Added chart versions:
codefresh/cf-runtime:
- 6.3.57
f5/f5-bigip-ctlr:
- 0.0.32
jenkins/jenkins:
- 5.5.14
ngrok/kubernetes-ingress-controller:
- 0.14.3
pull/1059/head
github-actions[bot]
parent
4cc45d1ffa
commit
75ac980a2d
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
|
|
@ -0,0 +1,3 @@
|
|||
tests/
|
||||
.ci/
|
||||
test-values/
|
||||
|
|
@ -0,0 +1,28 @@
|
|||
annotations:
|
||||
artifacthub.io/changes: |
|
||||
- kind: fixed
|
||||
description: "engine image upgraded to 1.174.7 to fix fetching a pipeline yaml from subdirectories for Bitbucket Server"
|
||||
artifacthub.io/containsSecurityUpdates: "false"
|
||||
catalog.cattle.io/certified: partner
|
||||
catalog.cattle.io/display-name: Codefresh
|
||||
catalog.cattle.io/kube-version: '>=1.18-0'
|
||||
catalog.cattle.io/release-name: cf-runtime
|
||||
apiVersion: v2
|
||||
dependencies:
|
||||
- name: cf-common
|
||||
repository: file://./charts/cf-common
|
||||
version: 0.16.0
|
||||
description: A Helm chart for Codefresh Runner
|
||||
home: https://codefresh.io/
|
||||
icon: file://assets/icons/cf-runtime.png
|
||||
keywords:
|
||||
- codefresh
|
||||
- runner
|
||||
kubeVersion: '>=1.18-0'
|
||||
maintainers:
|
||||
- name: codefresh
|
||||
url: https://codefresh-io.github.io/
|
||||
name: cf-runtime
|
||||
sources:
|
||||
- https://github.com/codefresh-io/venona
|
||||
version: 6.3.57
|
||||
File diff suppressed because it is too large
Load Diff
File diff suppressed because it is too large
Load Diff
|
|
@ -0,0 +1,37 @@
|
|||
#!/bin/bash
|
||||
|
||||
echo "-----"
|
||||
echo "API_HOST: ${API_HOST}"
|
||||
echo "AGENT_NAME: ${AGENT_NAME}"
|
||||
echo "RUNTIME_NAME: ${RUNTIME_NAME}"
|
||||
echo "AGENT: ${AGENT}"
|
||||
echo "AGENT_SECRET_NAME: ${AGENT_SECRET_NAME}"
|
||||
echo "DIND_SECRET_NAME: ${DIND_SECRET_NAME}"
|
||||
echo "-----"
|
||||
|
||||
auth() {
|
||||
codefresh auth create-context --api-key ${API_TOKEN} --url ${API_HOST}
|
||||
}
|
||||
|
||||
remove_runtime() {
|
||||
if [ "$AGENT" == "true" ]; then
|
||||
codefresh delete re ${RUNTIME_NAME} || true
|
||||
else
|
||||
codefresh delete sys-re ${RUNTIME_NAME} || true
|
||||
fi
|
||||
}
|
||||
|
||||
remove_agent() {
|
||||
codefresh delete agent ${AGENT_NAME} || true
|
||||
}
|
||||
|
||||
remove_secrets() {
|
||||
kubectl patch secret $(kubectl get secret -l codefresh.io/internal=true | awk 'NR>1{print $1}' | xargs) -p '{"metadata":{"finalizers":null}}' --type=merge || true
|
||||
kubectl delete secret $AGENT_SECRET_NAME || true
|
||||
kubectl delete secret $DIND_SECRET_NAME || true
|
||||
}
|
||||
|
||||
auth
|
||||
remove_runtime
|
||||
remove_agent
|
||||
remove_secrets
|
||||
|
|
@ -0,0 +1,132 @@
|
|||
#!/usr/bin/env bash
|
||||
#
|
||||
|
||||
#---
|
||||
fatal() {
|
||||
echo "ERROR: $1"
|
||||
exit 1
|
||||
}
|
||||
|
||||
msg() { echo -e "\e[32mINFO ---> $1\e[0m"; }
|
||||
err() { echo -e "\e[31mERR ---> $1\e[0m" ; return 1; }
|
||||
|
||||
exit_trap () {
|
||||
local lc="$BASH_COMMAND" rc=$?
|
||||
if [ $rc != 0 ]; then
|
||||
if [[ -n "$SLEEP_ON_ERROR" ]]; then
|
||||
echo -e "\nSLEEP_ON_ERROR is set - Sleeping to fix error"
|
||||
sleep $SLEEP_ON_ERROR
|
||||
fi
|
||||
fi
|
||||
}
|
||||
trap exit_trap EXIT
|
||||
|
||||
usage() {
|
||||
echo "Usage:
|
||||
$0 [-n | --namespace] [--server-cert-cn] [--server-cert-extra-sans] codefresh-api-host codefresh-api-token
|
||||
|
||||
Example:
|
||||
$0 -n workflow https://g.codefresh.io 21341234.423141234.412431234
|
||||
|
||||
"
|
||||
}
|
||||
|
||||
# Args
|
||||
while [[ $1 =~ ^(-(n|h)|--(namespace|server-cert-cn|server-cert-extra-sans|help)) ]]
|
||||
do
|
||||
key=$1
|
||||
value=$2
|
||||
|
||||
case $key in
|
||||
-h|--help)
|
||||
usage
|
||||
exit
|
||||
;;
|
||||
-n|--namespace)
|
||||
NAMESPACE="$value"
|
||||
shift
|
||||
;;
|
||||
--server-cert-cn)
|
||||
SERVER_CERT_CN="$value"
|
||||
shift
|
||||
;;
|
||||
--server-cert-extra-sans)
|
||||
SERVER_CERT_EXTRA_SANS="$value"
|
||||
shift
|
||||
;;
|
||||
esac
|
||||
shift # past argument or value
|
||||
done
|
||||
|
||||
API_HOST=${1:-"$CF_API_HOST"}
|
||||
API_TOKEN=${2:-"$CF_API_TOKEN"}
|
||||
|
||||
[[ -z "$API_HOST" ]] && usage && fatal "Missing API_HOST"
|
||||
[[ -z "$API_TOKEN" ]] && usage && fatal "Missing token"
|
||||
|
||||
|
||||
API_SIGN_PATH=${API_SIGN_PATH:-"api/custom_clusters/signServerCerts"}
|
||||
|
||||
NAMESPACE=${NAMESPACE:-default}
|
||||
RELEASE=${RELEASE:-cf-runtime}
|
||||
|
||||
DIR=$(dirname $0)
|
||||
TMPDIR=/tmp/codefresh/
|
||||
|
||||
TMP_CERTS_FILE_ZIP=$TMPDIR/cf-certs.zip
|
||||
TMP_CERTS_HEADERS_FILE=$TMPDIR/cf-certs-response-headers.txt
|
||||
CERTS_DIR=$TMPDIR/ssl
|
||||
SRV_TLS_CA_CERT=${CERTS_DIR}/ca.pem
|
||||
SRV_TLS_KEY=${CERTS_DIR}/server-key.pem
|
||||
SRV_TLS_CSR=${CERTS_DIR}/server-cert.csr
|
||||
SRV_TLS_CERT=${CERTS_DIR}/server-cert.pem
|
||||
CF_SRV_TLS_CERT=${CERTS_DIR}/cf-server-cert.pem
|
||||
CF_SRV_TLS_CA_CERT=${CERTS_DIR}/cf-ca.pem
|
||||
mkdir -p $TMPDIR $CERTS_DIR
|
||||
|
||||
K8S_CERT_SECRET_NAME=codefresh-certs-server
|
||||
echo -e "\n------------------\nGenerating server tls certificates ... "
|
||||
|
||||
SERVER_CERT_CN=${SERVER_CERT_CN:-"docker.codefresh.io"}
|
||||
SERVER_CERT_EXTRA_SANS="${SERVER_CERT_EXTRA_SANS}"
|
||||
###
|
||||
|
||||
openssl genrsa -out $SRV_TLS_KEY 4096 || fatal "Failed to generate openssl key "
|
||||
openssl req -subj "/CN=${SERVER_CERT_CN}" -new -key $SRV_TLS_KEY -out $SRV_TLS_CSR || fatal "Failed to generate openssl csr "
|
||||
GENERATE_CERTS=true
|
||||
CSR=$(sed ':a;N;$!ba;s/\n/\\n/g' ${SRV_TLS_CSR})
|
||||
|
||||
SERVER_CERT_SANS="IP:127.0.0.1,DNS:dind,DNS:*.dind.${NAMESPACE},DNS:*.dind.${NAMESPACE}.svc${KUBE_DOMAIN},DNS:*.cf-cd.com,DNS:*.codefresh.io"
|
||||
if [[ -n "${SERVER_CERT_EXTRA_SANS}" ]]; then
|
||||
SERVER_CERT_SANS=${SERVER_CERT_SANS},${SERVER_CERT_EXTRA_SANS}
|
||||
fi
|
||||
echo "{\"reqSubjectAltName\": \"${SERVER_CERT_SANS}\", \"csr\": \"${CSR}\" }" > ${TMPDIR}/sign_req.json
|
||||
|
||||
rm -fv ${TMP_CERTS_HEADERS_FILE} ${TMP_CERTS_FILE_ZIP}
|
||||
|
||||
SIGN_STATUS=$(curl -k -sSL -d @${TMPDIR}/sign_req.json -H "Content-Type: application/json" -H "Authorization: ${API_TOKEN}" -H "Expect: " \
|
||||
-o ${TMP_CERTS_FILE_ZIP} -D ${TMP_CERTS_HEADERS_FILE} -w '%{http_code}' ${API_HOST}/${API_SIGN_PATH} )
|
||||
|
||||
echo "Sign request completed with HTTP_STATUS_CODE=$SIGN_STATUS"
|
||||
if [[ $SIGN_STATUS != 200 ]]; then
|
||||
echo "ERROR: Cannot sign certificates"
|
||||
if [[ -f ${TMP_CERTS_FILE_ZIP} ]]; then
|
||||
mv ${TMP_CERTS_FILE_ZIP} ${TMP_CERTS_FILE_ZIP}.error
|
||||
cat ${TMP_CERTS_FILE_ZIP}.error
|
||||
fi
|
||||
exit 1
|
||||
fi
|
||||
unzip -o -d ${CERTS_DIR}/ ${TMP_CERTS_FILE_ZIP} || fatal "Failed to unzip certificates to ${CERTS_DIR} "
|
||||
cp -v ${CF_SRV_TLS_CA_CERT} $SRV_TLS_CA_CERT || fatal "received ${TMP_CERTS_FILE_ZIP} does not contains ca.pem"
|
||||
cp -v ${CF_SRV_TLS_CERT} $SRV_TLS_CERT || fatal "received ${TMP_CERTS_FILE_ZIP} does not contains cf-server-cert.pem"
|
||||
|
||||
|
||||
echo -e "\n------------------\nCreating certificate secret "
|
||||
|
||||
kubectl -n $NAMESPACE create secret generic $K8S_CERT_SECRET_NAME \
|
||||
--from-file=$SRV_TLS_CA_CERT \
|
||||
--from-file=$SRV_TLS_KEY \
|
||||
--from-file=$SRV_TLS_CERT \
|
||||
--dry-run=client -o yaml | kubectl apply --overwrite -f -
|
||||
kubectl -n $NAMESPACE label --overwrite secret ${K8S_CERT_SECRET_NAME} codefresh.io/internal=true
|
||||
kubectl -n $NAMESPACE patch secret $K8S_CERT_SECRET_NAME -p '{"metadata": {"finalizers": ["kubernetes"]}}'
|
||||
|
|
@ -0,0 +1,80 @@
|
|||
#!/bin/bash
|
||||
|
||||
echo "-----"
|
||||
echo "API_HOST: ${API_HOST}"
|
||||
echo "AGENT_NAME: ${AGENT_NAME}"
|
||||
echo "KUBE_CONTEXT: ${KUBE_CONTEXT}"
|
||||
echo "KUBE_NAMESPACE: ${KUBE_NAMESPACE}"
|
||||
echo "OWNER_NAME: ${OWNER_NAME}"
|
||||
echo "RUNTIME_NAME: ${RUNTIME_NAME}"
|
||||
echo "SECRET_NAME: ${SECRET_NAME}"
|
||||
echo "-----"
|
||||
|
||||
create_agent_secret() {
|
||||
|
||||
kubectl apply -f - <<EOF
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
type: Opaque
|
||||
metadata:
|
||||
name: ${SECRET_NAME}
|
||||
namespace: ${KUBE_NAMESPACE}
|
||||
labels:
|
||||
codefresh.io/internal: "true"
|
||||
finalizers:
|
||||
- kubernetes
|
||||
ownerReferences:
|
||||
- apiVersion: apps/v1
|
||||
kind: Deploy
|
||||
name: ${OWNER_NAME}
|
||||
uid: ${OWNER_UID}
|
||||
stringData:
|
||||
agent-codefresh-token: ${1}
|
||||
EOF
|
||||
|
||||
}
|
||||
|
||||
OWNER_UID=$(kubectl get deploy ${OWNER_NAME} --namespace ${KUBE_NAMESPACE} -o jsonpath='{.metadata.uid}')
|
||||
echo "got owner uid: ${OWNER_UID}"
|
||||
|
||||
if [ ! -z "${AGENT_CODEFRESH_TOKEN}" ]; then
|
||||
echo "-----"
|
||||
echo "runtime and agent are already initialized"
|
||||
echo "-----"
|
||||
exit 0
|
||||
fi
|
||||
|
||||
if [ ! -z "${EXISTING_AGENT_CODEFRESH_TOKEN}" ]; then
|
||||
echo "using existing agentToken value"
|
||||
create_agent_secret $EXISTING_AGENT_CODEFRESH_TOKEN
|
||||
exit 0
|
||||
fi
|
||||
|
||||
if [ -z "${USER_CODEFRESH_TOKEN}" ]; then
|
||||
echo "-----"
|
||||
echo "missing codefresh user token. must supply \".global.codefreshToken\" if agent-codefresh-token does not exist"
|
||||
echo "-----"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
codefresh auth create-context --api-key ${USER_CODEFRESH_TOKEN} --url ${API_HOST}
|
||||
|
||||
# AGENT_TOKEN might be empty, in which case it will be returned by the call
|
||||
RES=$(codefresh install agent \
|
||||
--name ${AGENT_NAME} \
|
||||
--kube-context-name ${KUBE_CONTEXT} \
|
||||
--kube-namespace ${KUBE_NAMESPACE} \
|
||||
--agent-kube-namespace ${KUBE_NAMESPACE} \
|
||||
--install-runtime \
|
||||
--runtime-name ${RUNTIME_NAME} \
|
||||
--skip-cluster-creation \
|
||||
--platform-only)
|
||||
|
||||
AGENT_CODEFRESH_TOKEN=$(echo "${RES}" | tail -n 1)
|
||||
echo "generated agent + runtime in platform"
|
||||
|
||||
create_agent_secret $AGENT_CODEFRESH_TOKEN
|
||||
|
||||
echo "-----"
|
||||
echo "done initializing runtime and agent"
|
||||
echo "-----"
|
||||
|
|
@ -0,0 +1,38 @@
|
|||
#!/bin/bash
|
||||
|
||||
echo "-----"
|
||||
echo "API_HOST: ${API_HOST}"
|
||||
echo "KUBE_CONTEXT: ${KUBE_CONTEXT}"
|
||||
echo "KUBE_NAMESPACE: ${KUBE_NAMESPACE}"
|
||||
echo "OWNER_NAME: ${OWNER_NAME}"
|
||||
echo "RUNTIME_NAME: ${RUNTIME_NAME}"
|
||||
echo "CONFIGMAP_NAME: ${CONFIGMAP_NAME}"
|
||||
echo "RECONCILE_INTERVAL: ${RECONCILE_INTERVAL}"
|
||||
echo "-----"
|
||||
|
||||
msg() { echo -e "\e[32mINFO ---> $1\e[0m"; }
|
||||
err() { echo -e "\e[31mERR ---> $1\e[0m" ; return 1; }
|
||||
|
||||
|
||||
if [ -z "${USER_CODEFRESH_TOKEN}" ]; then
|
||||
err "missing codefresh user token. must supply \".global.codefreshToken\" if agent-codefresh-token does not exist"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
codefresh auth create-context --api-key ${USER_CODEFRESH_TOKEN} --url ${API_HOST}
|
||||
|
||||
while true; do
|
||||
msg "Reconciling ${RUNTIME_NAME} runtime"
|
||||
|
||||
sleep $RECONCILE_INTERVAL
|
||||
|
||||
codefresh get re \
|
||||
--name ${RUNTIME_NAME} \
|
||||
-o yaml \
|
||||
| yq 'del(.version, .metadata.changedBy, .metadata.creationTime)' > /tmp/runtime.yaml
|
||||
|
||||
kubectl get cm ${CONFIGMAP_NAME} -n ${KUBE_NAMESPACE} -o yaml \
|
||||
| yq 'del(.metadata.resourceVersion, .metadata.uid)' \
|
||||
| yq eval '.data["runtime.yaml"] = load_str("/tmp/runtime.yaml")' \
|
||||
| kubectl apply -f -
|
||||
done
|
||||
|
|
@ -0,0 +1,70 @@
|
|||
{{- define "app-proxy.resources.deployment" -}}
|
||||
{{ $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }}
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: {{ include "app-proxy.fullname" . }}
|
||||
labels:
|
||||
{{- include "app-proxy.labels" . | nindent 4 }}
|
||||
spec:
|
||||
replicas: {{ .Values.replicasCount }}
|
||||
strategy:
|
||||
type: {{ .Values.updateStrategy.type }}
|
||||
selector:
|
||||
matchLabels:
|
||||
{{- include "app-proxy.selectorLabels" . | nindent 6 }}
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
{{- include "app-proxy.selectorLabels" . | nindent 8 }}
|
||||
{{- with .Values.podAnnotations }}
|
||||
annotations:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
{{- include (printf "%s.image.pullSecrets" $cfCommonTplSemver ) . | nindent 8 }}
|
||||
serviceAccountName: {{ include "app-proxy.serviceAccountName" . }}
|
||||
{{- if .Values.podSecurityContext.enabled }}
|
||||
securityContext: {{- omit .Values.podSecurityContext "enabled" | toYaml | nindent 8 }}
|
||||
{{- end }}
|
||||
containers:
|
||||
- name: app-proxy
|
||||
image: {{ include (printf "%s.image.name" $cfCommonTplSemver ) (dict "image" .Values.image "context" .) }}
|
||||
imagePullPolicy: {{ .Values.image.pullPolicy | default "Always" }}
|
||||
env:
|
||||
{{- include "app-proxy.environment-variables" . | nindent 8 }}
|
||||
ports:
|
||||
- name: http
|
||||
containerPort: 3000
|
||||
readinessProbe:
|
||||
initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }}
|
||||
periodSeconds: {{ .Values.readinessProbe.periodSeconds }}
|
||||
timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds }}
|
||||
successThreshold: {{ .Values.readinessProbe.successThreshold }}
|
||||
failureThreshold: {{ .Values.readinessProbe.failureThreshold }}
|
||||
httpGet:
|
||||
path: /health
|
||||
port: http
|
||||
resources:
|
||||
{{- toYaml .Values.resources | nindent 12 }}
|
||||
volumeMounts:
|
||||
{{- with .Values.extraVolumeMounts }}
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.nodeSelector }}
|
||||
nodeSelector:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.affinity }}
|
||||
affinity:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.tolerations }}
|
||||
tolerations:
|
||||
{{- toYaml . | nindent 6 }}
|
||||
{{- end }}
|
||||
volumes:
|
||||
{{- with .Values.extraVolumes }}
|
||||
{{- toYaml . | nindent 6 }}
|
||||
{{- end }}
|
||||
{{- end -}}
|
||||
|
|
@ -0,0 +1,19 @@
|
|||
{{- define "app-proxy.environment-variables.defaults" }}
|
||||
PORT: 3000
|
||||
{{- end }}
|
||||
|
||||
{{- define "app-proxy.environment-variables.calculated" }}
|
||||
CODEFRESH_HOST: {{ include "runtime.runtime-environment-spec.codefresh-host" . }}
|
||||
{{- with .Values.ingress.pathPrefix }}
|
||||
API_PATH_PREFIX: {{ . | quote }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
{{- define "app-proxy.environment-variables" }}
|
||||
{{- $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }}
|
||||
{{- $defaults := (include "app-proxy.environment-variables.defaults" . | fromYaml) }}
|
||||
{{- $calculated := (include "app-proxy.environment-variables.calculated" . | fromYaml) }}
|
||||
{{- $overrides := .Values.env }}
|
||||
{{- $mergedValues := mergeOverwrite (merge $defaults $calculated) $overrides }}
|
||||
{{- include (printf "%s.env-vars" $cfCommonTplSemver) (dict "Values" $mergedValues "context" .) }}
|
||||
{{- end }}
|
||||
|
|
@ -0,0 +1,43 @@
|
|||
{{/*
|
||||
Expand the name of the chart.
|
||||
*/}}
|
||||
{{- define "app-proxy.name" -}}
|
||||
{{- printf "%s-%s" (include "cf-runtime.name" .) "app-proxy" | trunc 63 | trimSuffix "-" }}
|
||||
{{- end }}
|
||||
|
||||
{{/*
|
||||
Create a default fully qualified app name.
|
||||
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
|
||||
If release name contains chart name it will be used as a full name.
|
||||
*/}}
|
||||
{{- define "app-proxy.fullname" -}}
|
||||
{{- printf "%s-%s" (include "cf-runtime.fullname" .) "app-proxy" | trunc 63 | trimSuffix "-" }}
|
||||
{{- end }}
|
||||
|
||||
{{/*
|
||||
Common labels
|
||||
*/}}
|
||||
{{- define "app-proxy.labels" -}}
|
||||
{{ include "cf-runtime.labels" . }}
|
||||
codefresh.io/application: app-proxy
|
||||
{{- end }}
|
||||
|
||||
{{/*
|
||||
Selector labels
|
||||
*/}}
|
||||
{{- define "app-proxy.selectorLabels" -}}
|
||||
{{ include "cf-runtime.selectorLabels" . }}
|
||||
codefresh.io/application: app-proxy
|
||||
{{- end }}
|
||||
|
||||
|
||||
{{/*
|
||||
Create the name of the service account to use
|
||||
*/}}
|
||||
{{- define "app-proxy.serviceAccountName" -}}
|
||||
{{- if .Values.serviceAccount.create }}
|
||||
{{- default (include "app-proxy.fullname" .) .Values.serviceAccount.name }}
|
||||
{{- else }}
|
||||
{{- default "default" .Values.serviceAccount.name }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
|
@ -0,0 +1,32 @@
|
|||
{{- define "app-proxy.resources.ingress" -}}
|
||||
apiVersion: networking.k8s.io/v1
|
||||
kind: Ingress
|
||||
metadata:
|
||||
name: {{ include "app-proxy.fullname" . }}
|
||||
labels: {{- include "app-proxy.labels" . | nindent 4 }}
|
||||
{{- with .Values.ingress.annotations }}
|
||||
annotations:
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
{{- if and .Values.ingress.class (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }}
|
||||
ingressClassName: {{ .Values.ingress.class }}
|
||||
{{- end }}
|
||||
{{- if .Values.ingress.tlsSecret }}
|
||||
tls:
|
||||
- hosts:
|
||||
- {{ .Values.ingress.host }}
|
||||
secretName: {{ .Values.tlsSecret }}
|
||||
{{- end }}
|
||||
rules:
|
||||
- host: {{ .Values.ingress.host }}
|
||||
http:
|
||||
paths:
|
||||
- path: {{ .Values.ingress.pathPrefix | default "/" }}
|
||||
pathType: ImplementationSpecific
|
||||
backend:
|
||||
service:
|
||||
name: {{ include "app-proxy.fullname" . }}
|
||||
port:
|
||||
number: 80
|
||||
{{- end -}}
|
||||
|
|
@ -0,0 +1,47 @@
|
|||
{{- define "app-proxy.resources.rbac" -}}
|
||||
{{- if .Values.serviceAccount.create }}
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: {{ include "app-proxy.serviceAccountName" . }}
|
||||
labels:
|
||||
{{- include "app-proxy.labels" . | nindent 4 }}
|
||||
{{- with .Values.serviceAccount.annotations }}
|
||||
annotations:
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
---
|
||||
{{- if .Values.rbac.create }}
|
||||
kind: {{ .Values.rbac.namespaced | ternary "Role" "ClusterRole" }}
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
metadata:
|
||||
name: {{ include "app-proxy.fullname" . }}
|
||||
labels:
|
||||
{{- include "app-proxy.labels" . | nindent 4 }}
|
||||
rules:
|
||||
- apiGroups: [ "" ]
|
||||
resources: [ "secrets" ]
|
||||
verbs: [ "get" ]
|
||||
{{- with .Values.rbac.rules }}
|
||||
{{ toYaml . | nindent 2 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
---
|
||||
{{- if and .Values.serviceAccount.create .Values.rbac.create }}
|
||||
kind: {{ .Values.rbac.namespaced | ternary "RoleBinding" "ClusterRoleBinding" }}
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
metadata:
|
||||
name: {{ include "app-proxy.fullname" . }}
|
||||
labels:
|
||||
{{- include "app-proxy.labels" . | nindent 4 }}
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: {{ include "app-proxy.serviceAccountName" . }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
roleRef:
|
||||
kind: Role
|
||||
name: {{ include "app-proxy.fullname" . }}
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
{{- end }}
|
||||
{{- end -}}
|
||||
|
|
@ -0,0 +1,17 @@
|
|||
{{- define "app-proxy.resources.service" -}}
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: {{ include "app-proxy.fullname" . }}
|
||||
labels:
|
||||
{{- include "app-proxy.labels" . | nindent 4 }}
|
||||
spec:
|
||||
type: ClusterIP
|
||||
ports:
|
||||
- name: http
|
||||
port: 80
|
||||
protocol: TCP
|
||||
targetPort: 3000
|
||||
selector:
|
||||
{{- include "app-proxy.selectorLabels" . | nindent 4 }}
|
||||
{{- end -}}
|
||||
|
|
@ -0,0 +1,62 @@
|
|||
{{- define "event-exporter.resources.deployment" -}}
|
||||
{{ $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }}
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: {{ include "event-exporter.fullname" . }}
|
||||
labels:
|
||||
{{- include "event-exporter.labels" . | nindent 4 }}
|
||||
spec:
|
||||
replicas: {{ .Values.replicasCount }}
|
||||
strategy:
|
||||
type: {{ .Values.updateStrategy.type }}
|
||||
selector:
|
||||
matchLabels:
|
||||
{{- include "event-exporter.selectorLabels" . | nindent 6 }}
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
{{- include "event-exporter.selectorLabels" . | nindent 8 }}
|
||||
{{- with .Values.podAnnotations }}
|
||||
annotations:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
{{- include (printf "%s.image.pullSecrets" $cfCommonTplSemver ) . | nindent 8 }}
|
||||
serviceAccountName: {{ include "event-exporter.serviceAccountName" . }}
|
||||
{{- if .Values.podSecurityContext.enabled }}
|
||||
securityContext: {{- omit .Values.podSecurityContext "enabled" | toYaml | nindent 8 }}
|
||||
{{- end }}
|
||||
containers:
|
||||
- name: event-exporter
|
||||
image: {{ include (printf "%s.image.name" $cfCommonTplSemver ) (dict "image" .Values.image "context" .) }}
|
||||
imagePullPolicy: {{ .Values.image.pullPolicy | default "Always" }}
|
||||
args: [--running-in-cluster=true]
|
||||
env:
|
||||
{{- include "event-exporter.environment-variables" . | nindent 8 }}
|
||||
ports:
|
||||
- name: metrics
|
||||
containerPort: 9102
|
||||
resources:
|
||||
{{- toYaml .Values.resources | nindent 12 }}
|
||||
volumeMounts:
|
||||
{{- with .Values.extraVolumeMounts }}
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.nodeSelector }}
|
||||
nodeSelector:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.affinity }}
|
||||
affinity:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.tolerations }}
|
||||
tolerations:
|
||||
{{- toYaml . | nindent 6 }}
|
||||
{{- end }}
|
||||
volumes:
|
||||
{{- with .Values.extraVolumes }}
|
||||
{{- toYaml . | nindent 6 }}
|
||||
{{- end }}
|
||||
{{- end -}}
|
||||
|
|
@ -0,0 +1,14 @@
|
|||
{{- define "event-exporter.environment-variables.defaults" }}
|
||||
{{- end }}
|
||||
|
||||
{{- define "event-exporter.environment-variables.calculated" }}
|
||||
{{- end }}
|
||||
|
||||
{{- define "event-exporter.environment-variables" }}
|
||||
{{- $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }}
|
||||
{{- $defaults := (include "event-exporter.environment-variables.defaults" . | fromYaml) }}
|
||||
{{- $calculated := (include "event-exporter.environment-variables.calculated" . | fromYaml) }}
|
||||
{{- $overrides := .Values.env }}
|
||||
{{- $mergedValues := mergeOverwrite (merge $defaults $calculated) $overrides }}
|
||||
{{- include (printf "%s.env-vars" $cfCommonTplSemver) (dict "Values" $mergedValues "context" .) }}
|
||||
{{- end }}
|
||||
|
|
@ -0,0 +1,43 @@
|
|||
{{/*
|
||||
Expand the name of the chart.
|
||||
*/}}
|
||||
{{- define "event-exporter.name" -}}
|
||||
{{- printf "%s-%s" (include "cf-runtime.name" .) "event-exporter" | trunc 63 | trimSuffix "-" }}
|
||||
{{- end }}
|
||||
|
||||
{{/*
|
||||
Create a default fully qualified app name.
|
||||
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
|
||||
If release name contains chart name it will be used as a full name.
|
||||
*/}}
|
||||
{{- define "event-exporter.fullname" -}}
|
||||
{{- printf "%s-%s" (include "cf-runtime.fullname" .) "event-exporter" | trunc 63 | trimSuffix "-" }}
|
||||
{{- end }}
|
||||
|
||||
{{/*
|
||||
Common labels
|
||||
*/}}
|
||||
{{- define "event-exporter.labels" -}}
|
||||
{{ include "cf-runtime.labels" . }}
|
||||
app: event-exporter
|
||||
{{- end }}
|
||||
|
||||
{{/*
|
||||
Selector labels
|
||||
*/}}
|
||||
{{- define "event-exporter.selectorLabels" -}}
|
||||
{{ include "cf-runtime.selectorLabels" . }}
|
||||
app: event-exporter
|
||||
{{- end }}
|
||||
|
||||
|
||||
{{/*
|
||||
Create the name of the service account to use
|
||||
*/}}
|
||||
{{- define "event-exporter.serviceAccountName" -}}
|
||||
{{- if .Values.serviceAccount.create }}
|
||||
{{- default (include "event-exporter.fullname" .) .Values.serviceAccount.name }}
|
||||
{{- else }}
|
||||
{{- default "default" .Values.serviceAccount.name }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
|
@ -0,0 +1,47 @@
|
|||
{{- define "event-exporter.resources.rbac" -}}
|
||||
{{- if .Values.serviceAccount.create }}
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: {{ include "event-exporter.serviceAccountName" . }}
|
||||
labels:
|
||||
{{- include "event-exporter.labels" . | nindent 4 }}
|
||||
{{- with .Values.serviceAccount.annotations }}
|
||||
annotations:
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
---
|
||||
{{- if .Values.rbac.create }}
|
||||
kind: ClusterRole
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
metadata:
|
||||
name: {{ include "event-exporter.fullname" . }}
|
||||
labels:
|
||||
{{- include "event-exporter.labels" . | nindent 4 }}
|
||||
rules:
|
||||
- apiGroups: [""]
|
||||
resources: [events]
|
||||
verbs: [get, list, watch]
|
||||
{{- with .Values.rbac.rules }}
|
||||
{{ toYaml . | nindent 2 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
---
|
||||
{{- if and .Values.serviceAccount.create .Values.rbac.create }}
|
||||
kind: ClusterRoleBinding
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
metadata:
|
||||
name: {{ include "event-exporter.fullname" . }}
|
||||
labels:
|
||||
{{- include "event-exporter.labels" . | nindent 4 }}
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: {{ include "event-exporter.serviceAccountName" . }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
roleRef:
|
||||
kind: ClusterRole
|
||||
name: {{ include "event-exporter.fullname" . }}
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
{{- end }}
|
||||
{{- end -}}
|
||||
|
|
@ -0,0 +1,17 @@
|
|||
{{- define "event-exporter.resources.service" -}}
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: {{ include "event-exporter.fullname" . }}
|
||||
labels:
|
||||
{{- include "event-exporter.labels" . | nindent 4 }}
|
||||
spec:
|
||||
type: ClusterIP
|
||||
ports:
|
||||
- name: metrics
|
||||
port: 9102
|
||||
targetPort: metrics
|
||||
protocol: TCP
|
||||
selector:
|
||||
{{- include "event-exporter.selectorLabels" . | nindent 4 }}
|
||||
{{- end -}}
|
||||
|
|
@ -0,0 +1,14 @@
|
|||
{{- define "event-exporter.resources.serviceMonitor" -}}
|
||||
apiVersion: monitoring.coreos.com/v1
|
||||
kind: ServiceMonitor
|
||||
metadata:
|
||||
name: {{ include "event-exporter.fullname" . }}
|
||||
labels:
|
||||
{{- include "event-exporter.labels" . | nindent 4 }}
|
||||
spec:
|
||||
endpoints:
|
||||
- port: metrics
|
||||
selector:
|
||||
matchLabels:
|
||||
{{- include "event-exporter.selectorLabels" . | nindent 6 }}
|
||||
{{- end -}}
|
||||
|
|
@ -0,0 +1,70 @@
|
|||
{{- define "monitor.resources.deployment" -}}
|
||||
{{ $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }}
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: {{ include "monitor.fullname" . }}
|
||||
labels:
|
||||
{{- include "monitor.labels" . | nindent 4 }}
|
||||
spec:
|
||||
replicas: {{ .Values.replicasCount }}
|
||||
strategy:
|
||||
type: {{ .Values.updateStrategy.type }}
|
||||
selector:
|
||||
matchLabels:
|
||||
{{- include "monitor.selectorLabels" . | nindent 6 }}
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
{{- include "monitor.selectorLabels" . | nindent 8 }}
|
||||
{{- with .Values.podAnnotations }}
|
||||
annotations:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
{{- include (printf "%s.image.pullSecrets" $cfCommonTplSemver ) . | nindent 8 }}
|
||||
serviceAccountName: {{ include "monitor.serviceAccountName" . }}
|
||||
{{- if .Values.podSecurityContext.enabled }}
|
||||
securityContext: {{- omit .Values.podSecurityContext "enabled" | toYaml | nindent 8 }}
|
||||
{{- end }}
|
||||
containers:
|
||||
- name: monitor
|
||||
image: {{ include (printf "%s.image.name" $cfCommonTplSemver ) (dict "image" .Values.image "context" .) }}
|
||||
imagePullPolicy: {{ .Values.image.pullPolicy | default "Always" }}
|
||||
env:
|
||||
{{- include "monitor.environment-variables" . | nindent 8 }}
|
||||
ports:
|
||||
- name: http
|
||||
containerPort: 9020
|
||||
readinessProbe:
|
||||
initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }}
|
||||
periodSeconds: {{ .Values.readinessProbe.periodSeconds }}
|
||||
timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds }}
|
||||
successThreshold: {{ .Values.readinessProbe.successThreshold }}
|
||||
failureThreshold: {{ .Values.readinessProbe.failureThreshold }}
|
||||
httpGet:
|
||||
path: /api/ping
|
||||
port: 9020
|
||||
resources:
|
||||
{{- toYaml .Values.resources | nindent 12 }}
|
||||
volumeMounts:
|
||||
{{- with .Values.extraVolumeMounts }}
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.nodeSelector }}
|
||||
nodeSelector:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.affinity }}
|
||||
affinity:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.tolerations }}
|
||||
tolerations:
|
||||
{{- toYaml . | nindent 6 }}
|
||||
{{- end }}
|
||||
volumes:
|
||||
{{- with .Values.extraVolumes }}
|
||||
{{- toYaml . | nindent 6 }}
|
||||
{{- end }}
|
||||
{{- end -}}
|
||||
|
|
@ -0,0 +1,26 @@
|
|||
{{- define "monitor.environment-variables.defaults" }}
|
||||
SERVICE_NAME: {{ include "monitor.fullname" . }}
|
||||
PORT: 9020
|
||||
HELM3: true
|
||||
NODE_OPTIONS: "--max_old_space_size=4096"
|
||||
{{- end }}
|
||||
|
||||
{{- define "monitor.environment-variables.calculated" }}
|
||||
API_TOKEN: {{ include "runtime.installation-token-env-var-value" . | nindent 2 }}
|
||||
CLUSTER_ID: {{ include "runtime.runtime-environment-spec.context-name" . }}
|
||||
API_URL: {{ include "runtime.runtime-environment-spec.codefresh-host" . }}/api/k8s-monitor/events
|
||||
ACCOUNT_ID: {{ .Values.global.accountId }}
|
||||
NAMESPACE: {{ .Release.Namespace }}
|
||||
{{- if .Values.rbac.namespaced }}
|
||||
ROLE_BINDING: true
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
{{- define "monitor.environment-variables" }}
|
||||
{{- $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }}
|
||||
{{- $defaults := (include "monitor.environment-variables.defaults" . | fromYaml) }}
|
||||
{{- $calculated := (include "monitor.environment-variables.calculated" . | fromYaml) }}
|
||||
{{- $overrides := .Values.env }}
|
||||
{{- $mergedValues := mergeOverwrite (merge $defaults $calculated) $overrides }}
|
||||
{{- include (printf "%s.env-vars" $cfCommonTplSemver) (dict "Values" $mergedValues "context" .) }}
|
||||
{{- end }}
|
||||
|
|
@ -0,0 +1,42 @@
|
|||
{{/*
|
||||
Expand the name of the chart.
