: PodCount in number. + format: int64 + type: integer + type: object + type: object + onboardedNamespace: + items: + type: string + type: array + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + cert-manager.io/inject-ca-from: kubeslice-controller/kubeslice-controller-serving-cert + controller-gen.kubebuilder.io/version: v0.7.0 + name: workerslicerolebindings.worker.kubeslice.io +spec: + conversion: + strategy: Webhook + webhook: + clientConfig: + service: + name: kubeslice-controller-webhook-service + namespace: kubeslice-controller + path: /convert + conversionReviewVersions: + - v1 + group: worker.kubeslice.io + names: + kind: WorkerSliceRoleBinding + listKind: WorkerSliceRoleBindingList + plural: workerslicerolebindings + singular: workerslicerolebinding + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: WorkerSliceRoleBinding is the Schema for the workerslicerolebindings API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + bindings: + properties: + applyTo: + description: ApplyTo contains information about the namespace and the Subjects. + items: + description: ApplyTo contains information about the namespace and the Subjects. 
It adds who information via Subjects and namespace information by which namespace it exists in. + properties: + namespace: + description: Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. '*' Represents all namespaces + type: string + subjects: + description: Subjects holds references to the objects the role applies to. + items: + description: Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, or a value for non-objects such as user and group names. + properties: + apiGroup: + description: APIGroup holds the API group of the referenced subject. Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + type: array + type: object + type: array + rules: + items: + description: PolicyRule holds information that describes a policy rule, but does not contain information about who the rule applies to or which namespace the rule applies to. + properties: + apiGroups: + description: APIGroups is the name of the APIGroup that contains the resources. If multiple API groups are specified, any action requested against one of the enumerated resources in any API group will be allowed. 
+ items: + type: string + type: array + nonResourceURLs: + description: NonResourceURLs is a set of partial urls that a user should have access to. *s are allowed, but only as the full, final step in the path Since non-resource URLs are not namespaced, this field is only applicable for ClusterRoles referenced from a ClusterRoleBinding. Rules can either apply to API resources (such as "pods" or "secrets") or non-resource URL paths (such as "/api"), but not both. + items: + type: string + type: array + resourceNames: + description: ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed. + items: + type: string + type: array + resources: + description: Resources is a list of resources this rule applies to. '*' represents all resources. + items: + type: string + type: array + verbs: + description: Verbs is a list of Verbs that apply to ALL the ResourceKinds contained in this rule. '*' represents all verbs. + items: + type: string + type: array + required: + - verbs + type: object + type: array + type: object + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + status: + properties: + roleRefCondition: + properties: + condition: + description: Condition defines conditions of the RoleRef, one of INVALID_RULE, INVALID_ROLE_BINDING. + type: string + lastUpdateTime: + description: The last time this condition was updated. + format: date-time + type: string + message: + description: A human-readable message indicating details about the transition. + type: string + reason: + description: The reason for the condition's last transition. 
+ type: string + roleRef: + description: Name, APIGroup and Kind of the RoleRef + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: Kind is the type of resource being referenced + type: string + name: + description: Name is the name of resource being referenced + type: string + required: + - apiVersion + - kind + - name + type: object + status: + description: Status of the condition, one of True, False, Unknown. + type: string + required: + - condition + - lastUpdateTime + - reason + - roleRef + - status + type: object + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- apiVersion: v1 kind: ServiceAccount metadata: @@ -1091,7 +2497,11 @@ rules: - projects - serviceexportconfigs - sliceconfigs + - slicenodeaffinities - sliceqosconfigs + - sliceresourcequotaconfigs + - slicerolebindings + - sliceroletemplates verbs: - create - delete @@ -1107,7 +2517,11 @@ rules: - projects/finalizers - serviceexportconfigs/finalizers - sliceconfigs/finalizers + - slicenodeaffinities/finalizers - sliceqosconfigs/finalizers + - sliceresourcequotaconfigs/finalizers + - slicerolebindings/finalizers + - sliceroletemplates/finalizers verbs: - update - apiGroups: @@ -1117,11 +2531,17 @@ rules: - projects/status - serviceexportconfigs/status - sliceconfigs/status + - slicenodeaffinities/status - sliceqosconfigs/status + - sliceresourcequotaconfigs/status + - slicerolebindings/status + - sliceroletemplates/status verbs: - get + - list - patch - update + - watch - apiGroups: - rbac.authorization.k8s.io resources: 
@@ -1142,6 +2562,9 @@ rules: - workerserviceimports - workersliceconfigs - workerslicegateways + - workerslicenodeaffinities + - workersliceresourcequotas + - workerslicerolebindings verbs: - create - delete @@ -1155,7 +2578,10 @@ rules: resources: - workerserviceimports/finalizers - workersliceconfigs/finalizers - - workerslicegateways/ + - workerslicegateways/finalizers + - workerslicenodeaffinities/finalizers + - workersliceresourcequotas/finalizers + - workerslicerolebindings/finalizers verbs: - update - apiGroups: 
@@ -1164,10 +2590,126 @@ rules: - workerserviceimports/status - workersliceconfigs/status - workerslicegateways/status + - workerslicenodeaffinities/status + - workersliceresourcequotas/status + - workerslicerolebindings/status verbs: - get + - list - patch - update + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/name: kube-state-metrics + app.kubernetes.io/version: v1.8.0 + name: kubeslice-controller-kube-state-metrics +rules: +- apiGroups: + - "" + resources: + - configmaps + - secrets + - nodes + - pods + - services + - resourcequotas + - replicationcontrollers + - limitranges + - persistentvolumeclaims + - persistentvolumes + - namespaces + - endpoints + verbs: + - list + - watch +- apiGroups: + - extensions + resources: + - daemonsets + - deployments + - replicasets + - ingresses + verbs: + - list + - watch +- apiGroups: + - apps + resources: + - statefulsets + - daemonsets + - deployments + - replicasets + verbs: + - list + - watch +- apiGroups: + - batch + resources: + - cronjobs + - jobs + verbs: + - list + - watch +- apiGroups: + - autoscaling + resources: + - horizontalpodautoscalers + verbs: + - list + - watch +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create +- apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create +- apiGroups: + - policy + resources: + - poddisruptionbudgets + verbs: + - list + - watch +- apiGroups: + - certificates.k8s.io + resources: + - certificatesigningrequests + verbs: + - list + - watch +- apiGroups: + - storage.k8s.io + resources: + - storageclasses + - volumeattachments + verbs: + - list + - watch +- apiGroups: + - admissionregistration.k8s.io + resources: + - mutatingwebhookconfigurations + - validatingwebhookconfigurations + verbs: + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - networkpolicies + verbs: + - list + - watch --- apiVersion: 
rbac.authorization.k8s.io/v1 kind: ClusterRole @@ -1227,6 +2769,38 @@ rules: - get - patch - update +--- + {{ if .Values.kubeslice.prometheus.enabled}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kubeslice-controller-prometheus +rules: +- apiGroups: + - "" + resources: + - nodes + - nodes/proxy + - services + - endpoints + - pods + verbs: + - get + - list + - watch +- apiGroups: + - extensions + resources: + - ingresses + verbs: + - get + - list + - watch +- nonResourceURLs: + - /metrics + verbs: + - get + {{ end }} --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole @@ -1260,10 +2834,28 @@ subjects: name: kubeslice-controller-controller-manager namespace: kubeslice-controller --- + {{ if .Values.kubeslice.prometheus.enabled}} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - name: kubeslice-controller-controller-rolebinding + labels: + app.kubernetes.io/name: kube-state-metrics + app.kubernetes.io/version: v1.8.0 + name: kubeslice-controller-kube-state-metrics +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: kubeslice-controller-kube-state-metrics +subjects: +- kind: ServiceAccount + name: kube-state-metrics + namespace: kube-system + {{ end }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: kubeslice-controller-manager-rolebinding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole 
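Review bot: The `kubeslice-controller-kube-state-metrics` ClusterRole added in the `@@ -1164,10 +2590,126 @@` hunk is rendered unconditionally, while its ClusterRoleBinding in the `@@ -1260,10 +2834,28 @@` hunk is wrapped in `{{ if .Values.kubeslice.prometheus.enabled}}`, so disabling Prometheus leaves a dangling role that grants cluster-wide `list`/`watch` on `secrets` (full Secret contents, not just metadata) with nothing meant to use it. The binding's subject is ServiceAccount `kube-state-metrics` in `kube-system`, which nothing in this diff creates; if the chart does not ship kube-state-metrics, this is a standing grant for a principal the chart does not control. Wrap the ClusterRole in the same `{{ if ... }}` guard as the binding, and either add the ServiceAccount and workload the role is intended for or document the external dependency above the binding, e.g. `# expects kube-state-metrics to be deployed separately in kube-system under the SA named below`.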
@@ -1285,6 +2877,21 @@ subjects: - kind: ServiceAccount name: kubeslice-controller-ovpn-manager namespace: kubeslice-controller +--- + {{ if .Values.kubeslice.prometheus.enabled}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: kubeslice-controller-prometheus +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: kubeslice-controller-prometheus +subjects: +- kind: ServiceAccount + name: default + namespace: kubeslice-controller + {{ end }} --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding 
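Review bot: The `kubeslice-controller-prometheus` ClusterRoleBinding grants cluster-wide `get`/`list`/`watch` on nodes, `nodes/proxy`, services, endpoints and pods to the `default` ServiceAccount of `kubeslice-controller`, which is the identity of every pod in that namespace that does not set an explicit `serviceAccountName`, not only Prometheus. Binding to `default` is the reason the Prometheus Deployment in the `@@ -1439,6 +3164,51 @@` hunk works without naming a ServiceAccount, but it widens the blast radius of any other pod in the namespace. Add a dedicated ServiceAccount `kubeslice-controller-prometheus` under the same `{{ if }}` guard, change the subject here to `name: kubeslice-controller-prometheus`, and set `serviceAccountName: kubeslice-controller-prometheus` in the Prometheus pod spec so the grant is scoped to the one workload that needs it.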
@@ -1312,11 +2919,82 @@ data: port: 9443 leaderElection: leaderElect: true - resourceName: d7f43c17.kubeslice.io + resourceName: 35a65c38.kubeslice.io kind: ConfigMap metadata: name: kubeslice-controller-manager-config namespace: kubeslice-controller +--- + {{ if .Values.kubeslice.prometheus.enabled}} +apiVersion: v1 +data: + prometheus.rules: |- + groups: + - name: Resource Quota violation alerts + rules: + - alert: Slice Resource Quota Violation + expr: kubeslice_controller_slice_quota_violation > 0 + for: 1m + labels: + severity: critical + annotations: + summary: "Slice Resource Usage Exceeded Quota" + description: "The slice {{ "{{" }} $labels.slice_name}} has CPU usage {{ "{{" }} $labels.cpu}} and memory usage {{ "{{" }} $labels.memory}}: violated by {{ "{{" }} $labels.violated_resource_type}}" + - alert: Cluster Resource Quota Violation + expr: kubeslice_controller_cluster_quota_violation > 0 + for: 1m + labels: + severity: critical + annotations: + summary: "Cluster Resource Usage Exceeded Quota" + description: "The cluster {{ "{{" }} $labels.cluster_name}} has CPU usage {{ "{{" }} $labels.cpu}} and memory usage {{ "{{" }} $labels.memory}}: violated by {{ "{{" }} $labels.violated_resource_type}}" + - alert: Namespace Resource Quota Violation + expr: kubeslice_controller_namespace_quota_violation > 0 + for: 1m + labels: + severity: critical + annotations: + summary: "Namespace Resource Usage Exceeded Quota" + description: "The namespace {{ "{{" }}$labels.namespace}} has CPU usage {{ "{{" }}$labels.cpu}} and memory usage {{ "{{" }}$labels.memory}}: violated by {{ "{{" }}$labels.violated_resource_type}}" + prometheus.yml: |- + global: + scrape_interval: 5s + evaluation_interval: 5s + rule_files: + - /etc/prometheus/prometheus.rules + scrape_configs: + - job_name: 'kubernetes-pods' + kubernetes_sd_configs: + - role: pod + relabel_configs: + - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scrape] + action: keep + regex: true + - source_labels: 
[__meta_kubernetes_pod_annotation_prometheus_io_path] + action: replace + target_label: __metrics_path__ + regex: (.+) + - source_labels: [__address__, __meta_kubernetes_pod_annotation_prometheus_io_port] + action: replace + regex: ([^:]+)(?::\d+)?;(\d+) + replacement: $1:$2 + target_label: __address__ + - action: labelmap + regex: __meta_kubernetes_pod_label_(.+) + - source_labels: [__meta_kubernetes_namespace] + action: replace + target_label: kubernetes_namespace + - source_labels: [__meta_kubernetes_pod_name] + action: replace + target_label: kubernetes_pod_name +kind: ConfigMap +metadata: + labels: + name: prometheus-server-conf + name: kubeslice-controller-prometheus-server-conf + namespace: kubeslice-controller + {{ end }} +--- --- apiVersion: v1 kind: Service @@ -1333,6 +3011,21 @@ spec: targetPort: https selector: control-plane: controller-manager +--- + {{ if .Values.kubeslice.prometheus.enabled}} +apiVersion: v1 +kind: Service +metadata: + name: kubeslice-controller-prometheus-service + namespace: kubeslice-controller +spec: + ports: + - port: 9090 + targetPort: 9090 + selector: + app: prometheus-server + type: ClusterIP + {{ end }} --- apiVersion: v1 kind: Service 
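Review bot: The `kubernetes-pods` scrape job in `prometheus.yml` uses `kubernetes_sd_configs` with `role: pod` and no `namespaces` selector, so this Prometheus discovers and scrapes every pod in the cluster annotated `prometheus.io/scrape: "true"`, not just the controller in `kubeslice-controller`; combined with the cluster-wide ClusterRole this makes a per-chart component a cluster-wide metrics collector, and `kubeslice-controller-prometheus-service` in the `@@ -1333,6 +3011,21 @@` hunk exposes the unauthenticated Prometheus API on 9090 to any in-cluster client. If only the controller's quota metrics are needed, scope discovery to the namespace: `- role: pod` / `  namespaces:` / `    names: [kubeslice-controller]`. A comment above the job stating the intended scrape scope would help reviewers of later changes judge whether widening it is deliberate.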
@@ -1347,6 +3040,35 @@ spec: selector: control-plane: controller-manager --- +apiVersion: batch/v1 +kind: Job +metadata: + name: kubeslice-controller-cleanup + annotations: + # This is what defines this resource as a hook. Without this line, the + # job is considered part of the release. + "helm.sh/hook": pre-delete + "helm.sh/hook-delete-policy": hook-succeeded,hook-failed +spec: + template: + spec: + serviceAccountName: kubeslice-controller-controller-manager + containers: + - name: cleanup + image: '{{ .Values.kubeslice.controller.image }}:{{ .Values.kubeslice.controller.tag }}' + imagePullPolicy: '{{ .Values.kubeslice.controller.pullPolicy }}' + command: + - /cleanup + env: + - name: KUBESLICE_CONTROLLER_MANAGER_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + imagePullSecrets: + - name: kubeslice-image-pull-secret + restartPolicy: Never + backoffLimit: 1 +--- apiVersion: apps/v1 kind: Deployment metadata: @@ -1363,6 +3085,8 @@ spec: metadata: annotations: kubectl.kubernetes.io/default-container: manager + prometheus.io/port: "18080" + prometheus.io/scrape: "true" labels: control-plane: controller-manager spec: @@ -1371,7 +3095,7 @@ spec: - --secure-listen-address=0.0.0.0:8443 - --upstream=http://127.0.0.1:8080/ - --logtostderr=true - - --v=10 + - --v=0 image: '{{ .Values.kubeslice.rbacproxy.image }}:{{ .Values.kubeslice.rbacproxy.tag }}' name: kube-rbac-proxy ports: 
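Review bot: The `prometheus.io/port: "18080"` annotation added in the `@@ -1363,6 +3085,8 @@` hunk, together with a scrape config that sets neither `scheme: https` nor a bearer token, implies the manager now serves metrics as plain HTTP on 18080 next to the kube-rbac-proxy-protected 8443; if so, that endpoint is reachable unauthenticated from any pod that can reach the controller, bypassing the proxy — confirm which port serves `/metrics` and consider routing it through the proxy or restricting it with a NetworkPolicy. On the `kubeslice-controller-cleanup` hook in this hunk, the Job has no `activeDeadlineSeconds`, so a hung `/cleanup` run blocks `helm uninstall` until the client timeout; adding `activeDeadlineSeconds: 600` (constructed value) next to `backoffLimit: 1` bounds that. The hook also runs as the controller-manager ServiceAccount, which is appropriate only if `/cleanup` needs the controller's full permission set; a one-line comment saying what it removes would justify the choice.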
@@ -1386,6 +3110,7 @@ spec: - --rbac-resource-prefix={{ required "A valid value is required!" .Values.kubeslice.controller.rbacResourcePrefix }} - --project-namespace-prefix={{ required "A valid value is required!" .Values.kubeslice.controller.projectnsPrefix }} - --controller-end-point={{ required "A valid value is required!" .Values.kubeslice.controller.endpoint }} + - --prometheus-service-endpoint={{ required "A valid value is required!" .Values.kubeslice.prometheus.url}} - --ovpn-job-image={{ .Values.kubeslice.ovpnJob.image }}:{{ .Values.kubeslice.ovpnJob.tag }} command: - /manager @@ -1439,6 +3164,51 @@ spec: imagePullSecrets: - name: kubeslice-image-pull-secret {{- end }} +--- + {{ if .Values.kubeslice.prometheus.enabled}} +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: prometheus-server + name: kubeslice-controller-prometheus + namespace: kubeslice-controller +spec: + replicas: 1 + selector: + matchLabels: + app: prometheus-server + strategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 + type: RollingUpdate + template: + metadata: + labels: + app: prometheus-server + spec: + containers: + - args: + - --config.file=/etc/prometheus/prometheus.yml + - --storage.tsdb.path=/prometheus/ + image: prom/prometheus + name: prometheus + ports: + - containerPort: 9090 + volumeMounts: + - mountPath: /etc/prometheus/ + name: prometheus-config-volume + - mountPath: /prometheus/ + name: prometheus-storage-volume + volumes: + - configMap: + defaultMode: 420 + name: kubeslice-controller-prometheus-server-conf + name: prometheus-config-volume + - emptyDir: {} + name: prometheus-storage-volume + {{ end }} --- apiVersion: cert-manager.io/v1 kind: Certificate 
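Review bot: The Prometheus Deployment in the `@@ -1439,6 +3164,51 @@` hunk uses `image: prom/prometheus` with no tag, so it floats on `latest` and is the only container in this chart whose image is neither pinned nor parameterised; every other container reads `image`/`tag`/`pullPolicy` from `.Values`. Follow the chart's convention, e.g. `image: '{{ .Values.kubeslice.prometheus.image }}:{{ .Values.kubeslice.prometheus.tag }}'` with a pinned default tag in `values.yaml`, so upgrades are reproducible and the image can be mirrored like the others. The pod also sets no `securityContext` or `resources` and keeps the TSDB in an `emptyDir`; that is acceptable for an in-chart collector but should be stated, e.g. `# ephemeral: metrics are lost on pod restart`. In the `@@ -1386,6 +3110,7 @@` hunk, `--prometheus-service-endpoint` is wrapped in `required` even when `.Values.kubeslice.prometheus.enabled` is false, so a user who disables Prometheus and clears `url` gets a render failure; guard the flag with the same condition.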
@@ -1469,6 +3239,46 @@ metadata: cert-manager.io/inject-ca-from: kubeslice-controller/kubeslice-controller-serving-cert name: kubeslice-controller-mutating-webhook-configuration webhooks: +- admissionReviewVersions: + - v1 + clientConfig: + service: + name: kubeslice-controller-webhook-service + namespace: kubeslice-controller + path: /mutate-controller-kubeslice-io-v1alpha1-sliceresourcequotaconfig + failurePolicy: Fail + name: msliceresourcequotaconfig.kb.io + rules: + - apiGroups: + - controller.kubeslice.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - sliceresourcequotaconfigs + sideEffects: None +- admissionReviewVersions: + - v1 + clientConfig: + service: + name: kubeslice-controller-webhook-service + namespace: kubeslice-controller + path: /mutate-controller-kubeslice-io-v1alpha1-slicerolebinding + failurePolicy: Fail + name: mslicerolebinding.kb.io + rules: + - apiGroups: + - controller.kubeslice.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - slicerolebindings + sideEffects: None - admissionReviewVersions: - v1 clientConfig: 
@@ -1617,6 +3427,69 @@ metadata: cert-manager.io/inject-ca-from: kubeslice-controller/kubeslice-controller-serving-cert name: kubeslice-controller-validating-webhook-configuration webhooks: +- admissionReviewVersions: + - v1 + clientConfig: + service: + name: kubeslice-controller-webhook-service + namespace: kubeslice-controller + path: /validate-controller-kubeslice-io-v1alpha1-sliceresourcequotaconfig + failurePolicy: Fail + name: vsliceresourcequotaconfig.kb.io + rules: + - apiGroups: + - controller.kubeslice.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + - DELETE + resources: + - sliceresourcequotaconfigs + sideEffects: None +- admissionReviewVersions: + - v1 + clientConfig: + service: + name: kubeslice-controller-webhook-service + namespace: kubeslice-controller + path: /validate-controller-kubeslice-io-v1alpha1-slicerolebinding + failurePolicy: Fail + name: vslicerolebinding.kb.io + rules: + - apiGroups: + - controller.kubeslice.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + - DELETE + resources: + - slicerolebindings + sideEffects: None +- admissionReviewVersions: + - v1 + clientConfig: + service: + name: kubeslice-controller-webhook-service + namespace: kubeslice-controller + path: /validate-controller-kubeslice-io-v1alpha1-sliceroletemplate + failurePolicy: Fail + name: vsliceroletemplate.kb.io + rules: + - apiGroups: + - controller.kubeslice.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + - DELETE + resources: + - sliceroletemplates + sideEffects: None - admissionReviewVersions: - v1 clientConfig: @@ -1760,4 +3633,4 @@ webhooks: - UPDATE resources: - workerslicegateways - sideEffects: None + sideEffects: None \ No newline at end of file diff --git a/charts/avesha/kubeslice-controller/templates/kubeslice-ui-imagepullsecret.yaml b/charts/avesha/kubeslice-controller/templates/kubeslice-ui-imagepullsecret.yaml new file mode 100644 index 000000000..b1cefd2dd --- /dev/null 
+++ b/charts/avesha/kubeslice-controller/templates/kubeslice-ui-imagepullsecret.yaml @@ -0,0 +1,19 @@ +--- + {{- if and .Values.imagePullSecrets .Values.imagePullSecrets.repository .Values.imagePullSecrets.username .Values.imagePullSecrets.password }} +apiVersion: v1 +data: + .dockerconfigjson: {{ + printf "{\"auths\":{\"%s\":{\"username\":\"%s\",\"password\":\"%s\",\"email\":\"%s\",\"auth\":\"%s\"}}}" + .Values.imagePullSecrets.repository + .Values.imagePullSecrets.username + .Values.imagePullSecrets.password + .Values.imagePullSecrets.email + (printf "%s:%s" .Values.imagePullSecrets.username .Values.imagePullSecrets.password | b64enc) + | b64enc + }} +kind: Secret +metadata: + name: kubeslice-ui-image-pull-secret + namespace: kubeslice-controller +type: kubernetes.io/dockerconfigjson + {{- end }} \ No newline at end of file diff --git a/charts/avesha/kubeslice-controller/templates/kubeslice-ui-oidc-secret.yaml b/charts/avesha/kubeslice-controller/templates/kubeslice-ui-oidc-secret.yaml new file mode 100644 index 000000000..a722c8974 --- /dev/null +++ b/charts/avesha/kubeslice-controller/templates/kubeslice-ui-oidc-secret.yaml @@ -0,0 +1,10 @@ +--- + {{- if .Values.kubeslice.ui.idp}} +apiVersion: v1 +kind: Secret +metadata: + name: kubeslice-ui-oidc + namespace: kubeslice-controller +data: + oidc-secrets.yaml: {{ (printf "idp:%s" (.Values.kubeslice.ui.idp | toYaml | nindent 2)) | b64enc }} + {{- end}} diff --git a/charts/avesha/kubeslice-controller/templates/kubeslice-ui-proxy.yaml b/charts/avesha/kubeslice-controller/templates/kubeslice-ui-proxy.yaml index 46d14cc93..b5435b98f 100644 --- a/charts/avesha/kubeslice-controller/templates/kubeslice-ui-proxy.yaml +++ b/charts/avesha/kubeslice-controller/templates/kubeslice-ui-proxy.yaml 
@@ -33,9 +33,14 @@ spec: - name: kubeslice-ui-proxy image: '{{ .Values.kubeslice.uiproxy.image }}:{{ .Values.kubeslice.uiproxy.tag }}' imagePullPolicy: '{{ .Values.kubeslice.uiproxy.pullPolicy }}' + env: + - name: KUBESLICE-CONTROLLER-PROMETHEUS + value: {{ .Values.kubeslice.prometheus.url }} + - name: REACT_APP_SOCKET_URL + value: 'ws://kubeslice-api-gw.kubeslice-controller.svc.cluster.local:3000' ports: - containerPort: 443 {{- if and .Values.imagePullSecrets .Values.imagePullSecrets.repository .Values.imagePullSecrets.username .Values.imagePullSecrets.password }} imagePullSecrets: - name: kubeslice-ui-image-pull-secret - {{- end }} \ No newline at end of file + {{- end }} diff --git a/charts/avesha/kubeslice-controller/templates/kubeslice-ui.yaml b/charts/avesha/kubeslice-controller/templates/kubeslice-ui.yaml index 5002159d4..00aaef791 100644 --- a/charts/avesha/kubeslice-controller/templates/kubeslice-ui.yaml +++ b/charts/avesha/kubeslice-controller/templates/kubeslice-ui.yaml @@ -1,22 +1,3 @@ ---- - {{- if and .Values.imagePullSecrets .Values.imagePullSecrets.repository .Values.imagePullSecrets.username .Values.imagePullSecrets.password }} -apiVersion: v1 -data: - .dockerconfigjson: {{ - printf "{\"auths\":{\"%s\":{\"username\":\"%s\",\"password\":\"%s\",\"email\":\"%s\",\"auth\":\"%s\"}}}" - .Values.imagePullSecrets.repository - .Values.imagePullSecrets.username - .Values.imagePullSecrets.password - .Values.imagePullSecrets.email - (printf "%s:%s" .Values.imagePullSecrets.username .Values.imagePullSecrets.password | b64enc) - | b64enc - }} -kind: Secret -metadata: - name: kubeslice-ui-image-pull-secret - namespace: kubeslice-controller -type: kubernetes.io/dockerconfigjson - {{- end }} --- apiVersion: v1 kind: Service @@ -30,7 +11,7 @@ spec: - name: http port: 80 protocol: TCP - targetPort: 3000 + targetPort: 80 selector: app: kubeslice-ui type: ClusterIP 
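Review bot: The new env var in the ui-proxy container is named `KUBESLICE-CONTROLLER-PROMETHEUS` (hyphens), while the same setting in `kubeslice-ui.yaml` uses `KUBESLICE_CONTROLLER_PROMETHEUS`; hyphenated names pass Kubernetes validation but are not valid shell identifiers, so whichever spelling the code reads, the other silently stays unset — align both on the underscore form. The value is rendered unquoted (`value: {{ .Values.kubeslice.prometheus.url }}`); an empty or YAML-significant value would break the manifest, so write `value: "{{ .Values.kubeslice.prometheus.url }}"`. The hardcoded `ws://kubeslice-api-gw.kubeslice-controller.svc.cluster.local:3000` is a plaintext WebSocket and pins the namespace; fine for in-cluster traffic, but a comment noting that it is cluster-internal only would make the choice explicit.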
@@ -54,11 +35,16 @@ spec: - image: '{{ .Values.kubeslice.ui.image }}:{{ .Values.kubeslice.ui.tag }}' imagePullPolicy: '{{ .Values.kubeslice.ui.pullPolicy }}' name: kubeslice-ui + env: + - name: KUBESLICE_CONTROLLER_PROMETHEUS + value: {{ .Values.kubeslice.prometheus.url }} + - name: REACT_APP_SOCKET_URL + value: 'ws://kubeslice-api-gw.kubeslice-controller.svc.cluster.local:3000' ports: - containerPort: 3000 {{- if and .Values.imagePullSecrets .Values.imagePullSecrets.repository .Values.imagePullSecrets.username .Values.imagePullSecrets.password }} imagePullSecrets: - name: kubeslice-ui-image-pull-secret {{- end }} - serviceAccountName: kubeslice-ui - serviceAccount: kubeslice-ui + serviceAccountName: kubeslice-api-gw + serviceAccount: kubeslice-api-gw diff --git a/charts/avesha/kubeslice-controller/values.yaml b/charts/avesha/kubeslice-controller/values.yaml index e1143dc5f..724bc04cd 100644 --- a/charts/avesha/kubeslice-controller/values.yaml +++ b/charts/avesha/kubeslice-controller/values.yaml @@ -7,18 +7,21 @@ kubeslice: logLevel: info rbacResourcePrefix: kubeslice-rbac projectnsPrefix: kubeslice - endpoint: + endpoint: image: aveshasystems/kubeslice-controller-ent - tag: 0.2.0 + tag: 0.5.0 pullPolicy: IfNotPresent ovpnJob: image: aveshasystems/gateway-certs-generator - tag: 0.1.5 + tag: 0.1.10 + prometheus: + enabled: true + url: http://kubeslice-controller-prometheus-service:9090 # Kubeslice UI settings ui: image: aveshasystems/kubeslice-ui-ent - tag: 0.2.3 + tag: 0.5.0 pullPolicy: IfNotPresent dashboard: image: aveshasystems/kubeslice-kubernetes-dashboard 
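Review bot: The `kubeslice-ui` Service's `targetPort` is changed from 3000 to 80 in the `@@ -30,7 +11,7 @@` hunk of the same file, but the container in this hunk still declares `containerPort: 3000`; if the 0.5.0 UI image still listens on 3000 the Service no longer reaches it, and if it now listens on 80 the `containerPort` is stale — align the two. The pod is also switched to `serviceAccountName: kubeslice-api-gw`, a ServiceAccount that nothing in this diff creates and that by its name belongs to the API gateway; sharing one SA gives the UI whatever RBAC the gateway needs, so the UI should keep its own SA unless the two workloads are intentionally merged. In the `values.yaml` hunk, `prometheus.enabled: true` turns the cluster-wide RBAC and the Prometheus Deployment on by default; consider `enabled: false` with a comment explaining what enabling it deploys, so operators opt in.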
@@ -26,14 +29,18 @@ kubeslice: pullPolicy: IfNotPresent uiproxy: image: aveshasystems/kubeslice-ui-proxy - tag: 1.0.1 + tag: 1.0.4 pullPolicy: IfNotPresent service: ## For kind, set this to NodePort, elsewhere use LoadBalancer or NodePort ## Ref: https://kubernetes.io/docs/user-guide/services/#publishing-services---service-types ## type: LoadBalancer - + apigw: + image: aveshasystems/kubeslice-api-gw-ent + tag: 1.3.5 + pullPolicy: IfNotPresent + # username & password & email values for imagePullSecrets has to provided to create a secret imagePullSecrets: repository: https://index.docker.io/v1/ diff --git a/charts/avesha/kubeslice-worker/Chart.yaml b/charts/avesha/kubeslice-worker/Chart.yaml index e03a59777..a225ad9b8 100644 --- a/charts/avesha/kubeslice-worker/Chart.yaml +++ b/charts/avesha/kubeslice-worker/Chart.yaml @@ -5,7 +5,7 @@ annotations: catalog.cattle.io/namespace: kubeslice-system catalog.cattle.io/release-name: kubeslice-worker apiVersion: v2 -appVersion: 0.2.1 +appVersion: 0.5.0 description: Multi cloud networking (MCN), multi cluster, hybrid cloud networking tool for efficient, secure, policy-enforced connectivity and true multi-tenancy capabilities. KubeSlice enables enterprise platform teams to reduce infrastructure @@ -36,4 +36,4 @@ keywords: kubeVersion: '>= 1.19.0-0' name: kubeslice-worker type: application -version: 0.4.7 +version: 0.5.0 diff --git a/charts/avesha/kubeslice-worker/Readme.MD b/charts/avesha/kubeslice-worker/Readme.MD index 023f5c1f1..441bd2029 100644 --- a/charts/avesha/kubeslice-worker/Readme.MD +++ b/charts/avesha/kubeslice-worker/Readme.MD 
@@ -2,7 +2,7 @@ ## Prerequisites - KubeSlice Controller needs to be installed -- Create and configure the worker cluster following instructions in prerequisites and "registering the worker cluster" sections [documentation](https://staging2-docs.avesha.io/documentation/enterprise/0.4.0/deployment-partners/deploying-kubeslice-on-rancher/installing-the-worker-operator-on-rancher) +- Create and configure the worker cluster following instructions in prerequisites and "registering the worker cluster" sections [documentation](https://docs.avesha.io/documentation/enterprise/0.5.0/deployment-partners/deploying-kubeslice-on-rancher/installing-the-worker-operator-on-rancher) - Copy the chart version from the upper right hand section of this page [VERSION parameter need during install and upgrade] - Click on the download link from the upper right hand section of this page, save it to location available from command prompt - Untar the chart to get the values.yaml file and edit the following fields 
@@ -34,14 +34,17 @@ helm upgrade --history-max=5 --namespace=kubeslice-system kubeslice-worker kubes ``` ### Uninstall Kubeslice Worker -- Follow instructions [documentation](https://staging2-docs.avesha.io/documentation/enterprise/0.2.0/getting-started-with-cloud-clusters/uninstalling-kubeslice/deregistering-the-worker-cluster) +- Follow instructions [documentation](https://docs.avesha.io/documentation/enterprise/0.5.0/getting-started-with-cloud-clusters/uninstalling-kubeslice/deregistering-the-worker-cluster) ```console export KUBECONFIG= helm uninstall --namespace=kubeslice-system --timeout=10m0s --wait=true kubeslice-worker kubectl delete crd serviceexports.networking.kubeslice.io kubectl delete crd serviceimports.networking.kubeslice.io -kubectl delete crd slice.networking.kubeslice.io kubectl delete crd slicegateways.networking.kubeslice.io +kubectl delete crd slicenodeaffinities.networking.kubeslice.io +kubectl delete crd sliceresourcequotas.networking.kubeslice.io +kubectl delete crd slicerolebindings.networking.kubeslice.io +kubectl delete crd slices.networking.kubeslice.io kubectl delete ns kubeslice-system ``` diff --git a/charts/avesha/kubeslice-worker/charts/jaeger/Chart.yaml b/charts/avesha/kubeslice-worker/charts/jaeger/Chart.yaml deleted file mode 100644 index 595bab58c..000000000 --- a/charts/avesha/kubeslice-worker/charts/jaeger/Chart.yaml +++ /dev/null @@ -1,5 +0,0 @@ -apiVersion: v1 -appVersion: 0.2.0 -description: Simple Jaeger installation for use by NSM Developers -name: jaeger -version: 0.2.0 diff --git a/charts/avesha/kubeslice-worker/charts/jaeger/templates/jaeger.tpl b/charts/avesha/kubeslice-worker/charts/jaeger/templates/jaeger.tpl deleted file mode 100644 index 77ba68d82..000000000 --- a/charts/avesha/kubeslice-worker/charts/jaeger/templates/jaeger.tpl +++ /dev/null 
@@ -1,57 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: jaeger - namespace: {{ .Release.Namespace }} -spec: - selector: - matchLabels: - run: jaeger - replicas: 1 - template: - metadata: - labels: - run: jaeger - spec: - containers: - - name: jaeger - image: {{ .Values.image }} - imagePullPolicy: {{ .Values.pullPolicy }} - ports: - - name: http - containerPort: 16686 - - name: jaeger - containerPort: 6831 - protocol: UDP - tolerations: - - key: kubeslice.io/node-type - operator: Equal - value: gateway - effect: NoSchedule - - key: kubeslice.io/node-type - operator: Equal - value: gateway - effect: NoExecute ---- -apiVersion: v1 -kind: Service -metadata: - name: jaeger - namespace: {{ .Release.Namespace }} - labels: - run: jaeger - namespace: {{ .Release.Namespace }} -spec: - ports: - - name: http -{{- if eq .Values.monSvcType "NodePort" }} - nodePort: 31922 -{{- end }} - port: 16686 - protocol: TCP - - name: jaeger - port: 6831 - protocol: UDP - selector: - run: jaeger - type: {{ .Values.monSvcType }} diff --git a/charts/avesha/kubeslice-worker/charts/jaeger/values.yaml b/charts/avesha/kubeslice-worker/charts/jaeger/values.yaml deleted file mode 100644 index 567e7b5d8..000000000 --- a/charts/avesha/kubeslice-worker/charts/jaeger/values.yaml +++ /dev/null @@ -1,17 +0,0 @@ ---- -# Default values for jaeger. -# This is a YAML-formatted file. -# Declare variables to be passed into your templates. - -pullPolicy: IfNotPresent -image: jaegertracing/all-in-one:1.14.0 - -# The type for monitoring services, i.e. Jaeger -# May be set to valid Kubernetes ServiceTypes values--ClusterIP, NodePort, LoadBalancer, ExternalName -monSvcType: NodePort - -# Variable used to deploy Prometheus -# Values can be true or false -prometheus: false - -metricsCollectorEnabled: false 
diff --git a/charts/avesha/kubeslice-worker/charts/nsm/charts/admission-webhook/Chart.yaml b/charts/avesha/kubeslice-worker/charts/nsm/charts/admission-webhook/Chart.yaml index 369a55135..6ff35c6fd 100644 --- a/charts/avesha/kubeslice-worker/charts/nsm/charts/admission-webhook/Chart.yaml +++ b/charts/avesha/kubeslice-worker/charts/nsm/charts/admission-webhook/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v1 -appVersion: 0.2.0 +appVersion: 0.2.1 description: A Helm chart for Kubernetes name: admission-webhook -version: 0.2.0 +version: 0.2.1 diff --git a/charts/avesha/kubeslice-worker/charts/nsm/charts/admission-webhook/templates/admission-webhook-secret.tpl b/charts/avesha/kubeslice-worker/charts/nsm/charts/admission-webhook/templates/admission-webhook-secret.tpl deleted file mode 100644 index 0795e00a8..000000000 --- a/charts/avesha/kubeslice-worker/charts/nsm/charts/admission-webhook/templates/admission-webhook-secret.tpl +++ /dev/null 
@@ -1,118 +0,0 @@
-{{- $ca := genCA "admission-controller-ca" 3650 -}}
-{{- $cn := printf "nsm-admission-webhook-svc" -}}
-{{- $altName1 := printf "%s.%s.svc" $cn .Release.Namespace }}
-{{- $altName2 := printf "%s.%s.svc.cluster.local" $cn .Release.Namespace }}
-{{- $cert := genSignedCert $cn nil (list $altName1 $altName2) 3650 $ca -}}
-apiVersion: v1
-kind: Secret
-metadata:
- name: nsm-admission-webhook-certs
- namespace: {{ .Release.Namespace }}
-type: Opaque
-data:
- tls.key: {{ $cert.Key | b64enc }}
- tls.crt: {{ $cert.Cert | b64enc }}
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: nsm-admission-webhook
- namespace: {{ .Release.Namespace }}
- labels:
- app: nsm-admission-webhook
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: nsm-admission-webhook
- template:
- metadata:
- labels:
- app: nsm-admission-webhook
- spec:
- imagePullSecrets:
- - name: avesha-nexus
- containers:
- - name: nsm-admission-webhook
- image: docker.io/aveshasystems/nsm-admission-webhook:1.0.1
- imagePullPolicy: {{ .Values.pullPolicy }}
- env:
- - name: INITCONTAINER_REPO
- value: "{{ .Values.initContainerRegistry }}"
- - name: INITCONTAINER_TAG
- value: "{{ .Values.initContainerTag }}"
- - name: DNS_SIDECAR_REPO
- value: "{{ .Values.dnsSidecarContainerRegistry }}"
- - name: DNS_SIDECAR_TAG
- value: "{{ .Values.dnsSidecarContainerTag }}"
- - name: NSM_NAMESPACE
- value: "{{ .Values.clientNamespace }}"
- - name: TRACER_ENABLED
- value: {{ .Values.global.JaegerTracing | default false | quote }}
- - name: JAEGER_AGENT_HOST
- value: jaeger.{{ .Release.Namespace }}
- - name: JAEGER_AGENT_PORT
- value: "6831"
- - name: CABUNDLE
- value: {{ $ca.Cert | b64enc }}
- volumeMounts:
- - name: webhook-certs
- mountPath: /etc/webhook/certs
- readOnly: true
- livenessProbe:
- httpGet:
- path: /liveness
- port: 5555
- initialDelaySeconds: 10
- periodSeconds: 10
- timeoutSeconds: 3
- readinessProbe:
- httpGet:
- path: /readiness
- port: 5555
- initialDelaySeconds: 10
- periodSeconds: 10
- timeoutSeconds: 3
- volumes:
- - name: webhook-certs
- secret:
- secretName: nsm-admission-webhook-certs
----
-apiVersion: v1
-kind: Service
-metadata:
- name: nsm-admission-webhook-svc
- namespace: {{ .Release.Namespace }}
- labels:
- app: nsm-admission-webhook
-spec:
- ports:
- - port: 443
- targetPort: 443
- selector:
- app: nsm-admission-webhook
----
-apiVersion: admissionregistration.k8s.io/v1
-kind: MutatingWebhookConfiguration
-metadata:
- name: nsm-admission-webhook-cfg
- namespace: {{ .Release.Namespace }}
- labels:
- app: nsm-admission-webhook
-webhooks:
- - name: admission-webhook.networkservicemesh.io
- sideEffects: None
- admissionReviewVersions: ["v1", "v1beta1"]
- failurePolicy: Ignore
- matchPolicy: Equivalent
- clientConfig:
- service:
- name: nsm-admission-webhook-svc
- namespace: {{ .Release.Namespace }}
- path: "/mutate"
- caBundle: {{ $ca.Cert | b64enc }}
- rules:
- - operations: ["CREATE"]
- apiGroups: ["apps", "extensions", ""]
- apiVersions: ["v1", "v1beta1"]
- resources: ["deployments", "services", "pods"]
diff --git a/charts/avesha/kubeslice-worker/charts/nsm/charts/admission-webhook/templates/admission-webhook.yaml b/charts/avesha/kubeslice-worker/charts/nsm/charts/admission-webhook/templates/admission-webhook.yaml
new file mode 100644
index 000000000..9107e5346
--- /dev/null
+++ b/charts/avesha/kubeslice-worker/charts/nsm/charts/admission-webhook/templates/admission-webhook.yaml
@@ -0,0 +1,52 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: nsm-admission-webhook-k8s
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: admission-webhook-k8s
+spec:
+ selector:
+ matchLabels:
+ app: admission-webhook-k8s
+ template:
+ metadata:
+ labels:
+ app: admission-webhook-k8s
+ spec:
+ serviceAccountName: admission-webhook-sa
+ containers:
+ - name: admission-webhook-k8s
+ image: {{ .Values.webhookImageRegistry }}:{{ .Values.webhookImageTag }}
+ imagePullPolicy: IfNotPresent
+ readinessProbe:
+ httpGet:
+ path: /ready
+ port: 443
+ scheme: HTTPS
+ env:
+ - name: SPIFFE_ENDPOINT_SOCKET
+ value: unix:///run/spire/sockets/agent.sock
+ - name: NSM_SERVICE_NAME
+ value: admission-webhook-svc
+ - name: NSM_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ - name: NSM_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: NSM_ANNOTATION
+ value: networkservicemesh.io
+{{/* - name: NSM_CONTAINER_IMAGES*/}}
+{{/* value: ghcr.io/networkservicemesh/cmd-nsc:v1.5.0*/}}
+ - name: NSM_CONTAINER_IMAGES
+ value: "{{ .Values.nsmInjectContainerImageRegistry }}:{{ .Values.nsmInjectContainerImageTag }}"
+ - name: NSM_INIT_CONTAINER_IMAGES
+ value: "{{ .Values.nsmInjectInitContainerImageRegistry }}:{{ .Values.nsmInjectInitContainerImageTag }}"
+ - name: NSM_LABELS
+ value: spiffe.io/spiffe-id:true
+ - name: NSM_ENVS
+ value: NSM_LOG_LEVEL=TRACE,NSM_LIVENESSCHECKENABLED=false
diff --git a/charts/avesha/kubeslice-worker/charts/nsm/charts/admission-webhook/templates/binding.yaml b/charts/avesha/kubeslice-worker/charts/nsm/charts/admission-webhook/templates/binding.yaml
new file mode 100644
index 000000000..bd632d007
--- /dev/null
+++ b/charts/avesha/kubeslice-worker/charts/nsm/charts/admission-webhook/templates/binding.yaml
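Review bot: The `NSM_ENVS` value on the last line of the hunk hard-codes `NSM_LOG_LEVEL=TRACE,NSM_LIVENESSCHECKENABLED=false`, which, judging by its siblings `NSM_CONTAINER_IMAGES`/`NSM_INIT_CONTAINER_IMAGES`, is handed to every container the webhook injects, so injected workloads run at trace verbosity with their liveness check disabled; put it behind a chart value (a constructed name such as `nsmInjectEnvs`) with a production default, e.g. `value: {{ .Values.nsmInjectEnvs | quote }}`. `imagePullPolicy: IfNotPresent` is likewise hard-coded while the deleted admission-webhook-secret.tpl read `.Values.pullPolicy`, which values.yaml drops in this same commit. The Deployment also has no liveness probe, no resource requests/limits, and no `priorityClassName`, even though priorityClass.yaml in this commit creates `nsm-webhook-high-priority` "for nsm webhook pods only". The two `{{/* ... */}}` lines are dead template text and can go.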
@@ -0,0 +1,13 @@
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: admission-webhook-binding
+subjects:
+ - kind: ServiceAccount
+ name: admission-webhook-sa
+ namespace: {{ .Release.Namespace }}
+roleRef:
+ kind: ClusterRole
+ name: admission-webhook-role
+ apiGroup: rbac.authorization.k8s.io
diff --git a/charts/avesha/kubeslice-worker/charts/nsm/charts/admission-webhook/templates/priorityClass.yaml b/charts/avesha/kubeslice-worker/charts/nsm/charts/admission-webhook/templates/priorityClass.yaml
new file mode 100644
index 000000000..194e24904
--- /dev/null
+++ b/charts/avesha/kubeslice-worker/charts/nsm/charts/admission-webhook/templates/priorityClass.yaml
@@ -0,0 +1,7 @@
+apiVersion: scheduling.k8s.io/v1
+kind: PriorityClass
+metadata:
+ name: nsm-webhook-high-priority
+value: 1000000
+globalDefault: false
+description: "This priority class should be used for nsm webhook pods only."
\ No newline at end of file
diff --git a/charts/avesha/kubeslice-worker/charts/nsm/charts/admission-webhook/templates/role.yaml b/charts/avesha/kubeslice-worker/charts/nsm/charts/admission-webhook/templates/role.yaml
new file mode 100644
index 000000000..6224924e3
--- /dev/null
+++ b/charts/avesha/kubeslice-worker/charts/nsm/charts/admission-webhook/templates/role.yaml
@@ -0,0 +1,13 @@
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: admission-webhook-role
+ labels:
+ rbac.authorization.k8s.io/aggregate-to-admin: "true"
+ rbac.authorization.k8s.io/aggregate-to-edit: "true"
+rules:
+ - apiGroups: ["admissionregistration.k8s.io"]
+ resources:
+ - "mutatingwebhookconfigurations"
+ verbs: ["*"]
diff --git a/charts/avesha/kubeslice-worker/charts/nsm/charts/admission-webhook/templates/sa.yaml b/charts/avesha/kubeslice-worker/charts/nsm/charts/admission-webhook/templates/sa.yaml
new file mode 100644
index 000000000..696aef6f4
--- /dev/null
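Review bot: The labels `rbac.authorization.k8s.io/aggregate-to-admin: "true"` and `rbac.authorization.k8s.io/aggregate-to-edit: "true"` on `admission-webhook-role` fold `verbs: ["*"]` on cluster-scoped `mutatingwebhookconfigurations` into the built-in `admin` and `edit` ClusterRoles, so a subject that only holds `edit` in a single namespace gains the ability to create or rewrite mutating webhooks that intercept admission for the whole cluster. The webhook's own ServiceAccount is bound directly through binding.yaml in this commit, so the aggregation is not needed for it to function; drop both labels. `verbs: ["*"]` would be better spelled out as the verbs the webhook binary actually issues (presumably get/create/update/delete — confirm against the image), and a comment such as `# bound only to admission-webhook-sa via binding.yaml; never aggregate into admin/edit` would keep the labels from being re-added.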
+++ b/charts/avesha/kubeslice-worker/charts/nsm/charts/admission-webhook/templates/sa.yaml
@@ -0,0 +1,6 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: admission-webhook-sa
+ namespace: {{ .Release.Namespace }}
diff --git a/charts/avesha/kubeslice-worker/charts/nsm/charts/admission-webhook/templates/service.yaml b/charts/avesha/kubeslice-worker/charts/nsm/charts/admission-webhook/templates/service.yaml
new file mode 100644
index 000000000..d43040e31
--- /dev/null
+++ b/charts/avesha/kubeslice-worker/charts/nsm/charts/admission-webhook/templates/service.yaml
@@ -0,0 +1,14 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: admission-webhook-svc
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: admission-webhook-k8s
+spec:
+ ports:
+ - port: 443
+ targetPort: 443
+ selector:
+ app: admission-webhook-k8s
diff --git a/charts/avesha/kubeslice-worker/charts/nsm/charts/admission-webhook/values.yaml b/charts/avesha/kubeslice-worker/charts/nsm/charts/admission-webhook/values.yaml
index 1b4f662f9..82c8c2407 100644
--- a/charts/avesha/kubeslice-worker/charts/nsm/charts/admission-webhook/values.yaml
+++ b/charts/avesha/kubeslice-worker/charts/nsm/charts/admission-webhook/values.yaml
@@ -3,11 +3,11 @@
 # This is a YAML-formatted file.
 # Declare variables to be passed into your templates.
-initContainerRegistry: docker.io/aveshasystems
-initContainerTag: 1.0.0
+webhookImageRegistry: aveshasystems/cmd-admission-webhook-k8s
+webhookImageTag: 1.5.3
-dnsSidecarContainerRegistry: docker.io/aveshasystems
-dnsSidecarContainerTag: 1.0.0
+nsmInjectContainerImageRegistry: aveshasystems/cmd-nsc
+nsmInjectContainerImageTag: 1.5.3
-pullPolicy: IfNotPresent
-clientNamespace: kubeslice-system
+nsmInjectInitContainerImageRegistry: aveshasystems/cmd-nsc-init
+nsmInjectInitContainerImageTag: 1.5.3
diff --git a/charts/avesha/kubeslice-worker/charts/nsm/charts/config/crds/crd-ns.yaml b/charts/avesha/kubeslice-worker/charts/nsm/charts/config/crds/crd-ns.yaml
new file mode 100644
index 000000000..5c48f9aa4
--- /dev/null
+++ b/charts/avesha/kubeslice-worker/charts/nsm/charts/config/crds/crd-ns.yaml
@@ -0,0 +1,29 @@
+# warning: please update nsm crd upgrade hook as well if you change this
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: networkservices.networkservicemesh.io
+spec:
+ conversion:
+ strategy: None
+ group: networkservicemesh.io
+ names:
+ kind: NetworkService
+ listKind: NetworkServiceList
+ plural: networkservices
+ shortNames:
+ - netsvc
+ - netsvcs
+ singular: networkservice
+ scope: Namespaced
+ versions:
+ - name: v1
+ served: true
+ storage: true
+ schema:
+ openAPIV3Schema:
+ type: object
+ properties:
+ spec:
+ x-kubernetes-preserve-unknown-fields: true
diff --git a/charts/avesha/kubeslice-worker/charts/nsm/charts/config/crds/crd-nse.yaml b/charts/avesha/kubeslice-worker/charts/nsm/charts/config/crds/crd-nse.yaml
new file mode 100644
index 000000000..12f351a71
--- /dev/null
+++ b/charts/avesha/kubeslice-worker/charts/nsm/charts/config/crds/crd-nse.yaml
@@ -0,0 +1,29 @@
+# warning: please update nsm crd upgrade hook as well if you change this
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: networkserviceendpoints.networkservicemesh.io
+spec:
+ conversion:
+ strategy: None
+ group: networkservicemesh.io
+ names:
+ kind: NetworkServiceEndpoint
+ listKind: NetworkServiceEndpointList
+ plural: networkserviceendpoints
+ shortNames:
+ - nse
+ - nses
+ singular: networkserviceendpoint
+ scope: Namespaced
+ versions:
+ - name: v1
+ served: true
+ storage: true
+ schema:
+ openAPIV3Schema:
+ type: object
+ properties:
+ spec:
+ x-kubernetes-preserve-unknown-fields: true
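Review bot: crd-ns.yaml lists only `v1` under `spec.versions` (crd-nse.yaml does the same, as do the copies embedded in the `nsm-crd-install` ConfigMap of nsm-crd-upgrade-preinstall-hook.yaml), while the CRDs this commit deletes from config/templates had `v1alpha1` as their served and storage version. On a cluster upgraded from the previous chart, `v1alpha1` remains in the CRD's `status.storedVersions` and, as far as I can tell, the apiserver rejects an update that drops a stored version from `spec.versions`, so the pre-upgrade hook's `kubectl apply` fails and the upgrade is blocked. Keeping `v1alpha1` in the list with `served: false` and `storage: false` during the transition (the schema is identical and the conversion strategy is `None`), or documenting an explicit storage-version migration, would avoid that. The header comment could also say which copy is authoritative, e.g. `# warning: nsm-crd-upgrade-preinstall-hook.yaml embeds a copy of this CRD; change both together`.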
diff --git a/charts/avesha/kubeslice-worker/charts/nsm/charts/config/templates/cluster-role-admin.yaml b/charts/avesha/kubeslice-worker/charts/nsm/charts/config/templates/cluster-role-admin.yaml
index 6726ae940..ced002266 100644
--- a/charts/avesha/kubeslice-worker/charts/nsm/charts/config/templates/cluster-role-admin.yaml
+++ b/charts/avesha/kubeslice-worker/charts/nsm/charts/config/templates/cluster-role-admin.yaml
@@ -11,14 +11,13 @@ rules:
 resources:
 - "networkservices"
 - "networkserviceendpoints"
- - "networkservicemanagers"
 verbs: ["*"]
 - apiGroups: ["apiextensions.k8s.io"]
 resources: ["customresourcedefinitions"]
 verbs: ["*"]
 - apiGroups: [""]
 resources: ["configmaps"]
- verbs: ["get", "update"]
+ verbs: ["patch", "get", "list", "watch", "update", "read", "write"]
 - apiGroups: [""]
 resources: ["nodes", "services", "namespaces"]
 verbs: ["get", "list", "watch"]
diff --git a/charts/avesha/kubeslice-worker/charts/nsm/charts/config/templates/crd-networkserviceendpoints.yaml b/charts/avesha/kubeslice-worker/charts/nsm/charts/config/templates/crd-networkserviceendpoints.yaml
deleted file mode 100644
index 74e42768a..000000000
--- a/charts/avesha/kubeslice-worker/charts/nsm/charts/config/templates/crd-networkserviceendpoints.yaml
+++ /dev/null
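Review bot: `read` and `write` in the new `configmaps` rule are not Kubernetes RBAC verbs; the apiserver stores them unvalidated and they never match a request, so they only suggest a grant that does not exist. `verbs: ["get", "list", "watch", "update", "patch"]` keeps what the change actually adds; if the controller also has to create the ConfigMap, `create` is the verb for that. Because this is a ClusterRole the widened verbs apply to every ConfigMap in every namespace; if the only target is `nsm-config` (given a namespace in nsm-configmap.yaml by this commit), a namespaced Role plus RoleBinding would be the tighter fit. The enclosing `rules:` list begins above this hunk.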
@@ -1,43 +0,0 @@
----
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- name: networkserviceendpoints.networkservicemesh.io
-spec:
- conversion:
- strategy: None
- group: networkservicemesh.io
- names:
- kind: NetworkServiceEndpoint
- listKind: NetworkServiceEndpointList
- plural: networkserviceendpoints
- shortNames:
- - nse
- - nses
- singular: networkserviceendpoint
- scope: Namespaced
- versions:
- - name: v1alpha1
- served: true
- storage: true
- schema:
- openAPIV3Schema:
- type: object
- description: 'NetworkServiceEndpoints is the schema for NetworkServiceEndpoints API'
- properties:
- apiVersion:
- description: 'APIVersion defines the versioned schema of this representation
- of an object. Servers should convert recognized schemas to the latest
- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
- type: string
- kind:
- description: 'Kind is a string value representing the REST resource this
- object represents. Servers may infer this from the endpoint the client
- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
- type: string
- metadata:
- type: object
- spec:
- description: 'Spec defines the desired state'
- type: object
- x-kubernetes-preserve-unknown-fields: true
diff --git a/charts/avesha/kubeslice-worker/charts/nsm/charts/config/templates/crd-networkservicemanagers.yaml b/charts/avesha/kubeslice-worker/charts/nsm/charts/config/templates/crd-networkservicemanagers.yaml
deleted file mode 100644
index 53870ca5c..000000000
--- a/charts/avesha/kubeslice-worker/charts/nsm/charts/config/templates/crd-networkservicemanagers.yaml
+++ /dev/null
@@ -1,43 +0,0 @@
----
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- name: networkservicemanagers.networkservicemesh.io
-spec:
- conversion:
- strategy: None
- group: networkservicemesh.io
- names:
- kind: NetworkServiceManager
- listKind: NetworkServiceManagerList
- plural: networkservicemanagers
- shortNames:
- - nsm
- - nsms
- singular: networkservicemanager
- scope: Namespaced
- versions:
- - name: v1alpha1
- served: true
- storage: true
- schema:
- openAPIV3Schema:
- type: object
- description: 'NetworkServiceManagers is the schema for NetworkServiceManagers API'
- properties:
- apiVersion:
- description: 'APIVersion defines the versioned schema of this representation
- of an object. Servers should convert recognized schemas to the latest
- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
- type: string
- kind:
- description: 'Kind is a string value representing the REST resource this
- object represents. Servers may infer this from the endpoint the client
- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
- type: string
- metadata:
- type: object
- spec:
- description: 'Spec defines the desired state'
- type: object
- x-kubernetes-preserve-unknown-fields: true
diff --git a/charts/avesha/kubeslice-worker/charts/nsm/charts/config/templates/crd-networkservices.yaml b/charts/avesha/kubeslice-worker/charts/nsm/charts/config/templates/crd-networkservices.yaml
deleted file mode 100644
index b8437804b..000000000
--- a/charts/avesha/kubeslice-worker/charts/nsm/charts/config/templates/crd-networkservices.yaml
+++ /dev/null
@@ -1,43 +0,0 @@
----
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- name: networkservices.networkservicemesh.io
-spec:
- conversion:
- strategy: None
- group: networkservicemesh.io
- names:
- kind: NetworkService
- listKind: NetworkServiceList
- plural: networkservices
- shortNames:
- - netsvc
- - netsvcs
- singular: networkservice
- scope: Namespaced
- versions:
- - name: v1alpha1
- served: true
- storage: true
- schema:
- openAPIV3Schema:
- type: object
- description: 'NetworkServices is the schema for NetworkServices API'
- properties:
- apiVersion:
- description: 'APIVersion defines the versioned schema of this representation
- of an object. Servers should convert recognized schemas to the latest
- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
- type: string
- kind:
- description: 'Kind is a string value representing the REST resource this
- object represents. Servers may infer this from the endpoint the client
- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
- type: string
- metadata:
- type: object
- spec:
- description: 'Spec defines the desired state'
- type: object
- x-kubernetes-preserve-unknown-fields: true
diff --git a/charts/avesha/kubeslice-worker/charts/nsm/charts/config/templates/nsm-configmap.yaml b/charts/avesha/kubeslice-worker/charts/nsm/charts/config/templates/nsm-configmap.yaml
index 200907e5c..476717a9c 100644
--- a/charts/avesha/kubeslice-worker/charts/nsm/charts/config/templates/nsm-configmap.yaml
+++ b/charts/avesha/kubeslice-worker/charts/nsm/charts/config/templates/nsm-configmap.yaml
@@ -3,5 +3,8 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
 name: nsm-config
+ namespace: {{ .Release.Namespace }}
+ annotations:
+ "helm.sh/resource-policy": keep
 data:
- excluded_prefixes.yaml: ''
+ excluded_prefixes_output.yaml: ''
\ No newline at end of file
diff --git a/charts/avesha/kubeslice-worker/charts/nsm/charts/config/templates/nsm-crd-upgrade-preinstall-hook.yaml b/charts/avesha/kubeslice-worker/charts/nsm/charts/config/templates/nsm-crd-upgrade-preinstall-hook.yaml
new file mode 100644
index 000000000..b13d0cab9
--- /dev/null
+++ b/charts/avesha/kubeslice-worker/charts/nsm/charts/config/templates/nsm-crd-upgrade-preinstall-hook.yaml
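Review bot: The data key changes from `excluded_prefixes.yaml` to `excluded_prefixes_output.yaml` in the same hunk that adds `helm.sh/resource-policy: keep`, so after an uninstall the ConfigMap survives with whatever content it held and a reinstall under the same release name appears to adopt it rather than recreate it; any reader of the old key (not visible here) would then find no data. A comment above the annotation saying why the object is kept would help the next maintainer, e.g. `# kept on uninstall so runtime-written prefix data is not lost — NOTE(review): confirm every consumer now reads excluded_prefixes_output.yaml`. The file still ends without a trailing newline.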
@@ -0,0 +1,174 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: nsm-install-crds
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+ app.kubernetes.io/instance: {{ .Release.Name | quote }}
+ app.kubernetes.io/version: {{ .Chart.AppVersion | quote}}
+ helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+ annotations:
+ "helm.sh/hook": pre-install,pre-upgrade,pre-rollback
+ "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+ "helm.sh/hook-weight": "1"
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: nsm-install-crds
+ annotations:
+ "helm.sh/hook": pre-install,pre-upgrade,pre-rollback
+ "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+ "helm.sh/hook-weight": "1"
+ labels:
+ app.kubernetes.io/name: kubeslice
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: nsm-install-crds
+subjects:
+ - kind: ServiceAccount
+ name: nsm-install-crds
+ namespace: {{ .Release.Namespace }}
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: nsm-install-crds
+ annotations:
+ "helm.sh/hook": pre-install,pre-upgrade,pre-rollback
+ "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+ "helm.sh/hook-weight": "1"
+ labels:
+ app.kubernetes.io/name: kubeslice
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+rules:
+ - apiGroups:
+ - "apiextensions.k8s.io"
+ resources:
+ - customresourcedefinitions
+ verbs:
+ - get
+ - list
+ - patch
+ - update
+ - create
+
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: nsm-crd-install
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+ app.kubernetes.io/instance: {{ .Release.Name | quote }}
+ app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+ helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+ annotations:
+ "helm.sh/hook": pre-install,pre-upgrade,pre-rollback
+ "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+ "helm.sh/hook-weight": "1"
+data:
+ crd-ns.yaml: |
+ ---
+ apiVersion: apiextensions.k8s.io/v1
+ kind: CustomResourceDefinition
+ metadata:
+ name: networkservices.networkservicemesh.io
+ spec:
+ conversion:
+ strategy: None
+ group: networkservicemesh.io
+ names:
+ kind: NetworkService
+ listKind: NetworkServiceList
+ plural: networkservices
+ shortNames:
+ - netsvc
+ - netsvcs
+ singular: networkservice
+ scope: Namespaced
+ versions:
+ - name: v1
+ served: true
+ storage: true
+ schema:
+ openAPIV3Schema:
+ type: object
+ properties:
+ spec:
+ x-kubernetes-preserve-unknown-fields: true
+ crd-nse.yaml: |
+ ---
+ apiVersion: apiextensions.k8s.io/v1
+ kind: CustomResourceDefinition
+ metadata:
+ name: networkserviceendpoints.networkservicemesh.io
+ spec:
+ conversion:
+ strategy: None
+ group: networkservicemesh.io
+ names:
+ kind: NetworkServiceEndpoint
+ listKind: NetworkServiceEndpointList
+ plural: networkserviceendpoints
+ shortNames:
+ - nse
+ - nses
+ singular: networkserviceendpoint
+ scope: Namespaced
+ versions:
+ - name: v1
+ served: true
+ storage: true
+ schema:
+ openAPIV3Schema:
+ type: object
+ properties:
+ spec:
+ x-kubernetes-preserve-unknown-fields: true
+
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: nsm-install-crds
+ namespace: {{ .Release.Namespace }}
+ annotations:
+ "helm.sh/hook": pre-install,pre-upgrade,pre-rollback
+ "helm.sh/hook-delete-policy": before-hook-creation
+ "helm.sh/hook-weight": "2"
+ labels:
+ app.kubernetes.io/name: nsm
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+spec:
+ backoffLimit: 3
+ template:
+ metadata:
+ name: nsm-install-crds
+ namespace: {{ .Release.Namespace }}
+ spec:
+ serviceAccountName: nsm-install-crds
+ containers:
+ - name: kubectl
+ image: "alpine/k8s:1.22.9"
+ command:
+ - /bin/sh
+ - -c
+ - kubectl apply -f /tmp
+ volumeMounts:
+ - mountPath: /tmp
+ name: crds
+ volumes:
+ - name: crds
+ configMap:
+ name: nsm-crd-install
+ restartPolicy: OnFailure
\ No newline at end of file
diff --git a/charts/avesha/kubeslice-worker/charts/nsm/charts/config/templates/nsm-webhook-predelete-hook.yaml b/charts/avesha/kubeslice-worker/charts/nsm/charts/config/templates/nsm-webhook-predelete-hook.yaml
new file mode 100644
index 000000000..a61eaa239
--- /dev/null
+++ b/charts/avesha/kubeslice-worker/charts/nsm/charts/config/templates/nsm-webhook-predelete-hook.yaml
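Review bot: The Job's `kubectl apply -f /tmp` applies every file in the mounted directory rather than the two CRDs the `nsm-crd-install` ConfigMap defines; naming them, `- kubectl apply -f /tmp/crd-ns.yaml -f /tmp/crd-nse.yaml`, keeps a key added to the ConfigMap later from being applied by accident. The Job carries `helm.sh/hook-delete-policy: before-hook-creation` only, while the ServiceAccount, ClusterRole and ClusterRoleBinding also use `hook-succeeded`, so a completed Job and its pod stay behind referencing a ServiceAccount that has already been deleted; if that is intended for log inspection, a comment on the Job such as `# kept after success so its logs can be inspected; replaced on the next hook run` would save the next reader the question. Labels are inconsistent within the file — `app.kubernetes.io/name: kubeslice` on the RBAC objects, `nsm` on the Job, absent on the ServiceAccount and ConfigMap — and `{{ .Chart.AppVersion | quote}}` on the ServiceAccount lacks the space before `}}` that the ConfigMap's copy has.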
@@ -0,0 +1,128 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: nsm-delete-webhooks
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+ app.kubernetes.io/instance: {{ .Release.Name | quote }}
+ app.kubernetes.io/version: {{ .Chart.AppVersion | quote}}
+ helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+ annotations:
+ "helm.sh/hook": pre-delete,pre-rollback
+ "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+ "helm.sh/hook-weight": "1"
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: nsm-delete-webhooks
+ annotations:
+ "helm.sh/hook": pre-delete,pre-rollback
+ "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+ "helm.sh/hook-weight": "-1"
+ labels:
+ app.kubernetes.io/name: kubeslice
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: nsm-delete-webhooks
+subjects:
+ - kind: ServiceAccount
+ name: nsm-delete-webhooks
+ namespace: {{ .Release.Namespace }}
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: nsm-delete-webhooks
+ annotations:
+ "helm.sh/hook": pre-delete,pre-rollback
+ "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+ "helm.sh/hook-weight": "-1"
+ labels:
+ app.kubernetes.io/name: kubeslice
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - pods
+ verbs:
+ - get
+ - list
+ - apiGroups:
+ - "admissionregistration.k8s.io"
+ resources:
+ - mutatingwebhookconfigurations
+ verbs:
+ - get
+ - list
+ - delete
+
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: nsm-delete-webhooks
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+ app.kubernetes.io/instance: {{ .Release.Name | quote }}
+ app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+ helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+ annotations:
+ "helm.sh/hook": pre-delete,pre-rollback
+ "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+ "helm.sh/hook-weight": "1"
+data:
+ delete-admission-webhook.sh: |-
+ #!/usr/bin/env bash
+
+ echo "finding out the admission webhook "
+ WH=$(kubectl get pods -l app=admission-webhook-k8s -n {{ .Release.Namespace }} --template {{`'{{range .items}}{{.metadata.name}}{{"\n"}}{{end}}'`}})
+ echo "deleting mutatingwebhookconfiguration ${WH}"
+ kubectl delete mutatingwebhookconfiguration --ignore-not-found ${WH}
+
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: nsm-delete-webhooks
+ namespace: {{ .Release.Namespace }}
+ annotations:
+ "helm.sh/hook": pre-delete,pre-rollback
+ "helm.sh/hook-delete-policy": before-hook-creation
+ "helm.sh/hook-weight": "2"
+ labels:
+ app.kubernetes.io/name: nsm
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+spec:
+ backoffLimit: 3
+ template:
+ metadata:
+ name: nsm-delete-webhooks
+ namespace: {{ .Release.Namespace }}
+ spec:
+ serviceAccountName: nsm-delete-webhooks
+ containers:
+ - name: kubectl
+ image: "alpine/k8s:1.22.9"
+ command:
+ - /bin/bash
+ - /tmp/delete-admission-webhook.sh
+ volumeMounts:
+ - mountPath: /tmp
+ name: nsm-delete-webhooks
+ volumes:
+ - name: nsm-delete-webhooks
+ configMap:
+ name: nsm-delete-webhooks
+ restartPolicy: OnFailure
\ No newline at end of file
diff --git a/charts/avesha/kubeslice-worker/charts/nsm/templates/service-accounts.tpl b/charts/avesha/kubeslice-worker/charts/nsm/charts/config/templates/service-accounts.tpl
similarity index 100%
rename from charts/avesha/kubeslice-worker/charts/nsm/templates/service-accounts.tpl
rename to charts/avesha/kubeslice-worker/charts/nsm/charts/config/templates/service-accounts.tpl
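Review bot: In `delete-admission-webhook.sh`, when no pod matches `app=admission-webhook-k8s` (webhook already scaled down or crash-looping at delete time), `WH` is empty and `kubectl delete mutatingwebhookconfiguration --ignore-not-found ${WH}` runs without a name, which kubectl refuses with a non-zero exit; the Job then exhausts `backoffLimit: 3` and, being a `pre-delete` hook, fails the `helm uninstall`. A guard before the delete fixes it: `if [ -z "${WH}" ]; then echo "no admission webhook pods found"; exit 0; fi` (the unquoted `${WH}` on the delete line is what expands several names, so leave that as is). The script also assumes each webhook pod's name is the name of the MutatingWebhookConfiguration it registered — presumably via `NSM_NAME` in admission-webhook.yaml, confirm — and deleting by a label selector on the configuration would survive a rename. Hook weights are inconsistent: the ServiceAccount and ConfigMap use `"1"` while the ClusterRole and ClusterRoleBinding use `"-1"`, unlike nsm-crd-upgrade-preinstall-hook.yaml where all four are `"1"`.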
diff --git a/charts/avesha/kubeslice-worker/charts/nsm/charts/prefix-service/Chart.yaml b/charts/avesha/kubeslice-worker/charts/nsm/charts/prefix-service/Chart.yaml
deleted file mode 100644
index 941b85d25..000000000
--- a/charts/avesha/kubeslice-worker/charts/nsm/charts/prefix-service/Chart.yaml
+++ /dev/null
@@ -1,5 +0,0 @@
-apiVersion: v1
-appVersion: "1.0"
-description: A Helm chart for Kubernetes
-name: prefix-service
-version: 0.1.0
diff --git a/charts/avesha/kubeslice-worker/charts/nsm/charts/prefix-service/templates/deployment.tpl b/charts/avesha/kubeslice-worker/charts/nsm/charts/prefix-service/templates/deployment.tpl
deleted file mode 100644
index dbbee9259..000000000
--- a/charts/avesha/kubeslice-worker/charts/nsm/charts/prefix-service/templates/deployment.tpl
+++ /dev/null
@@ -1,32 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: {{ .Chart.Name }}
-spec:
- selector:
- matchLabels:
- app: {{ .Chart.Name }}
- template:
- metadata:
- labels:
- app: {{ .Chart.Name }}
- spec:
- serviceAccountName: {{ .Values.serviceAccount.name }}
- imagePullSecrets:
- - name: avesha-nexus
- containers:
- - name: {{ .Chart.Name }}
- image: {{ .Values.registry }}/{{ .Values.org }}/{{ .Chart.Name }}:{{ .Values.tag }}
- imagePullPolicy: {{ .Values.pullPolicy }}
- env:
- - name: NSM_NAMESPACE
- value: {{ .Release.Namespace }}
- tolerations:
- - key: kubeslice.io/node-type
- operator: Equal
- value: gateway
- effect: NoSchedule
- - key: kubeslice.io/node-type
- operator: Equal
- value: gateway
- effect: NoExecute
diff --git a/charts/avesha/kubeslice-worker/charts/nsm/charts/prefix-service/values.yaml b/charts/avesha/kubeslice-worker/charts/nsm/charts/prefix-service/values.yaml
deleted file mode 100644
index 9f89ade01..000000000
--- a/charts/avesha/kubeslice-worker/charts/nsm/charts/prefix-service/values.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
----
-# Default values for prefix-service.
-# This is a YAML-formatted file.
-# Declare variables to be passed into your templates.
-
-# NOTE: the variables might be overriden by helm command line options, see helm.mk
-registry: docker.io
-org: aveshasystems
-tag: 0.6.1
-pullPolicy: IfNot​Present
-
-serviceAccount:
- name: nsmgr-acc
diff --git a/charts/avesha/kubeslice-worker/charts/nsm/charts/prefix-service/.helmignore b/charts/avesha/kubeslice-worker/charts/nsm/charts/spire/.helmignore
similarity index 97%
rename from charts/avesha/kubeslice-worker/charts/nsm/charts/prefix-service/.helmignore
rename to charts/avesha/kubeslice-worker/charts/nsm/charts/spire/.helmignore
index 50af03172..0e8a0eb36 100644
--- a/charts/avesha/kubeslice-worker/charts/nsm/charts/prefix-service/.helmignore
+++ b/charts/avesha/kubeslice-worker/charts/nsm/charts/spire/.helmignore
@@ -14,6 +14,7 @@
 *.swp
 *.bak
 *.tmp
+*.orig
 *~
 # Various IDEs
 .project
diff --git a/charts/avesha/kubeslice-worker/charts/nsm/charts/spire/Chart.yaml b/charts/avesha/kubeslice-worker/charts/nsm/charts/spire/Chart.yaml
new file mode 100644
index 000000000..c913ed304
--- /dev/null
+++ b/charts/avesha/kubeslice-worker/charts/nsm/charts/spire/Chart.yaml
@@ -0,0 +1,6 @@
+apiVersion: v2
+appVersion: 1.16.0
+description: A Helm chart for Kubernetes
+name: spire
+type: application
+version: 0.4.0
diff --git a/charts/avesha/kubeslice-worker/charts/nsm/charts/spire/charts/spire-server/.helmignore b/charts/avesha/kubeslice-worker/charts/nsm/charts/spire/charts/spire-server/.helmignore
new file mode 100644
index 000000000..0e8a0eb36
--- /dev/null
+++ b/charts/avesha/kubeslice-worker/charts/nsm/charts/spire/charts/spire-server/.helmignore
@@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/charts/avesha/kubeslice-worker/charts/nsm/charts/spire/charts/spire-server/Chart.yaml b/charts/avesha/kubeslice-worker/charts/nsm/charts/spire/charts/spire-server/Chart.yaml new file mode 100644 index 000000000..92edd664c --- /dev/null +++ b/charts/avesha/kubeslice-worker/charts/nsm/charts/spire/charts/spire-server/Chart.yaml @@ -0,0 +1,6 @@ +apiVersion: v2 +appVersion: 1.16.0 +description: A Helm chart for Kubernetes +name: spire-server +type: application +version: 0.1.0 diff --git a/charts/avesha/kubeslice-worker/charts/nsm/charts/spire/charts/spire-server/charts/spire-config/.helmignore b/charts/avesha/kubeslice-worker/charts/nsm/charts/spire/charts/spire-server/charts/spire-config/.helmignore new file mode 100644 index 000000000..0e8a0eb36 --- /dev/null +++ b/charts/avesha/kubeslice-worker/charts/nsm/charts/spire/charts/spire-server/charts/spire-config/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/charts/avesha/kubeslice-worker/charts/nsm/charts/spire/charts/spire-server/charts/spire-config/Chart.yaml b/charts/avesha/kubeslice-worker/charts/nsm/charts/spire/charts/spire-server/charts/spire-config/Chart.yaml new file mode 100644 index 000000000..1bf754cd8 --- /dev/null 
+++ b/charts/avesha/kubeslice-worker/charts/nsm/charts/spire/charts/spire-server/charts/spire-config/Chart.yaml @@ -0,0 +1,6 @@ +apiVersion: v2 +appVersion: 1.16.0 +description: A Helm chart for Kubernetes +name: spire-config +type: application +version: 0.1.0 diff --git a/charts/avesha/kubeslice-worker/charts/nsm/charts/spire/charts/spire-server/charts/spire-config/templates/agent-account.yaml b/charts/avesha/kubeslice-worker/charts/nsm/charts/spire/charts/spire-server/charts/spire-config/templates/agent-account.yaml new file mode 100644 index 000000000..4e5794c82 --- /dev/null +++ b/charts/avesha/kubeslice-worker/charts/nsm/charts/spire/charts/spire-server/charts/spire-config/templates/agent-account.yaml @@ -0,0 +1,6 @@ +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: spire-agent + namespace: spire diff --git a/charts/avesha/kubeslice-worker/charts/nsm/charts/spire/charts/spire-server/charts/spire-config/templates/agent-cluster-role.yaml b/charts/avesha/kubeslice-worker/charts/nsm/charts/spire/charts/spire-server/charts/spire-config/templates/agent-cluster-role.yaml new file mode 100644 index 000000000..b79564de3 --- /dev/null +++ b/charts/avesha/kubeslice-worker/charts/nsm/charts/spire/charts/spire-server/charts/spire-config/templates/agent-cluster-role.yaml @@ -0,0 +1,25 @@ +--- +# Required cluster role to allow spire-agent to query k8s API server +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: spire-agent-cluster-role +rules: +- apiGroups: [""] + resources: ["pods", "nodes", "nodes/proxy"] + verbs: ["get"] + +--- +# Binds above cluster role to spire-agent service account +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: spire-agent-cluster-role-binding +subjects: +- kind: ServiceAccount + name: spire-agent + namespace: spire +roleRef: + kind: ClusterRole + name: spire-agent-cluster-role + apiGroup: rbac.authorization.k8s.io 
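Review bot: The spire-agent ClusterRole grants `get` on `nodes/proxy` cluster-wide without a comment saying why, and that resource is effectively read access to every node's kubelet API, not just node metadata. Presumably it is needed by the k8s WorkloadAttestor configured in agent.conf (a later hunk), which queries the kubelet for pod-to-container mappings; the header comment should say so, e.g. `# nodes/proxy get: needed by the k8s WorkloadAttestor to query the kubelet; this is node-wide kubelet read access, keep verbs to "get"`. Every resource in this subchart also pins `namespace: spire` (here, in the binding subject and in agent-account.yaml) rather than `{{ .Release.Namespace }}`, which matches the TODO in spire/values.yaml but means the release namespace is silently ignored.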
diff --git a/charts/avesha/kubeslice-worker/charts/nsm/charts/spire/charts/spire-server/charts/spire-config/templates/k8s-workload-registrar-cluster-role.yaml b/charts/avesha/kubeslice-worker/charts/nsm/charts/spire/charts/spire-server/charts/spire-config/templates/k8s-workload-registrar-cluster-role.yaml new file mode 100644 index 000000000..d456be235 --- /dev/null +++ b/charts/avesha/kubeslice-worker/charts/nsm/charts/spire/charts/spire-server/charts/spire-config/templates/k8s-workload-registrar-cluster-role.yaml @@ -0,0 +1,30 @@ +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: k8s-workload-registrar-role +rules: + - apiGroups: [""] + resources: ["endpoints", "nodes", "pods"] + verbs: ["get", "list", "watch"] + - apiGroups: ["spiffeid.spiffe.io"] + resources: ["spiffeids"] + verbs: ["create", "delete", "get", "list", "patch", "update", "watch"] + - apiGroups: ["spiffeid.spiffe.io"] + resources: ["spiffeids/status"] + verbs: ["get", "patch", "update"] + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: k8s-workload-registrar-role-binding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: k8s-workload-registrar-role +subjects: + - kind: ServiceAccount + name: spire-server + namespace: spire + diff --git a/charts/avesha/kubeslice-worker/charts/nsm/charts/spire/charts/spire-server/charts/spire-config/templates/k8s-workload-registrar-crd.yaml b/charts/avesha/kubeslice-worker/charts/nsm/charts/spire/charts/spire-server/charts/spire-config/templates/k8s-workload-registrar-crd.yaml new file mode 100644 index 000000000..5dd18a604 --- /dev/null +++ b/charts/avesha/kubeslice-worker/charts/nsm/charts/spire/charts/spire-server/charts/spire-config/templates/k8s-workload-registrar-crd.yaml 
@@ -0,0 +1,107 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.2.4 + name: spiffeids.spiffeid.spiffe.io +spec: + group: spiffeid.spiffe.io + names: + kind: SpiffeID + listKind: SpiffeIDList + plural: spiffeids + singular: spiffeid + scope: Namespaced + versions: + - name: v1beta1 + served: true + storage: true + subresources: + status: {} + schema: + openAPIV3Schema: + description: SpiffeID is the Schema for the spiffeid API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: SpiffeIDSpec defines the desired state of SpiffeID + properties: + dnsNames: + items: + type: string + type: array + federatesWith: + items: + type: string + type: array + parentId: + type: string + selector: + properties: + arbitrary: + description: Arbitrary selectors + items: + type: string + type: array + containerImage: + description: Container image to match for this spiffe ID + type: string + containerName: + description: Container name to match for this spiffe ID + type: string + namespace: + description: Namespace to match for this spiffe ID + type: string + nodeName: + description: Node name to match for this spiffe ID + type: string + podLabel: + additionalProperties: + type: string + description: Pod label name/value to match for this spiffe ID + type: object + podName: + description: Pod name to match for this spiffe ID + type: string + podUid: + description: Pod UID to match for this spiffe ID + type: string + serviceAccount: + description: ServiceAccount to match for this spiffe ID + type: string + cluster: + description: The k8s_psat cluster name + type: string + agent_node_uid: + description: UID of the node + type: string + type: object + spiffeId: + type: string + required: + - parentId + - selector + - spiffeId + type: object + status: + description: SpiffeIDStatus defines the observed state of SpiffeID + properties: + entryId: + description: 'INSERT ADDITIONAL STATUS FIELD - define observed state + of cluster Important: Run "make" to regenerate code after modifying + this file' + type: string + type: object + type: object 
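Review bot: The `status.entryId` description still carries the kubebuilder scaffolding placeholder (`INSERT ADDITIONAL STATUS FIELD - define observed state of cluster Important: Run "make" to regenerate code after modifying this file`), and that text is served to every client that reads the CRD schema. Replace it with what the field holds — presumably the SPIRE registration entry ID created for this SpiffeID; confirm against the registrar — e.g. `description: ID of the SPIRE registration entry backing this SpiffeID`. The two selector fields `cluster` and `agent_node_uid` are snake_case while every other selector key (`podLabel`, `nodeName`, `podUid`, ...) is camelCase; if they are new additions on top of the upstream CRD, a comment noting that they are vendor extensions would save the next reader a diff against upstream.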
diff --git a/charts/avesha/kubeslice-worker/charts/nsm/charts/spire/charts/spire-server/charts/spire-config/templates/k8s-workload-registrar.yaml b/charts/avesha/kubeslice-worker/charts/nsm/charts/spire/charts/spire-server/charts/spire-config/templates/k8s-workload-registrar.yaml new file mode 100644 index 000000000..740c69e2b --- /dev/null +++ b/charts/avesha/kubeslice-worker/charts/nsm/charts/spire/charts/spire-server/charts/spire-config/templates/k8s-workload-registrar.yaml @@ -0,0 +1,19 @@ +--- +apiVersion: v1 +data: + k8s-workload-registrar.conf: |- + log_level = "debug" + trust_domain = "example.org" + agent_socket_path = "/run/spire/sockets/agent.sock" + server_socket_path = "/tmp/spire-server/private/api.sock" + cluster = "nsm-cluster" + pod_controller = true + add_svc_dns_names = true + mode = "crd" + webhook_enabled = true + identity_template = "ns/{{ printf "{{.Pod.Namespace}}" }}/pod/{{ printf "{{.Pod.Name}}" }}" + identity_template_label = "spiffe.io/spiffe-id" +kind: ConfigMap +metadata: + name: k8s-workload-registrar + namespace: spire diff --git a/charts/avesha/kubeslice-worker/charts/nsm/charts/spire/charts/spire-server/charts/spire-config/templates/server-account.yaml b/charts/avesha/kubeslice-worker/charts/nsm/charts/spire/charts/spire-server/charts/spire-config/templates/server-account.yaml new file mode 100644 index 000000000..98d811ce2 --- /dev/null +++ b/charts/avesha/kubeslice-worker/charts/nsm/charts/spire/charts/spire-server/charts/spire-config/templates/server-account.yaml @@ -0,0 +1,6 @@ +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: spire-server + namespace: spire diff --git a/charts/avesha/kubeslice-worker/charts/nsm/charts/spire/charts/spire-server/charts/spire-config/templates/server-cluster-role.yaml b/charts/avesha/kubeslice-worker/charts/nsm/charts/spire/charts/spire-server/charts/spire-config/templates/server-cluster-role.yaml new file mode 100644 index 000000000..03c59a502 --- /dev/null 
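Review bot: `trust_domain = "example.org"` is hard-coded in k8s-workload-registrar.conf, and the same placeholder is repeated in agent.conf and server.conf in the next two ConfigMap hunks, so every SVID this deployment issues lives under `spiffe://example.org/` and cannot be told apart from any other cluster that installs this chart. The trust domain, and `cluster = "nsm-cluster"` (which must match the k8s_psat `clusters` entry on the server and the agent's NodeAttestor), should come from one values key so the three files cannot drift, e.g. `trust_domain = {{ .Values.<trustDomainKey> | quote }}` with the key name to be chosen. `log_level = "debug"` as the shipped default also reads as a development setting; the registrar logs every pod event it reconciles at that level. The Go-template escaping in `identity_template` (`{{ printf "{{.Pod.Namespace}}" }}`) is correct but non-obvious; a one-line comment that the inner braces are for the registrar, not Helm, would help.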
+++ b/charts/avesha/kubeslice-worker/charts/nsm/charts/spire/charts/spire-server/charts/spire-config/templates/server-cluster-role.yaml @@ -0,0 +1,35 @@ +--- +# ClusterRole to allow spire-server node attestor to query Token Review API +# and to be able to push certificate bundles to a configmap +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: spire-server-trust-role +rules: +- apiGroups: ["authentication.k8s.io"] + resources: ["tokenreviews"] + verbs: ["create"] +- apiGroups: ["admissionregistration.k8s.io"] + resources: ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"] + verbs: ["get", "list", "patch", "watch"] +- apiGroups: [""] + resources: ["configmaps"] + verbs: ["patch", "get", "list"] +- apiGroups: [""] + resources: ["pods", "nodes"] + verbs: ["get"] + +--- +# Binds above cluster role to spire-server service account +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: spire-server-trust-role-binding +subjects: +- kind: ServiceAccount + name: spire-server + namespace: spire +roleRef: + kind: ClusterRole + name: spire-server-trust-role + apiGroup: rbac.authorization.k8s.io diff --git a/charts/avesha/kubeslice-worker/charts/nsm/charts/spire/charts/spire-server/charts/spire-config/templates/spire-agent.yaml b/charts/avesha/kubeslice-worker/charts/nsm/charts/spire/charts/spire-server/charts/spire-config/templates/spire-agent.yaml new file mode 100644 index 000000000..20b317078 --- /dev/null +++ b/charts/avesha/kubeslice-worker/charts/nsm/charts/spire/charts/spire-server/charts/spire-config/templates/spire-agent.yaml 
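Review bot: The `spire-server-trust-role` ClusterRole grants `patch`/`get`/`list` on `configmaps` in every namespace, but the only ConfigMap the server writes is the bundle pushed by the `k8sbundle` Notifier in server.conf — presumably `spire-bundle` in `spire`, since `config_map`/`namespace` are not set there and the plugin defaults apply. Moving that rule into a namespaced Role/RoleBinding in `spire` keeps the ClusterRole down to `tokenreviews` and the webhook-configuration rules, which are genuinely cluster-scoped. The final rule (`get` on `pods` and `nodes`) has no comment explaining which plugin needs it; presumably the k8s_psat NodeAttestor, and the header comment should say so as it does for the other two.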
@@ -0,0 +1,42 @@ +--- +apiVersion: v1 +data: + agent.conf: | + agent { + data_dir = "/run/spire" + log_level = "DEBUG" + server_address = "spire-server" + server_port = "8081" + socket_path = "/run/spire/sockets/agent.sock" + trust_bundle_path = "/run/spire/bundle/bundle.crt" + trust_domain = "example.org" + } + + plugins { + NodeAttestor "k8s_psat" { + plugin_data { + # NOTE: Change this to your cluster name + cluster = "nsm-cluster" + } + } + + KeyManager "memory" { + plugin_data {} + } + + WorkloadAttestor "k8s" { + plugin_data { + # Defaults to the secure kubelet port by default. + # Minikube does not have a cert in the cluster CA bundle that + # can authenticate the kubelet cert, so skip validation. + skip_kubelet_verification = true + } + } + WorkloadAttestor "unix" { + plugin_data {} + } + } +kind: ConfigMap +metadata: + name: spire-agent + namespace: spire diff --git a/charts/avesha/kubeslice-worker/charts/nsm/charts/spire/charts/spire-server/charts/spire-config/templates/spire-bundle.yaml b/charts/avesha/kubeslice-worker/charts/nsm/charts/spire/charts/spire-server/charts/spire-config/templates/spire-bundle.yaml new file mode 100644 index 000000000..4633e426c --- /dev/null +++ b/charts/avesha/kubeslice-worker/charts/nsm/charts/spire/charts/spire-server/charts/spire-config/templates/spire-bundle.yaml @@ -0,0 +1,6 @@ +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: spire-bundle + namespace: spire diff --git a/charts/avesha/kubeslice-worker/charts/nsm/charts/spire/charts/spire-server/charts/spire-config/templates/spire-namespace.yaml b/charts/avesha/kubeslice-worker/charts/nsm/charts/spire/charts/spire-server/charts/spire-config/templates/spire-namespace.yaml new file mode 100644 index 000000000..08c7fd849 --- /dev/null +++ b/charts/avesha/kubeslice-worker/charts/nsm/charts/spire/charts/spire-server/charts/spire-config/templates/spire-namespace.yaml @@ -0,0 +1,5 @@ +--- +apiVersion: v1 +kind: Namespace +metadata: + name: spire 
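Review bot: `skip_kubelet_verification = true` disables TLS verification of the kubelet endpoint in the k8s WorkloadAttestor, and the comment justifying it refers to Minikube while this chart is meant for arbitrary worker clusters. Without verification the agent accepts whatever answers on the kubelet port as the source of the pod/container selectors it attests, which is exactly the input that decides which SVID a workload receives; on clusters whose kubelet serving certs chain to the cluster CA this should be `skip_kubelet_verification = false`, and ideally values-driven with `false` as the default. `log_level = "DEBUG"` is likewise a dev default. `KeyManager "memory"` means the agent re-attests on every restart; that is acceptable for a DaemonSet but deserves a one-line comment so nobody "fixes" it by adding persistence.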
diff --git a/charts/avesha/kubeslice-worker/charts/nsm/charts/spire/charts/spire-server/charts/spire-config/templates/spire-server.yaml b/charts/avesha/kubeslice-worker/charts/nsm/charts/spire/charts/spire-server/charts/spire-config/templates/spire-server.yaml new file mode 100644 index 000000000..4b8528427 --- /dev/null +++ b/charts/avesha/kubeslice-worker/charts/nsm/charts/spire/charts/spire-server/charts/spire-config/templates/spire-server.yaml @@ -0,0 +1,55 @@ +--- +apiVersion: v1 +data: + server.conf: | + server { + bind_address = "0.0.0.0" + bind_port = "8081" + trust_domain = "example.org" + data_dir = "/run/spire/data" + log_level = "DEBUG" + #AWS requires the use of RSA. EC cryptography is not supported + ca_key_type = "rsa-2048" + default_svid_ttl = "1h" + ca_subject = { + country = ["US"], + organization = ["SPIFFE"], + common_name = "", + } + } + + plugins { + DataStore "sql" { + plugin_data { + database_type = "sqlite3" + connection_string = "/run/spire/data/datastore.sqlite3" + } + } + + NodeAttestor "k8s_psat" { + plugin_data { + clusters = { + # NOTE: Change this to your cluster name + "nsm-cluster" = { + use_token_review_api_validation = true + service_account_allow_list = ["spire:spire-agent"] + } + } + } + } + + KeyManager "disk" { + plugin_data { + keys_path = "/run/spire/data/keys.json" + } + } + Notifier "k8sbundle" { + plugin_data { + webhook_label = "spiffe.io/webhook" + } + } + } +kind: ConfigMap +metadata: + name: spire-server + namespace: spire diff --git a/charts/avesha/kubeslice-worker/charts/nsm/charts/spire/charts/spire-server/charts/spire-config/values.yaml b/charts/avesha/kubeslice-worker/charts/nsm/charts/spire/charts/spire-server/charts/spire-config/values.yaml new file mode 100644 index 000000000..e69de29bb 
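Review bot: server.conf points the `sqlite3` DataStore and the `disk` KeyManager at `/run/spire/data`, but the spire-server StatefulSet (server-statefulset.yaml, a later hunk) mounts only `spire-config` and an `emptyDir` on `/tmp`, so `/run/spire/data` lives on the container's writable layer. Every restart of the server pod therefore discards the CA key and the datastore: all issued SVIDs and the contents of `spire-bundle` become stale, every agent must re-attest, and all registration entries are lost. The StatefulSet should declare a `volumeClaimTemplates` entry and mount it at `/run/spire/data`; the storage size below is a constructed placeholder.

```yaml
# … server-statefulset.yaml, spire-server container, unchanged: image, args, ports …
        volumeMounts:
          - name: spire-config
            mountPath: /run/spire/config
            readOnly: true
          - name: spire-data
            mountPath: /run/spire/data
            readOnly: false
# … unchanged: spire-registration-socket mount, probes, registrar container, volumes …
  volumeClaimTemplates:
    - metadata:
        name: spire-data
        namespace: spire
      spec:
        accessModes: ["ReadWriteOnce"]
        resources:
          requests:
            storage: 1Gi  # placeholder size, choose per environment
```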
diff --git a/charts/avesha/kubeslice-worker/charts/nsm/charts/spire/charts/spire-server/templates/k8s-workload-registrar-service.yaml b/charts/avesha/kubeslice-worker/charts/nsm/charts/spire/charts/spire-server/templates/k8s-workload-registrar-service.yaml new file mode 100644 index 000000000..e72048feb --- /dev/null +++ b/charts/avesha/kubeslice-worker/charts/nsm/charts/spire/charts/spire-server/templates/k8s-workload-registrar-service.yaml @@ -0,0 +1,15 @@ +--- +apiVersion: v1 +kind: Service +metadata: + name: k8s-workload-registrar + namespace: spire +spec: + type: ClusterIP + ports: + - name: webhook + protocol: TCP + port: 443 + targetPort: 9443 + selector: + app: spire-server diff --git a/charts/avesha/kubeslice-worker/charts/nsm/charts/spire/charts/spire-server/templates/k8s-workload-registrar-validating-webhook-configuration.yaml b/charts/avesha/kubeslice-worker/charts/nsm/charts/spire/charts/spire-server/templates/k8s-workload-registrar-validating-webhook-configuration.yaml new file mode 100644 index 000000000..2653e8651 --- /dev/null +++ b/charts/avesha/kubeslice-worker/charts/nsm/charts/spire/charts/spire-server/templates/k8s-workload-registrar-validating-webhook-configuration.yaml @@ -0,0 +1,22 @@ +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + name: k8s-workload-registrar + labels: + spiffe.io/webhook: "true" +webhooks: + - name: k8s-workload-registrar.spire.svc + admissionReviewVersions: ["v1", "v1beta1"] + clientConfig: + service: + name: k8s-workload-registrar + namespace: spire + path: "/validate-spiffeid-spiffe-io-v1beta1-spiffeid" + rules: + - apiGroups: ["spiffeid.spiffe.io"] + apiVersions: ["v1beta1"] + operations: ["CREATE", "UPDATE", "DELETE"] + resources: ["spiffeids"] + scope: Namespaced + sideEffects: None 
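Review bot: The ValidatingWebhookConfiguration has no `clientConfig.caBundle`, and nothing in the file says that this is deliberate: the `spiffe.io/webhook: "true"` label is what the server's `k8sbundle` Notifier (`webhook_label` in server.conf) matches in order to patch the bundle in. Add a comment above `clientConfig`, e.g. `# caBundle is intentionally omitted; spire-server's k8sbundle Notifier patches it in via the spiffe.io/webhook label`. With `failurePolicy` unset the default is `Fail`, so until that patch lands every CREATE/UPDATE/DELETE on `spiffeids` is rejected; that is the safe direction, but it is worth stating next to the rule so the startup-time errors from the registrar are not mistaken for a misconfiguration.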
diff --git a/charts/avesha/kubeslice-worker/charts/nsm/charts/spire/charts/spire-server/templates/server-service.yaml b/charts/avesha/kubeslice-worker/charts/nsm/charts/spire/charts/spire-server/templates/server-service.yaml new file mode 100644 index 000000000..516b50770 --- /dev/null +++ b/charts/avesha/kubeslice-worker/charts/nsm/charts/spire/charts/spire-server/templates/server-service.yaml @@ -0,0 +1,19 @@ +--- +apiVersion: v1 +kind: Service +metadata: + name: spire-server + namespace: spire +spec: + type: ClusterIP + ports: + - name: spire-server + port: 8081 + targetPort: 8081 + protocol: TCP + - name: spire-federation + port: 8443 + targetPort: 8443 + protocol: TCP + selector: + app: spire-server diff --git a/charts/avesha/kubeslice-worker/charts/nsm/charts/spire/charts/spire-server/templates/server-statefulset.yaml b/charts/avesha/kubeslice-worker/charts/nsm/charts/spire/charts/spire-server/templates/server-statefulset.yaml new file mode 100644 index 000000000..7e7b0abe2 --- /dev/null +++ b/charts/avesha/kubeslice-worker/charts/nsm/charts/spire/charts/spire-server/templates/server-statefulset.yaml 
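Review bot: The Service exposes `spire-federation` on 8443, but server.conf has no `federation` block and the StatefulSet declares only `containerPort: 8081`, so nothing listens behind that port. Either drop the second port entry or add the federation configuration it implies; a dangling port invites a reader to assume cross-cluster bundle exchange is enabled when it is not.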
@@ -0,0 +1,93 @@ +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: spire-server + namespace: spire + labels: + app: spire-server +spec: + replicas: 1 + selector: + matchLabels: + app: spire-server + serviceName: spire-server + template: + metadata: + namespace: spire + labels: + app: spire-server + spec: + serviceAccountName: spire-server + shareProcessNamespace: true + containers: + - name: spire-server + image: {{ .Values.spireServer.imageRegistry }}:{{ .Values.spireServer.imageTag }} + args: + - -config + - /run/spire/config/server.conf + ports: + - containerPort: 8081 + volumeMounts: + - name: spire-config + mountPath: /run/spire/config + readOnly: true + - name: spire-registration-socket + mountPath: /tmp + readOnly: false + livenessProbe: + exec: + command: + - /opt/spire/bin/spire-server + - healthcheck + failureThreshold: 2 + initialDelaySeconds: 15 + periodSeconds: 60 + timeoutSeconds: 3 + readinessProbe: + exec: + command: ["/opt/spire/bin/spire-server", "healthcheck", "--shallow"] + # This is a workaround for https://github.com/spiffe/spire/issues/2872 + # that prevents k8s-workload-registrar container restarts until + # https://github.com/spiffe/spire/pull/2921 will come with SPIRE 1.3.0. 
+ lifecycle: + postStart: + exec: + command: ["sleep", "2"] + - name: k8s-workload-registrar + image: {{ .Values.spireServer.k8sWorkloadRegistrarImageRegistry }}:{{ .Values.spireServer.k8sWorkloadRegistrarImageTag }} + args: + - -config + - /run/spire/config/k8s-workload-registrar.conf + env: + - name: MY_POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + ports: + - containerPort: 9443 + name: webhook + protocol: TCP + volumeMounts: + - mountPath: /run/spire/config + name: k8s-workload-registrar-config + readOnly: true + - mountPath: /run/spire/sockets + name: spire-agent-socket + readOnly: true + - name: spire-registration-socket + mountPath: /tmp + readOnly: false + volumes: + - name: spire-config + configMap: + name: spire-server + - name: spire-agent-socket + hostPath: + path: /run/spire/sockets + type: DirectoryOrCreate + - name: k8s-workload-registrar-config + configMap: + name: k8s-workload-registrar + - name: spire-registration-socket + emptyDir: {} diff --git a/charts/avesha/kubeslice-worker/charts/nsm/charts/spire/charts/spire-server/values.yaml b/charts/avesha/kubeslice-worker/charts/nsm/charts/spire/charts/spire-server/values.yaml new file mode 100644 index 000000000..771f085b6 --- /dev/null +++ b/charts/avesha/kubeslice-worker/charts/nsm/charts/spire/charts/spire-server/values.yaml 
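Review bot: The comment above `lifecycle.postStart` says the `sleep 2` hook is a workaround needed until SPIRE 1.3.0, but values.yaml pins `imageTag: 1.5.1`, so either the hook is no longer needed or the comment no longer explains why it is kept; reword it to say whether the issue still reproduces on 1.5.1, or remove the hook. The registrar container mounts the hostPath `/run/spire/sockets` with `type: DirectoryOrCreate`, which lets a server pod create that node directory; the agent DaemonSet already creates it, so `type: Directory` (as forwarder-kernel.yaml uses) keeps the server from owning node filesystem state. The pod sets no `securityContext`, so both containers run as whatever the images default to, and `shareProcessNamespace: true` has no comment saying what the registrar needs from the server's process namespace. values.yaml carries a commented-out `runAsNonRoot: true` / `readOnlyRootFilesystem: true` block that this template never consumes.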
@@ -0,0 +1,91 @@ +# Default values for spire-server. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +# Variables added +spireServer: + imageRegistry: gcr.io/spiffe-io/spire-server + imageTag: 1.5.1 + k8sWorkloadRegistrarImageRegistry: gcr.io/spiffe-io/k8s-workload-registrar + k8sWorkloadRegistrarImageTag: 1.5.1 + +# TODO: check and remove unneeded values + +replicaCount: 1 + +image: + repository: nginx + pullPolicy: IfNotPresent + # Overrides the image tag whose default is the chart appVersion. + tag: "" + +imagePullSecrets: [] +nameOverride: "" +fullnameOverride: "" + +serviceAccount: + # Specifies whether a service account should be created + create: true + # Annotations to add to the service account + annotations: {} + # The name of the service account to use. + # If not set and create is true, a name is generated using the fullname template + name: "" + +podAnnotations: {} + +podSecurityContext: {} + # fsGroup: 2000 + +securityContext: {} + # capabilities: + # drop: + # - ALL + # readOnlyRootFilesystem: true + # runAsNonRoot: true + # runAsUser: 1000 + +service: + type: ClusterIP + port: 80 + +ingress: + enabled: false + className: "" + annotations: {} + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: "true" + hosts: + - host: chart-example.local + paths: + - path: / + pathType: ImplementationSpecific + tls: [] + # - secretName: chart-example-tls + # hosts: + # - chart-example.local + +resources: {} + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. 
+ # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + +autoscaling: + enabled: false + minReplicas: 1 + maxReplicas: 100 + targetCPUUtilizationPercentage: 80 + # targetMemoryUtilizationPercentage: 80 + +nodeSelector: {} + +tolerations: [] + +affinity: {} diff --git a/charts/avesha/kubeslice-worker/charts/nsm/charts/spire/templates/agent-daemonset.yaml b/charts/avesha/kubeslice-worker/charts/nsm/charts/spire/templates/agent-daemonset.yaml new file mode 100644 index 000000000..cb59f730e --- /dev/null +++ b/charts/avesha/kubeslice-worker/charts/nsm/charts/spire/templates/agent-daemonset.yaml 
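Review bot: Most of this values.yaml is untouched `helm create` scaffolding — `image.repository: nginx`, `service.port: 80`, `ingress`, `autoscaling`, `securityContext`, `resources` — and none of the spire-server templates in this diff reference those keys (server-statefulset.yaml reads only `.Values.spireServer.*`); the `# TODO: check and remove unneeded values` line acknowledges this. Ship only the keys that are consumed, or wire `securityContext` and `resources` into the StatefulSet so the commented-out hardening defaults are actually reachable. The same scaffolding is duplicated in spire/values.yaml (a later hunk). Both image references are plain tags (`1.5.1`) with no digest; documenting the expected digests, or pinning `image` by `@sha256:<digest>` in values, would make the SPIRE control plane image reproducible.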
@@ -0,0 +1,86 @@ +--- +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: spire-agent + namespace: spire + labels: + app: spire-agent +spec: + selector: + matchLabels: + app: spire-agent + template: + metadata: + namespace: spire + labels: + app: spire-agent + spec: + hostPID: true + hostNetwork: true + dnsPolicy: ClusterFirstWithHostNet + serviceAccountName: spire-agent + initContainers: + - name: init + # This is a small image with wait-for-it, choose whatever image + # you prefer that waits for a service to be up. This image is built + # from https://github.com/lqhl/wait-for-it + image: {{ .Values.spireAgent.waitForItImageRegistry }}:{{ .Values.spireAgent.waitForItImageTag }} + imagePullPolicy: IfNotPresent + args: ["-t", "30", "spire-server:8081"] + - name: init-bundle + # Additional init container with the same wait-for-it image to + # provide workaround for https://github.com/spiffe/spire/issues/3032 + # It checks if the bundle is in place and ready to be parsed or not. + image: {{ .Values.spireAgent.waitForItImageRegistry }}:{{ .Values.spireAgent.waitForItImageTag }} + imagePullPolicy: IfNotPresent + command: ['sh', '-c', "t=0; until [ -f /run/spire/bundle/bundle.crt 2>&1 ] || [ $t -eq 5 ]; do t=`expr $t + 1`; sleep 1; done"] + containers: + - name: spire-agent + image: {{ .Values.spireAgent.imageRegistry }}:{{ .Values.spireAgent.imageTag }} + args: ["-config", "/run/spire/config/agent.conf"] + volumeMounts: + - name: spire-config + mountPath: /run/spire/config + readOnly: true + - name: spire-bundle + mountPath: /run/spire/bundle + - name: spire-agent-socket + mountPath: /run/spire/sockets + readOnly: false + - name: spire-token + mountPath: /var/run/secrets/tokens + livenessProbe: + exec: + command: + - /opt/spire/bin/spire-agent + - healthcheck + - -socketPath + - /run/spire/sockets/agent.sock + failureThreshold: 2 + initialDelaySeconds: 15 + periodSeconds: 60 + timeoutSeconds: 3 + readinessProbe: + exec: + command: ["/opt/spire/bin/spire-agent", 
"healthcheck", "-socketPath", "/run/spire/sockets/agent.sock", "--shallow"] + initialDelaySeconds: 5 + periodSeconds: 5 + volumes: + - name: spire-config + configMap: + name: spire-agent + - name: spire-bundle + configMap: + name: spire-bundle + - name: spire-agent-socket + hostPath: + path: /run/spire/sockets + type: DirectoryOrCreate + - name: spire-token + projected: + sources: + - serviceAccountToken: + path: spire-agent + expirationSeconds: 7200 + audience: spire-server diff --git a/charts/avesha/kubeslice-worker/charts/nsm/charts/spire/values.yaml b/charts/avesha/kubeslice-worker/charts/nsm/charts/spire/values.yaml new file mode 100644 index 000000000..40738a534 --- /dev/null +++ b/charts/avesha/kubeslice-worker/charts/nsm/charts/spire/values.yaml 
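Review bot: The `init-bundle` init container checks for `/run/spire/bundle/bundle.crt` but declares no `volumeMounts`, so the `spire-bundle` ConfigMap is never mounted into it; the loop always runs to `t -eq 5` and exits 0, turning the workaround into a fixed five-second sleep. Add to that container `volumeMounts:` / `- name: spire-bundle` / `mountPath: /run/spire/bundle` (with `readOnly: true`). The loop also exits 0 on timeout, so the agent starts regardless; if the intent is to gate startup, end the command with `[ -f /run/spire/bundle/bundle.crt ]` so the init container fails and kubelet retries it. The `2>&1` inside the `[ ... ]` test is parsed as a redirection on the `[` command rather than part of the test and can be dropped.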
@@ -0,0 +1,94 @@ +# Default values for spire. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +# Variables added +spireAgent: + imageRegistry: gcr.io/spiffe-io/spire-agent + imageTag: 1.5.1 + waitForItImageRegistry: docker.io/aveshasystems/wait-for-it + waitForItImageTag: 1.0.0 + +# TODO: use these values/remove them +# TODO: figure how how to make this work outside of spire NS +# Official chart request https://github.com/spiffe/spire/issues/2652 + + +replicaCount: 1 + +image: + repository: nginx + pullPolicy: IfNotPresent + # Overrides the image tag whose default is the chart appVersion. + tag: "" + +imagePullSecrets: [] +nameOverride: "" +fullnameOverride: "" + +serviceAccount: + # Specifies whether a service account should be created + create: true + # Annotations to add to the service account + annotations: {} + # The name of the service account to use. + # If not set and create is true, a name is generated using the fullname template + name: "" + +podAnnotations: {} + +podSecurityContext: {} + # fsGroup: 2000 + +securityContext: {} + # capabilities: + # drop: + # - ALL + # readOnlyRootFilesystem: true + # runAsNonRoot: true + # runAsUser: 1000 + +service: + type: ClusterIP + port: 80 + +ingress: + enabled: false + className: "" + annotations: {} + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: "true" + hosts: + - host: chart-example.local + paths: + - path: / + pathType: ImplementationSpecific + tls: [] + # - secretName: chart-example-tls + # hosts: + # - chart-example.local + +resources: {} + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. 
+ # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + +autoscaling: + enabled: false + minReplicas: 1 + maxReplicas: 100 + targetCPUUtilizationPercentage: 80 + # targetMemoryUtilizationPercentage: 80 + +nodeSelector: {} + +tolerations: [] + +affinity: {} diff --git a/charts/avesha/kubeslice-worker/charts/nsm/requirements.yaml b/charts/avesha/kubeslice-worker/charts/nsm/requirements.yaml index 2ff69fa6f..6fa28f923 100644 --- a/charts/avesha/kubeslice-worker/charts/nsm/requirements.yaml +++ b/charts/avesha/kubeslice-worker/charts/nsm/requirements.yaml @@ -1,9 +1,4 @@ --- dependencies: - - name: spire - version: 0.1.0 - condition: spire.enabled - - name: prefix-service - version: 0.1.0 - name: config version: 0.1.0 diff --git a/charts/avesha/kubeslice-worker/charts/nsm/templates/forwarder-kernel.yaml b/charts/avesha/kubeslice-worker/charts/nsm/templates/forwarder-kernel.yaml new file mode 100644 index 000000000..414e9389c --- /dev/null +++ b/charts/avesha/kubeslice-worker/charts/nsm/templates/forwarder-kernel.yaml 
@@ -0,0 +1,77 @@ +--- +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: forwarder-kernel + namespace: {{ .Release.Namespace }} + labels: + app: forwarder-kernel +spec: + selector: + matchLabels: + app: forwarder-kernel + template: + metadata: + labels: + app: forwarder-kernel + "spiffe.io/spiffe-id": "true" + spec: + hostPID: true + hostNetwork: true + dnsPolicy: ClusterFirstWithHostNet + containers: + - image: {{ .Values.forwardingPlane.kernelImageRegistry }}:{{ .Values.forwardingPlane.kernelImageTag }} + imagePullPolicy: IfNotPresent + name: forwarder-kernel + securityContext: + privileged: true + env: + - name: SPIFFE_ENDPOINT_SOCKET + value: unix:///run/spire/sockets/agent.sock + - name: NSM_LOG_LEVEL + value: TRACE + - name: NSM_TUNNEL_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: NSM_CONNECT_TO + value: unix:///var/lib/networkservicemesh/nsm.io.sock + - name: NSM_LISTEN_ON + value: unix:///listen.on.sock + - name: NSM_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + volumeMounts: + - name: spire-agent-socket + mountPath: /run/spire/sockets + readOnly: true + - name: nsm-socket + mountPath: /var/lib/networkservicemesh + - name: kubelet-socket + mountPath: /var/lib/kubelet + - name: cgroup + mountPath: /host/sys/fs/cgroup + resources: + requests: + cpu: 150m + limits: + memory: 500Mi + cpu: 525m + volumes: + - name: spire-agent-socket + hostPath: + path: /run/spire/sockets + type: Directory + - name: nsm-socket + hostPath: + path: /var/lib/networkservicemesh + type: DirectoryOrCreate + - name: kubelet-socket + hostPath: + path: /var/lib/kubelet + type: Directory + - name: cgroup + hostPath: + path: /sys/fs/cgroup + type: Directory diff --git a/charts/avesha/kubeslice-worker/charts/nsm/templates/forwarding-plane.tpl b/charts/avesha/kubeslice-worker/charts/nsm/templates/forwarding-plane.tpl deleted file mode 100644 index c31539511..000000000 
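Review bot: forwarder-kernel runs `privileged: true` with `hostPID`/`hostNetwork` and mounts `/var/lib/kubelet` and `/sys/fs/cgroup` from the host without `readOnly: true`, while the spire socket mount in the same container is read-only. If the forwarder only reads kubelet pod state and cgroup membership (it appears to, but confirm against the NSM kernel forwarder), add `readOnly: true` to both mounts; a privileged container can remount, so this is defence in depth, but it documents intent and stops accidental writes into kubelet's directory. `NSM_LOG_LEVEL: TRACE` as the shipped default logs every connection request at full verbosity; sourcing it from values with a quieter default would be more appropriate for a packaged chart.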
--- a/charts/avesha/kubeslice-worker/charts/nsm/templates/forwarding-plane.tpl +++ /dev/null 
@@ -1,91 +0,0 @@ -{{ $fp := .Values.forwardingPlane }} - -apiVersion: apps/v1 -kind: DaemonSet -spec: - selector: - matchLabels: - app: nsm-{{ $fp }}-plane - template: - metadata: - labels: - app: nsm-{{ $fp }}-plane - spec: - hostPID: true - hostNetwork: true - serviceAccount: forward-plane-acc - {{- if and .Values.imagePullSecrets .Values.imagePullSecrets.repository .Values.imagePullSecrets.username .Values.imagePullSecrets.password }} - imagePullSecrets: - - name: kubeslice-image-pull-secret - {{- end }} - containers: - - name: {{ (index .Values $fp).image }} - securityContext: - privileged: true - image: {{ .Values.registry }}/{{ .Values.org }}/{{ (index .Values $fp).image }}:{{ (index .Values $fp).tag }} - imagePullPolicy: {{ (index .Values $fp).pullPolicy }} - env: - - name: INSECURE - value: {{ .Values.insecure | default false | quote }} - - name: METRICS_COLLECTOR_ENABLED - value: {{ .Values.metricsCollectorEnabled | default false | quote }} - - name: TRACER_ENABLED - value: {{ .Values.global.JaegerTracing | default false | quote }} - - name: JAEGER_AGENT_HOST - value: jaeger.{{ .Release.Namespace }} - - name: JAEGER_AGENT_PORT - value: "6831" - - name: NSM_FORWARDER_SRC_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - volumeMounts: - - name: workspace - mountPath: /var/lib/networkservicemesh/ - mountPropagation: Bidirectional - - name: spire-agent-socket - mountPath: /run/spire/sockets - readOnly: true - livenessProbe: - httpGet: - path: /liveness - port: 5555 - initialDelaySeconds: 10 - periodSeconds: 10 - timeoutSeconds: 3 - readinessProbe: - httpGet: - path: /readiness - port: 5555 - initialDelaySeconds: 10 - periodSeconds: 10 - timeoutSeconds: 3 - {{- if (index .Values $fp).resources }} - resources: - limits: - cpu: {{ (index .Values $fp).resources.limitCPU }} - requests: - cpu: {{ (index .Values $fp).resources.requestsCPU }} - {{- end }} - volumes: - - hostPath: - path: /var/lib/networkservicemesh - type: DirectoryOrCreate - name: workspace - - 
hostPath: - path: /run/spire/sockets - type: DirectoryOrCreate - name: spire-agent-socket - tolerations: - - key: "kubeslice.io/node-type" - operator: "Equal" - value: "gateway" - effect: "NoSchedule" - - key: "kubeslice.io/node-type" - operator: "Equal" - value: "gateway" - effect: "NoExecute" - -metadata: - name: nsm-{{ $fp }}-forwarder - namespace: {{ .Release.Namespace }} diff --git a/charts/avesha/kubeslice-worker/charts/nsm/templates/nsmgr.tpl b/charts/avesha/kubeslice-worker/charts/nsm/templates/nsmgr.tpl deleted file mode 100644 index e320d7d34..000000000 --- a/charts/avesha/kubeslice-worker/charts/nsm/templates/nsmgr.tpl +++ /dev/null 
@@ -1,142 +0,0 @@ -apiVersion: apps/v1 -kind: DaemonSet -metadata: - name: nsmgr - namespace: {{ .Release.Namespace }} -spec: - selector: - matchLabels: - app: nsmgr-daemonset - template: - metadata: - labels: - app: nsmgr-daemonset - spec: - serviceAccount: nsmgr-acc - {{- if and .Values.imagePullSecrets .Values.imagePullSecrets.repository .Values.imagePullSecrets.username .Values.imagePullSecrets.password }} - imagePullSecrets: - - name: kubeslice-image-pull-secret - {{- end }} - containers: - - name: nsmdp - image: {{ .Values.registry }}/{{ .Values.org }}/nsmdp:{{ .Values.nsmdp.tag }} - imagePullPolicy: {{ .Values.nsmdp.pullPolicy }} - env: - - name: INSECURE - value: {{ .Values.insecure | default false | quote }} - - name: TRACER_ENABLED - value: {{ .Values.global.JaegerTracing | default false | quote }} - - name: JAEGER_AGENT_HOST - value: jaeger.{{ .Release.Namespace }} - - name: NSM_NAMESPACE - value: {{ .Release.Namespace }} - - name: JAEGER_AGENT_PORT - value: "6831" - - name: PREFERRED_REMOTE_MECHANISM - value: {{ .Values.preferredRemoteMechanism | quote }} - ports: - - containerPort: 5001 - hostPort: 5001 - volumeMounts: - - name: kubelet-socket - mountPath: /var/lib/kubelet/device-plugins - - name: nsm-socket - mountPath: /var/lib/networkservicemesh - - name: spire-agent-socket - mountPath: /run/spire/sockets - readOnly: true - - name: nsmd - image: {{ .Values.registry }}/{{ .Values.org }}/nsmd:{{ .Values.nsmd.tag }} - imagePullPolicy: {{ .Values.nsmd.pullPolicy }} - env: - - name: INSECURE - value: {{ .Values.insecure | default false | quote }} - - name: TRACER_ENABLED - value: {{ .Values.global.JaegerTracing | default false | quote }} - - name: JAEGER_AGENT_HOST - value: jaeger.{{ .Release.Namespace }} - - name: JAEGER_AGENT_PORT - value: "6831" - - name: NSM_NAMESPACE - value: {{ .Release.Namespace }} - - name: PREFERRED_REMOTE_MECHANISM - value: {{ .Values.preferredRemoteMechanism | quote }} - volumeMounts: - - name: nsm-socket - mountPath: 
/var/lib/networkservicemesh - - name: spire-agent-socket - mountPath: /run/spire/sockets - readOnly: true - - name: nsm-config-volume - mountPath: /var/lib/networkservicemesh/config - livenessProbe: - httpGet: - host: "127.0.0.1" - path: /liveness - port: 5555 - initialDelaySeconds: 10 - periodSeconds: 10 - timeoutSeconds: 3 - readinessProbe: - httpGet: - host: "127.0.0.1" - path: /readiness - port: 5555 - initialDelaySeconds: 10 - periodSeconds: 10 - timeoutSeconds: 3 - - name: nsmd-k8s - image: {{ .Values.registry }}/{{ .Values.org }}/nsmd-k8s:{{ .Values.nsmdK8s.tag }} - imagePullPolicy: {{ .Values.nsmdK8s.pullPolicy }} - volumeMounts: - - name: spire-agent-socket - mountPath: /run/spire/sockets - readOnly: true - env: - - name: INSECURE - value: {{ .Values.insecure | default false | quote }} - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_UID - valueFrom: - fieldRef: - fieldPath: metadata.uid - - name: NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: TRACER_ENABLED - value: {{ .Values.global.JaegerTracing | default false | quote }} - - name: JAEGER_AGENT_HOST - value: jaeger.{{ .Release.Namespace }} - - name: JAEGER_AGENT_PORT - value: "6831" - - name: NSM_NAMESPACE - value: {{ .Release.Namespace }} - volumes: - - hostPath: - path: /var/lib/kubelet/device-plugins - type: DirectoryOrCreate - name: kubelet-socket - - hostPath: - path: /var/lib/networkservicemesh - type: DirectoryOrCreate - name: nsm-socket - - name: nsm-config-volume - configMap: - name: nsm-config - - hostPath: - path: /run/spire/sockets - type: DirectoryOrCreate - name: spire-agent-socket - tolerations: - - key: "kubeslice.io/node-type" - operator: "Equal" - value: "gateway" - effect: "NoSchedule" - - key: "kubeslice.io/node-type" - operator: "Equal" - value: "gateway" - effect: "NoExecute" 
diff --git a/charts/avesha/kubeslice-worker/charts/nsm/templates/nsmgr.yaml b/charts/avesha/kubeslice-worker/charts/nsm/templates/nsmgr.yaml
new file mode 100644
index 000000000..6b7d3704a
--- /dev/null
+++ b/charts/avesha/kubeslice-worker/charts/nsm/templates/nsmgr.yaml
@@ -0,0 +1,152 @@
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+ name: nsmgr
+ labels:
+ app: nsmgr
+ namespace: {{ .Release.Namespace }}
+spec:
+ selector:
+ matchLabels:
+ app: nsmgr
+ template:
+ metadata:
+ labels:
+ app: nsmgr
+ "spiffe.io/spiffe-id": "true"
+ spec:
+ serviceAccountName: nsmgr-acc
+ initContainers:
+ - name: init
+ # This is a small image with wait-for-it, choose whatever image
+ # you prefer that waits for a service to be up. This image is built
+ # from https://github.com/lqhl/wait-for-it
+ image: {{ .Values.nsmgr.waitForItImageRegistry }}:{{ .Values.nsmgr.waitForItImageTag }}
+ imagePullPolicy: IfNotPresent
+ args: [ "-t", "120", "spire-server.spire:8081" ]
+ #command: ['sh', '-c', 'sleep 120']
+ #command: ['sh', '-c', "t=0; until [ -f /run/spire/sockets/agent.sock 2>&1 ] || [ $t -eq 5 ]; do t=`expr $t + 1`; sleep 15; done;"]
+ containers:
+ - image: {{ .Values.nsmgr.imageRegistry }}:{{ .Values.nsmgr.imageTag }}
+ imagePullPolicy: IfNotPresent
+ name: nsmgr
+ ports:
+ - containerPort: 5001
+ hostPort: 5001
+ env:
+ - name: SPIFFE_ENDPOINT_SOCKET
+ value: unix:///run/spire/sockets/agent.sock
+ - name: NSM_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ - name: NSM_LOG_LEVEL
+ value: TRACE
+ - name: NSM_REGISTRY_URL
+ value: "registry:5002"
+ # - name: DLV_LISTEN_NSMGR
+ # value: :40000
+ - name: POD_IP
+ valueFrom:
+ fieldRef:
+ fieldPath: status.podIP
+ - name: NSM_LISTEN_ON
+ value: unix:///var/lib/networkservicemesh/nsm.io.sock,tcp://:5001
+ - name: NODE_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: spec.nodeName
+ - name: INSECURE
+ value: {{ .Values.insecure | default false | quote }}
+ - name: TRACER_ENABLED
+ value: {{ .Values.global.JaegerTracing | default false | quote }}
+ - name: NSM_OPENTELEMETRYENDPOINT
+ value: jaeger.{{ .Release.Namespace }}:6831
+ - name: JAEGER_AGENT_HOST
+ value: jaeger.{{ .Release.Namespace }}
+ - name: JAEGER_AGENT_PORT
+ value: "6831"
+ - name: FORWARDER_NAME
+ value: "kernel"
+ volumeMounts:
+ - name: kubelet-socket
+ mountPath: /var/lib/kubelet/device-plugins
+ - name: spire-agent-socket
+ mountPath: /run/spire/sockets
+ readOnly: true
+ - name: nsm-socket
+ mountPath: /var/lib/networkservicemesh
+ - name: nsm-config-volume
+ mountPath: /var/lib/networkservicemesh/config/
+ resources:
+ requests:
+ cpu: 200m
+ memory: 100Mi
+ limits:
+ memory: 200Mi
+ cpu: 400m
+ readinessProbe:
+ exec:
+ command: ["/bin/grpc-health-probe", "-spiffe", "-addr=:5001"]
+ failureThreshold: 300
+ initialDelaySeconds: 1
+ periodSeconds: 15
+ successThreshold: 1
+ timeoutSeconds: 2
+ livenessProbe:
+ exec:
+ command: ["/bin/grpc-health-probe", "-spiffe", "-addr=:5001"]
+ failureThreshold: 25
+ initialDelaySeconds: 10
+ periodSeconds: 5
+ timeoutSeconds: 2
+ startupProbe:
+ exec:
+ command: ["/bin/grpc-health-probe", "-spiffe", "-addr=:5001"]
+ failureThreshold: 25
+ periodSeconds: 5
+ - image: {{ .Values.nsmgr.excludePrefixesImageRegistry }}:{{ .Values.nsmgr.excludePrefixesImageTag }}
+ imagePullPolicy: IfNotPresent
+ name: exclude-prefixes
+ env:
+ - name: NSM_LOG_LEVEL
+ value: TRACE
+ - name: NSM_CONFIG_MAP_NAMESPACE
+ value: {{ .Release.Namespace }}
+ - name: NSM_PREFIXES_OUTPUT_TYPE
+ value: config-map
+ volumeMounts:
+ - name: nsm-config-volume
+ mountPath: /var/lib/networkservicemesh/config/
+ resources:
+ limits:
+ memory: 40Mi
+ cpu: 75m
+ volumes:
+ - hostPath:
+ path: /var/lib/kubelet/device-plugins
+ type: DirectoryOrCreate
+ name: kubelet-socket
+ - name: spire-agent-socket
+ hostPath:
+ path: /run/spire/sockets
+ type: Directory
+ - name: nsm-socket
+ hostPath:
+ path: /var/lib/networkservicemesh
+ type: DirectoryOrCreate
+ - name: nsm-config-volume
+{{/* emptyDir:*/}}
+{{/* {}*/}}
+ configMap:
+ name: nsm-config
+ tolerations:
+ - key: "kubeslice.io/node-type"
+ operator: "Equal"
+ value: "gateway"
+ effect: "NoSchedule"
+ - key: "kubeslice.io/node-type"
+ operator: "Equal"
+ value: "gateway"
+ effect: "NoExecute"
\ No newline at end of file
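Review bot: The init container's wait target `"spire-server.spire:8081"` is the only deployment-specific endpoint in nsmgr.yaml not driven from values, while images, registry and forwarder all come from `.Values`; with a SPIRE server in another namespace or port every nsmgr pod would presumably sit in init until the `-t 120` timeout. Expose it as a value, e.g. `args: [ "-t", "120", {{ .Values.nsmgr.spireServerAddress | quote }} ]` with a default of `spire-server.spire:8081` in values.yaml. `NSM_LOG_LEVEL: TRACE` is hard-coded here, in the exclude-prefixes container, and again in the forwarder-kernel and registry-k8s hunks; trace logging in a shipped chart is expensive and may record more connection detail than operators expect, so a single `logLevel` value defaulting to `INFO` would be better. The commented-out `#command:` lines and the `{{/* emptyDir */}}` leftovers are dead text and should be removed or replaced by a one-line comment saying why the wait-for-it image was chosen.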
diff --git a/charts/avesha/kubeslice-worker/charts/nsm/templates/registry-k8s.yaml b/charts/avesha/kubeslice-worker/charts/nsm/templates/registry-k8s.yaml
new file mode 100644
index 000000000..5f619b25f
--- /dev/null
+++ b/charts/avesha/kubeslice-worker/charts/nsm/templates/registry-k8s.yaml
@@ -0,0 +1,57 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: registry-k8s
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: registry
+spec:
+ selector:
+ matchLabels:
+ app: registry
+ template:
+ metadata:
+ labels:
+ app: registry
+ "spiffe.io/spiffe-id": "true"
+ spec:
+ serviceAccountName: nsmgr-acc
+ containers:
+ - image: {{ .Values.registryK8sImageRegistry }}:{{ .Values.registryK8sImageTag }}
+ env:
+ - name: SPIFFE_ENDPOINT_SOCKET
+ value: unix:///run/spire/sockets/agent.sock
+ - name: REGISTRY_K8S_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: REGISTRY_K8S_LOG_LEVEL
+ value: TRACE
+ - name: REGISTRY_K8S_LISTEN_ON
+ value: tcp://:5002
+ - name: REGISTRY_K8S_PROXY_REGISTRY_URL
+ value: nsmgr-proxy:5004
+ imagePullPolicy: IfNotPresent
+ name: registry
+ ports:
+ - containerPort: 5002
+ hostPort: 5002
+ volumeMounts:
+ - name: spire-agent-socket
+ mountPath: /run/spire/sockets
+ resources:
+ requests:
+ cpu: 100m
+ limits:
+ memory: 40Mi
+ cpu: 200m
+ volumes:
+ - name: spire-agent-socket
+ hostPath:
+ path: /run/spire/sockets
+ type: DirectoryOrCreate
+ - name: nsm-socket
+ hostPath:
+ path: /var/lib/networkservicemesh
+ type: DirectoryOrCreate
\ No newline at end of file
diff --git a/charts/avesha/kubeslice-worker/charts/nsm/templates/registry-service.yaml b/charts/avesha/kubeslice-worker/charts/nsm/templates/registry-service.yaml
new file mode 100644
index 000000000..22240e2a4
--- /dev/null
+++ b/charts/avesha/kubeslice-worker/charts/nsm/templates/registry-service.yaml
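Review bot: The `spire-agent-socket` mount in the registry container lacks `readOnly: true`, unlike the same mount in nsmgr.yaml and the forwarder-kernel DaemonSet, and its hostPath uses `type: DirectoryOrCreate` where the other two use `type: Directory`; on a node without a SPIRE agent the kubelet creates an empty root-owned `/run/spire/sockets`, the pod starts, and the missing SVID only surfaces later in the registry logs instead of as a pod that cannot start. Use `readOnly: true` on the mount and `type: Directory` on the volume to match the other workloads. The `nsm-socket` hostPath volume is declared but never mounted by the container, so it can be dropped. `hostPort: 5002` on a Deployment that already has a ClusterIP Service (registry-service.yaml) also prevents two replicas from landing on one node; if nsmgr reaches the registry only through `NSM_REGISTRY_URL: "registry:5002"`, the hostPort is presumably unnecessary and widens the node's listening surface.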
@@ -0,0 +1,15 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: registry
+ namespace: {{ .Release.Namespace }}
+spec:
+ selector:
+ app: registry
+ ports:
+ - name: registry
+ protocol: TCP
+ port: 5002
+ targetPort: 5002
+ type: ClusterIP
diff --git a/charts/avesha/kubeslice-worker/charts/nsm/values.yaml b/charts/avesha/kubeslice-worker/charts/nsm/values.yaml
index 92797ffef..9c1048d80 100644
--- a/charts/avesha/kubeslice-worker/charts/nsm/values.yaml
+++ b/charts/avesha/kubeslice-worker/charts/nsm/values.yaml
@@ -3,50 +3,22 @@ # This is a YAML-formatted file. # Declare variables to be passed into your templates. -registry: docker.io -org: aveshasystems -tag: 0.6.1 -pullPolicy: IfNotPresent - -forwardingPlane: kernel insecure: true -preferredRemoteMechanism: - -vpp: - image: vppagent-forwarder - -nsmd: - image: nsmd - tag: 0.6.1 - pullPolicy: IfNotPresent - -nsmdp: - image: nsmdp - tag: 0.6.1 - pullPolicy: IfNotPresent - -nsmdK8s: - image: nsmd-k8s - tag: 0.6.2 - pullPolicy: IfNotPresent - -kernel: - image: kernel-forwarder - tag: 0.6.2 - pullPolicy: IfNotPresent - resources: - limitCPU: 1 - requestsCPU: 1m - global: # set to true to enable Jaeger tracing for NSM components JaegerTracing: true -metricsCollectorEnabled: false +forwardingPlane: + kernelImageRegistry: docker.io/aveshasystems/cmd-forwarder-kernel + kernelImageTag: 1.0.0 -# username & password & email values for imagePullSecrets has to provided to create a secret -imagePullSecrets: - repository: https://index.docker.io/v1/ - username: - password: - email: +nsmgr: + imageRegistry: docker.io/aveshasystems/cmd-nsmgr + imageTag: 1.5.2 + waitForItImageRegistry: docker.io/aveshasystems/wait-for-it + waitForItImageTag: 1.0.0 + excludePrefixesImageRegistry: docker.io/aveshasystems/cmd-exclude-prefixes-k8s + excludePrefixesImageTag: 1.5.2 + +registryK8sImageRegistry: docker.io/aveshasystems/cmd-registry-k8s +registryK8sImageTag: 1.5.2
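Review bot: The rewritten values.yaml still ships `insecure: true` as the default, which nsmgr.yaml feeds into the `INSECURE` env var through `{{ .Values.insecure | default false | quote }}`; with every new component wired to the SPIRE agent socket and the probes using `grpc-health-probe -spiffe`, the secure path appears to be the intended one, so the default should be `insecure: false` and insecure mode an explicit opt-in. Note that `default false` only takes effect when the key is absent or empty, so leaving `true` in values.yaml means every install that does not override it runs insecure. The new image tags (`1.0.0`, `1.5.2`) parse as strings only because they carry two dots; quoting them (`imageTag: "1.5.2"`) keeps a future tag such as `1.5` from being read as a float.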
diff --git a/charts/avesha/kubeslice-worker/crds/networking.kubeslice.io_slicenodeaffinities.yaml b/charts/avesha/kubeslice-worker/crds/networking.kubeslice.io_slicenodeaffinities.yaml
new file mode 100644
index 000000000..8b5a64553
--- /dev/null
+++ b/charts/avesha/kubeslice-worker/crds/networking.kubeslice.io_slicenodeaffinities.yaml
@@ -0,0 +1,103 @@ + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.7.0 + creationTimestamp: null + name: slicenodeaffinities.networking.kubeslice.io +spec: + group: networking.kubeslice.io + names: + kind: SliceNodeAffinity + listKind: SliceNodeAffinityList + plural: slicenodeaffinities + singular: slicenodeaffinity + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: SliceNodeAffinity is the Schema for the slicenodeaffinities API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: SliceNodeAffinitySpec defines the desired state of SliceNodeAffinity + type: object + status: + description: SliceNodeAffinityStatus defines the observed state of SliceNodeAffinity + properties: + nodeAffinityRules: + description: NodeAffinityRules contains the list of rules per namespace + items: + description: NodeAffinityRule defines the rules to select nodes + for a particular namespace + properties: + namespace: + description: Namespace is the namespace in the slice this rule + applies to + type: string + nodeSelectorLabels: + description: NodeSelectorLabels defines the label selectors + to select nodes for assigning to pods + items: + description: A node selector requirement is a selector that + contains values, a key, and an operator that relates the + key and values. + properties: + key: + description: The label key that the selector applies to. + type: string + operator: + description: Represents a key's relationship to a set + of values. Valid operators are In, NotIn, Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An array of string values. If the operator + is In or NotIn, the values array must be non-empty. + If the operator is Exists or DoesNotExist, the values + array must be empty. If the operator is Gt or Lt, the + values array must have a single element, which will + be interpreted as an integer. This array is replaced + during a strategic merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + required: + - namespace + - nodeSelectorLabels + type: object + type: array + sliceName: + description: SliceName defines the name of the slice for the NodeAffinity + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/charts/avesha/kubeslice-worker/crds/networking.kubeslice.io_sliceresourcequotas.yaml b/charts/avesha/kubeslice-worker/crds/networking.kubeslice.io_sliceresourcequotas.yaml new file mode 100644 index 000000000..66315fe27 --- /dev/null +++ b/charts/avesha/kubeslice-worker/crds/networking.kubeslice.io_sliceresourcequotas.yaml 
@@ -0,0 +1,527 @@ + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.7.0 + creationTimestamp: null + name: sliceresourcequotas.networking.kubeslice.io +spec: + group: networking.kubeslice.io + names: + kind: SliceResourceQuota + listKind: SliceResourceQuotaList + plural: sliceresourcequotas + singular: sliceresourcequota + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: SliceResourceQuota is the Schema for the sliceresourcequota API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + type: object + status: + properties: + clusterName: + description: ClusterName defines the name of the cluster for the ResourceQuota + type: string + configUpdatedOn: + format: int64 + type: integer + resourceQuotaProfile: + description: ResourceQuotaProfile defines the resource quota profile + for the slice + properties: + clusterQuota: + description: ClusterQuota defines the configuration for cluster + quota of a resource quota + properties: + namespaceQuota: + description: NamespaceQuota defines the configuration for + namespace quota of a ClusterQuota + items: + description: NamespaceQuota defines the configuration for + namespace quota of a ClusterQuota + properties: + enforceQuota: + default: false + description: EnforceQuota defines the enforceQuota status + flag for NamespaceQuota + type: boolean + namespace: + description: Namespace defines the namespace of the + NamespaceQuota + type: string + resources: + description: Resources defines the configuration for + resources for NamespaceQuota + properties: + defaultLimitPerContainer: + description: DefaultResourcePerContainerList is + a set of (resource name, quantity) pairs. + properties: + cpu: + anyOf: + - type: integer + - type: string + description: CPU in cores. (500m = .5 cores) + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + ephemeralStorage: + anyOf: + - type: integer + - type: string + description: EphemeralStorage Local ephemeral + storage, in bytes. (500Gi = 500GiB = 500 * + 1024 * 1024 * 1024) The resource name for + EphemeralStorage is alpha, and it can change + across releases. 
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + memory: + anyOf: + - type: integer + - type: string + description: Memory in bytes. (500Gi = 500GiB + = 500 * 1024 * 1024 * 1024) + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + defaultRequestPerContainer: + description: DefaultRequestPerContainer is a set + of (resource name, quantity) pairs. + properties: + cpu: + anyOf: + - type: integer + - type: string + description: CPU in cores. (500m = .5 cores) + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + ephemeralStorage: + anyOf: + - type: integer + - type: string + description: EphemeralStorage LoNamespaceResourceQuotaStatuscal + ephemeral storage, in bytes. (500Gi = 500GiB + = 500 * 1024 * 1024 * 1024) The resource name + for EphemeralStorage is alpha, and it can + change across releases. + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + memory: + anyOf: + - type: integer + - type: string + description: Memory in bytes. (500Gi = 500GiB + = 500 * 1024 * 1024 * 1024) + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + limit: + properties: + cpu: + anyOf: + - type: integer + - type: string + description: CPU in cores. 
(500m = .5 cores) + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + ephemeralStorage: + anyOf: + - type: integer + - type: string + description: EphemeralStorage Local ephemeral + storage, in bytes. (500Gi = 500GiB = 500 * + 1024 * 1024 * 1024) The resource name for + EphemeralStorage is alpha, and it can change + across releases. + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + memory: + anyOf: + - type: integer + - type: string + description: Memory in bytes. (500Gi = 500GiB + = 500 * 1024 * 1024 * 1024) + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + podCount: + description: PodCount in number. + format: int64 + type: integer + type: object + request: + description: RequestResourceList is a set of (resource + name, quantity) pairs. + properties: + cpu: + anyOf: + - type: integer + - type: string + description: CPU in cores. (500m = .5 cores) + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + ephemeralStorage: + anyOf: + - type: integer + - type: string + description: EphemeralStorage Local ephemeral + storage, in bytes. (500Gi = 500GiB = 500 * + 1024 * 1024 * 1024) The resource name for + EphemeralStorage is alpha, and it can change + across releases. + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + memory: + anyOf: + - type: integer + - type: string + description: Memory in bytes. 
(500Gi = 500GiB + = 500 * 1024 * 1024 * 1024) + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + type: object + type: object + type: array + resources: + description: Resources defines the configuration for resources + for ClusterQuota + properties: + limit: + properties: + cpu: + anyOf: + - type: integer + - type: string + description: CPU in cores. (500m = .5 cores) + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + ephemeralStorage: + anyOf: + - type: integer + - type: string + description: EphemeralStorage Local ephemeral storage, + in bytes. (500Gi = 500GiB = 500 * 1024 * 1024 * + 1024) The resource name for EphemeralStorage is + alpha, and it can change across releases. + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + memory: + anyOf: + - type: integer + - type: string + description: Memory in bytes. (500Gi = 500GiB = 500 + * 1024 * 1024 * 1024) + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + podCount: + description: PodCount in number. + format: int64 + type: integer + type: object + request: + description: RequestResourceList is a set of (resource + name, quantity) pairs. + properties: + cpu: + anyOf: + - type: integer + - type: string + description: CPU in cores. (500m = .5 cores) + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + ephemeralStorage: + anyOf: + - type: integer + - type: string + description: EphemeralStorage Local ephemeral storage, + in bytes. 
(500Gi = 500GiB = 500 * 1024 * 1024 * + 1024) The resource name for EphemeralStorage is + alpha, and it can change across releases. + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + memory: + anyOf: + - type: integer + - type: string + description: Memory in bytes. (500Gi = 500GiB = 500 + * 1024 * 1024 * 1024) + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + type: object + type: object + sliceQuota: + description: SliceQuota defines the configuration for slice quota + of a resource quota + properties: + resources: + description: Resources defines the configuration for resources + for SliceQuota + properties: + defaultRequestPerContainer: + description: DefaultRequestPerContainer is a set of (resource + name, quantity) pairs. + properties: + cpu: + anyOf: + - type: integer + - type: string + description: CPU in cores. (500m = .5 cores) + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + ephemeralStorage: + anyOf: + - type: integer + - type: string + description: EphemeralStorage LoNamespaceResourceQuotaStatuscal + ephemeral storage, in bytes. (500Gi = 500GiB = 500 + * 1024 * 1024 * 1024) The resource name for EphemeralStorage + is alpha, and it can change across releases. + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + memory: + anyOf: + - type: integer + - type: string + description: Memory in bytes. 
(500Gi = 500GiB = 500 + * 1024 * 1024 * 1024) + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + limit: + properties: + cpu: + anyOf: + - type: integer + - type: string + description: CPU in cores. (500m = .5 cores) + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + ephemeralStorage: + anyOf: + - type: integer + - type: string + description: EphemeralStorage Local ephemeral storage, + in bytes. (500Gi = 500GiB = 500 * 1024 * 1024 * + 1024) The resource name for EphemeralStorage is + alpha, and it can change across releases. + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + memory: + anyOf: + - type: integer + - type: string + description: Memory in bytes. (500Gi = 500GiB = 500 + * 1024 * 1024 * 1024) + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + podCount: + description: PodCount in number. + format: int64 + type: integer + type: object + request: + description: RequestResourceList is a set of (resource + name, quantity) pairs. + properties: + cpu: + anyOf: + - type: integer + - type: string + description: CPU in cores. (500m = .5 cores) + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + ephemeralStorage: + anyOf: + - type: integer + - type: string + description: EphemeralStorage Local ephemeral storage, + in bytes. (500Gi = 500GiB = 500 * 1024 * 1024 * + 1024) The resource name for EphemeralStorage is + alpha, and it can change across releases. 
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + memory: + anyOf: + - type: integer + - type: string + description: Memory in bytes. (500Gi = 500GiB = 500 + * 1024 * 1024 * 1024) + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + type: object + type: object + type: object + sliceName: + description: SliceName defines the name of the slice for the ResourceQuota + type: string + sliceResourceQuotaStatus: + description: WorkerSliceResourceQuotaStatus defines the observed state + of WorkerSliceResourceQuota + properties: + clusterResourceQuotaStatus: + properties: + namespaceResourceQuotaStatus: + items: + properties: + namespace: + type: string + requestResourceUsage: + description: RequestResourceList is a set of (resource + name, quantity) pairs. + properties: + cpu: + anyOf: + - type: integer + - type: string + description: CPU in cores. (500m = .5 cores) + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + ephemeralStorage: + anyOf: + - type: integer + - type: string + description: EphemeralStorage Local ephemeral storage, + in bytes. (500Gi = 500GiB = 500 * 1024 * 1024 + * 1024) The resource name for EphemeralStorage + is alpha, and it can change across releases. + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + memory: + anyOf: + - type: integer + - type: string + description: Memory in bytes. 
(500Gi = 500GiB = + 500 * 1024 * 1024 * 1024) + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + resourceUsage: + properties: + cpu: + anyOf: + - type: integer + - type: string + description: CPU in cores. (500m = .5 cores) + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + ephemeralStorage: + anyOf: + - type: integer + - type: string + description: EphemeralStorage Local ephemeral storage, + in bytes. (500Gi = 500GiB = 500 * 1024 * 1024 + * 1024) The resource name for EphemeralStorage + is alpha, and it can change across releases. + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + memory: + anyOf: + - type: integer + - type: string + description: Memory in bytes. (500Gi = 500GiB = + 500 * 1024 * 1024 * 1024) + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + podCount: + description: PodCount in number. + format: int64 + type: integer + type: object + type: object + type: array + requestResourceUsage: + description: RequestResourceList is a set of (resource name, + quantity) pairs. + properties: + cpu: + anyOf: + - type: integer + - type: string + description: CPU in cores. (500m = .5 cores) + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + ephemeralStorage: + anyOf: + - type: integer + - type: string + description: EphemeralStorage Local ephemeral storage, + in bytes. (500Gi = 500GiB = 500 * 1024 * 1024 * 1024) + The resource name for EphemeralStorage is alpha, and + it can change across releases. 
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + memory: + anyOf: + - type: integer + - type: string + description: Memory in bytes. (500Gi = 500GiB = 500 * + 1024 * 1024 * 1024) + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + resourceUsage: + properties: + cpu: + anyOf: + - type: integer + - type: string + description: CPU in cores. (500m = .5 cores) + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + ephemeralStorage: + anyOf: + - type: integer + - type: string + description: EphemeralStorage Local ephemeral storage, + in bytes. (500Gi = 500GiB = 500 * 1024 * 1024 * 1024) + The resource name for EphemeralStorage is alpha, and + it can change across releases. + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + memory: + anyOf: + - type: integer + - type: string + description: Memory in bytes. (500Gi = 500GiB = 500 * + 1024 * 1024 * 1024) + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + podCount: + description: PodCount in number. + format: int64 + type: integer + type: object + type: object + type: object + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] 
diff --git a/charts/avesha/kubeslice-worker/crds/networking.kubeslice.io_slicerolebindings.yaml b/charts/avesha/kubeslice-worker/crds/networking.kubeslice.io_slicerolebindings.yaml
new file mode 100644
index 000000000..34e861a95
--- /dev/null
+++ b/charts/avesha/kubeslice-worker/crds/networking.kubeslice.io_slicerolebindings.yaml
@@ -0,0 +1,214 @@ + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.7.0 + creationTimestamp: null + name: slicerolebindings.networking.kubeslice.io +spec: + group: networking.kubeslice.io + names: + kind: SliceRoleBinding + listKind: SliceRoleBindingList + plural: slicerolebindings + singular: slicerolebinding + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: SliceRoleBinding is the Schema for the slicerolebindings API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: SliceRoleBindingSpec defines the desired state of SliceRoleBinding + type: object + status: + properties: + roleRefCondition: + properties: + condition: + description: Condition defines conditions of the RoleRef, one + of INVALID_RULE, INVALID_ROLE_BINDING. + type: string + lastUpdateTime: + description: The last time this condition was updated. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. 
+ type: string + roleRef: + description: Name, APIGroup and Kind of the RoleRef + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this + representation of an object. Servers should convert recognized + schemas to the latest internal value, and may reject unrecognized + values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: Kind is the type of resource being referenced + type: string + name: + description: Name is the name of resource being referenced + type: string + required: + - apiVersion + - kind + - name + type: object + status: + description: Status of the condition, one of True, False, Unknown. + type: string + required: + - condition + - lastUpdateTime + - reason + - roleRef + - status + type: object + sliceRbConfig: + description: RoleBindingConfig references a role, but does not contain + it. + properties: + applyTo: + description: ApplyTo contains information about the namespace + and the Subjects. + items: + description: ApplyTo contains information about the namespace + and the Subjects. It adds who information via Subjects and + namespace information by which namespace it exists in. + properties: + namespace: + description: Namespace of the referenced object. If the + object kind is non-namespace, such as "User" or "Group", + and this value is not empty the Authorizer should report + an error. '*' Represents all namespaces + type: string + subjects: + description: Subjects holds references to the objects the + role applies to. + items: + description: Subject contains a reference to the object + or user identities a role binding applies to. This + can either hold a direct API object reference, or a + value for non-objects such as user and group names. + properties: + apiGroup: + description: APIGroup holds the API group of the referenced + subject. Defaults to "" for ServiceAccount subjects. 
+ Defaults to "rbac.authorization.k8s.io" for User + and Group subjects. + type: string + kind: + description: Kind of object being referenced. Values + defined by this API group are "User", "Group", and + "ServiceAccount". If the Authorizer does not recognized + the kind value, the Authorizer should report an + error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: Namespace of the referenced object. If + the object kind is non-namespace, such as "User" + or "Group", and this value is not empty the Authorizer + should report an error. + type: string + required: + - kind + - name + type: object + type: array + type: object + type: array + roleRefName: + description: Name of the RoleRef + type: string + rules: + description: PolicyRule holds information that describes a policy + rule + items: + description: PolicyRule holds information that describes a policy + rule, but does not contain information about who the rule + applies to or which namespace the rule applies to. + properties: + apiGroups: + description: APIGroups is the name of the APIGroup that + contains the resources. If multiple API groups are specified, + any action requested against one of the enumerated resources + in any API group will be allowed. + items: + type: string + type: array + nonResourceURLs: + description: NonResourceURLs is a set of partial urls that + a user should have access to. *s are allowed, but only + as the full, final step in the path Since non-resource + URLs are not namespaced, this field is only applicable + for ClusterRoles referenced from a ClusterRoleBinding. + Rules can either apply to API resources (such as "pods" + or "secrets") or non-resource URL paths (such as "/api"), but + not both. + items: + type: string + type: array + resourceNames: + description: ResourceNames is an optional white list of + names that the rule applies to. An empty set means that + everything is allowed. 
+ items: + type: string + type: array + resources: + description: Resources is a list of resources this rule + applies to. '*' represents all resources. + items: + type: string + type: array + verbs: + description: Verbs is a list of Verbs that apply to ALL + the ResourceKinds contained in this rule. '*' represents + all verbs. + items: + type: string + type: array + required: + - verbs + type: object + type: array + sliceName: + description: sliceName is the name of the slice + type: string + type: object + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/charts/avesha/kubeslice-worker/crds/networking.kubeslice.io_slice.yaml b/charts/avesha/kubeslice-worker/crds/networking.kubeslice.io_slices.yaml similarity index 98% rename from charts/avesha/kubeslice-worker/crds/networking.kubeslice.io_slice.yaml rename to charts/avesha/kubeslice-worker/crds/networking.kubeslice.io_slices.yaml index c616c755a..f79770644 100644 --- a/charts/avesha/kubeslice-worker/crds/networking.kubeslice.io_slice.yaml +++ b/charts/avesha/kubeslice-worker/crds/networking.kubeslice.io_slices.yaml @@ -1,4 +1,3 @@ - --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition @@ -6,20 +5,20 @@ metadata: annotations: controller-gen.kubebuilder.io/version: v0.7.0 creationTimestamp: null - name: slice.networking.kubeslice.io + name: slices.networking.kubeslice.io spec: group: networking.kubeslice.io names: kind: Slice listKind: SliceList - plural: slice + plural: slices singular: slice scope: Namespaced versions: - name: v1beta1 schema: openAPIV3Schema: - description: Slice is the Schema for the slice API + description: Slice is the Schema for the slices API properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation @@ -203,3 +202,4 @@ status: plural: "" conditions: [] storedVersions: [] + 
diff --git a/charts/avesha/kubeslice-worker/questions.yaml b/charts/avesha/kubeslice-worker/questions.yaml index 254b5f8c6..84e4284fc 100644 --- a/charts/avesha/kubeslice-worker/questions.yaml +++ b/charts/avesha/kubeslice-worker/questions.yaml @@ -17,7 +17,7 @@ questions: variable: imagePullSecrets.password - default: "" - description: "https://docs.avesha.io/documentation/enterprise/0.2.0/deployment-partners/deploying-kubeslice-on-rancher/installing-the-worker-operator-on-rancher#getting-the-secrets-of-the-registered-cluster" + description: "https://docs.avesha.io/documentation/enterprise/0.5.0/deployment-partners/deploying-kubeslice-on-rancher/installing-the-worker-operator-on-rancher#getting-the-secrets-of-the-registered-cluster" group: "Worker Secrets from Controller" label: "Controller Namespace" required: true @@ -25,7 +25,7 @@ questions: variable: controllerSecret.namespace - default: "" - description: "https://docs.avesha.io/documentation/enterprise/0.2.0/deployment-partners/deploying-kubeslice-on-rancher/installing-the-worker-operator-on-rancher#getting-the-secrets-of-the-registered-cluster" + description: "https://docs.avesha.io/documentation/enterprise/0.5.0/deployment-partners/deploying-kubeslice-on-rancher/installing-the-worker-operator-on-rancher#getting-the-secrets-of-the-registered-cluster" group: "Worker Secrets from Controller" label: "Controller Endpoint" required: true @@ -33,7 +33,7 @@ questions: variable: controllerSecret.endpoint - default: "" - description: "https://docs.avesha.io/documentation/enterprise/0.2.0/deployment-partners/deploying-kubeslice-on-rancher/installing-the-worker-operator-on-rancher#getting-the-secrets-of-the-registered-cluster" + description: "https://docs.avesha.io/documentation/enterprise/0.5.0/deployment-partners/deploying-kubeslice-on-rancher/installing-the-worker-operator-on-rancher#getting-the-secrets-of-the-registered-cluster" group: "Worker Secrets from Controller" label: "Controller CA Cert" required: true 
@@ -41,7 +41,7 @@ questions: variable: controllerSecret.'ca.crt' - default: "" - description: "https://docs.avesha.io/documentation/enterprise/0.2.0/deployment-partners/deploying-kubeslice-on-rancher/installing-the-worker-operator-on-rancher#getting-the-secrets-of-the-registered-cluster" + description: "https://docs.avesha.io/documentation/enterprise/0.5.0/deployment-partners/deploying-kubeslice-on-rancher/installing-the-worker-operator-on-rancher#getting-the-secrets-of-the-registered-cluster" group: "Worker Secrets from Controller" label: "Controller Token" required: true @@ -57,7 +57,7 @@ questions: variable: cluster.name - default: "" - description: "Worker Cluster Endpoint,use 'kubectl cluster-info on worker cluster' or for details please follow https://docs.avesha.io/documentation/enterprise/0.2.0/" + description: "Worker Cluster Endpoint,use 'kubectl cluster-info on worker cluster' or for details please follow https://docs.avesha.io/documentation/enterprise/0.5.0/" group: "Worker Cluster Details" label: "Cluster Endpoint" required: true diff --git a/charts/avesha/kubeslice-worker/templates/cleanUp.yaml b/charts/avesha/kubeslice-worker/templates/cleanUp.yaml new file mode 100644 index 000000000..fb7a8b2b7 --- /dev/null +++ b/charts/avesha/kubeslice-worker/templates/cleanUp.yaml 
@@ -0,0 +1,93 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: kubeslice-cleanup
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+ app.kubernetes.io/instance: {{ .Release.Name | quote }}
+ app.kubernetes.io/version: {{ .Chart.AppVersion | quote}}
+ helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+ annotations:
+ "helm.sh/hook": pre-delete
+ "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+ "helm.sh/hook-weight": "1"
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: kubeslice-cleanup
+ annotations:
+ "helm.sh/hook": pre-delete
+ "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+ "helm.sh/hook-weight": "1"
+ labels:
+ app.kubernetes.io/name: kubeslice
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: kubeslice-cleanup
+subjects:
+ - kind: ServiceAccount
+ name: kubeslice-cleanup
+ namespace: {{ .Release.Namespace }}
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: kubeslice-cleanup
+ annotations:
+ "helm.sh/hook": pre-delete
+ "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+ "helm.sh/hook-weight": "1"
+ labels:
+ app.kubernetes.io/name: kubeslice
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - configmaps
+ verbs:
+ - get
+ - list
+ - patch
+ - update
+ - create
+ - delete
+
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: kubeslice-cleanup
+ namespace: {{ .Release.Namespace }}
+ annotations:
+ "helm.sh/hook": pre-delete
+ "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded,hook-failed
+ "helm.sh/hook-weight": "2"
+ labels:
+ app.kubernetes.io/name: nsm
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+spec:
+ backoffLimit: 3
+ template:
+ metadata:
+ name: kubeslice-cleanup
+ namespace: {{ .Release.Namespace }}
+ spec:
+ serviceAccountName: kubeslice-cleanup
+ containers:
+ - name: kubectl
+ image: "alpine/k8s:1.22.9"
+ command:
+ - /bin/sh
+ - -c
+ - kubectl delete cm nsm-config --ignore-not-found -n {{ .Release.Namespace }}
+ restartPolicy: OnFailure
\ No newline at end of file
diff --git a/charts/avesha/kubeslice-worker/templates/opertor-secret.yaml b/charts/avesha/kubeslice-worker/templates/dashboard-rbac.yaml
similarity index 71%
rename from charts/avesha/kubeslice-worker/templates/opertor-secret.yaml
rename to charts/avesha/kubeslice-worker/templates/dashboard-rbac.yaml
index 4a9cd22be..08cdcc46a 100644
--- a/charts/avesha/kubeslice-worker/templates/opertor-secret.yaml
+++ b/charts/avesha/kubeslice-worker/templates/dashboard-rbac.yaml
@@ -18,6 +18,8 @@ kind: ServiceAccount
 metadata:
 name: kubeslice-kubernetes-dashboard
 namespace: kubeslice-system
+secrets:
+ - name: kubeslice-kubernetes-dashboard-creds
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
@@ -31,3 +33,11 @@ subjects:
 - kind: ServiceAccount
 name: kubeslice-kubernetes-dashboard
 namespace: kubeslice-system
+---
+apiVersion: v1
+kind: Secret
+type: kubernetes.io/service-account-token
+metadata:
+ name: kubeslice-kubernetes-dashboard-creds
+ annotations:
+ kubernetes.io/service-account.name: "kubeslice-kubernetes-dashboard"
\ No newline at end of file
diff --git a/charts/avesha/kubeslice-worker/templates/kubeslice-predelete-hook.yaml b/charts/avesha/kubeslice-worker/templates/kubeslice-predelete-hook.yaml
new file mode 100644
index 000000000..e10034b72
--- /dev/null
+++ b/charts/avesha/kubeslice-worker/templates/kubeslice-predelete-hook.yaml
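Review bot: The `kubeslice-cleanup` ClusterRole grants get/list/patch/update/create/delete on configmaps in every namespace, but the Job's only command is `kubectl delete cm nsm-config --ignore-not-found -n {{ .Release.Namespace }}`, so everything beyond get/delete on that one object in that one namespace is unused privilege held by a hook ServiceAccount. A namespaced Role with `resourceNames` plus a RoleBinding in `{{ .Release.Namespace }}` is enough, as sketched below. The Job's `app.kubernetes.io/name: nsm` label also differs from the `kubeslice` value on the other hook objects in this file, which reads like a copy-paste slip, and `alpine/k8s:1.22.9` is a mutable tag; pinning a digest keeps the hook's supply chain reproducible.
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: kubeslice-cleanup
  namespace: {{ .Release.Namespace }}
  # … unchanged: hook annotations and labels …
rules:
  - apiGroups:
      - ""
    resources:
      - configmaps
    resourceNames:
      - nsm-config
    verbs:
      - get
      - delete
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: kubeslice-cleanup
  namespace: {{ .Release.Namespace }}
  # … unchanged: hook annotations and labels …
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: kubeslice-cleanup
# … unchanged: subjects, ServiceAccount and Job …
```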
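Review bot: The `kubernetes.io/service-account-token` Secret added in the second hunk has no `metadata.namespace`, so Helm places it in the release namespace, while the `kubeslice-kubernetes-dashboard` ServiceAccount it names is pinned to `kubeslice-system` a few lines above; the token controller only fills a token Secret whose annotated ServiceAccount exists in the Secret's own namespace, so whenever the release is installed anywhere else the Secret stays empty and the `secrets:` entry added to the ServiceAccount in the first hunk dangles. Add `namespace: kubeslice-system` under the Secret's `metadata:` (or move both objects to `{{ .Release.Namespace }}`). Independently, this is a non-expiring token for an account that the ClusterRoleBinding in this file binds to a role not visible in the hunk; a comment on the Secret such as `# long-lived token: name the consumer here and how it is rotated` would let the next reviewer judge whether a short-lived TokenRequest token could replace it.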
@@ -0,0 +1,136 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: kubeslice-delete-webhooks
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+ app.kubernetes.io/instance: {{ .Release.Name | quote }}
+ app.kubernetes.io/version: {{ .Chart.AppVersion | quote}}
+ helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+ annotations:
+ "helm.sh/hook": pre-delete,pre-rollback
+ "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+ "helm.sh/hook-weight": "1"
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: kubeslice-delete-webhooks
+ annotations:
+ "helm.sh/hook": pre-delete,pre-rollback
+ "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+ "helm.sh/hook-weight": "-1"
+ labels:
+ app.kubernetes.io/name: kubeslice
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: kubeslice-delete-webhooks
+subjects:
+ - kind: ServiceAccount
+ name: kubeslice-delete-webhooks
+ namespace: {{ .Release.Namespace }}
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: kubeslice-delete-webhooks
+ annotations:
+ "helm.sh/hook": pre-delete,pre-rollback
+ "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+ "helm.sh/hook-weight": "-1"
+ labels:
+ app.kubernetes.io/name: kubeslice
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - pods
+ verbs:
+ - get
+ - list
+ - apiGroups: ["spiffeid.spiffe.io"]
+ resources: ["spiffeids"]
+ verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
+ - apiGroups: ["spiffeid.spiffe.io"]
+ resources: ["spiffeids/status"]
+ verbs: ["get", "patch", "update"]
+
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: 
kubeslice-delete-webhooks
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+ app.kubernetes.io/instance: {{ .Release.Name | quote }}
+ app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+ helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+ annotations:
+ "helm.sh/hook": pre-delete,pre-rollback
+ "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+ "helm.sh/hook-weight": "1"
+data:
+ delete-admission-webhook.sh: |-
+ #!/usr/bin/env bash
+ NAMESPACE={{ .Release.Namespace | quote}}
+ echo "finding and removing spiffeids in namespace $NAMESPACE ..."
+ for item in $(kubectl get spiffeid.spiffeid.spiffe.io -n $NAMESPACE -o name); do
+ echo "removing item $item"
+ kubectl patch $item -p '{"metadata":{"finalizers":null}}' --type=merge -n $NAMESPACE
+ kubectl delete $item --ignore-not-found -n $NAMESPACE
+ done
+ # TODO: once we figure out how to keep spire in release ns then we could remove this
+ NAMESPACE="spire"
+ echo "finding and removing spiffeids in namespace $NAMESPACE ..."
+ for item in $(kubectl get spiffeid.spiffeid.spiffe.io -n $NAMESPACE -o name); do
+ echo "removing item $item"
+ kubectl patch $item -p '{"metadata":{"finalizers":null}}' --type=merge -n $NAMESPACE
+ kubectl delete $item --ignore-not-found -n $NAMESPACE
+ done
+
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: kubeslice-delete-webhooks
+ namespace: {{ .Release.Namespace }}
+ annotations:
+ "helm.sh/hook": pre-delete,pre-rollback
+ "helm.sh/hook-delete-policy": before-hook-creation
+ "helm.sh/hook-weight": "2"
+ labels:
+ app.kubernetes.io/name: nsm
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+spec:
+ backoffLimit: 3
+ template:
+ metadata:
+ name: kubeslice-delete-webhooks
+ namespace: {{ .Release.Namespace }}
+ spec:
+ serviceAccountName: kubeslice-delete-webhooks
+ containers:
+ - name: kubectl
+ image: "alpine/k8s:1.22.9"
+ command:
+ - /bin/bash
+ - /tmp/delete-admission-webhook.sh
+ volumeMounts:
+ - mountPath: /tmp
+ name: kubeslice-delete-webhooks
+ volumes:
+ - name: kubeslice-delete-webhooks
+ configMap:
+ name: kubeslice-delete-webhooks
+ restartPolicy: OnFailure
\ No newline at end of file
diff --git a/charts/avesha/kubeslice-worker/templates/operator-rbac.yaml b/charts/avesha/kubeslice-worker/templates/operator-rbac.yaml
index 3372ebdac..7c596aa99 100644
--- a/charts/avesha/kubeslice-worker/templates/operator-rbac.yaml
+++ b/charts/avesha/kubeslice-worker/templates/operator-rbac.yaml
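Review bot: Both `for item in $(kubectl get spiffeid.spiffeid.spiffe.io -n $NAMESPACE -o name); do` loops in `delete-admission-webhook.sh` treat a failing `kubectl get` (RBAC denied, API unreachable, `spire` namespace absent) exactly like an empty list, so the hook exits 0 having removed nothing and the uninstall or rollback continues as if cleanup had happened; `set -e` would not help here because the failure sits inside a word-list substitution. Capture the listing first and fail explicitly in each loop: `items=$(kubectl get spiffeid.spiffeid.spiffe.io -n "$NAMESPACE" -o name) || exit 1` followed by `for item in $items; do`. The script also omits the `set -euo pipefail` that `pre-install.sh` in `preinstall-configmap.yaml` uses, and `$NAMESPACE`/`$item` are unquoted throughout. Since the same finalizer stripping runs on `pre-rollback`, a comment at the top of the script noting that a rollback force-deletes SPIFFE IDs instead of letting their controller reconcile them would spare operators a surprise.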
@@ -73,6 +73,32 @@ metadata:
 creationTimestamp: null
 name: kubeslice-manager-role
 rules:
+- apiGroups:
+ - networking.kubeslice.io
+ resources:
+ - slicenodeaffinities
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - networking.kubeslice.io
+ resources:
+ - slicenodeaffinities/finalizers
+ verbs:
+ - update
+- apiGroups:
+ - networking.kubeslice.io
+ resources:
+ - slicenodeaffinities/status
+ verbs:
+ - get
+ - patch
+ - update
 - apiGroups:
 - apps
 resources:
@@ -85,6 +111,42 @@ rules:
 - patch
 - update
 - watch
+- apiGroups:
+ - apps
+ resources:
+ - statefulsets
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - apps
+ resources:
+ - daemonsets
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - apps
+ resources:
+ - replicasets
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
 - apiGroups:
 - ""
 resources:
@@ -102,8 +164,11 @@ rules:
 resources:
 - pods
 verbs:
+ - create
+ - delete
 - get
 - list
+ - patch
 - update
 - watch
 - apiGroups:
@@ -130,6 +195,30 @@ rules:
 - patch
 - update
 - watch
+- apiGroups:
+ - ""
+ resources:
+ - resourcequotas
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - limitranges
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
 - apiGroups:
 - ""
 resources:
@@ -154,10 +243,34 @@ rules:
 - update
 - patch
 - delete
+- apiGroups:
+ - batch
+ resources:
+ - jobs
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+- apiGroups:
+ - batch
+ resources:
+ - cronjobs
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
 - apiGroups:
 - networking.kubeslice.io
 resources:
- - slice
+ - slicerolebindings
 verbs:
 - create
 - delete
@@ -169,13 +282,39 @@ rules:
 - apiGroups:
 - networking.kubeslice.io
 resources:
- - slice/finalizers
+ - slicerolebindings/finalizers
 verbs:
 - update
 - apiGroups:
 - networking.kubeslice.io
 resources:
- - slice/status
+ - slicerolebindings/status
+ verbs:
+ - get
+ - patch
+ - update
+- apiGroups:
+ - networking.kubeslice.io
+ resources:
+ - slices
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - networking.kubeslice.io
+ resources:
+ - slices/finalizers
+ verbs:
+ - update
+- apiGroups:
+ - networking.kubeslice.io
+ resources:
+ - slices/status
 verbs:
 - get
 - patch
@@ -206,6 +345,14 @@ rules:
 - get
 - patch
 - update
+- apiGroups:
+ - networking.kubeslice.io
+ resources:
+ - sliceresourcequotas/status
+ verbs:
+ - get
+ - patch
+ - update
 - apiGroups:
 - networking.kubeslice.io
 resources:
@@ -218,6 +365,18 @@ rules:
 - patch
 - update
 - watch
+- apiGroups:
+ - networking.kubeslice.io
+ resources:
+ - sliceresourcequotas
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
 - apiGroups:
 - networking.kubeslice.io
 resources:
@@ -362,6 +521,47 @@ rules:
 - list
 - update
 - watch
+- apiGroups:
+ - metrics.k8s.io
+ resources:
+ - pods
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - ""
+ - extensions
+ - apps
+ - rbac.authorization.k8s.io
+ - coordination.k8s.io
+ - discovery.k8s.io
+ - events.k8s.io
+ - networking.k8s.io
+ - policy
+ - batch
+ - authorization.k8s.io
+ - autoscaling
+ resources:
+ - '*'
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - get
+ - list
+ - update
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - nodes/proxy
+ verbs:
+ - get
+ - watch
+ - list
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
diff --git a/charts/avesha/kubeslice-worker/templates/preinstall-configmap.yaml b/charts/avesha/kubeslice-worker/templates/preinstall-configmap.yaml
new file mode 100644
index 000000000..3d767ac0c
--- /dev/null
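Review bot: The last hunk adds a rule with `resources: - '*'` and create/delete/patch/update over the core group, `rbac.authorization.k8s.io`, `apps`, `batch`, `policy` and the other listed groups, which makes `kubeslice-manager-role` effectively an administrator of those groups: on the core group the wildcard covers `secrets`, `serviceaccounts`, `serviceaccounts/token` and `pods/exec`, and with write access to RBAC objects the operator can hand every permission it holds to any other subject. It also swallows the enumerated rules this same commit adds in the earlier hunks (statefulsets, daemonsets, replicasets, resourcequotas, limitranges, jobs, cronjobs, pods), which suggests the wildcard was a shortcut rather than a measured requirement. Replace the `'*'` rule with explicit resources per group, reusing the enumerated rules, and drop `rbac.authorization.k8s.io` unless the operator provably manages roles, in which case list `roles`/`rolebindings` alone. The verb list of that rule also repeats `- get` and `- list`, and the `nodes/proxy` rule after it proxies requests to every node's kubelet through the apiserver, so it deserves a why-comment such as `# nodes/proxy: needed for <fill in the consumer>` before it is merged.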
+++ b/charts/avesha/kubeslice-worker/templates/preinstall-configmap.yaml 
@@ -0,0 +1,245 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ .Release.Name }}-preinstall-configmap + namespace: kubeslice-system + labels: + app.kubernetes.io/managed-by: {{ .Release.Service | quote }} + app.kubernetes.io/instance: {{ .Release.Name | quote }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" + annotations: + # This is what defines this resource as a hook. Without this line, the + # job is considered part of the release. + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-weight": "-7" + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded,hook-failed +data: + metrics-server.yaml: |- + # source https://github.com/kubernetes-sigs/metrics-server/releases/download/metrics-server-helm-chart-3.8.2/components.yaml + apiVersion: v1 + kind: ServiceAccount + metadata: + labels: + k8s-app: metrics-server + name: metrics-server + namespace: kube-system + --- + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRole + metadata: + labels: + k8s-app: metrics-server + rbac.authorization.k8s.io/aggregate-to-admin: "true" + rbac.authorization.k8s.io/aggregate-to-edit: "true" + rbac.authorization.k8s.io/aggregate-to-view: "true" + name: system:aggregated-metrics-reader + rules: + - apiGroups: + - metrics.k8s.io + resources: + - pods + - nodes + verbs: + - get + - list + - watch + --- + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRole + metadata: + labels: + k8s-app: metrics-server + name: system:metrics-server + rules: + - apiGroups: + - "" + resources: + - nodes/metrics + verbs: + - get + - apiGroups: + - "" + resources: + - pods + - nodes + verbs: + - get + - list + - watch + --- + apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + metadata: + labels: + k8s-app: metrics-server + name: metrics-server-auth-reader + namespace: kube-system + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: extension-apiserver-authentication-reader 
+ subjects: + - kind: ServiceAccount + name: metrics-server + namespace: kube-system + --- + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRoleBinding + metadata: + labels: + k8s-app: metrics-server + name: metrics-server:system:auth-delegator + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: system:auth-delegator + subjects: + - kind: ServiceAccount + name: metrics-server + namespace: kube-system + --- + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRoleBinding + metadata: + labels: + k8s-app: metrics-server + name: system:metrics-server + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: system:metrics-server + subjects: + - kind: ServiceAccount + name: metrics-server + namespace: kube-system + --- + apiVersion: v1 + kind: Service + metadata: + labels: + k8s-app: metrics-server + name: metrics-server + namespace: kube-system + spec: + ports: + - name: https + port: 443 + protocol: TCP + targetPort: https + selector: + k8s-app: metrics-server + --- + apiVersion: apps/v1 + kind: Deployment + metadata: + labels: + k8s-app: metrics-server + name: metrics-server + namespace: kube-system + spec: + selector: + matchLabels: + k8s-app: metrics-server + strategy: + rollingUpdate: + maxUnavailable: 0 + template: + metadata: + labels: + k8s-app: metrics-server + spec: + containers: + - args: + - --cert-dir=/tmp + - --secure-port=4443 + - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname + - --kubelet-use-node-status-port + - --metric-resolution={{ .Values.metrics.metricResolution }} +{{ if eq (toString .Values.metrics.insecure) "true" }} + - --kubelet-insecure-tls +{{ end }} + image: k8s.gcr.io/metrics-server/metrics-server:v0.6.1 + imagePullPolicy: "{{ .Values.metrics.imagePullPolicy }}" + livenessProbe: + failureThreshold: 3 + httpGet: + path: /livez + port: https + scheme: HTTPS + periodSeconds: 10 + name: metrics-server + ports: + - containerPort: 4443 + name: https + protocol: TCP + 
readinessProbe: + failureThreshold: 3 + httpGet: + path: /readyz + port: https + scheme: HTTPS + initialDelaySeconds: 20 + periodSeconds: 10 + resources: + requests: + cpu: 100m + memory: 200Mi + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 1000 + volumeMounts: + - mountPath: /tmp + name: tmp-dir + nodeSelector: + kubernetes.io/os: linux + priorityClassName: system-cluster-critical + serviceAccountName: metrics-server + volumes: + - emptyDir: {} + name: tmp-dir + --- + apiVersion: apiregistration.k8s.io/v1 + kind: APIService + metadata: + labels: + k8s-app: metrics-server + name: v1beta1.metrics.k8s.io + spec: + group: metrics.k8s.io + groupPriorityMinimum: 100 + insecureSkipTLSVerify: true + service: + name: metrics-server + namespace: kube-system + version: v1beta1 + versionPriority: 100 + pre-install.sh: |- + #!/usr/bin/env bash + + set -euo pipefail + + BASE_DIR="$(dirname "$0")" + metrics_server_file="${BASE_DIR}/metrics-server.yaml" + + # detect and install metrics server + echo "detecting if metrics server is installed" + if kubectl get apiservice v1beta1.metrics.k8s.io | grep True || kubectl get apiservice v1.metrics.k8s.io | grep True; then + echo "metrics server is already installed, skipping" + exit 0 + fi + echo "installing metrics server" + kubectl apply -f "$metrics_server_file" + echo "checking for successful installation" + for _ in $(seq 1 25); do + if kubectl get apiservice v1beta1.metrics.k8s.io | grep True || kubectl get apiservice v1.metrics.k8s.io | grep True; then + echo "metrics server installation successful" + exit 0 + fi + echo "not yet up" + sleep 3 + done + echo "failed to validate installation of metrics server" + exit 1 diff --git a/charts/avesha/kubeslice-worker/templates/preinstall-job.yaml b/charts/avesha/kubeslice-worker/templates/preinstall-job.yaml new file mode 100644 index 000000000..429d692ca --- /dev/null 
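Review bot: `pre-install.sh` applies `metrics-server.yaml` into `kube-system` with `kubectl apply`, so the ServiceAccount, ClusterRoles, bindings, Deployment and APIService it creates are not part of the Helm release: `helm uninstall` of the worker chart leaves them behind and a later `pre-upgrade` run re-applies the vendored manifest whenever the detection check fails, which should be stated next to the data key, e.g. `# applied by kubectl from pre-install.sh; NOT owned by this release and not removed on uninstall`. The detection `kubectl get apiservice v1beta1.metrics.k8s.io | grep True` depends on the human-readable table format; `kubectl get apiservice v1beta1.metrics.k8s.io -o jsonpath='{.status.conditions[?(@.type=="Available")].status}'` compared against `True` is the precise form and needs no `grep`. The manifest also keeps upstream's `insecureSkipTLSVerify: true` on the APIService and the optional `--kubelet-insecure-tls` behind `.Values.metrics.insecure`; both are upstream defaults, but the values documentation should say that `metrics.insecure` disables kubelet certificate verification cluster-wide, and the image is still pulled from `k8s.gcr.io`, which upstream has retired in favour of `registry.k8s.io`.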
+++ b/charts/avesha/kubeslice-worker/templates/preinstall-job.yaml
@@ -0,0 +1,40 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: "{{ .Release.Name }}-preinstall-job"
+ namespace: kubeslice-system
+ labels:
+ app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+ app.kubernetes.io/instance: {{ .Release.Name | quote }}
+ app.kubernetes.io/version: {{ .Chart.AppVersion }}
+ helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+ annotations:
+ # This is what defines this resource as a hook. Without this line, the
+ # job is considered part of the release.
+ "helm.sh/hook": pre-install,pre-upgrade
+ "helm.sh/hook-weight": "-6"
+ "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded,hook-failed
+spec:
+ template:
+ metadata:
+ name: "{{ .Release.Name }}"
+ labels:
+ app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+ app.kubernetes.io/instance: {{ .Release.Name | quote }}
+ helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+ spec:
+ restartPolicy: Never
+ serviceAccountName: kubeslice-preinstall
+ containers:
+ - name: pre-install-job
+ image: "alpine/k8s:1.22.9"
+ imagePullPolicy: IfNotPresent
+ command: ["/bin/bash","/opt/scripts/pre-install.sh"]
+ volumeMounts:
+ - name: config-volume
+ mountPath: /opt/scripts
+ volumes:
+ - name: config-volume
+ configMap:
+ name: {{ .Release.Name }}-preinstall-configmap
+ defaultMode: 0777
diff --git a/charts/avesha/kubeslice-worker/templates/preinstall-rbac.yaml b/charts/avesha/kubeslice-worker/templates/preinstall-rbac.yaml
new file mode 100644
index 000000000..8c22a959f
--- /dev/null
+++ b/charts/avesha/kubeslice-worker/templates/preinstall-rbac.yaml
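Review bot: `defaultMode: 0777` on the `config-volume` ConfigMap mount grants write bits that a ConfigMap volume cannot honour (it is mounted read-only) and that the script never needs; `defaultMode: 0555` gives read and execute and nothing more. The Job also hard-codes `namespace: kubeslice-system`, whereas `cleanUp.yaml` and `kubeslice-predelete-hook.yaml` in this same commit use `{{ .Release.Namespace }}`; installing the release into any other namespace then creates the hook Job, and the `kubeslice-preinstall` ServiceAccount it runs as, in a namespace the release does not own. Use `namespace: {{ .Release.Namespace }}` here and in `preinstall-rbac.yaml`/`preinstall-configmap.yaml` for consistency, or add a comment explaining why the pre-install hook must live in `kubeslice-system`.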
@@ -0,0 +1,128 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: kubeslice-preinstall + namespace: kubeslice-system + labels: + app.kubernetes.io/managed-by: {{ .Release.Service | quote }} + app.kubernetes.io/instance: {{ .Release.Name | quote }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" + annotations: + # This is what defines this resource as a hook. Without this line, the + # job is considered part of the release. + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-weight": "-10" + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded,hook-failed +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kubeslice-preinstall-role + namespace: kubeslice-system + labels: + app.kubernetes.io/managed-by: {{ .Release.Service | quote }} + app.kubernetes.io/instance: {{ .Release.Name | quote }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" + annotations: + # This is what defines this resource as a hook. Without this line, the + # job is considered part of the release. 
+ "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-weight": "-9" + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded,hook-failed +rules: + - apiGroups: + - "" + resources: + - serviceaccounts + - services + verbs: + - get + - create + - update + - apiGroups: + - "" + resources: + - nodes + - pods + - nodes/metrics + - configmaps + verbs: + - get + - list + - watch + - apiGroups: + - "authentication.k8s.io" + resources: + - tokenreviews + verbs: + - create + - update + - apiGroups: + - "authorization.k8s.io" + resources: + - subjectaccessreviews + verbs: + - create + - update + - apiGroups: + - "rbac.authorization.k8s.io" + resources: + - clusterroles + - rolebindings + - clusterrolebindings + verbs: + - get + - create + - update + - apiGroups: + - apps + resources: + - deployments + verbs: + - get + - create + - update + - patch + - apiGroups: + - "apiregistration.k8s.io" + resources: + - apiservices + verbs: + - get + - create + - apiGroups: + - "metrics.k8s.io" + resources: + - nodes + - pods + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: kubeslice-preinstall-rolebinding + namespace: kubeslice-system + labels: + app.kubernetes.io/managed-by: {{ .Release.Service | quote }} + app.kubernetes.io/instance: {{ .Release.Name | quote }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" + annotations: + # This is what defines this resource as a hook. Without this line, the + # job is considered part of the release. + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-weight": "-8" + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded,hook-failed +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: kubeslice-preinstall-role +subjects: + - kind: ServiceAccount + name: kubeslice-preinstall + namespace: kubeslice-system 
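Review bot: The `kubeslice-preinstall-role` ClusterRole grants cluster-wide `get`/`create`/`update` on `clusterroles`, `rolebindings` and `clusterrolebindings` with no `resourceNames`, so the hook service account can modify any RBAC binding in the cluster rather than only the metrics-server objects the pre-install script applies; `create` cannot be name-scoped, but the `get` and `update` verbs can be split into a rule with `resourceNames` listing the metrics-server role and binding names. The `tokenreviews`/`subjectaccessreviews` and `nodes/metrics` grants appear to exist only because the API server's escalation check requires whoever creates the metrics-server ClusterRole to already hold every permission it grants; that is non-obvious and deserves a comment such as `# held only so the hook may create the metrics-server ClusterRole (RBAC escalation check)`. `namespace: kubeslice-system` under the metadata of the cluster-scoped ClusterRole and ClusterRoleBinding is not applicable to those kinds and is presumably ignored, but it misleads readers into thinking the grant is namespace-bound; drop it from both. The same unquoted `app.kubernetes.io/version: {{ .Chart.AppVersion }}` label appears on all three objects here and should use `| quote` like the neighbouring values.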
diff --git a/charts/avesha/kubeslice-worker/templates/upgrade-crds.yaml b/charts/avesha/kubeslice-worker/templates/upgrade-crds.yaml new file mode 100644 index 000000000..497ee2d20 --- /dev/null +++ b/charts/avesha/kubeslice-worker/templates/upgrade-crds.yaml 
@@ -0,0 +1,1353 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: kubeslice-install-crds + namespace: kubeslice-system + labels: + app.kubernetes.io/managed-by: {{ .Release.Service | quote }} + app.kubernetes.io/instance: {{ .Release.Name | quote }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" + annotations: + "helm.sh/hook": pre-install,pre-upgrade,pre-rollback + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded + "helm.sh/hook-weight": "1" +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: kubeslice-install-crds + annotations: + "helm.sh/hook": pre-install,pre-upgrade,pre-rollback + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded + "helm.sh/hook-weight": "1" + labels: + app.kubernetes.io/name: kubeslice + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: kubeslice-install-crds +subjects: +- kind: ServiceAccount + name: kubeslice-install-crds + namespace: kubeslice-system + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kubeslice-install-crds + annotations: + "helm.sh/hook": pre-install,pre-upgrade,pre-rollback + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded + "helm.sh/hook-weight": "1" + labels: + app.kubernetes.io/name: kubeslice + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} +rules: +- apiGroups: + - "apiextensions.k8s.io" + resources: + - customresourcedefinitions + verbs: + - get + - list + - patch + - update + - create +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: kubeslice-install-crds + annotations: + "helm.sh/hook": pre-install,pre-upgrade,pre-rollback + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded + "helm.sh/hook-weight": "1" + 
labels: + app.kubernetes.io/name: kubeslice + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} +data: + crds.yaml: | + --- + apiVersion: apiextensions.k8s.io/v1 + kind: CustomResourceDefinition + metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.7.0 + creationTimestamp: null + name: sliceresourcequotas.networking.kubeslice.io + spec: + group: networking.kubeslice.io + names: + kind: SliceResourceQuota + listKind: SliceResourceQuotaList + plural: sliceresourcequotas + singular: sliceresourcequota + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: SliceResourceQuota is the Schema for the sliceresourcequota API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + type: object + status: + properties: + clusterName: + description: ClusterName defines the name of the cluster for the ResourceQuota + type: string + configUpdatedOn: + format: int64 + type: integer + resourceQuotaProfile: + description: ResourceQuotaProfile defines the resource quota profile + for the slice + properties: + clusterQuota: + description: ClusterQuota defines the configuration for cluster + quota of a resource quota + properties: + namespaceQuota: + description: NamespaceQuota defines the configuration for + namespace quota of a ClusterQuota + items: + description: NamespaceQuota defines the configuration for + namespace quota of a ClusterQuota + properties: + enforceQuota: + default: false + description: EnforceQuota defines the enforceQuota status + flag for NamespaceQuota + type: boolean + namespace: + description: Namespace defines the namespace of the + NamespaceQuota + type: string + resources: + description: Resources defines the configuration for + resources for NamespaceQuota + properties: + defaultLimitPerContainer: + description: DefaultResourcePerContainerList is + a set of (resource name, quantity) pairs. + properties: + cpu: + anyOf: + - type: integer + - type: string + description: CPU in cores. (500m = .5 cores) + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + ephemeralStorage: + anyOf: + - type: integer + - type: string + description: EphemeralStorage Local ephemeral + storage, in bytes. (500Gi = 500GiB = 500 * + 1024 * 1024 * 1024) The resource name for + EphemeralStorage is alpha, and it can change + across releases. 
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + memory: + anyOf: + - type: integer + - type: string + description: Memory in bytes. (500Gi = 500GiB + = 500 * 1024 * 1024 * 1024) + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + defaultRequestPerContainer: + description: DefaultRequestPerContainer is a set + of (resource name, quantity) pairs. + properties: + cpu: + anyOf: + - type: integer + - type: string + description: CPU in cores. (500m = .5 cores) + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + ephemeralStorage: + anyOf: + - type: integer + - type: string + description: EphemeralStorage LoNamespaceResourceQuotaStatuscal + ephemeral storage, in bytes. (500Gi = 500GiB + = 500 * 1024 * 1024 * 1024) The resource name + for EphemeralStorage is alpha, and it can + change across releases. + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + memory: + anyOf: + - type: integer + - type: string + description: Memory in bytes. (500Gi = 500GiB + = 500 * 1024 * 1024 * 1024) + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + limit: + properties: + cpu: + anyOf: + - type: integer + - type: string + description: CPU in cores. 
(500m = .5 cores) + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + ephemeralStorage: + anyOf: + - type: integer + - type: string + description: EphemeralStorage Local ephemeral + storage, in bytes. (500Gi = 500GiB = 500 * + 1024 * 1024 * 1024) The resource name for + EphemeralStorage is alpha, and it can change + across releases. + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + memory: + anyOf: + - type: integer + - type: string + description: Memory in bytes. (500Gi = 500GiB + = 500 * 1024 * 1024 * 1024) + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + podCount: + description: PodCount in number. + format: int64 + type: integer + type: object + request: + description: RequestResourceList is a set of (resource + name, quantity) pairs. + properties: + cpu: + anyOf: + - type: integer + - type: string + description: CPU in cores. (500m = .5 cores) + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + ephemeralStorage: + anyOf: + - type: integer + - type: string + description: EphemeralStorage Local ephemeral + storage, in bytes. (500Gi = 500GiB = 500 * + 1024 * 1024 * 1024) The resource name for + EphemeralStorage is alpha, and it can change + across releases. + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + memory: + anyOf: + - type: integer + - type: string + description: Memory in bytes. 
(500Gi = 500GiB + = 500 * 1024 * 1024 * 1024) + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + type: object + type: object + type: array + resources: + description: Resources defines the configuration for resources + for ClusterQuota + properties: + limit: + properties: + cpu: + anyOf: + - type: integer + - type: string + description: CPU in cores. (500m = .5 cores) + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + ephemeralStorage: + anyOf: + - type: integer + - type: string + description: EphemeralStorage Local ephemeral storage, + in bytes. (500Gi = 500GiB = 500 * 1024 * 1024 * + 1024) The resource name for EphemeralStorage is + alpha, and it can change across releases. + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + memory: + anyOf: + - type: integer + - type: string + description: Memory in bytes. (500Gi = 500GiB = 500 + * 1024 * 1024 * 1024) + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + podCount: + description: PodCount in number. + format: int64 + type: integer + type: object + request: + description: RequestResourceList is a set of (resource + name, quantity) pairs. + properties: + cpu: + anyOf: + - type: integer + - type: string + description: CPU in cores. (500m = .5 cores) + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + ephemeralStorage: + anyOf: + - type: integer + - type: string + description: EphemeralStorage Local ephemeral storage, + in bytes. 
(500Gi = 500GiB = 500 * 1024 * 1024 * + 1024) The resource name for EphemeralStorage is + alpha, and it can change across releases. + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + memory: + anyOf: + - type: integer + - type: string + description: Memory in bytes. (500Gi = 500GiB = 500 + * 1024 * 1024 * 1024) + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + type: object + type: object + sliceQuota: + description: SliceQuota defines the configuration for slice quota + of a resource quota + properties: + resources: + description: Resources defines the configuration for resources + for SliceQuota + properties: + defaultRequestPerContainer: + description: DefaultRequestPerContainer is a set of (resource + name, quantity) pairs. + properties: + cpu: + anyOf: + - type: integer + - type: string + description: CPU in cores. (500m = .5 cores) + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + ephemeralStorage: + anyOf: + - type: integer + - type: string + description: EphemeralStorage LoNamespaceResourceQuotaStatuscal + ephemeral storage, in bytes. (500Gi = 500GiB = 500 + * 1024 * 1024 * 1024) The resource name for EphemeralStorage + is alpha, and it can change across releases. + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + memory: + anyOf: + - type: integer + - type: string + description: Memory in bytes. 
(500Gi = 500GiB = 500 + * 1024 * 1024 * 1024) + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + limit: + properties: + cpu: + anyOf: + - type: integer + - type: string + description: CPU in cores. (500m = .5 cores) + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + ephemeralStorage: + anyOf: + - type: integer + - type: string + description: EphemeralStorage Local ephemeral storage, + in bytes. (500Gi = 500GiB = 500 * 1024 * 1024 * + 1024) The resource name for EphemeralStorage is + alpha, and it can change across releases. + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + memory: + anyOf: + - type: integer + - type: string + description: Memory in bytes. (500Gi = 500GiB = 500 + * 1024 * 1024 * 1024) + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + podCount: + description: PodCount in number. + format: int64 + type: integer + type: object + request: + description: RequestResourceList is a set of (resource + name, quantity) pairs. + properties: + cpu: + anyOf: + - type: integer + - type: string + description: CPU in cores. (500m = .5 cores) + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + ephemeralStorage: + anyOf: + - type: integer + - type: string + description: EphemeralStorage Local ephemeral storage, + in bytes. (500Gi = 500GiB = 500 * 1024 * 1024 * + 1024) The resource name for EphemeralStorage is + alpha, and it can change across releases. 
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + memory: + anyOf: + - type: integer + - type: string + description: Memory in bytes. (500Gi = 500GiB = 500 + * 1024 * 1024 * 1024) + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + type: object + type: object + type: object + sliceName: + description: SliceName defines the name of the slice for the ResourceQuota + type: string + sliceResourceQuotaStatus: + description: WorkerSliceResourceQuotaStatus defines the observed state + of WorkerSliceResourceQuota + properties: + clusterResourceQuotaStatus: + properties: + namespaceResourceQuotaStatus: + items: + properties: + namespace: + type: string + requestResourceUsage: + description: RequestResourceList is a set of (resource + name, quantity) pairs. + properties: + cpu: + anyOf: + - type: integer + - type: string + description: CPU in cores. (500m = .5 cores) + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + ephemeralStorage: + anyOf: + - type: integer + - type: string + description: EphemeralStorage Local ephemeral storage, + in bytes. (500Gi = 500GiB = 500 * 1024 * 1024 + * 1024) The resource name for EphemeralStorage + is alpha, and it can change across releases. + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + memory: + anyOf: + - type: integer + - type: string + description: Memory in bytes. 
(500Gi = 500GiB = + 500 * 1024 * 1024 * 1024) + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + resourceUsage: + properties: + cpu: + anyOf: + - type: integer + - type: string + description: CPU in cores. (500m = .5 cores) + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + ephemeralStorage: + anyOf: + - type: integer + - type: string + description: EphemeralStorage Local ephemeral storage, + in bytes. (500Gi = 500GiB = 500 * 1024 * 1024 + * 1024) The resource name for EphemeralStorage + is alpha, and it can change across releases. + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + memory: + anyOf: + - type: integer + - type: string + description: Memory in bytes. (500Gi = 500GiB = + 500 * 1024 * 1024 * 1024) + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + podCount: + description: PodCount in number. + format: int64 + type: integer + type: object + type: object + type: array + requestResourceUsage: + description: RequestResourceList is a set of (resource name, + quantity) pairs. + properties: + cpu: + anyOf: + - type: integer + - type: string + description: CPU in cores. (500m = .5 cores) + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + ephemeralStorage: + anyOf: + - type: integer + - type: string + description: EphemeralStorage Local ephemeral storage, + in bytes. (500Gi = 500GiB = 500 * 1024 * 1024 * 1024) + The resource name for EphemeralStorage is alpha, and + it can change across releases. 
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + memory: + anyOf: + - type: integer + - type: string + description: Memory in bytes. (500Gi = 500GiB = 500 * + 1024 * 1024 * 1024) + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + resourceUsage: + properties: + cpu: + anyOf: + - type: integer + - type: string + description: CPU in cores. (500m = .5 cores) + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + ephemeralStorage: + anyOf: + - type: integer + - type: string + description: EphemeralStorage Local ephemeral storage, + in bytes. (500Gi = 500GiB = 500 * 1024 * 1024 * 1024) + The resource name for EphemeralStorage is alpha, and + it can change across releases. + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + memory: + anyOf: + - type: integer + - type: string + description: Memory in bytes. (500Gi = 500GiB = 500 * + 1024 * 1024 * 1024) + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + podCount: + description: PodCount in number. 
+ format: int64 + type: integer + type: object + type: object + type: object + type: object + type: object + served: true + storage: true + subresources: + status: {} + status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] + + --- + apiVersion: apiextensions.k8s.io/v1 + kind: CustomResourceDefinition + metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.7.0 + creationTimestamp: null + name: serviceexports.networking.kubeslice.io + spec: + group: networking.kubeslice.io + names: + kind: ServiceExport + listKind: ServiceExportList + plural: serviceexports + shortNames: + - svcex + singular: serviceexport + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.slice + name: Slice + type: string + - jsonPath: .spec.ingressEnabled + name: Ingress + type: boolean + - jsonPath: .status.exposedPorts + name: Port(s) + type: string + - jsonPath: .status.availableEndpoints + name: Endpoints + type: integer + - jsonPath: .status.exportStatus + name: Status + type: string + name: v1beta1 + schema: + openAPIV3Schema: + description: ServiceExport is the Schema for the serviceexports API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ServiceExportSpec defines the desired state of ServiceExport + properties: + ingressEnabled: + description: IngressEnabled denotes whether the traffic should be + proxied through an ingress gateway + type: boolean + ports: + description: Ports which should be exposed through the service + items: + description: ServicePort is the port exposed by ServicePod + properties: + containerPort: + description: Port number exposed from the container + format: int32 + type: integer + name: + description: Name of the port + type: string + protocol: + default: TCP + description: Protocol for port. Must be UDP, TCP, or SCTP. Defaults + to "TCP". + type: string + required: + - containerPort + type: object + type: array + selector: + description: Selector is a label query over pods that should be exposed + as a service + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement is a selector that + contains values, a key, and an operator that relates the key + and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: operator represents a key's relationship to + a set of values. Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of string values. If the + operator is In or NotIn, the values array must be non-empty. + If the operator is Exists or DoesNotExist, the values + array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single + {key,value} in the matchLabels map is equivalent to an element + of matchExpressions, whose key field is "key", the operator + is "In", and the values array contains only "value". The requirements + are ANDed. + type: object + type: object + slice: + description: Slice denotes the slice which the app is part of + type: string + required: + - ports + - selector + - slice + type: object + status: + description: ServiceExportStatus defines the observed state of ServiceExport + properties: + availableEndpoints: + description: AvailableEndpoints shows the number of available endpoints + type: integer + dnsName: + description: DNSName is the FQDN to reach the service + type: string + exportStatus: + description: ExportStatus denotes the export status of the service + type: string + exposedPorts: + description: ExposedPorts shows a one line representation of ports + and protocols exposed only used to show as a printercolumn + type: string + ingressGwEnabled: + description: IngressGwEnabled denotes ingress gw is enabled for the + serviceexport + type: boolean + ingressGwPod: + description: IngressGwPod contains ingress gateway pod info + properties: + name: + description: Name of the pod + type: string + nsmIp: + description: NsmIP of the pod which is reachable within slice + type: string + required: + - name + type: object + lastSync: + description: Last sync time with backend + format: int64 + type: integer + pods: + description: Pods denotes the service endpoint pods + items: + description: ServicePod contains pod information which offers a + service + properties: + dnsName: + description: DNSName is the dns A record name for the pod + type: string + name: + description: Name of the pod + type: string + nsmIp: + description: NsmIP of the pod which is 
reachable within slice + type: string + podIp: + description: PodIp of the pod which is reachable within cluster + type: string + required: + - dnsName + - name + - podIp + type: object + type: array + type: object + type: object + served: true + storage: true + subresources: + status: {} + status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] + + --- + apiVersion: apiextensions.k8s.io/v1 + kind: CustomResourceDefinition + metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.7.0 + creationTimestamp: null + name: serviceimports.networking.kubeslice.io + spec: + group: networking.kubeslice.io + names: + kind: ServiceImport + listKind: ServiceImportList + plural: serviceimports + shortNames: + - svcim + singular: serviceimport + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.slice + name: Slice + type: string + - jsonPath: .status.exposedPorts + name: Port(s) + type: string + - jsonPath: .status.availableEndpoints + name: Endpoints + type: integer + - jsonPath: .status.importStatus + name: Status + type: string + name: v1beta1 + schema: + openAPIV3Schema: + description: ServiceImport is the Schema for the serviceimports API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ServiceImportSpec defines the desired state of ServiceImport + properties: + dnsName: + description: DNSName shows the FQDN to reach the service + type: string + ports: + description: Ports which should be exposed through the service + items: + description: ServicePort is the port exposed by ServicePod + properties: + containerPort: + description: Port number exposed from the container + format: int32 + type: integer + name: + description: Name of the port + type: string + protocol: + default: TCP + description: Protocol for port. Must be UDP, TCP, or SCTP. Defaults + to "TCP". + type: string + required: + - containerPort + type: object + type: array + slice: + description: Slice denotes the slice which the app is part of + type: string + required: + - dnsName + - ports + - slice + type: object + status: + description: ServiceImportStatus defines the observed state of ServiceImport + properties: + availableEndpoints: + description: AvailableEndpoints shows the number of available endpoints + type: integer + endpoints: + description: Endpoints which provide the service + items: + description: ServiceEndpoint contains details of a single endpoint + which offers a particular service + properties: + clusterId: + description: ClusterID which the endpoint belongs to + type: string + dnsName: + description: DNSName + type: string + ip: + description: IP of the pod which is reachable within slice + type: string + name: + description: Name of the endpoint + type: string + port: + description: Port to reach the endpoint + format: int32 + type: integer + required: + - clusterId + - dnsName + - ip + - port + type: object + type: array + exposedPorts: + description: ExposedPorts shows a one line representation of ports + and protocols exposed only used to show as a printercolumn + type: string + 
importStatus: + description: ImportStatus denotes the status of the imported service + type: string + lastSync: + description: Last sync time with backend + format: int64 + type: integer + updatedOn: + description: Used to match if the service is updated from backend + format: int64 + type: integer + type: object + type: object + served: true + storage: true + subresources: + status: {} + status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] + networking.kubeslice.io_slicegateways.yaml: |2 + + --- + apiVersion: apiextensions.k8s.io/v1 + kind: CustomResourceDefinition + metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.7.0 + creationTimestamp: null + name: slicegateways.networking.kubeslice.io + spec: + group: networking.kubeslice.io + names: + kind: SliceGateway + listKind: SliceGatewayList + plural: slicegateways + shortNames: + - slicegw + singular: slicegateway + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .status.config.sliceGatewaySubnet + name: Subnet + type: string + - jsonPath: .status.config.sliceGatewayRemoteSubnet + name: Remote Subnet + type: string + - jsonPath: .status.config.sliceGatewayRemoteClusterId + name: Remote Cluster + type: string + - jsonPath: .status.config.sliceGatewayStatus + name: GW Status + type: string + name: v1beta1 + schema: + openAPIV3Schema: + description: SliceGateway is the Schema for the slicegateways API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. 
Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: SliceGatewaySpec defines the desired state of SliceGateway + properties: + siteName: + description: SiteName is site name + type: string + sliceName: + description: SliceName is the Name of the slice this gateway is attached + into + type: string + type: object + status: + description: SliceGatewayStatus defines the observed state of SliceGateway + properties: + config: + description: SliceGatewayConfig defines the config received from backend + properties: + sliceGatewayHostType: + description: 'Host Type : server or client' + type: string + sliceGatewayId: + description: UUID of the slice gateway. + type: string + sliceGatewayLocalVpnIp: + description: Local VPN IP + type: string + sliceGatewayName: + description: Slice Gateway Name + type: string + sliceGatewayNodePort: + description: Node port + type: integer + sliceGatewayRemoteClusterId: + description: Remote Cluster ID + type: string + sliceGatewayRemoteGatewayId: + description: Remote Gateway ID + type: string + sliceGatewayRemoteNodeIp: + description: Remote Node IP + type: string + sliceGatewayRemoteNodePort: + description: Remote Node Port + type: integer + sliceGatewayRemoteSubnet: + description: Remote Node Subnet + type: string + sliceGatewayRemoteVpnIp: + description: Remote VPN IP + type: string + sliceGatewayStatus: + description: SliceGateway status + type: string + sliceGatewaySubnet: + description: Slice gateway subnet range. + type: string + sliceName: + description: Name of the slice. + type: string + sliceSiteName: + description: Slice gateway subnet range. 
+ type: string + type: object + configUpdatedOn: + description: ConfigUpdatedOn is the time when Config updated from + backend + format: int64 + type: integer + connectionContextUpdatedOn: + description: ConnectionContextUpdated is the time when context updated + in pod + format: int64 + type: integer + localIp: + description: LocalIP is the gateway tunnel ip + type: string + localNsmIp: + description: LocalNsmIP is the IP on the nsm interface to Slice Router + type: string + peerIp: + description: PeerIP is the gateway tunnel peer ip + type: string + podIp: + description: PodIP is the Ip of the gateway pod running in cluster + type: string + podName: + description: PodName is the name of the gateway pod running in cluster + type: string + podStatus: + description: PodStatus shows whether gateway pod is healthy + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} + status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] + networking.kubeslice.io_slices.yaml: |2- + + --- + apiVersion: apiextensions.k8s.io/v1 + kind: CustomResourceDefinition + metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.7.0 + creationTimestamp: null + name: slices.networking.kubeslice.io + spec: + group: networking.kubeslice.io + names: + kind: Slice + listKind: SliceList + plural: slices + singular: slice + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + description: Slice is the Schema for the slices API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. 
Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: SliceSpec defines the desired state of Slice + type: object + status: + description: SliceStatus defines the observed state of Slice + properties: + allowedNamespaces: + description: Slice Allowed Namespace list + items: + type: string + type: array + appPods: + description: AppPods contains the list of app pods connected to the + slice + items: + description: AppPod defines the app pods connected to slice + properties: + nsmInterface: + description: NsmInterface is the nsm interface of App + type: string + nsmIp: + description: NsmIP is the nsm ip of App + type: string + nsmPeerIp: + description: PeerIp is the nsm peer ip of gateway + type: string + podIp: + description: PodIP is App Pod IP + type: string + podName: + description: PodName is App Pod Name + type: string + podNamespace: + description: PodNamespace is App Pod Namespace + type: string + type: object + type: array + appPodsUpdatedOn: + description: AppPodsUpdatedOn is the time when app pods list was updated + format: int64 + type: integer + applicationNamespaces: + description: Slice Application Namespace list + items: + type: string + type: array + dnsIP: + description: DNSIP is the IP of Coredns server + type: string + networkPoliciesInstalled: + default: false + description: NetworkPoliciesInstalled defines whether the netpol are + installed in atleast one applicationNamespace + type: boolean + sliceConfig: + description: SliceConfig is the spec for slice received from hub cluster + properties: + clusterSubnetCIDR: + description: ClusterSubnetCIDR is the subnet to be used by the + current cluster + type: string + externalGatewayConfig: + description: ExternalGatewayConfig determines istio ingress/egress + configuration + 
properties: + egress: + properties: + enabled: + type: boolean + type: object + gatewayType: + type: string + ingress: + properties: + enabled: + type: boolean + type: object + nsIngress: + properties: + enabled: + type: boolean + type: object + type: object + namespaceIsolationProfile: + description: Namespace Isolation profile contains fields related + to namespace binding to slice + properties: + allowedNamespaces: + description: Allowed namespaces is a list of namespaces that + can send and receive traffic to app namespaces + items: + type: string + type: array + applicationNamespaces: + description: Application namespaces is a list of namespaces + that are bound to the slice + items: + type: string + type: array + isolationEnabled: + default: false + description: Enable Namespace Isolation in the slice + type: boolean + type: object + qosProfileDetails: + description: QOS profile details + properties: + bandwidthCeilingKbps: + description: Bandwidth Ceiling eg:5000 + type: integer + bandwidthGuaranteedKbps: + description: Bandwidth Guaranteed eg:4000 + type: integer + dscpClass: + description: DSCP code for inter cluster traffic + type: string + priority: + description: Priority 0-3 + type: integer + queueType: + description: Queue Type + type: string + tcType: + description: TC type + type: string + type: object + sliceDisplayName: + description: display name of the slice. + type: string + sliceId: + description: UUID of the slice. + type: string + sliceIpam: + description: IPAM configuration for the slice + properties: + ipamClusterOctet: + description: Cluster specific octet for IPAM root subnet + type: integer + sliceIpamType: + description: IPAM Type for slice + type: string + required: + - sliceIpamType + type: object + sliceSubnet: + description: IP subnet range of the slice. + type: string + sliceType: + description: Type of the slice. 
+ type: string + required: + - qosProfileDetails + - sliceDisplayName + - sliceId + - sliceIpam + - sliceSubnet + - sliceType + type: object + type: object + type: object + served: true + storage: true + subresources: + status: {} + status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: kubeslice-install-crds + namespace: kubeslice-system + annotations: + "helm.sh/hook": pre-install,pre-upgrade,pre-rollback + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded + "helm.sh/hook-weight": "2" + labels: + app.kubernetes.io/name: kubeslice + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} +spec: + backoffLimit: 3 + template: + metadata: + name: kubeslice-install-crds + spec: + serviceAccountName: kubeslice-install-crds + containers: + - name: kubectl + image: "alpine/k8s:1.22.9" + command: + - /bin/sh + - -c + - kubectl apply -f /tmp/crds.yaml + volumeMounts: + - mountPath: /tmp + name: crds + volumes: + - name: crds + configMap: + name: kubeslice-install-crds + items: + - key: "crds.yaml" + path: "crds.yaml" + restartPolicy: OnFailure diff --git a/charts/avesha/kubeslice-worker/templates/webhook.yaml b/charts/avesha/kubeslice-worker/templates/webhook.yaml index b9f8bf43e..f51a31d99 100644 --- a/charts/avesha/kubeslice-worker/templates/webhook.yaml +++ b/charts/avesha/kubeslice-worker/templates/webhook.yaml @@ -38,11 +38,12 @@ webhooks: service: name: kubeslice-webhook-service namespace: {{ .Release.Namespace }} - path: /mutate-appsv1-deploy + path: /mutate-webhook failurePolicy: Fail - name: mdeploy.avesha.io + name: webhook.kubeslice.io rules: - apiGroups: + - "" - apps apiVersions: - v1 
@@ -50,17 +51,26 @@ webhooks: - CREATE - UPDATE resources: + - pods - deployments + - statefulsets + - daemonsets sideEffects: NoneOnDryRun namespaceSelector: matchExpressions: + - key: kubeslice.io/slice + operator: Exists - key: name operator: NotIn values: - - kube-system - - {{ .Release.Namespace }} + - kube-system + - spire + - {{ .Release.Namespace | quote}} + - {{ .Values.controllerNamespace | quote }} - key: kubernetes.io/metadata.name operator: NotIn values: - - kube-system - - {{ .Release.Namespace }} + - kube-system + - spire + - {{ .Release.Namespace | quote }} + - {{ .Values.controllerNamespace | quote }} diff --git a/charts/avesha/kubeslice-worker/values.yaml b/charts/avesha/kubeslice-worker/values.yaml index dfd8197e6..36ffde5b9 100644 --- a/charts/avesha/kubeslice-worker/values.yaml +++ b/charts/avesha/kubeslice-worker/values.yaml @@ -1,6 +1,6 @@ operator: image: docker.io/aveshasystems/worker-operator-ent - tag: 0.2.1 + tag: 0.5.0 pullPolicy: IfNotPresent logLevel: INFO 
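Review bot: The namespace exclusions in the new `namespaceSelector` still rely partly on the user-settable `name` label, so anyone who can label their namespace `name=kube-system` (or `name=spire`) opts it out of this mutating webhook even though it carries `kubeslice.io/slice`; only the `kubernetes.io/metadata.name` expression is API-server managed and immutable. Either drop the `name`-label expression or mark it as best-effort with a comment such as `# kubernetes.io/metadata.name is the authoritative exclusion; the name label is only a fallback for clusters without it`. With `failurePolicy: Fail` (context in the preceding hunk) the addition of `pods` means an outage of kubeslice-webhook-service now blocks every pod create/update in slice-labelled namespaces, which should be stated in the chart docs and is a reason to set an explicit `timeoutSeconds`. The `spire` exclusion is hard-coded while the controller namespace is templated; if the SPIRE namespace is configurable elsewhere in the chart it should come from values as well.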
@@ -17,51 +17,55 @@ cluster: endpoint: router: - image: docker.io/aveshasystems/vl3_ucnf-nse + image: docker.io/aveshasystems/cmd-nse-vl3 tag: 1.0.0 - pullPolicy: IfNotPresent + pullPolicy: IfNotPresent routerSidecar: - image: docker.io/aveshasystems/kubeslice-router-sidecar-ent - tag: 0.1.1 + image: docker.io/aveshasystems/kubeslice-router-sidecar + tag: 0.3.1 pullPolicy: IfNotPresent netop: - networkInterface: - image: docker.io/aveshasystems/netops-ent - tag: 0.1.0 + networkInterface: eth0 + image: docker.io/aveshasystems/netops + tag: 0.1.1 pullPolicy: IfNotPresent gateway: - image: docker.io/aveshasystems/gw-sidecar-ent - tag: 0.1.3 + image: docker.io/aveshasystems/gw-sidecar + tag: 0.1.4 pullPolicy: IfNotPresent logLevel: INFO openvpn: server: - image: docker.io/aveshasystems/openvpn-server.ubuntu.18.04 - tag: 1.0.0 + image: docker.io/aveshasystems/openvpn-server.alpine.amd64 + tag: 1.0.1 pullPolicy: IfNotPresent client: image: docker.io/aveshasystems/openvpn-client.alpine.amd64 - tag: 1.0.0 + tag: 1.0.1 pullPolicy: IfNotPresent dns: image: docker.io/aveshasystems/dns - tag: 0.0.2 + tag: 0.0.3 pullPolicy: IfNotPresent -nsm: - forwardingPlane: kernel - jaeger: enabled: false +metrics: + insecure: false + metricResolution: "15s" + imagePullPolicy: IfNotPresent + # username & password & email values for imagePullSecrets has to provided to create a secret imagePullSecrets: repository: https://index.docker.io/v1/ username: password: email: + +controllerNamespace: kubeslice-controller diff --git a/charts/bitnami/airflow/Chart.lock b/charts/bitnami/airflow/Chart.lock index a812d85e1..a7afc847f 100644 --- a/charts/bitnami/airflow/Chart.lock +++ b/charts/bitnami/airflow/Chart.lock 
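Review bot: `metrics.insecure: false` is introduced with no comment saying what setting it to `true` relaxes (the template that reads it is not in this diff), so an operator cannot judge the risk of flipping it; add a comment above it along the lines of `# insecure: true disables <the check the metrics template actually skips> on the metrics endpoint — keep false outside test clusters`, filled in from the consuming template. Every image in this hunk is pinned by a mutable tag (`1.0.0`, `0.3.1`, `0.1.1`, `0.1.4`, `1.0.1`, `0.0.3`) with no digest, and several repositories change name in the same bump (`vl3_ucnf-nse` → `cmd-nse-vl3`, the `-ent` suffixes dropped), so a retagged image would be pulled silently; an optional `digest:` per image, as the Bitnami charts in this same commit expose, would let operators pin them. `netop.networkInterface` goes from empty to `eth0` with no note on what the empty value meant before or that the name must match the node's actual interface; a one-line comment there would save a misconfiguration on nodes whose primary interface is not `eth0`.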
@@ -4,9 +4,9 @@ dependencies: version: 17.6.0 - name: postgresql repository: https://charts.bitnami.com/bitnami - version: 12.1.10 + version: 12.1.14 - name: common repository: https://charts.bitnami.com/bitnami version: 2.2.2 -digest: sha256:ee18c87bfd8a3bd8527b9644a0e51112762fe1722d7b1e1a81f7c55617a4cf74 -generated: "2023-01-26T12:25:32.085167719Z" +digest: sha256:245de8b17e6c836197d271e160ba44ee3b6fb119ba8becc70e590bdcb0e3bc5f +generated: "2023-02-02T13:03:40.325978595Z" diff --git a/charts/bitnami/airflow/Chart.yaml b/charts/bitnami/airflow/Chart.yaml index 5a39ea1f7..c098419ce 100644 --- a/charts/bitnami/airflow/Chart.yaml +++ b/charts/bitnami/airflow/Chart.yaml @@ -38,4 +38,4 @@ name: airflow sources: - https://github.com/bitnami/containers/tree/main/bitnami/airflow - https://airflow.apache.org/ -version: 14.0.10 +version: 14.0.11 diff --git a/charts/bitnami/airflow/README.md b/charts/bitnami/airflow/README.md index 258952cfd..44a164b05 100644 --- a/charts/bitnami/airflow/README.md +++ b/charts/bitnami/airflow/README.md @@ -92,7 +92,7 @@ The command removes all the Kubernetes components associated with the chart and | `dags.existingConfigmap` | Name of an existing ConfigMap with all the DAGs files you want to load in Airflow | `""` | | `dags.image.registry` | Init container load-dags image registry | `docker.io` | | `dags.image.repository` | Init container load-dags image repository | `bitnami/bitnami-shell` | -| `dags.image.tag` | Init container load-dags image tag (immutable tags are recommended) | `11-debian-11-r76` | +| `dags.image.tag` | Init container load-dags image tag (immutable tags are recommended) | `11-debian-11-r79` | | `dags.image.digest` | Init container load-dags image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | | `dags.image.pullPolicy` | Init container load-dags image pull policy | `IfNotPresent` | | `dags.image.pullSecrets` | Init container load-dags image pull secrets | `[]` | 
@@ -112,7 +112,7 @@ The command removes all the Kubernetes components associated with the chart and | ------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------ | -------------------- | | `web.image.registry` | Airflow image registry | `docker.io` | | `web.image.repository` | Airflow image repository | `bitnami/airflow` | -| `web.image.tag` | Airflow image tag (immutable tags are recommended) | `2.5.1-debian-11-r2` | +| `web.image.tag` | Airflow image tag (immutable tags are recommended) | `2.5.1-debian-11-r5` | | `web.image.digest` | Airflow image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | | `web.image.pullPolicy` | Airflow image pull policy | `IfNotPresent` | | `web.image.pullSecrets` | Airflow image pull secrets | `[]` | @@ -188,7 +188,7 @@ The command removes all the Kubernetes components associated with the chart and | ------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------ | --------------------------- | | `scheduler.image.registry` | Airflow Scheduler image registry | `docker.io` | | `scheduler.image.repository` | Airflow Scheduler image repository | `bitnami/airflow-scheduler` | -| `scheduler.image.tag` | Airflow Scheduler image tag (immutable tags are recommended) | `2.5.1-debian-11-r1` | +| `scheduler.image.tag` | Airflow Scheduler image tag (immutable tags are recommended) | `2.5.1-debian-11-r5` | | `scheduler.image.digest` | Airflow Schefuler image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | | `scheduler.image.pullPolicy` | Airflow Scheduler image pull policy | `IfNotPresent` | | `scheduler.image.pullSecrets` | Airflow Scheduler image pull secrets | `[]` | 
@@ -243,7 +243,7 @@ The command removes all the Kubernetes components associated with the chart and | ---------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------ | ------------------------ | | `worker.image.registry` | Airflow Worker image registry | `docker.io` | | `worker.image.repository` | Airflow Worker image repository | `bitnami/airflow-worker` | -| `worker.image.tag` | Airflow Worker image tag (immutable tags are recommended) | `2.5.1-debian-11-r1` | +| `worker.image.tag` | Airflow Worker image tag (immutable tags are recommended) | `2.5.1-debian-11-r5` | | `worker.image.digest` | Airflow Worker image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | | `worker.image.pullPolicy` | Airflow Worker image pull policy | `IfNotPresent` | | `worker.image.pullSecrets` | Airflow Worker image pull secrets | `[]` | @@ -324,7 +324,7 @@ The command removes all the Kubernetes components associated with the chart and | ------------------------------ | --------------------------------------------------------------------------------------------------- | --------------------- | | `git.image.registry` | Git image registry | `docker.io` | | `git.image.repository` | Git image repository | `bitnami/git` | -| `git.image.tag` | Git image tag (immutable tags are recommended) | `2.39.1-debian-11-r3` | +| `git.image.tag` | Git image tag (immutable tags are recommended) | `2.39.1-debian-11-r6` | | `git.image.digest` | Git image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | | `git.image.pullPolicy` | Git image pull policy | `IfNotPresent` | | `git.image.pullSecrets` | Git image pull secrets | `[]` | 
@@ -420,7 +420,7 @@ The command removes all the Kubernetes components associated with the chart and | `metrics.enabled` | Whether or not to create a standalone Airflow exporter to expose Airflow metrics | `false` | | `metrics.image.registry` | Airflow exporter image registry | `docker.io` | | `metrics.image.repository` | Airflow exporter image repository | `bitnami/airflow-exporter` | -| `metrics.image.tag` | Airflow exporter image tag (immutable tags are recommended) | `0.20220314.0-debian-11-r84` | +| `metrics.image.tag` | Airflow exporter image tag (immutable tags are recommended) | `0.20220314.0-debian-11-r86` | | `metrics.image.digest` | Airflow exporter image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | | `metrics.image.pullPolicy` | Airflow exporter image pull policy | `IfNotPresent` | | `metrics.image.pullSecrets` | Airflow exporter image pull secrets | `[]` | diff --git a/charts/bitnami/airflow/charts/postgresql/Chart.yaml b/charts/bitnami/airflow/charts/postgresql/Chart.yaml index 78b34f246..57f3af1e1 100644 --- a/charts/bitnami/airflow/charts/postgresql/Chart.yaml +++ b/charts/bitnami/airflow/charts/postgresql/Chart.yaml @@ -28,4 +28,4 @@ name: postgresql sources: - https://github.com/bitnami/containers/tree/main/bitnami/postgresql - https://www.postgresql.org/ -version: 12.1.10 +version: 12.1.14 diff --git a/charts/bitnami/airflow/charts/postgresql/README.md b/charts/bitnami/airflow/charts/postgresql/README.md index c9e9dbec8..e6259ab32 100644 --- a/charts/bitnami/airflow/charts/postgresql/README.md +++ b/charts/bitnami/airflow/charts/postgresql/README.md 
@@ -7,7 +7,7 @@ PostgreSQL (Postgres) is an open source object-relational database known for rel [Overview of PostgreSQL](http://www.postgresql.org) Trademarks: This software listing is packaged by Bitnami. The respective trademarks mentioned in the offering are owned by the respective companies, and use of them does not imply any affiliation or endorsement. - + ## TL;DR ```console @@ -102,7 +102,7 @@ $ kubectl delete pvc -l release=my-release | ---------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------- | | `image.registry` | PostgreSQL image registry | `docker.io` | | `image.repository` | PostgreSQL image repository | `bitnami/postgresql` | -| `image.tag` | PostgreSQL image tag (immutable tags are recommended) | `15.1.0-debian-11-r20` | +| `image.tag` | PostgreSQL image tag (immutable tags are recommended) | `15.1.0-debian-11-r31` | | `image.digest` | PostgreSQL image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | | `image.pullPolicy` | PostgreSQL image pull policy | `IfNotPresent` | | `image.pullSecrets` | Specify image pull secrets | `[]` | 
@@ -383,7 +383,7 @@ $ kubectl delete pvc -l release=my-release | `volumePermissions.enabled` | Enable init container that changes the owner and group of the persistent volume | `false` | | `volumePermissions.image.registry` | Init container volume-permissions image registry | `docker.io` | | `volumePermissions.image.repository` | Init container volume-permissions image repository | `bitnami/bitnami-shell` | -| `volumePermissions.image.tag` | Init container volume-permissions image tag (immutable tags are recommended) | `11-debian-11-r69` | +| `volumePermissions.image.tag` | Init container volume-permissions image tag (immutable tags are recommended) | `11-debian-11-r79` | | `volumePermissions.image.digest` | Init container volume-permissions image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | | `volumePermissions.image.pullPolicy` | Init container volume-permissions image pull policy | `IfNotPresent` | | `volumePermissions.image.pullSecrets` | Init container volume-permissions image pull secrets | `[]` | @@ -412,7 +412,7 @@ $ kubectl delete pvc -l release=my-release | `metrics.enabled` | Start a prometheus exporter | `false` | | `metrics.image.registry` | PostgreSQL Prometheus Exporter image registry | `docker.io` | | `metrics.image.repository` | PostgreSQL Prometheus Exporter image repository | `bitnami/postgres-exporter` | -| `metrics.image.tag` | PostgreSQL Prometheus Exporter image tag (immutable tags are recommended) | `0.11.1-debian-11-r46` | +| `metrics.image.tag` | PostgreSQL Prometheus Exporter image tag (immutable tags are recommended) | `0.11.1-debian-11-r55` | | `metrics.image.digest` | PostgreSQL image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | | `metrics.image.pullPolicy` | PostgreSQL Prometheus Exporter image pull policy | `IfNotPresent` | | `metrics.image.pullSecrets` | Specify image pull secrets | `[]` | 
@@ -679,7 +679,7 @@ Refer to the [chart documentation for more information about how to upgrade from ## License -Copyright © 2022 Bitnami +Copyright © 2023 Bitnami Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. diff --git a/charts/bitnami/airflow/charts/postgresql/templates/primary/metrics-svc.yaml b/charts/bitnami/airflow/charts/postgresql/templates/primary/metrics-svc.yaml index 75a1b81be..a38b52a8a 100644 --- a/charts/bitnami/airflow/charts/postgresql/templates/primary/metrics-svc.yaml +++ b/charts/bitnami/airflow/charts/postgresql/templates/primary/metrics-svc.yaml @@ -9,6 +9,7 @@ metadata: {{- if .Values.commonLabels }} {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} {{- end }} + {{- if or .Values.commonAnnotations .Values.metrics.service.annotations }} annotations: {{- if .Values.commonAnnotations }} {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} @@ -16,6 +17,7 @@ metadata: {{- if .Values.metrics.service.annotations }} {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.service.annotations "context" $ ) | nindent 4 }} {{- end }} + {{- end }} spec: type: ClusterIP sessionAffinity: {{ .Values.metrics.service.sessionAffinity }} diff --git a/charts/bitnami/airflow/charts/postgresql/templates/primary/statefulset.yaml b/charts/bitnami/airflow/charts/postgresql/templates/primary/statefulset.yaml index 653138cde..0e312ea63 100644 --- a/charts/bitnami/airflow/charts/postgresql/templates/primary/statefulset.yaml +++ b/charts/bitnami/airflow/charts/postgresql/templates/primary/statefulset.yaml 
@@ -12,6 +12,7 @@ metadata: {{- if .Values.primary.labels }} {{- include "common.tplvalues.render" ( dict "value" .Values.primary.labels "context" $ ) | nindent 4 }} {{- end }} + {{- if or .Values.commonAnnotations .Values.primary.annotations }} annotations: {{- if .Values.commonAnnotations }} {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} @@ -19,6 +20,7 @@ metadata: {{- if .Values.primary.annotations }} {{- include "common.tplvalues.render" ( dict "value" .Values.primary.annotations "context" $ ) | nindent 4 }} {{- end }} + {{- end }} spec: replicas: 1 serviceName: {{ include "postgresql.primary.svc.headless" . }} @@ -39,6 +41,7 @@ spec: {{- if .Values.primary.podLabels }} {{- include "common.tplvalues.render" ( dict "value" .Values.primary.podLabels "context" $ ) | nindent 8 }} {{- end }} + {{- if or (include "postgresql.primary.createConfigmap" .) (include "postgresql.primary.createExtendedConfigmap" .) .Values.primary.podAnnotations }} annotations: {{- if (include "postgresql.primary.createConfigmap" .) }} checksum/configuration: {{ include (print $.Template.BasePath "/primary/configmap.yaml") . | sha256sum }} @@ -49,6 +52,7 @@ spec: {{- if .Values.primary.podAnnotations }} {{- include "common.tplvalues.render" ( dict "value" .Values.primary.podAnnotations "context" $ ) | nindent 8 }} {{- end }} + {{- end }} spec: {{- if .Values.primary.extraPodSpec }} {{- include "common.tplvalues.render" (dict "value" .Values.primary.extraPodSpec "context" $) | nindent 6 }} @@ -89,6 +93,7 @@ spec: {{- end }} hostNetwork: {{ .Values.primary.hostNetwork }} hostIPC: {{ .Values.primary.hostIPC }} + {{- if or (and .Values.tls.enabled (not .Values.volumePermissions.enabled)) (and .Values.volumePermissions.enabled (or .Values.primary.persistence.enabled .Values.shmVolume.enabled)) .Values.primary.initContainers }} initContainers: {{- if and .Values.tls.enabled (not .Values.volumePermissions.enabled) }} - name: copy-certs 
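Review bot: The new `{{- if or (and .Values.tls.enabled (not .Values.volumePermissions.enabled)) (and .Values.volumePermissions.enabled (or .Values.primary.persistence.enabled .Values.shmVolume.enabled)) .Values.primary.initContainers }}` guard restates the conditions of the individual init containers beneath it, of which only `copy-certs` is visible in this hunk; if an inner condition is later changed without updating the guard, that init container is silently dropped (or a bare `initContainers:` key reappears) with no template error. A template comment directly above the guard, `{{- /* must mirror the conditions of every init container below */ }}`, would make the coupling explicit; the same applies to the identical guard added in read/statefulset.yaml. The matching `{{- end }}` is in the next hunk, so the guarded region extends beyond this hunk.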
@@ -177,6 +182,7 @@ spec: {{- if .Values.primary.initContainers }} {{- include "common.tplvalues.render" ( dict "value" .Values.primary.initContainers "context" $ ) | nindent 8 }} {{- end }} + {{- end }} containers: - name: postgresql image: {{ include "postgresql.image" . }} diff --git a/charts/bitnami/airflow/charts/postgresql/templates/primary/svc.yaml b/charts/bitnami/airflow/charts/postgresql/templates/primary/svc.yaml index cf184809a..6ddd55b7b 100644 --- a/charts/bitnami/airflow/charts/postgresql/templates/primary/svc.yaml +++ b/charts/bitnami/airflow/charts/postgresql/templates/primary/svc.yaml @@ -8,6 +8,7 @@ metadata: {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} {{- end }} app.kubernetes.io/component: primary + {{- if or .Values.commonAnnotations .Values.primary.service.annotations }} annotations: {{- if .Values.commonAnnotations }} {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} @@ -15,6 +16,7 @@ metadata: {{- if .Values.primary.service.annotations }} {{- include "common.tplvalues.render" (dict "value" .Values.primary.service.annotations "context" $) | nindent 4 }} {{- end }} + {{- end }} spec: type: {{ .Values.primary.service.type }} {{- if or (eq .Values.primary.service.type "LoadBalancer") (eq .Values.primary.service.type "NodePort") }} diff --git a/charts/bitnami/airflow/charts/postgresql/templates/read/metrics-svc.yaml b/charts/bitnami/airflow/charts/postgresql/templates/read/metrics-svc.yaml index b3e54974e..6f54ed243 100644 --- a/charts/bitnami/airflow/charts/postgresql/templates/read/metrics-svc.yaml +++ b/charts/bitnami/airflow/charts/postgresql/templates/read/metrics-svc.yaml 
@@ -9,6 +9,7 @@ metadata: {{- if .Values.commonLabels }} {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} {{- end }} + {{- if or .Values.commonAnnotations .Values.metrics.service.annotations }} annotations: {{- if .Values.commonAnnotations }} {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} @@ -16,6 +17,7 @@ metadata: {{- if .Values.metrics.service.annotations }} {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.service.annotations "context" $ ) | nindent 4 }} {{- end }} + {{- end }} spec: type: ClusterIP sessionAffinity: {{ .Values.metrics.service.sessionAffinity }} diff --git a/charts/bitnami/airflow/charts/postgresql/templates/read/statefulset.yaml b/charts/bitnami/airflow/charts/postgresql/templates/read/statefulset.yaml index 80c8e8bba..6d35e4747 100644 --- a/charts/bitnami/airflow/charts/postgresql/templates/read/statefulset.yaml +++ b/charts/bitnami/airflow/charts/postgresql/templates/read/statefulset.yaml @@ -13,6 +13,7 @@ metadata: {{- if .Values.readReplicas.labels }} {{- include "common.tplvalues.render" ( dict "value" .Values.readReplicas.labels "context" $ ) | nindent 4 }} {{- end }} + {{- if or .Values.commonAnnotations .Values.readReplicas.annotations }} annotations: {{- if .Values.commonAnnotations }} {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} @@ -20,6 +21,7 @@ metadata: {{- if .Values.readReplicas.annotations }} {{- include "common.tplvalues.render" ( dict "value" .Values.readReplicas.annotations "context" $ ) | nindent 4 }} {{- end }} + {{- end }} spec: replicas: {{ .Values.readReplicas.replicaCount }} serviceName: {{ include "postgresql.readReplica.svc.headless" . }} 
@@ -40,6 +42,7 @@ spec: {{- if .Values.readReplicas.podLabels }} {{- include "common.tplvalues.render" ( dict "value" .Values.readReplicas.podLabels "context" $ ) | nindent 8 }} {{- end }} + {{- if or (include "postgresql.readReplicas.createExtendedConfigmap" .) .Values.readReplicas.podAnnotations }} annotations: {{- if (include "postgresql.readReplicas.createExtendedConfigmap" .) }} checksum/extended-configuration: {{ include (print $.Template.BasePath "/read/extended-configmap.yaml") . | sha256sum }} @@ -47,6 +50,7 @@ spec: {{- if .Values.readReplicas.podAnnotations }} {{- include "common.tplvalues.render" ( dict "value" .Values.readReplicas.podAnnotations "context" $ ) | nindent 8 }} {{- end }} + {{- end }} spec: {{- if .Values.readReplicas.extraPodSpec }} {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.extraPodSpec "context" $) | nindent 6 }} @@ -87,6 +91,7 @@ spec: {{- end }} hostNetwork: {{ .Values.readReplicas.hostNetwork }} hostIPC: {{ .Values.readReplicas.hostIPC }} + {{- if or (and .Values.tls.enabled (not .Values.volumePermissions.enabled)) (and .Values.volumePermissions.enabled (or .Values.readReplicas.persistence.enabled .Values.shmVolume.enabled)) .Values.readReplicas.initContainers }} initContainers: {{- if and .Values.tls.enabled (not .Values.volumePermissions.enabled) }} - name: copy-certs @@ -175,6 +180,7 @@ spec: {{- if .Values.readReplicas.initContainers }} {{- include "common.tplvalues.render" ( dict "value" .Values.readReplicas.initContainers "context" $ ) | nindent 8 }} {{- end }} + {{- end }} containers: - name: postgresql image: {{ include "postgresql.image" . }} diff --git a/charts/bitnami/airflow/charts/postgresql/templates/read/svc.yaml b/charts/bitnami/airflow/charts/postgresql/templates/read/svc.yaml index 3eece4dbb..c308c3f60 100644 --- a/charts/bitnami/airflow/charts/postgresql/templates/read/svc.yaml +++ b/charts/bitnami/airflow/charts/postgresql/templates/read/svc.yaml 
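Review bot: The guard added before `initContainers:` in the `@@ -87,6 +91,7 @@` hunk restates, in one `or`, the three conditions that the inner `{{- if ... }}` blocks already evaluate (the `copy-certs` container, the volume-permissions container and `readReplicas.initContainers`), so the two copies must now be edited in lockstep: a guard looser than the inner checks brings back the empty `initContainers:` key this commit removes, and a tighter one silently drops a container. Only the `copy-certs` condition is visible in this hunk, so I cannot confirm that the volume-permissions branch of the guard matches that container's own `if` further down. A less fragile shape is to render the list through a new named template (say `postgresql.readReplicas.initContainers`) and emit the key only when it produces output, e.g. `{{- $init := include "postgresql.readReplicas.initContainers" . }}` followed by `{{- if $init }}initContainers: {{- $init | nindent 8 }}{{- end }}`, which removes the duplicated condition entirely. The guard's closing `{{- end }}` lands in the `@@ -175,6 +180,7 @@` hunk and the pod spec continues outside both hunks; the primary statefulset's closing `{{- end }}` at the top of this chunk presumably pairs with a matching guard that is outside this view.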
@@ -9,6 +9,7 @@ metadata: {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} {{- end }} app.kubernetes.io/component: read + {{- if or .Values.commonAnnotations .Values.readReplicas.service.annotations }} annotations: {{- if .Values.commonAnnotations }} {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} @@ -16,6 +17,7 @@ metadata: {{- if .Values.readReplicas.service.annotations }} {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.service.annotations "context" $) | nindent 4 }} {{- end }} + {{- end }} spec: type: {{ .Values.readReplicas.service.type }} {{- if or (eq .Values.readReplicas.service.type "LoadBalancer") (eq .Values.readReplicas.service.type "NodePort") }} diff --git a/charts/bitnami/airflow/charts/postgresql/templates/tls-secrets.yaml b/charts/bitnami/airflow/charts/postgresql/templates/tls-secrets.yaml index 59c577647..482e29876 100644 --- a/charts/bitnami/airflow/charts/postgresql/templates/tls-secrets.yaml +++ b/charts/bitnami/airflow/charts/postgresql/templates/tls-secrets.yaml @@ -1,4 +1,5 @@ {{- if (include "postgresql.createTlsSecret" . ) }} +{{- $secretName := printf "%s-crt" (include "common.names.fullname" .) }} {{- $ca := genCA "postgresql-ca" 365 }} {{- $fullname := include "common.names.fullname" . }} {{- $releaseNamespace := .Release.Namespace }} 
@@ -6,11 +7,11 @@ {{- $primaryHeadlessServiceName := include "postgresql.primary.svc.headless" . }} {{- $readHeadlessServiceName := include "postgresql.readReplica.svc.headless" . }} {{- $altNames := list (printf "*.%s.%s.svc.%s" $fullname $releaseNamespace $clusterDomain) (printf "%s.%s.svc.%s" $fullname $releaseNamespace $clusterDomain) (printf "*.%s.%s.svc.%s" $primaryHeadlessServiceName $releaseNamespace $clusterDomain) (printf "%s.%s.svc.%s" $primaryHeadlessServiceName $releaseNamespace $clusterDomain) (printf "*.%s.%s.svc.%s" $readHeadlessServiceName $releaseNamespace $clusterDomain) (printf "%s.%s.svc.%s" $readHeadlessServiceName $releaseNamespace $clusterDomain) $fullname }} -{{- $crt := genSignedCert $fullname nil $altNames 365 $ca }} +{{- $cert := genSignedCert $fullname nil $altNames 365 $ca }} apiVersion: v1 kind: Secret metadata: - name: {{ printf "%s-crt" (include "common.names.fullname" .) }} + name: {{ $secretName }} namespace: {{ .Release.Namespace | quote }} labels: {{- include "common.labels.standard" . | nindent 4 }} {{- if .Values.commonLabels }} @@ -21,7 +22,7 @@ metadata: {{- end }} type: kubernetes.io/tls data: - ca.crt: {{ $ca.Cert | b64enc | quote }} - tls.crt: {{ $crt.Cert | b64enc | quote }} - tls.key: {{ $crt.Key | b64enc | quote }} + tls.crt: {{ include "common.secrets.lookup" (dict "secret" $secretName "key" "tls.crt" "defaultValue" $cert.Cert "context" $) }} + tls.key: {{ include "common.secrets.lookup" (dict "secret" $secretName "key" "tls.key" "defaultValue" $cert.Key "context" $) }} + ca.crt: {{ include "common.secrets.lookup" (dict "secret" $secretName "key" "ca.crt" "defaultValue" $ca.Cert "context" $) }} {{- end }} diff --git a/charts/bitnami/airflow/charts/postgresql/values.yaml b/charts/bitnami/airflow/charts/postgresql/values.yaml index b4785a4f5..7bf35af20 100644 --- a/charts/bitnami/airflow/charts/postgresql/values.yaml +++ b/charts/bitnami/airflow/charts/postgresql/values.yaml 
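Review bot: Each of `tls.crt`, `tls.key` and `ca.crt` in the `data:` block is resolved by its own `common.secrets.lookup` call, so an existing `$secretName` Secret that lacks or carries a stale value for one key is combined with freshly generated material for the others, and the resulting key, certificate and CA no longer chain. The lookup also returns whatever is stored without checking it against the 365-day validity on the `genCA`/`genSignedCert` lines, so an expired certificate is reused on every upgrade until someone deletes the Secret, while under `helm template`/`--dry-run` `lookup` is empty and renders outside a live cluster still regenerate everything each time. The cassandra helper deleted in the `_helpers.tpl` hunk read all three keys from a single `lookup` result or generated all three together; the sketch below restores that all-or-nothing behaviour, and the same fix applies to the cassandra `tls-secret.yaml` hunk and the postgresql chart's `tls-secrets.yaml` hunk later in this diff. Whichever shape is chosen, a comment above `data:` such as `# Reuses an existing <fullname>-crt Secret as-is; no expiry check, delete the Secret to force rotation` would save the next reader a trip to the common chart.
```yaml
{{/* … unchanged: $secretName, genCA/genSignedCert and metadata … */}}
data:
  {{- $existing := (lookup "v1" "Secret" .Release.Namespace $secretName).data | default dict }}
  {{- if and (hasKey $existing "tls.crt") (hasKey $existing "tls.key") (hasKey $existing "ca.crt") }}
  tls.crt: {{ get $existing "tls.crt" | quote }}
  tls.key: {{ get $existing "tls.key" | quote }}
  ca.crt: {{ get $existing "ca.crt" | quote }}
  {{- else }}
  tls.crt: {{ $cert.Cert | b64enc | quote }}
  tls.key: {{ $cert.Key | b64enc | quote }}
  ca.crt: {{ $ca.Cert | b64enc | quote }}
  {{- end }}
```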
@@ -95,7 +95,7 @@ diagnosticMode: image: registry: docker.io repository: bitnami/postgresql - tag: 15.1.0-debian-11-r20 + tag: 15.1.0-debian-11-r31 digest: "" ## Specify a imagePullPolicy ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' @@ -1130,7 +1130,7 @@ volumePermissions: image: registry: docker.io repository: bitnami/bitnami-shell - tag: 11-debian-11-r69 + tag: 11-debian-11-r79 digest: "" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. @@ -1217,7 +1217,7 @@ metrics: image: registry: docker.io repository: bitnami/postgres-exporter - tag: 0.11.1-debian-11-r46 + tag: 0.11.1-debian-11-r55 digest: "" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. diff --git a/charts/bitnami/airflow/values.yaml b/charts/bitnami/airflow/values.yaml index bf37be054..722953cb4 100644 --- a/charts/bitnami/airflow/values.yaml +++ b/charts/bitnami/airflow/values.yaml @@ -118,7 +118,7 @@ dags: image: registry: docker.io repository: bitnami/bitnami-shell - tag: 11-debian-11-r76 + tag: 11-debian-11-r79 digest: "" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. @@ -185,7 +185,7 @@ web: image: registry: docker.io repository: bitnami/airflow - tag: 2.5.1-debian-11-r2 + tag: 2.5.1-debian-11-r5 digest: "" ## Specify a imagePullPolicy ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' @@ -443,7 +443,7 @@ scheduler: image: registry: docker.io repository: bitnami/airflow-scheduler - tag: 2.5.1-debian-11-r1 + tag: 2.5.1-debian-11-r5 digest: "" ## Specify a imagePullPolicy ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' @@ -647,7 +647,7 @@ worker: image: registry: docker.io repository: bitnami/airflow-worker - tag: 2.5.1-debian-11-r1 + tag: 2.5.1-debian-11-r5 digest: "" ## Specify a imagePullPolicy ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' 
@@ -920,7 +920,7 @@ git: image: registry: docker.io repository: bitnami/git - tag: 2.39.1-debian-11-r3 + tag: 2.39.1-debian-11-r6 digest: "" ## Specify a imagePullPolicy ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' @@ -1283,7 +1283,7 @@ metrics: image: registry: docker.io repository: bitnami/airflow-exporter - tag: 0.20220314.0-debian-11-r84 + tag: 0.20220314.0-debian-11-r86 digest: "" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. diff --git a/charts/bitnami/cassandra/Chart.yaml b/charts/bitnami/cassandra/Chart.yaml index b300bf614..9533cede2 100644 --- a/charts/bitnami/cassandra/Chart.yaml +++ b/charts/bitnami/cassandra/Chart.yaml @@ -29,4 +29,4 @@ name: cassandra sources: - https://github.com/bitnami/containers/tree/main/bitnami/cassandra - http://cassandra.apache.org -version: 10.0.1 +version: 10.0.2 diff --git a/charts/bitnami/cassandra/README.md b/charts/bitnami/cassandra/README.md index 18a1a57cc..b5dde0cb3 100644 --- a/charts/bitnami/cassandra/README.md +++ b/charts/bitnami/cassandra/README.md @@ -461,7 +461,7 @@ This release make it possible to specify custom initialization scripts in both c ## License -Copyright © 2022 Bitnami +Copyright © 2023 Bitnami Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. diff --git a/charts/bitnami/cassandra/templates/_helpers.tpl b/charts/bitnami/cassandra/templates/_helpers.tpl index 5c715383d..0bd03d525 100644 --- a/charts/bitnami/cassandra/templates/_helpers.tpl +++ b/charts/bitnami/cassandra/templates/_helpers.tpl 
@@ -220,39 +220,6 @@ otherwise it generates a random value. {{- end }} {{- end -}} - -{{/* -Returns the available TLS Cert in an existing secret (if it exists), -otherwise it generates a new one. -*/}} -{{- define "cassandra.getTlsCertStrFromSecret" }} - {{- $len := (default 365 .Length) | int -}} - {{- $ca := "" -}} - {{- $crt := "" -}} - {{- $key := "" -}} - {{- $tlsCert := (lookup "v1" "Secret" .Release.Namespace (printf "%s-%s" (include "common.names.fullname" .) "crt" | trunc 63 | trimSuffix "-")).data -}} - - {{- if $tlsCert }} - {{- $ca = (get $tlsCert "ca.crt" | b64dec) -}} - {{- $crt = (get $tlsCert "tls.crt" | b64dec) -}} - {{- $key = (get $tlsCert "tls.key" | b64dec) -}} - {{- else -}} - {{- $caFull := genCA "cassandra-ca" 365 }} - {{- $fullname := include "common.names.fullname" . }} - {{- $releaseNamespace := .Release.Namespace }} - {{- $clusterDomain := .Values.clusterDomain }} - {{- $serviceName := include "common.names.fullname" . }} - {{- $headlessServiceName := printf "%s-headless" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" }} - {{- $altNames := list (printf "*.%s.%s.svc.%s" $serviceName $releaseNamespace $clusterDomain) (printf "%s.%s.svc.%s" $serviceName $releaseNamespace $clusterDomain) (printf "*.%s.%s.svc.%s" $headlessServiceName $releaseNamespace $clusterDomain) (printf "%s.%s.svc.%s" $headlessServiceName $releaseNamespace $clusterDomain) "localhost" "127.0.0.1" $fullname }} - {{- $cert := genSignedCert $fullname nil $altNames 365 $caFull }} - {{- $ca = $caFull.Cert -}} - {{- $crt = $cert.Cert -}} - {{- $key = $cert.Key -}} - {{- end -}} - - {{- printf "%s###%s###%s" $ca $crt $key -}} -{{- end }} - {{/* Get the metrics config map name. */}} diff --git a/charts/bitnami/cassandra/templates/tls-secret.yaml b/charts/bitnami/cassandra/templates/tls-secret.yaml index e704ce904..4dcb6e9d4 100644 --- a/charts/bitnami/cassandra/templates/tls-secret.yaml +++ b/charts/bitnami/cassandra/templates/tls-secret.yaml 
@@ -1,14 +1,17 @@ {{- if (include "cassandra.createTlsSecret" . ) }} - -{{- $tlsCertStr := regexSplit "###" (include "cassandra.getTlsCertStrFromSecret" .) -1 }} -{{- $ca := index $tlsCertStr 0 }} -{{- $crt := index $tlsCertStr 1 }} -{{- $key := index $tlsCertStr 2 }} - +{{- $secretName := printf "%s-crt" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" }} +{{- $ca := genCA "cassandra-ca" 365 }} +{{- $fullname := include "common.names.fullname" . }} +{{- $releaseNamespace := .Release.Namespace }} +{{- $clusterDomain := .Values.clusterDomain }} +{{- $serviceName := include "common.names.fullname" . }} +{{- $headlessServiceName := printf "%s-headless" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" }} +{{- $altNames := list (printf "*.%s.%s.svc.%s" $serviceName $releaseNamespace $clusterDomain) (printf "%s.%s.svc.%s" $serviceName $releaseNamespace $clusterDomain) (printf "*.%s.%s.svc.%s" $headlessServiceName $releaseNamespace $clusterDomain) (printf "%s.%s.svc.%s" $headlessServiceName $releaseNamespace $clusterDomain) "localhost" "127.0.0.1" $fullname }} +{{- $cert := genSignedCert $fullname nil $altNames 365 $ca }} apiVersion: v1 kind: Secret metadata: - name: {{ printf "%s-crt" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" }} + name: {{ $secretName }} namespace: {{ .Release.Namespace | quote }} labels: {{- include "common.labels.standard" . | nindent 4 }} {{- if .Values.commonLabels }} 
@@ -19,7 +22,7 @@ metadata: {{- end }} type: kubernetes.io/tls data: - ca.crt: {{ $ca | b64enc | quote }} - tls.crt: {{ $crt | b64enc | quote }} - tls.key: {{ $key | b64enc | quote }} + tls.crt: {{ include "common.secrets.lookup" (dict "secret" $secretName "key" "tls.crt" "defaultValue" $cert.Cert "context" $) }} + tls.key: {{ include "common.secrets.lookup" (dict "secret" $secretName "key" "tls.key" "defaultValue" $cert.Key "context" $) }} + ca.crt: {{ include "common.secrets.lookup" (dict "secret" $secretName "key" "ca.crt" "defaultValue" $ca.Cert "context" $) }} {{- end }} diff --git a/charts/bitnami/postgresql/Chart.yaml b/charts/bitnami/postgresql/Chart.yaml index 53347d4ce..8b7bec158 100644 --- a/charts/bitnami/postgresql/Chart.yaml +++ b/charts/bitnami/postgresql/Chart.yaml @@ -32,4 +32,4 @@ name: postgresql sources: - https://github.com/bitnami/containers/tree/main/bitnami/postgresql - https://www.postgresql.org/ -version: 12.1.13 +version: 12.1.14 diff --git a/charts/bitnami/postgresql/README.md b/charts/bitnami/postgresql/README.md index d8c4fb49a..e6259ab32 100644 --- a/charts/bitnami/postgresql/README.md +++ b/charts/bitnami/postgresql/README.md 
@@ -102,7 +102,7 @@ $ kubectl delete pvc -l release=my-release | ---------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------- | | `image.registry` | PostgreSQL image registry | `docker.io` | | `image.repository` | PostgreSQL image repository | `bitnami/postgresql` | -| `image.tag` | PostgreSQL image tag (immutable tags are recommended) | `15.1.0-debian-11-r30` | +| `image.tag` | PostgreSQL image tag (immutable tags are recommended) | `15.1.0-debian-11-r31` | | `image.digest` | PostgreSQL image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | | `image.pullPolicy` | PostgreSQL image pull policy | `IfNotPresent` | | `image.pullSecrets` | Specify image pull secrets | `[]` | 
@@ -383,7 +383,7 @@ $ kubectl delete pvc -l release=my-release | `volumePermissions.enabled` | Enable init container that changes the owner and group of the persistent volume | `false` | | `volumePermissions.image.registry` | Init container volume-permissions image registry | `docker.io` | | `volumePermissions.image.repository` | Init container volume-permissions image repository | `bitnami/bitnami-shell` | -| `volumePermissions.image.tag` | Init container volume-permissions image tag (immutable tags are recommended) | `11-debian-11-r77` | +| `volumePermissions.image.tag` | Init container volume-permissions image tag (immutable tags are recommended) | `11-debian-11-r79` | | `volumePermissions.image.digest` | Init container volume-permissions image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | | `volumePermissions.image.pullPolicy` | Init container volume-permissions image pull policy | `IfNotPresent` | | `volumePermissions.image.pullSecrets` | Init container volume-permissions image pull secrets | `[]` | @@ -412,7 +412,7 @@ $ kubectl delete pvc -l release=my-release | `metrics.enabled` | Start a prometheus exporter | `false` | | `metrics.image.registry` | PostgreSQL Prometheus Exporter image registry | `docker.io` | | `metrics.image.repository` | PostgreSQL Prometheus Exporter image repository | `bitnami/postgres-exporter` | -| `metrics.image.tag` | PostgreSQL Prometheus Exporter image tag (immutable tags are recommended) | `0.11.1-debian-11-r54` | +| `metrics.image.tag` | PostgreSQL Prometheus Exporter image tag (immutable tags are recommended) | `0.11.1-debian-11-r55` | | `metrics.image.digest` | PostgreSQL image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | | `metrics.image.pullPolicy` | PostgreSQL Prometheus Exporter image pull policy | `IfNotPresent` | | `metrics.image.pullSecrets` | Specify image pull secrets | `[]` | 
diff --git a/charts/bitnami/postgresql/templates/tls-secrets.yaml b/charts/bitnami/postgresql/templates/tls-secrets.yaml index 59c577647..482e29876 100644 --- a/charts/bitnami/postgresql/templates/tls-secrets.yaml +++ b/charts/bitnami/postgresql/templates/tls-secrets.yaml @@ -1,4 +1,5 @@ {{- if (include "postgresql.createTlsSecret" . ) }} +{{- $secretName := printf "%s-crt" (include "common.names.fullname" .) }} {{- $ca := genCA "postgresql-ca" 365 }} {{- $fullname := include "common.names.fullname" . }} {{- $releaseNamespace := .Release.Namespace }} @@ -6,11 +7,11 @@ {{- $primaryHeadlessServiceName := include "postgresql.primary.svc.headless" . }} {{- $readHeadlessServiceName := include "postgresql.readReplica.svc.headless" . }} {{- $altNames := list (printf "*.%s.%s.svc.%s" $fullname $releaseNamespace $clusterDomain) (printf "%s.%s.svc.%s" $fullname $releaseNamespace $clusterDomain) (printf "*.%s.%s.svc.%s" $primaryHeadlessServiceName $releaseNamespace $clusterDomain) (printf "%s.%s.svc.%s" $primaryHeadlessServiceName $releaseNamespace $clusterDomain) (printf "*.%s.%s.svc.%s" $readHeadlessServiceName $releaseNamespace $clusterDomain) (printf "%s.%s.svc.%s" $readHeadlessServiceName $releaseNamespace $clusterDomain) $fullname }} -{{- $crt := genSignedCert $fullname nil $altNames 365 $ca }} +{{- $cert := genSignedCert $fullname nil $altNames 365 $ca }} apiVersion: v1 kind: Secret metadata: - name: {{ printf "%s-crt" (include "common.names.fullname" .) }} + name: {{ $secretName }} namespace: {{ .Release.Namespace | quote }} labels: {{- include "common.labels.standard" . | nindent 4 }} {{- if .Values.commonLabels }} 
@@ -21,7 +22,7 @@ metadata: {{- end }} type: kubernetes.io/tls data: - ca.crt: {{ $ca.Cert | b64enc | quote }} - tls.crt: {{ $crt.Cert | b64enc | quote }} - tls.key: {{ $crt.Key | b64enc | quote }} + tls.crt: {{ include "common.secrets.lookup" (dict "secret" $secretName "key" "tls.crt" "defaultValue" $cert.Cert "context" $) }} + tls.key: {{ include "common.secrets.lookup" (dict "secret" $secretName "key" "tls.key" "defaultValue" $cert.Key "context" $) }} + ca.crt: {{ include "common.secrets.lookup" (dict "secret" $secretName "key" "ca.crt" "defaultValue" $ca.Cert "context" $) }} {{- end }} diff --git a/charts/bitnami/postgresql/values.yaml b/charts/bitnami/postgresql/values.yaml index 5dc54be9c..7bf35af20 100644 --- a/charts/bitnami/postgresql/values.yaml +++ b/charts/bitnami/postgresql/values.yaml @@ -95,7 +95,7 @@ diagnosticMode: image: registry: docker.io repository: bitnami/postgresql - tag: 15.1.0-debian-11-r30 + tag: 15.1.0-debian-11-r31 digest: "" ## Specify a imagePullPolicy ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' @@ -1130,7 +1130,7 @@ volumePermissions: image: registry: docker.io repository: bitnami/bitnami-shell - tag: 11-debian-11-r77 + tag: 11-debian-11-r79 digest: "" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. @@ -1217,7 +1217,7 @@ metrics: image: registry: docker.io repository: bitnami/postgres-exporter - tag: 0.11.1-debian-11-r54 + tag: 0.11.1-debian-11-r55 digest: "" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. diff --git a/charts/bitnami/tomcat/Chart.yaml b/charts/bitnami/tomcat/Chart.yaml index e17b0abcb..1f65875df 100644 --- a/charts/bitnami/tomcat/Chart.yaml +++ b/charts/bitnami/tomcat/Chart.yaml @@ -32,4 +32,4 @@ name: tomcat sources: - https://github.com/bitnami/containers/tree/main/bitnami/tomcat - http://tomcat.apache.org -version: 10.5.10 +version: 10.5.13 
diff --git a/charts/bitnami/tomcat/README.md b/charts/bitnami/tomcat/README.md index 0baf0b283..ff1ad7d77 100644 --- a/charts/bitnami/tomcat/README.md +++ b/charts/bitnami/tomcat/README.md @@ -7,7 +7,7 @@ Apache Tomcat is an open-source web server designed to host and run Java-based w [Overview of Apache Tomcat](http://tomcat.apache.org/) Trademarks: This software listing is packaged by Bitnami. The respective trademarks mentioned in the offering are owned by the respective companies, and use of them does not imply any affiliation or endorsement. - + ## TL;DR ```console 
@@ -79,25 +79,25 @@ The command removes all the Kubernetes components associated with the chart and ### Tomcat parameters -| Name | Description | Value | -| ----------------------------- | ------------------------------------------------------------------------------------------------------ | --------------------- | -| `image.registry` | Tomcat image registry | `docker.io` | -| `image.repository` | Tomcat image repository | `bitnami/tomcat` | -| `image.tag` | Tomcat image tag (immutable tags are recommended) | `10.1.5-debian-11-r4` | -| `image.digest` | Tomcat image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | -| `image.pullPolicy` | Tomcat image pull policy | `IfNotPresent` | -| `image.pullSecrets` | Specify docker-registry secret names as an array | `[]` | -| `image.debug` | Specify if debug logs should be enabled | `false` | -| `hostAliases` | Deployment pod host aliases | `[]` | -| `tomcatUsername` | Tomcat admin user | `user` | -| `tomcatPassword` | Tomcat admin password | `""` | -| `tomcatAllowRemoteManagement` | Enable remote access to management interface | `0` | -| `catalinaOpts` | Java runtime option used by tomcat JVM | `""` | -| `command` | Override default container command (useful when using custom images) | `[]` | -| `args` | Override default container args (useful when using custom images) | `[]` | -| `extraEnvVars` | Extra environment variables to be set on Tomcat container | `[]` | -| `extraEnvVarsCM` | Name of existing ConfigMap containing extra environment variables | `""` | -| `extraEnvVarsSecret` | Name of existing Secret containing extra environment variables | `""` | +| Name | Description | Value | +| ----------------------------- | ------------------------------------------------------------------------------------------------------ | ---------------------- | +| `image.registry` | Tomcat image registry | `docker.io` | +| `image.repository` | Tomcat image repository | `bitnami/tomcat` | 
+| `image.tag` | Tomcat image tag (immutable tags are recommended) | `10.1.5-debian-11-r11` | +| `image.digest` | Tomcat image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | +| `image.pullPolicy` | Tomcat image pull policy | `IfNotPresent` | +| `image.pullSecrets` | Specify docker-registry secret names as an array | `[]` | +| `image.debug` | Specify if debug logs should be enabled | `false` | +| `hostAliases` | Deployment pod host aliases | `[]` | +| `tomcatUsername` | Tomcat admin user | `user` | +| `tomcatPassword` | Tomcat admin password | `""` | +| `tomcatAllowRemoteManagement` | Enable remote access to management interface | `0` | +| `catalinaOpts` | Java runtime option used by tomcat JVM | `""` | +| `command` | Override default container command (useful when using custom images) | `[]` | +| `args` | Override default container args (useful when using custom images) | `[]` | +| `extraEnvVars` | Extra environment variables to be set on Tomcat container | `[]` | +| `extraEnvVarsCM` | Name of existing ConfigMap containing extra environment variables | `""` | +| `extraEnvVarsSecret` | Name of existing Secret containing extra environment variables | `""` | ### Tomcat deployment parameters 
@@ -207,7 +207,7 @@ The command removes all the Kubernetes components associated with the chart and | `volumePermissions.enabled` | Enable init container that changes volume permissions in the data directory | `false` | | `volumePermissions.image.registry` | Init container volume-permissions image registry | `docker.io` | | `volumePermissions.image.repository` | Init container volume-permissions image repository | `bitnami/bitnami-shell` | -| `volumePermissions.image.tag` | Init container volume-permissions image tag | `11-debian-11-r74` | +| `volumePermissions.image.tag` | Init container volume-permissions image tag | `11-debian-11-r79` | | `volumePermissions.image.digest` | Init container volume-permissions image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | | `volumePermissions.image.pullPolicy` | Init container volume-permissions image pull policy | `IfNotPresent` | | `volumePermissions.image.pullSecrets` | Specify docker-registry secret names as an array | `[]` | 
@@ -223,7 +223,7 @@ The command removes all the Kubernetes components associated with the chart and | `metrics.jmx.catalinaOpts` | custom option used to enabled JMX on tomcat jvm evaluated as template | `-Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port=5555 -Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.local.only=true` | | `metrics.jmx.image.registry` | JMX exporter image registry | `docker.io` | | `metrics.jmx.image.repository` | JMX exporter image repository | `bitnami/jmx-exporter` | -| `metrics.jmx.image.tag` | JMX exporter image tag (immutable tags are recommended) | `0.17.2-debian-11-r40` | +| `metrics.jmx.image.tag` | JMX exporter image tag (immutable tags are recommended) | `0.17.2-debian-11-r44` | | `metrics.jmx.image.digest` | JMX exporter image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | | `metrics.jmx.image.pullPolicy` | JMX exporter image pull policy | `IfNotPresent` | | `metrics.jmx.image.pullSecrets` | Specify docker-registry secret names as an array | `[]` | @@ -390,7 +390,7 @@ $ kubectl patch deployment tomcat --type=json -p='[{"op": "remove", "path": "/sp ## License -Copyright © 2022 Bitnami +Copyright © 2023 Bitnami Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. diff --git a/charts/bitnami/tomcat/values.yaml b/charts/bitnami/tomcat/values.yaml index 28f2cd9b8..a1062ecac 100644 --- a/charts/bitnami/tomcat/values.yaml +++ b/charts/bitnami/tomcat/values.yaml @@ -58,7 +58,7 @@ extraDeploy: [] image: registry: docker.io repository: bitnami/tomcat - tag: 10.1.5-debian-11-r4 + tag: 10.1.5-debian-11-r11 digest: "" ## Specify a imagePullPolicy ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' 
@@ -576,7 +576,7 @@ volumePermissions: image: registry: docker.io repository: bitnami/bitnami-shell - tag: 11-debian-11-r74 + tag: 11-debian-11-r79 digest: "" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. @@ -636,7 +636,7 @@ metrics: image: registry: docker.io repository: bitnami/jmx-exporter - tag: 0.17.2-debian-11-r40 + tag: 0.17.2-debian-11-r44 digest: "" ## Specify a imagePullPolicy ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' diff --git a/charts/bitnami/wordpress/Chart.lock b/charts/bitnami/wordpress/Chart.lock index 09cf6599b..18666eb50 100644 --- a/charts/bitnami/wordpress/Chart.lock +++ b/charts/bitnami/wordpress/Chart.lock @@ -4,9 +4,9 @@ dependencies: version: 6.3.5 - name: mariadb repository: https://charts.bitnami.com/bitnami - version: 11.4.4 + version: 11.4.5 - name: common repository: https://charts.bitnami.com/bitnami version: 2.2.2 -digest: sha256:a917b459cd4db5baea69506921dd13e699f8a1a330fbe76bb80d24f668874d9d -generated: "2023-01-19T00:46:08.195009985Z" +digest: sha256:ec3e466caf2f2204b19e2ececdfa7e0f398cebd6518b4467414a3a503c6b58a6 +generated: "2023-01-31T18:29:29.691174539Z" diff --git a/charts/bitnami/wordpress/Chart.yaml b/charts/bitnami/wordpress/Chart.yaml index 2ffa7158e..6638d6c83 100644 --- a/charts/bitnami/wordpress/Chart.yaml +++ b/charts/bitnami/wordpress/Chart.yaml @@ -41,4 +41,4 @@ name: wordpress sources: - https://github.com/bitnami/containers/tree/main/bitnami/wordpress - https://wordpress.org/ -version: 15.2.36 +version: 15.2.37 diff --git a/charts/bitnami/wordpress/README.md b/charts/bitnami/wordpress/README.md index b561ba2ef..c10889303 100644 --- a/charts/bitnami/wordpress/README.md +++ b/charts/bitnami/wordpress/README.md @@ -7,7 +7,7 @@ WordPress is the world's most popular blogging and content management platform. [Overview of WordPress](http://www.wordpress.org) - + ## TL;DR ```console 
@@ -86,7 +86,7 @@ The command removes all the Kubernetes components associated with the chart and | ------------------- | --------------------------------------------------------------------------------------------------------- | --------------------- | | `image.registry` | WordPress image registry | `docker.io` | | `image.repository` | WordPress image repository | `bitnami/wordpress` | -| `image.tag` | WordPress image tag (immutable tags are recommended) | `6.1.1-debian-11-r34` | +| `image.tag` | WordPress image tag (immutable tags are recommended) | `6.1.1-debian-11-r39` | | `image.digest` | WordPress image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | | `image.pullPolicy` | WordPress image pull policy | `IfNotPresent` | | `image.pullSecrets` | WordPress image pull secrets | `[]` | @@ -257,7 +257,7 @@ The command removes all the Kubernetes components associated with the chart and | `volumePermissions.enabled` | Enable init container that changes the owner/group of the PV mount point to `runAsUser:fsGroup` | `false` | | `volumePermissions.image.registry` | Bitnami Shell image registry | `docker.io` | | `volumePermissions.image.repository` | Bitnami Shell image repository | `bitnami/bitnami-shell` | -| `volumePermissions.image.tag` | Bitnami Shell image tag (immutable tags are recommended) | `11-debian-11-r74` | +| `volumePermissions.image.tag` | Bitnami Shell image tag (immutable tags are recommended) | `11-debian-11-r78` | | `volumePermissions.image.digest` | Bitnami Shell image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | | `volumePermissions.image.pullPolicy` | Bitnami Shell image pull policy | `IfNotPresent` | | `volumePermissions.image.pullSecrets` | Bitnami Shell image pull secrets | `[]` | 
@@ -291,7 +291,7 @@ The command removes all the Kubernetes components associated with the chart and | `metrics.enabled` | Start a sidecar prometheus exporter to expose metrics | `false` | | `metrics.image.registry` | Apache exporter image registry | `docker.io` | | `metrics.image.repository` | Apache exporter image repository | `bitnami/apache-exporter` | -| `metrics.image.tag` | Apache exporter image tag (immutable tags are recommended) | `0.11.0-debian-11-r84` | +| `metrics.image.tag` | Apache exporter image tag (immutable tags are recommended) | `0.11.0-debian-11-r88` | | `metrics.image.digest` | Apache exporter image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | | `metrics.image.pullPolicy` | Apache exporter image pull policy | `IfNotPresent` | | `metrics.image.pullSecrets` | Apache exporter image pull secrets | `[]` | @@ -633,7 +633,7 @@ $ kubectl delete statefulset wordpress-mariadb --cascade=false ## License -Copyright © 2022 Bitnami +Copyright © 2023 Bitnami Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. diff --git a/charts/bitnami/wordpress/charts/mariadb/Chart.yaml b/charts/bitnami/wordpress/charts/mariadb/Chart.yaml index 18aaa8516..406efffe6 100644 --- a/charts/bitnami/wordpress/charts/mariadb/Chart.yaml +++ b/charts/bitnami/wordpress/charts/mariadb/Chart.yaml @@ -28,4 +28,4 @@ sources: - https://github.com/bitnami/containers/tree/main/bitnami/mariadb - https://github.com/prometheus/mysqld_exporter - https://mariadb.org -version: 11.4.4 +version: 11.4.5 diff --git a/charts/bitnami/wordpress/charts/mariadb/README.md b/charts/bitnami/wordpress/charts/mariadb/README.md index 381149316..d9236ee13 100644 --- a/charts/bitnami/wordpress/charts/mariadb/README.md +++ b/charts/bitnami/wordpress/charts/mariadb/README.md 
@@ -7,10 +7,10 @@ MariaDB is an open source, community-developed SQL database server that is widel
 [Overview of MariaDB](https://mariadb.org/)
 
 Trademarks: This software listing is packaged by Bitnami. The respective trademarks mentioned in the offering are owned by the respective companies, and use of them does not imply any affiliation or endorsement.
-
+
 ## TL;DR
 
-```bash
+```console
 $ helm repo add my-repo https://charts.bitnami.com/bitnami
 $ helm install my-release my-repo/mariadb
 ```
@@ -33,7 +33,8 @@ Bitnami charts can be used with [Kubeapps](https://kubeapps.dev/) for deployment
 
 To install the chart with the release name `my-release`:
 
-```bash
+```console
+$ helm repo add my-repo https://charts.bitnami.com/bitnami
 $ helm install my-release my-repo/mariadb
 ```
 
@@ -45,7 +46,7 @@ The command deploys MariaDB on the Kubernetes cluster in the default configurati
 
 To uninstall/delete the `my-release` deployment:
 
-```bash
+```console
 $ helm delete my-release
 ```
 
@@ -108,184 +109,188 @@ The command removes all the Kubernetes components associated with the chart and ### MariaDB Primary parameters -| Name | Description | Value | -| ----------------------------------------------- | ----------------------------------------------------------------------------------------------------------------- | ------------------- | -| `primary.name` | Name of the primary database (eg primary, master, leader, ...) | `primary` | -| `primary.command` | Override default container command on MariaDB Primary container(s) (useful when using custom images) | `[]` | -| `primary.args` | Override default container args on MariaDB Primary container(s) (useful when using custom images) | `[]` | -| `primary.lifecycleHooks` | for the MariaDB Primary container(s) to automate configuration before or after startup | `{}` | -| `primary.hostAliases` | Add deployment host aliases | `[]` | -| `primary.configuration` | MariaDB Primary configuration to be injected as ConfigMap | `""` | -| `primary.existingConfigmap` | Name of existing ConfigMap with MariaDB Primary configuration. | `""` | -| `primary.updateStrategy.type` | MariaDB primary statefulset strategy type | `RollingUpdate` | -| `primary.rollingUpdatePartition` | Partition update strategy for Mariadb Primary statefulset | `""` | -| `primary.podAnnotations` | Additional pod annotations for MariaDB primary pods | `{}` | -| `primary.podLabels` | Extra labels for MariaDB primary pods | `{}` | -| `primary.podAffinityPreset` | MariaDB primary pod affinity preset. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` | `""` | -| `primary.podAntiAffinityPreset` | MariaDB primary pod anti-affinity preset. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` | `soft` | -| `primary.nodeAffinityPreset.type` | MariaDB primary node affinity preset type. Ignored if `primary.affinity` is set. 
Allowed values: `soft` or `hard` | `""` | -| `primary.nodeAffinityPreset.key` | MariaDB primary node label key to match Ignored if `primary.affinity` is set. | `""` | -| `primary.nodeAffinityPreset.values` | MariaDB primary node label values to match. Ignored if `primary.affinity` is set. | `[]` | -| `primary.affinity` | Affinity for MariaDB primary pods assignment | `{}` | -| `primary.nodeSelector` | Node labels for MariaDB primary pods assignment | `{}` | -| `primary.tolerations` | Tolerations for MariaDB primary pods assignment | `[]` | -| `primary.schedulerName` | Name of the k8s scheduler (other than default) | `""` | -| `primary.podManagementPolicy` | podManagementPolicy to manage scaling operation of MariaDB primary pods | `""` | -| `primary.topologySpreadConstraints` | Topology Spread Constraints for MariaDB primary pods assignment | `[]` | -| `primary.priorityClassName` | Priority class for MariaDB primary pods assignment | `""` | -| `primary.runtimeClassName` | Runtime Class for MariaDB primary pods | `""` | -| `primary.podSecurityContext.enabled` | Enable security context for MariaDB primary pods | `true` | -| `primary.podSecurityContext.fsGroup` | Group ID for the mounted volumes' filesystem | `1001` | -| `primary.containerSecurityContext.enabled` | MariaDB primary container securityContext | `true` | -| `primary.containerSecurityContext.runAsUser` | User ID for the MariaDB primary container | `1001` | -| `primary.containerSecurityContext.runAsNonRoot` | Set Controller container's Security Context runAsNonRoot | `true` | -| `primary.resources.limits` | The resources limits for MariaDB primary containers | `{}` | -| `primary.resources.requests` | The requested resources for MariaDB primary containers | `{}` | -| `primary.startupProbe.enabled` | Enable startupProbe | `false` | -| `primary.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `120` | -| `primary.startupProbe.periodSeconds` | Period seconds for startupProbe | `15` | 
-| `primary.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `5` | -| `primary.startupProbe.failureThreshold` | Failure threshold for startupProbe | `10` | -| `primary.startupProbe.successThreshold` | Success threshold for startupProbe | `1` | -| `primary.livenessProbe.enabled` | Enable livenessProbe | `true` | -| `primary.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `120` | -| `primary.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` | -| `primary.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `1` | -| `primary.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `3` | -| `primary.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` | -| `primary.readinessProbe.enabled` | Enable readinessProbe | `true` | -| `primary.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `30` | -| `primary.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `10` | -| `primary.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `1` | -| `primary.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `3` | -| `primary.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` | -| `primary.customStartupProbe` | Override default startup probe for MariaDB primary containers | `{}` | -| `primary.customLivenessProbe` | Override default liveness probe for MariaDB primary containers | `{}` | -| `primary.customReadinessProbe` | Override default readiness probe for MariaDB primary containers | `{}` | -| `primary.startupWaitOptions` | Override default builtin startup wait check options for MariaDB primary containers | `{}` | -| `primary.extraFlags` | MariaDB primary additional command line flags | `""` | -| `primary.extraEnvVars` | Extra environment variables to be set on MariaDB primary containers | `[]` | -| `primary.extraEnvVarsCM` | Name of existing ConfigMap 
containing extra env vars for MariaDB primary containers | `""` | -| `primary.extraEnvVarsSecret` | Name of existing Secret containing extra env vars for MariaDB primary containers | `""` | -| `primary.persistence.enabled` | Enable persistence on MariaDB primary replicas using a `PersistentVolumeClaim`. If false, use emptyDir | `true` | -| `primary.persistence.existingClaim` | Name of an existing `PersistentVolumeClaim` for MariaDB primary replicas | `""` | -| `primary.persistence.subPath` | Subdirectory of the volume to mount at | `""` | -| `primary.persistence.storageClass` | MariaDB primary persistent volume storage Class | `""` | -| `primary.persistence.annotations` | MariaDB primary persistent volume claim annotations | `{}` | -| `primary.persistence.accessModes` | MariaDB primary persistent volume access Modes | `["ReadWriteOnce"]` | -| `primary.persistence.size` | MariaDB primary persistent volume size | `8Gi` | -| `primary.persistence.selector` | Selector to match an existing Persistent Volume | `{}` | -| `primary.extraVolumes` | Optionally specify extra list of additional volumes to the MariaDB Primary pod(s) | `[]` | -| `primary.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the MariaDB Primary container(s) | `[]` | -| `primary.initContainers` | Add additional init containers for the MariaDB Primary pod(s) | `[]` | -| `primary.sidecars` | Add additional sidecar containers for the MariaDB Primary pod(s) | `[]` | -| `primary.service.type` | MariaDB Primary Kubernetes service type | `ClusterIP` | -| `primary.service.ports.mysql` | MariaDB Primary Kubernetes service port for MariaDB | `3306` | -| `primary.service.ports.metrics` | MariaDB Primary Kubernetes service port for metrics | `9104` | -| `primary.service.nodePorts.mysql` | MariaDB Primary Kubernetes service node port | `""` | -| `primary.service.clusterIP` | MariaDB Primary Kubernetes service clusterIP IP | `""` | -| `primary.service.loadBalancerIP` | MariaDB Primary 
loadBalancerIP if service type is `LoadBalancer` | `""` | -| `primary.service.externalTrafficPolicy` | Enable client source IP preservation | `Cluster` | -| `primary.service.loadBalancerSourceRanges` | Address that are allowed when MariaDB Primary service is LoadBalancer | `[]` | -| `primary.service.extraPorts` | Extra ports to expose (normally used with the `sidecar` value) | `[]` | -| `primary.service.annotations` | Provide any additional annotations which may be required | `{}` | -| `primary.service.sessionAffinity` | Session Affinity for Kubernetes service, can be "None" or "ClientIP" | `None` | -| `primary.service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` | -| `primary.pdb.create` | Enable/disable a Pod Disruption Budget creation for MariaDB primary pods | `false` | -| `primary.pdb.minAvailable` | Minimum number/percentage of MariaDB primary pods that must still be available after the eviction | `1` | -| `primary.pdb.maxUnavailable` | Maximum number/percentage of MariaDB primary pods that can be unavailable after the eviction | `""` | -| `primary.revisionHistoryLimit` | Maximum number of revisions that will be maintained in the StatefulSet | `10` | +| Name | Description | Value | +| ----------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------- | ------------------- | +| `primary.name` | Name of the primary database (eg primary, master, leader, ...) 
| `primary` | +| `primary.command` | Override default container command on MariaDB Primary container(s) (useful when using custom images) | `[]` | +| `primary.args` | Override default container args on MariaDB Primary container(s) (useful when using custom images) | `[]` | +| `primary.lifecycleHooks` | for the MariaDB Primary container(s) to automate configuration before or after startup | `{}` | +| `primary.hostAliases` | Add deployment host aliases | `[]` | +| `primary.configuration` | MariaDB Primary configuration to be injected as ConfigMap | `""` | +| `primary.existingConfigmap` | Name of existing ConfigMap with MariaDB Primary configuration. | `""` | +| `primary.updateStrategy.type` | MariaDB primary statefulset strategy type | `RollingUpdate` | +| `primary.rollingUpdatePartition` | Partition update strategy for Mariadb Primary statefulset | `""` | +| `primary.podAnnotations` | Additional pod annotations for MariaDB primary pods | `{}` | +| `primary.podLabels` | Extra labels for MariaDB primary pods | `{}` | +| `primary.podAffinityPreset` | MariaDB primary pod affinity preset. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` | `""` | +| `primary.podAntiAffinityPreset` | MariaDB primary pod anti-affinity preset. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` | `soft` | +| `primary.nodeAffinityPreset.type` | MariaDB primary node affinity preset type. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` | `""` | +| `primary.nodeAffinityPreset.key` | MariaDB primary node label key to match Ignored if `primary.affinity` is set. | `""` | +| `primary.nodeAffinityPreset.values` | MariaDB primary node label values to match. Ignored if `primary.affinity` is set. 
| `[]` | +| `primary.affinity` | Affinity for MariaDB primary pods assignment | `{}` | +| `primary.nodeSelector` | Node labels for MariaDB primary pods assignment | `{}` | +| `primary.tolerations` | Tolerations for MariaDB primary pods assignment | `[]` | +| `primary.schedulerName` | Name of the k8s scheduler (other than default) | `""` | +| `primary.podManagementPolicy` | podManagementPolicy to manage scaling operation of MariaDB primary pods | `""` | +| `primary.topologySpreadConstraints` | Topology Spread Constraints for MariaDB primary pods assignment | `[]` | +| `primary.priorityClassName` | Priority class for MariaDB primary pods assignment | `""` | +| `primary.runtimeClassName` | Runtime Class for MariaDB primary pods | `""` | +| `primary.podSecurityContext.enabled` | Enable security context for MariaDB primary pods | `true` | +| `primary.podSecurityContext.fsGroup` | Group ID for the mounted volumes' filesystem | `1001` | +| `primary.containerSecurityContext.enabled` | MariaDB primary container securityContext | `true` | +| `primary.containerSecurityContext.runAsUser` | User ID for the MariaDB primary container | `1001` | +| `primary.containerSecurityContext.runAsNonRoot` | Set primary container's Security Context runAsNonRoot | `true` | +| `primary.containerSecurityContext.privileged` | Set primary container's Security Context privileged | `false` | +| `primary.containerSecurityContext.allowPrivilegeEscalation` | Set primary container's Security Context allowPrivilegeEscalation | `false` | +| `primary.resources.limits` | The resources limits for MariaDB primary containers | `{}` | +| `primary.resources.requests` | The requested resources for MariaDB primary containers | `{}` | +| `primary.startupProbe.enabled` | Enable startupProbe | `false` | +| `primary.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `120` | +| `primary.startupProbe.periodSeconds` | Period seconds for startupProbe | `15` | +| 
`primary.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `5` | +| `primary.startupProbe.failureThreshold` | Failure threshold for startupProbe | `10` | +| `primary.startupProbe.successThreshold` | Success threshold for startupProbe | `1` | +| `primary.livenessProbe.enabled` | Enable livenessProbe | `true` | +| `primary.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `120` | +| `primary.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` | +| `primary.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `1` | +| `primary.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `3` | +| `primary.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` | +| `primary.readinessProbe.enabled` | Enable readinessProbe | `true` | +| `primary.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `30` | +| `primary.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `10` | +| `primary.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `1` | +| `primary.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `3` | +| `primary.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` | +| `primary.customStartupProbe` | Override default startup probe for MariaDB primary containers | `{}` | +| `primary.customLivenessProbe` | Override default liveness probe for MariaDB primary containers | `{}` | +| `primary.customReadinessProbe` | Override default readiness probe for MariaDB primary containers | `{}` | +| `primary.startupWaitOptions` | Override default builtin startup wait check options for MariaDB primary containers | `{}` | +| `primary.extraFlags` | MariaDB primary additional command line flags | `""` | +| `primary.extraEnvVars` | Extra environment variables to be set on MariaDB primary containers | `[]` | +| `primary.extraEnvVarsCM` | Name of existing ConfigMap 
containing extra env vars for MariaDB primary containers | `""` | +| `primary.extraEnvVarsSecret` | Name of existing Secret containing extra env vars for MariaDB primary containers | `""` | +| `primary.persistence.enabled` | Enable persistence on MariaDB primary replicas using a `PersistentVolumeClaim`. If false, use emptyDir | `true` | +| `primary.persistence.existingClaim` | Name of an existing `PersistentVolumeClaim` for MariaDB primary replicas | `""` | +| `primary.persistence.subPath` | Subdirectory of the volume to mount at | `""` | +| `primary.persistence.storageClass` | MariaDB primary persistent volume storage Class | `""` | +| `primary.persistence.annotations` | MariaDB primary persistent volume claim annotations | `{}` | +| `primary.persistence.accessModes` | MariaDB primary persistent volume access Modes | `["ReadWriteOnce"]` | +| `primary.persistence.size` | MariaDB primary persistent volume size | `8Gi` | +| `primary.persistence.selector` | Selector to match an existing Persistent Volume | `{}` | +| `primary.extraVolumes` | Optionally specify extra list of additional volumes to the MariaDB Primary pod(s) | `[]` | +| `primary.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the MariaDB Primary container(s) | `[]` | +| `primary.initContainers` | Add additional init containers for the MariaDB Primary pod(s) | `[]` | +| `primary.sidecars` | Add additional sidecar containers for the MariaDB Primary pod(s) | `[]` | +| `primary.service.type` | MariaDB Primary Kubernetes service type | `ClusterIP` | +| `primary.service.ports.mysql` | MariaDB Primary Kubernetes service port for MariaDB | `3306` | +| `primary.service.ports.metrics` | MariaDB Primary Kubernetes service port for metrics | `9104` | +| `primary.service.nodePorts.mysql` | MariaDB Primary Kubernetes service node port | `""` | +| `primary.service.clusterIP` | MariaDB Primary Kubernetes service clusterIP IP | `""` | +| `primary.service.loadBalancerIP` | MariaDB Primary 
loadBalancerIP if service type is `LoadBalancer` | `""` | +| `primary.service.externalTrafficPolicy` | Enable client source IP preservation | `Cluster` | +| `primary.service.loadBalancerSourceRanges` | Address that are allowed when MariaDB Primary service is LoadBalancer | `[]` | +| `primary.service.extraPorts` | Extra ports to expose (normally used with the `sidecar` value) | `[]` | +| `primary.service.annotations` | Provide any additional annotations which may be required | `{}` | +| `primary.service.sessionAffinity` | Session Affinity for Kubernetes service, can be "None" or "ClientIP" | `None` | +| `primary.service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` | +| `primary.pdb.create` | Enable/disable a Pod Disruption Budget creation for MariaDB primary pods | `false` | +| `primary.pdb.minAvailable` | Minimum number/percentage of MariaDB primary pods that must still be available after the eviction | `1` | +| `primary.pdb.maxUnavailable` | Maximum number/percentage of MariaDB primary pods that can be unavailable after the eviction | `""` | +| `primary.revisionHistoryLimit` | Maximum number of revisions that will be maintained in the StatefulSet | `10` | ### MariaDB Secondary parameters -| Name | Description | Value | -| ------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------- | ------------------- | -| `secondary.name` | Name of the secondary database (eg secondary, slave, ...) 
| `secondary` | -| `secondary.replicaCount` | Number of MariaDB secondary replicas | `1` | -| `secondary.command` | Override default container command on MariaDB Secondary container(s) (useful when using custom images) | `[]` | -| `secondary.args` | Override default container args on MariaDB Secondary container(s) (useful when using custom images) | `[]` | -| `secondary.lifecycleHooks` | for the MariaDB Secondary container(s) to automate configuration before or after startup | `{}` | -| `secondary.hostAliases` | Add deployment host aliases | `[]` | -| `secondary.configuration` | MariaDB Secondary configuration to be injected as ConfigMap | `""` | -| `secondary.existingConfigmap` | Name of existing ConfigMap with MariaDB Secondary configuration. | `""` | -| `secondary.updateStrategy.type` | MariaDB secondary statefulset strategy type | `RollingUpdate` | -| `secondary.rollingUpdatePartition` | Partition update strategy for Mariadb Secondary statefulset | `""` | -| `secondary.podAnnotations` | Additional pod annotations for MariaDB secondary pods | `{}` | -| `secondary.podLabels` | Extra labels for MariaDB secondary pods | `{}` | -| `secondary.podAffinityPreset` | MariaDB secondary pod affinity preset. Ignored if `secondary.affinity` is set. Allowed values: `soft` or `hard` | `""` | -| `secondary.podAntiAffinityPreset` | MariaDB secondary pod anti-affinity preset. Ignored if `secondary.affinity` is set. Allowed values: `soft` or `hard` | `soft` | -| `secondary.nodeAffinityPreset.type` | MariaDB secondary node affinity preset type. Ignored if `secondary.affinity` is set. Allowed values: `soft` or `hard` | `""` | -| `secondary.nodeAffinityPreset.key` | MariaDB secondary node label key to match Ignored if `secondary.affinity` is set. | `""` | -| `secondary.nodeAffinityPreset.values` | MariaDB secondary node label values to match. Ignored if `secondary.affinity` is set. 
| `[]` | -| `secondary.affinity` | Affinity for MariaDB secondary pods assignment | `{}` | -| `secondary.nodeSelector` | Node labels for MariaDB secondary pods assignment | `{}` | -| `secondary.tolerations` | Tolerations for MariaDB secondary pods assignment | `[]` | -| `secondary.topologySpreadConstraints` | Topology Spread Constraints for MariaDB secondary pods assignment | `[]` | -| `secondary.priorityClassName` | Priority class for MariaDB secondary pods assignment | `""` | -| `secondary.runtimeClassName` | Runtime Class for MariaDB secondary pods | `""` | -| `secondary.schedulerName` | Name of the k8s scheduler (other than default) | `""` | -| `secondary.podManagementPolicy` | podManagementPolicy to manage scaling operation of MariaDB secondary pods | `""` | -| `secondary.podSecurityContext.enabled` | Enable security context for MariaDB secondary pods | `true` | -| `secondary.podSecurityContext.fsGroup` | Group ID for the mounted volumes' filesystem | `1001` | -| `secondary.containerSecurityContext.enabled` | MariaDB secondary container securityContext | `true` | -| `secondary.containerSecurityContext.runAsUser` | User ID for the MariaDB secondary container | `1001` | -| `secondary.containerSecurityContext.runAsNonRoot` | Set Controller container's Security Context runAsNonRoot | `true` | -| `secondary.resources.limits` | The resources limits for MariaDB secondary containers | `{}` | -| `secondary.resources.requests` | The requested resources for MariaDB secondary containers | `{}` | -| `secondary.startupProbe.enabled` | Enable startupProbe | `false` | -| `secondary.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `120` | -| `secondary.startupProbe.periodSeconds` | Period seconds for startupProbe | `15` | -| `secondary.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `5` | -| `secondary.startupProbe.failureThreshold` | Failure threshold for startupProbe | `10` | -| `secondary.startupProbe.successThreshold` | Success 
threshold for startupProbe | `1` | -| `secondary.livenessProbe.enabled` | Enable livenessProbe | `true` | -| `secondary.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `120` | -| `secondary.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` | -| `secondary.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `1` | -| `secondary.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `3` | -| `secondary.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` | -| `secondary.readinessProbe.enabled` | Enable readinessProbe | `true` | -| `secondary.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `30` | -| `secondary.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `10` | -| `secondary.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `1` | -| `secondary.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `3` | -| `secondary.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` | -| `secondary.customStartupProbe` | Override default startup probe for MariaDB secondary containers | `{}` | -| `secondary.customLivenessProbe` | Override default liveness probe for MariaDB secondary containers | `{}` | -| `secondary.customReadinessProbe` | Override default readiness probe for MariaDB secondary containers | `{}` | -| `secondary.startupWaitOptions` | Override default builtin startup wait check options for MariaDB secondary containers | `{}` | -| `secondary.extraFlags` | MariaDB secondary additional command line flags | `""` | -| `secondary.extraEnvVars` | Extra environment variables to be set on MariaDB secondary containers | `[]` | -| `secondary.extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars for MariaDB secondary containers | `""` | -| `secondary.extraEnvVarsSecret` | Name of existing Secret containing extra env vars for MariaDB secondary 
containers | `""` | -| `secondary.persistence.enabled` | Enable persistence on MariaDB secondary replicas using a `PersistentVolumeClaim` | `true` | -| `secondary.persistence.subPath` | Subdirectory of the volume to mount at | `""` | -| `secondary.persistence.storageClass` | MariaDB secondary persistent volume storage Class | `""` | -| `secondary.persistence.annotations` | MariaDB secondary persistent volume claim annotations | `{}` | -| `secondary.persistence.accessModes` | MariaDB secondary persistent volume access Modes | `["ReadWriteOnce"]` | -| `secondary.persistence.size` | MariaDB secondary persistent volume size | `8Gi` | -| `secondary.persistence.selector` | Selector to match an existing Persistent Volume | `{}` | -| `secondary.extraVolumes` | Optionally specify extra list of additional volumes to the MariaDB secondary pod(s) | `[]` | -| `secondary.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the MariaDB secondary container(s) | `[]` | -| `secondary.initContainers` | Add additional init containers for the MariaDB secondary pod(s) | `[]` | -| `secondary.sidecars` | Add additional sidecar containers for the MariaDB secondary pod(s) | `[]` | -| `secondary.service.type` | MariaDB secondary Kubernetes service type | `ClusterIP` | -| `secondary.service.ports.mysql` | MariaDB secondary Kubernetes service port for MariaDB | `3306` | -| `secondary.service.ports.metrics` | MariaDB secondary Kubernetes service port for metrics | `9104` | -| `secondary.service.nodePorts.mysql` | MariaDB secondary Kubernetes service node port | `""` | -| `secondary.service.clusterIP` | MariaDB secondary Kubernetes service clusterIP IP | `""` | -| `secondary.service.loadBalancerIP` | MariaDB secondary loadBalancerIP if service type is `LoadBalancer` | `""` | -| `secondary.service.externalTrafficPolicy` | Enable client source IP preservation | `Cluster` | -| `secondary.service.loadBalancerSourceRanges` | Address that are allowed when MariaDB secondary 
service is LoadBalancer | `[]` | -| `secondary.service.extraPorts` | Extra ports to expose (normally used with the `sidecar` value) | `[]` | -| `secondary.service.annotations` | Provide any additional annotations which may be required | `{}` | -| `secondary.service.sessionAffinity` | Session Affinity for Kubernetes service, can be "None" or "ClientIP" | `None` | -| `secondary.service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` | -| `secondary.pdb.create` | Enable/disable a Pod Disruption Budget creation for MariaDB secondary pods | `false` | -| `secondary.pdb.minAvailable` | Minimum number/percentage of MariaDB secondary pods that should remain scheduled | `1` | -| `secondary.pdb.maxUnavailable` | Maximum number/percentage of MariaDB secondary pods that may be made unavailable | `""` | -| `secondary.revisionHistoryLimit` | Maximum number of revisions that will be maintained in the StatefulSet | `10` | +| Name | Description | Value | +| ------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------- | ------------------- | +| `secondary.name` | Name of the secondary database (eg secondary, slave, ...) 
| `secondary` | +| `secondary.replicaCount` | Number of MariaDB secondary replicas | `1` | +| `secondary.command` | Override default container command on MariaDB Secondary container(s) (useful when using custom images) | `[]` | +| `secondary.args` | Override default container args on MariaDB Secondary container(s) (useful when using custom images) | `[]` | +| `secondary.lifecycleHooks` | for the MariaDB Secondary container(s) to automate configuration before or after startup | `{}` | +| `secondary.hostAliases` | Add deployment host aliases | `[]` | +| `secondary.configuration` | MariaDB Secondary configuration to be injected as ConfigMap | `""` | +| `secondary.existingConfigmap` | Name of existing ConfigMap with MariaDB Secondary configuration. | `""` | +| `secondary.updateStrategy.type` | MariaDB secondary statefulset strategy type | `RollingUpdate` | +| `secondary.rollingUpdatePartition` | Partition update strategy for Mariadb Secondary statefulset | `""` | +| `secondary.podAnnotations` | Additional pod annotations for MariaDB secondary pods | `{}` | +| `secondary.podLabels` | Extra labels for MariaDB secondary pods | `{}` | +| `secondary.podAffinityPreset` | MariaDB secondary pod affinity preset. Ignored if `secondary.affinity` is set. Allowed values: `soft` or `hard` | `""` | +| `secondary.podAntiAffinityPreset` | MariaDB secondary pod anti-affinity preset. Ignored if `secondary.affinity` is set. Allowed values: `soft` or `hard` | `soft` | +| `secondary.nodeAffinityPreset.type` | MariaDB secondary node affinity preset type. Ignored if `secondary.affinity` is set. Allowed values: `soft` or `hard` | `""` | +| `secondary.nodeAffinityPreset.key` | MariaDB secondary node label key to match Ignored if `secondary.affinity` is set. | `""` | +| `secondary.nodeAffinityPreset.values` | MariaDB secondary node label values to match. Ignored if `secondary.affinity` is set. 
| `[]` | +| `secondary.affinity` | Affinity for MariaDB secondary pods assignment | `{}` | +| `secondary.nodeSelector` | Node labels for MariaDB secondary pods assignment | `{}` | +| `secondary.tolerations` | Tolerations for MariaDB secondary pods assignment | `[]` | +| `secondary.topologySpreadConstraints` | Topology Spread Constraints for MariaDB secondary pods assignment | `[]` | +| `secondary.priorityClassName` | Priority class for MariaDB secondary pods assignment | `""` | +| `secondary.runtimeClassName` | Runtime Class for MariaDB secondary pods | `""` | +| `secondary.schedulerName` | Name of the k8s scheduler (other than default) | `""` | +| `secondary.podManagementPolicy` | podManagementPolicy to manage scaling operation of MariaDB secondary pods | `""` | +| `secondary.podSecurityContext.enabled` | Enable security context for MariaDB secondary pods | `true` | +| `secondary.podSecurityContext.fsGroup` | Group ID for the mounted volumes' filesystem | `1001` | +| `secondary.containerSecurityContext.enabled` | MariaDB secondary container securityContext | `true` | +| `secondary.containerSecurityContext.runAsUser` | User ID for the MariaDB secondary container | `1001` | +| `secondary.containerSecurityContext.runAsNonRoot` | Set secondary container's Security Context runAsNonRoot | `true` | +| `secondary.containerSecurityContext.privileged` | Set secondary container's Security Context privileged | `false` | +| `secondary.containerSecurityContext.allowPrivilegeEscalation` | Set secondary container's Security Context allowPrivilegeEscalation | `false` | +| `secondary.resources.limits` | The resources limits for MariaDB secondary containers | `{}` | +| `secondary.resources.requests` | The requested resources for MariaDB secondary containers | `{}` | +| `secondary.startupProbe.enabled` | Enable startupProbe | `false` | +| `secondary.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `120` | +| `secondary.startupProbe.periodSeconds` | Period 
seconds for startupProbe | `15` | +| `secondary.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `5` | +| `secondary.startupProbe.failureThreshold` | Failure threshold for startupProbe | `10` | +| `secondary.startupProbe.successThreshold` | Success threshold for startupProbe | `1` | +| `secondary.livenessProbe.enabled` | Enable livenessProbe | `true` | +| `secondary.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `120` | +| `secondary.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` | +| `secondary.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `1` | +| `secondary.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `3` | +| `secondary.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` | +| `secondary.readinessProbe.enabled` | Enable readinessProbe | `true` | +| `secondary.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `30` | +| `secondary.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `10` | +| `secondary.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `1` | +| `secondary.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `3` | +| `secondary.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` | +| `secondary.customStartupProbe` | Override default startup probe for MariaDB secondary containers | `{}` | +| `secondary.customLivenessProbe` | Override default liveness probe for MariaDB secondary containers | `{}` | +| `secondary.customReadinessProbe` | Override default readiness probe for MariaDB secondary containers | `{}` | +| `secondary.startupWaitOptions` | Override default builtin startup wait check options for MariaDB secondary containers | `{}` | +| `secondary.extraFlags` | MariaDB secondary additional command line flags | `""` | +| `secondary.extraEnvVars` | Extra environment variables to be set on 
MariaDB secondary containers | `[]` | +| `secondary.extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars for MariaDB secondary containers | `""` | +| `secondary.extraEnvVarsSecret` | Name of existing Secret containing extra env vars for MariaDB secondary containers | `""` | +| `secondary.persistence.enabled` | Enable persistence on MariaDB secondary replicas using a `PersistentVolumeClaim` | `true` | +| `secondary.persistence.subPath` | Subdirectory of the volume to mount at | `""` | +| `secondary.persistence.storageClass` | MariaDB secondary persistent volume storage Class | `""` | +| `secondary.persistence.annotations` | MariaDB secondary persistent volume claim annotations | `{}` | +| `secondary.persistence.accessModes` | MariaDB secondary persistent volume access Modes | `["ReadWriteOnce"]` | +| `secondary.persistence.size` | MariaDB secondary persistent volume size | `8Gi` | +| `secondary.persistence.selector` | Selector to match an existing Persistent Volume | `{}` | +| `secondary.extraVolumes` | Optionally specify extra list of additional volumes to the MariaDB secondary pod(s) | `[]` | +| `secondary.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the MariaDB secondary container(s) | `[]` | +| `secondary.initContainers` | Add additional init containers for the MariaDB secondary pod(s) | `[]` | +| `secondary.sidecars` | Add additional sidecar containers for the MariaDB secondary pod(s) | `[]` | +| `secondary.service.type` | MariaDB secondary Kubernetes service type | `ClusterIP` | +| `secondary.service.ports.mysql` | MariaDB secondary Kubernetes service port for MariaDB | `3306` | +| `secondary.service.ports.metrics` | MariaDB secondary Kubernetes service port for metrics | `9104` | +| `secondary.service.nodePorts.mysql` | MariaDB secondary Kubernetes service node port | `""` | +| `secondary.service.clusterIP` | MariaDB secondary Kubernetes service clusterIP IP | `""` | +| `secondary.service.loadBalancerIP` 
| MariaDB secondary loadBalancerIP if service type is `LoadBalancer` | `""` | +| `secondary.service.externalTrafficPolicy` | Enable client source IP preservation | `Cluster` | +| `secondary.service.loadBalancerSourceRanges` | Address that are allowed when MariaDB secondary service is LoadBalancer | `[]` | +| `secondary.service.extraPorts` | Extra ports to expose (normally used with the `sidecar` value) | `[]` | +| `secondary.service.annotations` | Provide any additional annotations which may be required | `{}` | +| `secondary.service.sessionAffinity` | Session Affinity for Kubernetes service, can be "None" or "ClientIP" | `None` | +| `secondary.service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` | +| `secondary.pdb.create` | Enable/disable a Pod Disruption Budget creation for MariaDB secondary pods | `false` | +| `secondary.pdb.minAvailable` | Minimum number/percentage of MariaDB secondary pods that should remain scheduled | `1` | +| `secondary.pdb.maxUnavailable` | Maximum number/percentage of MariaDB secondary pods that may be made unavailable | `""` | +| `secondary.revisionHistoryLimit` | Maximum number of revisions that will be maintained in the StatefulSet | `10` | ### RBAC parameters 
@@ -316,47 +321,49 @@ The command removes all the Kubernetes components associated with the chart and ### Metrics parameters -| Name | Description | Value | -| -------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------- | ------------------------- | -| `metrics.enabled` | Start a side-car prometheus exporter | `false` | -| `metrics.image.registry` | Exporter image registry | `docker.io` | -| `metrics.image.repository` | Exporter image repository | `bitnami/mysqld-exporter` | -| `metrics.image.tag` | Exporter image tag (immutable tags are recommended) | `0.14.0-debian-11-r77` | -| `metrics.image.digest` | Exporter image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | -| `metrics.image.pullPolicy` | Exporter image pull policy | `IfNotPresent` | -| `metrics.image.pullSecrets` | Specify docker-registry secret names as an array | `[]` | -| `metrics.annotations` | Annotations for the Exporter pod | `{}` | -| `metrics.extraArgs` | Extra args to be passed to mysqld_exporter | `{}` | -| `metrics.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the MariaDB metrics container(s) | `{}` | -| `metrics.containerSecurityContext.enabled` | Enable security context for MariaDB metrics container | `false` | -| `metrics.resources.limits` | The resources limits for MariaDB prometheus exporter containers | `{}` | -| `metrics.resources.requests` | The requested resources for MariaDB prometheus exporter containers | `{}` | -| `metrics.livenessProbe.enabled` | Enable livenessProbe | `true` | -| `metrics.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `120` | -| `metrics.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` | -| `metrics.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `1` | -| 
`metrics.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `3` | -| `metrics.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` | -| `metrics.readinessProbe.enabled` | Enable readinessProbe | `true` | -| `metrics.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `30` | -| `metrics.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `10` | -| `metrics.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `1` | -| `metrics.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `3` | -| `metrics.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` | -| `metrics.serviceMonitor.enabled` | Create ServiceMonitor Resource for scraping metrics using PrometheusOperator | `false` | -| `metrics.serviceMonitor.namespace` | Namespace which Prometheus is running in | `""` | -| `metrics.serviceMonitor.jobLabel` | The name of the label on the target service to use as the job name in prometheus. 
| `""` | -| `metrics.serviceMonitor.interval` | Interval at which metrics should be scraped | `30s` | -| `metrics.serviceMonitor.scrapeTimeout` | Specify the timeout after which the scrape is ended | `""` | -| `metrics.serviceMonitor.relabelings` | RelabelConfigs to apply to samples before scraping | `[]` | -| `metrics.serviceMonitor.metricRelabelings` | MetricRelabelConfigs to apply to samples before ingestion | `[]` | -| `metrics.serviceMonitor.honorLabels` | honorLabels chooses the metric's labels on collisions with target labels | `false` | -| `metrics.serviceMonitor.selector` | ServiceMonitor selector labels | `{}` | -| `metrics.serviceMonitor.labels` | Extra labels for the ServiceMonitor | `{}` | -| `metrics.prometheusRule.enabled` | if `true`, creates a Prometheus Operator PrometheusRule (also requires `metrics.enabled` to be `true` and `metrics.prometheusRule.rules`) | `false` | -| `metrics.prometheusRule.namespace` | Namespace for the PrometheusRule Resource (defaults to the Release Namespace) | `""` | -| `metrics.prometheusRule.additionalLabels` | Additional labels that can be used so PrometheusRule will be discovered by Prometheus | `{}` | -| `metrics.prometheusRule.rules` | Prometheus Rule definitions | `[]` | +| Name | Description | Value | +| ----------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------- | ------------------------- | +| `metrics.enabled` | Start a side-car prometheus exporter | `false` | +| `metrics.image.registry` | Exporter image registry | `docker.io` | +| `metrics.image.repository` | Exporter image repository | `bitnami/mysqld-exporter` | +| `metrics.image.tag` | Exporter image tag (immutable tags are recommended) | `0.14.0-debian-11-r77` | +| `metrics.image.digest` | Exporter image digest in the way sha256:aa.... 
Please note this parameter, if set, will override the tag | `""` | +| `metrics.image.pullPolicy` | Exporter image pull policy | `IfNotPresent` | +| `metrics.image.pullSecrets` | Specify docker-registry secret names as an array | `[]` | +| `metrics.annotations` | Annotations for the Exporter pod | `{}` | +| `metrics.extraArgs` | Extra args to be passed to mysqld_exporter | `{}` | +| `metrics.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the MariaDB metrics container(s) | `{}` | +| `metrics.containerSecurityContext.enabled` | Enable security context for MariaDB metrics container | `false` | +| `metrics.containerSecurityContext.privileged` | Set metrics container's Security Context privileged | `false` | +| `metrics.containerSecurityContext.allowPrivilegeEscalation` | Set metrics container's Security Context allowPrivilegeEscalation | `false` | +| `metrics.resources.limits` | The resources limits for MariaDB prometheus exporter containers | `{}` | +| `metrics.resources.requests` | The requested resources for MariaDB prometheus exporter containers | `{}` | +| `metrics.livenessProbe.enabled` | Enable livenessProbe | `true` | +| `metrics.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `120` | +| `metrics.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` | +| `metrics.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `1` | +| `metrics.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `3` | +| `metrics.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` | +| `metrics.readinessProbe.enabled` | Enable readinessProbe | `true` | +| `metrics.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `30` | +| `metrics.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `10` | +| `metrics.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `1` | +| 
`metrics.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `3` | +| `metrics.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` | +| `metrics.serviceMonitor.enabled` | Create ServiceMonitor Resource for scraping metrics using PrometheusOperator | `false` | +| `metrics.serviceMonitor.namespace` | Namespace which Prometheus is running in | `""` | +| `metrics.serviceMonitor.jobLabel` | The name of the label on the target service to use as the job name in prometheus. | `""` | +| `metrics.serviceMonitor.interval` | Interval at which metrics should be scraped | `30s` | +| `metrics.serviceMonitor.scrapeTimeout` | Specify the timeout after which the scrape is ended | `""` | +| `metrics.serviceMonitor.relabelings` | RelabelConfigs to apply to samples before scraping | `[]` | +| `metrics.serviceMonitor.metricRelabelings` | MetricRelabelConfigs to apply to samples before ingestion | `[]` | +| `metrics.serviceMonitor.honorLabels` | honorLabels chooses the metric's labels on collisions with target labels | `false` | +| `metrics.serviceMonitor.selector` | ServiceMonitor selector labels | `{}` | +| `metrics.serviceMonitor.labels` | Extra labels for the ServiceMonitor | `{}` | +| `metrics.prometheusRule.enabled` | if `true`, creates a Prometheus Operator PrometheusRule (also requires `metrics.enabled` to be `true` and `metrics.prometheusRule.rules`) | `false` | +| `metrics.prometheusRule.namespace` | Namespace for the PrometheusRule Resource (defaults to the Release Namespace) | `""` | +| `metrics.prometheusRule.additionalLabels` | Additional labels that can be used so PrometheusRule will be discovered by Prometheus | `{}` | +| `metrics.prometheusRule.rules` | Prometheus Rule definitions | `[]` | ### NetworkPolicy parameters 
@@ -383,7 +390,7 @@ The above parameters map to the env variables defined in [bitnami/mariadb](https Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example, -```bash +```console $ helm install my-release \ --set auth.rootPassword=secretpassword,auth.database=app_database \ my-repo/mariadb @@ -395,7 +402,7 @@ The above command sets the MariaDB `root` account password to `secretpassword`. Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. For example, -```bash +```console $ helm install my-release -f values.yaml my-repo/mariadb ``` @@ -455,7 +462,7 @@ Find more information about how to deal with common errors related to Bitnami's It's necessary to set the `auth.rootPassword` parameter when upgrading for readiness/liveness probes to work properly. When you install this chart for the first time, some notes will be displayed providing the credentials you must use under the 'Administrator credentials' section. Please note down the password and run the command below to upgrade your chart: -```bash +```console $ helm upgrade my-release my-repo/mariadb --set auth.rootPassword=[ROOT_PASSWORD] ``` @@ -512,7 +519,7 @@ Backwards compatibility is not guaranteed. To upgrade to `8.0.0`, install a new - Create a backup of the database, and restore it on the new release using tools such as [mysqldump](https://mariadb.com/kb/en/mysqldump/). - Reuse the PVC used to hold the master data on your previous release. To do so, use the `primary.persistence.existingClaim` parameter. The following example assumes that the release name is `mariadb`: -```bash +```console $ helm install mariadb my-repo/mariadb --set auth.rootPassword=[ROOT_PASSWORD] --set primary.persistence.existingClaim=[EXISTING_PVC] ``` diff --git a/charts/bitnami/wordpress/charts/mariadb/values.yaml b/charts/bitnami/wordpress/charts/mariadb/values.yaml index 5050374c6..dc40d203b 100644 
--- a/charts/bitnami/wordpress/charts/mariadb/values.yaml +++ b/charts/bitnami/wordpress/charts/mariadb/values.yaml @@ -313,12 +313,16 @@ primary: ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container ## @param primary.containerSecurityContext.enabled MariaDB primary container securityContext ## @param primary.containerSecurityContext.runAsUser User ID for the MariaDB primary container - ## @param primary.containerSecurityContext.runAsNonRoot Set Controller container's Security Context runAsNonRoot + ## @param primary.containerSecurityContext.runAsNonRoot Set primary container's Security Context runAsNonRoot + ## @param primary.containerSecurityContext.privileged Set primary container's Security Context privileged + ## @param primary.containerSecurityContext.allowPrivilegeEscalation Set primary container's Security Context allowPrivilegeEscalation ## containerSecurityContext: enabled: true runAsUser: 1001 runAsNonRoot: true + privileged: false + allowPrivilegeEscalation: false ## MariaDB primary container's resource requests and limits ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ ## We usually recommend not to specify default resources and to leave this as a conscious 
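Review bot: The two new keys close off `privileged` and `allowPrivilegeEscalation`, but the primary container still keeps the runtime's default capability set and sets no seccomp profile, so a namespace enforcing the `restricted` Pod Security Standard (which also wants `capabilities.drop: ["ALL"]` and `seccompProfile.type: RuntimeDefault`) would still reject it. Whether any of these keys reach the pod depends on the StatefulSet template emitting the whole `containerSecurityContext` map rather than picking `runAsUser`/`runAsNonRoot` by name — that template is not in this diff, so it is worth confirming before trusting the hardening. If the map is rendered wholesale, the additions are `capabilities:` / `  drop: ["ALL"]` / `seccompProfile: {type: RuntimeDefault}` plus matching `## @param` lines, and the same applies to the `secondary` block further down.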
@@ -702,12 +706,16 @@ secondary: ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container ## @param secondary.containerSecurityContext.enabled MariaDB secondary container securityContext ## @param secondary.containerSecurityContext.runAsUser User ID for the MariaDB secondary container - ## @param secondary.containerSecurityContext.runAsNonRoot Set Controller container's Security Context runAsNonRoot + ## @param secondary.containerSecurityContext.runAsNonRoot Set secondary container's Security Context runAsNonRoot + ## @param secondary.containerSecurityContext.privileged Set secondary container's Security Context privileged + ## @param secondary.containerSecurityContext.allowPrivilegeEscalation Set secondary container's Security Context allowPrivilegeEscalation ## containerSecurityContext: enabled: true runAsUser: 1001 runAsNonRoot: true + privileged: false + allowPrivilegeEscalation: false ## MariaDB secondary container's resource requests and limits ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ ## We usually recommend not to specify default resources and to leave this as a conscious @@ -1081,6 +1089,8 @@ metrics: ## MariaDB metrics container Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container ## @param metrics.containerSecurityContext.enabled Enable security context for MariaDB metrics container + ## @param metrics.containerSecurityContext.privileged Set metrics container's Security Context privileged + ## @param metrics.containerSecurityContext.allowPrivilegeEscalation Set metrics container's Security Context allowPrivilegeEscalation ## Example: ## containerSecurityContext: ## enabled: true 
@@ -1090,6 +1100,8 @@ metrics: ## containerSecurityContext: enabled: false + privileged: false + allowPrivilegeEscalation: false ## Mysqld Prometheus exporter resource requests and limits ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ ## We usually recommend not to specify default resources and to leave this as a conscious diff --git a/charts/bitnami/wordpress/values.yaml b/charts/bitnami/wordpress/values.yaml index d69fabb22..6b2b8990b 100644 --- a/charts/bitnami/wordpress/values.yaml +++ b/charts/bitnami/wordpress/values.yaml @@ -73,7 +73,7 @@ diagnosticMode: image: registry: docker.io repository: bitnami/wordpress - tag: 6.1.1-debian-11-r34 + tag: 6.1.1-debian-11-r39 digest: "" ## Specify a imagePullPolicy ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' @@ -759,7 +759,7 @@ volumePermissions: image: registry: docker.io repository: bitnami/bitnami-shell - tag: 11-debian-11-r74 + tag: 11-debian-11-r78 digest: "" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. @@ -853,7 +853,7 @@ metrics: image: registry: docker.io repository: bitnami/apache-exporter - tag: 0.11.0-debian-11-r84 + tag: 0.11.0-debian-11-r88 digest: "" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. diff --git a/charts/datadog/datadog/CHANGELOG.md b/charts/datadog/datadog/CHANGELOG.md index 91ec663f8..3955a532e 100644 --- a/charts/datadog/datadog/CHANGELOG.md +++ b/charts/datadog/datadog/CHANGELOG.md @@ -1,5 +1,14 @@ # Datadog changelog +## 3.10.4 + +* Fix documentation for `agents.containers.traceAgent.env` and `agents.containers.securityAgent.env` + +## 3.10.3 + +* Fix default `hostPid` value set to true on Windows. +* Fix auth token path value on Windows. + ## 3.10.1 * Fix: add missing `DAC_READ_SEARCH` capability in agent PSP and SCC (openshift) diff --git a/charts/datadog/datadog/Chart.yaml b/charts/datadog/datadog/Chart.yaml index 47132ee87..79c696704 100644 
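Review bot: `privileged: false` and `allowPrivilegeEscalation: false` land in a block whose `enabled` stays `false`, so on a default install they are presumably never rendered for the exporter sidecar (the template is outside this diff, but the `enabled` key exists precisely to gate the map), leaving the exporter with only whatever the pod-level context provides. Either make the default match the primary and secondary containers (`enabled: true`, `runAsUser: 1001`, `runAsNonRoot: true` alongside the two new keys), or state the limitation in the comment: `## NOTE: these settings only take effect when metrics.containerSecurityContext.enabled is true`. The same caveat belongs on the two new `## @param` lines, otherwise the generated README table reads as if the sidecar were hardened by default.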
--- a/charts/datadog/datadog/Chart.yaml +++ b/charts/datadog/datadog/Chart.yaml @@ -19,4 +19,4 @@ name: datadog sources: - https://app.datadoghq.com/account/settings#agent/kubernetes - https://github.com/DataDog/datadog-agent -version: 3.10.1 +version: 3.10.4 diff --git a/charts/datadog/datadog/README.md b/charts/datadog/datadog/README.md index 22cd8ce05..975e02260 100644 --- a/charts/datadog/datadog/README.md +++ b/charts/datadog/datadog/README.md @@ -1,6 +1,6 @@ # Datadog -![Version: 3.10.1](https://img.shields.io/badge/Version-3.10.1-informational?style=flat-square) ![AppVersion: 7](https://img.shields.io/badge/AppVersion-7-informational?style=flat-square) +![Version: 3.10.4](https://img.shields.io/badge/Version-3.10.4-informational?style=flat-square) ![AppVersion: 7](https://img.shields.io/badge/AppVersion-7-informational?style=flat-square) [Datadog](https://www.datadoghq.com/) is a hosted infrastructure monitoring platform. This chart adds the Datadog Agent to all nodes in your cluster via a DaemonSet. It also optionally depends on the [kube-state-metrics chart](https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-state-metrics). For more information about monitoring Kubernetes with Datadog, please refer to the [Datadog documentation website](https://docs.datadoghq.com/agent/basic_agent_usage/kubernetes/). @@ -153,7 +153,7 @@ See [0.18.1's README](https://github.com/helm/charts/blob/847f737479bb78d89f8fb6 To uninstall/delete the `` deployment: ```bash -helm delete --purge +helm uninstall ``` The command removes all the Kubernetes components associated with the chart and deletes the release. 
@@ -415,7 +415,7 @@ helm install \ | agents.containers.processAgent.ports | list | `[]` | Allows to specify extra ports (hostPorts for instance) for this container | | agents.containers.processAgent.resources | object | `{}` | Resource requests and limits for the process-agent container | | agents.containers.processAgent.securityContext | object | `{}` | Allows you to overwrite the default container SecurityContext for the process-agent container. | -| agents.containers.securityAgent.env | string | `nil` | Additional environment variables for the security-agent container | +| agents.containers.securityAgent.env | list | `[]` | Additional environment variables for the security-agent container | | agents.containers.securityAgent.envFrom | list | `[]` | Set environment variables specific to security-agent from configMaps and/or secrets | | agents.containers.securityAgent.logLevel | string | `nil` | Set logging verbosity, valid log levels are: trace, debug, info, warn, error, critical, and off. If not set, fall back to the value of datadog.logLevel. | | agents.containers.securityAgent.ports | list | `[]` | Allows to specify extra ports (hostPorts for instance) for this container | 
@@ -426,7 +426,7 @@ helm install \ | agents.containers.systemProbe.ports | list | `[]` | Allows to specify extra ports (hostPorts for instance) for this container | | agents.containers.systemProbe.resources | object | `{}` | Resource requests and limits for the system-probe container | | agents.containers.systemProbe.securityContext | object | `{"capabilities":{"add":["SYS_ADMIN","SYS_RESOURCE","SYS_PTRACE","NET_ADMIN","NET_BROADCAST","NET_RAW","IPC_LOCK","CHOWN","DAC_READ_SEARCH"]},"privileged":false}` | Allows you to overwrite the default container SecurityContext for the system-probe container. | -| agents.containers.traceAgent.env | string | `nil` | Additional environment variables for the trace-agent container | +| agents.containers.traceAgent.env | list | `[]` | Additional environment variables for the trace-agent container | | agents.containers.traceAgent.envFrom | list | `[]` | Set environment variables specific to trace-agent from configMaps and/or secrets | | agents.containers.traceAgent.livenessProbe | object | Every 15s | Override default agent liveness probe settings | | agents.containers.traceAgent.logLevel | string | `nil` | Set logging verbosity, valid log levels are: trace, debug, info, warn, error, critical, and off | diff --git a/charts/datadog/datadog/README.md.gotmpl b/charts/datadog/datadog/README.md.gotmpl index dc7c219b4..a9f20b2ba 100644 --- a/charts/datadog/datadog/README.md.gotmpl +++ b/charts/datadog/datadog/README.md.gotmpl @@ -148,7 +148,7 @@ See [0.18.1's README](https://github.com/helm/charts/blob/847f737479bb78d89f8fb6 To uninstall/delete the `` deployment: ```bash -helm delete --purge +helm uninstall ``` The command removes all the Kubernetes components associated with the chart and deletes the release. diff --git a/charts/datadog/datadog/templates/_container-agent.yaml b/charts/datadog/datadog/templates/_container-agent.yaml index 6193e2432..cc92a791e 100644 --- a/charts/datadog/datadog/templates/_container-agent.yaml 
+++ b/charts/datadog/datadog/templates/_container-agent.yaml @@ -154,8 +154,6 @@ subPath: install_info mountPath: /etc/datadog-agent/install_info readOnly: true - - name: auth-token - mountPath: /etc/datadog-agent/auth - name: logdatadog mountPath: /var/log/datadog - name: tmpdir @@ -165,6 +163,8 @@ {{- end }} - name: config mountPath: {{ template "datadog.confPath" . }} + - name: auth-token + mountPath: {{ template "datadog.confPath" . }}/auth {{- include "container-crisocket-volumemounts" . | nindent 4 }} {{- include "container-cloudinit-volumemounts" . | nindent 4 }} {{- if .Values.agents.useConfigMap }} diff --git a/charts/datadog/datadog/templates/_container-security-agent.yaml b/charts/datadog/datadog/templates/_container-security-agent.yaml index 63d7c98cd..2fc306d05 100644 --- a/charts/datadog/datadog/templates/_container-security-agent.yaml +++ b/charts/datadog/datadog/templates/_container-security-agent.yaml @@ -52,10 +52,10 @@ volumeMounts: - name: config mountPath: {{ template "datadog.confPath" . }} - {{- if eq .Values.targetSystem "linux" }} - name: auth-token - mountPath: /etc/datadog-agent/auth + mountPath: {{ template "datadog.confPath" . }}/auth readOnly: true + {{- if eq .Values.targetSystem "linux" }} - name: logdatadog mountPath: /var/log/datadog - name: tmpdir diff --git a/charts/datadog/datadog/templates/_container-system-probe.yaml b/charts/datadog/datadog/templates/_container-system-probe.yaml index e0ff591b3..2151414b3 100644 --- a/charts/datadog/datadog/templates/_container-system-probe.yaml +++ b/charts/datadog/datadog/templates/_container-system-probe.yaml @@ -30,7 +30,7 @@ {{ toYaml .Values.agents.containers.systemProbe.resources | indent 4 }} volumeMounts: - name: auth-token - mountPath: /etc/datadog-agent/auth + mountPath: {{ template "datadog.confPath" . }}/auth readOnly: true - name: logdatadog mountPath: /var/log/datadog 
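Review bot: The relocated `auth-token` mount in the agent container is the only one in this diff without `readOnly: true` — security-agent, system-probe and trace-agent all mount the same volume read-only. If that is deliberate (presumably the core agent is the process that creates the token file and so needs write access), a comment on the mount would stop the next reviewer from "fixing" it: `# writable on purpose: the core agent creates auth/token; every other container mounts it readOnly`. The mount now also nests under the `config` mount at `{{ template "datadog.confPath" . }}` and was moved to sit after that entry; if the ordering is what the authors rely on for the nested mount to land on top, that deserves a one-line comment too, since a later reorder would silently hide the token directory.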
diff --git a/charts/datadog/datadog/templates/_container-trace-agent.yaml b/charts/datadog/datadog/templates/_container-trace-agent.yaml index 98e8c6359..9165e8af9 100644 --- a/charts/datadog/datadog/templates/_container-trace-agent.yaml +++ b/charts/datadog/datadog/templates/_container-trace-agent.yaml @@ -53,6 +53,9 @@ volumeMounts: - name: config mountPath: {{ template "datadog.confPath" . }} + - name: auth-token + mountPath: {{ template "datadog.confPath" . }}/auth + readOnly: true {{- if .Values.agents.useConfigMap }} - name: datadog-yaml mountPath: {{ template "datadog.confPath" . }}/datadog.yaml @@ -69,9 +72,6 @@ mountPropagation: {{ .Values.datadog.hostVolumeMountPropagation }} readOnly: true {{- end }} - - name: auth-token - mountPath: /etc/datadog-agent/auth - readOnly: true - name: logdatadog mountPath: /var/log/datadog - name: tmpdir diff --git a/charts/datadog/datadog/templates/_containers-common-env.yaml b/charts/datadog/datadog/templates/_containers-common-env.yaml index 47a599d6b..d27f902fb 100644 --- a/charts/datadog/datadog/templates/_containers-common-env.yaml +++ b/charts/datadog/datadog/templates/_containers-common-env.yaml @@ -10,7 +10,7 @@ name: {{ template "datadog.apiSecretName" . }} key: api-key - name: DD_AUTH_TOKEN_FILE_PATH - value: /etc/datadog-agent/auth/token + value: {{ template "datadog.confPath" . }}/auth/token {{ include "components-common-env" . }} {{- if .Values.datadog.kubelet.host }} - name: DD_KUBERNETES_KUBELET_HOST diff --git a/charts/datadog/datadog/templates/_helpers.tpl b/charts/datadog/datadog/templates/_helpers.tpl index a03bba937..b9be8459d 100644 --- a/charts/datadog/datadog/templates/_helpers.tpl +++ b/charts/datadog/datadog/templates/_helpers.tpl 
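Review bot: `{{ template "datadog.confPath" . }}/auth` is now spelled out by hand in four container templates and once more as `.../auth/token` in `DD_AUTH_TOKEN_FILE_PATH`; the CHANGELOG says this release exists because those copies drifted on Windows, yet the duplication that allowed the drift is kept. A small helper, e.g. `{{- define "datadog.authTokenDir" -}}{{ template "datadog.confPath" . }}/auth{{- end -}}`, used for every `mountPath` and for the env value would make the path a single point of truth. On Windows `datadog.confPath` presumably yields a `C:\...` style path, so the forward-slash join produces a mixed-separator path; Windows tolerates that, but the helper is the right place to note the assumption.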
@@ -342,7 +342,9 @@ false Return true if the hostPid features should be enabled for the Agent pod. */}} {{- define "should-enable-host-pid" -}} -{{- if and (not .Values.providers.gke.autopilot) (or (eq (include "should-enable-compliance" .) "true") .Values.datadog.dogstatsd.useHostPID .Values.datadog.useHostPID) -}} +{{- if eq .Values.targetSystem "windows" -}} +false +{{- else if and (not .Values.providers.gke.autopilot) (or (eq (include "should-enable-compliance" .) "true") .Values.datadog.dogstatsd.useHostPID .Values.datadog.useHostPID) -}} true {{- else -}} false diff --git a/charts/datadog/datadog/values.yaml b/charts/datadog/datadog/values.yaml index 07ca4d05a..1df3096bd 100644 --- a/charts/datadog/datadog/values.yaml +++ b/charts/datadog/datadog/values.yaml @@ -1313,7 +1313,7 @@ agents: traceAgent: # agents.containers.traceAgent.env -- Additional environment variables for the trace-agent container - env: + env: [] # agents.containers.traceAgent.envFrom -- Set environment variables specific to trace-agent from configMaps and/or secrets envFrom: [] @@ -1384,7 +1384,7 @@ agents: securityAgent: # agents.containers.securityAgent.env -- Additional environment variables for the security-agent container - env: + env: [] # agents.containers.securityAgent.envFrom -- Set environment variables specific to security-agent from configMaps and/or secrets envFrom: [] diff --git a/charts/haproxy/haproxy/Chart.yaml b/charts/haproxy/haproxy/Chart.yaml index 85a596b51..1cee806ed 100644 --- a/charts/haproxy/haproxy/Chart.yaml +++ b/charts/haproxy/haproxy/Chart.yaml 
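Review bot: The new `windows` branch short-circuits with no explanation, and a user-set `datadog.useHostPID` or `dogstatsd.useHostPID` is silently ignored on that platform rather than rejected. A template comment above the branch, `{{- /* hostPID is not supported for Windows pods; useHostPID and compliance settings are ignored there */ -}}`, records why the user's value is overridden. If the chart has a NOTES.txt or a validation helper, emitting a warning when `useHostPID` is true together with `targetSystem: windows` would be friendlier than a silent `false`, though that lives outside this hunk.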
@@ -1,12 +1,12 @@ annotations: artifacthub.io/changes: | - - Additional internal-only service for metrics scraping + - Use Ingress Controller 1.9.1 version for base image catalog.cattle.io/certified: partner catalog.cattle.io/display-name: HAProxy Kubernetes Ingress Controller catalog.cattle.io/kube-version: '>=1.19.0-0' catalog.cattle.io/release-name: haproxy apiVersion: v2 -appVersion: 1.9.0 +appVersion: 1.9.1 description: A Helm chart for HAProxy Kubernetes Ingress Controller home: https://github.com/haproxytech/helm-charts/tree/main/kubernetes-ingress icon: https://raw.githubusercontent.com/haproxytech/helm-charts/main/kubernetes-ingress/chart-icon.png @@ -21,4 +21,4 @@ name: haproxy sources: - https://github.com/haproxytech/kubernetes-ingress type: application -version: 1.27.0 +version: 1.27.1 diff --git a/charts/nats/nats/Chart.yaml b/charts/nats/nats/Chart.yaml index c60e8f324..2ef06d189 100644 --- a/charts/nats/nats/Chart.yaml +++ b/charts/nats/nats/Chart.yaml @@ -24,4 +24,4 @@ maintainers: name: Caleb Lloyd url: https://github.com/caleblloyd name: nats -version: 0.19.5 +version: 0.19.7 diff --git a/charts/nats/nats/README.md b/charts/nats/nats/README.md index 59252866f..5c8aed206 100644 --- a/charts/nats/nats/README.md +++ b/charts/nats/nats/README.md @@ -73,6 +73,15 @@ nats: terminationGracePeriodSeconds: 60 ``` +#### Setting Go Memory Limit (Recommended) + +Since NATS Server v2.9 release, it is possible to use the `GOMEMLIMIT` environment variable to signal memory limits to the Go runtime (which is by default unaware of cgroups memory limits). You should set this to about 90% of the intended available memory resources for the NATS Server container. + +```yaml +nats: + gomemlimit: "4GiB" +``` + ### Logging *Note*: It is not recommended to enable trace or debug in production since enabling it will significantly degrade performance. 
@@ -699,6 +708,48 @@ natsbox: # key: sys.creds ``` +You can also add volumes to nats-box, for example given a PVC like: + +```yaml +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: nsc-pvc +spec: + accessModes: + - ReadWriteOnce + volumeMode: Filesystem + resources: + requests: + storage: 1Gi +``` + +You can give state to nats-box by using the `extraVolumes` and `extraVolumeMounts` options: + +```yaml +natsbox: + enabled: true + extraVolumes: + - name: nsc + persistentVolumeClaim: + claimName: nsc-pvc + extraVolumeMounts: + - mountPath: /nsc + name: nsc +``` + +example: + +```sh +$ helm install nats-nsc nats/nats -f examples/nats-box-persistent.yaml +$ kubectl exec -it deployment/nats-nsc-box -- /bin/sh + +# cd /nsc +/nsc # curl -fSl https://nats-io.github.io/k8s/setup/nsc-setup.sh | sh +/nsc # source .nsc.env +/nsc # nsc list accounts +``` + ### Configuration Checksum A configuration checksum annotation is enabled by default on StatefulSet Pods in order to force a rollout when the NATS configuration changes. This checksum is only applied by `helm` commands, and will not change if configuration is modified outside of setting `helm` values. diff --git a/charts/nats/nats/templates/configmap.yaml b/charts/nats/nats/templates/configmap.yaml index 4c318c4c4..523675c44 100644 --- a/charts/nats/nats/templates/configmap.yaml +++ b/charts/nats/nats/templates/configmap.yaml @@ -99,6 +99,10 @@ data: {{- if .Values.nats.jetstream.uniqueTag }} unique_tag: {{ .Values.nats.jetstream.uniqueTag }} {{- end }} + + {{- if .Values.nats.jetstream.maxOutstandingCatchup }} + max_outstanding_catchup: {{ .Values.nats.jetstream.maxOutstandingCatchup }} + {{- end }} } {{- end }} {{- if .Values.mqtt.enabled }} diff --git a/charts/nats/nats/templates/statefulset.yaml b/charts/nats/nats/templates/statefulset.yaml index a1b01b207..384611c4d 100644 --- a/charts/nats/nats/templates/statefulset.yaml +++ b/charts/nats/nats/templates/statefulset.yaml 
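Review bot: The new `{{- if .Values.nats.jetstream.maxOutstandingCatchup }}` guard in configmap.yaml reads a camelCase key, but the values.yaml hunk in this same commit adds the setting as `max_outstanding_catchup:` under `nats.jetstream`, so a user who fills in that documented value renders no `max_outstanding_catchup` line at all and the server silently keeps its default. Rename the values.yaml key to `maxOutstandingCatchup:` (matching `uniqueTag` directly above it) or change the template to read `.Values.nats.jetstream.max_outstanding_catchup` — one or the other, applied to both files. The value is also emitted unquoted into the NATS config, which matches the `unique_tag` line above; a short values.yaml comment such as `# maxOutstandingCatchup: cap on in-flight JetStream catch-up data, e.g. "64MB"` would help, but the accepted format is not shown in this diff, so confirm it against the server docs before documenting.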
@@ -535,6 +535,10 @@ spec: - "-config" - {{ . | quote }} {{- end }} + {{- range .Values.nats.config }} + - "-config" + - "/etc/nats-config/{{ .name }}/{{ .name }}.conf" + {{- end}} volumeMounts: - name: config-volume mountPath: /etc/nats-config @@ -544,6 +548,12 @@ spec: {{- if .Values.additionalVolumeMounts }} {{- toYaml .Values.additionalVolumeMounts | nindent 8 }} {{- end }} + {{- /* User extended config volumes*/}} + {{- range .Values.nats.config }} + # User extended config volumes + - name: {{ .name }} + mountPath: /etc/nats-config/{{ .name }} + {{- end }} {{- end }} ############################## diff --git a/charts/nats/nats/values.yaml b/charts/nats/nats/values.yaml index 4892da4f7..9d400e05b 100644 --- a/charts/nats/nats/values.yaml +++ b/charts/nats/nats/values.yaml @@ -228,6 +228,8 @@ nats: # Jetstream Unique Tag prevent placing a stream in the same availability zone twice. uniqueTag: + max_outstanding_catchup: + ########################## # # # Jetstream Encryption # @@ -490,7 +492,7 @@ gateway: bootconfig: image: repository: natsio/nats-boot-config - tag: 0.8.0 + tag: 0.9.2 pullPolicy: IfNotPresent # registry: docker.io @@ -504,7 +506,7 @@ natsbox: enabled: true image: repository: natsio/nats-box - tag: 0.13.3 + tag: 0.13.4 pullPolicy: IfNotPresent # registry: docker.io @@ -566,7 +568,7 @@ reloader: enabled: true image: repository: natsio/nats-server-config-reloader - tag: 0.8.0 + tag: 0.9.2 pullPolicy: IfNotPresent # registry: docker.io diff --git a/charts/avesha/kubeslice-worker/charts/jaeger/.helmignore b/charts/percona/psmdb-operator/.helmignore similarity index 100% rename from charts/avesha/kubeslice-worker/charts/jaeger/.helmignore rename to charts/percona/psmdb-operator/.helmignore diff --git a/charts/percona/psmdb-operator/Chart.yaml b/charts/percona/psmdb-operator/Chart.yaml index d71f4b259..0b72188c4 100644 --- a/charts/percona/psmdb-operator/Chart.yaml +++ b/charts/percona/psmdb-operator/Chart.yaml 
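Review bot: In the new `{{- range .Values.nats.config }}` volumeMounts block, `name: {{ .name }}` and `mountPath: /etc/nats-config/{{ .name }}` are rendered unquoted, so an entry with a missing `name` yields `name:` (null) and, in the argument hunk above, `/etc/nats-config//.conf`, and a name such as `no` or `on` can be retyped as a boolean by the YAML parser; the `-config` argument line is already quoted and avoids the second problem. Suggest `- name: {{ required "nats.config[].name is required" .name | quote }}` and `mountPath: {{ printf "/etc/nats-config/%s" .name | quote }}`. The matching pod `volumes:` entry and the expectation that each mounted source contains a file named `<name>.conf` are not visible in this diff; if the volume definition lives in another template, a comment here naming it and the `<name>.conf` convention would save the next reader a search. The container spec this range sits in starts and ends outside the hunk.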
@@ -16,4 +16,4 @@ maintainers: - email: sergey.pronin@percona.com name: spron-in name: psmdb-operator -version: 1.13.2 +version: 1.13.3 diff --git a/charts/percona/psmdb-operator/README.md b/charts/percona/psmdb-operator/README.md index a96f91e4b..f54183f56 100644 --- a/charts/percona/psmdb-operator/README.md +++ b/charts/percona/psmdb-operator/README.md @@ -35,6 +35,8 @@ The chart can be customized using the following configurable parameters: | `resources` | Resource requests and limits | `{}` | | `nodeSelector` | Labels for Pod assignment | `{}` | | `watchNamespace` | Set when a different from default namespace is needed to watch | `""` | +| `rbac.create` | If false RBAC will not be created. RBAC resources will need to be created manually | `true` | +| `serviceAccount.create` | If false the ServiceAccounts will not be created. The ServiceAccounts must be created manually | `true` | Specify parameters using `--set key=value[,key=value]` argument to `helm install` diff --git a/charts/percona/psmdb-operator/templates/role-binding.yaml b/charts/percona/psmdb-operator/templates/role-binding.yaml index 84195d3f3..599694984 100644 --- a/charts/percona/psmdb-operator/templates/role-binding.yaml +++ b/charts/percona/psmdb-operator/templates/role-binding.yaml @@ -1,8 +1,11 @@ +{{- if .Values.serviceAccount.create }} apiVersion: v1 kind: ServiceAccount metadata: name: {{ include "psmdb-operator.fullname" . }} --- +{{- end }} +{{- if .Values.rbac.create }} {{- if or .Values.watchNamespace .Values.watchAllNamespaces }} kind: ClusterRoleBinding {{- else }} @@ -30,3 +33,4 @@ roleRef: {{- end }} name: {{ include "psmdb-operator.fullname" . }} apiGroup: rbac.authorization.k8s.io +{{- end }} diff --git a/charts/percona/psmdb-operator/templates/role.yaml b/charts/percona/psmdb-operator/templates/role.yaml index 35b0b390e..5e99400f8 100644 --- a/charts/percona/psmdb-operator/templates/role.yaml +++ b/charts/percona/psmdb-operator/templates/role.yaml 
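Review bot: With `serviceAccount.create: false` the `ServiceAccount` resource is skipped, but the binding still uses the fixed `{{ include "psmdb-operator.fullname" . }}` name (and the Deployment presumably references the same name), so the pre-created ServiceAccount must be called exactly that or the operator pod will not start; nothing in this hunk or the README rows lets a user point at an existing SA with a different name. Suggest adding a `serviceAccount.name` value and using `name: {{ .Values.serviceAccount.name | default (include "psmdb-operator.fullname" .) }}` in the SA metadata and in the binding's `subjects` (the subjects block is outside this hunk). A comment above the `{{- if .Values.rbac.create }}` line noting that `rbac.create: false` still requires the manually created Role/ClusterRole to bind that same SA name would close the loop for least-privilege installs.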
@@ -1,3 +1,4 @@ +{{- if .Values.rbac.create }} {{- if or .Values.watchNamespace .Values.watchAllNamespaces }} kind: ClusterRole {{- else }} @@ -144,3 +145,4 @@ rules: - patch - delete - deletecollection +{{- end }} diff --git a/charts/percona/psmdb-operator/values.yaml b/charts/percona/psmdb-operator/values.yaml index 53fc0bf5e..bfc0d5fc2 100644 --- a/charts/percona/psmdb-operator/values.yaml +++ b/charts/percona/psmdb-operator/values.yaml @@ -16,6 +16,16 @@ image: # set if operator should be deployed in cluster wide mode. defaults to false watchAllNamespaces: false +# rbac: settings for deployer RBAC creation +rbac: + # rbac.create: if false RBAC resources should be in place + create: true + +# serviceAccount: settings for Service Accounts used by the deployer +serviceAccount: + # serviceAccount.create: Whether to create the Service Accounts or not + create: true + # set if you want to use a different operator name # defaults to `percona-server-mongodb-operator` # operatorName: diff --git a/charts/redpanda/redpanda/Chart.yaml b/charts/redpanda/redpanda/Chart.yaml index 9faccc350..fcc0f0eec 100644 --- a/charts/redpanda/redpanda/Chart.yaml +++ b/charts/redpanda/redpanda/Chart.yaml @@ -26,4 +26,4 @@ name: redpanda sources: - https://github.com/redpanda-data/helm-charts type: application -version: 2.6.3 +version: 2.6.4 diff --git a/charts/redpanda/redpanda/templates/NOTES.txt b/charts/redpanda/redpanda/templates/NOTES.txt index 5983ae16c..aa3d82c77 100644 --- a/charts/redpanda/redpanda/templates/NOTES.txt +++ b/charts/redpanda/redpanda/templates/NOTES.txt 
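Review bot: The comment `# rbac.create: if false RBAC resources should be in place` is ambiguous about who provides them and when, and `# serviceAccount: settings for Service Accounts used by the deployer` does not say what name the chart expects when `create` is false. Suggest `# rbac.create: if false, the Role/ClusterRole and binding are not rendered; create equivalent rules (see templates/role.yaml) before installing` and `# serviceAccount.create: if false, a ServiceAccount named after the release fullname must already exist in the install namespace`. That wording stays within what the templates in this commit show — the ServiceAccount this chart creates is named with the chart fullname, and the binding is only rendered when `rbac.create` is true.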
@@ -16,8 +16,23 @@ limitations under the License. */}} {{/* -Any rpk command that's given to the user in in this file must be defined in _example-commands.tpl and tested in a test. + Add warnings to the warnings template */}} +{{ $warnings := (fromJson (include "warnings" .)).result }} +{{- if $warnings }} +--- +{{ range $warning := $warnings }} +{{ $warning }} +{{- end }} + +--- +{{- end }} + +{{- +/* +Any rpk command that's given to the user in in this file must be defined in _example-commands.tpl and tested in a test. +*/ +-}} {{- $anySASL := (include "sasl-enabled" . | fromJson).bool }} {{- $rpk := deepCopy . }} diff --git a/charts/redpanda/redpanda/templates/_helpers.tpl b/charts/redpanda/redpanda/templates/_helpers.tpl index cf7ad2256..644580a5a 100644 --- a/charts/redpanda/redpanda/templates/_helpers.tpl +++ b/charts/redpanda/redpanda/templates/_helpers.tpl @@ -283,8 +283,8 @@ Generate configuration needed for rpk {{- if eq $result 0 -}} {{- "unable to get memory value" | fail -}} {{- end -}} - {{- if lt $result 2000 -}} - {{- printf "\n%d is below the minimum recommended value for Redpanda" $result | fail -}} + {{- if lt $result 256 -}} + {{- printf "\n%d is below the minimum value for Redpanda" $result | fail -}} {{- end -}} {{- if gt (add $result (include "redpanda-reserve-memory" .)) (include "container-memory" . | int64) -}} {{- printf "\nNot enough container memory for Redpanda memory values\nredpanda: %d, reserve: %d, container: %d" $result (include "redpanda-reserve-memory" . | int64) (include "container-memory" . | int64) | fail -}} 
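Review bot: The lowered hard floor `{{- if lt $result 256 -}}` now lets installs proceed anywhere between 256 and the old 2000 threshold, so the `fail` message `%d is below the minimum value for Redpanda` should state the floor and the unit, otherwise a user who hits it cannot tell whether the number is MiB or bytes or what to raise it to. Suggest `{{- printf "\n%d is below the minimum value (256) for Redpanda memory" $result | fail -}}`, adding the unit once it is confirmed from the `redpanda-memory` helper (it appears to be MiB given the comparison against `container-memory`, but that helper is outside this hunk). A one-line comment above the check recording why 256 was chosen as the hard floor would also help the next person asked to lower it again.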
@@ -366,22 +366,22 @@ Generate configuration needed for rpk {{- end -}} {{- define "tunable" -}} -{{- $tunable := dig "tunable" dict .Values.config }} -{{- if (include "redpanda-atleast-22-3-0" . | fromJson).bool }} -{{- toYaml $tunable | nindent 4 }} -{{- else if (include "redpanda-atleast-22-2-0" . | fromJson).bool }} -{{- $tunable = unset $tunable "log_segment_size_min" }} -{{- $tunable = unset $tunable "log_segment_size_max" }} -{{- $tunable = unset $tunable "kafka_batch_max_bytes" }} -{{- toYaml $tunable | nindent 4 }} -{{- else if (include "redpanda-atleast-22-1-1" . | fromJson).bool }} -{{- $tunable = unset $tunable "log_segment_size_min" }} -{{- $tunable = unset $tunable "log_segment_size_max" }} -{{- $tunable = unset $tunable "kafka_batch_max_bytes" }} -{{- $tunable = unset $tunable "topic_partitions_per_shard" }} -{{- toYaml $tunable | nindent 4 }} -{{- end }} -{{- end }} +{{- $tunable := dig "tunable" dict .Values.config -}} +{{- if (include "redpanda-atleast-22-3-0" . | fromJson).bool -}} +{{- toYaml $tunable | nindent 4 -}} +{{- else if (include "redpanda-atleast-22-2-0" . | fromJson).bool -}} +{{- $tunable = unset $tunable "log_segment_size_min" -}} +{{- $tunable = unset $tunable "log_segment_size_max" -}} +{{- $tunable = unset $tunable "kafka_batch_max_bytes" -}} +{{- toYaml $tunable | nindent 4 -}} +{{- else if (include "redpanda-atleast-22-1-1" . | fromJson).bool -}} +{{- $tunable = unset $tunable "log_segment_size_min" -}} +{{- $tunable = unset $tunable "log_segment_size_max" -}} +{{- $tunable = unset $tunable "kafka_batch_max_bytes" -}} +{{- $tunable = unset $tunable "topic_partitions_per_shard" -}} +{{- toYaml $tunable | nindent 4 -}} +{{- end -}} +{{- end -}} {{- define "redpanda-atleast-22-1-1" -}} {{- toJson (dict "bool" (or (not (eq .Values.image.repository "vectorized/redpanda")) (include "redpanda.semver" . | semverCompare ">=22.1.1"))) -}} 
@@ -475,3 +475,29 @@ Set default path for tiered storage cache or use one provided {{- .Values.storage.tieredConfig.cloud_storage_cache_directory }} {{- end }} {{- end }} + +{{/* +"warnings" is an aggregate that returns a list of warnings to be shown in NOTES.txt +*/}} +{{- define "warnings" -}} + {{- $result := list -}} + {{- $warnings := list "redpanda-memory-warning" -}} + {{- range $t := $warnings -}} + {{- $warning := printf "**Warning**: %s" (include $t $) -}} + {{- if $warning -}} + {{- $result = append $result $warning -}} + {{- end -}} + {{- end -}} + {{/* fromJson cannot decode list */}} + {{- toJson (dict "result" $result) -}} +{{- end -}} + +{{/* +return a warning if the chart is configured with insufficient memory +*/}} +{{- define "redpanda-memory-warning" -}} + {{- $result := (include "redpanda-memory" .) | int -}} + {{- if lt $result 2000 -}} + {{- printf "%d is below the minimum recommended value for Redpanda" $result -}} + {{- end -}} +{{- end -}} diff --git a/charts/speedscale/speedscale-operator/Chart.yaml b/charts/speedscale/speedscale-operator/Chart.yaml index b2e64d92b..85f1edda8 100644 --- a/charts/speedscale/speedscale-operator/Chart.yaml +++ b/charts/speedscale/speedscale-operator/Chart.yaml @@ -4,7 +4,7 @@ annotations: catalog.cattle.io/kube-version: '>= 1.17.0-0' catalog.cattle.io/release-name: speedscale-operator apiVersion: v1 -appVersion: 1.2.267 +appVersion: 1.2.282 description: Stress test your APIs with real world scenarios. Collect and replay traffic without scripting. home: https://speedscale.com @@ -24,4 +24,4 @@ maintainers: - email: support@speedscale.com name: Speedscale Support name: speedscale-operator -version: 1.2.18 +version: 1.2.19 diff --git a/charts/speedscale/speedscale-operator/README.md b/charts/speedscale/speedscale-operator/README.md index 4768e57ba..1bf25f87a 100644 --- a/charts/speedscale/speedscale-operator/README.md +++ b/charts/speedscale/speedscale-operator/README.md 
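Review bot: In `warnings`, `$warning := printf "**Warning**: %s" (include $t $)` is never empty — when `redpanda-memory-warning` returns nothing the string is still `**Warning**: `, so the `{{- if $warning -}}` guard is always true and NOTES.txt prints an empty warning block on every install, including ones with ample memory. Check the include result before formatting it: `{{- $msg := include $t $ -}}`, `{{- if $msg -}}`, `{{- $result = append $result (printf "**Warning**: %s" $msg) -}}`. The `lt $result 2000` threshold in `redpanda-memory-warning` would also read better with a comment naming the unit, which this hunk does not state.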
@@ -101,10 +101,10 @@ _See [helm upgrade](https://helm.sh/docs/helm/helm_upgrade/) for command documen A major chart version change (like v1.2.3 -> v2.0.0) indicates that there is an incompatible breaking change needing manual actions. -### Upgrade to 1.2.18 +### Upgrade to 1.2.19 ```bash -kubectl apply --server-side -f https://raw.githubusercontent.com/speedscale/operator-helm/main/1.2.18/templates/crds/trafficreplays.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/speedscale/operator-helm/main/1.2.19/templates/crds/trafficreplays.yaml ``` ### Upgrade to 1.1.0 diff --git a/charts/speedscale/speedscale-operator/app-readme.md b/charts/speedscale/speedscale-operator/app-readme.md index 4768e57ba..1bf25f87a 100644 --- a/charts/speedscale/speedscale-operator/app-readme.md +++ b/charts/speedscale/speedscale-operator/app-readme.md @@ -101,10 +101,10 @@ _See [helm upgrade](https://helm.sh/docs/helm/helm_upgrade/) for command documen A major chart version change (like v1.2.3 -> v2.0.0) indicates that there is an incompatible breaking change needing manual actions. -### Upgrade to 1.2.18 +### Upgrade to 1.2.19 ```bash -kubectl apply --server-side -f https://raw.githubusercontent.com/speedscale/operator-helm/main/1.2.18/templates/crds/trafficreplays.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/speedscale/operator-helm/main/1.2.19/templates/crds/trafficreplays.yaml ``` ### Upgrade to 1.1.0 diff --git a/charts/speedscale/speedscale-operator/values.yaml b/charts/speedscale/speedscale-operator/values.yaml index bdf3ac4ab..49cbfd22d 100644 --- a/charts/speedscale/speedscale-operator/values.yaml +++ b/charts/speedscale/speedscale-operator/values.yaml @@ -20,7 +20,7 @@ clusterName: "my-cluster" # Speedscale components image settings. image: registry: gcr.io/speedscale - tag: v1.2.267 + tag: v1.2.282 pullPolicy: Always # Log level for Speedscale components. diff --git a/index.yaml b/index.yaml index f6dec6f2f..c5cda5ce0 100644 
--- a/index.yaml +++ b/index.yaml @@ -80,6 +80,51 @@ entries: - assets/datawiza/access-broker-0.1.1.tgz version: 0.1.1 airflow: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Apache Airflow + catalog.cattle.io/kube-version: '>=1.19-0' + catalog.cattle.io/release-name: airflow + category: WorkFlow + licenses: Apache-2.0 + apiVersion: v2 + appVersion: 2.5.1 + created: "2023-02-02T16:55:17.244407806Z" + dependencies: + - condition: redis.enabled + name: redis + repository: file://./charts/redis + version: 17.x.x + - condition: postgresql.enabled + name: postgresql + repository: file://./charts/postgresql + version: 12.x.x + - name: common + repository: file://./charts/common + tags: + - bitnami-common + version: 2.x.x + description: Apache Airflow is a tool to express and execute workflows as directed + acyclic graphs (DAGs). It includes utilities to schedule tasks, monitor task + progress and handle task dependencies. + digest: 7f934a1cc35596ffa6c354a0b87377d42f84d87e2439615bbfbcc422759eeba8 + home: https://github.com/bitnami/charts/tree/main/bitnami/airflow + icon: https://svn.apache.org/repos/asf/comdev/project-logos/originals/airflow-1.svg + keywords: + - apache + - airflow + - workflow + - dag + maintainers: + - name: Bitnami + url: https://github.com/bitnami/charts + name: airflow + sources: + - https://github.com/bitnami/containers/tree/main/bitnami/airflow + - https://airflow.apache.org/ + urls: + - assets/bitnami/airflow-14.0.11.tgz + version: 14.0.11 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Apache Airflow 
@@ -3509,6 +3554,42 @@ entries: - assets/aws-event-sources/aws-event-sources-0.1.901.tgz version: 0.1.901 cassandra: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Apache Cassandra + catalog.cattle.io/kube-version: '>=1.19-0' + catalog.cattle.io/release-name: cassandra + category: Database + licenses: Apache-2.0 + apiVersion: v2 + appVersion: 4.1.0 + created: "2023-02-02T16:55:17.405865076Z" + dependencies: + - name: common + repository: file://./charts/common + tags: + - bitnami-common + version: 2.x.x + description: Apache Cassandra is an open source distributed database management + system designed to handle large amounts of data across many servers, providing + high availability with no single point of failure. + digest: 2c6f99a41a0063e8e5a9b8c348df352dedc968d3faf1459468a1b1fd90467506 + home: https://github.com/bitnami/charts/tree/main/bitnami/cassandra + icon: https://svn.apache.org/repos/asf/comdev/project-logos/originals/cassandra-4.svg + keywords: + - cassandra + - database + - nosql + maintainers: + - name: Bitnami + url: https://github.com/bitnami/charts + name: cassandra + sources: + - https://github.com/bitnami/containers/tree/main/bitnami/cassandra + - http://cassandra.apache.org + urls: + - assets/bitnami/cassandra-10.0.2.tgz + version: 10.0.2 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Apache Cassandra 
@@ -5611,6 +5692,43 @@ entries: - assets/weka/csi-wekafsplugin-0.6.400.tgz version: 0.6.400 datadog: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Datadog + catalog.cattle.io/kube-version: '>=1.10-0' + catalog.cattle.io/release-name: datadog + apiVersion: v1 + appVersion: "7" + created: "2023-02-02T16:55:18.414355067Z" + dependencies: + - condition: clusterAgent.metricsProvider.useDatadogMetrics + name: datadog-crds + repository: https://helm.datadoghq.com + tags: + - install-crds + version: 0.4.7 + - condition: datadog.kubeStateMetricsEnabled + name: kube-state-metrics + repository: https://prometheus-community.github.io/helm-charts + version: 2.13.2 + description: Datadog Agent + digest: 91275b56ff706bf49d29c3f2ecdb1c9640c63a91c26b37987519da766201c22b + home: https://www.datadoghq.com + icon: https://datadog-live.imgix.net/img/dd_logo_70x75.png + keywords: + - monitoring + - alerting + - metric + maintainers: + - email: support@datadoghq.com + name: Datadog + name: datadog + sources: + - https://app.datadoghq.com/account/settings#agent/kubernetes + - https://github.com/DataDog/datadog-agent + urls: + - assets/datadog/datadog-3.10.4.tgz + version: 3.10.4 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Datadog 
@@ -8900,6 +9018,34 @@ entries: - assets/gopaddle/gopaddle-4.2.5.tgz version: 4.2.5 haproxy: + - annotations: + artifacthub.io/changes: | + - Use Ingress Controller 1.9.1 version for base image + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: HAProxy Kubernetes Ingress Controller + catalog.cattle.io/kube-version: '>=1.19.0-0' + catalog.cattle.io/release-name: haproxy + apiVersion: v2 + appVersion: 1.9.1 + created: "2023-02-02T16:55:19.573127265Z" + description: A Helm chart for HAProxy Kubernetes Ingress Controller + digest: 9d79decc450cfb57ac4bc337939695e9ea3908c61869bd4f271893758aa2967e + home: https://github.com/haproxytech/helm-charts/tree/main/kubernetes-ingress + icon: https://raw.githubusercontent.com/haproxytech/helm-charts/main/kubernetes-ingress/chart-icon.png + keywords: + - ingress + - haproxy + kubeVersion: '>=1.19.0-0' + maintainers: + - email: dkorunic@haproxy.com + name: Dinko Korunic + name: haproxy + sources: + - https://github.com/haproxytech/kubernetes-ingress + type: application + urls: + - assets/haproxy/haproxy-1.27.1.tgz + version: 1.27.1 - annotations: artifacthub.io/changes: | - Additional internal-only service for metrics scraping 
@@ -12389,6 +12535,49 @@ entries: - assets/kong/kong-2.3.1.tgz version: 2.3.1 kubeslice-controller: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Avesha Kubeslice Controller + catalog.cattle.io/kube-version: '>= 1.19.0-0' + catalog.cattle.io/namespace: kubeslice-controller + catalog.cattle.io/release-name: kubeslice-controller + apiVersion: v2 + appVersion: 0.5.0 + created: "2023-02-02T16:55:17.154512801Z" + description: Multi cloud networking (MCN), multi cluster, hybrid cloud networking + tool for efficient, secure, policy-enforced connectivity and true multi-tenancy + capabilities. KubeSlice enables enterprise platform teams to reduce infrastructure + costs, cluster/namespace sprawl, avoid complex firewall and gateway configurations + and more. + digest: 8b6cfd723cbb1d15ce54a93b9fe6a7e18c852cacd89b18799fc954926b8b9166 + icon: https://kubeslice.io/documentation/open-source/img/kubeslice-logo.svg + keywords: + - multicloud + - multi cloud + - multitenant + - multitenancy + - multi tenant + - multi tenancy + - federated mesh + - federated clusters + - federated k8s + - federated kubernetes + - cluster sprawl + - sprawl + - namespace sprawl + - network policy + - overlay network + - mesh network + - security + - networking + - infrastructure + - application + kubeVersion: '>= 1.19.0-0' + name: kubeslice-controller + type: application + urls: + - assets/avesha/kubeslice-controller-0.5.0.tgz + version: 0.5.0 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Avesha Kubeslice Controller 
@@ -12511,6 +12700,49 @@ entries: - assets/avesha/kubeslice-controller-0.4.2.tgz version: 0.4.2 kubeslice-worker: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Avesha Kubeslice Worker + catalog.cattle.io/kube-version: '>= 1.19.0-0' + catalog.cattle.io/namespace: kubeslice-system + catalog.cattle.io/release-name: kubeslice-worker + apiVersion: v2 + appVersion: 0.5.0 + created: "2023-02-02T16:55:17.163800371Z" + description: Multi cloud networking (MCN), multi cluster, hybrid cloud networking + tool for efficient, secure, policy-enforced connectivity and true multi-tenancy + capabilities. KubeSlice enables enterprise platform teams to reduce infrastructure + costs, cluster/namespace sprawl, avoid complex firewall and gateway configurations + and more. + digest: 4820d1bbb3d17cecd15188c1d69ac627a52d964882f70fe531bed30914614452 + icon: https://kubeslice.io/documentation/open-source/img/kubeslice-logo.svg + keywords: + - multicloud + - multi cloud + - multitenant + - multitenancy + - multi tenant + - multi tenancy + - federated mesh + - federated clusters + - federated k8s + - federated kubernetes + - cluster sprawl + - sprawl + - namespace sprawl + - network policy + - overlay network + - mesh network + - security + - networking + - infrastructure + - application + kubeVersion: '>= 1.19.0-0' + name: kubeslice-worker + type: application + urls: + - assets/avesha/kubeslice-worker-0.5.0.tgz + version: 0.5.0 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Avesha Kubeslice Worker 
@@ -13637,6 +13869,37 @@ entries: - assets/bitnami/mysql-9.4.1.tgz version: 9.4.1 nats: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: NATS Server + catalog.cattle.io/kube-version: '>=1.16-0' + catalog.cattle.io/release-name: nats + apiVersion: v2 + appVersion: 2.9.11-alpine + created: "2023-02-02T16:55:20.727833277Z" + description: A Helm chart for the NATS.io High Speed Cloud Native Distributed + Communications Technology. + digest: 88b9fd9831e380f8fccdafe165a95b347f501932fd1ffb94f5c31a9130777712 + home: http://github.com/nats-io/k8s + icon: https://nats.io/img/nats-icon-color.png + keywords: + - nats + - messaging + - cncf + maintainers: + - email: wally@nats.io + name: Waldemar Quevedo + url: https://github.com/wallyqs + - email: colin@nats.io + name: Colin Sullivan + url: https://github.com/ColinSullivan1 + - email: caleb@nats.io + name: Caleb Lloyd + url: https://github.com/caleblloyd + name: nats + urls: + - assets/nats/nats-0.19.7.tgz + version: 0.19.7 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: NATS Server 
@@ -15891,6 +16154,45 @@ entries: - assets/portworx/portworx-essentials-2.9.100.tgz version: 2.9.100 postgresql: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: PostgreSQL + catalog.cattle.io/kube-version: '>=1.19-0' + catalog.cattle.io/release-name: postgresql + category: Database + licenses: Apache-2.0 + apiVersion: v2 + appVersion: 15.1.0 + created: "2023-02-02T16:55:17.707636586Z" + dependencies: + - name: common + repository: file://./charts/common + tags: + - bitnami-common + version: 2.x.x + description: PostgreSQL (Postgres) is an open source object-relational database + known for reliability and data integrity. ACID-compliant, it supports foreign + keys, joins, views, triggers and stored procedures. + digest: e6f992b4ede3e2371c06482f80227da4fa33c0c9692d416a17b1266cb980b193 + home: https://github.com/bitnami/charts/tree/main/bitnami/postgresql + icon: https://wiki.postgresql.org/images/a/a4/PostgreSQL_logo.3colors.svg + keywords: + - postgresql + - postgres + - database + - sql + - replication + - cluster + maintainers: + - name: Bitnami + url: https://github.com/bitnami/charts + name: postgresql + sources: + - https://github.com/bitnami/containers/tree/main/bitnami/postgresql + - https://www.postgresql.org/ + urls: + - assets/bitnami/postgresql-12.1.14.tgz + version: 12.1.14 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: PostgreSQL 
@@ -16411,6 +16713,29 @@ entries: - assets/percona/psmdb-db-1.13.0.tgz version: 1.13.0 psmdb-operator: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Percona Operator for MongoDB + catalog.cattle.io/kube-version: '>=1.21-0' + catalog.cattle.io/release-name: psmdb-operator + apiVersion: v2 + appVersion: 1.13.0 + created: "2023-02-02T16:55:20.956973725Z" + description: A Helm chart for deploying the Percona Operator for MongoDB + digest: 27a0b34b88e0995e410f196357d802640f8d27db81c136e52e189150aa5c53cd + home: https://docs.percona.com/percona-operator-for-mongodb/ + icon: https://raw.githubusercontent.com/percona/percona-server-mongodb-operator/main/operator.png + maintainers: + - email: ivan.pylypenko@percona.com + name: cap1984 + - email: tomislav.plavcic@percona.com + name: tplavcic + - email: sergey.pronin@percona.com + name: spron-in + name: psmdb-operator + urls: + - assets/percona/psmdb-operator-1.13.3.tgz + version: 1.13.3 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Percona Operator for MongoDB 
@@ -17122,6 +17447,39 @@ entries: - assets/bitnami/redis-17.3.7.tgz version: 17.3.7 redpanda: + - annotations: + artifacthub.io/images: | + - name: redpanda + image: vectorized/redpanda:v22.3.10 + - name: busybox + image: busybox:latest + artifacthub.io/license: Apache-2.0 + artifacthub.io/links: | + - name: Documentation + url: https://docs.redpanda.com + - name: "Helm (>= 3.6.0)" + url: https://helm.sh/docs/intro/install/ + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Redpanda + catalog.cattle.io/kube-version: '>=1.21-0' + catalog.cattle.io/release-name: redpanda + apiVersion: v2 + appVersion: v22.3.10 + created: "2023-02-02T16:55:21.096764666Z" + description: Redpanda is the real-time engine for modern apps. + digest: d405f2b6009cb633b3ea1bf276f8f61f33a3a86bd9bfba151df5ab9d1bddcbe2 + icon: https://images.ctfassets.net/paqvtpyf8rwu/3cYHw5UzhXCbKuR24GDFGO/73fb682e6157d11c10d5b2b5da1d5af0/skate-stand-panda.svg + kubeVersion: '>=1.21-0' + maintainers: + - name: redpanda-data + url: https://github.com/orgs/redpanda-data/people + name: redpanda + sources: + - https://github.com/redpanda-data/helm-charts + type: application + urls: + - assets/redpanda/redpanda-2.6.4.tgz + version: 2.6.4 - annotations: artifacthub.io/images: | - name: redpanda 
@@ -18642,6 +19000,37 @@ entries: - assets/bitnami/spark-6.3.8.tgz version: 6.3.8 speedscale-operator: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Speedscale Operator + catalog.cattle.io/kube-version: '>= 1.17.0-0' + catalog.cattle.io/release-name: speedscale-operator + apiVersion: v1 + appVersion: 1.2.282 + created: "2023-02-02T16:55:21.172061119Z" + description: Stress test your APIs with real world scenarios. Collect and replay + traffic without scripting. + digest: 14fd0c6dc6809aaaebe2dc5e15d2094c5145ebad87de1b22a829ff3d83cd8c0a + home: https://speedscale.com + icon: https://raw.githubusercontent.com/speedscale/assets/main/logo/gold_logo_only.png + keywords: + - speedscale + - test + - testing + - regression + - reliability + - load + - replay + - network + - traffic + kubeVersion: '>= 1.17.0-0' + maintainers: + - email: support@speedscale.com + name: Speedscale Support + name: speedscale-operator + urls: + - assets/speedscale/speedscale-operator-1.2.19.tgz + version: 1.2.19 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Speedscale Operator 
@@ -19628,6 +20017,45 @@ entries: - assets/intel/tcs-issuer-0.1.0.tgz version: 0.1.0 tomcat: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Apache Tomcat + catalog.cattle.io/kube-version: '>=1.19-0' + catalog.cattle.io/release-name: tomcat + category: ApplicationServer + licenses: Apache-2.0 + apiVersion: v2 + appVersion: 10.1.5 + created: "2023-02-02T16:55:17.912982713Z" + dependencies: + - name: common + repository: file://./charts/common + tags: + - bitnami-common + version: 2.x.x + description: Apache Tomcat is an open-source web server designed to host and run + Java-based web applications. It is a lightweight server with a good performance + for applications running in production environments. + digest: 59691f9d85a32eba4994f7c43c7ca161b42bcf2850454491cea06dcc261b2974 + home: https://github.com/bitnami/charts/tree/main/bitnami/tomcat + icon: https://svn.apache.org/repos/asf/comdev/project-logos/originals/tomcat.svg + keywords: + - tomcat + - java + - http + - web + - application server + - jsp + maintainers: + - name: Bitnami + url: https://github.com/bitnami/charts + name: tomcat + sources: + - https://github.com/bitnami/containers/tree/main/bitnami/tomcat + - http://tomcat.apache.org + urls: + - assets/bitnami/tomcat-10.5.13.tgz + version: 10.5.13 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Apache Tomcat 
@@ -20989,6 +21417,54 @@ entries: - assets/hashicorp/vault-0.22.0.tgz version: 0.22.0 wordpress: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: WordPress + catalog.cattle.io/kube-version: '>=1.19-0' + catalog.cattle.io/release-name: wordpress + category: CMS + licenses: Apache-2.0 + apiVersion: v2 + appVersion: 6.1.1 + created: "2023-02-02T16:55:18.157808509Z" + dependencies: + - condition: memcached.enabled + name: memcached + repository: file://./charts/memcached + version: 6.x.x + - condition: mariadb.enabled + name: mariadb + repository: file://./charts/mariadb + version: 11.x.x + - name: common + repository: file://./charts/common + tags: + - bitnami-common + version: 2.x.x + description: WordPress is the world's most popular blogging and content management + platform. Powerful yet simple, everyone from students to global corporations + use it to build beautiful, functional websites. + digest: 1b321dd2fcf03e9c1699cc142e6b5c240d252f2bf52a523980883e8cc64c58a0 + home: https://github.com/bitnami/charts/tree/main/bitnami/wordpress + icon: https://s.w.org/style/images/about/WordPress-logotype-simplified.png + keywords: + - application + - blog + - cms + - http + - php + - web + - wordpress + maintainers: + - name: Bitnami + url: https://github.com/bitnami/charts + name: wordpress + sources: + - https://github.com/bitnami/containers/tree/main/bitnami/wordpress + - https://wordpress.org/ + urls: + - assets/bitnami/wordpress-15.2.37.tgz + version: 15.2.37 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: WordPress