|
||||
*/}}
|
||||
{{- define "monitor.name" -}}
|
||||
{{- printf "%s-%s" (include "cf-runtime.name" .) "monitor" | trunc 63 | trimSuffix "-" }}
|
||||
{{- end }}
|
||||
|
||||
{{/*
|
||||
Create a default fully qualified app name.
|
||||
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
|
||||
If release name contains chart name it will be used as a full name.
|
||||
*/}}
|
||||
{{- define "monitor.fullname" -}}
|
||||
{{- printf "%s-%s" (include "cf-runtime.fullname" .) "monitor" | trunc 63 | trimSuffix "-" }}
|
||||
{{- end }}
|
||||
|
||||
{{/*
|
||||
Common labels
|
||||
*/}}
|
||||
{{- define "monitor.labels" -}}
|
||||
{{ include "cf-runtime.labels" . }}
|
||||
codefresh.io/application: monitor
|
||||
{{- end }}
|
||||
|
||||
{{/*
|
||||
Selector labels
|
||||
*/}}
|
||||
{{- define "monitor.selectorLabels" -}}
|
||||
{{ include "cf-runtime.selectorLabels" . }}
|
||||
codefresh.io/application: monitor
|
||||
{{- end }}
|
||||
|
||||
{{/*
|
||||
Create the name of the service account to use
|
||||
*/}}
|
||||
{{- define "monitor.serviceAccountName" -}}
|
||||
{{- if .Values.serviceAccount.create }}
|
||||
{{- default (include "monitor.fullname" .) .Values.serviceAccount.name }}
|
||||
{{- else }}
|
||||
{{- default "default" .Values.serviceAccount.name }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
|
@ -0,0 +1,56 @@
|
|||
{{- define "monitor.resources.rbac" -}}
|
||||
{{- if .Values.serviceAccount.create }}
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: {{ include "monitor.serviceAccountName" . }}
|
||||
labels:
|
||||
{{- include "monitor.labels" . | nindent 4 }}
|
||||
{{- with .Values.serviceAccount.annotations }}
|
||||
annotations:
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
---
|
||||
{{- if .Values.rbac.create }}
|
||||
kind: {{ .Values.rbac.namespaced | ternary "Role" "ClusterRole" }}
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
metadata:
|
||||
name: {{ include "monitor.fullname" . }}
|
||||
labels:
|
||||
{{- include "monitor.labels" . | nindent 4 }}
|
||||
rules:
|
||||
- apiGroups: [ "" ]
|
||||
resources: [ "*" ]
|
||||
verbs: [ "get", "list", "watch", "create", "delete" ]
|
||||
- apiGroups: [ "" ]
|
||||
resources: [ "pods" ]
|
||||
verbs: [ "get", "list", "watch", "create", "deletecollection" ]
|
||||
- apiGroups: [ "extensions" ]
|
||||
resources: [ "*" ]
|
||||
verbs: [ "get", "list", "watch" ]
|
||||
- apiGroups: [ "apps" ]
|
||||
resources: [ "*" ]
|
||||
verbs: [ "get", "list", "watch" ]
|
||||
{{- with .Values.rbac.rules }}
|
||||
{{ toYaml . | nindent 2 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
---
|
||||
{{- if and .Values.serviceAccount.create .Values.rbac.create }}
|
||||
kind: {{ .Values.rbac.namespaced | ternary "RoleBinding" "ClusterRoleBinding" }}
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
metadata:
|
||||
name: {{ include "monitor.fullname" . }}
|
||||
labels:
|
||||
{{- include "monitor.labels" . | nindent 4 }}
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: {{ include "monitor.serviceAccountName" . }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
roleRef:
|
||||
kind: {{ .Values.rbac.namespaced | ternary "Role" "ClusterRole" }}
|
||||
name: {{ include "monitor.fullname" . }}
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
{{- end }}
|
||||
{{- end -}}
|
||||
|
|
@ -0,0 +1,17 @@
|
|||
{{- define "monitor.resources.service" -}}
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: {{ include "monitor.fullname" . }}
|
||||
labels:
|
||||
{{- include "monitor.labels" . | nindent 4 }}
|
||||
spec:
|
||||
type: ClusterIP
|
||||
ports:
|
||||
- name: http
|
||||
port: 80
|
||||
protocol: TCP
|
||||
targetPort: 9020
|
||||
selector:
|
||||
{{- include "monitor.selectorLabels" . | nindent 4 }}
|
||||
{{- end -}}
|
||||
|
|
@ -0,0 +1,103 @@
|
|||
{{- define "runner.resources.deployment" -}}
|
||||
{{ $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }}
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: {{ include "runner.fullname" . }}
|
||||
labels:
|
||||
{{- include "runner.labels" . | nindent 4 }}
|
||||
spec:
|
||||
replicas: {{ .Values.replicasCount }}
|
||||
strategy:
|
||||
type: {{ .Values.updateStrategy.type }}
|
||||
selector:
|
||||
matchLabels:
|
||||
{{- include "runner.selectorLabels" . | nindent 6 }}
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
{{- include "runner.selectorLabels" . | nindent 8 }}
|
||||
{{- with .Values.podAnnotations }}
|
||||
annotations:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
{{- include (printf "%s.image.pullSecrets" $cfCommonTplSemver ) . | nindent 8 }}
|
||||
serviceAccountName: {{ include "runner.serviceAccountName" . }}
|
||||
{{- if .Values.podSecurityContext.enabled }}
|
||||
securityContext: {{- omit .Values.podSecurityContext "enabled" | toYaml | nindent 8 }}
|
||||
{{- end }}
|
||||
initContainers:
|
||||
- name: init
|
||||
image: {{ include (printf "%s.image.name" $cfCommonTplSemver ) (dict "image" .Values.init.image "context" .) }}
|
||||
imagePullPolicy: {{ .Values.init.image.pullPolicy | default "IfNotPresent" }}
|
||||
command:
|
||||
- /bin/bash
|
||||
args:
|
||||
- -ec
|
||||
- | {{ .Files.Get "files/init-runtime.sh" | nindent 10 }}
|
||||
env:
|
||||
{{- include "runner-init.environment-variables" . | nindent 8 }}
|
||||
{{- with .Values.init.resources }}
|
||||
resources:
|
||||
{{- toYaml . | nindent 10 }}
|
||||
{{- end }}
|
||||
containers:
|
||||
- name: runner
|
||||
image: {{ include (printf "%s.image.name" $cfCommonTplSemver ) (dict "image" .Values.image "context" .) }}
|
||||
imagePullPolicy: {{ .Values.image.pullPolicy | default "IfNotPresent" }}
|
||||
env:
|
||||
{{- include "runner.environment-variables" . | nindent 8 }}
|
||||
ports:
|
||||
- name: http
|
||||
containerPort: 8080
|
||||
readinessProbe:
|
||||
initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }}
|
||||
periodSeconds: {{ .Values.readinessProbe.periodSeconds }}
|
||||
timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds }}
|
||||
successThreshold: {{ .Values.readinessProbe.successThreshold }}
|
||||
failureThreshold: {{ .Values.readinessProbe.failureThreshold }}
|
||||
httpGet:
|
||||
path: /health
|
||||
port: http
|
||||
{{- with .Values.resources }}
|
||||
resources:
|
||||
{{- toYaml . | nindent 10 }}
|
||||
{{- end }}
|
||||
{{- with .Values.extraVolumeMounts }}
|
||||
volumeMounts:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- if .Values.sidecar.enabled }}
|
||||
- name: reconcile-runtime
|
||||
image: {{ include (printf "%s.image.name" $cfCommonTplSemver ) (dict "image" .Values.sidecar.image "context" .) }}
|
||||
imagePullPolicy: {{ .Values.sidecar.image.pullPolicy | default "IfNotPresent" }}
|
||||
command:
|
||||
- /bin/bash
|
||||
args:
|
||||
- -ec
|
||||
- | {{ .Files.Get "files/reconcile-runtime.sh" | nindent 10 }}
|
||||
env:
|
||||
{{- include "runner-sidecar.environment-variables" . | nindent 8 }}
|
||||
{{- with .Values.sidecar.resources }}
|
||||
resources:
|
||||
{{- toYaml . | nindent 10 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- with .Values.nodeSelector }}
|
||||
nodeSelector:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.affinity }}
|
||||
affinity:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.tolerations }}
|
||||
tolerations:
|
||||
{{- toYaml . | nindent 6 }}
|
||||
{{- end }}
|
||||
{{- with .Values.extraVolumes }}
|
||||
volumes:
|
||||
{{- toYaml . | nindent 6 }}
|
||||
{{- end }}
|
||||
{{- end -}}
|
||||
|
|
@ -0,0 +1,42 @@
|
|||
{{/*
|
||||
Expand the name of the chart.
|
||||
*/}}
|
||||
{{- define "runner.name" -}}
|
||||
{{- printf "%s-%s" (include "cf-runtime.name" .) "runner" | trunc 63 | trimSuffix "-" }}
|
||||
{{- end }}
|
||||
|
||||
{{/*
|
||||
Create a default fully qualified app name.
|
||||
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
|
||||
If release name contains chart name it will be used as a full name.
|
||||
*/}}
|
||||
{{- define "runner.fullname" -}}
|
||||
{{- printf "%s-%s" (include "cf-runtime.fullname" .) "runner" | trunc 63 | trimSuffix "-" }}
|
||||
{{- end }}
|
||||
|
||||
{{/*
|
||||
Common labels
|
||||
*/}}
|
||||
{{- define "runner.labels" -}}
|
||||
{{ include "cf-runtime.labels" . }}
|
||||
codefresh.io/application: runner
|
||||
{{- end }}
|
||||
|
||||
{{/*
|
||||
Selector labels
|
||||
*/}}
|
||||
{{- define "runner.selectorLabels" -}}
|
||||
{{ include "cf-runtime.selectorLabels" . }}
|
||||
codefresh.io/application: runner
|
||||
{{- end }}
|
||||
|
||||
{{/*
|
||||
Create the name of the service account to use
|
||||
*/}}
|
||||
{{- define "runner.serviceAccountName" -}}
|
||||
{{- if .Values.serviceAccount.create }}
|
||||
{{- default (include "runner.fullname" .) .Values.serviceAccount.name }}
|
||||
{{- else }}
|
||||
{{- default "default" .Values.serviceAccount.name }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
|
@ -0,0 +1,53 @@
|
|||
{{- define "runner.resources.rbac" -}}
|
||||
{{- if .Values.serviceAccount.create }}
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: {{ include "runner.serviceAccountName" . }}
|
||||
labels:
|
||||
{{- include "runner.labels" . | nindent 4 }}
|
||||
{{- with .Values.serviceAccount.annotations }}
|
||||
annotations:
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
---
|
||||
{{- if .Values.rbac.create }}
|
||||
kind: Role
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
metadata:
|
||||
name: {{ include "runner.fullname" . }}
|
||||
labels:
|
||||
{{- include "runner.labels" . | nindent 4 }}
|
||||
rules:
|
||||
- apiGroups: [ "" ]
|
||||
resources: [ "pods", "persistentvolumeclaims" ]
|
||||
verbs: [ "get", "create", "delete", patch ]
|
||||
- apiGroups: [ "" ]
|
||||
resources: [ "configmaps", "secrets" ]
|
||||
verbs: [ "get", "create", "update", patch ]
|
||||
- apiGroups: [ "apps" ]
|
||||
resources: [ "deployments" ]
|
||||
verbs: [ "get" ]
|
||||
{{- with .Values.rbac.rules }}
|
||||
{{ toYaml . | nindent 2 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
---
|
||||
{{- if and .Values.serviceAccount.create .Values.rbac.create }}
|
||||
kind: RoleBinding
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
metadata:
|
||||
name: {{ include "runner.fullname" . }}
|
||||
labels:
|
||||
{{- include "runner.labels" . | nindent 4 }}
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: {{ include "runner.serviceAccountName" . }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
roleRef:
|
||||
kind: Role
|
||||
name: {{ include "runner.fullname" . }}
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
{{- end }}
|
||||
{{- end -}}
|
||||
|
|
@ -0,0 +1,30 @@
|
|||
{{- define "runner-init.environment-variables.defaults" }}
|
||||
HOME: /tmp
|
||||
{{- end }}
|
||||
|
||||
{{- define "runner-init.environment-variables.calculated" }}
|
||||
AGENT_NAME: {{ include "runtime.runtime-environment-spec.agent-name" . }}
|
||||
API_HOST: {{ include "runtime.runtime-environment-spec.codefresh-host" . }}
|
||||
AGENT_CODEFRESH_TOKEN:
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: {{ include "runner.fullname" . }}
|
||||
key: agent-codefresh-token
|
||||
optional: true
|
||||
EXISTING_AGENT_CODEFRESH_TOKEN: {{ include "runtime.agent-token-env-var-value" . | nindent 2 }}
|
||||
KUBE_CONTEXT: {{ include "runtime.runtime-environment-spec.context-name" . }}
|
||||
KUBE_NAMESPACE: {{ .Release.Namespace }}
|
||||
OWNER_NAME: {{ include "runner.fullname" . }}
|
||||
RUNTIME_NAME: {{ include "runtime.runtime-environment-spec.runtime-name" . }}
|
||||
SECRET_NAME: {{ include "runner.fullname" . }}
|
||||
USER_CODEFRESH_TOKEN: {{ include "runtime.installation-token-env-var-value" . | nindent 2 }}
|
||||
{{- end }}
|
||||
|
||||
{{- define "runner-init.environment-variables" }}
|
||||
{{- $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }}
|
||||
{{- $defaults := (include "runner-init.environment-variables.defaults" . | fromYaml) }}
|
||||
{{- $calculated := (include "runner-init.environment-variables.calculated" . | fromYaml) }}
|
||||
{{- $overrides := .Values.env }}
|
||||
{{- $mergedValues := mergeOverwrite (merge $defaults $calculated) $overrides }}
|
||||
{{- include (printf "%s.env-vars" $cfCommonTplSemver) (dict "Values" $mergedValues "context" .) }}
|
||||
{{- end }}
|
||||
|
|
@ -0,0 +1,28 @@
|
|||
{{- define "runner.environment-variables.defaults" }}
|
||||
AGENT_MODE: InCluster
|
||||
SELF_DEPLOYMENT_NAME:
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: metadata.name
|
||||
{{- end }}
|
||||
|
||||
{{- define "runner.environment-variables.calculated" }}
|
||||
AGENT_ID: {{ include "runtime.runtime-environment-spec.agent-name" . }}
|
||||
CODEFRESH_HOST: {{ include "runtime.runtime-environment-spec.codefresh-host" . }}
|
||||
CODEFRESH_IN_CLUSTER_RUNTIME: {{ include "runtime.runtime-environment-spec.runtime-name" . }}
|
||||
CODEFRESH_TOKEN:
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: {{ include "runner.fullname" . }}
|
||||
key: agent-codefresh-token
|
||||
DOCKER_REGISTRY: {{ .Values.global.imageRegistry }}
|
||||
{{- end }}
|
||||
|
||||
{{- define "runner.environment-variables" }}
|
||||
{{- $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }}
|
||||
{{- $defaults := (include "runner.environment-variables.defaults" . | fromYaml) }}
|
||||
{{- $calculated := (include "runner.environment-variables.calculated" . | fromYaml) }}
|
||||
{{- $overrides := .Values.env }}
|
||||
{{- $mergedValues := mergeOverwrite (merge $defaults $calculated) $overrides }}
|
||||
{{- include (printf "%s.env-vars" $cfCommonTplSemver) (dict "Values" $mergedValues "context" .) }}
|
||||
{{- end }}
|
||||
|
|
@ -0,0 +1,22 @@
|
|||
{{- define "runner-sidecar.environment-variables.defaults" }}
|
||||
HOME: /tmp
|
||||
{{- end }}
|
||||
|
||||
{{- define "runner-sidecar.environment-variables.calculated" }}
|
||||
API_HOST: {{ include "runtime.runtime-environment-spec.codefresh-host" . }}
|
||||
USER_CODEFRESH_TOKEN: {{ include "runtime.installation-token-env-var-value" . | nindent 2 }}
|
||||
KUBE_CONTEXT: {{ include "runtime.runtime-environment-spec.context-name" . }}
|
||||
KUBE_NAMESPACE: {{ .Release.Namespace }}
|
||||
OWNER_NAME: {{ include "runner.fullname" . }}
|
||||
RUNTIME_NAME: {{ include "runtime.runtime-environment-spec.runtime-name" . }}
|
||||
CONFIGMAP_NAME: {{ printf "%s-%s" (include "runtime.fullname" .) "spec" }}
|
||||
{{- end }}
|
||||
|
||||
{{- define "runner-sidecar.environment-variables" }}
|
||||
{{- $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }}
|
||||
{{- $defaults := (include "runner-sidecar.environment-variables.defaults" . | fromYaml) }}
|
||||
{{- $calculated := (include "runner-sidecar.environment-variables.calculated" . | fromYaml) }}
|
||||
{{- $overrides := .Values.sidecar.env }}
|
||||
{{- $mergedValues := mergeOverwrite (merge $defaults $calculated) $overrides }}
|
||||
{{- include (printf "%s.env-vars" $cfCommonTplSemver) (dict "Values" $mergedValues "context" .) }}
|
||||
{{- end }}
|
||||
|
|
@ -0,0 +1,58 @@
|
|||
{{- define "dind-volume-provisioner.resources.cronjob" -}}
|
||||
{{ $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }}
|
||||
{{- if not (eq .Values.storage.backend "local") }}
|
||||
apiVersion: batch/v1
|
||||
kind: CronJob
|
||||
metadata:
|
||||
name: {{ include "dind-volume-cleanup.fullname" . }}
|
||||
labels:
|
||||
{{- include "dind-volume-cleanup.labels" . | nindent 4 }}
|
||||
spec:
|
||||
concurrencyPolicy: {{ .Values.concurrencyPolicy }}
|
||||
schedule: {{ .Values.schedule | quote }}
|
||||
successfulJobsHistoryLimit: {{ .Values.successfulJobsHistory }}
|
||||
failedJobsHistoryLimit: {{ .Values.failedJobsHistory }}
|
||||
{{- with .Values.suspend }}
|
||||
suspend: {{ . }}
|
||||
{{- end }}
|
||||
jobTemplate:
|
||||
spec:
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
{{- include "dind-volume-cleanup.selectorLabels" . | nindent 12 }}
|
||||
{{- with .Values.podAnnotations }}
|
||||
annotations:
|
||||
{{- toYaml . | nindent 12 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
{{- include (printf "%s.image.pullSecrets" $cfCommonTplSemver ) . | nindent 10 }}
|
||||
serviceAccountName: {{ include "dind-volume-provisioner.serviceAccountName" . }}
|
||||
{{- if .Values.podSecurityContext.enabled }}
|
||||
securityContext: {{- omit .Values.podSecurityContext "enabled" | toYaml | nindent 12 }}
|
||||
{{- end }}
|
||||
restartPolicy: {{ .Values.restartPolicy | default "Never" }}
|
||||
containers:
|
||||
- name: dind-volume-cleanup
|
||||
image: {{ include (printf "%s.image.name" $cfCommonTplSemver ) (dict "image" .Values.image "context" .) }}
|
||||
imagePullPolicy: {{ .Values.image.pullPolicy | default "Always" }}
|
||||
env:
|
||||
{{- include (printf "%s.env-vars" $cfCommonTplSemver) (dict "Values" .Values.env "context" .) | nindent 12 }}
|
||||
- name: PROVISIONED_BY
|
||||
value: {{ include "dind-volume-provisioner.volumeProvisionerName" . }}
|
||||
resources:
|
||||
{{- toYaml .Values.resources | nindent 14 }}
|
||||
{{- with .Values.nodeSelector }}
|
||||
nodeSelector:
|
||||
{{- toYaml . | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- with .Values.affinity }}
|
||||
affinity:
|
||||
{{- toYaml . | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- with .Values.tolerations }}
|
||||
tolerations:
|
||||
{{- toYaml . | nindent 10 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end -}}
|
||||
|
|
@ -0,0 +1,98 @@
|
|||
{{- define "dind-volume-provisioner.resources.daemonset" -}}
|
||||
{{ $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }}
|
||||
{{ $localVolumeParentDir := .Values.storage.local.volumeParentDir }}
|
||||
{{- if eq .Values.storage.backend "local" }}
|
||||
---
|
||||
apiVersion: apps/v1
|
||||
kind: DaemonSet
|
||||
metadata:
|
||||
name: {{ include "dind-lv-monitor.fullname" . }}
|
||||
labels:
|
||||
{{- include "dind-lv-monitor.labels" . | nindent 4 }}
|
||||
spec:
|
||||
selector:
|
||||
matchLabels:
|
||||
{{- include "dind-lv-monitor.selectorLabels" . | nindent 6 }}
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
{{- include "dind-lv-monitor.selectorLabels" . | nindent 8 }}
|
||||
{{- with .Values.podAnnotations }}
|
||||
annotations:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
{{- include (printf "%s.image.pullSecrets" $cfCommonTplSemver ) . | nindent 8 }}
|
||||
serviceAccountName: {{ include "dind-volume-provisioner.serviceAccountName" . }}
|
||||
{{- if .Values.podSecurityContext.enabled }}
|
||||
securityContext: {{- omit .Values.podSecurityContext "enabled" | toYaml | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- if .Values.volumePermissions.enabled }}
|
||||
initContainers:
|
||||
- name: volume-permissions
|
||||
image: {{ include (printf "%s.image.name" $cfCommonTplSemver ) (dict "image" .Values.volumePermissions.image "context" .) }}
|
||||
imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | default "Always" }}
|
||||
command:
|
||||
- /bin/sh
|
||||
args:
|
||||
- -ec
|
||||
- |
|
||||
chown -R {{ .Values.podSecurityContext.runAsUser }}:{{ .Values.podSecurityContext.fsGroup }} {{ $localVolumeParentDir }}
|
||||
volumeMounts:
|
||||
- mountPath: {{ $localVolumeParentDir }}
|
||||
name: dind-volume-dir
|
||||
{{- if eq ( toString ( .Values.volumePermissions.securityContext.runAsUser )) "auto" }}
|
||||
securityContext: {{- omit .Values.volumePermissions.securityContext "runAsUser" | toYaml | nindent 10 }}
|
||||
{{- else }}
|
||||
securityContext: {{- .Values.volumePermissions.securityContext | toYaml | nindent 10 }}
|
||||
{{- end }}
|
||||
resources:
|
||||
{{- toYaml .Values.volumePermissions.resources | nindent 10 }}
|
||||
{{- end }}
|
||||
containers:
|
||||
- name: dind-lv-monitor
|
||||
image: {{ include (printf "%s.image.name" $cfCommonTplSemver ) (dict "image" .Values.image "context" .) }}
|
||||
imagePullPolicy: {{ .Values.image.pullPolicy | default "Always" }}
|
||||
{{- if .Values.containerSecurityContext.enabled }}
|
||||
securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 10 }}
|
||||
{{- end }}
|
||||
command:
|
||||
- /home/dind-volume-utils/bin/local-volumes-agent
|
||||
env:
|
||||
{{- include (printf "%s.env-vars" $cfCommonTplSemver) (dict "Values" .Values.env "context" .) | nindent 10 }}
|
||||
- name: NODE_NAME
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: spec.nodeName
|
||||
- name: VOLUME_PARENT_DIR
|
||||
value: {{ $localVolumeParentDir }}
|
||||
resources:
|
||||
{{- toYaml .Values.resources | nindent 10 }}
|
||||
volumeMounts:
|
||||
- mountPath: {{ $localVolumeParentDir }}
|
||||
readOnly: false
|
||||
name: dind-volume-dir
|
||||
{{- with .Values.extraVolumeMounts }}
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.nodeSelector }}
|
||||
nodeSelector:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.affinity }}
|
||||
affinity:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.tolerations }}
|
||||
tolerations:
|
||||
{{- toYaml . | nindent 6 }}
|
||||
{{- end }}
|
||||
volumes:
|
||||
- name: dind-volume-dir
|
||||
hostPath:
|
||||
path: {{ $localVolumeParentDir }}
|
||||
{{- with .Values.extraVolumes }}
|
||||
{{- toYaml . | nindent 6 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end -}}
|
||||
|
|
@ -0,0 +1,67 @@
|
|||
{{- define "dind-volume-provisioner.resources.deployment" -}}
|
||||
{{ $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }}
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: {{ include "dind-volume-provisioner.fullname" . }}
|
||||
labels:
|
||||
{{- include "dind-volume-provisioner.labels" . | nindent 4 }}
|
||||
spec:
|
||||
replicas: {{ .Values.replicasCount }}
|
||||
strategy:
|
||||
type: {{ .Values.updateStrategy.type }}
|
||||
selector:
|
||||
matchLabels:
|
||||
{{- include "dind-volume-provisioner.selectorLabels" . | nindent 6 }}
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
{{- include "dind-volume-provisioner.selectorLabels" . | nindent 8 }}
|
||||
{{- with .Values.podAnnotations }}
|
||||
annotations:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
{{- include (printf "%s.image.pullSecrets" $cfCommonTplSemver ) . | nindent 8 }}
|
||||
serviceAccountName: {{ include "dind-volume-provisioner.serviceAccountName" . }}
|
||||
{{- if .Values.podSecurityContext.enabled }}
|
||||
securityContext: {{- omit .Values.podSecurityContext "enabled" | toYaml | nindent 8 }}
|
||||
{{- end }}
|
||||
containers:
|
||||
- name: dind-volume-provisioner
|
||||
image: {{ include (printf "%s.image.name" $cfCommonTplSemver ) (dict "image" .Values.image "context" .) }}
|
||||
imagePullPolicy: {{ .Values.image.pullPolicy | default "Always" }}
|
||||
command:
|
||||
- /usr/local/bin/dind-volume-provisioner
|
||||
- -v=4
|
||||
- --resync-period=50s
|
||||
env:
|
||||
{{- include "dind-volume-provisioner.environment-variables" . | nindent 8 }}
|
||||
ports:
|
||||
- name: http
|
||||
containerPort: 8080
|
||||
resources:
|
||||
{{- toYaml .Values.resources | nindent 12 }}
|
||||
volumeMounts:
|
||||
{{- include "dind-volume-provisioner.volumeMounts.calculated" . | nindent 8 }}
|
||||
{{- with .Values.extraVolumeMounts }}
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.nodeSelector }}
|
||||
nodeSelector:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.affinity }}
|
||||
affinity:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.tolerations }}
|
||||
tolerations:
|
||||
{{- toYaml . | nindent 6 }}
|
||||
{{- end }}
|
||||
volumes:
|
||||
{{- include "dind-volume-provisioner.volumes.calculated" . | nindent 6 }}
|
||||
{{- with .Values.extraVolumes }}
|
||||
{{- toYaml . | nindent 6 }}
|
||||
{{- end }}
|
||||
{{- end -}}
|
||||
|
|
@ -0,0 +1,88 @@
|
|||
{{- define "dind-volume-provisioner.environment-variables.defaults" }}
|
||||
{{- end }}
|
||||
|
||||
{{- define "dind-volume-provisioner.environment-variables.calculated" }}
|
||||
DOCKER_REGISTRY: {{ .Values.global.imageRegistry }}
|
||||
PROVISIONER_NAME: {{ include "dind-volume-provisioner.volumeProvisionerName" . }}
|
||||
|
||||
{{- if or .Values.storage.ebs.accessKeyId .Values.storage.ebs.accessKeyIdSecretKeyRef }}
|
||||
AWS_ACCESS_KEY_ID:
|
||||
{{- if .Values.storage.ebs.accessKeyId }}
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: {{ include "dind-volume-provisioner.fullname" . }}
|
||||
key: aws_access_key_id
|
||||
{{- else if .Values.storage.ebs.accessKeyIdSecretKeyRef }}
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
{{- .Values.storage.ebs.accessKeyIdSecretKeyRef | toYaml | nindent 6 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
{{- if or .Values.storage.ebs.secretAccessKey .Values.storage.ebs.secretAccessKeySecretKeyRef }}
|
||||
AWS_SECRET_ACCESS_KEY:
|
||||
{{- if .Values.storage.ebs.secretAccessKey }}
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: {{ include "dind-volume-provisioner.fullname" . }}
|
||||
key: aws_secret_access_key
|
||||
{{- else if .Values.storage.ebs.secretAccessKeySecretKeyRef }}
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
{{- .Values.storage.ebs.secretAccessKeySecretKeyRef | toYaml | nindent 6 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
{{- if or .Values.storage.gcedisk.serviceAccountJson .Values.storage.gcedisk.serviceAccountJsonSecretKeyRef }}
|
||||
GOOGLE_APPLICATION_CREDENTIALS: {{ printf "/etc/dind-volume-provisioner/credentials/%s" (.Values.storage.gcedisk.serviceAccountJsonSecretKeyRef.key | default "google-service-account.json") }}
|
||||
{{- end }}
|
||||
|
||||
{{- if and .Values.storage.mountAzureJson }}
|
||||
AZURE_CREDENTIAL_FILE: /etc/kubernetes/azure.json
|
||||
CLOUDCONFIG_AZURE: /etc/kubernetes/azure.json
|
||||
{{- end }}
|
||||
|
||||
{{- end }}
|
||||
|
||||
{{- define "dind-volume-provisioner.environment-variables" }}
|
||||
{{- $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }}
|
||||
{{- $defaults := (include "dind-volume-provisioner.environment-variables.defaults" . | fromYaml) }}
|
||||
{{- $calculated := (include "dind-volume-provisioner.environment-variables.calculated" . | fromYaml) }}
|
||||
{{- $overrides := .Values.env }}
|
||||
{{- $mergedValues := mergeOverwrite (merge $defaults $calculated) $overrides }}
|
||||
{{- include (printf "%s.env-vars" $cfCommonTplSemver) (dict "Values" $mergedValues "context" .) }}
|
||||
{{- end }}
|
||||
|
||||
|
||||
{{- define "dind-volume-provisioner.volumes.calculated" }}
|
||||
{{- if .Values.storage.gcedisk.serviceAccountJson }}
|
||||
- name: credentials
|
||||
secret:
|
||||
secretName: {{ include "dind-volume-provisioner.fullname" . }}
|
||||
optional: true
|
||||
{{- else if .Values.storage.gcedisk.serviceAccountJsonSecretKeyRef }}
|
||||
- name: credentials
|
||||
secret:
|
||||
secretName: {{ .Values.storage.gcedisk.serviceAccountJsonSecretKeyRef.name }}
|
||||
optional: true
|
||||
{{- end }}
|
||||
{{- if .Values.storage.mountAzureJson }}
|
||||
- name: azure-json
|
||||
hostPath:
|
||||
path: /etc/kubernetes/azure.json
|
||||
type: File
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
{{- define "dind-volume-provisioner.volumeMounts.calculated" }}
|
||||
{{- if or .Values.storage.gcedisk.serviceAccountJson .Values.storage.gcedisk.serviceAccountJsonSecretKeyRef }}
|
||||
- name: credentials
|
||||
readOnly: true
|
||||
mountPath: "/etc/dind-volume-provisioner/credentials"
|
||||
{{- end }}
|
||||
{{- if .Values.storage.mountAzureJson }}
|
||||
- name: azure-json
|
||||
readOnly: true
|
||||
mountPath: "/etc/kubernetes/azure.json"
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
|
@ -0,0 +1,93 @@
|
|||
{{/*
|
||||
Expand the name of the chart.
|
||||
*/}}
|
||||
{{- define "dind-volume-provisioner.name" -}}
|
||||
{{- printf "%s-%s" (include "cf-runtime.name" .) "volume-provisioner" | trunc 63 | trimSuffix "-" }}
|
||||
{{- end }}
|
||||
|
||||
{{/*
|
||||
Create a default fully qualified app name.
|
||||
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
|
||||
If release name contains chart name it will be used as a full name.
|
||||
*/}}
|
||||
{{- define "dind-volume-provisioner.fullname" -}}
|
||||
{{- printf "%s-%s" (include "cf-runtime.fullname" .) "volume-provisioner" | trunc 63 | trimSuffix "-" }}
|
||||
{{- end }}
|
||||
|
||||
{{- define "dind-volume-cleanup.fullname" -}}
|
||||
{{- printf "%s-%s" (include "cf-runtime.fullname" .) "volume-cleanup" | trunc 52 | trimSuffix "-" }}
|
||||
{{- end }}
|
||||
|
||||
{{- define "dind-lv-monitor.fullname" -}}
|
||||
{{- printf "%s-%s" (include "cf-runtime.fullname" .) "lv-monitor" | trunc 63 | trimSuffix "-" }}
|
||||
{{- end }}
|
||||
|
||||
{{/*
|
||||
Provisioner name for storage class
|
||||
*/}}
|
||||
{{- define "dind-volume-provisioner.volumeProvisionerName" }}
|
||||
{{- printf "codefresh.io/dind-volume-provisioner-runner-%s" .Release.Namespace }}
|
||||
{{- end }}
|
||||
|
||||
{{/*
|
||||
Common labels for dind-lv-monitor
|
||||
*/}}
|
||||
{{- define "dind-lv-monitor.labels" -}}
|
||||
{{ include "cf-runtime.labels" . }}
|
||||
codefresh.io/application: lv-monitor
|
||||
{{- end }}
|
||||
|
||||
{{/*
|
||||
Selector labels for dind-lv-monitor
|
||||
*/}}
|
||||
{{- define "dind-lv-monitor.selectorLabels" -}}
|
||||
{{ include "cf-runtime.selectorLabels" . }}
|
||||
codefresh.io/application: lv-monitor
|
||||
{{- end }}
|
||||
|
||||
{{/*
|
||||
Common labels for dind-volume-provisioner
|
||||
*/}}
|
||||
{{- define "dind-volume-provisioner.labels" -}}
|
||||
{{ include "cf-runtime.labels" . }}
|
||||
codefresh.io/application: volume-provisioner
|
||||
{{- end }}
|
||||
|
||||
{{/*
|
||||
Selector labels for dind-volume-provisioner
|
||||
*/}}
|
||||
{{- define "dind-volume-provisioner.selectorLabels" -}}
|
||||
{{ include "cf-runtime.selectorLabels" . }}
|
||||
codefresh.io/application: volume-provisioner
|
||||
{{- end }}
|
||||
|
||||
{{/*
|
||||
Common labels for dind-volume-cleanup
|
||||
*/}}
|
||||
{{- define "dind-volume-cleanup.labels" -}}
|
||||
{{ include "cf-runtime.labels" . }}
|
||||
codefresh.io/application: pv-cleanup
|
||||
{{- end }}
|
||||
|
||||
{{/*
|
||||
Common labels for dind-volume-cleanup
|
||||
*/}}
|
||||
{{- define "dind-volume-cleanup.selectorLabels" -}}
|
||||
{{ include "cf-runtime.selectorLabels" . }}
|
||||
codefresh.io/application: pv-cleanup
|
||||
{{- end }}
|
||||
|
||||
{{/*
|
||||
Create the name of the service account to use
|
||||
*/}}
|
||||
{{- define "dind-volume-provisioner.serviceAccountName" -}}
|
||||
{{- if .Values.serviceAccount.create }}
|
||||
{{- default (include "dind-volume-provisioner.fullname" .) .Values.serviceAccount.name }}
|
||||
{{- else }}
|
||||
{{- default "default" .Values.serviceAccount.name }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
{{- define "dind-volume-provisioner.storageClassName" }}
|
||||
{{- printf "dind-local-volumes-runner-%s" .Release.Namespace }}
|
||||
{{- end }}
|
||||
|
|
@ -0,0 +1,71 @@
|
|||
{{- define "dind-volume-provisioner.resources.rbac" -}}
|
||||
{{- if .Values.serviceAccount.create }}
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: {{ include "dind-volume-provisioner.serviceAccountName" . }}
|
||||
labels:
|
||||
{{- include "dind-volume-provisioner.labels" . | nindent 4 }}
|
||||
{{- with .Values.serviceAccount.annotations }}
|
||||
annotations:
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
---
|
||||
{{- if .Values.rbac.create }}
|
||||
kind: ClusterRole
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
metadata:
|
||||
name: {{ include "dind-volume-provisioner.fullname" . }}
|
||||
labels:
|
||||
{{- include "dind-volume-provisioner.labels" . | nindent 4 }}
|
||||
rules:
|
||||
- apiGroups: [ "" ]
|
||||
resources: [ "persistentvolumes" ]
|
||||
verbs: [ "get", "list", "watch", "create", "delete", "patch" ]
|
||||
- apiGroups: [ "" ]
|
||||
resources: [ "persistentvolumeclaims" ]
|
||||
verbs: [ "get", "list", "watch", "update", "delete" ]
|
||||
- apiGroups: [ "storage.k8s.io" ]
|
||||
resources: [ "storageclasses" ]
|
||||
verbs: [ "get", "list", "watch" ]
|
||||
- apiGroups: [ "" ]
|
||||
resources: [ "events" ]
|
||||
verbs: [ "list", "watch", "create", "update", "patch" ]
|
||||
- apiGroups: [ "" ]
|
||||
resources: [ "secrets" ]
|
||||
verbs: [ "get", "list" ]
|
||||
- apiGroups: [ "" ]
|
||||
resources: [ "nodes" ]
|
||||
verbs: [ "get", "list", "watch" ]
|
||||
- apiGroups: [ "" ]
|
||||
resources: [ "pods" ]
|
||||
verbs: [ "get", "list", "watch", "create", "delete", "patch" ]
|
||||
- apiGroups: [ "" ]
|
||||
resources: [ "endpoints" ]
|
||||
verbs: [ "get", "list", "watch", "create", "update", "delete" ]
|
||||
- apiGroups: [ "coordination.k8s.io" ]
|
||||
resources: [ "leases" ]
|
||||
verbs: [ "get", "create", "update" ]
|
||||
{{- with .Values.rbac.rules }}
|
||||
{{ toYaml . | nindent 2 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
---
|
||||
{{- if and .Values.serviceAccount.create .Values.rbac.create }}
|
||||
kind: ClusterRoleBinding
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
metadata:
|
||||
name: {{ include "dind-volume-provisioner.fullname" . }}
|
||||
labels:
|
||||
{{- include "dind-volume-provisioner.labels" . | nindent 4 }}
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: {{ include "dind-volume-provisioner.serviceAccountName" . }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
roleRef:
|
||||
kind: ClusterRole
|
||||
name: {{ include "dind-volume-provisioner.fullname" . }}
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
{{- end }}
|
||||
{{- end -}}
|
||||
|
|
@ -0,0 +1,22 @@
|
|||
{{- define "dind-volume-provisioner.resources.secret" -}}
|
||||
{{- if or .Values.storage.ebs.accessKeyId .Values.storage.ebs.secretAccessKey .Values.storage.gcedisk.serviceAccountJson }}
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
type: Opaque
|
||||
metadata:
|
||||
name: {{ include "dind-volume-provisioner.fullname" . }}
|
||||
labels:
|
||||
{{- include "dind-volume-provisioner.labels" . | nindent 4 }}
|
||||
stringData:
|
||||
{{- with .Values.storage.gcedisk.serviceAccountJson }}
|
||||
google-service-account.json: |
|
||||
{{- . | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- with .Values.storage.ebs.accessKeyId }}
|
||||
aws_access_key_id: {{ . }}
|
||||
{{- end }}
|
||||
{{- with .Values.storage.ebs.secretAccessKey }}
|
||||
aws_secret_access_key: {{ . }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end -}}
|
||||
|
|
@ -0,0 +1,47 @@
|
|||
{{- define "dind-volume-provisioner.resources.storageclass" -}}
|
||||
kind: StorageClass
|
||||
apiVersion: storage.k8s.io/v1
|
||||
metadata:
|
||||
{{/* has to be exactly that */}}
|
||||
name: {{ include "dind-volume-provisioner.storageClassName" . }}
|
||||
labels:
|
||||
{{- include "dind-volume-provisioner.labels" . | nindent 4 }}
|
||||
provisioner: {{ include "dind-volume-provisioner.volumeProvisionerName" . }}
|
||||
parameters:
|
||||
{{- if eq .Values.storage.backend "local" }}
|
||||
volumeBackend: local
|
||||
volumeParentDir: {{ .Values.storage.local.volumeParentDir }}
|
||||
{{- else if eq .Values.storage.backend "gcedisk" }}
|
||||
volumeBackend: {{ .Values.storage.backend }}
|
||||
type: {{ .Values.storage.gcedisk.volumeType | default "pd-ssd" }}
|
||||
zone: {{ required ".Values.storage.gcedisk.availabilityZone is required" .Values.storage.gcedisk.availabilityZone }}
|
||||
fsType: {{ .Values.storage.fsType | default "ext4" }}
|
||||
{{- else if or (eq .Values.storage.backend "ebs") (eq .Values.storage.backend "ebs-csi")}}
|
||||
volumeBackend: {{ .Values.storage.backend }}
|
||||
VolumeType: {{ .Values.storage.ebs.volumeType | default "gp3" }}
|
||||
AvailabilityZone: {{ required ".Values.storage.ebs.availabilityZone is required" .Values.storage.ebs.availabilityZone }}
|
||||
fsType: {{ .Values.storage.fsType | default "ext4" }}
|
||||
encrypted: {{ .Values.storage.ebs.encrypted | default "false" | quote }}
|
||||
{{- with .Values.storage.ebs.kmsKeyId }}
|
||||
kmsKeyId: {{ . | quote }}
|
||||
{{- end }}
|
||||
{{- with .Values.storage.ebs.iops }}
|
||||
iops: {{ . | quote }}
|
||||
{{- end }}
|
||||
{{- with .Values.storage.ebs.throughput }}
|
||||
throughput: {{ . | quote }}
|
||||
{{- end }}
|
||||
{{- else if or (eq .Values.storage.backend "azuredisk") (eq .Values.storage.backend "azuredisk-csi")}}
|
||||
volumeBackend: {{ .Values.storage.backend }}
|
||||
kind: managed
|
||||
skuName: {{ .Values.storage.azuredisk.skuName | default "Premium_LRS" }}
|
||||
fsType: {{ .Values.storage.fsType | default "ext4" }}
|
||||
cachingMode: {{ .Values.storage.azuredisk.cachingMode | default "None" }}
|
||||
{{- with .Values.storage.azuredisk.availabilityZone }}
|
||||
availabilityZone: {{ . | quote }}
|
||||
{{- end }}
|
||||
{{- with .Values.storage.azuredisk.resourceGroup }}
|
||||
resourceGroup: {{ . | quote }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end -}}
|
||||
|
|
@ -0,0 +1,51 @@
|
|||
{{/*
|
||||
Expand the name of the chart.
|
||||
*/}}
|
||||
{{- define "cf-runtime.name" -}}
|
||||
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
|
||||
{{- end }}
|
||||
|
||||
{{/*
|
||||
Create a default fully qualified app name.
|
||||
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
|
||||
If release name contains chart name it will be used as a full name.
|
||||
*/}}
|
||||
{{- define "cf-runtime.fullname" -}}
|
||||
{{- if .Values.fullnameOverride }}
|
||||
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
|
||||
{{- else }}
|
||||
{{- $name := default .Chart.Name .Values.nameOverride }}
|
||||
{{- if contains $name .Release.Name }}
|
||||
{{- .Release.Name | trunc 63 | trimSuffix "-" }}
|
||||
{{- else }}
|
||||
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
{{/*
|
||||
Create chart name and version as used by the chart label.
|
||||
*/}}
|
||||
{{- define "cf-runtime.chart" -}}
|
||||
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
|
||||
{{- end }}
|
||||
|
||||
{{/*
|
||||
Common labels
|
||||
*/}}
|
||||
{{- define "cf-runtime.labels" -}}
|
||||
helm.sh/chart: {{ include "cf-runtime.chart" . }}
|
||||
{{ include "cf-runtime.selectorLabels" . }}
|
||||
{{- if .Chart.AppVersion }}
|
||||
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
|
||||
{{- end }}
|
||||
app.kubernetes.io/managed-by: {{ .Release.Service }}
|
||||
{{- end }}
|
||||
|
||||
{{/*
|
||||
Selector labels
|
||||
*/}}
|
||||
{{- define "cf-runtime.selectorLabels" -}}
|
||||
app.kubernetes.io/name: {{ include "cf-runtime.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
{{- end }}
|
||||
|
|
@ -0,0 +1,9 @@
|
|||
{{- $appProxyContext := deepCopy . }}
|
||||
{{- $_ := set $appProxyContext "Values" (get .Values "appProxy") }}
|
||||
{{- $_ := set $appProxyContext.Values "global" (get .Values "global") }}
|
||||
{{- $_ := set $appProxyContext.Values "nameOverride" (get .Values "nameOverride") }}
|
||||
{{- $_ := set $appProxyContext.Values "fullnameOverride" (get .Values "fullnameOverride") }}
|
||||
|
||||
{{- if $appProxyContext.Values.enabled }}
|
||||
{{- include "app-proxy.resources.deployment" $appProxyContext }}
|
||||
{{- end }}
|
||||
|
|
@ -0,0 +1,9 @@
|
|||
{{- $appProxyContext := deepCopy . }}
|
||||
{{- $_ := set $appProxyContext "Values" (get .Values "appProxy") }}
|
||||
{{- $_ := set $appProxyContext.Values "global" (get .Values "global") }}
|
||||
{{- $_ := set $appProxyContext.Values "nameOverride" (get .Values "nameOverride") }}
|
||||
{{- $_ := set $appProxyContext.Values "fullnameOverride" (get .Values "fullnameOverride") }}
|
||||
|
||||
{{- if $appProxyContext.Values.enabled }}
|
||||
{{- include "app-proxy.resources.ingress" $appProxyContext }}
|
||||
{{- end }}
|
||||
|
|
@ -0,0 +1,9 @@
|
|||
{{- $appProxyContext := deepCopy . }}
|
||||
{{- $_ := set $appProxyContext "Values" (get .Values "appProxy") }}
|
||||
{{- $_ := set $appProxyContext.Values "global" (get .Values "global") }}
|
||||
{{- $_ := set $appProxyContext.Values "nameOverride" (get .Values "nameOverride") }}
|
||||
{{- $_ := set $appProxyContext.Values "fullnameOverride" (get .Values "fullnameOverride") }}
|
||||
|
||||
{{- if $appProxyContext.Values.enabled }}
|
||||
{{- include "app-proxy.resources.rbac" $appProxyContext }}
|
||||
{{- end }}
|
||||
|
|
@ -0,0 +1,9 @@
|
|||
{{- $appProxyContext := deepCopy . }}
|
||||
{{- $_ := set $appProxyContext "Values" (get .Values "appProxy") }}
|
||||
{{- $_ := set $appProxyContext.Values "global" (get .Values "global") }}
|
||||
{{- $_ := set $appProxyContext.Values "nameOverride" (get .Values "nameOverride") }}
|
||||
{{- $_ := set $appProxyContext.Values "fullnameOverride" (get .Values "fullnameOverride") }}
|
||||
|
||||
{{- if $appProxyContext.Values.enabled }}
|
||||
{{- include "app-proxy.resources.service" $appProxyContext }}
|
||||
{{- end }}
|
||||
|
|
@ -0,0 +1,9 @@
|
|||
{{- $eventExporterContext := deepCopy . }}
|
||||
{{- $_ := set $eventExporterContext "Values" (get .Values "event-exporter") }}
|
||||
{{- $_ := set $eventExporterContext.Values "global" (get .Values "global") }}
|
||||
{{- $_ := set $eventExporterContext.Values "nameOverride" (get .Values "nameOverride") }}
|
||||
{{- $_ := set $eventExporterContext.Values "fullnameOverride" (get .Values "fullnameOverride") }}
|
||||
|
||||
{{- if and $eventExporterContext.Values.enabled }}
|
||||
{{- include "event-exporter.resources.deployment" $eventExporterContext }}
|
||||
{{- end }}
|
||||
|
|
@ -0,0 +1,9 @@
|
|||
{{- $eventExporterContext := deepCopy . }}
|
||||
{{- $_ := set $eventExporterContext "Values" (get .Values "event-exporter") }}
|
||||
{{- $_ := set $eventExporterContext.Values "global" (get .Values "global") }}
|
||||
{{- $_ := set $eventExporterContext.Values "nameOverride" (get .Values "nameOverride") }}
|
||||
{{- $_ := set $eventExporterContext.Values "fullnameOverride" (get .Values "fullnameOverride") }}
|
||||
|
||||
{{- if and $eventExporterContext.Values.enabled }}
|
||||
{{- include "event-exporter.resources.rbac" $eventExporterContext }}
|
||||
{{- end }}
|
||||
|
|
@ -0,0 +1,11 @@
|
|||
{{- $eventExporterContext := deepCopy . }}
|
||||
{{- $_ := set $eventExporterContext "Values" (get .Values "event-exporter") }}
|
||||
{{- $_ := set $eventExporterContext.Values "global" (get .Values "global") }}
|
||||
{{- $_ := set $eventExporterContext.Values "nameOverride" (get .Values "nameOverride") }}
|
||||
{{- $_ := set $eventExporterContext.Values "fullnameOverride" (get .Values "fullnameOverride") }}
|
||||
|
||||
{{- if $eventExporterContext.Values.enabled }}
|
||||
{{- include "event-exporter.resources.service" $eventExporterContext }}
|
||||
---
|
||||
{{- include "event-exporter.resources.serviceMonitor" $eventExporterContext }}
|
||||
{{- end }}
|
||||
|
|
@ -0,0 +1,6 @@
|
|||
{{ $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }}
|
||||
|
||||
{{- range .Values.extraResources }}
|
||||
---
|
||||
{{ include (printf "%s.tplrender" $cfCommonTplSemver) (dict "Values" . "context" $) }}
|
||||
{{- end }}
|
||||
|
|
@ -0,0 +1,19 @@
|
|||
{{ $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }}
|
||||
{{ $values := .Values.runtime.engine.runtimeImages }}
|
||||
---
|
||||
kind: ConfigMap
|
||||
apiVersion: v1
|
||||
metadata:
|
||||
{{- /* dummy template just to list runtime images */}}
|
||||
name: {{ include "runtime.fullname" . }}-images
|
||||
labels:
|
||||
{{- include "runtime.labels" . | nindent 4 }}
|
||||
annotations:
|
||||
{{- with $values.annotations }}
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
data:
|
||||
images: |
|
||||
{{- range $key, $val := $values }}
|
||||
image: {{ $val }}
|
||||
{{- end }}
|
||||
|
|
@ -0,0 +1,18 @@
|
|||
{{ $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }}
|
||||
{{ $values := .Values.runtime.patch }}
|
||||
{{- if $values.enabled }}
|
||||
---
|
||||
kind: ConfigMap
|
||||
apiVersion: v1
|
||||
metadata:
|
||||
name: {{ include "runtime.fullname" . }}-spec
|
||||
labels:
|
||||
{{- include "runtime.labels" . | nindent 4 }}
|
||||
annotations:
|
||||
{{- with $values.annotations }}
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
data:
|
||||
runtime.yaml: |
|
||||
{{ include "runtime.runtime-environment-spec.template" . | nindent 4 | trim }}
|
||||
{{- end }}
|
||||
|
|
@ -0,0 +1,68 @@
|
|||
{{ $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }}
|
||||
{{ $values := .Values.runtime.gencerts }}
|
||||
{{- if and $values.enabled }}
|
||||
---
|
||||
apiVersion: batch/v1
|
||||
kind: Job
|
||||
metadata:
|
||||
name: {{ include "runtime.fullname" . }}-gencerts-dind
|
||||
labels:
|
||||
{{- include "runtime.labels" . | nindent 4 }}
|
||||
annotations:
|
||||
helm.sh/hook: post-install,post-upgrade
|
||||
helm.sh/hook-weight: "3"
|
||||
helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
|
||||
{{- with $values.annotations }}
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
{{- with $values.ttlSecondsAfterFinished }}
|
||||
ttlSecondsAfterFinished: {{ . }}
|
||||
{{- end }}
|
||||
{{- with $values.backoffLimit }}
|
||||
backoffLimit: {{ . | int }}
|
||||
{{- end }}
|
||||
template:
|
||||
metadata:
|
||||
name: {{ include "runtime.fullname" . }}-gencerts-dind
|
||||
labels:
|
||||
{{- include "runtime.labels" . | nindent 8 }}
|
||||
spec:
|
||||
{{- if $values.rbac.enabled }}
|
||||
serviceAccountName: {{ template "runtime.fullname" . }}-gencerts-dind
|
||||
{{- end }}
|
||||
securityContext:
|
||||
{{- toYaml $values.podSecurityContext | nindent 8 }}
|
||||
containers:
|
||||
- name: gencerts-dind
|
||||
image: {{ include (printf "%s.image.name" $cfCommonTplSemver ) (dict "image" $values.image "context" .) }}
|
||||
imagePullPolicy: {{ $values.image.pullPolicy | default "Always" }}
|
||||
command:
|
||||
- "/bin/bash"
|
||||
args:
|
||||
- -ec
|
||||
- | {{ .Files.Get "files/configure-dind-certs.sh" | nindent 10 }}
|
||||
env:
|
||||
- name: NAMESPACE
|
||||
value: {{ .Release.Namespace }}
|
||||
- name: RELEASE
|
||||
value: {{ .Release.Name }}
|
||||
- name: CF_API_HOST
|
||||
value: {{ include "runtime.runtime-environment-spec.codefresh-host" . }}
|
||||
- name: CF_API_TOKEN
|
||||
{{- include "runtime.installation-token-env-var-value" . | indent 10}}
|
||||
{{- include (printf "%s.env-vars" $cfCommonTplSemver) (dict "Values" $values.env "context" .) | nindent 8 }}
|
||||
{{- with $values.nodeSelector }}
|
||||
nodeSelector:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with $values.affinity }}
|
||||
affinity:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with $values.tolerations }}
|
||||
tolerations:
|
||||
{{- toYaml . | nindent 6 }}
|
||||
{{- end }}
|
||||
restartPolicy: OnFailure
|
||||
{{- end }}
|
||||
|
|
@ -0,0 +1,77 @@
|
|||
{{ $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }}
|
||||
{{ $values := .Values.runtime.patch }}
|
||||
{{- if $values.enabled }}
|
||||
---
|
||||
apiVersion: batch/v1
|
||||
kind: Job
|
||||
metadata:
|
||||
name: {{ include "runtime.fullname" . }}-patch
|
||||
labels:
|
||||
{{- include "runtime.labels" . | nindent 4 }}
|
||||
annotations:
|
||||
helm.sh/hook: post-install,post-upgrade
|
||||
helm.sh/hook-weight: "5"
|
||||
helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
|
||||
{{- with $values.annotations }}
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
{{- with $values.ttlSecondsAfterFinished }}
|
||||
ttlSecondsAfterFinished: {{ . }}
|
||||
{{- end }}
|
||||
{{- with $values.backoffLimit }}
|
||||
backoffLimit: {{ . | int }}
|
||||
{{- end }}
|
||||
template:
|
||||
metadata:
|
||||
name: {{ include "runtime.fullname" . }}-patch
|
||||
labels:
|
||||
{{- include "runtime.labels" . | nindent 8 }}
|
||||
spec:
|
||||
securityContext:
|
||||
{{- toYaml $values.podSecurityContext | nindent 8 }}
|
||||
containers:
|
||||
- name: patch-runtime
|
||||
image: {{ include (printf "%s.image.name" $cfCommonTplSemver ) (dict "image" $values.image "context" .) }}
|
||||
imagePullPolicy: {{ $values.image.pullPolicy | default "Always" }}
|
||||
command:
|
||||
- "/bin/bash"
|
||||
args:
|
||||
- -ec
|
||||
- |
|
||||
codefresh auth create-context --api-key $API_KEY --url $API_HOST
|
||||
cat /usr/share/extras/runtime.yaml
|
||||
codefresh get re
|
||||
{{- if .Values.runtime.agent }}
|
||||
codefresh patch re -f /usr/share/extras/runtime.yaml
|
||||
{{- else }}
|
||||
codefresh patch sys-re -f /usr/share/extras/runtime.yaml
|
||||
{{- end }}
|
||||
env:
|
||||
- name: API_KEY
|
||||
{{- include "runtime.installation-token-env-var-value" . | indent 10}}
|
||||
- name: API_HOST
|
||||
value: {{ include "runtime.runtime-environment-spec.codefresh-host" . }}
|
||||
{{- include (printf "%s.env-vars" $cfCommonTplSemver) (dict "Values" $values.env "context" .) | nindent 8 }}
|
||||
volumeMounts:
|
||||
- name: config
|
||||
mountPath: /usr/share/extras/runtime.yaml
|
||||
subPath: runtime.yaml
|
||||
{{- with $values.nodeSelector }}
|
||||
nodeSelector:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with $values.affinity }}
|
||||
affinity:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with $values.tolerations }}
|
||||
tolerations:
|
||||
{{- toYaml . | nindent 6 }}
|
||||
{{- end }}
|
||||
restartPolicy: OnFailure
|
||||
volumes:
|
||||
- name: config
|
||||
configMap:
|
||||
name: {{ include "runtime.fullname" . }}-spec
|
||||
{{- end }}
|
||||
|
|
@ -0,0 +1,37 @@
|
|||
{{ $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }}
|
||||
{{ $values := .Values.runtime.gencerts }}
|
||||
{{- if and $values.enabled }}
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: {{ include "runtime.fullname" . }}-gencerts-dind
|
||||
namespace: {{ .Release.Namespace }}
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: Role
|
||||
metadata:
|
||||
name: {{ include "runtime.fullname" . }}-gencerts-dind
|
||||
namespace: {{ .Release.Namespace }}
|
||||
rules:
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
- secrets
|
||||
- configmaps
|
||||
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: RoleBinding
|
||||
metadata:
|
||||
name: {{ include "runtime.fullname" . }}-gencerts-dind
|
||||
namespace: {{ .Release.Namespace }}
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: Role
|
||||
name: {{ include "runtime.fullname" . }}-gencerts-dind
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: {{ include "runtime.fullname" . }}-gencerts-dind
|
||||
namespace: {{ .Release.Namespace }}
|
||||
{{ end }}
|
||||
|
|
@ -0,0 +1,73 @@
|
|||
{{ $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }}
|
||||
{{ $values := .Values.runtime.patch }}
|
||||
{{- if and $values.enabled }}
|
||||
---
|
||||
apiVersion: batch/v1
|
||||
kind: Job
|
||||
metadata:
|
||||
name: {{ include "runtime.fullname" . }}-cleanup
|
||||
labels:
|
||||
{{- include "runtime.labels" . | nindent 4 }}
|
||||
annotations:
|
||||
helm.sh/hook: pre-delete
|
||||
helm.sh/hook-delete-policy: hook-succeeded,before-hook-creation
|
||||
{{- with $values.annotations }}
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
{{- with $values.ttlSecondsAfterFinished }}
|
||||
ttlSecondsAfterFinished: {{ . }}
|
||||
{{- end }}
|
||||
{{- with $values.backoffLimit }}
|
||||
backoffLimit: {{ . | int }}
|
||||
{{- end }}
|
||||
template:
|
||||
metadata:
|
||||
name: {{ include "runtime.fullname" . }}-cleanup
|
||||
labels:
|
||||
{{- include "runtime.labels" . | nindent 8 }}
|
||||
spec:
|
||||
{{- if $values.rbac.enabled }}
|
||||
serviceAccountName: {{ template "runtime.fullname" . }}-cleanup
|
||||
{{- end }}
|
||||
securityContext:
|
||||
{{- toYaml $values.podSecurityContext | nindent 8 }}
|
||||
containers:
|
||||
- name: cleanup
|
||||
image: {{ include (printf "%s.image.name" $cfCommonTplSemver ) (dict "image" $values.image "context" .) }}
|
||||
imagePullPolicy: {{ $values.image.pullPolicy | default "Always" }}
|
||||
command:
|
||||
- "/bin/bash"
|
||||
args:
|
||||
- -ec
|
||||
- | {{ .Files.Get "files/cleanup-runtime.sh" | nindent 10 }}
|
||||
env:
|
||||
- name: AGENT_NAME
|
||||
value: {{ include "runtime.runtime-environment-spec.agent-name" . }}
|
||||
- name: RUNTIME_NAME
|
||||
value: {{ include "runtime.runtime-environment-spec.runtime-name" . }}
|
||||
- name: API_HOST
|
||||
value: {{ include "runtime.runtime-environment-spec.codefresh-host" . }}
|
||||
- name: API_TOKEN
|
||||
{{- include "runtime.installation-token-env-var-value" . | indent 10}}
|
||||
- name: AGENT
|
||||
value: {{ .Values.runtime.agent | quote }}
|
||||
- name: AGENT_SECRET_NAME
|
||||
value: {{ include "runner.fullname" . }}
|
||||
- name: DIND_SECRET_NAME
|
||||
value: codefresh-certs-server
|
||||
{{- include (printf "%s.env-vars" $cfCommonTplSemver) (dict "Values" $values.env "context" .) | nindent 8 }}
|
||||
{{- with $values.nodeSelector }}
|
||||
nodeSelector:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with $values.affinity }}
|
||||
affinity:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with $values.tolerations }}
|
||||
tolerations:
|
||||
{{- toYaml . | nindent 6 }}
|
||||
{{- end }}
|
||||
restartPolicy: OnFailure
|
||||
{{- end }}
|
||||
|
|
@ -0,0 +1,46 @@
|
|||
{{ $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }}
|
||||
{{ $values := .Values.runtime.patch }}
|
||||
{{- if and $values.enabled }}
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: {{ include "runtime.fullname" . }}-cleanup
|
||||
namespace: {{ .Release.Namespace }}
|
||||
annotations:
|
||||
"helm.sh/hook": pre-delete
|
||||
"helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation,hook-failed
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: Role
|
||||
metadata:
|
||||
name: {{ include "runtime.fullname" . }}-cleanup
|
||||
namespace: {{ .Release.Namespace }}
|
||||
annotations:
|
||||
"helm.sh/hook": pre-delete
|
||||
"helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation,hook-failed
|
||||
rules:
|
||||
- apiGroups:
|
||||
- "*"
|
||||
resources:
|
||||
- "*"
|
||||
verbs:
|
||||
- "*"
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: RoleBinding
|
||||
metadata:
|
||||
name: {{ include "runtime.fullname" . }}-cleanup
|
||||
namespace: {{ .Release.Namespace }}
|
||||
annotations:
|
||||
"helm.sh/hook": pre-delete
|
||||
"helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation,hook-failed
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: Role
|
||||
name: {{ include "runtime.fullname" . }}-cleanup
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: {{ include "runtime.fullname" . }}-cleanup
|
||||
namespace: {{ .Release.Namespace }}
|
||||
{{ end }}
|
||||
|
|
@ -0,0 +1,9 @@
|
|||
{{- $monitorContext := deepCopy . }}
|
||||
{{- $_ := set $monitorContext "Values" (get .Values "monitor") }}
|
||||
{{- $_ := set $monitorContext.Values "global" (get .Values "global") }}
|
||||
{{- $_ := set $monitorContext.Values "nameOverride" (get .Values "nameOverride") }}
|
||||
{{- $_ := set $monitorContext.Values "fullnameOverride" (get .Values "fullnameOverride") }}
|
||||
|
||||
{{- if $monitorContext.Values.enabled }}
|
||||
{{- include "monitor.resources.deployment" $monitorContext }}
|
||||
{{- end }}
|
||||
|
|
@ -0,0 +1,9 @@
|
|||
{{- $monitorContext := deepCopy . }}
|
||||
{{- $_ := set $monitorContext "Values" (get .Values "monitor") }}
|
||||
{{- $_ := set $monitorContext.Values "global" (get .Values "global") }}
|
||||
{{- $_ := set $monitorContext.Values "nameOverride" (get .Values "nameOverride") }}
|
||||
{{- $_ := set $monitorContext.Values "fullnameOverride" (get .Values "fullnameOverride") }}
|
||||
|
||||
{{- if $monitorContext.Values.enabled }}
|
||||
{{- include "monitor.resources.rbac" $monitorContext }}
|
||||
{{- end }}
|
||||
|
|
@ -0,0 +1,9 @@
|
|||
{{- $monitorContext := deepCopy . }}
|
||||
{{- $_ := set $monitorContext "Values" (get .Values "monitor") }}
|
||||
{{- $_ := set $monitorContext.Values "global" (get .Values "global") }}
|
||||
{{- $_ := set $monitorContext.Values "nameOverride" (get .Values "nameOverride") }}
|
||||
{{- $_ := set $monitorContext.Values "fullnameOverride" (get .Values "fullnameOverride") }}
|
||||
|
||||
{{- if $monitorContext.Values.enabled }}
|
||||
{{- include "monitor.resources.service" $monitorContext }}
|
||||
{{- end }}
|
||||
|
|
@ -0,0 +1,2 @@
|
|||
{{ $templateName := printf "cf-common-%s.external-secrets" (index .Subcharts "cf-common").Chart.Version }}
|
||||
{{- include $templateName . -}}
|
||||
|
|
@ -0,0 +1,2 @@
|
|||
{{ $templateName := printf "cf-common-%s.podMonitor" (index .Subcharts "cf-common").Chart.Version }}
|
||||
{{- include $templateName . -}}
|
||||
|
|
@ -0,0 +1,2 @@
|
|||
{{ $templateName := printf "cf-common-%s.serviceMonitor" (index .Subcharts "cf-common").Chart.Version }}
|
||||
{{- include $templateName . -}}
|
||||
|
|
@ -0,0 +1,9 @@
|
|||
{{- $runnerContext := deepCopy . }}
|
||||
{{- $_ := set $runnerContext "Values" (get .Values "runner") }}
|
||||
{{- $_ := set $runnerContext.Values "global" (get .Values "global") }}
|
||||
{{- $_ := set $runnerContext.Values "nameOverride" (get .Values "nameOverride") }}
|
||||
{{- $_ := set $runnerContext.Values "fullnameOverride" (get .Values "fullnameOverride") }}
|
||||
|
||||
{{- if and $runnerContext.Values.enabled .Values.runtime.agent }}
|
||||
{{- include "runner.resources.deployment" $runnerContext }}
|
||||
{{- end }}
|
||||
|
|
@ -0,0 +1,9 @@
|
|||
{{- $runnerContext := deepCopy . }}
|
||||
{{- $_ := set $runnerContext "Values" (get .Values "runner") }}
|
||||
{{- $_ := set $runnerContext.Values "global" (get .Values "global") }}
|
||||
{{- $_ := set $runnerContext.Values "nameOverride" (get .Values "nameOverride") }}
|
||||
{{- $_ := set $runnerContext.Values "fullnameOverride" (get .Values "fullnameOverride") }}
|
||||
|
||||
{{- if and $runnerContext.Values.enabled .Values.runtime.agent }}
|
||||
{{- include "runner.resources.rbac" $runnerContext }}
|
||||
{{- end }}
|
||||
|
|
@ -0,0 +1,123 @@
|
|||
{{/*
|
||||
Expand the name of the chart.
|
||||
*/}}
|
||||
{{- define "runtime.name" -}}
|
||||
{{- printf "%s" (include "cf-runtime.name" .) | trunc 63 | trimSuffix "-" }}
|
||||
{{- end }}
|
||||
|
||||
{{/*
|
||||
Create a default fully qualified app name.
|
||||
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
|
||||
If release name contains chart name it will be used as a full name.
|
||||
*/}}
|
||||
{{- define "runtime.fullname" -}}
|
||||
{{- printf "%s" (include "cf-runtime.fullname" .) | trunc 63 | trimSuffix "-" }}
|
||||
{{- end }}
|
||||
|
||||
{{/*
|
||||
Common labels
|
||||
*/}}
|
||||
{{- define "runtime.labels" -}}
|
||||
{{ include "cf-runtime.labels" . }}
|
||||
codefresh.io/application: runtime
|
||||
{{- end }}
|
||||
|
||||
{{/*
|
||||
Selector labels
|
||||
*/}}
|
||||
{{- define "runtime.selectorLabels" -}}
|
||||
{{ include "cf-runtime.selectorLabels" . }}
|
||||
codefresh.io/application: runtime
|
||||
{{- end }}
|
||||
|
||||
{{/*
|
||||
Return runtime image (classic runtime) with private registry prefix
|
||||
*/}}
|
||||
{{- define "runtime.runtimeImageName" -}}
|
||||
{{- if .registry -}}
|
||||
{{- $imageName := (trimPrefix "quay.io/" .imageFullName) -}}
|
||||
{{- printf "%s/%s" .registry $imageName -}}
|
||||
{{- else -}}
|
||||
{{- printf "%s" .imageFullName -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Environment variable value of Codefresh installation token
|
||||
*/}}
|
||||
{{- define "runtime.installation-token-env-var-value" -}}
|
||||
{{- if .Values.global.codefreshToken }}
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: {{ include "runtime.installation-token-secret-name" . }}
|
||||
key: codefresh-api-token
|
||||
{{- else if .Values.global.codefreshTokenSecretKeyRef }}
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
{{- .Values.global.codefreshTokenSecretKeyRef | toYaml | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
{{/*
|
||||
Environment variable value of Codefresh agent token
|
||||
*/}}
|
||||
{{- define "runtime.agent-token-env-var-value" -}}
|
||||
{{- if .Values.global.agentToken }}
|
||||
{{- printf "%s" .Values.global.agentToken | toYaml }}
|
||||
{{- else if .Values.global.agentTokenSecretKeyRef }}
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
{{- .Values.global.agentTokenSecretKeyRef | toYaml | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
{{/*
|
||||
Print Codefresh API token secret name
|
||||
*/}}
|
||||
{{- define "runtime.installation-token-secret-name" }}
|
||||
{{- print "codefresh-user-token" }}
|
||||
{{- end }}
|
||||
|
||||
{{/*
|
||||
Print Codefresh host
|
||||
*/}}
|
||||
{{- define "runtime.runtime-environment-spec.codefresh-host" }}
|
||||
{{- if and (not .Values.global.codefreshHost) }}
|
||||
{{- fail "ERROR: .global.codefreshHost is required" }}
|
||||
{{- else }}
|
||||
{{- printf "%s" (trimSuffix "/" .Values.global.codefreshHost) }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
{{/*
|
||||
Print runtime-environment name
|
||||
*/}}
|
||||
{{- define "runtime.runtime-environment-spec.runtime-name" }}
|
||||
{{- if and (not .Values.global.runtimeName) }}
|
||||
{{- printf "%s/%s" .Values.global.context .Release.Namespace }}
|
||||
{{- else }}
|
||||
{{- printf "%s" .Values.global.runtimeName }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
{{/*
|
||||
Print agent name
|
||||
*/}}
|
||||
{{- define "runtime.runtime-environment-spec.agent-name" }}
|
||||
{{- if and (not .Values.global.agentName) }}
|
||||
{{- printf "%s_%s" .Values.global.context .Release.Namespace }}
|
||||
{{- else }}
|
||||
{{- printf "%s" .Values.global.agentName }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
{{/*
|
||||
Print context
|
||||
*/}}
|
||||
{{- define "runtime.runtime-environment-spec.context-name" }}
|
||||
{{- if and (not .Values.global.context) }}
|
||||
{{- fail "ERROR: .global.context is required" }}
|
||||
{{- else }}
|
||||
{{- printf "%s" .Values.global.context }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
|
@ -0,0 +1,10 @@
|
|||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
{{- /* has to be a constant */}}
|
||||
name: codefresh-dind-config
|
||||
labels:
|
||||
{{- include "runtime.labels" . | nindent 4 }}
|
||||
data:
|
||||
daemon.json: |
|
||||
{{ coalesce .Values.re.dindDaemon .Values.runtime.dindDaemon | toPrettyJson | indent 4 }}
|
||||
|
|
@ -0,0 +1,48 @@
|
|||
{{ $values := .Values.runtime }}
|
||||
---
|
||||
{{- if or $values.serviceAccount.create }}
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
{{- /* has to be a constant */}}
|
||||
name: codefresh-engine
|
||||
labels:
|
||||
{{- include "runtime.labels" . | nindent 4 }}
|
||||
{{- with $values.serviceAccount.annotations }}
|
||||
annotations:
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
---
|
||||
{{- if $values.rbac.create }}
|
||||
kind: Role
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
metadata:
|
||||
name: codefresh-engine
|
||||
labels:
|
||||
{{- include "runner.labels" . | nindent 4 }}
|
||||
rules:
|
||||
- apiGroups: [ "" ]
|
||||
resources: [ "secrets" ]
|
||||
verbs: [ "get" ]
|
||||
{{- with $values.rbac.rules }}
|
||||
{{ toYaml . | nindent 2 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
---
|
||||
{{- if and $values.serviceAccount.create $values.rbac.create }}
|
||||
kind: RoleBinding
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
metadata:
|
||||
name: codefresh-engine
|
||||
labels:
|
||||
{{- include "runner.labels" . | nindent 4 }}
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: codefresh-engine
|
||||
roleRef:
|
||||
kind: Role
|
||||
name: codefresh-engine
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
{{- end }}
|
||||
|
||||
|
|
@ -0,0 +1,211 @@
|
|||
{{- define "runtime.runtime-environment-spec.template" }}
|
||||
{{- $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version -}}
|
||||
{{- $kubeconfigFilePath := (include "runtime.runtime-environment-spec.runtime-name" .) -}}
|
||||
{{- $name := (include "runtime.runtime-environment-spec.runtime-name" .) -}}
|
||||
{{- $engineContext := .Values.runtime.engine -}}
|
||||
{{- $dindContext := .Values.runtime.dind -}}
|
||||
{{- $imageRegistry := .Values.global.imageRegistry -}}
|
||||
metadata:
|
||||
name: {{ include "runtime.runtime-environment-spec.runtime-name" . }}
|
||||
agent: {{ .Values.runtime.agent }}
|
||||
runtimeScheduler:
|
||||
type: KubernetesPod
|
||||
{{- if $engineContext.image }}
|
||||
image: {{ include (printf "%s.image.name" $cfCommonTplSemver ) (dict "image" $engineContext.image "context" .) | squote }}
|
||||
{{- end }}
|
||||
imagePullPolicy: {{ $engineContext.image.pullPolicy }}
|
||||
{{- with $engineContext.command }}
|
||||
command: {{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
envVars:
|
||||
{{- with $engineContext.env }}
|
||||
{{- range $key, $val := . }}
|
||||
{{- if or (kindIs "bool" $val) (kindIs "int" $val) (kindIs "float64" $val) }}
|
||||
{{ $key }}: {{ $val | squote }}
|
||||
{{- else }}
|
||||
{{ $key }}: {{ $val }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
COMPOSE_IMAGE: {{ include "runtime.runtimeImageName" (dict "registry" $imageRegistry "imageFullName" $engineContext.runtimeImages.COMPOSE_IMAGE) | squote }}
|
||||
CONTAINER_LOGGER_IMAGE: {{ include "runtime.runtimeImageName" (dict "registry" $imageRegistry "imageFullName" $engineContext.runtimeImages.CONTAINER_LOGGER_IMAGE) | squote }}
|
||||
DOCKER_BUILDER_IMAGE: {{ include "runtime.runtimeImageName" (dict "registry" $imageRegistry "imageFullName" $engineContext.runtimeImages.DOCKER_BUILDER_IMAGE) | squote }}
|
||||
DOCKER_PULLER_IMAGE: {{ include "runtime.runtimeImageName" (dict "registry" $imageRegistry "imageFullName" $engineContext.runtimeImages.DOCKER_PULLER_IMAGE) | squote }}
|
||||
DOCKER_PUSHER_IMAGE: {{ include "runtime.runtimeImageName" (dict "registry" $imageRegistry "imageFullName" $engineContext.runtimeImages.DOCKER_PUSHER_IMAGE) | squote }}
|
||||
DOCKER_TAG_PUSHER_IMAGE: {{ include "runtime.runtimeImageName" (dict "registry" $imageRegistry "imageFullName" $engineContext.runtimeImages.DOCKER_TAG_PUSHER_IMAGE) | squote }}
|
||||
FS_OPS_IMAGE: {{ include "runtime.runtimeImageName" (dict "registry" $imageRegistry "imageFullName" $engineContext.runtimeImages.FS_OPS_IMAGE) | squote }}
|
||||
GIT_CLONE_IMAGE: {{ include "runtime.runtimeImageName" (dict "registry" $imageRegistry "imageFullName" $engineContext.runtimeImages.GIT_CLONE_IMAGE) | squote }}
|
||||
KUBE_DEPLOY: {{ include "runtime.runtimeImageName" (dict "registry" $imageRegistry "imageFullName" $engineContext.runtimeImages.KUBE_DEPLOY) | squote }}
|
||||
PIPELINE_DEBUGGER_IMAGE: {{ include "runtime.runtimeImageName" (dict "registry" $imageRegistry "imageFullName" $engineContext.runtimeImages.PIPELINE_DEBUGGER_IMAGE) | squote }}
|
||||
TEMPLATE_ENGINE: {{ include "runtime.runtimeImageName" (dict "registry" $imageRegistry "imageFullName" $engineContext.runtimeImages.TEMPLATE_ENGINE) | squote }}
|
||||
CR_6177_FIXER: {{ include "runtime.runtimeImageName" (dict "registry" $imageRegistry "imageFullName" $engineContext.runtimeImages.CR_6177_FIXER) | squote }}
|
||||
GC_BUILDER_IMAGE: {{ include "runtime.runtimeImageName" (dict "registry" $imageRegistry "imageFullName" $engineContext.runtimeImages.GC_BUILDER_IMAGE) | squote }}
|
||||
COSIGN_IMAGE_SIGNER_IMAGE: {{ include "runtime.runtimeImageName" (dict "registry" $imageRegistry "imageFullName" $engineContext.runtimeImages.COSIGN_IMAGE_SIGNER_IMAGE) | squote }}
|
||||
{{- with $engineContext.userEnvVars }}
|
||||
userEnvVars: {{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- with $engineContext.workflowLimits }}
|
||||
workflowLimits: {{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
cluster:
|
||||
namespace: {{ .Release.Namespace }}
|
||||
serviceAccount: {{ $engineContext.serviceAccount }}
|
||||
{{- if .Values.runtime.agent }}
|
||||
clusterProvider:
|
||||
accountId: {{ .Values.global.accountId }}
|
||||
selector: {{ include "runtime.runtime-environment-spec.context-name" . }}
|
||||
{{- else }}
|
||||
{{- if .Values.runtime.inCluster }}
|
||||
inCluster: true
|
||||
kubeconfigFilePath: null
|
||||
{{- else }}
|
||||
name: {{ $name }}
|
||||
kubeconfigFilePath: {{ printf "/etc/kubeconfig/%s" $kubeconfigFilePath }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- with $engineContext.nodeSelector }}
|
||||
nodeSelector: {{- toYaml . | nindent 6 }}
|
||||
{{- end }}
|
||||
{{- with $engineContext.affinity }}
|
||||
affinity: {{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- with $engineContext.tolerations }}
|
||||
tolerations: {{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- with $engineContext.podAnnotations }}
|
||||
annotations:
|
||||
{{- range $key, $val := . }}
|
||||
{{ $key }}: {{ $val | squote }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- with $engineContext.podLabels }}
|
||||
labels: {{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- if $engineContext.schedulerName }}
|
||||
schedulerName: {{ $engineContext.schedulerName }}
|
||||
{{- end }}
|
||||
resources:
|
||||
{{- if $engineContext.resources}}
|
||||
{{- toYaml $engineContext.resources | nindent 4 }}
|
||||
{{- end }}
|
||||
dockerDaemonScheduler:
|
||||
type: DindKubernetesPod
|
||||
{{- if $dindContext.image }}
|
||||
dindImage: {{ include (printf "%s.image.name" $cfCommonTplSemver ) (dict "image" $dindContext.image "context" .) | squote }}
|
||||
{{- end }}
|
||||
imagePullPolicy: {{ $dindContext.image.pullPolicy }}
|
||||
{{- with $dindContext.userAccess }}
|
||||
userAccess: {{ . }}
|
||||
{{- end }}
|
||||
{{- with $dindContext.env }}
|
||||
envVars:
|
||||
{{- range $key, $val := . }}
|
||||
{{- if or (kindIs "bool" $val) (kindIs "int" $val) (kindIs "float64" $val) }}
|
||||
{{ $key }}: {{ $val | squote }}
|
||||
{{- else }}
|
||||
{{ $key }}: {{ $val }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
cluster:
|
||||
namespace: {{ .Release.Namespace }}
|
||||
serviceAccount: {{ $dindContext.serviceAccount }}
|
||||
{{- if .Values.runtime.agent }}
|
||||
clusterProvider:
|
||||
accountId: {{ .Values.global.accountId }}
|
||||
selector: {{ include "runtime.runtime-environment-spec.context-name" . }}
|
||||
{{- else }}
|
||||
{{- if .Values.runtime.inCluster }}
|
||||
inCluster: true
|
||||
kubeconfigFilePath: null
|
||||
{{- else }}
|
||||
name: {{ $name }}
|
||||
kubeconfigFilePath: {{ printf "/etc/kubeconfig/%s" $kubeconfigFilePath }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- with $dindContext.nodeSelector }}
|
||||
nodeSelector: {{- toYaml . | nindent 6 }}
|
||||
{{- end }}
|
||||
{{- with $dindContext.affinity }}
|
||||
affinity: {{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- with $dindContext.tolerations }}
|
||||
tolerations: {{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- with $dindContext.podAnnotations }}
|
||||
annotations:
|
||||
{{- range $key, $val := . }}
|
||||
{{ $key }}: {{ $val | squote }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- with $dindContext.podLabels }}
|
||||
labels: {{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- if $dindContext.schedulerName }}
|
||||
schedulerName: {{ $dindContext.schedulerName }}
|
||||
{{- end }}
|
||||
{{- if $dindContext.pvcs }}
|
||||
pvcs:
|
||||
{{- range $index, $pvc := $dindContext.pvcs }}
|
||||
- name: {{ $pvc.name }}
|
||||
reuseVolumeSelector: {{ $pvc.reuseVolumeSelector | squote }}
|
||||
reuseVolumeSortOrder: {{ $pvc.reuseVolumeSortOrder }}
|
||||
storageClassName: {{ include (printf "%v.tplrender" $cfCommonTplSemver) (dict "Values" $pvc.storageClassName "context" $) }}
|
||||
volumeSize: {{ $pvc.volumeSize }}
|
||||
{{- with $pvc.annotations }}
|
||||
annotations: {{ . | toYaml | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
defaultDindResources:
|
||||
{{- with $dindContext.resources }}
|
||||
{{- if not .requests }}
|
||||
limits: {{- toYaml .limits | nindent 6 }}
|
||||
requests: null
|
||||
{{- else }}
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- with $dindContext.terminationGracePeriodSeconds }}
|
||||
terminationGracePeriodSeconds: {{ . }}
|
||||
{{- end }}
|
||||
{{- with $dindContext.userVolumeMounts }}
|
||||
userVolumeMounts: {{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- with $dindContext.userVolumes }}
|
||||
userVolumes: {{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- if and (not .Values.runtime.agent) }}
|
||||
clientCertPath: /etc/ssl/cf/
|
||||
volumeMounts:
|
||||
codefresh-certs-server:
|
||||
name: codefresh-certs-server
|
||||
mountPath: /etc/ssl/cf
|
||||
readOnly: false
|
||||
volumes:
|
||||
codefresh-certs-server:
|
||||
name: codefresh-certs-server
|
||||
secret:
|
||||
secretName: codefresh-certs-server
|
||||
{{- end }}
|
||||
extends: {{- toYaml .Values.runtime.runtimeExtends | nindent 2 }}
|
||||
{{- if .Values.runtime.description }}
|
||||
description: {{ .Values.runtime.description }}
|
||||
{{- else }}
|
||||
description: null
|
||||
{{- end }}
|
||||
{{- if .Values.global.accountId }}
|
||||
accountId: {{ .Values.global.accountId }}
|
||||
{{- end }}
|
||||
{{- if not .Values.runtime.agent }}
|
||||
accounts: {{- toYaml .Values.runtime.accounts | nindent 2 }}
|
||||
{{- end }}
|
||||
{{- if .Values.appProxy.enabled }}
|
||||
appProxy:
|
||||
externalIP: >-
|
||||
{{ printf "https://%s%s" .Values.appProxy.ingress.host (.Values.appProxy.ingress.pathPrefix | default "/") }}
|
||||
{{- end }}
|
||||
{{- if not .Values.runtime.agent }}
|
||||
systemHybrid: true
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
|
@ -0,0 +1,11 @@
|
|||
{{- if and .Values.global.codefreshToken }}
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
type: Opaque
|
||||
metadata:
|
||||
name: {{ include "runtime.installation-token-secret-name" . }}
|
||||
labels:
|
||||
{{- include "runtime.labels" . | nindent 4 }}
|
||||
stringData:
|
||||
codefresh-api-token: {{ .Values.global.codefreshToken }}
|
||||
{{- end }}
|
||||
|
|
@ -0,0 +1,16 @@
|
|||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
labels:
|
||||
{{- include "runtime.labels" . | nindent 4 }}
|
||||
app: dind
|
||||
{{/* has to be a constant */}}
|
||||
name: dind
|
||||
spec:
|
||||
ports:
|
||||
- name: "dind-port"
|
||||
port: 1300
|
||||
protocol: TCP
|
||||
clusterIP: None
|
||||
selector:
|
||||
app: dind
|
||||
|
|
@ -0,0 +1,11 @@
|
|||
{{- $volumeProvisionerContext := deepCopy . }}
|
||||
{{- $_ := set $volumeProvisionerContext "Values" (get .Values.volumeProvisioner "dind-volume-cleanup") }}
|
||||
{{- $_ := set $volumeProvisionerContext.Values "serviceAccount" (get .Values.volumeProvisioner "serviceAccount") }}
|
||||
{{- $_ := set $volumeProvisionerContext.Values "global" (get .Values "global") }}
|
||||
{{- $_ := set $volumeProvisionerContext.Values "storage" (get .Values "storage") }}
|
||||
{{- $_ := set $volumeProvisionerContext.Values "nameOverride" (get .Values "nameOverride") }}
|
||||
{{- $_ := set $volumeProvisionerContext.Values "fullnameOverride" (get .Values "fullnameOverride") }}
|
||||
|
||||
{{- if and $volumeProvisionerContext.Values.enabled .Values.volumeProvisioner.enabled }}
|
||||
{{- include "dind-volume-provisioner.resources.cronjob" $volumeProvisionerContext }}
|
||||
{{- end }}
|
||||
|
|
@ -0,0 +1,11 @@
|
|||
{{- $volumeProvisionerContext := deepCopy . }}
|
||||
{{- $_ := set $volumeProvisionerContext "Values" (get .Values.volumeProvisioner "dind-lv-monitor") }}
|
||||
{{- $_ := set $volumeProvisionerContext.Values "serviceAccount" (get .Values.volumeProvisioner "serviceAccount") }}
|
||||
{{- $_ := set $volumeProvisionerContext.Values "global" (get .Values "global") }}
|
||||
{{- $_ := set $volumeProvisionerContext.Values "storage" (get .Values "storage") }}
|
||||
{{- $_ := set $volumeProvisionerContext.Values "nameOverride" (get .Values "nameOverride") }}
|
||||
{{- $_ := set $volumeProvisionerContext.Values "fullnameOverride" (get .Values "fullnameOverride") }}
|
||||
|
||||
{{- if and $volumeProvisionerContext.Values.enabled .Values.volumeProvisioner.enabled }}
|
||||
{{- include "dind-volume-provisioner.resources.daemonset" $volumeProvisionerContext }}
|
||||
{{- end }}
|
||||
|
|
@ -0,0 +1,10 @@
|
|||
{{- $volumeProvisionerContext := deepCopy . }}
|
||||
{{- $_ := set $volumeProvisionerContext "Values" (get .Values "volumeProvisioner") }}
|
||||
{{- $_ := set $volumeProvisionerContext.Values "global" (get .Values "global") }}
|
||||
{{- $_ := set $volumeProvisionerContext.Values "storage" (get .Values "storage") }}
|
||||
{{- $_ := set $volumeProvisionerContext.Values "nameOverride" (get .Values "nameOverride") }}
|
||||
{{- $_ := set $volumeProvisionerContext.Values "fullnameOverride" (get .Values "fullnameOverride") }}
|
||||
|
||||
{{- if $volumeProvisionerContext.Values.enabled }}
|
||||
{{- include "dind-volume-provisioner.resources.deployment" $volumeProvisionerContext }}
|
||||
{{- end }}
|
||||
|
|
@ -0,0 +1,9 @@
|
|||
{{- $volumeProvisionerContext := deepCopy . }}
|
||||
{{- $_ := set $volumeProvisionerContext "Values" (get .Values "volumeProvisioner") }}
|
||||
{{- $_ := set $volumeProvisionerContext.Values "global" (get .Values "global") }}
|
||||
{{- $_ := set $volumeProvisionerContext.Values "nameOverride" (get .Values "nameOverride") }}
|
||||
{{- $_ := set $volumeProvisionerContext.Values "fullnameOverride" (get .Values "fullnameOverride") }}
|
||||
|
||||
{{- if $volumeProvisionerContext.Values.enabled }}
|
||||
{{- include "dind-volume-provisioner.resources.rbac" $volumeProvisionerContext }}
|
||||
{{- end }}
|
||||
|
|
@ -0,0 +1,10 @@
|
|||
{{- $volumeProvisionerContext := deepCopy . }}
|
||||
{{- $_ := set $volumeProvisionerContext "Values" (get .Values "volumeProvisioner") }}
|
||||
{{- $_ := set $volumeProvisionerContext.Values "global" (get .Values "global") }}
|
||||
{{- $_ := set $volumeProvisionerContext.Values "storage" (get .Values "storage") }}
|
||||
{{- $_ := set $volumeProvisionerContext.Values "nameOverride" (get .Values "nameOverride") }}
|
||||
{{- $_ := set $volumeProvisionerContext.Values "fullnameOverride" (get .Values "fullnameOverride") }}
|
||||
|
||||
{{- if $volumeProvisionerContext.Values.enabled }}
|
||||
{{- include "dind-volume-provisioner.resources.secret" $volumeProvisionerContext }}
|
||||
{{- end }}
|
||||
|
|
@ -0,0 +1,10 @@
|
|||
{{- $volumeProvisionerContext := deepCopy . }}
|
||||
{{- $_ := set $volumeProvisionerContext "Values" (get .Values "volumeProvisioner") }}
|
||||
{{- $_ := set $volumeProvisionerContext.Values "global" (get .Values "global") }}
|
||||
{{- $_ := set $volumeProvisionerContext.Values "storage" (get .Values "storage") }}
|
||||
{{- $_ := set $volumeProvisionerContext.Values "nameOverride" (get .Values "nameOverride") }}
|
||||
{{- $_ := set $volumeProvisionerContext.Values "fullnameOverride" (get .Values "fullnameOverride") }}
|
||||
|
||||
{{- if $volumeProvisionerContext.Values.enabled }}
|
||||
{{- include "dind-volume-provisioner.resources.storageclass" $volumeProvisionerContext }}
|
||||
{{- end }}
|
||||
|
|
@ -0,0 +1,947 @@
|
|||
# -- String to partially override cf-runtime.fullname template (will maintain the release name)
|
||||
nameOverride: ""
|
||||
# -- String to fully override cf-runtime.fullname template
|
||||
fullnameOverride: ""
|
||||
|
||||
# -- Global parameters
|
||||
# @default -- See below
|
||||
global:
|
||||
# -- Global Docker image registry
|
||||
imageRegistry: ""
|
||||
# -- Global Docker registry secret names as array
|
||||
imagePullSecrets: []
|
||||
|
||||
# -- URL of Codefresh Platform (required!)
|
||||
codefreshHost: "https://g.codefresh.io"
|
||||
# -- User token in plain text (required if `global.codefreshTokenSecretKeyRef` is omitted!)
|
||||
# Ref: https://g.codefresh.io/user/settings (see API Keys)
|
||||
# Minimal API key scopes: Runner-Installation(read+write), Agent(read+write), Agents(read+write)
|
||||
codefreshToken: ""
|
||||
# -- User token that references an existing secret containing API key (required if `global.codefreshToken` is omitted!)
|
||||
codefreshTokenSecretKeyRef: {}
|
||||
|
||||
# E.g.
|
||||
# codefreshTokenSecretKeyRef:
|
||||
# name: my-codefresh-api-token
|
||||
# key: codefresh-api-token
|
||||
|
||||
# -- Account ID (required!)
|
||||
# Can be obtained here https://g.codefresh.io/2.0/account-settings/account-information
|
||||
accountId: ""
|
||||
|
||||
# -- K8s context name (required!)
|
||||
context: ""
|
||||
# E.g.
|
||||
# context: prod-ue1-runtime-1
|
||||
|
||||
# -- Agent Name (optional!)
|
||||
# If omitted, the following format will be used `{{ .Values.global.context }}_{{ .Release.Namespace }}`
|
||||
agentName: ""
|
||||
# E.g.
|
||||
# agentName: prod-ue1-runtime-1
|
||||
|
||||
# -- Runtime name (optional!)
|
||||
# If omitted, the following format will be used `{{ .Values.global.context }}/{{ .Release.Namespace }}`
|
||||
runtimeName: ""
|
||||
# E.g.
|
||||
# runtimeName: prod-ue1-runtime-1/namespace
|
||||
|
||||
# -- DEPRECATED Agent token in plain text.
|
||||
# !!! MUST BE provided if migrating from < 6.x chart version
|
||||
agentToken: ""
|
||||
# -- DEPRECATED Agent token that references an existing secret containing API key.
|
||||
# !!! MUST BE provided if migrating from < 6.x chart version
|
||||
agentTokenSecretKeyRef: {}
|
||||
# E.g.
|
||||
# agentTokenSecretKeyRef:
|
||||
# name: my-codefresh-agent-secret
|
||||
# key: codefresh-agent-token
|
||||
|
||||
# DEPRECATED -- Use `.Values.global.imageRegistry` instead
|
||||
dockerRegistry: ""
|
||||
|
||||
# DEPRECATED -- Use `.Values.runtime` instead
|
||||
re: {}
|
||||
|
||||
# -- Runner parameters
|
||||
# @default -- See below
|
||||
runner:
|
||||
# -- Enable the runner
|
||||
enabled: true
|
||||
# -- Set number of pods
|
||||
replicasCount: 1
|
||||
# -- Upgrade strategy
|
||||
updateStrategy:
|
||||
type: RollingUpdate
|
||||
# -- Set pod annotations
|
||||
podAnnotations: {}
|
||||
|
||||
# -- Set image
|
||||
image:
|
||||
registry: quay.io
|
||||
repository: codefresh/venona
|
||||
tag: 1.10.2
|
||||
|
||||
# -- Init container
|
||||
init:
|
||||
image:
|
||||
registry: quay.io
|
||||
repository: codefresh/cli
|
||||
tag: 0.85.0-rootless
|
||||
|
||||
resources:
|
||||
limits:
|
||||
memory: 512Mi
|
||||
cpu: '1'
|
||||
requests:
|
||||
memory: 256Mi
|
||||
cpu: '0.2'
|
||||
|
||||
# -- Sidecar container
|
||||
# Reconciles runtime spec from Codefresh API for drift detection
|
||||
sidecar:
|
||||
enabled: false
|
||||
image:
|
||||
registry: quay.io
|
||||
repository: codefresh/codefresh-shell
|
||||
tag: 0.0.2
|
||||
env:
|
||||
RECONCILE_INTERVAL: 300
|
||||
resources: {}
|
||||
|
||||
# -- Add additional env vars
|
||||
env: {}
|
||||
# E.g.
|
||||
# env:
|
||||
# WORKFLOW_CONCURRENCY: 50 # The number of workflow creation and termination tasks the Runner can handle in parallel. Defaults to 50
|
||||
|
||||
# -- Service Account parameters
|
||||
serviceAccount:
|
||||
# -- Create service account
|
||||
create: true
|
||||
# -- Override service account name
|
||||
name: ""
|
||||
# -- Additional service account annotations
|
||||
annotations: {}
|
||||
|
||||
# -- RBAC parameters
|
||||
rbac:
|
||||
# -- Create RBAC resources
|
||||
create: true
|
||||
# -- Add custom rule to the role
|
||||
rules: []
|
||||
|
||||
# -- Set security context for the pod
|
||||
# @default -- See below
|
||||
podSecurityContext:
|
||||
enabled: true
|
||||
runAsUser: 10001
|
||||
runAsGroup: 10001
|
||||
fsGroup: 10001
|
||||
|
||||
# -- Readiness probe configuration
|
||||
# @default -- See below
|
||||
readinessProbe:
|
||||
failureThreshold: 5
|
||||
initialDelaySeconds: 5
|
||||
periodSeconds: 5
|
||||
successThreshold: 1
|
||||
timeoutSeconds: 5
|
||||
|
||||
# -- Set requests and limits
|
||||
resources: {}
|
||||
# -- Set node selector
|
||||
nodeSelector: {}
|
||||
# -- Set tolerations
|
||||
tolerations: []
|
||||
# -- Set affinity
|
||||
affinity: {}
|
||||
|
||||
# -- Volume Provisioner parameters
|
||||
# @default -- See below
|
||||
volumeProvisioner:
|
||||
# -- Enable volume-provisioner
|
||||
enabled: true
|
||||
# -- Set number of pods
|
||||
replicasCount: 1
|
||||
# -- Upgrade strategy
|
||||
updateStrategy:
|
||||
type: Recreate
|
||||
# -- Set pod annotations
|
||||
podAnnotations: {}
|
||||
|
||||
# -- Set image
|
||||
image:
|
||||
registry: quay.io
|
||||
repository: codefresh/dind-volume-provisioner
|
||||
tag: 1.35.0
|
||||
# -- Add additional env vars
|
||||
env: {}
|
||||
# E.g.
|
||||
# env:
|
||||
# THREADINESS: 4 # The number of PVC requests the dind-volume-provisioner can process in parallel. Defaults to 4
|
||||
|
||||
# -- Service Account parameters
|
||||
serviceAccount:
|
||||
# -- Create service account
|
||||
create: true
|
||||
# -- Override service account name
|
||||
name: ""
|
||||
# -- Additional service account annotations
|
||||
annotations: {}
|
||||
# E.g.
|
||||
# serviceAccount:
|
||||
# annotations:
|
||||
# eks.amazonaws.com/role-arn: "arn:aws:iam::<ACCOUNT_ID>:role/<IAM_ROLE_NAME>"
|
||||
|
||||
# -- RBAC parameters
|
||||
rbac:
|
||||
# -- Create RBAC resources
|
||||
create: true
|
||||
# -- Add custom rule to the role
|
||||
rules: []
|
||||
|
||||
# -- Set security context for the pod
|
||||
# @default -- See below
|
||||
podSecurityContext:
|
||||
enabled: true
|
||||
runAsUser: 3000
|
||||
runAsGroup: 3000
|
||||
fsGroup: 3000
|
||||
|
||||
# -- Set node selector
|
||||
nodeSelector: {}
|
||||
# -- Set resources
|
||||
resources: {}
|
||||
# -- Set tolerations
|
||||
tolerations: []
|
||||
# -- Set affinity
|
||||
affinity: {}
|
||||
|
||||
# -- `dind-lv-monitor` DaemonSet parameters
|
||||
# (local volumes cleaner)
|
||||
# @default -- See below
|
||||
dind-lv-monitor:
|
||||
enabled: true
|
||||
image:
|
||||
registry: quay.io
|
||||
repository: codefresh/dind-volume-utils
|
||||
tag: 1.29.4
|
||||
podAnnotations: {}
|
||||
podSecurityContext:
|
||||
enabled: true
|
||||
runAsUser: 1000
|
||||
fsGroup: 1000
|
||||
containerSecurityContext: {}
|
||||
env: {}
|
||||
resources: {}
|
||||
nodeSelector: {}
|
||||
tolerations:
|
||||
- key: 'codefresh/dind'
|
||||
operator: 'Exists'
|
||||
effect: 'NoSchedule'
|
||||
volumePermissions:
|
||||
enabled: true
|
||||
image:
|
||||
registry: docker.io
|
||||
repository: alpine
|
||||
tag: 3.18
|
||||
resources: {}
|
||||
securityContext:
|
||||
runAsUser: 0 # auto
|
||||
|
||||
# `dind-volume-cleanup` CronJob parameters
|
||||
# (external volumes cleaner)
|
||||
# @default -- See below
|
||||
dind-volume-cleanup:
|
||||
enabled: true
|
||||
image:
|
||||
registry: quay.io
|
||||
repository: codefresh/dind-volume-cleanup
|
||||
tag: 1.2.0
|
||||
env: {}
|
||||
concurrencyPolicy: Forbid
|
||||
schedule: "*/10 * * * *"
|
||||
successfulJobsHistory: 3
|
||||
failedJobsHistory: 1
|
||||
suspend: false
|
||||
podAnnotations: {}
|
||||
podSecurityContext:
|
||||
enabled: true
|
||||
fsGroup: 3000
|
||||
runAsGroup: 3000
|
||||
runAsUser: 3000
|
||||
nodeSelector: {}
|
||||
affinity: {}
|
||||
tolerations: []
|
||||
|
||||
# Storage parameters for volume-provisioner
|
||||
# @default -- See below
|
||||
storage:
|
||||
# -- Set backend volume type (`local`/`ebs`/`ebs-csi`/`gcedisk`/`azuredisk`)
|
||||
backend: local
|
||||
# -- Set filesystem type (`ext4`/`xfs`)
|
||||
fsType: "ext4"
|
||||
|
||||
# Storage parametrs example for local volumes on the K8S nodes filesystem (i.e. `storage.backend=local`)
|
||||
# https://kubernetes.io/docs/concepts/storage/volumes/#local
|
||||
# @default -- See below
|
||||
local:
|
||||
# -- Set volume path on the host filesystem
|
||||
volumeParentDir: /var/lib/codefresh/dind-volumes
|
||||
|
||||
# Storage parameters example for aws ebs disks (i.e. `storage.backend=ebs`/`storage.backend=ebs-csi`)
|
||||
# https://aws.amazon.com/ebs/
|
||||
# https://codefresh.io/docs/docs/installation/codefresh-runner/#aws-backend-volume-configuration
|
||||
# @default -- See below
|
||||
ebs:
|
||||
# -- Set EBS volume type (`gp2`/`gp3`/`io1`) (required)
|
||||
volumeType: "gp2"
|
||||
# -- Set EBS volumes availability zone (required)
|
||||
availabilityZone: "us-east-1a"
|
||||
# -- Enable encryption (optional)
|
||||
encrypted: "false"
|
||||
# -- Set KMS encryption key ID (optional)
|
||||
kmsKeyId: ""
|
||||
|
||||
# -- Set AWS_ACCESS_KEY_ID for volume-provisioner (optional)
|
||||
# Ref: https://codefresh.io/docs/docs/installation/codefresh-runner/#dind-volume-provisioner-permissions
|
||||
accessKeyId: ""
|
||||
# -- Existing secret containing AWS_ACCESS_KEY_ID.
|
||||
accessKeyIdSecretKeyRef: {}
|
||||
# E.g.
|
||||
# accessKeyIdSecretKeyRef:
|
||||
# name:
|
||||
# key:
|
||||
|
||||
# -- Set AWS_SECRET_ACCESS_KEY for volume-provisioner (optional)
|
||||
# Ref: https://codefresh.io/docs/docs/installation/codefresh-runner/#dind-volume-provisioner-permissions
|
||||
secretAccessKey: ""
|
||||
# -- Existing secret containing AWS_SECRET_ACCESS_KEY
|
||||
secretAccessKeySecretKeyRef: {}
|
||||
# E.g.
|
||||
# secretAccessKeySecretKeyRef:
|
||||
# name:
|
||||
# key:
|
||||
|
||||
# E.g.
|
||||
# ebs:
|
||||
# volumeType: gp3
|
||||
# availabilityZone: us-east-1c
|
||||
# encrypted: false
|
||||
# iops: "5000"
|
||||
# # I/O operations per second. Only effetive when gp3 volume type is specified.
|
||||
# # Default value - 3000.
|
||||
# # Max - 16,000
|
||||
# throughput: "500"
|
||||
# # Throughput in MiB/s. Only effective when gp3 volume type is specified.
|
||||
# # Default value - 125.
|
||||
# # Max - 1000.
|
||||
# ebs:
|
||||
# volumeType: gp2
|
||||
# availabilityZone: us-east-1c
|
||||
# encrypted: true
|
||||
# kmsKeyId: "1234abcd-12ab-34cd-56ef-1234567890ab"
|
||||
# accessKeyId: "MYKEYID"
|
||||
# secretAccessKey: "MYACCESSKEY"
|
||||
|
||||
# Storage parameters example for gce disks
|
||||
# https://cloud.google.com/compute/docs/disks#pdspecs
|
||||
# https://codefresh.io/docs/docs/installation/codefresh-runner/#gke-google-kubernetes-engine-backend-volume-configuration
|
||||
# @default -- See below
|
||||
gcedisk:
|
||||
# -- Set GCP volume backend type (`pd-ssd`/`pd-standard`)
|
||||
volumeType: "pd-ssd"
|
||||
# -- Set GCP volume availability zone
|
||||
availabilityZone: "us-west1-a"
|
||||
# -- Set Google SA JSON key for volume-provisioner (optional)
|
||||
serviceAccountJson: ""
|
||||
# -- Existing secret containing containing Google SA JSON key for volume-provisioner (optional)
|
||||
serviceAccountJsonSecretKeyRef: {}
|
||||
# E.g.
|
||||
# gcedisk:
|
||||
# volumeType: pd-ssd
|
||||
# availabilityZone: us-central1-c
|
||||
# serviceAccountJson: |-
|
||||
# {
|
||||
# "type": "service_account",
|
||||
# "project_id": "...",
|
||||
# "private_key_id": "...",
|
||||
# "private_key": "...",
|
||||
# "client_email": "...",
|
||||
# "client_id": "...",
|
||||
# "auth_uri": "...",
|
||||
# "token_uri": "...",
|
||||
# "auth_provider_x509_cert_url": "...",
|
||||
# "client_x509_cert_url": "..."
|
||||
# }
|
||||
|
||||
# Storage parameters example for Azure Disks
|
||||
# https://codefresh.io/docs/docs/installation/codefresh-runner/#install-codefresh-runner-on-azure-kubernetes-service-aks
|
||||
# @default -- See below
|
||||
azuredisk:
|
||||
# -- Set storage type (`Premium_LRS`)
|
||||
skuName: Premium_LRS
|
||||
cachingMode: None
|
||||
# availabilityZone: northeurope-1
|
||||
# resourceGroup:
|
||||
# DiskIOPSReadWrite: 500
|
||||
# DiskMBpsReadWrite: 100
|
||||
|
||||
mountAzureJson: false
|
||||
|
||||
# -- Set runtime parameters
|
||||
# @default -- See below
|
||||
|
||||
runtime:
|
||||
# -- Set annotation on engine Service Account
|
||||
# Ref: https://codefresh.io/docs/docs/administration/codefresh-runner/#injecting-aws-arn-roles-into-the-cluster
|
||||
serviceAccount:
|
||||
create: true
|
||||
annotations: {}
|
||||
# E.g.
|
||||
# serviceAccount:
|
||||
# annotations:
|
||||
# eks.amazonaws.com/role-arn: "arn:aws:iam::<ACCOUNT_ID>:role/<IAM_ROLE_NAME>"
|
||||
|
||||
# -- Set parent runtime to inherit.
|
||||
# Should not be changes. Parent runtime is controlled from Codefresh side.
|
||||
runtimeExtends:
|
||||
- system/default/hybrid/k8s_low_limits
|
||||
# -- Runtime description
|
||||
description: ""
|
||||
|
||||
# -- RBAC parameters
|
||||
rbac:
|
||||
# -- Create RBAC resources
|
||||
create: true
|
||||
# -- Add custom rule to the engine role
|
||||
rules: []
|
||||
|
||||
# -- (for On-Premise only) Enable agent
|
||||
agent: true
|
||||
# -- (for On-Premise only) Set inCluster runtime
|
||||
inCluster: true
|
||||
# -- (for On-Premise only) Assign accounts to runtime (list of account ids)
|
||||
accounts: []
|
||||
|
||||
# -- Parameters for DinD (docker-in-docker) pod (aka "runtime" pod).
|
||||
dind:
|
||||
# -- Set dind image.
|
||||
image:
|
||||
registry: quay.io
|
||||
repository: codefresh/dind
|
||||
tag: 26.1.4-1.28.7 # use `latest-rootless/rootless/26.1.4-1.28.7-rootless` tags for rootless-dind
|
||||
pullPolicy: IfNotPresent
|
||||
# -- Set dind resources.
|
||||
resources:
|
||||
requests: null
|
||||
limits:
|
||||
cpu: 400m
|
||||
memory: 800Mi
|
||||
# -- PV claim spec parametes.
|
||||
pvcs:
|
||||
# -- Default dind PVC parameters
|
||||
dind:
|
||||
# -- PVC name prefix.
|
||||
# Keep `dind` as default! Don't change!
|
||||
name: dind
|
||||
# -- PVC storage class name.
|
||||
# Change ONLY if you need to use storage class NOT from Codefresh volume-provisioner
|
||||
storageClassName: '{{ include "dind-volume-provisioner.storageClassName" . }}'
|
||||
# -- PVC size.
|
||||
volumeSize: 16Gi
|
||||
# -- PV reuse selector.
|
||||
# Ref: https://codefresh.io/docs/docs/installation/codefresh-runner/#volume-reuse-policy
|
||||
reuseVolumeSelector: codefresh-app,io.codefresh.accountName
|
||||
reuseVolumeSortOrder: pipeline_id
|
||||
# -- PV annotations.
|
||||
annotations: {}
|
||||
# E.g.:
|
||||
# annotations:
|
||||
# codefresh.io/volume-retention: 7d
|
||||
# -- Set additional env vars.
|
||||
env:
|
||||
DOCKER_ENABLE_DEPRECATED_PULL_SCHEMA_1_IMAGE: true
|
||||
# -- Set pod annotations.
|
||||
podAnnotations: {}
|
||||
# -- Set pod labels.
|
||||
podLabels: {}
|
||||
# -- Set node selector.
|
||||
nodeSelector: {}
|
||||
# -- Set affinity
|
||||
affinity: {}
|
||||
# -- Set tolerations.
|
||||
tolerations: []
|
||||
# -- Set scheduler name.
|
||||
schedulerName: ""
|
||||
# -- Set service account for pod.
|
||||
serviceAccount: codefresh-engine
|
||||
# -- Keep `true` as default!
|
||||
userAccess: true
|
||||
# -- Add extra volumes
|
||||
userVolumes: {}
|
||||
# E.g.:
|
||||
# userVolumes:
|
||||
# regctl-docker-registry:
|
||||
# name: regctl-docker-registry
|
||||
# secret:
|
||||
# items:
|
||||
# - key: .dockerconfigjson
|
||||
# path: config.json
|
||||
# secretName: regctl-docker-registry
|
||||
# optional: true
|
||||
# -- Add extra volume mounts
|
||||
userVolumeMounts: {}
|
||||
# E.g.:
|
||||
# userVolumeMounts:
|
||||
# regctl-docker-registry:
|
||||
# name: regctl-docker-registry
|
||||
# mountPath: /home/appuser/.docker/
|
||||
# readOnly: true
|
||||
|
||||
# -- Parameters for Engine pod (aka "pipeline" orchestrator).
|
||||
engine:
|
||||
# -- Set image.
|
||||
image:
|
||||
registry: quay.io
|
||||
repository: codefresh/engine
|
||||
tag: 1.174.7
|
||||
pullPolicy: IfNotPresent
|
||||
# -- Set container command.
|
||||
command:
|
||||
- npm
|
||||
- run
|
||||
- start
|
||||
# -- Set resources.
|
||||
resources:
|
||||
requests:
|
||||
cpu: 100m
|
||||
memory: 128Mi
|
||||
limits:
|
||||
cpu: 1000m
|
||||
memory: 2048Mi
|
||||
# -- Set system(base) runtime images.
|
||||
# @default -- See below.
|
||||
runtimeImages:
|
||||
COMPOSE_IMAGE: quay.io/codefresh/compose:v2.28.1-1.5.0
|
||||
CONTAINER_LOGGER_IMAGE: quay.io/codefresh/cf-container-logger:1.11.6
|
||||
DOCKER_BUILDER_IMAGE: quay.io/codefresh/cf-docker-builder:1.3.13
|
||||
DOCKER_PULLER_IMAGE: quay.io/codefresh/cf-docker-puller:8.0.17
|
||||
DOCKER_PUSHER_IMAGE: quay.io/codefresh/cf-docker-pusher:6.0.16
|
||||
DOCKER_TAG_PUSHER_IMAGE: quay.io/codefresh/cf-docker-tag-pusher:1.3.14
|
||||
FS_OPS_IMAGE: quay.io/codefresh/fs-ops:1.2.3
|
||||
GIT_CLONE_IMAGE: quay.io/codefresh/cf-git-cloner:10.1.28
|
||||
KUBE_DEPLOY: quay.io/codefresh/cf-deploy-kubernetes:16.1.11
|
||||
PIPELINE_DEBUGGER_IMAGE: quay.io/codefresh/cf-debugger:1.3.0
|
||||
TEMPLATE_ENGINE: quay.io/codefresh/pikolo:0.14.1
|
||||
CR_6177_FIXER: 'quay.io/codefresh/alpine:edge'
|
||||
GC_BUILDER_IMAGE: 'quay.io/codefresh/cf-gc-builder:0.5.3'
|
||||
COSIGN_IMAGE_SIGNER_IMAGE: 'quay.io/codefresh/cf-cosign-image-signer:2.4.0-cf.1'
|
||||
# -- Set additional env vars.
|
||||
env:
|
||||
# -- Interval to check the exec status in the container-logger
|
||||
CONTAINER_LOGGER_EXEC_CHECK_INTERVAL_MS: 1000
|
||||
# -- Timeout while doing requests to the Docker daemon
|
||||
DOCKER_REQUEST_TIMEOUT_MS: 30000
|
||||
# -- If "true", composition images will be pulled sequentially
|
||||
FORCE_COMPOSE_SERIAL_PULL: false
|
||||
# -- Level of logging for engine
|
||||
LOGGER_LEVEL: debug
|
||||
# -- Enable debug-level logging of outgoing HTTP/HTTPS requests
|
||||
LOG_OUTGOING_HTTP_REQUESTS: false
|
||||
# -- Enable emitting metrics from engine
|
||||
METRICS_PROMETHEUS_ENABLED: true
|
||||
# -- Enable legacy metrics
|
||||
METRICS_PROMETHEUS_ENABLE_LEGACY_METRICS: false
|
||||
# -- Enable collecting process metrics
|
||||
METRICS_PROMETHEUS_COLLECT_PROCESS_METRICS: false
|
||||
# -- Host for Prometheus metrics server
|
||||
METRICS_PROMETHEUS_HOST: '0.0.0.0'
|
||||
# -- Port for Prometheus metrics server
|
||||
METRICS_PROMETHEUS_PORT: 9100
|
||||
# -- Set workflow limits.
|
||||
workflowLimits:
|
||||
# -- Maximum time allowed to the engine to wait for the pre-steps (aka "Initializing Process") to succeed; seconds.
|
||||
MAXIMUM_ALLOWED_TIME_BEFORE_PRE_STEPS_SUCCESS: 600
|
||||
# -- Maximum time for workflow execution; seconds.
|
||||
MAXIMUM_ALLOWED_WORKFLOW_AGE_BEFORE_TERMINATION: 86400
|
||||
# -- Maximum time allowed to workflow to spend in "elected" state; seconds.
|
||||
MAXIMUM_ELECTED_STATE_AGE_ALLOWED: 900
|
||||
# -- Maximum retry attempts allowed for workflow.
|
||||
MAXIMUM_RETRY_ATTEMPTS_ALLOWED: 20
|
||||
# -- Maximum time allowed to workflow to spend in "terminating" state until force terminated; seconds.
|
||||
MAXIMUM_TERMINATING_STATE_AGE_ALLOWED: 900
|
||||
# -- Maximum time allowed to workflow to spend in "terminating" state without logs activity until force terminated; seconds.
|
||||
MAXIMUM_TERMINATING_STATE_AGE_ALLOWED_WITHOUT_UPDATE: 300
|
||||
# -- Time since the last health check report after which workflow is terminated; seconds.
|
||||
TIME_ENGINE_INACTIVE_UNTIL_TERMINATION: 300
|
||||
# -- Time since the last health check report after which the engine is considered unhealthy; seconds.
|
||||
TIME_ENGINE_INACTIVE_UNTIL_UNHEALTHY: 60
|
||||
# -- Time since the last workflow logs activity after which workflow is terminated; seconds.
|
||||
TIME_INACTIVE_UNTIL_TERMINATION: 2700
|
||||
# -- Set pod annotations.
|
||||
podAnnotations: {}
|
||||
# -- Set pod labels.
|
||||
podLabels: {}
|
||||
# -- Set node selector.
|
||||
nodeSelector: {}
|
||||
# -- Set affinity
|
||||
affinity: {}
|
||||
# -- Set tolerations.
|
||||
tolerations: []
|
||||
# -- Set scheduler name.
|
||||
schedulerName: ""
|
||||
# -- Set service account for pod.
|
||||
serviceAccount: codefresh-engine
|
||||
# -- Set extra env vars
|
||||
userEnvVars: []
|
||||
# E.g.
|
||||
# userEnvVars:
|
||||
# - name: GITHUB_TOKEN
|
||||
# valueFrom:
|
||||
# secretKeyRef:
|
||||
# name: github-token
|
||||
# key: token
|
||||
|
||||
# -- Parameters for `runtime-patch` post-upgrade/install hook
|
||||
# @default -- See below
|
||||
patch:
|
||||
enabled: true
|
||||
image:
|
||||
registry: quay.io
|
||||
repository: codefresh/cli
|
||||
tag: 0.85.0-rootless
|
||||
rbac:
|
||||
enabled: true
|
||||
annotations: {}
|
||||
affinity: {}
|
||||
nodeSelector: {}
|
||||
podSecurityContext: {}
|
||||
resources: {}
|
||||
tolerations: []
|
||||
ttlSecondsAfterFinished: 180
|
||||
env:
|
||||
HOME: /tmp
|
||||
|
||||
# -- Parameters for `gencerts-dind` post-upgrade/install hook
|
||||
# @default -- See below
|
||||
gencerts:
|
||||
enabled: true
|
||||
image:
|
||||
registry: quay.io
|
||||
repository: codefresh/kubectl
|
||||
tag: 1.28.4
|
||||
rbac:
|
||||
enabled: true
|
||||
annotations: {}
|
||||
affinity: {}
|
||||
nodeSelector: {}
|
||||
podSecurityContext: {}
|
||||
resources: {}
|
||||
tolerations: []
|
||||
ttlSecondsAfterFinished: 180
|
||||
|
||||
# -- DinD pod daemon config
|
||||
# @default -- See below
|
||||
dindDaemon:
|
||||
hosts:
|
||||
- unix:///var/run/docker.sock
|
||||
- tcp://0.0.0.0:1300
|
||||
tlsverify: true
|
||||
tls: true
|
||||
tlscacert: /etc/ssl/cf-client/ca.pem
|
||||
tlscert: /etc/ssl/cf/server-cert.pem
|
||||
tlskey: /etc/ssl/cf/server-key.pem
|
||||
insecure-registries:
|
||||
- 192.168.99.100:5000
|
||||
metrics-addr: 0.0.0.0:9323
|
||||
experimental: true
|
||||
|
||||
# App-Proxy parameters
|
||||
# Ref: https://codefresh.io/docs/docs/installation/codefresh-runner/#app-proxy-installation
|
||||
# @default -- See below
|
||||
appProxy:
|
||||
# -- Enable app-proxy
|
||||
enabled: false
|
||||
# -- Set number of pods
|
||||
replicasCount: 1
|
||||
# -- Upgrade strategy
|
||||
updateStrategy:
|
||||
type: RollingUpdate
|
||||
# -- Set pod annotations
|
||||
podAnnotations: {}
|
||||
|
||||
# -- Set image
|
||||
image:
|
||||
registry: quay.io
|
||||
repository: codefresh/cf-app-proxy
|
||||
tag: 0.0.47
|
||||
# -- Add additional env vars
|
||||
env: {}
|
||||
|
||||
# Set app-proxy ingress parameters
|
||||
# @default -- See below
|
||||
ingress:
|
||||
# -- Set path prefix for ingress (keep empty for default `/` path)
|
||||
pathPrefix: ""
|
||||
# -- Set ingress class
|
||||
class: ""
|
||||
# -- Set DNS hostname the ingress will use
|
||||
host: ""
|
||||
# -- Set k8s tls secret for the ingress object
|
||||
tlsSecret: ""
|
||||
# -- Set extra annotations for ingress object
|
||||
annotations: {}
|
||||
# E.g.
|
||||
# ingress:
|
||||
# pathPrefix: "/cf-app-proxy"
|
||||
# class: "nginx"
|
||||
# host: "mydomain.com"
|
||||
# tlsSecret: "tls-cert-app-proxy"
|
||||
# annotations:
|
||||
# nginx.ingress.kubernetes.io/whitelist-source-range: 123.123.123.123/130
|
||||
|
||||
# -- Service Account parameters
|
||||
serviceAccount:
|
||||
# -- Create service account
|
||||
create: true
|
||||
# -- Override service account name
|
||||
name: ""
|
||||
# -- Use Role(true)/ClusterRole(true)
|
||||
namespaced: true
|
||||
# -- Additional service account annotations
|
||||
annotations: {}
|
||||
|
||||
# -- RBAC parameters
|
||||
rbac:
|
||||
# -- Create RBAC resources
|
||||
create: true
|
||||
# -- Use Role(true)/ClusterRole(true)
|
||||
namespaced: true
|
||||
# -- Add custom rule to the role
|
||||
rules: []
|
||||
|
||||
# -- Set security context for the pod
|
||||
podSecurityContext: {}
|
||||
|
||||
# -- Readiness probe configuration
|
||||
# @default -- See below
|
||||
readinessProbe:
|
||||
failureThreshold: 5
|
||||
initialDelaySeconds: 5
|
||||
periodSeconds: 5
|
||||
successThreshold: 1
|
||||
timeoutSeconds: 5
|
||||
|
||||
# -- Set requests and limits
|
||||
resources: {}
|
||||
# -- Set node selector
|
||||
nodeSelector: {}
|
||||
# -- Set tolerations
|
||||
tolerations: []
|
||||
# -- Set affinity
|
||||
affinity: {}
|
||||
|
||||
# Monitor parameters
|
||||
# @default -- See below
|
||||
monitor:
|
||||
# -- Enable monitor
|
||||
# Ref: https://codefresh.io/docs/docs/installation/codefresh-runner/#install-monitoring-component
|
||||
enabled: false
|
||||
|
||||
# -- Set number of pods
|
||||
replicasCount: 1
|
||||
# -- Upgrade strategy
|
||||
updateStrategy:
|
||||
type: RollingUpdate
|
||||
# -- Set pod annotations
|
||||
podAnnotations: {}
|
||||
|
||||
# -- Set image
|
||||
image:
|
||||
registry: quay.io
|
||||
repository: codefresh/cf-k8s-agent
|
||||
tag: 1.3.17
|
||||
# -- Add additional env vars
|
||||
env: {}
|
||||
|
||||
# -- Service Account parameters
|
||||
serviceAccount:
|
||||
# -- Create service account
|
||||
create: true
|
||||
# -- Override service account name
|
||||
name: ""
|
||||
# -- Additional service account annotations
|
||||
annotations: {}
|
||||
|
||||
# -- RBAC parameters
|
||||
rbac:
|
||||
# -- Create RBAC resources
|
||||
create: true
|
||||
# -- Use Role(true)/ClusterRole(true)
|
||||
namespaced: true
|
||||
# -- Add custom rule to the role
|
||||
rules: []
|
||||
|
||||
# -- Readiness probe configuration
|
||||
# @default -- See below
|
||||
readinessProbe:
|
||||
failureThreshold: 5
|
||||
initialDelaySeconds: 5
|
||||
periodSeconds: 5
|
||||
successThreshold: 1
|
||||
timeoutSeconds: 5
|
||||
|
||||
podSecurityContext: {}
|
||||
|
||||
# -- Set node selector
|
||||
nodeSelector: {}
|
||||
# -- Set resources
|
||||
resources: {}
|
||||
# -- Set tolerations
|
||||
tolerations: []
|
||||
# -- Set affinity
|
||||
affinity: {}
|
||||
|
||||
# -- Add serviceMonitor
|
||||
# @default -- See below
|
||||
serviceMonitor:
|
||||
main:
|
||||
# -- Enable service monitor for dind pods
|
||||
enabled: false
|
||||
nameOverride: dind
|
||||
selector:
|
||||
matchLabels:
|
||||
app: dind
|
||||
endpoints:
|
||||
- path: /metrics
|
||||
targetPort: 9100
|
||||
relabelings:
|
||||
- action: labelmap
|
||||
regex: __meta_kubernetes_pod_label_(.+)
|
||||
|
||||
# -- Add podMonitor (for engine pods)
|
||||
# @default -- See below
|
||||
podMonitor:
|
||||
main:
|
||||
# -- Enable pod monitor for engine pods
|
||||
enabled: false
|
||||
nameOverride: engine
|
||||
selector:
|
||||
matchLabels:
|
||||
app: runtime
|
||||
podMetricsEndpoints:
|
||||
- path: /metrics
|
||||
targetPort: 9100
|
||||
|
||||
runner:
|
||||
# -- Enable pod monitor for runner pod
|
||||
enabled: false
|
||||
nameOverride: runner
|
||||
selector:
|
||||
matchLabels:
|
||||
codefresh.io/application: runner
|
||||
podMetricsEndpoints:
|
||||
- path: /metrics
|
||||
targetPort: 8080
|
||||
|
||||
volume-provisioner:
|
||||
# -- Enable pod monitor for volumeProvisioner pod
|
||||
enabled: false
|
||||
nameOverride: volume-provisioner
|
||||
selector:
|
||||
matchLabels:
|
||||
codefresh.io/application: volume-provisioner
|
||||
podMetricsEndpoints:
|
||||
- path: /metrics
|
||||
targetPort: 8080
|
||||
|
||||
# -- Event exporter parameters
|
||||
# @default -- See below
|
||||
event-exporter:
|
||||
# -- Enable event-exporter
|
||||
enabled: false
|
||||
# -- Set number of pods
|
||||
replicasCount: 1
|
||||
# -- Upgrade strategy
|
||||
updateStrategy:
|
||||
type: Recreate
|
||||
# -- Set pod annotations
|
||||
podAnnotations: {}
|
||||
|
||||
# -- Set image
|
||||
image:
|
||||
registry: docker.io
|
||||
repository: codefresh/k8s-event-exporter
|
||||
tag: latest
|
||||
# -- Add additional env vars
|
||||
env: {}
|
||||
|
||||
# -- Service Account parameters
|
||||
serviceAccount:
|
||||
# -- Create service account
|
||||
create: true
|
||||
# -- Override service account name
|
||||
name: ""
|
||||
# -- Additional service account annotations
|
||||
annotations: {}
|
||||
|
||||
# -- RBAC parameters
|
||||
rbac:
|
||||
# -- Create RBAC resources
|
||||
create: true
|
||||
# -- Add custom rule to the role
|
||||
rules: []
|
||||
|
||||
# -- Set security context for the pod
|
||||
# @default -- See below
|
||||
podSecurityContext:
|
||||
enabled: false
|
||||
|
||||
# -- Set node selector
|
||||
nodeSelector: {}
|
||||
# -- Set resources
|
||||
resources: {}
|
||||
# -- Set tolerations
|
||||
tolerations: []
|
||||
# -- Set affinity
|
||||
affinity: {}
|
||||
|
||||
# -- Array of extra objects to deploy with the release
|
||||
extraResources: []
|
||||
# E.g.
|
||||
# extraResources:
|
||||
# - apiVersion: rbac.authorization.k8s.io/v1
|
||||
# kind: ClusterRole
|
||||
# metadata:
|
||||
# name: codefresh-role
|
||||
# rules:
|
||||
# - apiGroups: [ "*"]
|
||||
# resources: ["*"]
|
||||
# verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
|
||||
# - apiVersion: v1
|
||||
# kind: ServiceAccount
|
||||
# metadata:
|
||||
# name: codefresh-user
|
||||
# namespace: "{{ .Release.Namespace }}"
|
||||
# - apiVersion: rbac.authorization.k8s.io/v1
|
||||
# kind: ClusterRoleBinding
|
||||
# metadata:
|
||||
# name: codefresh-user
|
||||
# roleRef:
|
||||
# apiGroup: rbac.authorization.k8s.io
|
||||
# kind: ClusterRole
|
||||
# name: codefresh-role
|
||||
# subjects:
|
||||
# - kind: ServiceAccount
|
||||
# name: codefresh-user
|
||||
# namespace: "{{ .Release.Namespace }}"
|
||||
# - apiVersion: v1
|
||||
# kind: Secret
|
||||
# type: kubernetes.io/service-account-token
|
||||
# metadata:
|
||||
# name: codefresh-user-token
|
||||
# namespace: "{{ .Release.Namespace }}"
|
||||
# annotations:
|
||||
# kubernetes.io/service-account.name: "codefresh-user"
|
||||
|
|
@ -0,0 +1,21 @@
|
|||
# Patterns to ignore when building packages.
|
||||
# This supports shell glob matching, relative path matching, and
|
||||
# negation (prefixed with !). Only one pattern per line.
|
||||
.DS_Store
|
||||
# Common VCS dirs
|
||||
.git/
|
||||
.gitignore
|
||||
.bzr/
|
||||
.bzrignore
|
||||
.hg/
|
||||
.hgignore
|
||||
.svn/
|
||||
# Common backup files
|
||||
*.swp
|
||||
*.bak
|
||||
*.tmp
|
||||
*~
|
||||
# Various IDEs
|
||||
.project
|
||||
.idea/
|
||||
*.tmproj
|
||||
|
|
@ -0,0 +1,26 @@
|
|||
annotations:
|
||||
catalog.cattle.io/certified: partner
|
||||
catalog.cattle.io/display-name: F5 Container Ingress Services for Kubernetes and
|
||||
OpenShift
|
||||
catalog.cattle.io/kube-version: '>=1.20-0'
|
||||
catalog.cattle.io/release-name: f5-bigip-ctlr
|
||||
apiVersion: v1
|
||||
description: Deploy the F5 Networks BIG-IP Controller for Kubernetes and OpenShift
|
||||
(k8s-bigip-ctlr).
|
||||
home: https://www.f5.com/products/automation-and-orchestration/container-ingress-services
|
||||
icon: file://assets/icons/f5-bigip-ctlr.png
|
||||
keywords:
|
||||
- F5
|
||||
- BIG-IP
|
||||
- Containers
|
||||
- Kubernetes
|
||||
- OpenShift
|
||||
kubeVersion: '>=1.20-0'
|
||||
maintainers:
|
||||
- email: f5_cis_operators@f5.com
|
||||
name: F5CISSupport
|
||||
name: f5-bigip-ctlr
|
||||
sources:
|
||||
- https://github.com/F5Networks/k8s-bigip-ctlr
|
||||
- https://github.com/F5Networks/charts
|
||||
version: 0.0.3201
|
||||
|
|
@ -0,0 +1,93 @@
|
|||
# Helm Chart for the F5 Container Ingress Services
|
||||
|
||||
This chart simplifies repeatable, versioned deployment of the [Container Ingress Services](https://clouddocs.f5.com/containers/latest/).
|
||||
|
||||
### Prerequisites
|
||||
- Refer to [CIS Prerequisites](https://clouddocs.f5.com/containers/latest/userguide/cis-helm.html#prerequisites) to install Container Ingress Services on Kubernetes or Openshift
|
||||
- [Helm 3](https://helm.sh/docs/intro/) should be installed.
|
||||
|
||||
|
||||
## Installing CIS Using Helm Charts
|
||||
|
||||
This is the simplest way to install the CIS on OpenShift/Kubernetes cluster. Helm is a package manager for Kubernetes. Helm is Kubernetes version of yum or apt. Helm deploys something called charts, which you can think of as a packaged application. It is a collection of all your versioned, pre-configured application resources which can be deployed as one unit. This chart creates a Deployment for one Pod containing the [k8s-bigip-ctlr](https://clouddocs.f5.com/containers/latest/), it's supporting RBAC, Service Account and Custom Resources Definition installations.
|
||||
|
||||
## Installing the Chart
|
||||
|
||||
- (Optional) Add BIG-IP credentials as K8S secrets.
|
||||
|
||||
For Kubernetes, use the following command:
|
||||
|
||||
```kubectl create secret generic f5-bigip-ctlr-login -n kube-system --from-literal=username=admin --from-literal=password=<password>```
|
||||
|
||||
For OpenShift, use the following command:
|
||||
|
||||
```oc create secret generic f5-bigip-ctlr-login -n kube-system --from-literal=username=admin --from-literal=password=<password>```
|
||||
|
||||
- Add the CIS chart repository in Helm using following command:
|
||||
|
||||
```helm repo add f5-stable https://f5networks.github.io/charts/stable```
|
||||
|
||||
- Create values.yaml as shown in [examples](https://github.com/F5Networks/charts/tree/master/example_values/f5-bigip-ctlr):
|
||||
|
||||
- Install the Helm chart if BIGIP credential secrets created manually using the following command:
|
||||
|
||||
```helm install -f values.yaml <new-chart-name> f5-stable/f5-bigip-ctlr```
|
||||
|
||||
- Install the Helm chart with skip crds if BIGIP credential secrets created manually (without custom resource definitions installations)
|
||||
|
||||
```helm install --skip-crds -f values.yaml <new-chart-name> f5-stable/f5-bigip-ctlr```
|
||||
|
||||
- If you want to create the BIGIP credential secret with helm charts use the following command:
|
||||
|
||||
```helm install --set bigip_secret.create="true" --set bigip_secret.username=$BIGIP_USERNAME --set bigip_secret.password=$BIGIP_PASSWORD -f values.yaml <new-chart-name> f5-stable/f5-bigip-ctlr```
|
||||
|
||||
## Chart parameters:
|
||||
|
||||
Parameter | Required | Description | Default
|
||||
----------|-------------|-------------|--------
|
||||
bigip_login_secret | Optional | Secret that contains BIG-IP login credentials | f5-bigip-ctlr-login
|
||||
args.bigip_url | Required | The management IP for your BIG-IP device | **Required**, no default
|
||||
args.bigip_partition | Required | BIG-IP partition the CIS Controller will manage | f5-bigip-ctlr
|
||||
args.namespaces | Optional | List of Kubernetes namespaces which CIS will monitor | empty
|
||||
bigip_secret.create | Optional | Create kubernetes secret using username and password | false
|
||||
bigip_secret.username | Optional | bigip username to create the kubernetes secret | empty
|
||||
bigip_secret.password | Optional | bigip password to create the kubernetes secret | empty
|
||||
rbac.create | Optional | Create ClusterRole and ClusterRoleBinding | true
|
||||
serviceAccount.name | Optional | name of the ServiceAccount for CIS controller | f5-bigip-ctlr-serviceaccount
|
||||
serviceAccount.create | Optional | Create service account for the CIS controller | true
|
||||
namespace | Optional | name of namespace CIS will use to create deployment and other resources | kube-system
|
||||
image.user | Optional | CIS Controller image repository username | f5networks
|
||||
image.repo | Optional | CIS Controller image repository name | k8s-bigip-ctlr
|
||||
image.pullPolicy | Optional | CIS Controller image pull policy | Always
|
||||
image.pullSecrets | Optional | List of secrets of container registry to pull image | empty
|
||||
version | Optional | CIS Controller image tag | latest
|
||||
nodeSelector | Optional | dictionary of Node selector labels | empty
|
||||
tolerations | Optional | Array of labels | empty
|
||||
limits_cpu | Optional | CPU limits for the pod | 100m
|
||||
limits_memory | Optional | Memory limits for the pod | 512Mi
|
||||
requests_cpu | Optional | CPU request for the pod | 100m
|
||||
requests_memory | Optional | Memory request for the pod | 512Mi
|
||||
affinity | Optional | Dictionary of affinity | empty
|
||||
securityContext | Optional | Dictionary of deployment securityContext | empty
|
||||
podSecurityContext | Optional | Dictionary of pod securityContext | empty
|
||||
ingressClass.ingressClassName | Optional | Name of ingress class | f5
|
||||
ingressClass.isDefaultIngressController | Optional | CIS will monitor all the ingresses resource if set true | false
|
||||
ingressClass.create | Optional | Create ingress class | true
|
||||
|
||||
Note: bigip_login_secret and bigip_secret are mutually exclusive, if both are defined in values.yaml file bigip_secret will be given priority.
|
||||
|
||||
|
||||
See the CIS documentation for a full list of args supported for CIS [CIS Configuration Options](https://clouddocs.f5.com/containers/latest/userguide/config-parameters.html)
|
||||
|
||||
> **Note:** Helm value names cannot include the character `-` which is commonly used in the names of parameters passed to the controller. To accomodate Helm, the parameter names in `values.yaml` use `_` and then replace them with `-` when rendering.
|
||||
> e.g. `args.bigip_url` is rendered as `bigip-url` as required by the CIS Controller.
|
||||
|
||||
|
||||
If you have a specific use case for F5 products in the Kubernetes environment that would benefit from a curated chart, please [open an issue](https://github.com/F5Networks/charts/issues) describing your use case and providing example resources.
|
||||
|
||||
## Uninstalling Helm Chart
|
||||
|
||||
Run the following command to uninstall the chart.
|
||||
|
||||
```helm uninstall <new-chart-name>```
|
||||
|
||||
|
|
@ -0,0 +1,87 @@
|
|||
# Helm Chart for the F5 Container Ingress Services
|
||||
|
||||
This chart simplifies repeatable, versioned deployment of the [Container Ingress Services](https://clouddocs.f5.com/containers/latest/).
|
||||
|
||||
### Prerequisites
|
||||
- Refer to [CIS Prerequisites](https://clouddocs.f5.com/containers/latest/userguide/cis-helm.html#prerequisites) to install Container Ingress Services on Kubernetes or Openshift
|
||||
- [Helm 3](https://helm.sh/docs/intro/) should be installed.
|
||||
|
||||
|
||||
## Installing CIS Using Helm Charts
|
||||
|
||||
This is the simplest way to install the CIS on OpenShift/Kubernetes cluster. Helm is a package manager for Kubernetes. Helm is Kubernetes version of yum or apt. Helm deploys something called charts, which you can think of as a packaged application. It is a collection of all your versioned, pre-configured application resources which can be deployed as one unit. This chart creates a Deployment for one Pod containing the [k8s-bigip-ctlr](https://clouddocs.f5.com/containers/latest/), it's supporting RBAC, Service Account and Custom Resources Definition installations.
|
||||
|
||||
## Installing the Chart
|
||||
|
||||
- Add BIG-IP credentials as K8S secrets.
|
||||
|
||||
For Kubernetes, use the following command:
|
||||
|
||||
```kubectl create secret generic f5-bigip-ctlr-login -n kube-system --from-literal=username=admin --from-literal=password=<password>```
|
||||
|
||||
For OpenShift, use the following command:
|
||||
|
||||
```oc create secret generic f5-bigip-ctlr-login -n kube-system --from-literal=username=admin --from-literal=password=<password>```
|
||||
|
||||
- Add the CIS chart repository in Helm using following command:
|
||||
|
||||
```helm repo add f5-stable https://f5networks.github.io/charts/stable```
|
||||
|
||||
- Create values.yaml as shown in [examples](https://github.com/F5Networks/charts/tree/master/example_values/f5-bigip-ctlr):
|
||||
|
||||
- Install the Helm chart using the following command:
|
||||
|
||||
```helm install -f values.yaml <new-chart-name> f5-stable/f5-bigip-ctlr```
|
||||
|
||||
- Install the Helm chart with skip crds (without custom resource definitions installations)
|
||||
|
||||
```helm install --skip-crds -f values.yaml <new-chart-name> f5-stable/f5-bigip-ctlr```
|
||||
|
||||
## Chart parameters:
|
||||
|
||||
Parameter | Required | Description | Default
|
||||
----------|-------------|-------------|--------
|
||||
bigip_login_secret | Required | Secret that contains BIG-IP login credentials | f5-bigip-ctlr-login
|
||||
args.bigip_url | Required | The management IP for your BIG-IP device | **Required**, no default
|
||||
args.bigip_partition | Required | BIG-IP partition the CIS Controller will manage | f5-bigip-ctlr
|
||||
args.namespaces | Optional | List of Kubernetes namespaces which CIS will monitor | empty
|
||||
rbac.create | Optional | Create ClusterRole and ClusterRoleBinding | true
|
||||
serviceAccount.name | Optional | name of the ServiceAccount for CIS controller | f5-bigip-ctlr-serviceaccount
|
||||
serviceAccount.create | Optional | Create service account for the CIS controller | true
|
||||
namespace | Optional | name of namespace CIS will use to create deployment and other resources | kube-system
|
||||
image.user | Optional | CIS Controller image repository username | f5networks
|
||||
image.repo | Optional | CIS Controller image repository name | k8s-bigip-ctlr
|
||||
image.pullPolicy | Optional | CIS Controller image pull policy | Always
|
||||
image.pullSecrets | Optional | List of secrets of container registry to pull image | empty
|
||||
version | Optional | CIS Controller image tag | latest
|
||||
nodeSelector | Optional | dictionary of Node selector labels | empty
|
||||
tolerations | Optional | Array of labels | empty
|
||||
limits_cpu | Optional | CPU limits for the pod | 100m
|
||||
limits_memory | Optional | Memory limits for the pod | 512Mi
|
||||
requests_cpu | Optional | CPU request for the pod | 100m
|
||||
requests_memory | Optional | Memory request for the pod | 512Mi
|
||||
affinity | Optional | Dictionary of affinity | empty
|
||||
securityContext | Optional | Dictionary of securityContext | empty
|
||||
ingressClass.ingressClassName | Optional | Name of ingress class | f5
|
||||
ingressClass.defaultIngressController | Optional | CIS will monitor all the ingresses resource if set true | false
|
||||
ingressClass.create | Optional | Create ingress class | true
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
See the CIS documentation for a full list of args supported for CIS [CIS Configuration Options](https://clouddocs.f5.com/containers/latest/userguide/config-parameters.html)
|
||||
|
||||
> **Note:** Helm value names cannot include the character `-` which is commonly used in the names of parameters passed to the controller. To accomodate Helm, the parameter names in `values.yaml` use `_` and then replace them with `-` when rendering.
|
||||
> e.g. `args.bigip_url` is rendered as `bigip-url` as required by the CIS Controller.
|
||||
|
||||
|
||||
If you have a specific use case for F5 products in the Kubernetes environment that would benefit from a curated chart, please [open an issue](https://github.com/F5Networks/charts/issues) describing your use case and providing example resources.
|
||||
|
||||
## Uninstalling Helm Chart
|
||||
|
||||
Run the following command to uninstall the chart.
|
||||
|
||||
```helm uninstall <new-chart-name>```
|
||||
|
||||
File diff suppressed because it is too large
Load Diff
|
|
@ -0,0 +1,75 @@
|
|||
questions:
|
||||
- variable: bigip_login_secret
|
||||
required: true
|
||||
type: string
|
||||
label: "Name of the k8s secret object with BIG-IP login credentials."
|
||||
- variable: args.bigip_url
|
||||
required: true
|
||||
type: string
|
||||
label: "BIG-IP Management IP/URL"
|
||||
- variable: args.bigip_partition
|
||||
required: true
|
||||
type: string
|
||||
label: "BIG-IP Partition"
|
||||
- variable: image.user
|
||||
type: string
|
||||
label: "Image Repository where CIS image is hosted"
|
||||
- variable: image.repo
|
||||
type: string
|
||||
label: "CIS image name"
|
||||
- variable: version
|
||||
type: string
|
||||
label: "CIS version tag."
|
||||
default: "latest"
|
||||
- variable: args.pool_member_type
|
||||
type: string
|
||||
label: "Type of BIG-IP Pool members to create."
|
||||
default: "nodeport"
|
||||
- variable: args.node_poll_interval
|
||||
type: string
|
||||
label: "In seconds, the interval at which the CIS polls the cluster to find all node members."
|
||||
default: "30"
|
||||
- variable: args.verify_interval
|
||||
type: string
|
||||
label: "In seconds, the interval at which the CIS verifies that the BIG-IP configuration matches the state of the orchestration system."
|
||||
default: "30"
|
||||
- variable: args.agent
|
||||
type: string
|
||||
label: "Specify the agent for CIS to communicate with BIG-IP. CCCL or AS3"
|
||||
default: "as3"
|
||||
- variable: args.custom_resource_mode
|
||||
type: string
|
||||
label: "Set 'true' to process CRD resources. Supported in AS3 agent. When true ConfigMaps, Routes, and Ingress are not processed by CIS."
|
||||
default: "false"
|
||||
- variable: args.ipam
|
||||
type: string
|
||||
label: "Specify if CIS provides the ability to interface with F5 IPAM Controller (FIC). Valid with agent AS3."
|
||||
default: "false"
|
||||
- variable: args.disable_teems
|
||||
type: string
|
||||
label: "If true, analytics data is not sent to F5."
|
||||
default: "false"
|
||||
- variable: args.hubmode
|
||||
type: string
|
||||
label: "When `true`, ConfigMaps with Services in same and different namespace are processed. CIS >= 2.5.0+. Valid with agent AS3."
|
||||
default: "false"
|
||||
- variable: args.default_route_domain
|
||||
type: string
|
||||
label: "Set default Route Domain for Custom resources. Valid with agent AS3."
|
||||
default: "0"
|
||||
- variable: args.filter_tenants
|
||||
type: string
|
||||
label: "Specify to use tenant filtering API for AS3 declaration. This allows CIS to process each AS3 Tenant separately. Compatible with ConfigMap only. Valid with agent AS3. CIS >= 2.7"
|
||||
default: "false"
|
||||
- variable: args.enable_ipv6
|
||||
type: string
|
||||
label: "When set to true, it enables IPv6 network support. CIS >= 2.7."
|
||||
default: "false"
|
||||
- variable: args.log_level
|
||||
type: string
|
||||
label: "Configured the log level. INFO, DEBUG, CRITICAL, WARNING, ERROR."
|
||||
default: "INFO"
|
||||
- variable: args.log_as3_response
|
||||
type: string
|
||||
label: "When set to true, adds the body of AS3 API response in Controller logs."
|
||||
default: "false"
|
||||
|
|
@ -0,0 +1,6 @@
|
|||
Container Ingress Services controller: {{ .Release.Name }}
|
||||
|
||||
Controller Documentation:
|
||||
- Kubernetes: https://clouddocs.f5.com/containers/latest/userguide/kubernetes/
|
||||
- OpenShift: https://clouddocs.f5.com/containers/latest/userguide/openshift/
|
||||
|
||||
|
|
@ -0,0 +1,64 @@
|
|||
{{/* vim: set filetype=mustache: */}}
|
||||
{{/*
|
||||
Expand the name of the chart.
|
||||
*/}}
|
||||
{{- define "f5-bigip-ctlr.name" -}}
|
||||
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Return the appropriate apiVersion for deployment.
|
||||
*/}}
|
||||
{{- define "deployment.apiVersion" -}}
|
||||
{{- if semverCompare ">=1.9-0" .Capabilities.KubeVersion.GitVersion -}}
|
||||
{{- print "apps/v1" -}}
|
||||
{{- else -}}
|
||||
{{- print "extensions/v1beta1" -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Check for user given namespace or give kube-system
|
||||
*/}}
|
||||
{{- define "f5-bigip-ctlr.namespace" -}}
|
||||
{{- if hasKey .Values "namespace" -}}
|
||||
{{- .Values.namespace -}}
|
||||
{{- else -}}
|
||||
{{- print "kube-system" -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Create a default fully qualified app name.
|
||||
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
|
||||
If release name contains chart name it will be used as a full name.
|
||||
*/}}
|
||||
{{- define "f5-bigip-ctlr.fullname" -}}
|
||||
{{- if .Values.fullnameOverride -}}
|
||||
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
|
||||
{{- else -}}
|
||||
{{- $name := default .Chart.Name .Values.nameOverride -}}
|
||||
{{- if contains $name .Release.Name -}}
|
||||
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
|
||||
{{- else -}}
|
||||
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
{{/*
|
||||
Create chart name and version as used by the chart label.
|
||||
*/}}
|
||||
{{- define "f5-bigip-ctlr.chart" -}}
|
||||
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Create the name of the service account to use
|
||||
*/}}
|
||||
{{- define "f5-bigip-ctlr.serviceAccountName" -}}
|
||||
{{- if .Values.serviceAccount.create -}}
|
||||
{{ default (include "f5-bigip-ctlr.fullname" .) .Values.serviceAccount.name }}
|
||||
{{- else -}}
|
||||
{{ default "default" .Values.serviceAccount.name }}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
|
@ -0,0 +1,111 @@
|
|||
{{- if .Values.rbac.create -}}
|
||||
kind: ClusterRole
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
metadata:
|
||||
name: {{ template "f5-bigip-ctlr.fullname" . }}
|
||||
labels:
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/managed-by: {{ .Release.Service }}
|
||||
app.kubernetes.io/name: {{ template "f5-bigip-ctlr.name" . }}
|
||||
app: {{ template "f5-bigip-ctlr.name" . }}
|
||||
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
|
||||
release: {{ .Release.Name }}
|
||||
heritage: {{ .Release.Service }}
|
||||
rules:
|
||||
- apiGroups:
|
||||
- ''
|
||||
- extensions
|
||||
- networking.k8s.io
|
||||
- route.openshift.io
|
||||
resources:
|
||||
- nodes
|
||||
- services
|
||||
- endpoints
|
||||
- namespaces
|
||||
- ingresses
|
||||
- pods
|
||||
- ingressclasses
|
||||
- policies
|
||||
- routes
|
||||
verbs:
|
||||
- get
|
||||
- list
|
||||
- watch
|
||||
- apiGroups:
|
||||
- ''
|
||||
- extensions
|
||||
- networking.k8s.io
|
||||
- route.openshift.io
|
||||
resources:
|
||||
- configmaps
|
||||
- events
|
||||
- ingresses/status
|
||||
- services/status
|
||||
- routes/status
|
||||
verbs:
|
||||
- get
|
||||
- list
|
||||
- watch
|
||||
- update
|
||||
- create
|
||||
- patch
|
||||
- apiGroups:
|
||||
- cis.f5.com
|
||||
resources:
|
||||
- virtualservers
|
||||
- virtualservers/status
|
||||
- tlsprofiles
|
||||
- transportservers
|
||||
- transportservers/status
|
||||
- ingresslinks
|
||||
- ingresslinks/status
|
||||
- externaldnses
|
||||
- policies
|
||||
verbs:
|
||||
- get
|
||||
- list
|
||||
- watch
|
||||
- update
|
||||
- patch
|
||||
- apiGroups:
|
||||
- ''
|
||||
- extensions
|
||||
resources:
|
||||
- secrets
|
||||
verbs:
|
||||
- get
|
||||
- list
|
||||
- watch
|
||||
- apiGroups:
|
||||
- config.openshift.io/v1
|
||||
resources:
|
||||
- network
|
||||
verbs:
|
||||
- list
|
||||
{{- if .Values.args.ipam }}
|
||||
- apiGroups:
|
||||
- fic.f5.com
|
||||
resources:
|
||||
- ipams
|
||||
- ipams/status
|
||||
verbs:
|
||||
- get
|
||||
- list
|
||||
- watch
|
||||
- update
|
||||
- create
|
||||
- patch
|
||||
- delete
|
||||
- apiGroups:
|
||||
- apiextensions.k8s.io
|
||||
resources:
|
||||
- customresourcedefinitions
|
||||
verbs:
|
||||
- get
|
||||
- list
|
||||
- watch
|
||||
- update
|
||||
- create
|
||||
- patch
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
|
@ -0,0 +1,23 @@
|
|||
{{- if .Values.rbac.create -}}
|
||||
kind: ClusterRoleBinding
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
metadata:
|
||||
name: {{ template "f5-bigip-ctlr.fullname" . }}
|
||||
namespace: {{ template "f5-bigip-ctlr.namespace" . }}
|
||||
labels:
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/managed-by: {{ .Release.Service }}
|
||||
app.kubernetes.io/name: {{ template "f5-bigip-ctlr.name" . }}
|
||||
app: {{ template "f5-bigip-ctlr.name" . }}
|
||||
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
|
||||
release: {{ .Release.Name }}
|
||||
heritage: {{ .Release.Service }}
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: {{ template "f5-bigip-ctlr.fullname" . }}
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: {{ template "f5-bigip-ctlr.serviceAccountName" . }}
|
||||
namespace: {{ template "f5-bigip-ctlr.namespace" . }}
|
||||
{{- end -}}
|
||||
|
|
@ -0,0 +1,138 @@
|
|||
{{- if or (not .Values.args.bigip_url) (not .Values.args.bigip_partition) }}
|
||||
{{/*
|
||||
Generate errors for missing required values.
|
||||
*/}}
|
||||
# {{required "BIG-IP url not specified - add to Values or pass with `--set` " .Values.args.bigip_url }}
|
||||
# {{required "BIG-IP partition not specified - add to Values or pass with `--set` " .Values.args.bigip_partition }}
|
||||
{{- else -}}
|
||||
apiVersion: {{ template "deployment.apiVersion" . }}
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: {{ template "f5-bigip-ctlr.fullname" . }}
|
||||
namespace: {{ template "f5-bigip-ctlr.namespace" . }}
|
||||
labels:
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/managed-by: {{ .Release.Service }}
|
||||
app.kubernetes.io/name: {{ template "f5-bigip-ctlr.name" . }}
|
||||
app: {{ template "f5-bigip-ctlr.name" . }}
|
||||
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "-" }}
|
||||
release: {{ .Release.Name }}
|
||||
heritage: {{ .Release.Service }}
|
||||
spec:
|
||||
replicas: 1
|
||||
selector:
|
||||
matchLabels:
|
||||
app: {{ template "f5-bigip-ctlr.name" . }}
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/managed-by: {{ .Release.Service }}
|
||||
app.kubernetes.io/name: {{ template "f5-bigip-ctlr.name" . }}
|
||||
app: {{ template "f5-bigip-ctlr.name" . }}
|
||||
release: {{ .Release.Name }}
|
||||
spec:
|
||||
{{- if .Values.affinity }}
|
||||
affinity:
|
||||
{{ toYaml .Values.affinity | indent 8 }}
|
||||
{{- end }}
|
||||
serviceAccountName: {{ template "f5-bigip-ctlr.serviceAccountName" . }}
|
||||
{{- if .Values.image.pullSecrets }}
|
||||
imagePullSecrets:
|
||||
{{- range $pullSecret := .Values.image.pullSecrets }}
|
||||
- name: {{ $pullSecret }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
securityContext:
|
||||
{{- $securityContext := .Values.securityContext | default dict }}
|
||||
{{- if $securityContext.runAsUser }}
|
||||
runAsUser: {{ $securityContext.runAsUser }}
|
||||
{{- else }}
|
||||
runAsUser: 1000
|
||||
{{- end }}
|
||||
{{- $securityContext := .Values.securityContext | default dict }}
|
||||
{{- if $securityContext.runAsGroup }}
|
||||
runAsGroup: {{ $securityContext.runAsGroup }}
|
||||
{{- else }}
|
||||
runAsGroup: 1000
|
||||
{{- end }}
|
||||
{{- $securityContext := .Values.securityContext | default dict }}
|
||||
{{- if $securityContext.fsGroup }}
|
||||
fsGroup: {{ $securityContext.fsGroup }}
|
||||
{{- else }}
|
||||
fsGroup: 1000
|
||||
{{- end }}
|
||||
containers:
|
||||
- name: {{ template "f5-bigip-ctlr.name" . }}
|
||||
image: "{{ .Values.image.user }}/{{ .Values.image.repo }}:{{ .Values.version }}"
|
||||
{{- if .Values.podSecurityContext }}
|
||||
securityContext:
|
||||
{{ toYaml .Values.podSecurityContext | indent 12 }}
|
||||
{{- end }}
|
||||
livenessProbe:
|
||||
failureThreshold: 3
|
||||
httpGet:
|
||||
path: /health
|
||||
port: 8080
|
||||
scheme: HTTP
|
||||
initialDelaySeconds: 15
|
||||
periodSeconds: 15
|
||||
successThreshold: 1
|
||||
timeoutSeconds: 15
|
||||
readinessProbe:
|
||||
failureThreshold: 3
|
||||
httpGet:
|
||||
path: /health
|
||||
port: 8080
|
||||
scheme: HTTP
|
||||
initialDelaySeconds: 30
|
||||
periodSeconds: 30
|
||||
successThreshold: 1
|
||||
timeoutSeconds: 15
|
||||
volumeMounts:
|
||||
- name: bigip-creds
|
||||
mountPath: "/tmp/creds"
|
||||
readOnly: true
|
||||
imagePullPolicy: {{ .Values.image.pullPolicy }}
|
||||
command:
|
||||
- /app/bin/k8s-bigip-ctlr
|
||||
args:
|
||||
{{- if .Values.ingressClass.ingressClassName }}
|
||||
- --ingress-class={{ .Values.ingressClass.ingressClassName | default "f5" }}
|
||||
{{- end }}
|
||||
- --credentials-directory
|
||||
- /tmp/creds
|
||||
{{- $ns := .Values.args.namespaces }}
|
||||
{{- range $key, $value := .Values.args }}
|
||||
{{- if eq $key "namespaces" }}
|
||||
{{- range $ns}}
|
||||
- --namespace={{ . }}
|
||||
{{- end }}
|
||||
{{- else }}
|
||||
- --{{ $key | replace "_" "-"}}={{ $value }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
resources:
|
||||
limits:
|
||||
cpu: {{ .Values.limits_cpu | default "100m" }}
|
||||
memory: {{ .Values.limits_memory | default "512Mi" }}
|
||||
requests:
|
||||
cpu: {{ .Values.requests_cpu | default "100m" }}
|
||||
memory: {{ .Values.requests_memory | default "512Mi" }}
|
||||
{{- if .Values.nodeSelector }}
|
||||
nodeSelector:
|
||||
{{ toYaml .Values.nodeSelector | indent 8 }}
|
||||
{{- end }}
|
||||
{{- if .Values.tolerations }}
|
||||
tolerations:
|
||||
{{ toYaml .Values.tolerations | indent 6}}
|
||||
{{- end }}
|
||||
volumes:
|
||||
- name: bigip-creds
|
||||
secret:
|
||||
{{- if .Values.bigip_secret.create }}
|
||||
secretName: f5-bigip-ctlr-login
|
||||
{{- else }}
|
||||
secretName: {{ .Values.bigip_login_secret }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
|
@ -0,0 +1,12 @@
|
|||
{{- if .Values.ingressClass.create -}}
|
||||
|
||||
apiVersion: networking.k8s.io/v1
|
||||
kind: IngressClass
|
||||
metadata:
|
||||
name: {{ .Values.ingressClass.ingressClassName | default "f5" }}
|
||||
annotations:
|
||||
ingressclass.kubernetes.io/is-default-class: "{{ .Values.ingressClass.isDefaultIngressController | default false }}"
|
||||
spec:
|
||||
controller: f5.com/cntr-ingress-svcs
|
||||
|
||||
{{- end -}}
|
||||
|
|
@ -0,0 +1,19 @@
|
|||
{{- if .Values.bigip_secret.create -}}
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: f5-bigip-ctlr-login
|
||||
namespace: {{ template "f5-bigip-ctlr.namespace" . }}
|
||||
labels:
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/managed-by: {{ .Release.Service }}
|
||||
app.kubernetes.io/name: {{ template "f5-bigip-ctlr.name" . }}
|
||||
app: {{ template "f5-bigip-ctlr.name" . }}
|
||||
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
|
||||
release: {{ .Release.Name }}
|
||||
heritage: {{ .Release.Service }}
|
||||
type: Opaque
|
||||
data:
|
||||
username: {{ .Values.bigip_secret.username | b64enc | quote }}
|
||||
password: {{ .Values.bigip_secret.password | b64enc | quote }}
|
||||
{{- end -}}
|
||||
|
|
@ -0,0 +1,17 @@
|
|||
{{- if .Values.rbac.create -}}
|
||||
{{- if .Values.serviceAccount.create -}}
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: {{ template "f5-bigip-ctlr.serviceAccountName" . }}
|
||||
namespace: {{ template "f5-bigip-ctlr.namespace" . }}
|
||||
labels:
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/managed-by: {{ .Release.Service }}
|
||||
app.kubernetes.io/name: {{ template "f5-bigip-ctlr.name" . }}
|
||||
app: {{ template "f5-bigip-ctlr.name" . }}
|
||||
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
|
||||
release: {{ .Release.Name }}
|
||||
heritage: {{ .Release.Service }}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
|
@ -0,0 +1,90 @@
|
|||
# For additional information on installing the k8-bigip-ctlr please see:
|
||||
# Kubernetes: https://clouddocs.f5.com/containers/latest/userguide/kubernetes/#cis-installation
|
||||
# OpenShift: https://clouddocs.f5.com/containers/latest/userguide/openshift/#cis-installation
|
||||
#
|
||||
# access / permissions / RBAC
|
||||
# To create a secret using kubectl see
|
||||
# https://clouddocs.f5.com/containers/latest/userguide/kubernetes/#installing-cis-manually
|
||||
bigip_login_secret: f5-bigip-ctlr-login
|
||||
|
||||
bigip_secret:
|
||||
create: false
|
||||
username:
|
||||
password:
|
||||
|
||||
rbac:
|
||||
create: true
|
||||
serviceAccount:
|
||||
# Specifies whether a service account should be created
|
||||
create: true
|
||||
# The name of the service account to use.
|
||||
# If not set and create is true, a name is generated using the fullname template
|
||||
name: f5-bigip-ctlr-serviceaccount
|
||||
# This namespace is where the Controller lives;
|
||||
namespace: kube-system
|
||||
|
||||
ingressClass:
|
||||
create: true
|
||||
ingressClassName: f5
|
||||
isDefaultIngressController: true
|
||||
args:
|
||||
# See https://clouddocs.f5.com/containers/latest/userguide/config-parameters.html
|
||||
# NOTE: helm has difficulty with values using `-`; `_` are used for naming
|
||||
# and are replaced with `-` during rendering.
|
||||
# REQUIRED Params
|
||||
bigip_url: ~
|
||||
bigip_partition: f5-bigip-ctlr
|
||||
# OPTIONAL PARAMS -- uncomment and provide values for those you wish to use.
|
||||
# verify_interval:
|
||||
# node-poll_interval:
|
||||
# log_level:
|
||||
# python_basedir: ~
|
||||
# VXLAN
|
||||
# openshift_sdn_name:
|
||||
# flannel_name:
|
||||
# KUBERNETES
|
||||
# default_ingress_ip:
|
||||
# kubeconfig:
|
||||
# namespaces: ["foo", "bar"]
|
||||
# namespace_label:
|
||||
# node_label_selector:
|
||||
# pool_member_type:
|
||||
# resolve_ingress_names:
|
||||
# running_in_cluster:
|
||||
# use_node_internal:
|
||||
# use_secrets:
|
||||
# insecure: true
|
||||
# custom-resource-mode: true
|
||||
# log-as3-response: true
|
||||
# gtm-bigip-password
|
||||
# gtm-bigip-url
|
||||
# gtm-bigip-username
|
||||
# ipam : true
|
||||
|
||||
image:
|
||||
# Use the tag to target a specific version of the Controller
|
||||
user: f5networks
|
||||
repo: k8s-bigip-ctlr
|
||||
pullPolicy: Always
|
||||
version: latest
|
||||
# affinity:
|
||||
# nodeAffinity:
|
||||
# requiredDuringSchedulingIgnoredDuringExecution:
|
||||
# nodeSelectorTerms:
|
||||
# - matchExpressions:
|
||||
# - key: kubernetes.io/arch
|
||||
# operator: Exists
|
||||
# securityContext:
|
||||
# runAsUser: 1000
|
||||
# runAsGroup: 3000
|
||||
# fsGroup: 2000
|
||||
# If you want to specify resources, uncomment the following
|
||||
# limits_cpu: 100m
|
||||
# limits_memory: 512Mi
|
||||
# requests_cpu: 100m
|
||||
# requests_memory: 512Mi
|
||||
# Set podSecurityContext for Pod Security Admission and Pod Security Standards
|
||||
# podSecurityContext:
|
||||
# runAsUser: 1000
|
||||
# runAsGroup: 1000
|
||||
# privileged: true
|
||||
File diff suppressed because it is too large
Load Diff
|
|
@ -0,0 +1,54 @@
|
|||
annotations:
|
||||
artifacthub.io/category: integration-delivery
|
||||
artifacthub.io/changes: |
|
||||
- Update `jenkins/jenkins` to version `2.462.2-jdk17`
|
||||
artifacthub.io/images: |
|
||||
- name: jenkins
|
||||
image: docker.io/jenkins/jenkins:2.462.2-jdk17
|
||||
- name: k8s-sidecar
|
||||
image: docker.io/kiwigrid/k8s-sidecar:1.27.6
|
||||
- name: inbound-agent
|
||||
image: jenkins/inbound-agent:3261.v9c670a_4748a_9-1
|
||||
artifacthub.io/license: Apache-2.0
|
||||
artifacthub.io/links: |
|
||||
- name: Chart Source
|
||||
url: https://github.com/jenkinsci/helm-charts/tree/main/charts/jenkins
|
||||
- name: Jenkins
|
||||
url: https://www.jenkins.io/
|
||||
- name: support
|
||||
url: https://github.com/jenkinsci/helm-charts/issues
|
||||
catalog.cattle.io/certified: partner
|
||||
catalog.cattle.io/display-name: Jenkins
|
||||
catalog.cattle.io/kube-version: '>=1.14-0'
|
||||
catalog.cattle.io/release-name: jenkins
|
||||
apiVersion: v2
|
||||
appVersion: 2.462.2
|
||||
description: 'Jenkins - Build great things at any scale! As the leading open source
|
||||
automation server, Jenkins provides over 1800 plugins to support building, deploying
|
||||
and automating any project. '
|
||||
home: https://www.jenkins.io/
|
||||
icon: file://assets/icons/jenkins.svg
|
||||
keywords:
|
||||
- jenkins
|
||||
- ci
|
||||
- devops
|
||||
kubeVersion: '>=1.14-0'
|
||||
maintainers:
|
||||
- email: maor.friedman@redhat.com
|
||||
name: maorfr
|
||||
- email: mail@torstenwalter.de
|
||||
name: torstenwalter
|
||||
- email: garridomota@gmail.com
|
||||
name: mogaal
|
||||
- email: wmcdona89@gmail.com
|
||||
name: wmcdona89
|
||||
- email: timjacomb1@gmail.com
|
||||
name: timja
|
||||
name: jenkins
|
||||
sources:
|
||||
- https://github.com/jenkinsci/jenkins
|
||||
- https://github.com/jenkinsci/docker-inbound-agent
|
||||
- https://github.com/maorfr/kube-tasks
|
||||
- https://github.com/jenkinsci/configuration-as-code-plugin
|
||||
type: application
|
||||
version: 5.5.14
|
||||
|
|
@ -0,0 +1,706 @@
|
|||
# Jenkins
|
||||
|
||||
[](https://artifacthub.io/packages/helm/jenkinsci/jenkins)
|
||||
[](https://opensource.org/licenses/Apache-2.0)
|
||||
[](https://github.com/jenkinsci/helm-charts/releases)
|
||||
[](https://app.gitter.im/#/room/#jenkins-ci:matrix.org)
|
||||
|
||||
[Jenkins](https://www.jenkins.io/) is the leading open source automation server, Jenkins provides over 1800 plugins to support building, deploying and automating any project.
|
||||
|
||||
This chart installs a Jenkins server which spawns agents on [Kubernetes](http://kubernetes.io) utilizing the [Jenkins Kubernetes plugin](https://plugins.jenkins.io/kubernetes/).
|
||||
|
||||
Inspired by the awesome work of [Carlos Sanchez](https://github.com/carlossg).
|
||||
|
||||
## Get Repository Info
|
||||
|
||||
```console
|
||||
helm repo add jenkins https://charts.jenkins.io
|
||||
helm repo update
|
||||
```
|
||||
|
||||
_See [`helm repo`](https://helm.sh/docs/helm/helm_repo/) for command documentation._
|
||||
|
||||
## Install Chart
|
||||
|
||||
```console
|
||||
# Helm 3
|
||||
$ helm install [RELEASE_NAME] jenkins/jenkins [flags]
|
||||
```
|
||||
|
||||
_See [configuration](#configuration) below._
|
||||
|
||||
_See [helm install](https://helm.sh/docs/helm/helm_install/) for command documentation._
|
||||
|
||||
## Uninstall Chart
|
||||
|
||||
```console
|
||||
# Helm 3
|
||||
$ helm uninstall [RELEASE_NAME]
|
||||
```
|
||||
|
||||
This removes all the Kubernetes components associated with the chart and deletes the release.
|
||||
|
||||
_See [helm uninstall](https://helm.sh/docs/helm/helm_uninstall/) for command documentation._
|
||||
|
||||
## Upgrade Chart
|
||||
|
||||
```console
|
||||
# Helm 3
|
||||
$ helm upgrade [RELEASE_NAME] jenkins/jenkins [flags]
|
||||
```
|
||||
|
||||
_See [helm upgrade](https://helm.sh/docs/helm/helm_upgrade/) for command documentation._
|
||||
|
||||
Visit the chart's [CHANGELOG](https://github.com/jenkinsci/helm-charts/blob/main/charts/jenkins/CHANGELOG.md) to view the chart's release history.
|
||||
For migration between major version check [migration guide](#migration-guide).
|
||||
|
||||
## Building weekly releases
|
||||
|
||||
The default charts target Long-Term-Support (LTS) releases of Jenkins.
|
||||
To use other versions the easiest way is to update the image tag to the version you want.
|
||||
You can also rebuild the chart if you want the `appVersion` field to match.
|
||||
|
||||
## Configuration
|
||||
|
||||
See [Customizing the Chart Before Installing](https://helm.sh/docs/intro/using_helm/#customizing-the-chart-before-installing).
|
||||
To see all configurable options with detailed comments, visit the chart's [values.yaml](https://github.com/jenkinsci/helm-charts/blob/main/charts/jenkins/values.yaml), or run these configuration commands:
|
||||
|
||||
```console
|
||||
# Helm 3
|
||||
$ helm show values jenkins/jenkins
|
||||
```
|
||||
|
||||
For a summary of all configurable options, see [VALUES_SUMMARY.md](https://github.com/jenkinsci/helm-charts/blob/main/charts/jenkins/VALUES_SUMMARY.md).
|
||||
|
||||
### Configure Security Realm and Authorization Strategy
|
||||
|
||||
This chart configured a `securityRealm` and `authorizationStrategy` as shown below:
|
||||
|
||||
```yaml
|
||||
controller:
|
||||
JCasC:
|
||||
securityRealm: |-
|
||||
local:
|
||||
allowsSignup: false
|
||||
enableCaptcha: false
|
||||
users:
|
||||
- id: "${chart-admin-username}"
|
||||
name: "Jenkins Admin"
|
||||
password: "${chart-admin-password}"
|
||||
authorizationStrategy: |-
|
||||
loggedInUsersCanDoAnything:
|
||||
allowAnonymousRead: false
|
||||
```
|
||||
|
||||
With the configuration above there is only a single user.
|
||||
This is fine for getting started quickly, but it needs to be adjusted for any serious environment.
|
||||
|
||||
So you should adjust this to suite your needs.
|
||||
That could be using LDAP / OIDC / .. as authorization strategy and use globalMatrix as authorization strategy to configure more fine-grained permissions.
|
||||
|
||||
### Consider using a custom image
|
||||
|
||||
This chart allows the user to specify plugins which should be installed. However, for production use cases one should consider to build a custom Jenkins image which has all required plugins pre-installed.
|
||||
This way you can be sure which plugins Jenkins is using when starting up and you avoid trouble in case of connectivity issues to the Jenkins update site.
|
||||
|
||||
The [docker repository](https://github.com/jenkinsci/docker) for the Jenkins image contains [documentation](https://github.com/jenkinsci/docker#preinstalling-plugins) how to do it.
|
||||
|
||||
Here is an example how that can be done:
|
||||
|
||||
```Dockerfile
|
||||
FROM jenkins/jenkins:lts
|
||||
RUN jenkins-plugin-cli --plugins kubernetes workflow-aggregator git configuration-as-code
|
||||
```
|
||||
|
||||
NOTE: If you want a reproducible build then you should specify a non-floating tag for the image `jenkins/jenkins:2.249.3` and specify plugin versions.
|
||||
|
||||
Once you built the image and pushed it to your registry you can specify it in your values file like this:
|
||||
|
||||
```yaml
|
||||
controller:
|
||||
image: "registry/my-jenkins"
|
||||
tag: "v1.2.3"
|
||||
installPlugins: false
|
||||
```
|
||||
|
||||
Notice: `installPlugins` is set to false to disable plugin download. In this case, the image `registry/my-jenkins:v1.2.3` must have the plugins specified as default value for [the `controller.installPlugins` directive](https://github.com/jenkinsci/helm-charts/blob/main/charts/jenkins/VALUES_SUMMARY.md#jenkins-plugins) to ensure that the configuration side-car system works as expected.
|
||||
|
||||
In case you are using a private registry you can use 'imagePullSecretName' to specify the name of the secret to use when pulling the image:
|
||||
|
||||
```yaml
|
||||
controller:
|
||||
image: "registry/my-jenkins"
|
||||
tag: "v1.2.3"
|
||||
imagePullSecretName: registry-secret
|
||||
installPlugins: false
|
||||
```
|
||||
|
||||
### External URL Configuration
|
||||
|
||||
If you are using the ingress definitions provided by this chart via the `controller.ingress` block the configured hostname will be the ingress hostname starting with `https://` or `http://` depending on the `tls` configuration.
|
||||
The Protocol can be overwritten by specifying `controller.jenkinsUrlProtocol`.
|
||||
|
||||
If you are not using the provided ingress you can specify `controller.jenkinsUrl` to change the URL definition.
|
||||
|
||||
### Configuration as Code
|
||||
|
||||
Jenkins Configuration as Code (JCasC) is now a standard component in the Jenkins project.
|
||||
To allow JCasC's configuration from the helm values, the plugin [`configuration-as-code`](https://plugins.jenkins.io/configuration-as-code/) must be installed in the Jenkins Controller's Docker image (which is the case by default as specified by the [default value of the directive `controller.installPlugins`](https://github.com/jenkinsci/helm-charts/blob/main/charts/jenkins/VALUES_SUMMARY.md#jenkins-plugins)).
|
||||
|
||||
JCasc configuration is passed through Helm values under the key `controller.JCasC`.
|
||||
The section ["Jenkins Configuration as Code (JCasC)" of the page "VALUES_SUMMARY.md"](https://github.com/jenkinsci/helm-charts/blob/main/charts/jenkins/VALUES_SUMMARY.md#jenkins-configuration-as-code-jcasc) lists all the possible directives.
|
||||
|
||||
In particular, you may specify custom JCasC scripts by adding sub-key under the `controller.JCasC.configScripts` for each configuration area where each corresponds to a plugin or section of the UI.
|
||||
|
||||
The sub-keys (prior to `|` character) are only labels used to give the section a meaningful name.
|
||||
The only restriction is they must conform to RFC 1123 definition of a DNS label, so they may only contain lowercase letters, numbers, and hyphens.
|
||||
|
||||
Each key will become the name of a configuration yaml file on the controller in `/var/jenkins_home/casc_configs` (by default) and will be processed by the Configuration as Code Plugin during Jenkins startup.
|
||||
|
||||
The lines after each `|` become the content of the configuration yaml file.
|
||||
|
||||
The first line after this is a JCasC root element, e.g. jenkins, credentials, etc.
|
||||
|
||||
Best reference is the Documentation link here: `https://<jenkins_url>/configuration-as-code`.
|
||||
|
||||
The example below sets custom systemMessage:
|
||||
|
||||
```yaml
|
||||
controller:
|
||||
JCasC:
|
||||
configScripts:
|
||||
welcome-message: |
|
||||
jenkins:
|
||||
systemMessage: Welcome to our CI\CD server.
|
||||
```
|
||||
|
||||
More complex example that creates ldap settings:
|
||||
|
||||
```yaml
|
||||
controller:
|
||||
JCasC:
|
||||
configScripts:
|
||||
ldap-settings: |
|
||||
jenkins:
|
||||
securityRealm:
|
||||
ldap:
|
||||
configurations:
|
||||
- server: ldap.acme.com
|
||||
rootDN: dc=acme,dc=uk
|
||||
managerPasswordSecret: ${LDAP_PASSWORD}
|
||||
groupMembershipStrategy:
|
||||
fromUserRecord:
|
||||
attributeName: "memberOf"
|
||||
```
|
||||
|
||||
Keep in mind that default configuration file already contains some values that you won't be able to override under configScripts section.
|
||||
|
||||
For example, you can not configure Jenkins URL and System Admin email address like this because of conflicting configuration error.
|
||||
|
||||
Incorrect:
|
||||
|
||||
```yaml
|
||||
controller:
|
||||
JCasC:
|
||||
configScripts:
|
||||
jenkins-url: |
|
||||
unclassified:
|
||||
location:
|
||||
url: https://example.com/jenkins
|
||||
adminAddress: example@mail.com
|
||||
```
|
||||
|
||||
Correct:
|
||||
|
||||
```yaml
|
||||
controller:
|
||||
jenkinsUrl: https://example.com/jenkins
|
||||
jenkinsAdminEmail: example@mail.com
|
||||
```
|
||||
|
||||
Further JCasC examples can be found [here](https://github.com/jenkinsci/configuration-as-code-plugin/tree/master/demos).
|
||||
|
||||
#### Breaking out large Config as Code scripts
|
||||
|
||||
Jenkins Config as Code scripts can become quite large, and maintaining all of your scripts within one yaml file can be difficult. The Config as Code plugin itself suggests updating the `CASC_JENKINS_CONFIG` environment variable to be a comma separated list of paths for the plugin to traverse, picking up the yaml files as needed.
|
||||
However, under the Jenkins helm chart, this `CASC_JENKINS_CONFIG` value is maintained through the templates. A better solution is to split your `controller.JCasC.configScripts` into separate values files, and provide each file during the helm install.
|
||||
|
||||
For example, you can have a values file (e.g values_main.yaml) that defines the values described in the `VALUES_SUMMARY.md` for your Jenkins configuration:
|
||||
|
||||
```yaml
|
||||
jenkins:
|
||||
controller:
|
||||
jenkinsUrlProtocol: https
|
||||
installPlugins: false
|
||||
...
|
||||
```
|
||||
|
||||
In a second file (e.g values_jenkins_casc.yaml), you can define a section of your config scripts:
|
||||
|
||||
```yaml
|
||||
jenkins:
|
||||
controller:
|
||||
JCasC:
|
||||
configScripts:
|
||||
jenkinsCasc: |
|
||||
jenkins:
|
||||
disableRememberMe: false
|
||||
mode: NORMAL
|
||||
...
|
||||
```
|
||||
|
||||
And keep extending your config scripts by creating more files (so not all config scripts are located in one yaml file for better maintenance):
|
||||
|
||||
values_jenkins_unclassified.yaml
|
||||
|
||||
```yaml
|
||||
jenkins:
|
||||
controller:
|
||||
JCasC:
|
||||
configScripts:
|
||||
unclassifiedCasc: |
|
||||
unclassified:
|
||||
...
|
||||
```
|
||||
|
||||
When installing, you provide all relevant yaml files (e.g `helm install -f values_main.yaml -f values_jenkins_casc.yaml -f values_jenkins_unclassified.yaml ...`). Instead of updating the `CASC_JENKINS_CONFIG` environment variable to include multiple paths, multiple CasC yaml files will be created in the same path `var/jenkins_home/casc_configs`.
|
||||
|
||||
#### Config as Code With or Without Auto-Reload
|
||||
|
||||
Config as Code changes (to `controller.JCasC.configScripts`) can either force a new pod to be created and only be applied at next startup, or can be auto-reloaded on-the-fly.
|
||||
If you set `controller.sidecars.configAutoReload.enabled` to `true`, a second, auxiliary container will be installed into the Jenkins controller pod, known as a "sidecar".
|
||||
This watches for changes to configScripts, copies the content onto the Jenkins file-system and issues a POST to `http://<jenkins_url>/reload-configuration-as-code` with a pre-shared key.
|
||||
You can monitor this sidecar's logs using command `kubectl logs <controller_pod> -c config-reload -f`.
|
||||
If you want to enable auto-reload then you also need to configure rbac as the container which triggers the reload needs to watch the config maps:
|
||||
|
||||
```yaml
|
||||
controller:
|
||||
sidecars:
|
||||
configAutoReload:
|
||||
enabled: true
|
||||
rbac:
|
||||
create: true
|
||||
```
|
||||
|
||||
### Allow Limited HTML Markup in User-Submitted Text
|
||||
|
||||
Some third-party systems (e.g. GitHub) use HTML-formatted data in their payload sent to a Jenkins webhook (e.g. URL of a pull-request being built).
|
||||
To display such data as processed HTML instead of raw text set `controller.enableRawHtmlMarkupFormatter` to true.
|
||||
This option requires installation of the [OWASP Markup Formatter Plugin (antisamy-markup-formatter)](https://plugins.jenkins.io/antisamy-markup-formatter/).
|
||||
This plugin is **not** installed by default but may be added to `controller.additionalPlugins`.
|
||||
|
||||
### Change max connections to Kubernetes API
|
||||
When using agents with containers other than JNLP, The kubernetes plugin will communicate with those containers using the Kubernetes API. this changes the maximum concurrent connections
|
||||
```yaml
|
||||
agent:
|
||||
maxRequestsPerHostStr: "32"
|
||||
```
|
||||
This will change the configuration of the kubernetes "cloud" (as called by jenkins) that is created automatically as part of this helm chart.
|
||||
|
||||
### Change container cleanup timeout API
|
||||
For tasks that use very large images, this timeout can be increased to avoid early termination of the task while the Kubernetes pod is still deploying.
|
||||
```yaml
|
||||
agent:
|
||||
retentionTimeout: "32"
|
||||
```
|
||||
This will change the configuration of the kubernetes "cloud" (as called by jenkins) that is created automatically as part of this helm chart.
|
||||
|
||||
### Change seconds to wait for pod to be running
|
||||
This will change how long Jenkins will wait (seconds) for pod to be in running state.
|
||||
```yaml
|
||||
agent:
|
||||
waitForPodSec: "32"
|
||||
```
|
||||
This will change the configuration of the kubernetes "cloud" (as called by jenkins) that is created automatically as part of this helm chart.
|
||||
|
||||
### Mounting Volumes into Agent Pods
|
||||
|
||||
Your Jenkins Agents will run as pods, and it's possible to inject volumes where needed:
|
||||
|
||||
```yaml
|
||||
agent:
|
||||
volumes:
|
||||
- type: Secret
|
||||
secretName: jenkins-mysecrets
|
||||
mountPath: /var/run/secrets/jenkins-mysecrets
|
||||
```
|
||||
|
||||
The supported volume types are: `ConfigMap`, `EmptyDir`, `HostPath`, `Nfs`, `PVC`, `Secret`.
|
||||
Each type supports a different set of configurable attributes, defined by [the corresponding Java class](https://github.com/jenkinsci/kubernetes-plugin/tree/master/src/main/java/org/csanchez/jenkins/plugins/kubernetes/volumes).
|
||||
|
||||
### NetworkPolicy
|
||||
|
||||
To make use of the NetworkPolicy resources created by default, install [a networking plugin that implements the Kubernetes NetworkPolicy spec](https://kubernetes.io/docs/tasks/administer-cluster/declare-network-policy#before-you-begin).
|
||||
|
||||
[Install](#install-chart) helm chart with network policy enabled by setting `networkPolicy.enabled` to `true`.
|
||||
|
||||
You can use `controller.networkPolicy.internalAgents` and `controller.networkPolicy.externalAgents` stanzas for fine-grained controls over where internal/external agents can connect from.
|
||||
Internal ones are allowed based on pod labels and (optionally) namespaces, and external ones are allowed based on IP ranges.
|
||||
|
||||
### Script approval list
|
||||
|
||||
`controller.scriptApproval` allows to pass function signatures that will be allowed in pipelines.
|
||||
Example:
|
||||
|
||||
```yaml
|
||||
controller:
|
||||
scriptApproval:
|
||||
- "method java.util.Base64$Decoder decode java.lang.String"
|
||||
- "new java.lang.String byte[]"
|
||||
- "staticMethod java.util.Base64 getDecoder"
|
||||
```
|
||||
|
||||
### Custom Labels
|
||||
|
||||
`controller.serviceLabels` can be used to add custom labels in `jenkins-controller-svc.yaml`.
|
||||
For example:
|
||||
|
||||
```yaml
|
||||
ServiceLabels:
|
||||
expose: true
|
||||
```
|
||||
|
||||
### Persistence
|
||||
|
||||
The Jenkins image stores persistence under `/var/jenkins_home` path of the container.
|
||||
A dynamically managed Persistent Volume Claim is used to keep the data across deployments, by default.
|
||||
This is known to work in GCE, AWS, and minikube. Alternatively, a previously configured Persistent Volume Claim can be used.
|
||||
|
||||
It is possible to mount several volumes using `persistence.volumes` and `persistence.mounts` parameters.
|
||||
See additional `persistence` values using [configuration commands](#configuration).
|
||||
|
||||
#### Existing PersistentVolumeClaim
|
||||
|
||||
1. Create the PersistentVolume
|
||||
2. Create the PersistentVolumeClaim
|
||||
3. [Install](#install-chart) the chart, setting `persistence.existingClaim` to `PVC_NAME`
|
||||
|
||||
#### Long Volume Attach/Mount Times
|
||||
|
||||
Certain volume type and filesystem format combinations may experience long
|
||||
attach/mount times, [10 or more minutes][K8S_VOLUME_TIMEOUT], when using
|
||||
`fsGroup`. This issue may result in the following entries in the pod's event
|
||||
history:
|
||||
|
||||
```console
|
||||
Warning FailedMount 38m kubelet, aks-default-41587790-2 Unable to attach or mount volumes: unmounted volumes=[jenkins-home], unattached volumes=[plugins plugin-dir jenkins-token-rmq2g sc-config-volume tmp jenkins-home jenkins-config secrets-dir]: timed out waiting for the condition
|
||||
```
|
||||
|
||||
In these cases, experiment with replacing `fsGroup` with
|
||||
`supplementalGroups` in the pod's `securityContext`. This can be achieved by
|
||||
setting the `controller.podSecurityContextOverride` Helm chart value to
|
||||
something like:
|
||||
|
||||
```yaml
|
||||
controller:
|
||||
podSecurityContextOverride:
|
||||
runAsNonRoot: true
|
||||
runAsUser: 1000
|
||||
supplementalGroups: [1000]
|
||||
```
|
||||
|
||||
This issue has been reported on [azureDisk with ext4][K8S_VOLUME_TIMEOUT] and
|
||||
on [Alibaba cloud][K8S_VOLUME_TIMEOUT_ALIBABA].
|
||||
|
||||
[K8S_VOLUME_TIMEOUT]: https://github.com/kubernetes/kubernetes/issues/67014
|
||||
[K8S_VOLUME_TIMEOUT_ALIBABA]: https://github.com/kubernetes/kubernetes/issues/67014#issuecomment-698770511
|
||||
|
||||
#### Storage Class
|
||||
|
||||
It is possible to define which storage class to use, by setting `persistence.storageClass` to `[customStorageClass]`.
|
||||
If set to a dash (`-`), dynamic provisioning is disabled.
|
||||
If the storage class is set to null or left undefined (`""`), the default provisioner is used (gp2 on AWS, standard on GKE, AWS & OpenStack).
|
||||
|
||||
### Additional Secrets
|
||||
|
||||
Additional secrets and Additional Existing Secrets,
|
||||
can be mounted into the Jenkins controller through the chart or created using `controller.additionalSecrets` or `controller.additionalExistingSecrets`.
|
||||
A common use case might be identity provider credentials if using an external LDAP or OIDC-based identity provider.
|
||||
The secret may then be referenced in JCasC configuration (see [JCasC configuration](#configuration-as-code)).
|
||||
|
||||
`values.yaml` controller section, referencing mounted secrets:
|
||||
```yaml
|
||||
controller:
|
||||
# the 'name' and 'keyName' are concatenated with a '-' in between, so for example:
|
||||
# an existing secret "secret-credentials" and a key inside it named "github-password" should be used in Jcasc as ${secret-credentials-github-password}
|
||||
# 'name' and 'keyName' must be lowercase RFC 1123 label must consist of lower case alphanumeric characters or '-',
|
||||
# and must start and end with an alphanumeric character (e.g. 'my-name', or '123-abc')
|
||||
# existingSecret existing secret "secret-credentials" and a key inside it named "github-username" should be used in Jcasc as ${github-username}
|
||||
# When using existingSecret no need to specify the keyName under additionalExistingSecrets.
|
||||
existingSecret: secret-credentials
|
||||
|
||||
additionalExistingSecrets:
|
||||
- name: secret-credentials
|
||||
keyName: github-username
|
||||
- name: secret-credentials
|
||||
keyName: github-password
|
||||
- name: secret-credentials
|
||||
keyName: token
|
||||
|
||||
additionalSecrets:
|
||||
- name: client_id
|
||||
value: abc123
|
||||
- name: client_secret
|
||||
value: xyz999
|
||||
JCasC:
|
||||
securityRealm: |
|
||||
oic:
|
||||
clientId: ${client_id}
|
||||
clientSecret: ${client_secret}
|
||||
...
|
||||
configScripts:
|
||||
jenkins-casc-configs: |
|
||||
credentials:
|
||||
system:
|
||||
domainCredentials:
|
||||
- credentials:
|
||||
- string:
|
||||
description: "github access token"
|
||||
id: "github_app_token"
|
||||
scope: GLOBAL
|
||||
secret: ${secret-credentials-token}
|
||||
- usernamePassword:
|
||||
description: "github access username password"
|
||||
id: "github_username_pass"
|
||||
password: ${secret-credentials-github-password}
|
||||
scope: GLOBAL
|
||||
username: ${secret-credentials-github-username}
|
||||
```
|
||||
|
||||
For more information, see [JCasC documentation](https://github.com/jenkinsci/configuration-as-code-plugin/blob/master/docs/features/secrets.adoc#kubernetes-secrets).
|
||||
|
||||
### Secret Claims from HashiCorp Vault
|
||||
|
||||
It's possible for this chart to generate `SecretClaim` resources in order to automatically create and maintain Kubernetes `Secrets` from HashiCorp [Vault](https://www.vaultproject.io/) via [`kube-vault-controller`](https://github.com/roboll/kube-vault-controller)
|
||||
|
||||
These `Secrets` can then be referenced in the same manner as Additional Secrets above.
|
||||
|
||||
This can be achieved by defining required Secret Claims within `controller.secretClaims`, as follows:
|
||||
```yaml
|
||||
controller:
|
||||
secretClaims:
|
||||
- name: jenkins-secret
|
||||
path: secret/path
|
||||
- name: jenkins-short-ttl
|
||||
path: secret/short-ttl-path
|
||||
renew: 60
|
||||
```
|
||||
|
||||
### RBAC
|
||||
|
||||
RBAC is enabled by default. If you want to disable it you will need to set `rbac.create` to `false`.
|
||||
|
||||
### Adding Custom Pod Templates
|
||||
|
||||
It is possible to add custom pod templates for the default configured kubernetes cloud.
|
||||
Add a key under `agent.podTemplates` for each pod template. Each key (prior to `|` character) is just a label, and can be any value.
|
||||
Keys are only used to give the pod template a meaningful name. The only restriction is they may only contain RFC 1123 \ DNS label characters: lowercase letters, numbers, and hyphens. Each pod template can contain multiple containers.
|
||||
There's no need to add the _jnlp_ container since the kubernetes plugin will automatically inject it into the pod.
|
||||
For this pod templates configuration to be loaded the following values must be set:
|
||||
|
||||
```yaml
|
||||
controller.JCasC.defaultConfig: true
|
||||
```
|
||||
|
||||
The example below creates a python pod template in the kubernetes cloud:
|
||||
|
||||
```yaml
|
||||
agent:
|
||||
podTemplates:
|
||||
python: |
|
||||
- name: python
|
||||
label: jenkins-python
|
||||
serviceAccount: jenkins
|
||||
containers:
|
||||
- name: python
|
||||
image: python:3
|
||||
command: "/bin/sh -c"
|
||||
args: "cat"
|
||||
ttyEnabled: true
|
||||
privileged: true
|
||||
resourceRequestCpu: "400m"
|
||||
resourceRequestMemory: "512Mi"
|
||||
resourceLimitCpu: "1"
|
||||
resourceLimitMemory: "1024Mi"
|
||||
```
|
||||
|
||||
Best reference is `https://<jenkins_url>/configuration-as-code/reference#Cloud-kubernetes`.
|
||||
|
||||
### Adding Pod Templates Using additionalAgents
|
||||
|
||||
`additionalAgents` may be used to configure additional kubernetes pod templates.
|
||||
Each additional agent corresponds to `agent` in terms of the configurable values and inherits all values from `agent` so you only need to specify values which differ.
|
||||
For example:
|
||||
|
||||
```yaml
|
||||
agent:
|
||||
podName: default
|
||||
customJenkinsLabels: default
|
||||
# set resources for additional agents to inherit
|
||||
resources:
|
||||
limits:
|
||||
cpu: "1"
|
||||
memory: "2048Mi"
|
||||
|
||||
additionalAgents:
|
||||
maven:
|
||||
podName: maven
|
||||
customJenkinsLabels: maven
|
||||
# An example of overriding the jnlp container
|
||||
# sideContainerName: jnlp
|
||||
image: jenkins/jnlp-agent-maven
|
||||
tag: latest
|
||||
python:
|
||||
podName: python
|
||||
customJenkinsLabels: python
|
||||
sideContainerName: python
|
||||
image: python
|
||||
tag: "3"
|
||||
command: "/bin/sh -c"
|
||||
args: "cat"
|
||||
TTYEnabled: true
|
||||
```
|
||||
|
||||
### Ingress Configuration
|
||||
|
||||
This chart provides ingress resources configurable via the `controller.ingress` block.
|
||||
|
||||
The simplest configuration looks like the following:
|
||||
|
||||
```yaml
|
||||
controller:
|
||||
ingress:
|
||||
enabled: true
|
||||
paths: []
|
||||
apiVersion: "extensions/v1beta1"
|
||||
hostName: jenkins.example.com
|
||||
```
|
||||
|
||||
This snippet configures an ingress rule for exposing jenkins at `jenkins.example.com`
|
||||
|
||||
You can define labels and annotations via `controller.ingress.labels` and `controller.ingress.annotations` respectively.
|
||||
Additionally, you can configure the ingress tls via `controller.ingress.tls`.
|
||||
By default, this ingress rule exposes all paths.
|
||||
If needed this can be overwritten by specifying the wanted paths in `controller.ingress.paths`
|
||||
|
||||
If you want to configure a secondary ingress e.g. you don't want the jenkins instance exposed but still want to receive webhooks you can configure `controller.secondaryingress`.
|
||||
The secondaryingress doesn't expose anything by default and has to be configured via `controller.secondaryingress.paths`:
|
||||
|
||||
```yaml
|
||||
controller:
|
||||
ingress:
|
||||
enabled: true
|
||||
apiVersion: "extensions/v1beta1"
|
||||
hostName: "jenkins.internal.example.com"
|
||||
annotations:
|
||||
kubernetes.io/ingress.class: "internal"
|
||||
secondaryingress:
|
||||
enabled: true
|
||||
apiVersion: "extensions/v1beta1"
|
||||
hostName: "jenkins-scm.example.com"
|
||||
annotations:
|
||||
kubernetes.io/ingress.class: "public"
|
||||
paths:
|
||||
- /github-webhook
|
||||
```
|
||||
|
||||
## Prometheus Metrics
|
||||
|
||||
If you want to expose Prometheus metrics you need to install the [Jenkins Prometheus Metrics Plugin](https://github.com/jenkinsci/prometheus-plugin).
|
||||
It will expose an endpoint (default `/prometheus`) with metrics where a Prometheus Server can scrape.
|
||||
|
||||
If you have implemented [Prometheus Operator](https://github.com/prometheus-operator/prometheus-operator), you can set `controller.prometheus.enabled` to `true` to configure a `ServiceMonitor` and `PrometheusRule`.
|
||||
If you want to further adjust alerting rules you can do so by configuring `controller.prometheus.alertingrules`
|
||||
|
||||
If you have implemented Prometheus without using the operator, you can leave `controller.prometheus.enabled` set to `false`.
|
||||
|
||||
### Running Behind a Forward Proxy
|
||||
|
||||
The controller pod uses an Init Container to install plugins etc. If you are behind a corporate proxy it may be useful to set `controller.initContainerEnv` to add environment variables such as `http_proxy`, so that these can be downloaded.
|
||||
|
||||
Additionally, you may want to add env vars for the init container, the Jenkins container, and the JVM (`controller.javaOpts`):
|
||||
|
||||
```yaml
|
||||
controller:
|
||||
initContainerEnv:
|
||||
- name: http_proxy
|
||||
value: "http://192.168.64.1:3128"
|
||||
- name: https_proxy
|
||||
value: "http://192.168.64.1:3128"
|
||||
- name: no_proxy
|
||||
value: ""
|
||||
- name: JAVA_OPTS
|
||||
value: "-Dhttps.proxyHost=proxy_host_name_without_protocol -Dhttps.proxyPort=3128"
|
||||
containerEnv:
|
||||
- name: http_proxy
|
||||
value: "http://192.168.64.1:3128"
|
||||
- name: https_proxy
|
||||
value: "http://192.168.64.1:3128"
|
||||
javaOpts: >-
|
||||
-Dhttp.proxyHost=192.168.64.1
|
||||
-Dhttp.proxyPort=3128
|
||||
-Dhttps.proxyHost=192.168.64.1
|
||||
-Dhttps.proxyPort=3128
|
||||
```
|
||||
|
||||
### HTTPS Keystore Configuration
|
||||
|
||||
[This configuration](https://wiki.jenkins.io/pages/viewpage.action?pageId=135468777) enables jenkins to use keystore in order to serve HTTPS.
|
||||
Here is the [value file section](https://wiki.jenkins.io/pages/viewpage.action?pageId=135468777#RunningJenkinswithnativeSSL/HTTPS-ConfigureJenkinstouseHTTPSandtheJKSkeystore) related to keystore configuration.
|
||||
Keystore itself should be placed in front of `jenkinsKeyStoreBase64Encoded` key and in base64 encoded format. To achieve that after having `keystore.jks` file simply do this: `cat keystore.jks | base64` and paste the output in front of `jenkinsKeyStoreBase64Encoded`.
|
||||
After enabling `httpsKeyStore.enable` make sure that `httpPort` and `targetPort` are not the same, as `targetPort` will serve HTTPS.
|
||||
Do not set `controller.httpsKeyStore.httpPort` to `-1` because it will cause readiness and liveliness prob to fail.
|
||||
If you already have a kubernetes secret that has keystore and its password you can specify its' name in front of `jenkinsHttpsJksSecretName`, You need to remember that your secret should have proper data key names `jenkins-jks-file` (or override the key name using `jenkinsHttpsJksSecretKey`)
|
||||
and `https-jks-password` (or override the key name using `jenkinsHttpsJksPasswordSecretKey`; additionally you can make it get the password from a different secret using `jenkinsHttpsJksPasswordSecretName`). Example:
|
||||
|
||||
```yaml
|
||||
controller:
|
||||
httpsKeyStore:
|
||||
enable: true
|
||||
jenkinsHttpsJksSecretName: ''
|
||||
httpPort: 8081
|
||||
path: "/var/jenkins_keystore"
|
||||
fileName: "keystore.jks"
|
||||
password: "changeit"
|
||||
jenkinsKeyStoreBase64Encoded: ''
|
||||
```
|
||||
### AWS Security Group Policies
|
||||
|
||||
To create SecurityGroupPolicies set `awsSecurityGroupPolicies.enabled` to true and add your policies. Each policy requires a `name`, array of `securityGroupIds` and a `podSelector`. Example:
|
||||
|
||||
```yaml
|
||||
awsSecurityGroupPolicies:
|
||||
enabled: true
|
||||
policies:
|
||||
- name: "jenkins-controller"
|
||||
securityGroupIds:
|
||||
- sg-123456789
|
||||
podSelector:
|
||||
matchExpressions:
|
||||
- key: app.kubernetes.io/component
|
||||
operator: In
|
||||
values:
|
||||
- jenkins-controller
|
||||
```
|
||||
|
||||
### Agent Direct Connection
|
||||
|
||||
Set `directConnection` to `true` to allow agents to connect directly to a given TCP port without having to negotiate a HTTP(S) connection. This can allow you to have agent connections without an external HTTP(S) port. Example:
|
||||
|
||||
```yaml
|
||||
agent:
|
||||
jenkinsTunnel: "jenkinsci-agent:50000"
|
||||
directConnection: true
|
||||
```
|
||||
|
||||
## Migration Guide
|
||||
|
||||
### From stable repository
|
||||
|
||||
Upgrade an existing release from `stable/jenkins` to `jenkins/jenkins` seamlessly by ensuring you have the latest [repository info](#get-repository-info) and running the [upgrade commands](#upgrade-chart) specifying the `jenkins/jenkins` chart.
|
||||
|
||||
### Major Version Upgrades
|
||||
|
||||
Chart release versions follow [SemVer](../../CONTRIBUTING.md#versioning), where a MAJOR version change (example `1.0.0` -> `2.0.0`) indicates an incompatible breaking change needing manual actions.
|
||||
|
||||
See [UPGRADING.md](./UPGRADING.md) for a list of breaking changes
|
||||
|
|
@ -0,0 +1,148 @@
|
|||
# Upgrade Notes
|
||||
|
||||
## To 5.0.0
|
||||
- `controller.image`, `controller.tag`, and `controller.tagLabel` have been removed. If you want to overwrite the image you now need to configure any or all of:
|
||||
- `controller.image.registry`
|
||||
- `controller.image.repository`
|
||||
- `controller.image.tag`
|
||||
- `controller.image.tagLabel`
|
||||
- `controller.imagePullPolicy` has been removed. If you want to overwrite the pull policy you now need to configure `controller.image.pullPolicy`.
|
||||
- `controller.sidecars.configAutoReload.image` has been removed. If you want to overwrite the configAutoReload image you now need to configure any or all of:
|
||||
- `controller.sidecars.configAutoReload.image.registry`
|
||||
- `controller.sidecars.configAutoReload.image.repository`
|
||||
- `controller.sidecars.configAutoReload.image.tag`
|
||||
- `controller.sidecars.other` has been renamed to `controller.sidecars.additionalSidecarContainers`.
|
||||
- `agent.image` and `agent.tag` have been removed. If you want to overwrite the agent image you now need to configure any or all of:
|
||||
- `agent.image.repository`
|
||||
- `agent.image.tag`
|
||||
- The registry can still be overwritten by `agent.jnlpregistry`
|
||||
- `agent.additionalContainers[*].image` has been renamed to `agent.additionalContainers[*].image.repository`
|
||||
- `agent.additionalContainers[*].tag` has been renamed to `agent.additionalContainers[*].image.tag`
|
||||
- `additionalAgents.*.image` has been renamed to `additionalAgents.*.image.repository`
|
||||
- `additionalAgents.*.tag` has been renamed to `additionalAgents.*.image.tag`
|
||||
- `additionalClouds.*.additionalAgents.*.image` has been renamed to `additionalClouds.*.additionalAgents.*.image.repository`
|
||||
- `additionalClouds.*.additionalAgents.*.tag` has been renamed to `additionalClouds.*.additionalAgents.*.image.tag`
|
||||
- `helmtest.bats.image` has been split up to:
|
||||
- `helmtest.bats.image.registry`
|
||||
- `helmtest.bats.image.repository`
|
||||
- `helmtest.bats.image.tag`
|
||||
- `controller.adminUsername` and `controller.adminPassword` have been renamed to `controller.admin.username` and `controller.admin.password` respectively
|
||||
- `controller.adminSecret` has been renamed to `controller.admin.createSecret`
|
||||
- `backup.*` was unmaintained and has thus been removed. See the following page for alternatives: [Kubernetes Backup and Migrations](https://nubenetes.com/kubernetes-backup-migrations/).
|
||||
|
||||
## To 4.0.0
|
||||
Removes automatic `remotingSecurity` setting when using a container tag older than `2.326` (introduced in [`3.11.7`](./CHANGELOG.md#3117)). If you're using a version older than `2.326`, you should explicitly set `.controller.legacyRemotingSecurityEnabled` to `true`.
|
||||
|
||||
## To 3.0.0
|
||||
|
||||
* Check `securityRealm` and `authorizationStrategy` and adjust it.
|
||||
Otherwise, your configured users and permissions will be overridden.
|
||||
* You need to use helm version 3 as the `Chart.yaml` uses `apiVersion: v2`.
|
||||
* All XML configuration options have been removed.
|
||||
In case those are still in use you need to migrate to configuration as code.
|
||||
Upgrade guide to 2.0.0 contains pointers how to do that.
|
||||
* Jenkins is now using a `StatefulSet` instead of a `Deployment`
|
||||
* terminology has been adjusted that's also reflected in values.yaml
|
||||
The following values from `values.yaml` have been renamed:
|
||||
|
||||
* `master` => `controller`
|
||||
* `master.useSecurity` => `controller.adminSecret`
|
||||
* `master.slaveListenerPort` => `controller.agentListenerPort`
|
||||
* `master.slaveHostPort` => `controller.agentListenerHostPort`
|
||||
* `master.slaveKubernetesNamespace` => `agent.namespace`
|
||||
* `master.slaveDefaultsProviderTemplate` => `agent.defaultsProviderTemplate`
|
||||
* `master.slaveJenkinsUrl` => `agent.jenkinsUrl`
|
||||
* `master.slaveJenkinsTunnel` => `agent.jenkinsTunnel`
|
||||
* `master.slaveConnectTimeout` => `agent.kubernetesConnectTimeout`
|
||||
* `master.slaveReadTimeout` => `agent.kubernetesReadTimeout`
|
||||
* `master.slaveListenerServiceAnnotations` => `controller.agentListenerServiceAnnotations`
|
||||
* `master.slaveListenerServiceType` => `controller.agentListenerServiceType`
|
||||
* `master.slaveListenerLoadBalancerIP` => `controller.agentListenerLoadBalancerIP`
|
||||
* `agent.slaveConnectTimeout` => `agent.connectTimeout`
|
||||
* Removed values:
|
||||
|
||||
* `master.imageTag`: use `controller.image` and `controller.tag` instead
|
||||
* `slave.imageTag`: use `agent.image` and `agent.tag` instead
|
||||
|
||||
## To 2.0.0
|
||||
|
||||
Configuration as Code is now default + container does not run as root anymore.
|
||||
|
||||
### Configuration as Code new default
|
||||
|
||||
Configuration is done via [Jenkins Configuration as Code Plugin](https://github.com/jenkinsci/configuration-as-code-plugin) by default.
|
||||
That means that changes in values which result in a configuration change are always applied.
|
||||
In contrast, the XML configuration was only applied during the first start and never altered.
|
||||
|
||||
:exclamation::exclamation::exclamation:
|
||||
Attention:
|
||||
This also means if you manually altered configuration then this will most likely be reset to what was configured by default.
|
||||
It also applies to `securityRealm` and `authorizationStrategy` as they are also configured using configuration as code.
|
||||
:exclamation::exclamation::exclamation:
|
||||
|
||||
### Image does not run as root anymore
|
||||
|
||||
It's not recommended to run containers in Kubernetes as `root`.
|
||||
|
||||
❗Attention: If you had not configured a different user before then you need to ensure that your image supports the user and group ID configured and also manually change permissions of all files so that Jenkins is still able to use them.
|
||||
|
||||
### Summary of updated values
|
||||
|
||||
As version 2.0.0 only updates default values and nothing else it's still possible to migrate to this version and opt out of some or all new defaults.
|
||||
All you have to do is ensure the old values are set in your installation.
|
||||
|
||||
Here we show which values have changed and the previous default values:
|
||||
|
||||
```yaml
|
||||
controller:
|
||||
runAsUser: 1000 # was unset before
|
||||
fsGroup: 1000 # was unset before
|
||||
JCasC:
|
||||
enabled: true # was false
|
||||
defaultConfig: true # was false
|
||||
sidecars:
|
||||
configAutoReload:
|
||||
enabled: true # was false
|
||||
```
|
||||
|
||||
### Migration steps
|
||||
|
||||
Migration instructions heavily depend on your current setup.
|
||||
So think of the list below more as a general guideline of what should be done.
|
||||
|
||||
- Ensure that the Jenkins image you are using contains a user with ID 1000 and a group with the same ID.
|
||||
That's the case for `jenkins/jenkins:lts` image, which the chart uses by default
|
||||
- Make a backup of your existing installation especially the persistent volume
|
||||
- Ensure that you have the configuration as code plugin installed
|
||||
- Export your current settings via the plugin:
|
||||
`Manage Jenkins` -> `Configuration as Code` -> `Download Configuration`
|
||||
- prepare your values file for the update e.g. add additional configuration as code setting that you need.
|
||||
The export taken from above might be a good starting point for this.
|
||||
In addition, the [demos](https://github.com/jenkinsci/configuration-as-code-plugin/tree/master/demos) from the plugin itself are quite useful.
|
||||
- Test drive those setting on a separate installation
|
||||
- Put Jenkins to Quiet Down mode so that it does not accept new jobs
|
||||
`<JENKINS_URL>/quietDown`
|
||||
- Change permissions of all files and folders to the new user and group ID:
|
||||
|
||||
```console
|
||||
kubectl exec -it <jenkins_pod> -c jenkins /bin/bash
|
||||
chown -R 1000:1000 /var/jenkins_home
|
||||
```
|
||||
|
||||
- Update Jenkins
|
||||
|
||||
## To 1.0.0
|
||||
|
||||
Breaking changes:
|
||||
|
||||
- Values have been renamed to follow [helm recommended naming conventions](https://helm.sh/docs/chart_best_practices/#naming-conventions) so that all variables start with a lowercase letter and words are separated with camelcase
|
||||
- All resources are now using [helm recommended standard labels](https://helm.sh/docs/chart_best_practices/#standard-labels)
|
||||
|
||||
As a result of the label changes also the selectors of the deployment have been updated.
|
||||
Those are immutable so trying an updated will cause an error like:
|
||||
|
||||
```console
|
||||
Error: Deployment.apps "jenkins" is invalid: spec.selector: Invalid value: v1.LabelSelector{MatchLabels:map[string]string{"app.kubernetes.io/component":"jenkins-controller", "app.kubernetes.io/instance":"jenkins"}, MatchExpressions:[]v1.LabelSelectorRequirement(nil)}: field is immutable
|
||||
```
|
||||
|
||||
In order to upgrade, [uninstall](./README.md#uninstall-chart) the Jenkins Deployment before upgrading:
|
||||
|
|
@ -0,0 +1,316 @@
|
|||
# Jenkins
|
||||
|
||||
## Configuration
|
||||
|
||||
The following tables list the configurable parameters of the Jenkins chart and their default values.
|
||||
|
||||
## Values
|
||||
|
||||
| Key | Type | Description | Default |
|
||||
|:----|:-----|:---------|:------------|
|
||||
| [additionalAgents](./values.yaml#L1189) | object | Configure additional | `{}` |
|
||||
| [additionalClouds](./values.yaml#L1214) | object | | `{}` |
|
||||
| [agent.TTYEnabled](./values.yaml#L1095) | bool | Allocate pseudo tty to the side container | `false` |
|
||||
| [agent.additionalContainers](./values.yaml#L1142) | list | Add additional containers to the agents | `[]` |
|
||||
| [agent.alwaysPullImage](./values.yaml#L988) | bool | Always pull agent container image before build | `false` |
|
||||
| [agent.annotations](./values.yaml#L1138) | object | Annotations to apply to the pod | `{}` |
|
||||
| [agent.args](./values.yaml#L1089) | string | Arguments passed to command to execute | `"${computer.jnlpmac} ${computer.name}"` |
|
||||
| [agent.command](./values.yaml#L1087) | string | Command to execute when side container starts | `nil` |
|
||||
| [agent.componentName](./values.yaml#L956) | string | | `"jenkins-agent"` |
|
||||
| [agent.connectTimeout](./values.yaml#L1136) | int | Timeout in seconds for an agent to be online | `100` |
|
||||
| [agent.containerCap](./values.yaml#L1097) | int | Max number of agents to launch | `10` |
|
||||
| [agent.customJenkinsLabels](./values.yaml#L953) | list | Append Jenkins labels to the agent | `[]` |
|
||||
| [agent.defaultsProviderTemplate](./values.yaml#L907) | string | The name of the pod template to use for providing default values | `""` |
|
||||
| [agent.directConnection](./values.yaml#L959) | bool | | `false` |
|
||||
| [agent.disableDefaultAgent](./values.yaml#L1160) | bool | Disable the default Jenkins Agent configuration | `false` |
|
||||
| [agent.enabled](./values.yaml#L905) | bool | Enable Kubernetes plugin jnlp-agent podTemplate | `true` |
|
||||
| [agent.envVars](./values.yaml#L1070) | list | Environment variables for the agent Pod | `[]` |
|
||||
| [agent.garbageCollection.enabled](./values.yaml#L1104) | bool | When enabled, Jenkins will periodically check for orphan pods that have not been touched for the given timeout period and delete them. | `false` |
|
||||
| [agent.garbageCollection.namespaces](./values.yaml#L1106) | string | Namespaces to look at for garbage collection, in addition to the default namespace defined for the cloud. One namespace per line. | `""` |
|
||||
| [agent.garbageCollection.timeout](./values.yaml#L1111) | int | Timeout value for orphaned pods | `300` |
|
||||
| [agent.hostNetworking](./values.yaml#L967) | bool | Enables the agent to use the host network | `false` |
|
||||
| [agent.idleMinutes](./values.yaml#L1114) | int | Allows the Pod to remain active for reuse until the configured number of minutes has passed since the last step was executed on it | `0` |
|
||||
| [agent.image.repository](./values.yaml#L946) | string | Repository to pull the agent jnlp image from | `"jenkins/inbound-agent"` |
|
||||
| [agent.image.tag](./values.yaml#L948) | string | Tag of the image to pull | `"3261.v9c670a_4748a_9-1"` |
|
||||
| [agent.imagePullSecretName](./values.yaml#L955) | string | Name of the secret to be used to pull the image | `nil` |
|
||||
| [agent.inheritYamlMergeStrategy](./values.yaml#L1134) | bool | Controls whether the defined yaml merge strategy will be inherited if another defined pod template is configured to inherit from the current one | `false` |
|
||||
| [agent.jenkinsTunnel](./values.yaml#L923) | string | Overrides the Kubernetes Jenkins tunnel | `nil` |
|
||||
| [agent.jenkinsUrl](./values.yaml#L919) | string | Overrides the Kubernetes Jenkins URL | `nil` |
|
||||
| [agent.jnlpregistry](./values.yaml#L943) | string | Custom registry used to pull the agent jnlp image from | `nil` |
|
||||
| [agent.kubernetesConnectTimeout](./values.yaml#L929) | int | The connection timeout in seconds for connections to Kubernetes API. The minimum value is 5 | `5` |
|
||||
| [agent.kubernetesReadTimeout](./values.yaml#L931) | int | The read timeout in seconds for connections to Kubernetes API. The minimum value is 15 | `15` |
|
||||
| [agent.livenessProbe](./values.yaml#L978) | object | | `{}` |
|
||||
| [agent.maxRequestsPerHostStr](./values.yaml#L933) | string | The maximum concurrent connections to Kubernetes API | `"32"` |
|
||||
| [agent.namespace](./values.yaml#L939) | string | Namespace in which the Kubernetes agents should be launched | `nil` |
|
||||
| [agent.nodeSelector](./values.yaml#L1081) | object | Node labels for pod assignment | `{}` |
|
||||
| [agent.nodeUsageMode](./values.yaml#L951) | string | | `"NORMAL"` |
|
||||
| [agent.podLabels](./values.yaml#L941) | object | Custom Pod labels (an object with `label-key: label-value` pairs) | `{}` |
|
||||
| [agent.podName](./values.yaml#L1099) | string | Agent Pod base name | `"default"` |
|
||||
| [agent.podRetention](./values.yaml#L997) | string | | `"Never"` |
|
||||
| [agent.podTemplates](./values.yaml#L1170) | object | Configures extra pod templates for the default kubernetes cloud | `{}` |
|
||||
| [agent.privileged](./values.yaml#L961) | bool | Agent privileged container | `false` |
|
||||
| [agent.resources](./values.yaml#L969) | object | Resources allocation (Requests and Limits) | `{"limits":{"cpu":"512m","memory":"512Mi"},"requests":{"cpu":"512m","memory":"512Mi"}}` |
|
||||
| [agent.restrictedPssSecurityContext](./values.yaml#L994) | bool | Set a restricted securityContext on jnlp containers | `false` |
|
||||
| [agent.retentionTimeout](./values.yaml#L935) | int | Time in minutes after which the Kubernetes cloud plugin will clean up an idle worker that has not already terminated | `5` |
|
||||
| [agent.runAsGroup](./values.yaml#L965) | string | Configure container group | `nil` |
|
||||
| [agent.runAsUser](./values.yaml#L963) | string | Configure container user | `nil` |
|
||||
| [agent.secretEnvVars](./values.yaml#L1074) | list | Mount a secret as environment variable | `[]` |
|
||||
| [agent.serviceAccount](./values.yaml#L915) | string | Override the default service account | `serviceAccountAgent.name` if `agent.useDefaultServiceAccount` is `true` |
|
||||
| [agent.showRawYaml](./values.yaml#L1001) | bool | | `true` |
|
||||
| [agent.sideContainerName](./values.yaml#L1091) | string | Side container name | `"jnlp"` |
|
||||
| [agent.skipTlsVerify](./values.yaml#L925) | bool | Disables the verification of the controller certificate on remote connection. This flag correspond to the "Disable https certificate check" flag in kubernetes plugin UI | `false` |
|
||||
| [agent.usageRestricted](./values.yaml#L927) | bool | Enable the possibility to restrict the usage of this agent to specific folder. This flag correspond to the "Restrict pipeline support to authorized folders" flag in kubernetes plugin UI | `false` |
|
||||
| [agent.useDefaultServiceAccount](./values.yaml#L911) | bool | Use `serviceAccountAgent.name` as the default value for defaults template `serviceAccount` | `true` |
|
||||
| [agent.volumes](./values.yaml#L1008) | list | Additional volumes | `[]` |
|
||||
| [agent.waitForPodSec](./values.yaml#L937) | int | Seconds to wait for pod to be running | `600` |
|
||||
| [agent.websocket](./values.yaml#L958) | bool | Enables agent communication via websockets | `false` |
|
||||
| [agent.workingDir](./values.yaml#L950) | string | Configure working directory for default agent | `"/home/jenkins/agent"` |
|
||||
| [agent.workspaceVolume](./values.yaml#L1043) | object | Workspace volume (defaults to EmptyDir) | `{}` |
|
||||
| [agent.yamlMergeStrategy](./values.yaml#L1132) | string | Defines how the raw yaml field gets merged with yaml definitions from inherited pod templates. Possible values: "merge" or "override" | `"override"` |
|
||||
| [agent.yamlTemplate](./values.yaml#L1121) | string | The raw yaml of a Pod API Object to merge into the agent spec | `""` |
|
||||
| [awsSecurityGroupPolicies.enabled](./values.yaml#L1340) | bool | | `false` |
|
||||
| [awsSecurityGroupPolicies.policies[0].name](./values.yaml#L1342) | string | | `""` |
|
||||
| [awsSecurityGroupPolicies.policies[0].podSelector](./values.yaml#L1344) | object | | `{}` |
|
||||
| [awsSecurityGroupPolicies.policies[0].securityGroupIds](./values.yaml#L1343) | list | | `[]` |
|
||||
| [checkDeprecation](./values.yaml#L1337) | bool | Checks if any deprecated values are used | `true` |
|
||||
| [clusterZone](./values.yaml#L21) | string | Override the cluster name for FQDN resolving | `"cluster.local"` |
|
||||
| [controller.JCasC.authorizationStrategy](./values.yaml#L533) | string | Jenkins Config as Code Authorization Strategy-section | `"loggedInUsersCanDoAnything:\n allowAnonymousRead: false"` |
|
||||
| [controller.JCasC.configMapAnnotations](./values.yaml#L538) | object | Annotations for the JCasC ConfigMap | `{}` |
|
||||
| [controller.JCasC.configScripts](./values.yaml#L507) | object | List of Jenkins Config as Code scripts | `{}` |
|
||||
| [controller.JCasC.configUrls](./values.yaml#L504) | list | Remote URLs for configuration files. | `[]` |
|
||||
| [controller.JCasC.defaultConfig](./values.yaml#L498) | bool | Enables default Jenkins configuration via configuration as code plugin | `true` |
|
||||
| [controller.JCasC.overwriteConfiguration](./values.yaml#L502) | bool | Whether Jenkins Config as Code should overwrite any existing configuration | `false` |
|
||||
| [controller.JCasC.security](./values.yaml#L514) | object | Jenkins Config as Code security-section | `{"apiToken":{"creationOfLegacyTokenEnabled":false,"tokenGenerationOnCreationEnabled":false,"usageStatisticsEnabled":true}}` |
|
||||
| [controller.JCasC.securityRealm](./values.yaml#L522) | string | Jenkins Config as Code Security Realm-section | `"local:\n allowsSignup: false\n enableCaptcha: false\n users:\n - id: \"${chart-admin-username}\"\n name: \"Jenkins Admin\"\n password: \"${chart-admin-password}\""` |
|
||||
| [controller.additionalExistingSecrets](./values.yaml#L459) | list | List of additional existing secrets to mount | `[]` |
|
||||
| [controller.additionalPlugins](./values.yaml#L409) | list | List of plugins to install in addition to those listed in controller.installPlugins | `[]` |
|
||||
| [controller.additionalSecrets](./values.yaml#L468) | list | List of additional secrets to create and mount | `[]` |
|
||||
| [controller.admin.createSecret](./values.yaml#L91) | bool | Create secret for admin user | `true` |
|
||||
| [controller.admin.existingSecret](./values.yaml#L94) | string | The name of an existing secret containing the admin credentials | `""` |
|
||||
| [controller.admin.password](./values.yaml#L81) | string | Admin password created as a secret if `controller.admin.createSecret` is true | `<random password>` |
|
||||
| [controller.admin.passwordKey](./values.yaml#L86) | string | The key in the existing admin secret containing the password | `"jenkins-admin-password"` |
|
||||
| [controller.admin.userKey](./values.yaml#L84) | string | The key in the existing admin secret containing the username | `"jenkins-admin-user"` |
|
||||
| [controller.admin.username](./values.yaml#L78) | string | Admin username created as a secret if `controller.admin.createSecret` is true | `"admin"` |
|
||||
| [controller.affinity](./values.yaml#L660) | object | Affinity settings | `{}` |
|
||||
| [controller.agentListenerEnabled](./values.yaml#L318) | bool | Create Agent listener service | `true` |
|
||||
| [controller.agentListenerExternalTrafficPolicy](./values.yaml#L328) | string | Traffic Policy of for the agentListener service | `nil` |
|
||||
| [controller.agentListenerHostPort](./values.yaml#L322) | string | Host port to listen for agents | `nil` |
|
||||
| [controller.agentListenerLoadBalancerIP](./values.yaml#L358) | string | Static IP for the agentListener LoadBalancer | `nil` |
|
||||
| [controller.agentListenerLoadBalancerSourceRanges](./values.yaml#L330) | list | Allowed inbound IP for the agentListener service | `["0.0.0.0/0"]` |
|
||||
| [controller.agentListenerNodePort](./values.yaml#L324) | string | Node port to listen for agents | `nil` |
|
||||
| [controller.agentListenerPort](./values.yaml#L320) | int | Listening port for agents | `50000` |
|
||||
| [controller.agentListenerServiceAnnotations](./values.yaml#L353) | object | Annotations for the agentListener service | `{}` |
|
||||
| [controller.agentListenerServiceType](./values.yaml#L350) | string | Defines how to expose the agentListener service | `"ClusterIP"` |
|
||||
| [controller.backendconfig.annotations](./values.yaml#L763) | object | backendconfig annotations | `{}` |
|
||||
| [controller.backendconfig.apiVersion](./values.yaml#L757) | string | backendconfig API version | `"extensions/v1beta1"` |
|
||||
| [controller.backendconfig.enabled](./values.yaml#L755) | bool | Enables backendconfig | `false` |
|
||||
| [controller.backendconfig.labels](./values.yaml#L761) | object | backendconfig labels | `{}` |
|
||||
| [controller.backendconfig.name](./values.yaml#L759) | string | backendconfig name | `nil` |
|
||||
| [controller.backendconfig.spec](./values.yaml#L765) | object | backendconfig spec | `{}` |
|
||||
| [controller.cloudName](./values.yaml#L487) | string | Name of default cloud configuration. | `"kubernetes"` |
|
||||
| [controller.clusterIp](./values.yaml#L217) | string | k8s service clusterIP. Only used if serviceType is ClusterIP | `nil` |
|
||||
| [controller.componentName](./values.yaml#L34) | string | Used for label app.kubernetes.io/component | `"jenkins-controller"` |
|
||||
| [controller.containerEnv](./values.yaml#L150) | list | Environment variables for Jenkins Container | `[]` |
|
||||
| [controller.containerEnvFrom](./values.yaml#L147) | list | Environment variable sources for Jenkins Container | `[]` |
|
||||
| [controller.containerSecurityContext](./values.yaml#L205) | object | Allow controlling the securityContext for the jenkins container | `{"allowPrivilegeEscalation":false,"readOnlyRootFilesystem":true,"runAsGroup":1000,"runAsUser":1000}` |
|
||||
| [controller.csrf.defaultCrumbIssuer.enabled](./values.yaml#L339) | bool | Enable the default CSRF Crumb issuer | `true` |
|
||||
| [controller.csrf.defaultCrumbIssuer.proxyCompatability](./values.yaml#L341) | bool | Enable proxy compatibility | `true` |
|
||||
| [controller.customInitContainers](./values.yaml#L541) | list | Custom init-container specification in raw-yaml format | `[]` |
|
||||
| [controller.customJenkinsLabels](./values.yaml#L68) | list | Append Jenkins labels to the controller | `[]` |
|
||||
| [controller.disableRememberMe](./values.yaml#L59) | bool | Disable use of remember me | `false` |
|
||||
| [controller.disabledAgentProtocols](./values.yaml#L333) | list | Disabled agent protocols | `["JNLP-connect","JNLP2-connect"]` |
|
||||
| [controller.enableRawHtmlMarkupFormatter](./values.yaml#L429) | bool | Enable HTML parsing using OWASP Markup Formatter Plugin (antisamy-markup-formatter) | `false` |
|
||||
| [controller.executorMode](./values.yaml#L65) | string | Sets the executor mode of the Jenkins node. Possible values are "NORMAL" or "EXCLUSIVE" | `"NORMAL"` |
|
||||
| [controller.existingSecret](./values.yaml#L456) | string | | `nil` |
|
||||
| [controller.extraPorts](./values.yaml#L388) | list | Optionally configure other ports to expose in the controller container | `[]` |
|
||||
| [controller.fsGroup](./values.yaml#L186) | int | Deprecated in favor of `controller.podSecurityContextOverride`. uid that will be used for persistent volume. | `1000` |
|
||||
| [controller.googlePodMonitor.enabled](./values.yaml#L826) | bool | | `false` |
|
||||
| [controller.googlePodMonitor.scrapeEndpoint](./values.yaml#L831) | string | | `"/prometheus"` |
|
||||
| [controller.googlePodMonitor.scrapeInterval](./values.yaml#L829) | string | | `"60s"` |
|
||||
| [controller.healthProbes](./values.yaml#L248) | bool | Enable Kubernetes Probes configuration configured in `controller.probes` | `true` |
|
||||
| [controller.hostAliases](./values.yaml#L779) | list | Allows for adding entries to Pod /etc/hosts | `[]` |
|
||||
| [controller.hostNetworking](./values.yaml#L70) | bool | | `false` |
|
||||
| [controller.httpsKeyStore.disableSecretMount](./values.yaml#L847) | bool | | `false` |
|
||||
| [controller.httpsKeyStore.enable](./values.yaml#L838) | bool | Enables HTTPS keystore on jenkins controller | `false` |
|
||||
| [controller.httpsKeyStore.fileName](./values.yaml#L855) | string | Jenkins keystore filename which will appear under controller.httpsKeyStore.path | `"keystore.jks"` |
|
||||
| [controller.httpsKeyStore.httpPort](./values.yaml#L851) | int | HTTP Port that Jenkins should listen to along with HTTPS, it also serves as the liveness and readiness probes port. | `8081` |
|
||||
| [controller.httpsKeyStore.jenkinsHttpsJksPasswordSecretKey](./values.yaml#L846) | string | Name of the key in the secret that contains the JKS password | `"https-jks-password"` |
|
||||
| [controller.httpsKeyStore.jenkinsHttpsJksPasswordSecretName](./values.yaml#L844) | string | Name of the secret that contains the JKS password, if it is not in the same secret as the JKS file | `""` |
|
||||
| [controller.httpsKeyStore.jenkinsHttpsJksSecretKey](./values.yaml#L842) | string | Name of the key in the secret that already has ssl keystore | `"jenkins-jks-file"` |
|
||||
| [controller.httpsKeyStore.jenkinsHttpsJksSecretName](./values.yaml#L840) | string | Name of the secret that already has ssl keystore | `""` |
|
||||
| [controller.httpsKeyStore.jenkinsKeyStoreBase64Encoded](./values.yaml#L860) | string | Base64 encoded Keystore content. Keystore must be converted to base64 then being pasted here | `nil` |
|
||||
| [controller.httpsKeyStore.password](./values.yaml#L857) | string | Jenkins keystore password | `"password"` |
|
||||
| [controller.httpsKeyStore.path](./values.yaml#L853) | string | Path of HTTPS keystore file | `"/var/jenkins_keystore"` |
|
||||
| [controller.image.pullPolicy](./values.yaml#L47) | string | Controller image pull policy | `"Always"` |
|
||||
| [controller.image.registry](./values.yaml#L37) | string | Controller image registry | `"docker.io"` |
|
||||
| [controller.image.repository](./values.yaml#L39) | string | Controller image repository | `"jenkins/jenkins"` |
|
||||
| [controller.image.tag](./values.yaml#L42) | string | Controller image tag override; i.e., tag: "2.440.1-jdk17" | `nil` |
|
||||
| [controller.image.tagLabel](./values.yaml#L45) | string | Controller image tag label | `"jdk17"` |
|
||||
| [controller.imagePullSecretName](./values.yaml#L49) | string | Controller image pull secret | `nil` |
|
||||
| [controller.ingress.annotations](./values.yaml#L702) | object | Ingress annotations | `{}` |
|
||||
| [controller.ingress.apiVersion](./values.yaml#L698) | string | Ingress API version | `"extensions/v1beta1"` |
|
||||
| [controller.ingress.enabled](./values.yaml#L681) | bool | Enables ingress | `false` |
|
||||
| [controller.ingress.hostName](./values.yaml#L715) | string | Ingress hostname | `nil` |
|
||||
| [controller.ingress.labels](./values.yaml#L700) | object | Ingress labels | `{}` |
|
||||
| [controller.ingress.path](./values.yaml#L711) | string | Ingress path | `nil` |
|
||||
| [controller.ingress.paths](./values.yaml#L685) | list | Override for the default Ingress paths | `[]` |
|
||||
| [controller.ingress.resourceRootUrl](./values.yaml#L717) | string | Hostname to serve assets from | `nil` |
|
||||
| [controller.ingress.tls](./values.yaml#L719) | list | Ingress TLS configuration | `[]` |
|
||||
| [controller.initConfigMap](./values.yaml#L446) | string | Name of the existing ConfigMap that contains init scripts | `nil` |
|
||||
| [controller.initContainerEnv](./values.yaml#L141) | list | Environment variables for Init Container | `[]` |
|
||||
| [controller.initContainerEnvFrom](./values.yaml#L137) | list | Environment variable sources for Init Container | `[]` |
|
||||
| [controller.initContainerResources](./values.yaml#L128) | object | Resources allocation (Requests and Limits) for Init Container | `{}` |
|
||||
| [controller.initScripts](./values.yaml#L442) | object | Map of groovy init scripts to be executed during Jenkins controller start | `{}` |
|
||||
| [controller.initializeOnce](./values.yaml#L414) | bool | Initialize only on first installation. Ensures plugins do not get updated inadvertently. Requires `persistence.enabled` to be set to `true` | `false` |
|
||||
| [controller.installLatestPlugins](./values.yaml#L403) | bool | Download the minimum required version or latest version of all dependencies | `true` |
|
||||
| [controller.installLatestSpecifiedPlugins](./values.yaml#L406) | bool | Set to true to download the latest version of any plugin that is requested to have the latest version | `false` |
|
||||
| [controller.installPlugins](./values.yaml#L395) | list | List of Jenkins plugins to install. If you don't want to install plugins, set it to `false` | `["kubernetes:4285.v50ed5f624918","workflow-aggregator:600.vb_57cdd26fdd7","git:5.4.1","configuration-as-code:1850.va_a_8c31d3158b_"]` |
|
||||
| [controller.javaOpts](./values.yaml#L156) | string | Append to `JAVA_OPTS` env var | `nil` |
|
||||
| [controller.jenkinsAdminEmail](./values.yaml#L96) | string | Email address for the administrator of the Jenkins instance | `nil` |
|
||||
| [controller.jenkinsHome](./values.yaml#L101) | string | Custom Jenkins home path | `"/var/jenkins_home"` |
|
||||
| [controller.jenkinsOpts](./values.yaml#L158) | string | Append to `JENKINS_OPTS` env var | `nil` |
|
||||
| [controller.jenkinsRef](./values.yaml#L106) | string | Custom Jenkins reference path | `"/usr/share/jenkins/ref"` |
|
||||
| [controller.jenkinsUriPrefix](./values.yaml#L173) | string | Root URI Jenkins will be served on | `nil` |
|
||||
| [controller.jenkinsUrl](./values.yaml#L168) | string | Set Jenkins URL if you are not using the ingress definitions provided by the chart | `nil` |
|
||||
| [controller.jenkinsUrlProtocol](./values.yaml#L165) | string | Set protocol for Jenkins URL; `https` if `controller.ingress.tls`, `http` otherwise | `nil` |
|
||||
| [controller.jenkinsWar](./values.yaml#L109) | string | | `"/usr/share/jenkins/jenkins.war"` |
|
||||
| [controller.jmxPort](./values.yaml#L385) | string | Open a port, for JMX stats | `nil` |
|
||||
| [controller.legacyRemotingSecurityEnabled](./values.yaml#L361) | bool | Whether legacy remoting security should be enabled | `false` |
|
||||
| [controller.lifecycle](./values.yaml#L51) | object | Lifecycle specification for controller-container | `{}` |
|
||||
| [controller.loadBalancerIP](./values.yaml#L376) | string | Optionally assign a known public LB IP | `nil` |
|
||||
| [controller.loadBalancerSourceRanges](./values.yaml#L372) | list | Allowed inbound IP addresses | `["0.0.0.0/0"]` |
|
||||
| [controller.markupFormatter](./values.yaml#L433) | string | Yaml of the markup formatter to use | `"plainText"` |
|
||||
| [controller.nodePort](./values.yaml#L223) | string | k8s node port. Only used if serviceType is NodePort | `nil` |
|
||||
| [controller.nodeSelector](./values.yaml#L647) | object | Node labels for pod assignment | `{}` |
|
||||
| [controller.numExecutors](./values.yaml#L62) | int | Set Number of executors | `0` |
|
||||
| [controller.overwritePlugins](./values.yaml#L418) | bool | Overwrite installed plugins on start | `false` |
|
||||
| [controller.overwritePluginsFromImage](./values.yaml#L422) | bool | Overwrite plugins that are already installed in the controller image | `true` |
|
||||
| [controller.podAnnotations](./values.yaml#L668) | object | Annotations for controller pod | `{}` |
|
||||
| [controller.podDisruptionBudget.annotations](./values.yaml#L312) | object | | `{}` |
|
||||
| [controller.podDisruptionBudget.apiVersion](./values.yaml#L310) | string | Policy API version | `"policy/v1beta1"` |
|
||||
| [controller.podDisruptionBudget.enabled](./values.yaml#L305) | bool | Enable Kubernetes Pod Disruption Budget configuration | `false` |
|
||||
| [controller.podDisruptionBudget.labels](./values.yaml#L313) | object | | `{}` |
|
||||
| [controller.podDisruptionBudget.maxUnavailable](./values.yaml#L315) | string | Number of pods that can be unavailable. Either an absolute number or a percentage | `"0"` |
|
||||
| [controller.podLabels](./values.yaml#L241) | object | Custom Pod labels (an object with `label-key: label-value` pairs) | `{}` |
|
||||
| [controller.podSecurityContextOverride](./values.yaml#L202) | string | Completely overwrites the contents of the pod security context, ignoring the values provided for `runAsUser`, `fsGroup`, and `securityContextCapabilities` | `nil` |
|
||||
| [controller.priorityClassName](./values.yaml#L665) | string | The name of a `priorityClass` to apply to the controller pod | `nil` |
|
||||
| [controller.probes.livenessProbe.failureThreshold](./values.yaml#L266) | int | Set the failure threshold for the liveness probe | `5` |
|
||||
| [controller.probes.livenessProbe.httpGet.path](./values.yaml#L269) | string | Set the Pod's HTTP path for the liveness probe | `"{{ default \"\" .Values.controller.jenkinsUriPrefix }}/login"` |
|
||||
| [controller.probes.livenessProbe.httpGet.port](./values.yaml#L271) | string | Set the Pod's HTTP port to use for the liveness probe | `"http"` |
|
||||
| [controller.probes.livenessProbe.initialDelaySeconds](./values.yaml#L280) | string | Set the initial delay for the liveness probe in seconds | `nil` |
|
||||
| [controller.probes.livenessProbe.periodSeconds](./values.yaml#L273) | int | Set the time interval between two liveness probes executions in seconds | `10` |
|
||||
| [controller.probes.livenessProbe.timeoutSeconds](./values.yaml#L275) | int | Set the timeout for the liveness probe in seconds | `5` |
|
||||
| [controller.probes.readinessProbe.failureThreshold](./values.yaml#L284) | int | Set the failure threshold for the readiness probe | `3` |
|
||||
| [controller.probes.readinessProbe.httpGet.path](./values.yaml#L287) | string | Set the Pod's HTTP path for the liveness probe | `"{{ default \"\" .Values.controller.jenkinsUriPrefix }}/login"` |
|
||||
| [controller.probes.readinessProbe.httpGet.port](./values.yaml#L289) | string | Set the Pod's HTTP port to use for the readiness probe | `"http"` |
|
||||
| [controller.probes.readinessProbe.initialDelaySeconds](./values.yaml#L298) | string | Set the initial delay for the readiness probe in seconds | `nil` |
|
||||
| [controller.probes.readinessProbe.periodSeconds](./values.yaml#L291) | int | Set the time interval between two readiness probes executions in seconds | `10` |
|
||||
| [controller.probes.readinessProbe.timeoutSeconds](./values.yaml#L293) | int | Set the timeout for the readiness probe in seconds | `5` |
|
||||
| [controller.probes.startupProbe.failureThreshold](./values.yaml#L253) | int | Set the failure threshold for the startup probe | `12` |
|
||||
| [controller.probes.startupProbe.httpGet.path](./values.yaml#L256) | string | Set the Pod's HTTP path for the startup probe | `"{{ default \"\" .Values.controller.jenkinsUriPrefix }}/login"` |
|
||||
| [controller.probes.startupProbe.httpGet.port](./values.yaml#L258) | string | Set the Pod's HTTP port to use for the startup probe | `"http"` |
|
||||
| [controller.probes.startupProbe.periodSeconds](./values.yaml#L260) | int | Set the time interval between two startup probes executions in seconds | `10` |
|
||||
| [controller.probes.startupProbe.timeoutSeconds](./values.yaml#L262) | int | Set the timeout for the startup probe in seconds | `5` |
|
||||
| [controller.projectNamingStrategy](./values.yaml#L425) | string | | `"standard"` |
|
||||
| [controller.prometheus.alertingRulesAdditionalLabels](./values.yaml#L812) | object | Additional labels to add to the PrometheusRule object | `{}` |
|
||||
| [controller.prometheus.alertingrules](./values.yaml#L810) | list | Array of prometheus alerting rules | `[]` |
|
||||
| [controller.prometheus.enabled](./values.yaml#L795) | bool | Enables prometheus service monitor | `false` |
|
||||
| [controller.prometheus.metricRelabelings](./values.yaml#L822) | list | | `[]` |
|
||||
| [controller.prometheus.prometheusRuleNamespace](./values.yaml#L814) | string | Set a custom namespace where to deploy PrometheusRule resource | `""` |
|
||||
| [controller.prometheus.relabelings](./values.yaml#L820) | list | | `[]` |
|
||||
| [controller.prometheus.scrapeEndpoint](./values.yaml#L805) | string | The endpoint prometheus should get metrics from | `"/prometheus"` |
|
||||
| [controller.prometheus.scrapeInterval](./values.yaml#L801) | string | How often prometheus should scrape metrics | `"60s"` |
|
||||
| [controller.prometheus.serviceMonitorAdditionalLabels](./values.yaml#L797) | object | Additional labels to add to the service monitor object | `{}` |
|
||||
| [controller.prometheus.serviceMonitorNamespace](./values.yaml#L799) | string | Set a custom namespace where to deploy ServiceMonitor resource | `nil` |
|
||||
| [controller.resources](./values.yaml#L115) | object | Resource allocation (Requests and Limits) | `{"limits":{"cpu":"2000m","memory":"4096Mi"},"requests":{"cpu":"50m","memory":"256Mi"}}` |
|
||||
| [controller.route.annotations](./values.yaml#L774) | object | Route annotations | `{}` |
|
||||
| [controller.route.enabled](./values.yaml#L770) | bool | Enables openshift route | `false` |
|
||||
| [controller.route.labels](./values.yaml#L772) | object | Route labels | `{}` |
|
||||
| [controller.route.path](./values.yaml#L776) | string | Route path | `nil` |
|
||||
| [controller.runAsUser](./values.yaml#L183) | int | Deprecated in favor of `controller.podSecurityContextOverride`. uid that jenkins runs with. | `1000` |
|
||||
| [controller.schedulerName](./values.yaml#L643) | string | Name of the Kubernetes scheduler to use | `""` |
|
||||
| [controller.scriptApproval](./values.yaml#L437) | list | List of groovy functions to approve | `[]` |
|
||||
| [controller.secondaryingress.annotations](./values.yaml#L737) | object | | `{}` |
|
||||
| [controller.secondaryingress.apiVersion](./values.yaml#L735) | string | | `"extensions/v1beta1"` |
|
||||
| [controller.secondaryingress.enabled](./values.yaml#L729) | bool | | `false` |
|
||||
| [controller.secondaryingress.hostName](./values.yaml#L744) | string | | `nil` |
|
||||
| [controller.secondaryingress.labels](./values.yaml#L736) | object | | `{}` |
|
||||
| [controller.secondaryingress.paths](./values.yaml#L732) | list | | `[]` |
|
||||
| [controller.secondaryingress.tls](./values.yaml#L745) | string | | `nil` |
|
||||
| [controller.secretClaims](./values.yaml#L480) | list | List of `SecretClaim` resources to create | `[]` |
|
||||
| [controller.securityContextCapabilities](./values.yaml#L192) | object | | `{}` |
|
||||
| [controller.serviceAnnotations](./values.yaml#L230) | object | Jenkins controller service annotations | `{}` |
|
||||
| [controller.serviceExternalTrafficPolicy](./values.yaml#L227) | string | | `nil` |
|
||||
| [controller.serviceLabels](./values.yaml#L236) | object | Labels for the Jenkins controller-service | `{}` |
|
||||
| [controller.servicePort](./values.yaml#L219) | int | k8s service port | `8080` |
|
||||
| [controller.serviceType](./values.yaml#L214) | string | k8s service type | `"ClusterIP"` |
|
||||
| [controller.shareProcessNamespace](./values.yaml#L124) | bool | | `false` |
|
||||
| [controller.sidecars.additionalSidecarContainers](./values.yaml#L625) | list | Configures additional sidecar container(s) for the Jenkins controller | `[]` |
|
||||
| [controller.sidecars.configAutoReload.additionalVolumeMounts](./values.yaml#L571) | list | Enables additional volume mounts for the config auto-reload container | `[]` |
|
||||
| [controller.sidecars.configAutoReload.containerSecurityContext](./values.yaml#L620) | object | Enable container security context | `{"allowPrivilegeEscalation":false,"readOnlyRootFilesystem":true}` |
|
||||
| [controller.sidecars.configAutoReload.enabled](./values.yaml#L554) | bool | Enables Jenkins Config as Code auto-reload | `true` |
|
||||
| [controller.sidecars.configAutoReload.env](./values.yaml#L602) | object | Environment variables for the Jenkins Config as Code auto-reload container | `{}` |
|
||||
| [controller.sidecars.configAutoReload.envFrom](./values.yaml#L600) | list | Environment variable sources for the Jenkins Config as Code auto-reload container | `[]` |
|
||||
| [controller.sidecars.configAutoReload.folder](./values.yaml#L613) | string | | `"/var/jenkins_home/casc_configs"` |
|
||||
| [controller.sidecars.configAutoReload.image.registry](./values.yaml#L557) | string | Registry for the image that triggers the reload | `"docker.io"` |
|
||||
| [controller.sidecars.configAutoReload.image.repository](./values.yaml#L559) | string | Repository of the image that triggers the reload | `"kiwigrid/k8s-sidecar"` |
|
||||
| [controller.sidecars.configAutoReload.image.tag](./values.yaml#L561) | string | Tag for the image that triggers the reload | `"1.27.6"` |
|
||||
| [controller.sidecars.configAutoReload.imagePullPolicy](./values.yaml#L562) | string | | `"IfNotPresent"` |
|
||||
| [controller.sidecars.configAutoReload.logging](./values.yaml#L577) | object | Config auto-reload logging settings | `{"configuration":{"backupCount":3,"formatter":"JSON","logLevel":"INFO","logToConsole":true,"logToFile":false,"maxBytes":1024,"override":false}}` |
|
||||
| [controller.sidecars.configAutoReload.logging.configuration.override](./values.yaml#L581) | bool | Enables custom log config utilizing using the settings below. | `false` |
|
||||
| [controller.sidecars.configAutoReload.reqRetryConnect](./values.yaml#L595) | int | How many connection-related errors to retry on | `10` |
|
||||
| [controller.sidecars.configAutoReload.resources](./values.yaml#L563) | object | | `{}` |
|
||||
| [controller.sidecars.configAutoReload.scheme](./values.yaml#L590) | string | The scheme to use when connecting to the Jenkins configuration as code endpoint | `"http"` |
|
||||
| [controller.sidecars.configAutoReload.skipTlsVerify](./values.yaml#L592) | bool | Skip TLS verification when connecting to the Jenkins configuration as code endpoint | `false` |
|
||||
| [controller.sidecars.configAutoReload.sleepTime](./values.yaml#L597) | string | How many seconds to wait before updating config-maps/secrets (sets METHOD=SLEEP on the sidecar) | `nil` |
|
||||
| [controller.sidecars.configAutoReload.sshTcpPort](./values.yaml#L611) | int | | `1044` |
|
||||
| [controller.statefulSetAnnotations](./values.yaml#L670) | object | Annotations for controller StatefulSet | `{}` |
|
||||
| [controller.statefulSetLabels](./values.yaml#L232) | object | Jenkins controller custom labels for the StatefulSet | `{}` |
|
||||
| [controller.targetPort](./values.yaml#L221) | int | k8s target port | `8080` |
|
||||
| [controller.terminationGracePeriodSeconds](./values.yaml#L653) | string | Set TerminationGracePeriodSeconds | `nil` |
|
||||
| [controller.terminationMessagePath](./values.yaml#L655) | string | Set the termination message path | `nil` |
|
||||
| [controller.terminationMessagePolicy](./values.yaml#L657) | string | Set the termination message policy | `nil` |
|
||||
| [controller.testEnabled](./values.yaml#L834) | bool | Can be used to disable rendering controller test resources when using helm template | `true` |
|
||||
| [controller.tolerations](./values.yaml#L651) | list | Toleration labels for pod assignment | `[]` |
|
||||
| [controller.topologySpreadConstraints](./values.yaml#L677) | object | Topology spread constraints | `{}` |
|
||||
| [controller.updateStrategy](./values.yaml#L674) | object | Update strategy for StatefulSet | `{}` |
|
||||
| [controller.usePodSecurityContext](./values.yaml#L176) | bool | Enable pod security context (must be `true` if podSecurityContextOverride, runAsUser or fsGroup are set) | `true` |
|
||||
| [credentialsId](./values.yaml#L27) | string | The Jenkins credentials to access the Kubernetes API server. For the default cluster it is not needed. | `nil` |
|
||||
| [fullnameOverride](./values.yaml#L13) | string | Override the full resource names | `jenkins-(release-name)` or `jenkins` if the release-name is `jenkins` |
|
||||
| [helmtest.bats.image.registry](./values.yaml#L1353) | string | Registry of the image used to test the framework | `"docker.io"` |
|
||||
| [helmtest.bats.image.repository](./values.yaml#L1355) | string | Repository of the image used to test the framework | `"bats/bats"` |
|
||||
| [helmtest.bats.image.tag](./values.yaml#L1357) | string | Tag of the image to test the framework | `"1.11.0"` |
|
||||
| [kubernetesURL](./values.yaml#L24) | string | The URL of the Kubernetes API server | `"https://kubernetes.default"` |
|
||||
| [nameOverride](./values.yaml#L10) | string | Override the resource name prefix | `Chart.Name` |
|
||||
| [namespaceOverride](./values.yaml#L16) | string | Override the deployment namespace | `Release.Namespace` |
|
||||
| [networkPolicy.apiVersion](./values.yaml#L1283) | string | NetworkPolicy ApiVersion | `"networking.k8s.io/v1"` |
|
||||
| [networkPolicy.enabled](./values.yaml#L1278) | bool | Enable the creation of NetworkPolicy resources | `false` |
|
||||
| [networkPolicy.externalAgents.except](./values.yaml#L1297) | list | A list of IP sub-ranges to be excluded from the allowlisted IP range | `[]` |
|
||||
| [networkPolicy.externalAgents.ipCIDR](./values.yaml#L1295) | string | The IP range from which external agents are allowed to connect to controller, i.e., 172.17.0.0/16 | `nil` |
|
||||
| [networkPolicy.internalAgents.allowed](./values.yaml#L1287) | bool | Allow internal agents (from the same cluster) to connect to controller. Agent pods will be filtered based on PodLabels | `true` |
|
||||
| [networkPolicy.internalAgents.namespaceLabels](./values.yaml#L1291) | object | A map of labels (keys/values) that agents namespaces must have to be able to connect to controller | `{}` |
|
||||
| [networkPolicy.internalAgents.podLabels](./values.yaml#L1289) | object | A map of labels (keys/values) that agent pods must have to be able to connect to controller | `{}` |
|
||||
| [persistence.accessMode](./values.yaml#L1253) | string | The PVC access mode | `"ReadWriteOnce"` |
|
||||
| [persistence.annotations](./values.yaml#L1249) | object | Annotations for the PVC | `{}` |
|
||||
| [persistence.dataSource](./values.yaml#L1259) | object | Existing data source to clone PVC from | `{}` |
|
||||
| [persistence.enabled](./values.yaml#L1233) | bool | Enable the use of a Jenkins PVC | `true` |
|
||||
| [persistence.existingClaim](./values.yaml#L1239) | string | Provide the name of a PVC | `nil` |
|
||||
| [persistence.labels](./values.yaml#L1251) | object | Labels for the PVC | `{}` |
|
||||
| [persistence.mounts](./values.yaml#L1271) | list | Additional mounts | `[]` |
|
||||
| [persistence.size](./values.yaml#L1255) | string | The size of the PVC | `"8Gi"` |
|
||||
| [persistence.storageClass](./values.yaml#L1247) | string | Storage class for the PVC | `nil` |
|
||||
| [persistence.subPath](./values.yaml#L1264) | string | SubPath for jenkins-home mount | `nil` |
|
||||
| [persistence.volumes](./values.yaml#L1266) | list | Additional volumes | `[]` |
|
||||
| [rbac.create](./values.yaml#L1303) | bool | Whether RBAC resources are created | `true` |
|
||||
| [rbac.readSecrets](./values.yaml#L1305) | bool | Whether the Jenkins service account should be able to read Kubernetes secrets | `false` |
|
||||
| [renderHelmLabels](./values.yaml#L30) | bool | Enables rendering of the helm.sh/chart label to the annotations | `true` |
|
||||
| [serviceAccount.annotations](./values.yaml#L1315) | object | Configures annotations for the ServiceAccount | `{}` |
|
||||
| [serviceAccount.create](./values.yaml#L1309) | bool | Configures if a ServiceAccount with this name should be created | `true` |
|
||||
| [serviceAccount.extraLabels](./values.yaml#L1317) | object | Configures extra labels for the ServiceAccount | `{}` |
|
||||
| [serviceAccount.imagePullSecretName](./values.yaml#L1319) | string | Controller ServiceAccount image pull secret | `nil` |
|
||||
| [serviceAccount.name](./values.yaml#L1313) | string | | `nil` |
|
||||
| [serviceAccountAgent.annotations](./values.yaml#L1330) | object | Configures annotations for the agent ServiceAccount | `{}` |
|
||||
| [serviceAccountAgent.create](./values.yaml#L1324) | bool | Configures if an agent ServiceAccount should be created | `false` |
|
||||
| [serviceAccountAgent.extraLabels](./values.yaml#L1332) | object | Configures extra labels for the agent ServiceAccount | `{}` |
|
||||
| [serviceAccountAgent.imagePullSecretName](./values.yaml#L1334) | string | Agent ServiceAccount image pull secret | `nil` |
|
||||
| [serviceAccountAgent.name](./values.yaml#L1328) | string | The name of the agent ServiceAccount to be used by access-controlled resources | `nil` |
|
||||
Some files were not shown because too many files have changed in this diff Show More
Loading…
Reference in New Issue