diff --git a/assets/aws-event-sources/aws-event-sources-0.1.901.tgz b/assets/aws-event-sources/aws-event-sources-0.1.901.tgz
new file mode 100644
index 000000000..046986ff7
Binary files /dev/null and b/assets/aws-event-sources/aws-event-sources-0.1.901.tgz differ
diff --git a/assets/haproxy/haproxy-1.16.100.tgz b/assets/haproxy/haproxy-1.16.100.tgz
new file mode 100644
index 000000000..794d6d50f
Binary files /dev/null and b/assets/haproxy/haproxy-1.16.100.tgz differ
diff --git a/assets/k8s-triliovault-operator/k8s-triliovault-operator-2.1.0.tgz b/assets/k8s-triliovault-operator/k8s-triliovault-operator-2.1.0.tgz
new file mode 100644
index 000000000..b99d56397
Binary files /dev/null and b/assets/k8s-triliovault-operator/k8s-triliovault-operator-2.1.0.tgz differ
diff --git a/assets/universal-crossplane/universal-crossplane-1.2.300200.tgz b/assets/universal-crossplane/universal-crossplane-1.2.300200.tgz
new file mode 100644
index 000000000..0f126e5b5
Binary files /dev/null and b/assets/universal-crossplane/universal-crossplane-1.2.300200.tgz differ
diff --git a/charts/aws-event-sources/aws-event-sources/0.1.901/.helmignore b/charts/aws-event-sources/aws-event-sources/0.1.901/.helmignore
new file mode 100644
index 000000000..0e8a0eb36
--- /dev/null
+++ b/charts/aws-event-sources/aws-event-sources/0.1.901/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/charts/aws-event-sources/aws-event-sources/0.1.901/Chart.yaml b/charts/aws-event-sources/aws-event-sources/0.1.901/Chart.yaml
new file mode 100644
index 000000000..ac025ff04
--- /dev/null
+++ b/charts/aws-event-sources/aws-event-sources/0.1.901/Chart.yaml
@@ -0,0 +1,26 @@
+annotations:
+ catalog.cattle.io/certified: partner
+ catalog.cattle.io/display-name: Sources for Amazon Web Services
+ catalog.cattle.io/release-name: aws-event-sources
+apiVersion: v2
+appVersion: 1.7.0
+description: AWS Event Sources controller for Kubernetes
+home: https://github.com/triggermesh/aws-event-sources
+icon: https://global-uploads.webflow.com/5f683649f57c927210b6707e/5f683649f57c9261bab67097_logo.svg
+keywords:
+- knative-eventing
+- sources
+- aws
+- triggermesh
+- serverless
+kubeVersion: '>=1.18.0'
+maintainers:
+- email: sameer@triggermesh.com
+ name: sameersbn
+- email: antoine@triggermesh.com
+ name: antoineco
+name: aws-event-sources
+sources:
+- https://github.com/triggermesh/aws-event-sources
+type: application
+version: 0.1.901
diff --git a/charts/aws-event-sources/aws-event-sources/0.1.901/README.md b/charts/aws-event-sources/aws-event-sources/0.1.901/README.md
new file mode 100644
index 000000000..cec82deb0
--- /dev/null
+++ b/charts/aws-event-sources/aws-event-sources/0.1.901/README.md
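Review bot: In Chart.yaml, `kubeVersion: '>=1.18.0'` carries no pre-release suffix, and Helm's semver comparison treats cluster versions with a vendor suffix (a constructed example: `v1.19.6-eks-abc123`) as pre-releases that such a constraint does not match, so installs on managed clusters can be refused. The usual form is `kubeVersion: '>=1.18.0-0'`. The README added in the same commit lists Kubernetes 1.16+ as the prerequisite, which disagrees with this constraint; one of the two should be corrected.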
@@ -0,0 +1,113 @@
+# aws-event-sources
+
+Installs TriggerMesh AWS event sources controller. The following event sources are currently supported by the controller
+
+- Amazon CodeCommit (`kind: AWSCodeCommitSource`)
+- Amazon Cognito Identity (`kind: AWSCognitoIdentitySource`)
+- Amazon Cognito UserPool (`kind: AWSCognitoUserPoolSource`)
+- Amazon DynamoDB (`kind: AWSDynamoDBSource`)
+- Amazon Kinesis (`kind: AWSKinesisSource`)
+- Amazon Simple Notification Service (`kind: AWSSNSSource`)
+- Amazon Simple Queue Service (`kind: AWSSQSSource`)
+
+Refer to [aws-event-sources/config/samples](https://github.com/triggermesh/aws-event-sources/tree/master/config/samples) for examples that make use of the controller.
+
+## TL;DR;
+
+```console
+$ helm repo add triggermesh https://storage.googleapis.com/triggermesh-charts
+$ helm install triggermesh/aws-event-sources
+```
+
+To report bugs and for feedback and support please [create a new issue](https://github.com/triggermesh/aws-event-sources/issues/new).
+
+## Introduction
+
+This chart installs the [aws-event-sources](https://github.com/triggermesh/aws-event-sources) controller on a Kubernetes cluster.
+
+## Prerequisites
+ - Kubernetes 1.16+ with Beta APIs
+ - Helm 3.0+
+ - Knative v0.14+
+
+## Installing the Chart
+
+Add the TriggerMesh chart repository to Helm:
+
+```console
+$ helm repo add triggermesh https://storage.googleapis.com/triggermesh-charts
+```
+
+To install the chart with the release name `my-release`:
+
+```console
+$ helm install --name my-release triggermesh/aws-event-sources
+```
+
+The command deploys the aws-event-sources controller in the default configuration. Refer to the [configuration](#configuration) section for the complete list of parameters that can be specified to customize the deployment of the controller.
+
+## Uninstalling the Chart
+
+To uninstall/delete the `my-release` deployment:
+
+```console
+$ helm delete my-release
+```
+
+The Kubernetes resources associated with chart will be removed and the Helm release will be deleted.
+
+However note that the `CustomResourceDefinition` resources created by the chart will not be removed by the delete command and therefore need to be removed manually.
+
+```console
+$ kubectl delete crd awscodecommitsources.sources.triggermesh.io
+$ kubectl delete crd awscognitoidentitysources.sources.triggermesh.io
+$ kubectl delete crd awscognitouserpoolsources.sources.triggermesh.io
+$ kubectl delete crd awsdynamodbsources.sources.triggermesh.io
+$ kubectl delete crd awsiotsources.sources.triggermesh.io
+$ kubectl delete crd awskinesissources.sources.triggermesh.io
+$ kubectl delete crd awssnssources.sources.triggermesh.io
+$ kubectl delete crd awssqssources.sources.triggermesh.io
+```
+
+## Configuration
+
+| Parameter | Description | Default |
+|---------------------------------------------|-----------------------------------------------------|--------------------------------------------|
+| `nameOverride` | Override the name for controller resources | `""` |
+| `fullnameOverride` | Override the fullname for controller resources | `""` |
+| `rbac.create` | Create RBAC resources | `true` |
+| `serviceAccount.create` | Create service account for the controller | `true` |
+| `serviceAccount.annotations` | Annotations to add to controller service account | `{}` |
+| `serviceAccount.name` | Override the name for the service account | `nil` |
+| `imagePullSecrets` | Specify image pull secrets | `[]` |
+| `image.registry` | Image registry name | `gcr.io` |
+| `image.repository` | Image repository name | `triggermesh/aws-event-sources-controller` |
+| `image.tag` | Image tag | `{TAG_NAME}` |
+| `image.pullPolicy` | Image pull policy | `IfNotPresent` |
+| `adapter.awscloudwatch.repository` | AWS adapter Cloudwatch image name | `triggermesh/awscloudwatchsource` |
+| `adapter.awscloudwatch.tag` | AWS adapter Cloudwatch image tag | `_defaults to value of `.image.tag`_` |
+| `adapter.awscloudwatchlogs.repository` | AWS adapter Cloudwatch Logs image name | `triggermesh/awscloudwatchlogssource` |
+| `adapter.awscloudwatchlogs.tag` | AWS adapter Cloudwatch Logs image tag | `_defaults to value of `.image.tag`_` |
+| `adapter.awscodecommit.repository` | AWS adapter CodeCommit image name | `triggermesh/awscodecommitsource` |
+| `adapter.awscodecommit.tag` | AWS adapter CodeCommit image tag | `_defaults to value of `.image.tag`_` |
+| `adapter.awscognitoidentity.repository` | AWS adapter Cognito Identity image name | `triggermesh/awscognitoidentitysource` |
+| `adapter.awscognitoidentity.tag` | AWS adapter Cognito Identity image tag | `_defaults to value of `.image.tag`_` |
+| `adapter.awscognitouserpool.repository` | AWS adapter Cognito Userpool image name | `triggermesh/awscognitouserpoolsource` |
+| `adapter.awscognitouserpool.tag` | AWS adapter Cognito Userpool image tag | `_defaults to value of `.image.tag`_` |
+| `adapter.awsdynamodb.repository` | AWS adapter DynamoDB image name | `triggermesh/awsdynamodbsource` |
+| `adapter.awsdynamodb.tag` | AWS adapter DynamoDB image tag | `_defaults to value of `.image.tag`_` |
+| `adapter.awskinesis.repository` | AWS adapter Kinesis image name | `triggermesh/awskinesissource` |
+| `adapter.awskinesis.tag` | AWS adapter Kinesis image tag | `_defaults to value of `.image.tag`_` |
+| `adapter.awsperformanceinsights.repository` | AWS adapter Performance Insights image name | `triggermesh/awsperformanceinsightssource` |
+| `adapter.awsperformanceinsights.tag` | AWS adapter Performance Insights image tag | `_defaults to value of `.image.tag`_` |
+| `adapter.awssns.repository` | AWS adapter SNS image name | `triggermesh/awssnssource` |
+| `adapter.awssns.tag` | AWS adapter SNS image tag | `_defaults to value of `.image.tag`_` |
+| `adapter.awssqs.repository` | AWS adapter SQS image name | `triggermesh/awssqssource` |
+| `adapter.awssqs.tag` | AWS adapter SQS image tag | `_defaults to value of `.image.tag`_` |
+| `podAnnotations` | Annotations to add to the controller pod | `{}`` |
+| `podSecurityContext` | Security context for controller pods | `{}` |
+| `securityContext` | Security context for controller containers | `{}` |
+| `resources` | Resource requests/limits for the controller | `{requests: {cpu: 20m, memory: 20Mi}}` |
+| `nodeSelector` | Controller node selector | `{}` |
+| `tolerations` | Tolerations for use with node taints | `[]` |
+| `affinity` | Assign custom affinity rules to the controller pods | `{}` |
diff --git a/charts/aws-event-sources/aws-event-sources/0.1.901/app-readme.md b/charts/aws-event-sources/aws-event-sources/0.1.901/app-readme.md
new file mode 100644
index 000000000..2ae25fffe
--- /dev/null
+++ b/charts/aws-event-sources/aws-event-sources/0.1.901/app-readme.md
@@ -0,0 +1,5 @@
+# TriggerMesh AWS Event Sources
+
+[aws-event-sources](https://github.com/triggermesh/aws-event-sources) is a Kubernetes controller that implements Knative event sources for AWS services.
+
+You may be using some Cloud services on AWS but still interested to run workloads within Kubernetes. To trigger those workloads when events happen in your AWS service you need to have an event source that can consume AWS events and send them to your workload.
diff --git a/charts/aws-event-sources/aws-event-sources/0.1.901/crds/crd-awscloudwatch.yaml b/charts/aws-event-sources/aws-event-sources/0.1.901/crds/crd-awscloudwatch.yaml
new file mode 100644
index 000000000..ce82100b6
--- /dev/null
+++ b/charts/aws-event-sources/aws-event-sources/0.1.901/crds/crd-awscloudwatch.yaml
@@ -0,0 +1,219 @@ +# Copyright 2020-2021 TriggerMesh Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: awscloudwatchsources.sources.triggermesh.io + labels: + eventing.knative.dev/source: 'true' + duck.knative.dev/source: 'true' + knative.dev/crd-install: 'true' + annotations: + registry.knative.dev/eventTypes: | + [ + { "type": "com.amazon.cloudwatch.metrics.message" }, + { "type": "com.amazon.cloudwatch.metrics.metric" } + ] +spec: + group: sources.triggermesh.io + scope: Namespaced + names: + kind: AWSCloudWatchSource + plural: awscloudwatchsources + categories: + - all + - knative + - eventing + - sources + versions: + - name: v1alpha1 + served: true + storage: true + subresources: + status: {} + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + properties: + region: + type: string + pollingInterval: + type: string + metricQueries: + type: array + items: + type: object + properties: + name: + type: string + pattern: ^[a-z]\w{0,254}$ + expression: + type: string + metric: + type: object + properties: + period: + type: integer + stat: + type: string + unit: + type: string + metric: + type: object + properties: + metricName: + type: string + namespace: + type: string + dimensions: + type: array + items: + type: object + properties: + name: + type: string + value: + type: string + oneOf: + - required: ['expression'] + - required: ['metric'] + 
credentials: + type: object + properties: + accessKeyID: + type: object + properties: + value: + type: string + valueFromSecret: + type: object + properties: + name: + type: string + key: + type: string + required: + - name + - key + oneOf: + - required: ['value'] + - required: ['valueFromSecret'] + secretAccessKey: + type: object + properties: + value: + type: string + format: password + valueFromSecret: + type: object + properties: + name: + type: string + key: + type: string + required: + - name + - key + oneOf: + - required: ['value'] + - required: ['valueFromSecret'] + sink: + type: object + properties: + ref: + type: object + properties: + apiVersion: + type: string + kind: + type: string + namespace: + type: string + name: + type: string + required: + - apiVersion + - kind + - name + uri: + type: string + format: uri + oneOf: + - required: ['ref'] + - required: ['uri'] + required: + - region + - metricQueries + - sink + status: + type: object + properties: + sinkUri: + type: string + format: uri + ceAttributes: + type: array + items: + type: object + properties: + type: + type: string + source: + type: string + required: + - type + - source + observedGeneration: + type: integer + format: int64 + conditions: + type: array + items: + type: object + properties: + type: + type: string + status: + type: string + enum: ['True', 'False', Unknown] + severity: + type: string + enum: [Error, Warning, Info] + reason: + type: string + message: + type: string + lastTransitionTime: + type: string + format: date-time + required: + - type + - status + additionalPrinterColumns: + - name: Ready + type: string + jsonPath: .status.conditions[?(@.type=='Ready')].status + - name: Reason + type: string + jsonPath: .status.conditions[?(@.type=='Ready')].reason + - name: Sink + type: string + jsonPath: .status.sinkUri + - name: Age + type: date + jsonPath: .metadata.creationTimestamp 
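Review bot: In crd-awscloudwatch.yaml, `credentials.secretAccessKey` accepts a literal `value` as an alternative to `valueFromSecret` (the `oneOf` beneath it), so an AWS secret key can be written directly into the AWSCloudWatchSource object. A literal stored there is readable by anyone allowed to get or list the custom resource and appears in `kubectl get -o yaml` output and exported manifests, outside the RBAC that protects Secrets; `format: password` looks like a schema annotation only and is unlikely to change how the value is stored. The schema has no `description` fields, so I would at least document the risk on the field, for example `description: Literal secret. Prefer valueFromSecret; a literal is stored in the resource and visible to anyone who can read it.` The same `credentials` block recurs in the cloudwatchlogs, codecommit, cognitoidentity, cognitouserpool and dynamodb CRD hunks. Indentation is lost in this view, so the nesting described here is inferred from key order.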
diff --git a/charts/aws-event-sources/aws-event-sources/0.1.901/crds/crd-awscloudwatchlogs.yaml b/charts/aws-event-sources/aws-event-sources/0.1.901/crds/crd-awscloudwatchlogs.yaml new file mode 100644 index 000000000..16ae9b2c2 --- /dev/null +++ b/charts/aws-event-sources/aws-event-sources/0.1.901/crds/crd-awscloudwatchlogs.yaml 
@@ -0,0 +1,180 @@ +# Copyright 2020-2021 TriggerMesh Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: awscloudwatchlogssources.sources.triggermesh.io + labels: + eventing.knative.dev/source: 'true' + duck.knative.dev/source: 'true' + knative.dev/crd-install: 'true' + annotations: + registry.knative.dev/eventTypes: | + [ + { "type": "com.amazon.logs.log" } + ] +spec: + group: sources.triggermesh.io + scope: Namespaced + names: + kind: AWSCloudWatchLogsSource + plural: awscloudwatchlogssources + categories: + - all + - knative + - eventing + - sources + versions: + - name: v1alpha1 + served: true + storage: true + subresources: + status: {} + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + properties: + arn: + type: string + pattern: '^arn:aws(-cn|-us-gov)?:logs:[a-z]{2}(-gov)?-[a-z]+-\d:\d{12}:.+$' + pollingInterval: + type: string + credentials: + type: object + properties: + accessKeyID: + type: object + properties: + value: + type: string + valueFromSecret: + type: object + properties: + name: + type: string + key: + type: string + required: + - name + - key + oneOf: + - required: ['value'] + - required: ['valueFromSecret'] + secretAccessKey: + type: object + properties: + value: + type: string + format: password + valueFromSecret: + type: object + properties: + name: + type: string + key: + type: string + required: + - name + - key + oneOf: 
+ - required: ['value'] + - required: ['valueFromSecret'] + sink: + type: object + properties: + ref: + type: object + properties: + apiVersion: + type: string + kind: + type: string + namespace: + type: string + name: + type: string + required: + - apiVersion + - kind + - name + uri: + type: string + format: uri + oneOf: + - required: ['ref'] + - required: ['uri'] + required: + - arn + - sink + status: + type: object + properties: + sinkUri: + type: string + format: uri + ceAttributes: + type: array + items: + type: object + properties: + type: + type: string + source: + type: string + required: + - type + - source + observedGeneration: + type: integer + format: int64 + conditions: + type: array + items: + type: object + properties: + type: + type: string + status: + type: string + enum: ['True', 'False', Unknown] + severity: + type: string + enum: [Error, Warning, Info] + reason: + type: string + message: + type: string + lastTransitionTime: + type: string + format: date-time + required: + - type + - status + additionalPrinterColumns: + - name: Ready + type: string + jsonPath: .status.conditions[?(@.type=='Ready')].status + - name: Reason + type: string + jsonPath: .status.conditions[?(@.type=='Ready')].reason + - name: Sink + type: string + jsonPath: .status.sinkUri + - name: Age + type: date + jsonPath: .metadata.creationTimestamp diff --git a/charts/aws-event-sources/aws-event-sources/0.1.901/crds/crd-awscodecommit.yaml b/charts/aws-event-sources/aws-event-sources/0.1.901/crds/crd-awscodecommit.yaml new file mode 100644 index 000000000..bd3c13399 --- /dev/null +++ b/charts/aws-event-sources/aws-event-sources/0.1.901/crds/crd-awscodecommit.yaml 
@@ -0,0 +1,188 @@ +# Copyright 2020-2021 TriggerMesh Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: awscodecommitsources.sources.triggermesh.io + labels: + eventing.knative.dev/source: 'true' + duck.knative.dev/source: 'true' + knative.dev/crd-install: 'true' + annotations: + registry.knative.dev/eventTypes: | + [ + { "type": "com.amazon.codecommit.push" }, + { "type": "com.amazon.codecommit.pull_request" } + ] +spec: + group: sources.triggermesh.io + scope: Namespaced + names: + kind: AWSCodeCommitSource + plural: awscodecommitsources + categories: + - all + - knative + - eventing + - sources + versions: + - name: v1alpha1 + served: true + storage: true + subresources: + status: {} + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + properties: + arn: + type: string + pattern: '^arn:aws(-cn|-us-gov)?:codecommit:[a-z]{2}(-gov)?-[a-z]+-\d:\d{12}:.+$' + branch: + type: string + eventTypes: + type: array + items: + type: string + enum: [push, pull_request] + credentials: + type: object + properties: + accessKeyID: + type: object + properties: + value: + type: string + valueFromSecret: + type: object + properties: + name: + type: string + key: + type: string + required: + - name + - key + oneOf: + - required: ['value'] + - required: ['valueFromSecret'] + secretAccessKey: + type: object + properties: + value: + type: string + format: password + 
valueFromSecret: + type: object + properties: + name: + type: string + key: + type: string + required: + - name + - key + oneOf: + - required: ['value'] + - required: ['valueFromSecret'] + sink: + type: object + properties: + ref: + type: object + properties: + apiVersion: + type: string + kind: + type: string + namespace: + type: string + name: + type: string + required: + - apiVersion + - kind + - name + uri: + type: string + format: uri + oneOf: + - required: ['ref'] + - required: ['uri'] + required: + - arn + - branch + - eventTypes + - sink + status: + type: object + properties: + sinkUri: + type: string + format: uri + ceAttributes: + type: array + items: + type: object + properties: + type: + type: string + source: + type: string + required: + - type + - source + observedGeneration: + type: integer + format: int64 + conditions: + type: array + items: + type: object + properties: + type: + type: string + status: + type: string + enum: ['True', 'False', Unknown] + severity: + type: string + enum: [Error, Warning, Info] + reason: + type: string + message: + type: string + lastTransitionTime: + type: string + format: date-time + required: + - type + - status + additionalPrinterColumns: + - name: Ready + type: string + jsonPath: .status.conditions[?(@.type=='Ready')].status + - name: Reason + type: string + jsonPath: .status.conditions[?(@.type=='Ready')].reason + - name: Sink + type: string + jsonPath: .status.sinkUri + - name: Age + type: date + jsonPath: .metadata.creationTimestamp diff --git a/charts/aws-event-sources/aws-event-sources/0.1.901/crds/crd-awscognitoidentity.yaml b/charts/aws-event-sources/aws-event-sources/0.1.901/crds/crd-awscognitoidentity.yaml new file mode 100644 index 000000000..9adf079af --- /dev/null +++ b/charts/aws-event-sources/aws-event-sources/0.1.901/crds/crd-awscognitoidentity.yaml 
@@ -0,0 +1,178 @@ +# Copyright 2020-2021 TriggerMesh Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: awscognitoidentitysources.sources.triggermesh.io + labels: + eventing.knative.dev/source: 'true' + duck.knative.dev/source: 'true' + knative.dev/crd-install: 'true' + annotations: + registry.knative.dev/eventTypes: | + [ + { "type": "com.amazon.cognito-identity.sync_trigger" } + ] +spec: + group: sources.triggermesh.io + scope: Namespaced + names: + kind: AWSCognitoIdentitySource + plural: awscognitoidentitysources + categories: + - all + - knative + - eventing + - sources + versions: + - name: v1alpha1 + served: true + storage: true + subresources: + status: {} + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + properties: + arn: + type: string + pattern: '^arn:aws(-cn|-us-gov)?:cognito-identity:[a-z]{2}(-gov)?-[a-z]+-\d:\d{12}:identitypool\/.+$' + credentials: + type: object + properties: + accessKeyID: + type: object + properties: + value: + type: string + valueFromSecret: + type: object + properties: + name: + type: string + key: + type: string + required: + - name + - key + oneOf: + - required: ['value'] + - required: ['valueFromSecret'] + secretAccessKey: + type: object + properties: + value: + type: string + format: password + valueFromSecret: + type: object + properties: + name: + type: string + key: + type: string + required: + - name + 
- key + oneOf: + - required: ['value'] + - required: ['valueFromSecret'] + sink: + type: object + properties: + ref: + type: object + properties: + apiVersion: + type: string + kind: + type: string + namespace: + type: string + name: + type: string + required: + - apiVersion + - kind + - name + uri: + type: string + format: uri + oneOf: + - required: ['ref'] + - required: ['uri'] + required: + - arn + - sink + status: + type: object + properties: + sinkUri: + type: string + format: uri + ceAttributes: + type: array + items: + type: object + properties: + type: + type: string + source: + type: string + required: + - type + - source + observedGeneration: + type: integer + format: int64 + conditions: + type: array + items: + type: object + properties: + type: + type: string + status: + type: string + enum: ['True', 'False', Unknown] + severity: + type: string + enum: [Error, Warning, Info] + reason: + type: string + message: + type: string + lastTransitionTime: + type: string + format: date-time + required: + - type + - status + additionalPrinterColumns: + - name: Ready + type: string + jsonPath: .status.conditions[?(@.type=='Ready')].status + - name: Reason + type: string + jsonPath: .status.conditions[?(@.type=='Ready')].reason + - name: Sink + type: string + jsonPath: .status.sinkUri + - name: Age + type: date + jsonPath: .metadata.creationTimestamp diff --git a/charts/aws-event-sources/aws-event-sources/0.1.901/crds/crd-awscognitouserpool.yaml b/charts/aws-event-sources/aws-event-sources/0.1.901/crds/crd-awscognitouserpool.yaml new file mode 100644 index 000000000..e42e0f636 --- /dev/null +++ b/charts/aws-event-sources/aws-event-sources/0.1.901/crds/crd-awscognitouserpool.yaml 
@@ -0,0 +1,178 @@ +# Copyright 2020-2021 TriggerMesh Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: awscognitouserpoolsources.sources.triggermesh.io + labels: + eventing.knative.dev/source: 'true' + duck.knative.dev/source: 'true' + knative.dev/crd-install: 'true' + annotations: + registry.knative.dev/eventTypes: | + [ + { "type": "com.amazon.cognitouserpool.sync_trigger" } + ] +spec: + group: sources.triggermesh.io + scope: Namespaced + names: + kind: AWSCognitoUserPoolSource + plural: awscognitouserpoolsources + categories: + - all + - knative + - eventing + - sources + versions: + - name: v1alpha1 + served: true + storage: true + subresources: + status: {} + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + properties: + arn: + type: string + pattern: '^arn:aws(-cn|-us-gov)?:cognito-idp:[a-z]{2}(-gov)?-[a-z]+-\d:\d{12}:userpool\/.+$' + credentials: + type: object + properties: + accessKeyID: + type: object + properties: + value: + type: string + valueFromSecret: + type: object + properties: + name: + type: string + key: + type: string + required: + - name + - key + oneOf: + - required: ['value'] + - required: ['valueFromSecret'] + secretAccessKey: + type: object + properties: + value: + type: string + format: password + valueFromSecret: + type: object + properties: + name: + type: string + key: + type: string + required: + - name + - key + 
oneOf: + - required: ['value'] + - required: ['valueFromSecret'] + sink: + type: object + properties: + ref: + type: object + properties: + apiVersion: + type: string + kind: + type: string + namespace: + type: string + name: + type: string + required: + - apiVersion + - kind + - name + uri: + type: string + format: uri + oneOf: + - required: ['ref'] + - required: ['uri'] + required: + - arn + - sink + status: + type: object + properties: + sinkUri: + type: string + format: uri + ceAttributes: + type: array + items: + type: object + properties: + type: + type: string + source: + type: string + required: + - type + - source + observedGeneration: + type: integer + format: int64 + conditions: + type: array + items: + type: object + properties: + type: + type: string + status: + type: string + enum: ['True', 'False', Unknown] + severity: + type: string + enum: [Error, Warning, Info] + reason: + type: string + message: + type: string + lastTransitionTime: + type: string + format: date-time + required: + - type + - status + additionalPrinterColumns: + - name: Ready + type: string + jsonPath: .status.conditions[?(@.type=='Ready')].status + - name: Reason + type: string + jsonPath: .status.conditions[?(@.type=='Ready')].reason + - name: Sink + type: string + jsonPath: .status.sinkUri + - name: Age + type: date + jsonPath: .metadata.creationTimestamp diff --git a/charts/aws-event-sources/aws-event-sources/0.1.901/crds/crd-awsdynamodb.yaml b/charts/aws-event-sources/aws-event-sources/0.1.901/crds/crd-awsdynamodb.yaml new file mode 100644 index 000000000..0a1e71070 --- /dev/null +++ b/charts/aws-event-sources/aws-event-sources/0.1.901/crds/crd-awsdynamodb.yaml 
@@ -0,0 +1,180 @@ +# Copyright 2020-2021 TriggerMesh Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: awsdynamodbsources.sources.triggermesh.io + labels: + eventing.knative.dev/source: 'true' + duck.knative.dev/source: 'true' + knative.dev/crd-install: 'true' + annotations: + registry.knative.dev/eventTypes: | + [ + { "type": "com.amazon.dynamodb.insert" }, + { "type": "com.amazon.dynamodb.modify" }, + { "type": "com.amazon.dynamodb.remove" } + ] +spec: + group: sources.triggermesh.io + scope: Namespaced + names: + kind: AWSDynamoDBSource + plural: awsdynamodbsources + categories: + - all + - knative + - eventing + - sources + versions: + - name: v1alpha1 + served: true + storage: true + subresources: + status: {} + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + properties: + arn: + type: string + pattern: '^arn:aws(-cn|-us-gov)?:dynamodb:[a-z]{2}(-gov)?-[a-z]+-\d:\d{12}:table\/.+$' + credentials: + type: object + properties: + accessKeyID: + type: object + properties: + value: + type: string + valueFromSecret: + type: object + properties: + name: + type: string + key: + type: string + required: + - name + - key + oneOf: + - required: ['value'] + - required: ['valueFromSecret'] + secretAccessKey: + type: object + properties: + value: + type: string + format: password + valueFromSecret: + type: object + properties: + name: + type: string + key: 
+ type: string + required: + - name + - key + oneOf: + - required: ['value'] + - required: ['valueFromSecret'] + sink: + type: object + properties: + ref: + type: object + properties: + apiVersion: + type: string + kind: + type: string + namespace: + type: string + name: + type: string + required: + - apiVersion + - kind + - name + uri: + type: string + format: uri + oneOf: + - required: ['ref'] + - required: ['uri'] + required: + - arn + - sink + status: + type: object + properties: + sinkUri: + type: string + format: uri + ceAttributes: + type: array + items: + type: object + properties: + type: + type: string + source: + type: string + required: + - type + - source + observedGeneration: + type: integer + format: int64 + conditions: + type: array + items: + type: object + properties: + type: + type: string + status: + type: string + enum: ['True', 'False', Unknown] + severity: + type: string + enum: [Error, Warning, Info] + reason: + type: string + message: + type: string + lastTransitionTime: + type: string + format: date-time + required: + - type + - status + additionalPrinterColumns: + - name: Ready + type: string + jsonPath: .status.conditions[?(@.type=='Ready')].status + - name: Reason + type: string + jsonPath: .status.conditions[?(@.type=='Ready')].reason + - name: Sink + type: string + jsonPath: .status.sinkUri + - name: Age + type: date + jsonPath: .metadata.creationTimestamp diff --git a/charts/aws-event-sources/aws-event-sources/0.1.901/crds/crd-awsiot.yaml b/charts/aws-event-sources/aws-event-sources/0.1.901/crds/crd-awsiot.yaml new file mode 100644 index 000000000..ec2ff09e3 --- /dev/null +++ b/charts/aws-event-sources/aws-event-sources/0.1.901/crds/crd-awsiot.yaml 
@@ -0,0 +1,157 @@ +# Copyright 2020-2021 TriggerMesh Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: awsiotsources.sources.triggermesh.io + labels: + eventing.knative.dev/source: 'true' + duck.knative.dev/source: 'true' + knative.dev/crd-install: 'true' + annotations: + registry.knative.dev/eventTypes: | + [ + { "type": "com.amazon.iot.greetings" } + ] +spec: + group: sources.triggermesh.io + scope: Namespaced + names: + kind: AWSIoTSource + plural: awsiotsources + categories: + - all + - knative + - eventing + - sources + versions: + - name: v1alpha1 + served: true + storage: true + subresources: + status: {} + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + properties: + endpoint: + type: string + format: hostname + arn: + type: string + pattern: '^arn:aws(-cn|-us-gov)?:iot:[a-z]{2}(-gov)?-[a-z]+-\d:\d{12}:topic\/.+$' + rootCA: + type: string + rootCAPath: + type: string + certificate: + type: string + certificatePath: + type: string + privateKey: + type: string + privateKeyPath: + type: string + sink: + type: object + properties: + ref: + type: object + properties: + apiVersion: + type: string + kind: + type: string + namespace: + type: string + name: + type: string + required: + - apiVersion + - kind + - name + uri: + type: string + format: uri + oneOf: + - required: ['ref'] + - required: ['uri'] + required: + - endpoint + - arn + - rootCA 
+ - certificate + - privateKey + - sink + status: + type: object + properties: + sinkUri: + type: string + format: uri + ceAttributes: + type: array + items: + type: object + properties: + type: + type: string + source: + type: string + required: + - type + - source + observedGeneration: + type: integer + format: int64 + conditions: + type: array + items: + type: object + properties: + type: + type: string + status: + type: string + enum: ['True', 'False', Unknown] + severity: + type: string + enum: [Error, Warning, Info] + reason: + type: string + message: + type: string + lastTransitionTime: + type: string + format: date-time + required: + - type + - status + additionalPrinterColumns: + - name: Ready + type: string + jsonPath: .status.conditions[?(@.type=='Ready')].status + - name: Reason + type: string + jsonPath: .status.conditions[?(@.type=='Ready')].reason + - name: Sink + type: string + jsonPath: .status.sinkUri + - name: Age + type: date + jsonPath: .metadata.creationTimestamp diff --git a/charts/aws-event-sources/aws-event-sources/0.1.901/crds/crd-awskinesis.yaml b/charts/aws-event-sources/aws-event-sources/0.1.901/crds/crd-awskinesis.yaml new file mode 100644 index 000000000..f4197a2fc --- /dev/null +++ b/charts/aws-event-sources/aws-event-sources/0.1.901/crds/crd-awskinesis.yaml 
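Review bot: `rootCA`, `certificate` and `privateKey` are required plain strings with no `description`, so the schema does not say whether they hold PEM material or a reference to it. Unlike the `credentials` block of the other source CRDs in this commit, `privateKey` has no `valueFromSecret` alternative. If the key is meant to be supplied inline, it becomes readable by anyone with read access to `awsiotsources`. I would document the expected content in a `description` on each of the six certificate fields, including the `*Path` variants. If inline material is intended, consider the `value`/`valueFromSecret` shape already used for `secretAccessKey`.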
@@ -0,0 +1,178 @@ +# Copyright 2020-2021 TriggerMesh Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: awskinesissources.sources.triggermesh.io + labels: + eventing.knative.dev/source: 'true' + duck.knative.dev/source: 'true' + knative.dev/crd-install: 'true' + annotations: + registry.knative.dev/eventTypes: | + [ + { "type": "com.amazon.kinesis.stream_record" } + ] +spec: + group: sources.triggermesh.io + scope: Namespaced + names: + kind: AWSKinesisSource + plural: awskinesissources + categories: + - all + - knative + - eventing + - sources + versions: + - name: v1alpha1 + served: true + storage: true + subresources: + status: {} + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + properties: + arn: + type: string + pattern: '^arn:aws(-cn|-us-gov)?:kinesis:[a-z]{2}(-gov)?-[a-z]+-\d:\d{12}:stream\/.+$' + credentials: + type: object + properties: + accessKeyID: + type: object + properties: + value: + type: string + valueFromSecret: + type: object + properties: + name: + type: string + key: + type: string + required: + - name + - key + oneOf: + - required: ['value'] + - required: ['valueFromSecret'] + secretAccessKey: + type: object + properties: + value: + type: string + format: password + valueFromSecret: + type: object + properties: + name: + type: string + key: + type: string + required: + - name + - key + oneOf: + - required: ['value'] + - 
required: ['valueFromSecret'] + sink: + type: object + properties: + ref: + type: object + properties: + apiVersion: + type: string + kind: + type: string + namespace: + type: string + name: + type: string + required: + - apiVersion + - kind + - name + uri: + type: string + format: uri + oneOf: + - required: ['ref'] + - required: ['uri'] + required: + - arn + - sink + status: + type: object + properties: + sinkUri: + type: string + format: uri + ceAttributes: + type: array + items: + type: object + properties: + type: + type: string + source: + type: string + required: + - type + - source + observedGeneration: + type: integer + format: int64 + conditions: + type: array + items: + type: object + properties: + type: + type: string + status: + type: string + enum: ['True', 'False', Unknown] + severity: + type: string + enum: [Error, Warning, Info] + reason: + type: string + message: + type: string + lastTransitionTime: + type: string + format: date-time + required: + - type + - status + additionalPrinterColumns: + - name: Ready + type: string + jsonPath: .status.conditions[?(@.type=='Ready')].status + - name: Reason + type: string + jsonPath: .status.conditions[?(@.type=='Ready')].reason + - name: Sink + type: string + jsonPath: .status.sinkUri + - name: Age + type: date + jsonPath: .metadata.creationTimestamp diff --git a/charts/aws-event-sources/aws-event-sources/0.1.901/crds/crd-awsperformanceinsights.yaml b/charts/aws-event-sources/aws-event-sources/0.1.901/crds/crd-awsperformanceinsights.yaml new file mode 100644 index 000000000..2bfff0c01 --- /dev/null +++ b/charts/aws-event-sources/aws-event-sources/0.1.901/crds/crd-awsperformanceinsights.yaml 
@@ -0,0 +1,187 @@ +# Copyright 2020-2021 TriggerMesh Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: awsperformanceinsightssources.sources.triggermesh.io + labels: + eventing.knative.dev/source: 'true' + duck.knative.dev/source: 'true' + knative.dev/crd-install: 'true' + annotations: + registry.knative.dev/eventTypes: | + [ + { "type": "com.amazon.rds.pi.metric" } + ] +spec: + group: sources.triggermesh.io + scope: Namespaced + names: + kind: AWSPerformanceInsightsSource + plural: awsperformanceinsightssources + categories: + - all + - knative + - eventing + - sources + versions: + - name: v1alpha1 + served: true + storage: true + subresources: + status: {} + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + properties: + arn: + type: string + pattern: ^arn:aws(-cn|-us-gov)?:rds:[a-z]{2}(-gov)?-[a-z]+-\d:\d{12}:.+$ + pollingInterval: + type: string + metricQueries: + type: array + items: + type: string + minLength: 1 + credentials: + type: object + properties: + accessKeyID: + type: object + properties: + value: + type: string + valueFromSecret: + type: object + properties: + name: + type: string + key: + type: string + required: + - name + - key + oneOf: + - required: ['value'] + - required: ['valueFromSecret'] + secretAccessKey: + type: object + properties: + value: + type: string + format: password + valueFromSecret: + type: object + 
properties: + name: + type: string + key: + type: string + required: + - name + - key + oneOf: + - required: ['value'] + - required: ['valueFromSecret'] + sink: + type: object + properties: + ref: + type: object + properties: + apiVersion: + type: string + kind: + type: string + namespace: + type: string + name: + type: string + required: + - apiVersion + - kind + - name + uri: + type: string + format: uri + oneOf: + - required: ['ref'] + - required: ['uri'] + required: + - arn + - sink + - pollingInterval + - metricQueries + status: + type: object + properties: + sinkUri: + type: string + format: uri + ceAttributes: + type: array + items: + type: object + properties: + type: + type: string + source: + type: string + required: + - type + - source + observedGeneration: + type: integer + format: int64 + conditions: + type: array + items: + type: object + properties: + type: + type: string + status: + type: string + enum: ['True', 'False', Unknown] + severity: + type: string + enum: [Error, Warning, Info] + reason: + type: string + message: + type: string + lastTransitionTime: + type: string + format: date-time + required: + - type + - status + additionalPrinterColumns: + - name: Ready + type: string + jsonPath: .status.conditions[?(@.type=='Ready')].status + - name: Reason + type: string + jsonPath: .status.conditions[?(@.type=='Ready')].reason + - name: Sink + type: string + jsonPath: .status.sinkUri + - name: Age + type: date + jsonPath: .metadata.creationTimestamp diff --git a/charts/aws-event-sources/aws-event-sources/0.1.901/crds/crd-awss3.yaml b/charts/aws-event-sources/aws-event-sources/0.1.901/crds/crd-awss3.yaml new file mode 100644 index 000000000..6be0026ac --- /dev/null +++ b/charts/aws-event-sources/aws-event-sources/0.1.901/crds/crd-awss3.yaml 
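Review bot: `metricQueries` is listed in `required` but the array has no `minItems`, so `metricQueries: []` passes validation even though each item is constrained with `minLength: 1`. Adding `minItems: 1` under `metricQueries` would close that gap. `pollingInterval` is a required bare `type: string` with no `pattern` or `description`, so the accepted syntax is not visible from the schema. It is presumably a duration string, which is worth stating in a `description`.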
@@ -0,0 +1,219 @@ +# Copyright 2020-2021 TriggerMesh Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: awss3sources.sources.triggermesh.io + labels: + eventing.knative.dev/source: 'true' + duck.knative.dev/source: 'true' + knative.dev/crd-install: 'true' + annotations: + registry.knative.dev/eventTypes: | + [ + { "type": "com.amazon.s3.objectcreated" }, + { "type": "com.amazon.s3.objectremoved" }, + { "type": "com.amazon.s3.objectrestore" }, + { "type": "com.amazon.s3.reducedredundancylostobject" }, + { "type": "com.amazon.s3.replication" }, + { "type": "com.amazon.s3.testevent" } + ] +spec: + group: sources.triggermesh.io + scope: Namespaced + names: + kind: AWSS3Source + plural: awss3sources + categories: + - all + - knative + - eventing + - sources + versions: + - name: v1alpha1 + served: true + storage: true + subresources: + status: {} + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + properties: + arn: + type: string + # Bucket naming rules + # https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucketnamingrules.html + pattern: ^arn:aws(-cn|-us-gov)?:s3:[a-z]{2}(-gov)?-[a-z]+-\d:\d{12}:[0-9a-z][0-9a-z.-]{2,62}$ + eventTypes: + type: array + items: + type: string + # Accepted values + # https://docs.aws.amazon.com/AmazonS3/latest/API/API_QueueConfiguration.html + # 
https://docs.aws.amazon.com/AmazonS3/latest/userguide/notification-how-to-event-types-and-destinations.html + enum: + - s3:ObjectCreated:* + - s3:ObjectCreated:Put + - s3:ObjectCreated:Post + - s3:ObjectCreated:Copy + - s3:ObjectCreated:CompleteMultipartUpload + - s3:ObjectRemoved:* + - s3:ObjectRemoved:Delete + - s3:ObjectRemoved:DeleteMarkerCreated + - s3:ObjectRestore:* + - s3:ObjectRestore:Post + - s3:ObjectRestore:Completed + - s3:ReducedRedundancyLostObject + - s3:Replication:* + - s3:Replication:OperationFailedReplication + - s3:Replication:OperationNotTracked + - s3:Replication:OperationMissedThreshold + - s3:Replication:OperationReplicatedAfterThreshold + queueARN: + type: string + pattern: ^arn:aws(-cn|-us-gov)?:sqs:[a-z]{2}(-gov)?-[a-z]+-\d:\d{12}:.+$ + credentials: + type: object + properties: + accessKeyID: + type: object + properties: + value: + type: string + valueFromSecret: + type: object + properties: + name: + type: string + key: + type: string + required: + - name + - key + oneOf: + - required: [value] + - required: [valueFromSecret] + secretAccessKey: + type: object + properties: + value: + type: string + format: password + valueFromSecret: + type: object + properties: + name: + type: string + key: + type: string + required: + - name + - key + oneOf: + - required: [value] + - required: [valueFromSecret] + sink: + type: object + properties: + ref: + type: object + properties: + apiVersion: + type: string + kind: + type: string + namespace: + type: string + name: + type: string + required: + - apiVersion + - kind + - name + uri: + type: string + format: uri + oneOf: + - required: [ref] + - required: [uri] + required: + - arn + - eventTypes + - sink + status: + type: object + properties: + queueARN: + type: string + sinkUri: + type: string + format: uri + ceAttributes: + type: array + items: + type: object + properties: + type: + type: string + source: + type: string + required: + - type + - source + observedGeneration: + type: integer + format: 
int64 + conditions: + type: array + items: + type: object + properties: + type: + type: string + status: + type: string + enum: ['True', 'False', Unknown] + severity: + type: string + enum: [Error, Warning, Info] + reason: + type: string + message: + type: string + lastTransitionTime: + type: string + format: date-time + required: + - type + - status + additionalPrinterColumns: + - name: Ready + type: string + jsonPath: .status.conditions[?(@.type=='Ready')].status + - name: Reason + type: string + jsonPath: .status.conditions[?(@.type=='Ready')].reason + - name: Queue + type: string + jsonPath: .status.queueARN + - name: Sink + type: string + jsonPath: .status.sinkUri + - name: Age + type: date + jsonPath: .metadata.creationTimestamp diff --git a/charts/aws-event-sources/aws-event-sources/0.1.901/crds/crd-awssns.yaml b/charts/aws-event-sources/aws-event-sources/0.1.901/crds/crd-awssns.yaml new file mode 100644 index 000000000..43504b3b8 --- /dev/null +++ b/charts/aws-event-sources/aws-event-sources/0.1.901/crds/crd-awssns.yaml 
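Review bot: The `arn` pattern requires a region and a 12-digit account ID, whereas the bucket ARN form documented by AWS leaves both fields empty (`arn:aws:s3:::bucket`), so a bucket ARN copied from AWS is rejected at admission. If that is intentional, the comment above the pattern should say so, e.g. `# Region and account ID are mandatory here, unlike in a native S3 bucket ARN`. `eventTypes` is required but has no `minItems`, so an empty list is accepted; `minItems: 1` would match the intent of `required`.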
@@ -0,0 +1,207 @@ +# Copyright 2020-2021 TriggerMesh Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: awssnssources.sources.triggermesh.io + labels: + eventing.knative.dev/source: 'true' + duck.knative.dev/source: 'true' + knative.dev/crd-install: 'true' + annotations: + registry.knative.dev/eventTypes: | + [ + { "type": "com.amazon.sns.notification" } + ] +spec: + group: sources.triggermesh.io + scope: Namespaced + names: + kind: AWSSNSSource + plural: awssnssources + categories: + - all + - knative + - eventing + - sources + versions: + - name: v1alpha1 + served: true + storage: true + subresources: + status: {} + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + properties: + arn: + type: string + pattern: '^arn:aws(-cn|-us-gov)?:sns:[a-z]{2}(-gov)?-[a-z]+-\d:\d{12}:.+$' + subscriptionAttributes: + type: object + properties: + DeliveryPolicy: + type: string + format: json + nullable: true + FilterPolicy: + type: string + format: json + nullable: true + RawMessageDelivery: + type: string + format: json + nullable: true + RedrivePolicy: + type: string + format: json + nullable: true + credentials: + type: object + properties: + accessKeyID: + type: object + properties: + value: + type: string + valueFromSecret: + type: object + properties: + name: + type: string + key: + type: string + required: + - name + - key + oneOf: + - required: ['value'] 
+ - required: ['valueFromSecret'] + secretAccessKey: + type: object + properties: + value: + type: string + format: password + valueFromSecret: + type: object + properties: + name: + type: string + key: + type: string + required: + - name + - key + oneOf: + - required: ['value'] + - required: ['valueFromSecret'] + sink: + type: object + properties: + ref: + type: object + properties: + apiVersion: + type: string + kind: + type: string + namespace: + type: string + name: + type: string + required: + - apiVersion + - kind + - name + uri: + type: string + format: uri + oneOf: + - required: ['ref'] + - required: ['uri'] + required: + - arn + - sink + status: + type: object + properties: + subscriptionARN: + type: string + sinkUri: + type: string + format: uri + ceAttributes: + type: array + items: + type: object + properties: + type: + type: string + source: + type: string + required: + - type + - source + observedGeneration: + type: integer + format: int64 + conditions: + type: array + items: + type: object + properties: + type: + type: string + status: + type: string + enum: ['True', 'False', Unknown] + severity: + type: string + enum: [Error, Warning, Info] + reason: + type: string + message: + type: string + lastTransitionTime: + type: string + format: date-time + required: + - type + - status + address: + type: object + properties: + url: + type: string + additionalPrinterColumns: + - name: Ready + type: string + jsonPath: .status.conditions[?(@.type=='Ready')].status + - name: Reason + type: string + jsonPath: .status.conditions[?(@.type=='Ready')].reason + - name: URL + type: string + jsonPath: .status.address.url + - name: Sink + type: string + jsonPath: .status.sinkUri + - name: Age + type: date + jsonPath: .metadata.creationTimestamp diff --git a/charts/aws-event-sources/aws-event-sources/0.1.901/crds/crd-awssqs.yaml b/charts/aws-event-sources/aws-event-sources/0.1.901/crds/crd-awssqs.yaml new file mode 100644 index 000000000..09da72248 --- /dev/null 
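Review bot: The four `subscriptionAttributes` fields declare `format: json`, which as far as I know is not among the string formats the API server validates for CRDs. These values are therefore probably accepted as arbitrary strings, and a malformed policy would only be detected later, outside admission. A `description` on each field stating that it must be a JSON-encoded string would set the expectation for users. `RawMessageDelivery` looks like a boolean flag rather than a policy document, which is also worth documenting on the field.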
+++ b/charts/aws-event-sources/aws-event-sources/0.1.901/crds/crd-awssqs.yaml 
@@ -0,0 +1,178 @@ +# Copyright 2020-2021 TriggerMesh Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: awssqssources.sources.triggermesh.io + labels: + eventing.knative.dev/source: 'true' + duck.knative.dev/source: 'true' + knative.dev/crd-install: 'true' + annotations: + registry.knative.dev/eventTypes: | + [ + { "type": "com.amazon.sqs.message" } + ] +spec: + group: sources.triggermesh.io + scope: Namespaced + names: + kind: AWSSQSSource + plural: awssqssources + categories: + - all + - knative + - eventing + - sources + versions: + - name: v1alpha1 + served: true + storage: true + subresources: + status: {} + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + properties: + arn: + type: string + pattern: '^arn:aws(-cn|-us-gov)?:sqs:[a-z]{2}(-gov)?-[a-z]+-\d:\d{12}:.+$' + credentials: + type: object + properties: + accessKeyID: + type: object + properties: + value: + type: string + valueFromSecret: + type: object + properties: + name: + type: string + key: + type: string + required: + - name + - key + oneOf: + - required: ['value'] + - required: ['valueFromSecret'] + secretAccessKey: + type: object + properties: + value: + type: string + format: password + valueFromSecret: + type: object + properties: + name: + type: string + key: + type: string + required: + - name + - key + oneOf: + - required: ['value'] + - required: ['valueFromSecret'] + sink: 
+ type: object + properties: + ref: + type: object + properties: + apiVersion: + type: string + kind: + type: string + namespace: + type: string + name: + type: string + required: + - apiVersion + - kind + - name + uri: + type: string + format: uri + oneOf: + - required: ['ref'] + - required: ['uri'] + required: + - arn + - sink + status: + type: object + properties: + sinkUri: + type: string + format: uri + ceAttributes: + type: array + items: + type: object + properties: + type: + type: string + source: + type: string + required: + - type + - source + observedGeneration: + type: integer + format: int64 + conditions: + type: array + items: + type: object + properties: + type: + type: string + status: + type: string + enum: ['True', 'False', Unknown] + severity: + type: string + enum: [Error, Warning, Info] + reason: + type: string + message: + type: string + lastTransitionTime: + type: string + format: date-time + required: + - type + - status + additionalPrinterColumns: + - name: Ready + type: string + jsonPath: .status.conditions[?(@.type=='Ready')].status + - name: Reason + type: string + jsonPath: .status.conditions[?(@.type=='Ready')].reason + - name: Sink + type: string + jsonPath: .status.sinkUri + - name: Age + type: date + jsonPath: .metadata.creationTimestamp diff --git a/charts/aws-event-sources/aws-event-sources/0.1.901/questions.yml b/charts/aws-event-sources/aws-event-sources/0.1.901/questions.yml new file mode 100644 index 000000000..f07c28f00 --- /dev/null +++ b/charts/aws-event-sources/aws-event-sources/0.1.901/questions.yml 
@@ -0,0 +1,24 @@
+questions:
+- variable: defaultImage
+ default: true
+ description: "Use default Docker images"
+ label: Use Default Images
+ type: boolean
+ show_subquestion_if: false
+ group: "Container Images"
+ subquestions:
+ - variable: image.registry
+ default: "gcr.io"
+ description: "Docker image registry"
+ type: string
+ label: Image Registry
+ - variable: image.repository
+ default: "triggermesh/aws-event-sources-controller"
+ description: "Docker image repository"
+ type: string
+ label: Image Repository
+ - variable: image.tag
+ default: "v1.7.0"
+ description: "Docker image tag"
+ type: string
+ label: Image Tag
diff --git a/charts/aws-event-sources/aws-event-sources/0.1.901/templates/NOTES.txt b/charts/aws-event-sources/aws-event-sources/0.1.901/templates/NOTES.txt
new file mode 100644
index 000000000..cde2826c2
--- /dev/null
+++ b/charts/aws-event-sources/aws-event-sources/0.1.901/templates/NOTES.txt
@@ -0,0 +1,9 @@
+TriggerMesh AWS event sources controller for Knative has been installed.
+
+To view the controller logs:
+
+ kubectl logs -f deploy/{{ include "aws-event-sources.fullname" . }}-controller --namespace {{ .Release.Namespace }}
+
+Refer to https://github.com/triggermesh/aws-event-sources/tree/master/config/samples for examples that make use of the controller.
+
+For support and feedback contact us as https://github.com/triggermesh/aws-event-sources/issues/new.
diff --git a/charts/aws-event-sources/aws-event-sources/0.1.901/templates/_helpers.tpl b/charts/aws-event-sources/aws-event-sources/0.1.901/templates/_helpers.tpl
new file mode 100644
index 000000000..c3b42a6a5
--- /dev/null
+++ b/charts/aws-event-sources/aws-event-sources/0.1.901/templates/_helpers.tpl
@@ -0,0 +1,63 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "aws-event-sources.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "aws-event-sources.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "aws-event-sources.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "aws-event-sources.labels" -}}
+helm.sh/chart: {{ include "aws-event-sources.chart" . }}
+{{ include "aws-event-sources.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "aws-event-sources.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "aws-event-sources.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "aws-event-sources.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "aws-event-sources.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
diff --git a/charts/aws-event-sources/aws-event-sources/0.1.901/templates/clusterrolebinding.yaml b/charts/aws-event-sources/aws-event-sources/0.1.901/templates/clusterrolebinding.yaml
new file mode 100644
index 000000000..593ef80a8
--- /dev/null
+++ b/charts/aws-event-sources/aws-event-sources/0.1.901/templates/clusterrolebinding.yaml
@@ -0,0 +1,213 @@ +# Copyright (c) 2021 TriggerMesh Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +{{- if .Values.serviceAccount.create }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: &app {{ template "aws-event-sources.fullname" . }}-controller + labels: + {{- include "aws-event-sources.labels" . | nindent 4 }} +subjects: +- kind: ServiceAccount + name: {{ template "aws-event-sources.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: *app + +--- + +# Permissions not required by controllers directly, but granted to +# receive-adapters via RoleBindings. +# +# Without them, the following error is thrown: +# "attempting to grant RBAC permissions not currently held" +# + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: &app awscloudwatchlogssource-adapter +subjects: +- kind: ServiceAccount + name: {{ template "aws-event-sources.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: *app +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: &app awscloudwatchsource-adapter +subjects: +- kind: ServiceAccount + name: {{ template "aws-event-sources.serviceAccountName" . 
}} + namespace: {{ .Release.Namespace }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: *app +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: &app awscodecommitsource-adapter +subjects: +- kind: ServiceAccount + name: {{ template "aws-event-sources.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: *app +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: &app awscognitoidentitysource-adapter +subjects: +- kind: ServiceAccount + name: {{ template "aws-event-sources.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: *app +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: &app awscognitouserpoolsource-adapter +subjects: +- kind: ServiceAccount + name: {{ template "aws-event-sources.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: *app +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: &app awsdynamodbsource-adapter +subjects: +- kind: ServiceAccount + name: {{ template "aws-event-sources.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: *app +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: &app awsiotsource-adapter +subjects: +- kind: ServiceAccount + name: {{ template "aws-event-sources.serviceAccountName" . 
}} + namespace: {{ .Release.Namespace }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: *app +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: &app awskinesissource-adapter +subjects: +- kind: ServiceAccount + name: {{ template "aws-event-sources.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: *app +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: &app awsperformanceinsightssource-adapter +subjects: +- kind: ServiceAccount + name: {{ template "aws-event-sources.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: *app +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: &app awss3source-adapter +subjects: +- kind: ServiceAccount + name: {{ template "aws-event-sources.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: *app +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: &app awssnssource-adapter +subjects: +- kind: ServiceAccount + name: {{ template "aws-event-sources.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: *app +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: &app awssqssource-adapter +subjects: +- kind: ServiceAccount + name: {{ template "aws-event-sources.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: *app + +--- + +# Resolve sink URIs +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "aws-event-sources.fullname" . 
}}-controller-addressable-resolver + labels: + {{- include "aws-event-sources.labels" . | nindent 4 }} +subjects: +- kind: ServiceAccount + name: {{ template "aws-event-sources.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: addressable-resolver +{{- end }} diff --git a/charts/aws-event-sources/aws-event-sources/0.1.901/templates/clusterroles.yaml b/charts/aws-event-sources/aws-event-sources/0.1.901/templates/clusterroles.yaml new file mode 100644 index 000000000..55fea878d --- /dev/null +++ b/charts/aws-event-sources/aws-event-sources/0.1.901/templates/clusterroles.yaml 
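Review bot: The whole file is gated on `.Values.serviceAccount.create`, while the controller ClusterRole in clusterroles.yaml is gated on `.Values.rbac.create`, so the two settings can disagree. With `rbac.create=false` these bindings reference a ClusterRole the chart did not create, and with `serviceAccount.create=false` a pre-existing service account receives no bindings at all. Gating the bindings on `{{- if .Values.rbac.create }}` would keep roles and bindings together. The twelve `*-adapter` bindings also use fixed names that are not scoped to the release and carry no chart labels, so a second release in the same cluster would presumably collide with them. Adding `{{- include "aws-event-sources.labels" . | nindent 4 }}` to their metadata would at least make ownership visible.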
@@ -0,0 +1,378 @@
+# Copyright (c) 2020-2021 TriggerMesh Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+{{- if .Values.rbac.create }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ template "aws-event-sources.fullname" . }}-controller
+ labels:
+ {{- include "aws-event-sources.labels" . | nindent 4 }}
+rules:
+
+# Record Kubernetes events
+- apiGroups:
+ - ''
+ resources:
+ - events
+ verbs:
+ - create
+ - patch
+ - update
+
+# Manage receive-adapters
+- apiGroups:
+ - apps
+ resources:
+ - deployments
+ verbs: &all
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - delete
+ - patch
+- apiGroups:
+ - serving.knative.dev
+ resources:
+ - services
+ verbs: *all
+
+# Read Source resources and update their statuses
+- apiGroups:
+ - sources.triggermesh.io
+ resources:
+ - awscloudwatchlogssources
+ - awscloudwatchsources
+ - awscodecommitsources
+ - awscognitoidentitysources
+ - awscognitouserpoolsources
+ - awsdynamodbsources
+ - awsiotsources
+ - awskinesissources
+ - awsperformanceinsightssources
+ - awss3sources
+ - awssnssources
+ - awssqssources
+ verbs:
+ - list
+ - watch
+ - get
+- apiGroups:
+ - sources.triggermesh.io
+ resources:
+ - awscloudwatchlogssources/status
+ - awscloudwatchsources/status
+ - awscodecommitsources/status
+ - awscognitoidentitysources/status
+ - awscognitouserpoolsources/status
+ - awsdynamodbsources/status
+ - awsiotsources/status
+ - awskinesissources/status
+ - awsperformanceinsightssources/status
+ - awss3sources/status
+ - awssnssources/status
+ - awssqssources/status
+ verbs:
+ - update
+
+# Ensure compatibility with the OwnerReferencesPermissionEnforcement Admission Controller
+# https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
+- apiGroups:
+ - sources.triggermesh.io
+ resources:
+ - awscloudwatchlogssources/finalizers
+ - awscloudwatchsources/finalizers
+ - awscodecommitsources/finalizers
+ - awscognitoidentitysources/finalizers
+ - awscognitouserpoolsources/finalizers
+ - awsdynamodbsources/finalizers
+ - awsiotsources/finalizers
+ - awskinesissources/finalizers
+ - awsperformanceinsightssources/finalizers
+ - awss3sources/finalizers
+ - awssnssources/finalizers
+ - awssqssources/finalizers
+ verbs:
+ - update
+
+# Set finalizers
+- apiGroups:
+ - sources.triggermesh.io
+ resources:
+ - awss3sources
+ - awssnssources
+ verbs:
+ - patch
+
+# Manage resource-specific ServiceAccounts and RoleBindings
+- apiGroups:
+ - ''
+ resources:
+ - serviceaccounts
+ verbs:
+ - list
+ - watch
+ - create
+- apiGroups:
+ - ''
+ resources:
+ - serviceaccounts
+ resourceNames: &rbac-objects
+ - awscloudwatchlogssource-adapter
+ - awscloudwatchsource-adapter
+ - awscodecommitsource-adapter
+ - awscognitoidentitysource-adapter
+ - awscognitouserpoolsource-adapter
+ - awsdynamodbsource-adapter
+ - awsiotsource-adapter
+ - awskinesissource-adapter
+ - awsperformanceinsightssource-adapter
+ - awss3source-adapter
+ - awssnssource-adapter
+ - awssqssource-adapter
+ verbs:
+ - update
+- apiGroups:
+ - rbac.authorization.k8s.io
+ resources:
+ - rolebindings
+ verbs:
+ - list
+ - watch
+ - create
+- apiGroups:
+ - rbac.authorization.k8s.io
+ resources:
+ - rolebindings
+ resourceNames: *rbac-objects
+ verbs:
+ - update
+
+# Read credentials
+- apiGroups:
+ - ''
+ resources:
+ - secrets
+ verbs:
+ - get
+
+# Read controller configurations
+- apiGroups:
+ - ''
+ resources:
+ - configmaps
+ verbs:
+ - list
+ - watch
+- apiGroups:
+ - ''
+ resources:
+ - configmaps
+ resourceNames:
+ - config-logging
+ - config-observability
+ - config-leader-election
+ verbs:
+ - get
+
+# Acquire leases for leader election
+- apiGroups:
+ - coordination.k8s.io
+ resources:
+ - leases
+ verbs:
+ - get
+ - create
+ - update
+
+# Determine the exact reason why Deployments fail
+- apiGroups:
+ - ''
+ resources:
+ - pods
+ verbs:
+ - list
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: awscloudwatchlogssource-adapter
+rules: []
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: awscloudwatchsource-adapter
+rules: []
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: awscodecommitsource-adapter
+rules: []
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: awscognitoidentitysource-adapter
+rules: []
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: awscognitouserpoolsource-adapter
+rules: []
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: awsdynamodbsource-adapter
+rules: []
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: awsiotsource-adapter
+rules: []
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: awskinesissource-adapter
+rules: []
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: awsperformanceinsightssource-adapter
+rules: []
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: awss3source-adapter
+rules: []
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: awssnssource-adapter
+rules:
+
+# Record Kubernetes events
+- apiGroups:
+ - ''
+ resources:
+ - events
+ verbs:
+ - create
+ - patch
+ - update
+
+# Read Source resources and update their statuses
+- apiGroups:
+ - sources.triggermesh.io
+ resources:
+ - awssnssources
+ verbs:
+ - list
+ - watch
+- apiGroups:
+ - sources.triggermesh.io
+ resources:
+ - awssnssources/status
+ verbs:
+ - patch
+
+# Read credentials
+- apiGroups:
+ - ''
+ resources:
+ - secrets
+ verbs:
+ - get
+
+# Acquire leases for leader election
+- apiGroups:
+ - coordination.k8s.io
+ resources:
+ - leases
+ verbs:
+ - get
+ - create
+ - update
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: awssqssource-adapter
+rules: []
+
+---
+
+# The role is needed for the aggregated role source-observer in knative-eventing to provide readonly access to "Sources".
+# see https://github.com/knative/eventing/blob/release-0.14/docs/spec/sources.md#source-rbac
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ template "aws-event-sources.fullname" . }}-observer
+ labels:
+ duck.knative.dev/source: 'true'
+ {{- include "aws-event-sources.labels" . | nindent 4 }}
+rules:
+- apiGroups:
+ - sources.triggermesh.io
+ resources:
+ - awscloudwatchlogssources
+ - awscloudwatchsources
+ - awscodecommitsources
+ - awscognitoidentitysources
+ - awscognitouserpoolsources
+ - awsdynamodbsources
+ - awsiotsources
+ - awskinesissources
+ - awsperformanceinsightssources
+ - awssnssources
+ - awssqssources
+ verbs:
+ - get
+ - list
+ - watch
+{{- end }}
diff --git a/charts/aws-event-sources/aws-event-sources/0.1.901/templates/deployment.yaml b/charts/aws-event-sources/aws-event-sources/0.1.901/templates/deployment.yaml
new file mode 100644
index 000000000..41ef1ddd2
--- /dev/null
+++ b/charts/aws-event-sources/aws-event-sources/0.1.901/templates/deployment.yaml
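Review bot: The `# Read credentials` rule in the `-controller` ClusterRole of clusterroles.yaml grants `get` on `secrets` with no `resourceNames`, and the same rule appears in `awssnssource-adapter`, which the visible part of clusterrolebindings.yaml binds cluster-wide to the chart's ServiceAccount; that account can therefore read any Secret in any namespace by name. Leaving out `list`/`watch` already prevents enumeration, but the scope should be stated in the template, e.g. `# get only (no list/watch); applies to every namespace because this is a ClusterRole`, and operators should be pointed at audit logging for Secret reads by this ServiceAccount. Separately, the `-observer` role lists eleven source kinds and omits `awss3sources`, which the controller rules include; if that is not deliberate, add `- awss3sources` to its `resources`.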
@@ -0,0 +1,109 @@
+# Copyright (c) 2020 TriggerMesh Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ include "aws-event-sources.fullname" . }}-controller
+ labels:
+ {{- include "aws-event-sources.labels" . | nindent 4 }}
+
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ {{- include "aws-event-sources.selectorLabels" . | nindent 6}}
+ template:
+ metadata:
+ labels:
+ {{- include "aws-event-sources.labels" . | nindent 8 }}
+ {{- with .Values.podAnnotations }}
+ annotations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+
+ spec:
+ {{- with .Values.imagePullSecrets }}
+ imagePullSecrets:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ serviceAccountName: {{ template "aws-event-sources.serviceAccountName" . }}
+ securityContext:
+ {{- toYaml .Values.podSecurityContext | nindent 8 }}
+
+ containers:
+ - name: controller
+ terminationMessagePolicy: FallbackToLogsOnError
+ image: "{{ .Values.image.registry }}/{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+ imagePullPolicy: {{ .Values.image.pullPolicy}}
+
+ resources:
+ {{- toYaml .Values.resources | nindent 12 }}
+
+ env:
+ - name: SYSTEM_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ # Logging/observability configuration
+ - name: CONFIG_LOGGING_NAME
+ value: config-logging
+ - name: CONFIG_OBSERVABILITY_NAME
+ value: config-observability
+ - name: METRICS_DOMAIN
+ value: triggermesh.io/sources
+ # Source adapters
+ - name: AWSCLOUDWATCHSOURCE_IMAGE
+ value: "{{ .Values.image.registry }}/{{ .Values.adapters.awscloudwatch.repository }}:{{ default .Values.image.tag .Values.adapters.awscloudwatch.tag }}"
+ - name: AWSCLOUDWATCHLOGSSOURCE_IMAGE
+ value: "{{ .Values.image.registry }}/{{ .Values.adapters.awscloudwatchlogs.repository }}:{{ default .Values.image.tag .Values.adapters.awscloudwatchlogs.tag }}"
+ - name: AWSCODECOMMITSOURCE_IMAGE
+ value: "{{ .Values.image.registry }}/{{ .Values.adapters.awscodecommit.repository }}:{{ default .Values.image.tag .Values.adapters.awscodecommit.tag }}"
+ - name: AWSCOGNITOIDENTITYSOURCE_IMAGE
+ value: "{{ .Values.image.registry }}/{{ .Values.adapters.awscognitoidentity.repository }}:{{ default .Values.image.tag .Values.adapters.awscognitoidentity.tag }}"
+ - name: AWSCOGNITOUSERPOOLSOURCE_IMAGE
+ value: "{{ .Values.image.registry }}/{{ .Values.adapters.awscognitouserpool.repository }}:{{ default .Values.image.tag .Values.adapters.awscognitouserpool.tag }}"
+ - name: AWSDYNAMODBSOURCE_IMAGE
+ value: "{{ .Values.image.registry }}/{{ .Values.adapters.awsdynamodb.repository }}:{{ default .Values.image.tag .Values.adapters.awsdynamodb.tag }}"
+ - name: AWSKINESISSOURCE_IMAGE
+ value: "{{ .Values.image.registry }}/{{ .Values.adapters.awskinesis.repository }}:{{ default .Values.image.tag .Values.adapters.awskinesis.tag }}"
+ - name: AWSPERFORMANCEINSIGHTSSOURCE_IMAGE
+ value: "{{ .Values.image.registry }}/{{ .Values.adapters.awsperformanceinsights.repository }}:{{ default .Values.image.tag .Values.adapters.awsperformanceinsights.tag }}"
+ - name: AWSSNSSOURCE_IMAGE
+ value: "{{ .Values.image.registry }}/{{ .Values.adapters.awssns.repository }}:{{ default .Values.image.tag .Values.adapters.awssns.tag }}"
+ - name: AWSSQSSOURCE_IMAGE
+ value: "{{ .Values.image.registry }}/{{ .Values.adapters.awssqs.repository }}:{{ default .Values.image.tag .Values.adapters.awssqs.tag }}"
+ securityContext:
+ allowPrivilegeEscalation: false
+ {{- with .Values.securityContext }}
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
+ ports:
+ - name: metrics
+ containerPort: 9090
+ - name: profiling
+ containerPort: 8008
+
+ {{- with .Values.nodeSelector }}
+ nodeSelector:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.affinity }}
+ affinity:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.tolerations }}
+ tolerations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
diff --git a/charts/aws-event-sources/aws-event-sources/0.1.901/templates/serviceaccount.yaml b/charts/aws-event-sources/aws-event-sources/0.1.901/templates/serviceaccount.yaml
new file mode 100644
index 000000000..e61b0f896
--- /dev/null
+++ b/charts/aws-event-sources/aws-event-sources/0.1.901/templates/serviceaccount.yaml
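Review bot: The controller container's `securityContext` in deployment.yaml hard-codes only `allowPrivilegeEscalation: false`, and values.yaml ships `securityContext: {}` and `podSecurityContext: {}`, so a default install sets neither a non-root requirement nor a capability drop. Consider adding `runAsNonRoot: true` and `capabilities: {drop: [ALL]}` next to the existing key, provided the image runs as a non-root user, which this diff does not show. Because `.Values.securityContext` is rendered with `toYaml` into the same mapping, a user value that also sets `allowPrivilegeEscalation` yields a duplicate key, which depending on the parser is either an error or a silent override of the hard-coded `false`. Moving the default into values.yaml as `securityContext: {allowPrivilegeEscalation: false}` and rendering the mapping once would remove that ambiguity.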
@@ -0,0 +1,26 @@
+# Copyright (c) 2020-2021 TriggerMesh Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+{{- if .Values.serviceAccount.create }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ template "aws-event-sources.serviceAccountName" . }}
+ labels:
+ {{- include "aws-event-sources.labels" . | nindent 4 }}
+ {{- with .Values.serviceAccount.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+{{- end }}
diff --git a/charts/aws-event-sources/aws-event-sources/0.1.901/values.yaml b/charts/aws-event-sources/aws-event-sources/0.1.901/values.yaml
new file mode 100644
index 000000000..63aa57f8a
--- /dev/null
+++ b/charts/aws-event-sources/aws-event-sources/0.1.901/values.yaml
@@ -0,0 +1,68 @@
+nameOverride: ""
+
+fullnameOverride: ""
+
+rbac:
+ create: true
+
+serviceAccount:
+ create: true
+ annotations: {}
+ name: ""
+
+imagePullSecrets: []
+
+image:
+ registry: gcr.io
+ repository: triggermesh/aws-event-sources-controller
+ tag: v1.7.0
+ pullPolicy: IfNotPresent
+
+adapters:
+ awscloudwatch:
+ repository: triggermesh/awscloudwatchsource
+ tag: ""
+ awscloudwatchlogs:
+ repository: triggermesh/awscloudwatchlogssource
+ tag: ""
+ awscodecommit:
+ repository: triggermesh/awscodecommitsource
+ tag: ""
+ awscognitoidentity:
+ repository: triggermesh/awscognitoidentitysource
+ tag: ""
+ awscognitouserpool:
+ repository: triggermesh/awscognitouserpoolsource
+ tag: ""
+ awsdynamodb:
+ repository: triggermesh/awsdynamodbsource
+ tag: ""
+ awskinesis:
+ repository: triggermesh/awskinesissource
+ tag: ""
+ awsperformanceinsights:
+ repository: triggermesh/awsperformanceinsightssource
+ tag: ""
+ awssns:
+ repository: triggermesh/awssnssource
+ tag: ""
+ awssqs:
+ repository: triggermesh/awssqssource
+ tag: ""
+
+podAnnotations: {}
+
+podSecurityContext: {}
+
+securityContext: {}
+
+resources:
+ requests:
+ cpu: 20m
+ memory: 20Mi
+
+nodeSelector: {}
+
+tolerations: []
+
+affinity: {}
diff --git a/charts/haproxy/haproxy/1.16.100/.helmignore b/charts/haproxy/haproxy/1.16.100/.helmignore
new file mode 100644
index 000000000..f0c131944
--- /dev/null
+++ b/charts/haproxy/haproxy/1.16.100/.helmignore
@@ -0,0 +1,21 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
diff --git a/charts/haproxy/haproxy/1.16.100/Chart.yaml b/charts/haproxy/haproxy/1.16.100/Chart.yaml
new file mode 100644
index 000000000..eec642bf8
--- /dev/null
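Review bot: In the aws-event-sources values.yaml, `image.tag: v1.7.0` is a mutable tag and every adapter `tag: ""` falls back to it through `default .Values.image.tag ...` in deployment.yaml, so the controller and all ten adapter images are resolved by tag and nothing ties a release to specific image content. Since the template renders `registry/repository:tag`, a digest can be supplied only by writing it into the tag value, e.g. `tag: v1.7.0@sha256:<CONTROLLER_IMAGE_DIGEST>` (placeholder), and in that case each adapter needs its own explicit tag or it would inherit the controller's digest. A short comment above `image:` explaining this, or a dedicated optional `digest` value per image, would make pinning usable for operators who verify images before deployment.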
+++ b/charts/haproxy/haproxy/1.16.100/Chart.yaml
@@ -0,0 +1,24 @@
+annotations:
+ catalog.cattle.io/certified: partner
+ catalog.cattle.io/display-name: HAProxy Kubernetes Ingress Controller
+ catalog.cattle.io/release-name: haproxy
+apiVersion: v1
+appVersion: 1.6.5
+description: A Helm chart for HAProxy Kubernetes Ingress Controller
+home: https://github.com/haproxytech/helm-charts/tree/main/kubernetes-ingress
+icon: http://www.haproxy.org/img/HAProxyCommunityEdition_60px.png
+keywords:
+- ingress
+- haproxy
+kubeVersion: '>=1.12.0-0'
+maintainers:
+- email: mmhedhbi@haproxy.com
+ name: Moemen Mhedhbi
+- email: bassmann@haproxy.com
+ name: Baptiste Assmann
+- email: dkorunic@haproxy.com
+ name: Dinko Korunic
+name: haproxy
+sources:
+- https://github.com/haproxytech/kubernetes-ingress
+version: 1.16.100
diff --git a/charts/haproxy/haproxy/1.16.100/README.md b/charts/haproxy/haproxy/1.16.100/README.md
new file mode 100644
index 000000000..17fcdb04d
--- /dev/null
+++ b/charts/haproxy/haproxy/1.16.100/README.md
@@ -0,0 +1,264 @@ +# ![HAProxy](https://github.com/haproxytech/kubernetes-ingress/raw/master/assets/images/haproxy-weblogo-210x49.png "HAProxy") + +## HAProxy Kubernetes Ingress Controller + +An ingress controller is a Kubernetes resource that routes traffic from outside your cluster to services within the cluster. HAProxy Kubernetes Ingress Controller uses ConfigMap to store the haproxy configuration. + +Detailed documentation can be found within the [Official Documentation](https://www.haproxy.com/documentation/kubernetes/latest/). + +Additional configuration details can be found in [annotation reference](https://github.com/haproxytech/kubernetes-ingress/tree/master/documentation) and in image [arguments reference](https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md). + +## Introduction + +This chart bootstraps an HAProxy kubernetes-ingress deployment/daemonset on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager. + +### Prerequisites + +- Kubernetes 1.12+ +- Helm 2.9+ + +## Before you begin + +### Setup a Kubernetes Cluster + +The quickest way to setup a Kubernetes cluster is with [Azure Kubernetes Service](https://azure.microsoft.com/en-us/services/kubernetes-service/), [AWS Elastic Kubernetes Service](https://aws.amazon.com/eks/) or [Google Kubernetes Engine](https://cloud.google.com/kubernetes-engine/) using their respective quick-start guides. + +For setting up Kubernetes on other cloud platforms or bare-metal servers refer to the Kubernetes [getting started guide](http://kubernetes.io/docs/getting-started-guides/). + +### Install Helm + +Get the latest [Helm release](https://github.com/helm/helm#install). 
+ +### Add Helm chart repo + +Once you have Helm installed, add the repo as follows: + +```console +helm repo add haproxytech https://haproxytech.github.io/helm-charts + +helm repo update +``` + +## Install the chart + +To install the chart with Helm v3 as _my-release_ deployment: + +```console +helm install my-release haproxytech/kubernetes-ingress +``` + +**_NOTE_**: To install the chart with Helm v2 (legacy Helm) the syntax requires adding deployment name to `--name` parameter: + +```console +helm install haproxytech/kubernetes-ingress \ + --name my-release +``` + +### Installing with unique name + +To auto-generate controller and its resources names when installing, use the following: + +```console +helm install haproxytech/kubernetes-ingress \ + --generate-name +``` + +### Installing from a private registry + +To install the chart using a private registry for controller into a separate namespace _prod_. + +**_NOTE_**: Helm v3 requires namespace to be precreated (eg. with `kubectl create namespace prod`) + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --namespace prod \ + --set controller.image.tag=SOMETAG \ + --set controller.imageCredentials.registry=myregistry.domain.com \ + --set controller.imageCredentials.username=MYUSERNAME \ + --set controller.imageCredentials.password=MYPASSWORD +``` + +Alternatively, use a pre-configured (existing) imagePullSecret in the same namespace: + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --namespace prod \ + --set controller.image.tag=SOMETAG \ + --set controller.existingImagePullSecret name-of-existing-image-pull-secret +``` + +### Using values from YAML file + +As opposed to using many `--set` invocations, much simpler approach is to define value overrides in a separate YAML file and specify them when invoking Helm: + +_mylb.yaml_: + +```yaml +controller: + kind: DaemonSet + ingressClass: haproxy + service: + type: LoadBalancer + annotations: + 
service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: "true" + service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0 +``` + +And invoking Helm becomes (compare to the previous example): + +```console +helm install my-ingress -f mylb.yml haproxytech/kubernetes-ingress +``` + +A typical YAML file for TCP services looks like (provided that configmap "[default/tcp](https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md)" was created) : + +```yaml +controller: + service: + tcpPorts: + - name: mysql + port: 3306 + targetPort: 3306 + extraArgs: + - --configmap-tcp-services=default/tcp +``` + +### Installing as DaemonSet + +Default controller mode is [Deployment](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/), but it is possible to use [DaemonSet](https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/) as well: + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --set controller.kind=DaemonSet +``` + +### Installing in multi-ingress environment + +It is also possible to set controller ingress class to be used in [multi-ingress environments](https://kubernetes.io/docs/concepts/services-networking/ingress-controllers/#using-multiple-ingress-controllers): + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --set controller.kind=DaemonSet \ + --set controller.ingressClass=haproxy +``` + +**_NOTE_**: make sure your Ingress routes have corresponding `ingress.class: haproxy` annotation. + +### Installing with service annotations + +On some environments like EKS and GKE there might be a need to pass service annotations. 
Syntax can become a little tedious however: + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --set controller.kind=DaemonSet \ + --set controller.ingressClass=haproxy \ + --set controller.service.type=LoadBalancer \ + --set controller.service.annotations."service\.beta\.kubernetes\.io/aws-load-balancer-internal"="0.0.0.0/0" \ + --set controller.service.annotations."service\.beta\.kubernetes\.io/aws-load-balancer-cross-zone-load-balancing-enabled"="true" +``` + +**_NOTE_**: With helm `--set` it is needed to put quotes and escape dots in the annotation key and commas in the value string. + +### Installing with Horizontal Pod Autoscaler (HPA) + +[HPA](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/) automatically scales number of replicas in Deployment or Replication Controller and adjusts replica count for the controller: + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --set controller.autoscaling.enabled=true +``` + +### Installing the ServiceMonitor + +If you're using the [Prometheus Operator](https://github.com/prometheus-operator/prometheus-operator), you can automatically install the `ServiceMonitor` definition in order to automate the scraping options according to your needs. 
+ +```console +helm repo add prometheus-community https://prometheus-community.github.io/helm-charts + +helm install prometheus prometheus-community/kube-prometheus-stack \ + --set prometheus.prometheusSpec.podMonitorSelectorNilUsesHelmValues=false \ + --set prometheus.prometheusSpec.serviceMonitorSelectorNilUsesHelmValues=false + +helm install my-ingress haproxytech/kubernetes-ingress \ + --set controller.serviceMonitor.enabled=true +``` + +### Installing with Kubernetes Event-driven Autoscaling (KEDA) + +[KEDA](https://keda.sh/docs/2.3/concepts/scaling-deployments/) is an improved scaling solution built on top of HPA which allows autoscaling criteria based on information from any event source including Prometheus metrics collected from HAProxy native Prometheus Exporter. + +To enable KEDA, you will also need to install Prometheus Operator and ServiceMonitor enabled (serverAddress has to match `prometheus-kube-prometheus-prometheus` service IP): + +_mykeda.yaml_: + +```yaml +controller: + kind: Deployment + serviceMonitor: + enabled: true + keda: + enabled: true + minReplicas: 1 + maxReplicas: 5 + triggers: + - type: prometheus + metadata: + serverAddress: http://10.96.206.247:9090 + metricName: haproxy_frontend_current_sessions + threshold: "100" + query: sum(rate(haproxy_frontend_current_sessions{proxy="http"}[2m])) +``` + +Note: Other options to trigger scaling can be found in Prometheus [native exporter documentation](https://github.com/haproxy/haproxy/blob/master/addons/promex/README), but some ideas are: + +- `haproxy_process_idle_time_percent` +- `haproxy_frontend_current_sessions` +- `haproxy_backend_current_queue` + +And to install: + +```console +helm repo add prometheus-community https://prometheus-community.github.io/helm-charts +helm repo add kedacore https://kedacore.github.io/charts + +helm repo update + +helm install prometheus prometheus-community/kube-prometheus-stack \ + --set prometheus.prometheusSpec.podMonitorSelectorNilUsesHelmValues=false \ 
+ --set prometheus.prometheusSpec.serviceMonitorSelectorNilUsesHelmValues=false + +kubectl create namespace keda +helm install keda kedacore/keda --namespace keda + +helm install mytest haproxytech/kubernetes-ingress -f mykeda.yaml +``` + +## Upgrading the chart + +To upgrade the _my-release_ deployment: + +```console +helm upgrade my-release haproxytech/kubernetes-ingress +``` + +## Uninstalling the chart + +To uninstall/delete the _my-release_ deployment: + +```console +helm delete my-release +``` + +## Debugging + +It is possible to generate a set of YAML files for testing/debugging: + +```console +helm install my-release haproxytech/kubernetes-ingress \ + --debug \ + --dry-run +``` + +## Contributing + +We welcome all contributions. Please refer to [guidelines](../CONTRIBUTING.md) on how to make a contribution. diff --git a/charts/haproxy/haproxy/1.16.100/app-readme.md b/charts/haproxy/haproxy/1.16.100/app-readme.md new file mode 100644 index 000000000..aae3d1bd8 --- /dev/null +++ b/charts/haproxy/haproxy/1.16.100/app-readme.md 
@@ -0,0 +1,8 @@ +# HAProxy +[HAProxy](https://www.haproxy.org/) is the world's fastest and most widely used software load balancer. HAProxy allows organizations to deliver websites and applications with the utmost performance, observability, and security at any scale and in any environment. + +# HAProxy Enterprise +[HAProxy Enterprise](https://www.haproxy.com/products/haproxy-enterprise-edition/) is an enterprise-class version of HAProxy providing a robust and reliable code base with cutting edge features, an enterprise suite of add-ons, expert support, and professional services. At its core, it incorporates feature backports from the HAProxy development branch for customers who require immediate access to the latest functionality in a hardened version of code. + +## Introduction +This chart bootstraps the [HAProxy Ingress Controller](https://github.com/haproxytech/kubernetes-ingress) or the [HAProxy Enterprise Ingress Controller](https://www.haproxy.com/products/haproxy-enterprise-kubernetes-ingress-controller/) using the [Helm](https://helm.sh) package manager. diff --git a/charts/haproxy/haproxy/1.16.100/ci/daemonset-customconfig-values.yaml b/charts/haproxy/haproxy/1.16.100/ci/daemonset-customconfig-values.yaml new file mode 100644 index 000000000..116158a14 --- /dev/null +++ b/charts/haproxy/haproxy/1.16.100/ci/daemonset-customconfig-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet + config: + rate-limit: "ON" diff --git a/charts/haproxy/haproxy/1.16.100/ci/daemonset-customnodeport-values.yaml b/charts/haproxy/haproxy/1.16.100/ci/daemonset-customnodeport-values.yaml new file mode 100644 index 000000000..c9de04c16 --- /dev/null +++ b/charts/haproxy/haproxy/1.16.100/ci/daemonset-customnodeport-values.yaml @@ -0,0 +1,7 @@ +controller: + kind: DaemonSet + service: + type: NodePort + ports: + 8000: 10000 + 8001: 10001 
diff --git a/charts/haproxy/haproxy/1.16.100/ci/daemonset-default-values.yaml b/charts/haproxy/haproxy/1.16.100/ci/daemonset-default-values.yaml new file mode 100644 index 000000000..ddb25623a --- /dev/null +++ b/charts/haproxy/haproxy/1.16.100/ci/daemonset-default-values.yaml @@ -0,0 +1,2 @@ +controller: + kind: DaemonSet diff --git a/charts/haproxy/haproxy/1.16.100/ci/daemonset-disableddefaultbackend-values.yaml b/charts/haproxy/haproxy/1.16.100/ci/daemonset-disableddefaultbackend-values.yaml new file mode 100644 index 000000000..3a1687a33 --- /dev/null +++ b/charts/haproxy/haproxy/1.16.100/ci/daemonset-disableddefaultbackend-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet +defaultBackend: + enabled: false diff --git a/charts/haproxy/haproxy/1.16.100/ci/daemonset-disabledsecretconfig-values.yaml b/charts/haproxy/haproxy/1.16.100/ci/daemonset-disabledsecretconfig-values.yaml new file mode 100644 index 000000000..362fbb982 --- /dev/null +++ b/charts/haproxy/haproxy/1.16.100/ci/daemonset-disabledsecretconfig-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet + defaultTLSSecret: + enabled: false diff --git a/charts/haproxy/haproxy/1.16.100/ci/daemonset-enableports-values.yaml b/charts/haproxy/haproxy/1.16.100/ci/daemonset-enableports-values.yaml new file mode 100644 index 000000000..9a41dac52 --- /dev/null +++ b/charts/haproxy/haproxy/1.16.100/ci/daemonset-enableports-values.yaml @@ -0,0 +1,7 @@ +controller: + kind: DaemonSet + service: + enablePorts: + http: false + https: true + stat: false diff --git a/charts/haproxy/haproxy/1.16.100/ci/daemonset-extraargs-values.yaml b/charts/haproxy/haproxy/1.16.100/ci/daemonset-extraargs-values.yaml new file mode 100644 index 000000000..691acbc44 --- /dev/null +++ b/charts/haproxy/haproxy/1.16.100/ci/daemonset-extraargs-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet + extraArgs: + - --namespace-whitelist=default 
diff --git a/charts/haproxy/haproxy/1.16.100/ci/daemonset-extraenvs-values.yaml b/charts/haproxy/haproxy/1.16.100/ci/daemonset-extraenvs-values.yaml new file mode 100644 index 000000000..35294fad2 --- /dev/null +++ b/charts/haproxy/haproxy/1.16.100/ci/daemonset-extraenvs-values.yaml @@ -0,0 +1,7 @@ +controller: + kind: DaemonSet + extraEnvs: + - name: TEST_STR1 + value: foo + - name: TEST_STR2 + value: baz diff --git a/charts/haproxy/haproxy/1.16.100/ci/daemonset-hostport-values.yaml b/charts/haproxy/haproxy/1.16.100/ci/daemonset-hostport-values.yaml new file mode 100644 index 000000000..45042ea50 --- /dev/null +++ b/charts/haproxy/haproxy/1.16.100/ci/daemonset-hostport-values.yaml @@ -0,0 +1,8 @@ +controller: + kind: DaemonSet + daemonset: + useHostPort: true + hostPorts: + http: 80 + https: 443 + stat: 1024 diff --git a/charts/haproxy/haproxy/1.16.100/ci/daemonset-ingressclass-values.yaml b/charts/haproxy/haproxy/1.16.100/ci/daemonset-ingressclass-values.yaml new file mode 100644 index 000000000..15b3daed2 --- /dev/null +++ b/charts/haproxy/haproxy/1.16.100/ci/daemonset-ingressclass-values.yaml @@ -0,0 +1,6 @@ +controller: + kind: DaemonSet + ingressClass: haproxy + ingressClassResource: + enabled: true + default: true diff --git a/charts/haproxy/haproxy/1.16.100/ci/daemonset-nodeport-values.yaml b/charts/haproxy/haproxy/1.16.100/ci/daemonset-nodeport-values.yaml new file mode 100644 index 000000000..ebc8f1020 --- /dev/null +++ b/charts/haproxy/haproxy/1.16.100/ci/daemonset-nodeport-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet + service: + type: NodePort diff --git a/charts/haproxy/haproxy/1.16.100/ci/daemonset-publishservice-values.yaml b/charts/haproxy/haproxy/1.16.100/ci/daemonset-publishservice-values.yaml new file mode 100644 index 000000000..b538cb542 --- /dev/null +++ b/charts/haproxy/haproxy/1.16.100/ci/daemonset-publishservice-values.yaml 
@@ -0,0 +1,5 @@
+controller:
+ kind: DaemonSet
+ service:
+ annotations:
+ service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0
diff --git a/charts/haproxy/haproxy/1.16.100/ci/daemonset-serviceannotation-values.yaml b/charts/haproxy/haproxy/1.16.100/ci/daemonset-serviceannotation-values.yaml
new file mode 100644
index 000000000..b538cb542
--- /dev/null
+++ b/charts/haproxy/haproxy/1.16.100/ci/daemonset-serviceannotation-values.yaml
@@ -0,0 +1,5 @@
+controller:
+ kind: DaemonSet
+ service:
+ annotations:
+ service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0
diff --git a/charts/haproxy/haproxy/1.16.100/ci/deployment-customconfig-values.yaml b/charts/haproxy/haproxy/1.16.100/ci/deployment-customconfig-values.yaml
new file mode 100644
index 000000000..12c48d22d
--- /dev/null
+++ b/charts/haproxy/haproxy/1.16.100/ci/deployment-customconfig-values.yaml
@@ -0,0 +1,3 @@
+controller:
+ config:
+ rate-limit: "ON"
diff --git a/charts/haproxy/haproxy/1.16.100/ci/deployment-customnodeport-values.yaml b/charts/haproxy/haproxy/1.16.100/ci/deployment-customnodeport-values.yaml
new file mode 100644
index 000000000..f044362aa
--- /dev/null
+++ b/charts/haproxy/haproxy/1.16.100/ci/deployment-customnodeport-values.yaml
@@ -0,0 +1,6 @@
+controller:
+ service:
+ type: NodePort
+ ports:
+ 8000: 10000
+ 8001: 10001
diff --git a/charts/haproxy/haproxy/1.16.100/ci/deployment-default-values.yaml b/charts/haproxy/haproxy/1.16.100/ci/deployment-default-values.yaml
new file mode 100644
index 000000000..792d60054
--- /dev/null
+++ b/charts/haproxy/haproxy/1.16.100/ci/deployment-default-values.yaml
@@ -0,0 +1 @@
+#
diff --git a/charts/haproxy/haproxy/1.16.100/ci/deployment-disableddefaultbackend-values.yaml b/charts/haproxy/haproxy/1.16.100/ci/deployment-disableddefaultbackend-values.yaml
new file mode 100644
index 000000000..ba2a61ebe
--- /dev/null
+++ b/charts/haproxy/haproxy/1.16.100/ci/deployment-disableddefaultbackend-values.yaml
@@ -0,0 +1,2 @@
+defaultBackend:
+ enabled: false
diff --git a/charts/haproxy/haproxy/1.16.100/ci/deployment-disabledsecretconfig-values.yaml b/charts/haproxy/haproxy/1.16.100/ci/deployment-disabledsecretconfig-values.yaml
new file mode 100644
index 000000000..767645997
--- /dev/null
+++ b/charts/haproxy/haproxy/1.16.100/ci/deployment-disabledsecretconfig-values.yaml
@@ -0,0 +1,3 @@
+controller:
+ defaultTLSSecret:
+ enabled: false
diff --git a/charts/haproxy/haproxy/1.16.100/ci/deployment-enableports-values.yaml b/charts/haproxy/haproxy/1.16.100/ci/deployment-enableports-values.yaml
new file mode 100644
index 000000000..03ff297b4
--- /dev/null
+++ b/charts/haproxy/haproxy/1.16.100/ci/deployment-enableports-values.yaml
@@ -0,0 +1,6 @@
+controller:
+ service:
+ enablePorts:
+ http: false
+ https: true
+ stat: false
diff --git a/charts/haproxy/haproxy/1.16.100/ci/deployment-extraargs-values.yaml b/charts/haproxy/haproxy/1.16.100/ci/deployment-extraargs-values.yaml
new file mode 100644
index 000000000..d0e1dbe73
--- /dev/null
+++ b/charts/haproxy/haproxy/1.16.100/ci/deployment-extraargs-values.yaml
@@ -0,0 +1,3 @@
+controller:
+ extraArgs:
+ - --namespace-whitelist=default
diff --git a/charts/haproxy/haproxy/1.16.100/ci/deployment-extraenvs-values.yaml b/charts/haproxy/haproxy/1.16.100/ci/deployment-extraenvs-values.yaml
new file mode 100644
index 000000000..1f9e30c16
--- /dev/null
+++ b/charts/haproxy/haproxy/1.16.100/ci/deployment-extraenvs-values.yaml
@@ -0,0 +1,6 @@
+controller:
+ extraEnvs:
+ - name: TEST_STR1
+ value: foo
+ - name: TEST_STR2
+ value: baz
diff --git a/charts/haproxy/haproxy/1.16.100/ci/deployment-hpa-values.yaml b/charts/haproxy/haproxy/1.16.100/ci/deployment-hpa-values.yaml
new file mode 100644
index 000000000..0c8326236
--- /dev/null
+++ b/charts/haproxy/haproxy/1.16.100/ci/deployment-hpa-values.yaml
@@ -0,0 +1,14 @@
+controller:
+ kind: Deployment
+ autoscaling:
+ enabled: true
+ minReplicas: 1
+ maxReplicas: 5
+ targetCPUUtilizationPercentage: 80
+
+defaultBackend:
+ autoscaling:
+ enabled: true
+ minReplicas: 1
+ maxReplicas: 2
+ targetCPUUtilizationPercentage: 50
diff --git a/charts/haproxy/haproxy/1.16.100/ci/deployment-ingressclass-values.yaml b/charts/haproxy/haproxy/1.16.100/ci/deployment-ingressclass-values.yaml
new file mode 100644
index 000000000..6f4f1fcdc
--- /dev/null
+++ b/charts/haproxy/haproxy/1.16.100/ci/deployment-ingressclass-values.yaml
@@ -0,0 +1,5 @@
+controller:
+ ingressClass: haproxy
+ ingressClassResource:
+ enabled: true
+ default: true
diff --git a/charts/haproxy/haproxy/1.16.100/ci/deployment-nodeport-values.yaml b/charts/haproxy/haproxy/1.16.100/ci/deployment-nodeport-values.yaml
new file mode 100644
index 000000000..ffdc47b2d
--- /dev/null
+++ b/charts/haproxy/haproxy/1.16.100/ci/deployment-nodeport-values.yaml
@@ -0,0 +1,3 @@
+controller:
+ service:
+ type: NodePort
diff --git a/charts/haproxy/haproxy/1.16.100/ci/deployment-psp-values.yaml b/charts/haproxy/haproxy/1.16.100/ci/deployment-psp-values.yaml
new file mode 100644
index 000000000..7aae8605d
--- /dev/null
+++ b/charts/haproxy/haproxy/1.16.100/ci/deployment-psp-values.yaml
@@ -0,0 +1,2 @@
+podSecurityPolicy:
+ enabled: true
diff --git a/charts/haproxy/haproxy/1.16.100/ci/deployment-publishservice-values.yaml b/charts/haproxy/haproxy/1.16.100/ci/deployment-publishservice-values.yaml
new file mode 100644
index 000000000..6d8bf9bf7
--- /dev/null
+++ b/charts/haproxy/haproxy/1.16.100/ci/deployment-publishservice-values.yaml
@@ -0,0 +1,4 @@
+controller:
+ kind: DaemonSet
+ publishService:
+ enabled: true
diff --git a/charts/haproxy/haproxy/1.16.100/ci/deployment-replicacount-unset.yaml b/charts/haproxy/haproxy/1.16.100/ci/deployment-replicacount-unset.yaml
new file mode 100644
index 000000000..78ee30060
--- /dev/null
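Review bot: `ci/deployment-publishservice-values.yaml` sets `kind: DaemonSet`, so the only values file that enables `publishService` never renders the Deployment template. `ci/daemonset-publishservice-values.yaml` in turn has the same content as `ci/daemonset-serviceannotation-values.yaml` (both are blob `b538cb542`) and does not enable `publishService` at all, so the `--publish-service` argument is only exercised by accident and never for the Deployment kind. I would drop `kind: DaemonSet` from the deployment file and add `publishService:` with `enabled: true` under `controller:` in the daemonset file.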
+++ b/charts/haproxy/haproxy/1.16.100/ci/deployment-replicacount-unset.yaml
@@ -0,0 +1,5 @@
+controller:
+ replicaCount: null
+
+defaultBackend:
+ replicaCount: null
diff --git a/charts/haproxy/haproxy/1.16.100/questions.yml b/charts/haproxy/haproxy/1.16.100/questions.yml
new file mode 100644
index 000000000..693d6e966
--- /dev/null
+++ b/charts/haproxy/haproxy/1.16.100/questions.yml
@@ -0,0 +1,72 @@
+questions:
+- variable: imageDefault
+ default: true
+ description: "Use default Docker image"
+ label: Use Default Image
+ type: boolean
+ group: "Settings"
+ show_subquestion_if: false
+ subquestions:
+ - variable: controller.image.tag
+ default: "1.6.5"
+ description: "HAProxy Ingress Controller Tag"
+ type: string
+ label: HAProxy Ingress Controller Tag
+- variable: controller.kind
+ type: enum
+ options:
+ - "DaemonSet"
+ - "Deployment"
+ default: "Deployment"
+ description: "Deployment Type"
+ label: Deployment Type
+ group: "Settings"
+- variable: controller.service.type
+ type: enum
+ options:
+ - "LoadBalancer"
+ - "NodePort"
+ default: "NodePort"
+ description: "Service Type for HAProxy Ingress Controller"
+ label: Service Type
+ group: "Settings"
+- variable: controller.ingressClass
+ default: ""
+ description: "Ingress Class for targeting this controller"
+ label: Ingress Class
+ type: string
+ group: "Settings"
+- variable: controller.defaultTLSSecret.secret
+ default: ""
+ description: "Default TLS certificate secret"
+ label: TLS Certificate Secret
+ type: string
+ group: "Settings"
+- variable: enableEnterprise
+ default: false
+ description: "Use HAProxy Enterprise"
+ label: Enable
+ type: boolean
+ group: "HAProxy Enterprise"
+ show_subquestion_if: true
+ subquestions:
+ - variable: controller.imageCredentials.registry
+ type: string
+ default: "kubernetes-registry.haproxy.com"
+ description: "HAProxy Enterprise Registtry"
+ label: Registry
+ - variable: controller.image.repository
+ type: string
+ default: "kubernetes-registry.haproxy.com/hapee-ingress"
+ description: "HAProxy Enterprise Registry"
+ label: Repository
+ - variable: controller.imageCredentials.username
+ type: string
+ default: "MYUSERNAME"
+ description: "HAProxy Enterprise Username"
+ label: Username
+ - variable: controller.imageCredentials.password
+ type: string
+ default: "MYPASSWORD"
+ description: "HAProxy Enterprise Password"
+ label: Password
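Review bot: The `controller.imageCredentials.password` question is declared `type: string` with `default: "MYPASSWORD"`, so the registry password is presumably shown in clear text in the install form, and a placeholder credential is submitted when the operator leaves the field untouched; `default: "MYUSERNAME"` has the same problem. Rancher's questions schema has a `password` type for this, so I would use `type: password` with `default: ""` for the password and `default: ""` for the username. The value still travels through the chart values into the pull secret built by `kubernetes-ingress.imagePullSecret`, so offering `controller.existingImagePullSecret` (read by the controller templates) as a question would let operators keep the password out of the release values.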
diff --git a/charts/haproxy/haproxy/1.16.100/templates/NOTES.txt b/charts/haproxy/haproxy/1.16.100/templates/NOTES.txt new file mode 100644 index 000000000..f7a9efb6b --- /dev/null +++ b/charts/haproxy/haproxy/1.16.100/templates/NOTES.txt 
@@ -0,0 +1,67 @@ +HAProxy Kubernetes Ingress Controller has been successfully installed. + +Controller image deployed is: "{{ .Values.controller.image.repository }}:{{ tpl .Values.controller.image.tag . }}". +Your controller is of a "{{ .Values.controller.kind }}" kind. Your controller service is running as a "{{ .Values.controller.service.type }}" type. +{{- if .Values.rbac.create}} +RBAC authorization is enabled. +{{- else}} +RBAC authorization is disabled. +{{- end}} +{{- if .Values.controller.ingressClass}} +Controller ingress.class is set to "{{ .Values.controller.ingressClass }}" so make sure to use same annotation for +Ingress resource. +{{- end}} + +Service ports mapped are: +{{- if eq .Values.controller.kind "Deployment" }} +{{- range $key, $value := .Values.controller.containerPort }} + - name: {{ $key }} + containerPort: {{ $value }} + protocol: TCP +{{- end }} +{{- end }} +{{- if eq .Values.controller.kind "DaemonSet" }} +{{- $hostPorts := .Values.controller.daemonset.hostPorts -}} +{{- range $key, $value := .Values.controller.containerPort }} + - name: {{ $key }} + containerPort: {{ $value }} + protocol: TCP + hostPort: {{ index $hostPorts $key | default $value }} +{{- end }} +{{- end }} + +Node IP can be found with: + $ kubectl --namespace {{ .Release.Namespace }} get nodes -o jsonpath="{.items[0].status.addresses[1].address}" + +The following ingress resource routes traffic to pods that match the following: + * service name: web + * client's Host header: webdemo.com + * path begins with / + + --- + apiVersion: networking.k8s.io/v1beta1 + kind: Ingress + metadata: + name: web-ingress + namespace: default + spec: + rules: + - host: webdemo.com + http: + paths: + - path: / + backend: + serviceName: web + servicePort: 80 + +In case that you are using multi-ingress controller environment, make sure to use ingress.class annotation and match it +with helm chart option controller.ingressClass. 
+ +For more examples and up to date documentation, please visit: + * Helm chart documentation: https://github.com/haproxytech/helm-charts/tree/main/kubernetes-ingress + * Controller documentation: https://www.haproxy.com/documentation/hapee/2-0r1/traffic-management/kubernetes-ingress-controller/ + * Annotation reference: https://github.com/haproxytech/kubernetes-ingress/tree/master/documentation + * Image parameters reference: https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md + + + diff --git a/charts/haproxy/haproxy/1.16.100/templates/_helpers.tpl b/charts/haproxy/haproxy/1.16.100/templates/_helpers.tpl new file mode 100644 index 000000000..5a1e28588 --- /dev/null +++ b/charts/haproxy/haproxy/1.16.100/templates/_helpers.tpl 
@@ -0,0 +1,130 @@
+{{/*
+Copyright 2019 HAProxy Technologies LLC
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "kubernetes-ingress.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "kubernetes-ingress.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "kubernetes-ingress.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Encode an imagePullSecret string.
+*/}}
+{{- define "kubernetes-ingress.imagePullSecret" }}
+{{- printf "{\"auths\": {\"%s\": {\"auth\": \"%s\"}}}" .Values.controller.imageCredentials.registry (printf "%s:%s" .Values.controller.imageCredentials.username .Values.controller.imageCredentials.password | b64enc) | b64enc }}
+{{- end }}
+
+{{/*
+Generate default certificate for HAProxy.
+*/}}
+{{- define "kubernetes-ingress.gen-certs" -}}
+{{- $ca := genCA "kubernetes-ingress-ca" 365 -}}
+{{- $cn := printf "%s.%s" .Release.Name .Release.Namespace -}}
+{{- $cert := genSignedCert $cn nil nil 365 $ca -}}
+tls.crt: {{ $cert.Cert | b64enc }}
+tls.key: {{ $cert.Key | b64enc }}
+{{- end -}}
+
+{{/*
+Create the name of the controller service account to use.
+*/}}
+{{- define "kubernetes-ingress.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create -}}
+ {{ default (include "kubernetes-ingress.fullname" .) .Values.serviceAccount.name }}
+{{- else -}}
+ {{ default "default" .Values.serviceAccount.name }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create the name of the backend service account to use - only used when podsecuritypolicy is also enabled
+*/}}
+{{- define "kubernetes-ingress.defaultBackend.serviceAccountName" -}}
+{{- if or .Values.serviceAccount.create .Values.defaultBackend.serviceAccount.create -}}
+ {{ default (printf "%s-%s" (include "kubernetes-ingress.fullname" .) .Values.defaultBackend.name) .Values.defaultBackend.serviceAccount.name }}
+{{- else -}}
+ {{ default "default" .Values.defaultBackend.serviceAccount.name }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified default backend name.
+*/}}
+{{- define "kubernetes-ingress.defaultBackend.fullname" -}}
+{{- printf "%s-%s" (include "kubernetes-ingress.fullname" .) .Values.defaultBackend.name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified default cert secret name.
+*/}}
+{{- define "kubernetes-ingress.defaultTLSSecret.fullname" -}}
+{{- printf "%s-%s" (include "kubernetes-ingress.fullname" .) "default-cert" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Construct the path for the publish-service.
+By default this will use the / matching the controller's service name.
+Users can provide an override for an explicit service they want to use via `.Values.controller.publishService.pathOverride`
+*/}}
+{{- define "kubernetes-ingress.publishServicePath" -}}
+{{- $defServicePath := printf "%s/%s" .Release.Namespace (include "kubernetes-ingress.fullname" .) -}}
+{{- $servicePath := default $defServicePath .Values.controller.publishService.pathOverride }}
+{{- print $servicePath | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Construct the syslog-server annotation
+*/}}
+{{- define "kubernetes-ingress.syslogServer" -}}
+{{- range $key, $val := .Values.controller.logging.traffic -}}
+{{- printf "%s:%s, " $key $val }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified ServiceMonitor name.
+*/}}
+{{- define "kubernetes-ingress.serviceMonitorName" -}}
+{{- default (include "kubernetes-ingress.fullname" .) .Values.controller.serviceMonitor.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/* vim: set filetype=mustache: */}}
diff --git a/charts/haproxy/haproxy/1.16.100/templates/clusterrole.yaml b/charts/haproxy/haproxy/1.16.100/templates/clusterrole.yaml
new file mode 100644
index 000000000..4cf54d0c7
--- /dev/null
+++ b/charts/haproxy/haproxy/1.16.100/templates/clusterrole.yaml
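Review bot: `kubernetes-ingress.gen-certs` calls `genSignedCert $cn nil nil 365 $ca`, which passes no IP or DNS subject alternative names, so the default certificate identifies itself only through the common name built from release name and namespace; clients that require a SAN will reject it on name grounds alone. Neither the CA certificate nor its key is emitted (only `tls.crt` and `tls.key` are), so nothing can verify the chain or re-issue the certificate after its 365 days. I would pass the name as a DNS SAN, `{{- $cert := genSignedCert $cn nil (list $cn) 365 $ca -}}`, and extend the comment above the define to say that this is a placeholder certificate to be replaced through `controller.defaultTLSSecret.secret`.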
@@ -0,0 +1,60 @@
+{{/*
+Copyright 2019 HAProxy Technologies LLC
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.rbac.create -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ template "kubernetes-ingress.fullname" . }}
+ labels:
+ app.kubernetes.io/name: {{ template "kubernetes-ingress.name" . }}
+ helm.sh/chart: {{ template "kubernetes-ingress.chart" . }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/version: {{ .Chart.AppVersion }}
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - configmaps
+ - endpoints
+ - services
+ - namespaces
+ - events
+ - secrets
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - "extensions"
+ - "networking.k8s.io"
+ resources:
+ - ingresses
+ - ingresses/status
+ - ingressclasses
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - "extensions"
+ - "networking.k8s.io"
+ resources:
+ - ingresses/status
+ verbs:
+ - update
+{{- end -}}
diff --git a/charts/haproxy/haproxy/1.16.100/templates/clusterrolebinding.yaml b/charts/haproxy/haproxy/1.16.100/templates/clusterrolebinding.yaml
new file mode 100644
index 000000000..642904d7b
--- /dev/null
+++ b/charts/haproxy/haproxy/1.16.100/templates/clusterrolebinding.yaml
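Review bot: The first rule lists `secrets` with `get`, `list` and `watch` in a ClusterRole, so the controller's service account can read every Secret in every namespace. The rule stays that wide even when the controller is confined by an argument such as `--namespace-whitelist=default`, which the `ci/*-extraargs-values.yaml` files pass. Nothing in this template lets an operator narrow it, and nothing documents it. I would add a comment above the rule, for example `# NOTE: grants cluster-wide read access to Secrets`, and consider a values switch that renders a namespaced Role and RoleBinding when the watched namespaces are restricted.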
@@ -0,0 +1,37 @@
+{{/*
+Copyright 2019 HAProxy Technologies LLC
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.rbac.create -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ template "kubernetes-ingress.fullname" . }}
+ labels:
+ app.kubernetes.io/name: {{ template "kubernetes-ingress.name" . }}
+ helm.sh/chart: {{ template "kubernetes-ingress.chart" . }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/version: {{ .Chart.AppVersion }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ template "kubernetes-ingress.fullname" . }}
+subjects:
+- kind: ServiceAccount
+ name: {{ template "kubernetes-ingress.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
+{{- end -}}
+
diff --git a/charts/haproxy/haproxy/1.16.100/templates/controller-configmap.yaml b/charts/haproxy/haproxy/1.16.100/templates/controller-configmap.yaml
new file mode 100644
index 000000000..94aa9c554
--- /dev/null
+++ b/charts/haproxy/haproxy/1.16.100/templates/controller-configmap.yaml
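Review bot: The subject name comes from `kubernetes-ingress.serviceAccountName`, which falls back to `default` when `serviceAccount.create` is false and `serviceAccount.name` is unset. With `rbac.create` true, this binding then hands the ClusterRole, including its cluster-wide read on `secrets`, to the release namespace's `default` ServiceAccount and so to every pod there that does not name its own account. I would make the helper fail instead of falling back, `{{ required "serviceAccount.name is required when serviceAccount.create is false" .Values.serviceAccount.name }}`, or guard this template on a non-empty name. The helper is defined in `templates/_helpers.tpl`, outside this hunk.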
@@ -0,0 +1,34 @@
+{{/*
+Copyright 2019 HAProxy Technologies LLC
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ template "kubernetes-ingress.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: {{ template "kubernetes-ingress.name" . }}
+ helm.sh/chart: {{ template "kubernetes-ingress.chart" . }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/version: {{ .Chart.AppVersion }}
+data:
+{{- if .Values.controller.logging.traffic }}
+ syslog-server: {{ template "kubernetes-ingress.syslogServer" . }}
+{{- end }}
+{{- if .Values.controller.config }}
+{{ toYaml .Values.controller.config | indent 2 }}
+{{- end }}
diff --git a/charts/haproxy/haproxy/1.16.100/templates/controller-daemonset.yaml b/charts/haproxy/haproxy/1.16.100/templates/controller-daemonset.yaml
new file mode 100644
index 000000000..d4fad8067
--- /dev/null
+++ b/charts/haproxy/haproxy/1.16.100/templates/controller-daemonset.yaml
@@ -0,0 +1,242 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if eq .Values.controller.kind "DaemonSet" }} +{{- $useHostNetwork := .Values.controller.daemonset.useHostNetwork -}} +{{- $useHostPort := .Values.controller.daemonset.useHostPort -}} +{{- $hostPorts := .Values.controller.daemonset.hostPorts -}} +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: {{ template "kubernetes-ingress.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ template "kubernetes-ingress.name" . }} + helm.sh/chart: {{ template "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + {{- if .Values.controller.extraLabels }} +{{ toYaml .Values.controller.extraLabels | indent 4 }} + {{- end }} +spec: + minReadySeconds: 0 + updateStrategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 1 + selector: + matchLabels: + app.kubernetes.io/name: {{ template "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + template: + metadata: + labels: + app.kubernetes.io/name: {{ template "kubernetes-ingress.name" . 
}} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- if .Values.controller.podLabels }} +{{ toYaml .Values.controller.podLabels | indent 8 }} + {{- end }} + {{- if .Values.controller.podAnnotations }} + annotations: +{{ toYaml .Values.controller.podAnnotations | indent 8 }} + {{- end }} + spec: + serviceAccountName: {{ template "kubernetes-ingress.serviceAccountName" . }} + terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }} + {{- if $useHostNetwork }} + hostNetwork: true + {{- end }} +{{- if .Values.controller.dnsConfig }} + dnsConfig: +{{ toYaml .Values.controller.dnsConfig | indent 8 }} +{{- end }} + dnsPolicy: {{ .Values.controller.dnsPolicy }} +{{- if .Values.controller.imageCredentials.registry }} + imagePullSecrets: + - name: {{ template "kubernetes-ingress.fullname" . }} +{{- else if .Values.controller.existingImagePullSecret }} + imagePullSecrets: + - name: {{ .Values.controller.existingImagePullSecret }} +{{- end }} +{{- if .Values.controller.priorityClassName }} + priorityClassName: {{ .Values.controller.priorityClassName }} +{{- end }} + containers: + - name: {{ template "kubernetes-ingress.name" . }}-{{ .Values.controller.name }} + image: "{{ .Values.controller.image.repository }}:{{ tpl .Values.controller.image.tag . }}" + imagePullPolicy: {{ .Values.controller.image.pullPolicy }} + args: +{{- if .Values.controller.defaultTLSSecret.enabled -}} +{{- if and .Values.controller.defaultTLSSecret.secret .Values.controller.defaultTLSSecret.secretNamespace }} + - --default-ssl-certificate={{ tpl .Values.controller.defaultTLSSecret.secretNamespace . }}/{{ .Values.controller.defaultTLSSecret.secret }} +{{- else }} + - --default-ssl-certificate={{ .Release.Namespace }}/{{ template "kubernetes-ingress.defaultTLSSecret.fullname" . }} +{{- end }} +{{- end }} + - --configmap={{ .Release.Namespace }}/{{ template "kubernetes-ingress.fullname" . 
}} +{{- if .Values.defaultBackend.enabled }} + - --default-backend-service={{ .Release.Namespace }}/{{ template "kubernetes-ingress.defaultBackend.fullname" . }} +{{- end }} +{{- if .Values.controller.ingressClass }} + - --ingress.class={{ .Values.controller.ingressClass }} +{{- end }} +{{- if .Values.controller.publishService.enabled }} + - --publish-service={{ template "kubernetes-ingress.publishServicePath" . }} +{{- end }} +{{- if .Values.controller.logging.level }} + - --log={{ .Values.controller.logging.level }} +{{- end }} +{{- range .Values.controller.extraArgs }} + - {{ . }} +{{- end }} + {{- if .Values.controller.unprivileged }} + securityContext: + runAsUser: 1000 + runAsGroup: 1000 + capabilities: + drop: + - ALL + add: + - NET_BIND_SERVICE + {{- end }} + ports: + {{- range $key, $value := .Values.controller.containerPort }} + - name: {{ $key }} + containerPort: {{ $value }} + protocol: TCP + {{- if $useHostPort }} + hostPort: {{ index $hostPorts $key | default $value }} + {{- end }} + {{- end }} + {{- range .Values.controller.service.tcpPorts }} + - name: {{ .name }}-tcp + containerPort: {{ .port }} + protocol: TCP + {{- if $useHostPort }} + hostPort: {{ .port }} + {{- end }} + {{- end }} + {{- if .Values.controller.livenessProbe.enabled }} + livenessProbe: + failureThreshold: {{ .Values.controller.livenessProbe.failureThreshold }} + httpGet: + path: {{ .Values.controller.livenessProbe.path }} + port: {{ .Values.controller.livenessProbe.port }} + scheme: {{ .Values.controller.livenessProbe.scheme }} + initialDelaySeconds: {{ .Values.controller.livenessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.controller.livenessProbe.periodSeconds }} + successThreshold: {{ .Values.controller.livenessProbe.successThreshold }} + timeoutSeconds: {{ .Values.controller.livenessProbe.timeoutSeconds }} + {{- end }} + {{- if .Values.controller.readinessProbe.enabled }} + readinessProbe: + failureThreshold: {{ .Values.controller.readinessProbe.failureThreshold }} 
+ httpGet: + path: {{ .Values.controller.readinessProbe.path }} + port: {{ .Values.controller.readinessProbe.port }} + scheme: {{ .Values.controller.readinessProbe.scheme }} + initialDelaySeconds: {{ .Values.controller.readinessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.controller.readinessProbe.periodSeconds }} + successThreshold: {{ .Values.controller.readinessProbe.successThreshold }} + timeoutSeconds: {{ .Values.controller.readinessProbe.timeoutSeconds }} + {{- end }} + {{- if .Values.controller.startupProbe.enabled }} + startupProbe: + failureThreshold: {{ .Values.controller.startupProbe.failureThreshold }} + httpGet: + path: {{ .Values.controller.startupProbe.path }} + port: {{ .Values.controller.startupProbe.port }} + scheme: {{ .Values.controller.startupProbe.scheme }} + initialDelaySeconds: {{ .Values.controller.startupProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.controller.startupProbe.periodSeconds }} + successThreshold: {{ .Values.controller.startupProbe.successThreshold }} + timeoutSeconds: {{ .Values.controller.startupProbe.timeoutSeconds }} + {{- end }} + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + {{- if .Values.controller.extraEnvs -}} + {{- toYaml .Values.controller.extraEnvs | nindent 10 }} + {{- end }} + resources: + {{- toYaml .Values.controller.resources | nindent 12 }} + {{- if .Values.controller.lifecycle }} + lifecycle: + {{- if eq "string" (printf "%T" .Values.controller.lifecycle) }} +{{ tpl .Values.controller.lifecycle . | indent 12 }} + {{- else }} +{{ toYaml .Values.controller.lifecycle | indent 12 }} + {{- end }} + {{- end }} + {{- if .Values.controller.extraVolumeMounts }} + volumeMounts: + {{- if eq "string" (printf "%T" .Values.controller.extraVolumeMounts) }} +{{ tpl .Values.controller.extraVolumeMounts . 
| indent 12 }} + {{- else }} +{{ toYaml .Values.controller.extraVolumeMounts | indent 12 }} + {{- end }} + {{- end}} + {{- if .Values.controller.extraContainers }} + {{- if eq "string" (printf "%T" .Values.controller.extraContainers) }} +{{ tpl .Values.controller.extraContainers . | indent 8 }} + {{- else }} +{{ toYaml .Values.controller.extraContainers | indent 8 }} + {{- end }} + {{- end }} + {{- if .Values.controller.extraVolumes }} + volumes: + {{- if eq "string" (printf "%T" .Values.controller.extraVolumes) }} +{{ tpl .Values.controller.extraVolumes . | indent 8 }} + {{- else }} +{{ toYaml .Values.controller.extraVolumes | indent 8 }} + {{- end }} + {{- end }} + {{- if or .Values.controller.unprivileged .Values.controller.initContainers }} + initContainers: + {{- if .Values.controller.unprivileged }} + - name: sysctl + image: busybox:musl + command: + - /bin/sh + - -c + - sysctl -w net.ipv4.ip_unprivileged_port_start=0 + securityContext: + privileged: true + {{- end }} + {{- with.Values.controller.initContainers }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- end }} + {{- with .Values.controller.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.16.100/templates/controller-defaultcertsecret.yaml b/charts/haproxy/haproxy/1.16.100/templates/controller-defaultcertsecret.yaml new file mode 100644 index 000000000..b409c7b25 --- /dev/null +++ b/charts/haproxy/haproxy/1.16.100/templates/controller-defaultcertsecret.yaml 
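Review bot: When `controller.unprivileged` is set, the pod gains a `sysctl` init container that runs with `privileged: true` from the mutable tag `busybox:musl`, so the "unprivileged" mode depends on a fully privileged container whose image content can change between pulls and cannot be overridden through values. If `useHostNetwork` is enabled at the same time, the pod shares the node's network namespace, and `sysctl -w net.ipv4.ip_unprivileged_port_start=0` would then presumably change the setting for the node itself rather than for the pod only. I would pin the image by digest, `image: busybox:musl@sha256:<digest-placeholder>`, or expose it as a chart value, and document the host-network interaction in a comment next to the init container. The controller container's `securityContext` block also sets neither `allowPrivilegeEscalation: false` nor `runAsNonRoot: true`, which would fit alongside the dropped capabilities.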
@@ -0,0 +1,35 @@
+{{/*
+Copyright 2019 HAProxy Technologies LLC
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.controller.defaultTLSSecret.enabled }}
+apiVersion: v1
+kind: Secret
+type: kubernetes.io/tls
+metadata:
+ name: {{ template "kubernetes-ingress.defaultTLSSecret.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: {{ template "kubernetes-ingress.name" . }}
+ helm.sh/chart: {{ template "kubernetes-ingress.chart" . }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/version: {{ .Chart.AppVersion }}
+ annotations:
+ "helm.sh/hook": "pre-install"
+ "helm.sh/hook-delete-policy": "before-hook-creation"
+data:
+{{ ( include "kubernetes-ingress.gen-certs" . ) | indent 2 }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/haproxy/haproxy/1.16.100/templates/controller-deployment.yaml b/charts/haproxy/haproxy/1.16.100/templates/controller-deployment.yaml
new file mode 100644
index 000000000..181ee930e
--- /dev/null
+++ b/charts/haproxy/haproxy/1.16.100/templates/controller-deployment.yaml
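Review bot: The Secret carries only `"helm.sh/hook": "pre-install"`, so the key pair from `kubernetes-ingress.gen-certs` is created once and never regenerated on upgrade; with the 365-day validity fixed in that helper, the default certificate expires a year after installation and nothing in the chart renews it. As a hook resource it is presumably not tracked as part of the release either, so the private key would stay in the namespace after `helm uninstall`. I would add a comment above `data:` stating the expiry and that operators are expected to supply their own certificate through `controller.defaultTLSSecret.secret`, or add `pre-upgrade` to the hook together with a `lookup`-based reuse of the existing Secret while it is still valid.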
@@ -0,0 +1,245 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if eq .Values.controller.kind "Deployment" }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "kubernetes-ingress.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ template "kubernetes-ingress.name" . }} + helm.sh/chart: {{ template "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + {{- if .Values.controller.extraLabels }} +{{ toYaml .Values.controller.extraLabels | indent 4 }} + {{- end }} +spec: + {{- if and (not .Values.controller.autoscaling.enabled) (not .Values.controller.keda.enabled) }} + replicas: {{ .Values.controller.replicaCount }} + {{- end }} + selector: + matchLabels: + app.kubernetes.io/name: {{ template "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- with .Values.controller.strategy }} + strategy: + {{- toYaml . | nindent 4 }} + {{- end }} + template: + metadata: + labels: + app.kubernetes.io/name: {{ template "kubernetes-ingress.name" . 
}} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- if .Values.controller.podLabels }} +{{ toYaml .Values.controller.podLabels | indent 8 }} + {{- end }} + {{- if .Values.controller.podAnnotations }} + annotations: +{{ toYaml .Values.controller.podAnnotations | indent 8 }} + {{- end }} + spec: + serviceAccountName: {{ template "kubernetes-ingress.serviceAccountName" . }} + terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }} +{{- with .Values.controller.topologySpreadConstraints }} + topologySpreadConstraints: + {{- toYaml . | nindent 8 }} +{{- end }} +{{- if .Values.controller.dnsConfig }} + dnsConfig: +{{ toYaml .Values.controller.dnsConfig | indent 8 }} +{{- end }} + dnsPolicy: {{ .Values.controller.dnsPolicy }} +{{- if .Values.controller.imageCredentials.registry }} + imagePullSecrets: + - name: {{ template "kubernetes-ingress.fullname" . }} +{{- else if .Values.controller.existingImagePullSecret }} + imagePullSecrets: + - name: {{ .Values.controller.existingImagePullSecret }} +{{- end }} +{{- if .Values.controller.priorityClassName }} + priorityClassName: {{ .Values.controller.priorityClassName }} +{{- end }} + containers: + - name: {{ template "kubernetes-ingress.name" . }}-{{ .Values.controller.name }} + image: "{{ .Values.controller.image.repository }}:{{ tpl .Values.controller.image.tag . }}" + imagePullPolicy: {{ .Values.controller.image.pullPolicy }} + args: +{{- if .Values.controller.defaultTLSSecret.enabled -}} +{{- if and .Values.controller.defaultTLSSecret.secret .Values.controller.defaultTLSSecret.secretNamespace }} + - --default-ssl-certificate={{ tpl .Values.controller.defaultTLSSecret.secretNamespace . }}/{{ .Values.controller.defaultTLSSecret.secret }} +{{- else }} + - --default-ssl-certificate={{ .Release.Namespace }}/{{ template "kubernetes-ingress.defaultTLSSecret.fullname" . }} +{{- end }} +{{- end }} + - --configmap={{ .Release.Namespace }}/{{ template "kubernetes-ingress.fullname" . 
}} +{{- if .Values.defaultBackend.enabled }} + - --default-backend-service={{ .Release.Namespace }}/{{ template "kubernetes-ingress.defaultBackend.fullname" . }} +{{- end }} +{{- if .Values.controller.ingressClass }} + - --ingress.class={{ .Values.controller.ingressClass }} +{{- end }} +{{- if .Values.controller.publishService.enabled }} + - --publish-service={{ template "kubernetes-ingress.publishServicePath" . }} +{{- end }} +{{- if .Values.controller.logging.level }} + - --log={{ .Values.controller.logging.level }} +{{- end }} +{{- range .Values.controller.extraArgs }} + - {{ . }} +{{- end }} + {{- if .Values.controller.unprivileged }} + securityContext: + runAsUser: 1000 + runAsGroup: 1000 + capabilities: + drop: + - ALL + add: + - NET_BIND_SERVICE + {{- end }} + ports: + {{- range $key, $value := .Values.controller.containerPort }} + - name: {{ $key }} + containerPort: {{ $value }} + protocol: TCP + {{- end }} + {{- range .Values.controller.service.tcpPorts }} + - name: {{ .name }}-tcp + containerPort: {{ .targetPort }} + protocol: TCP + {{- end }} + {{- if .Values.controller.livenessProbe.enabled }} + livenessProbe: + failureThreshold: {{ .Values.controller.livenessProbe.failureThreshold }} + httpGet: + path: {{ .Values.controller.livenessProbe.path }} + port: {{ .Values.controller.livenessProbe.port }} + scheme: {{ .Values.controller.livenessProbe.scheme }} + {{- if .Values.controller.livenessProbe.httpHeaders }} + httpHeaders: {{ toYaml .Values.controller.livenessProbe.httpHeaders | nindent 16 }} + {{- end }} + initialDelaySeconds: {{ .Values.controller.livenessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.controller.livenessProbe.periodSeconds }} + successThreshold: {{ .Values.controller.livenessProbe.successThreshold }} + timeoutSeconds: {{ .Values.controller.livenessProbe.timeoutSeconds }} + {{- end }} + {{- if .Values.controller.readinessProbe.enabled }} + readinessProbe: + failureThreshold: {{ 
.Values.controller.readinessProbe.failureThreshold }} + httpGet: + path: {{ .Values.controller.readinessProbe.path }} + port: {{ .Values.controller.readinessProbe.port }} + scheme: {{ .Values.controller.readinessProbe.scheme }} + {{- if .Values.controller.readinessProbe.httpHeaders }} + httpHeaders: {{ toYaml .Values.controller.readinessProbe.httpHeaders | nindent 16 }} + {{- end }} + initialDelaySeconds: {{ .Values.controller.readinessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.controller.readinessProbe.periodSeconds }} + successThreshold: {{ .Values.controller.readinessProbe.successThreshold }} + timeoutSeconds: {{ .Values.controller.readinessProbe.timeoutSeconds }} + {{- end }} + {{- if .Values.controller.startupProbe.enabled }} + startupProbe: + failureThreshold: {{ .Values.controller.startupProbe.failureThreshold }} + httpGet: + path: {{ .Values.controller.startupProbe.path }} + port: {{ .Values.controller.startupProbe.port }} + scheme: {{ .Values.controller.startupProbe.scheme }} + {{- if .Values.controller.startupProbe.httpHeaders }} + httpHeaders: {{ toYaml .Values.controller.startupProbe.httpHeaders | nindent 16 }} + {{- end }} + initialDelaySeconds: {{ .Values.controller.startupProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.controller.startupProbe.periodSeconds }} + successThreshold: {{ .Values.controller.startupProbe.successThreshold }} + timeoutSeconds: {{ .Values.controller.startupProbe.timeoutSeconds }} + {{- end }} + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + {{- if .Values.controller.extraEnvs -}} + {{- toYaml .Values.controller.extraEnvs | nindent 10 }} + {{- end }} + resources: + {{- toYaml .Values.controller.resources | nindent 12 }} + {{- if .Values.controller.lifecycle }} + lifecycle: + {{- if eq "string" (printf "%T" .Values.controller.lifecycle) }} +{{ tpl .Values.controller.lifecycle . 
| indent 12 }} + {{- else }} +{{ toYaml .Values.controller.lifecycle | indent 12 }} + {{- end }} + {{- end }} + {{- if .Values.controller.extraVolumeMounts }} + volumeMounts: + {{- if eq "string" (printf "%T" .Values.controller.extraVolumeMounts) }} +{{ tpl .Values.controller.extraVolumeMounts . | indent 12 }} + {{- else }} +{{ toYaml .Values.controller.extraVolumeMounts | indent 12 }} + {{- end }} + {{- end}} + {{- if .Values.controller.extraContainers }} + {{- if eq "string" (printf "%T" .Values.controller.extraContainers) }} +{{ tpl .Values.controller.extraContainers . | indent 8 }} + {{- else }} +{{ toYaml .Values.controller.extraContainers | indent 8 }} + {{- end }} + {{- end }} + {{- if .Values.controller.extraVolumes }} + volumes: + {{- if eq "string" (printf "%T" .Values.controller.extraVolumes) }} +{{ tpl .Values.controller.extraVolumes . | indent 8 }} + {{- else }} +{{ toYaml .Values.controller.extraVolumes | indent 8 }} + {{- end }} + {{- end }} + {{- if or .Values.controller.unprivileged .Values.controller.initContainers }} + initContainers: + {{- if .Values.controller.unprivileged }} + - name: sysctl + image: busybox:musl + command: + - /bin/sh + - -c + - sysctl -w net.ipv4.ip_unprivileged_port_start=0 + securityContext: + privileged: true + {{- end }} + {{- with.Values.controller.initContainers }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- end }} + {{- with .Values.controller.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.16.100/templates/controller-hpa.yaml b/charts/haproxy/haproxy/1.16.100/templates/controller-hpa.yaml new file mode 100644 index 000000000..74fe00439 --- /dev/null +++ b/charts/haproxy/haproxy/1.16.100/templates/controller-hpa.yaml 
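Review bot: With `controller.unprivileged` set, the pod gains a `sysctl` init container that runs with `privileged: true` from the unpinned image `busybox:musl`, so the option named "unprivileged" starts a fully privileged container whose content depends on a mutable tag. The same setting conflicts with the chart's own PodSecurityPolicy template, which sets `privileged: false`, so the pod would likely be rejected when both are enabled. Setting the sysctl through the pod-level `securityContext.sysctls` removes the privileged container on clusters that treat `net.ipv4.ip_unprivileged_port_start` as a safe sysctl (Kubernetes 1.22 and later, as far as I know); if the init container has to stay, pin the image by digest. The controller container's `securityContext` should also set `allowPrivilegeEscalation: false`. The same init container appears in the preceding template, whose hunk starts outside this view.

```yaml
    spec:
      {{- /* … unchanged: serviceAccountName, terminationGracePeriodSeconds … */}}
      {{- if .Values.controller.unprivileged }}
      securityContext:
        sysctls:
          - name: net.ipv4.ip_unprivileged_port_start
            value: "0"
      {{- end }}
      {{- /* … unchanged: containers, volumes … */}}
      {{- with .Values.controller.initContainers }}
      initContainers:
        {{- toYaml . | nindent 8 }}
      {{- end }}
```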
@@ -0,0 +1,58 @@ +{{/* +Copyright 2020 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and (eq .Values.controller.kind "Deployment") .Values.controller.autoscaling.enabled }} +{{- if not .Values.controller.keda.enabled }} +apiVersion: autoscaling/v2beta2 +kind: HorizontalPodAutoscaler +metadata: + name: {{ template "kubernetes-ingress.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ template "kubernetes-ingress.name" . }} + helm.sh/chart: {{ template "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ template "kubernetes-ingress.fullname" . 
}} + minReplicas: {{ .Values.controller.autoscaling.minReplicas }} + maxReplicas: {{ .Values.controller.autoscaling.maxReplicas }} + metrics: + {{- if .Values.controller.autoscaling.targetCPUUtilizationPercentage }} + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: {{ .Values.controller.autoscaling.targetCPUUtilizationPercentage }} + {{- end }} + {{- if .Values.controller.autoscaling.targetMemoryUtilizationPercentage }} + - type: Resource + resource: + name: memory + target: + type: Utilization + averageUtilization: {{ .Values.controller.autoscaling.targetMemoryUtilizationPercentage }} + {{- end }} + {{- if .Values.controller.autoscaling.custom }} + {{- toYaml .Values.controller.autoscaling.custom | nindent 4 }} + {{- end }} +{{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.16.100/templates/controller-ingressclass.yaml b/charts/haproxy/haproxy/1.16.100/templates/controller-ingressclass.yaml new file mode 100644 index 000000000..5c9a5aee8 --- /dev/null +++ b/charts/haproxy/haproxy/1.16.100/templates/controller-ingressclass.yaml 
@@ -0,0 +1,42 @@
+{{/*
+Copyright 2021 HAProxy Technologies LLC
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) (.Values.controller.ingressClassResource.enabled) -}}
+{{- if and (semverCompare "=1.18-0" .Capabilities.KubeVersion.GitVersion) }}
+apiVersion: networking.k8s.io/v1beta1
+{{- else }}
+apiVersion: networking.k8s.io/v1
+{{- end }}
+kind: IngressClass
+metadata:
+ name: {{ .Values.controller.ingressClass }}
+ labels:
+ app.kubernetes.io/name: {{ template "kubernetes-ingress.name" . }}
+ helm.sh/chart: {{ template "kubernetes-ingress.chart" . }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/version: {{ .Chart.AppVersion }}
+{{- if .Values.controller.ingressClassResource.default }}
+ annotations:
+ ingressclass.kubernetes.io/is-default-class: "true"
+{{- end }}
+spec:
+ controller: haproxy.org/ingress-controller
+ {{- if .Values.controller.ingressClassResource.parameters }}
+ parameters:
+{{ toYaml .Values.controller.ingressClassResource.parameters | indent 4 }}
+ {{- end }}
+{{- end }}
diff --git a/charts/haproxy/haproxy/1.16.100/templates/controller-keda.yaml b/charts/haproxy/haproxy/1.16.100/templates/controller-keda.yaml
new file mode 100644
index 000000000..3807f2fa1
--- /dev/null
+++ b/charts/haproxy/haproxy/1.16.100/templates/controller-keda.yaml
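Review bot: The inner version guard wraps a single `semverCompare` in `and`, which has nothing to combine, and `"=1.18-0"` depends on the semver library treating a partial version as a range, which is easy to misread as an exact match on one pre-release. Stating the bound directly reads better and does not rely on that behaviour: `{{- if semverCompare "<1.19-0" .Capabilities.KubeVersion.GitVersion }}`. A one-line template comment saying that `networking.k8s.io/v1beta1` is kept for 1.18 clusters only would also make the branch easier to remove later.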
@@ -0,0 +1,52 @@ +{{/* +Copyright 2021 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and (eq .Values.controller.kind "Deployment") .Values.controller.keda.enabled }} +apiVersion: keda.sh/v1alpha1 +kind: ScaledObject +metadata: + name: {{ template "kubernetes-ingress.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ template "kubernetes-ingress.name" . }} + helm.sh/chart: {{ template "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + {{- if .Values.controller.keda.scaledObject.annotations }} + annotations: {{ toYaml .Values.controller.keda.scaledObject.annotations | nindent 4 }} + {{- end }} +spec: + scaleTargetRef: + name: {{ template "kubernetes-ingress.fullname" . }} + pollingInterval: {{ .Values.controller.keda.pollingInterval }} + cooldownPeriod: {{ .Values.controller.keda.cooldownPeriod }} + minReplicaCount: {{ .Values.controller.keda.minReplicas }} + maxReplicaCount: {{ .Values.controller.keda.maxReplicas }} + triggers: +{{- with .Values.controller.keda.triggers }} +{{ toYaml . | indent 2 }} +{{ end }} + advanced: + restoreToOriginalReplicaCount: {{ .Values.controller.keda.restoreToOriginalReplicaCount }} +{{- if .Values.controller.keda.behavior }} + horizontalPodAutoscalerConfig: + behavior: +{{ with .Values.controller.keda.behavior -}} +{{ toYaml . 
| indent 8 }} +{{ end }} +{{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.16.100/templates/controller-poddisruptionbudget.yaml b/charts/haproxy/haproxy/1.16.100/templates/controller-poddisruptionbudget.yaml new file mode 100644 index 000000000..e08d25cc7 --- /dev/null +++ b/charts/haproxy/haproxy/1.16.100/templates/controller-poddisruptionbudget.yaml @@ -0,0 +1,40 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.controller.PodDisruptionBudget.enable }} +apiVersion: policy/v1beta1 +kind: PodDisruptionBudget +metadata: + name: {{ template "kubernetes-ingress.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ template "kubernetes-ingress.name" . }} + helm.sh/chart: {{ template "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +spec: + {{- if .Values.controller.PodDisruptionBudget.maxUnavailable }} + maxUnavailable: {{ .Values.controller.PodDisruptionBudget.maxUnavailable }} + {{- end }} + {{- if .Values.controller.PodDisruptionBudget.minAvailable }} + minAvailable: {{ .Values.controller.PodDisruptionBudget.minAvailable }} + {{- end }} + selector: + matchLabels: + app.kubernetes.io/name: {{ template "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} \ No newline at end of file 
diff --git a/charts/haproxy/haproxy/1.16.100/templates/controller-podsecuritypolicy.yaml b/charts/haproxy/haproxy/1.16.100/templates/controller-podsecuritypolicy.yaml
new file mode 100644
index 000000000..7851e2acf
--- /dev/null
+++ b/charts/haproxy/haproxy/1.16.100/templates/controller-podsecuritypolicy.yaml
@@ -0,0 +1,80 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled }} +{{- $useHostNetwork := .Values.controller.daemonset.useHostNetwork }} +{{- $useHostPort := .Values.controller.daemonset.useHostPort }} +{{- $hostPorts := .Values.controller.daemonset.hostPorts -}} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: +{{- if .Values.podSecurityPolicy.annotations }} + annotations: +{{ toYaml .Values.podSecurityPolicy.annotations | indent 4 }} +{{- end }} + labels: + app.kubernetes.io/name: {{ template "kubernetes-ingress.name" . }} + helm.sh/chart: {{ template "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + name: {{ template "kubernetes-ingress.fullname" . 
}} + annotations: + seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default,runtime/default' + apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default' + seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default' + apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default' +spec: + allowPrivilegeEscalation: false + allowedCapabilities: + - NET_BIND_SERVICE + defaultAllowPrivilegeEscalation: false + fsGroup: + rule: MustRunAs + ranges: + - max: 65535 + min: 1 +{{- if $useHostNetwork }} + hostNetwork: true +{{- end }} +{{- if or $useHostPort $useHostNetwork }} + hostPorts: +{{- range $key, $value := .Values.controller.containerPort }} + - min: {{ $value }} + max: {{ $value }} +{{- end }} +{{- range .Values.controller.service.tcpPorts }} + - min: {{ .port }} + max: {{ .port }} +{{- end }} +{{- end }} + hostIPC: false + hostPID: false + privileged: false + runAsUser: + rule: RunAsAny + seLinux: + rule: RunAsAny + supplementalGroups: + rule: MustRunAs + ranges: + - max: 65535 + min: 1 + volumes: + - configMap + - downwardAPI + - secret +{{- end }} diff --git a/charts/haproxy/haproxy/1.16.100/templates/controller-pullsecret.yaml b/charts/haproxy/haproxy/1.16.100/templates/controller-pullsecret.yaml new file mode 100644 index 000000000..88252394c --- /dev/null +++ b/charts/haproxy/haproxy/1.16.100/templates/controller-pullsecret.yaml 
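Review bot: `metadata` can end up with two `annotations:` keys: one rendered from `.Values.podSecurityPolicy.annotations` at the top, and the fixed seccomp/AppArmor block after `name:`. Duplicate mapping keys are invalid YAML, and parsers that accept them usually keep the last one, so annotations supplied through values would be silently dropped or the manifest rejected. Emit a single `annotations:` key holding the four profile annotations and render the values map under it, e.g. `{{- with .Values.podSecurityPolicy.annotations }}{{ toYaml . | nindent 4 }}{{- end }}`. Separately, `runAsUser` uses `RunAsAny`, so the policy does not stop the controller from running as root; `MustRunAsNonRoot` would, if the image supports it.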
@@ -0,0 +1,32 @@
+{{/*
+Copyright 2019 HAProxy Technologies LLC
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.controller.imageCredentials.registry }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ template "kubernetes-ingress.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: {{ template "kubernetes-ingress.name" . }}
+ helm.sh/chart: {{ template "kubernetes-ingress.chart" . }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/version: {{ .Chart.AppVersion }}
+type: kubernetes.io/dockerconfigjson
+data:
+ .dockerconfigjson: {{ template "kubernetes-ingress.imagePullSecret" . }}
+{{- end }}
diff --git a/charts/haproxy/haproxy/1.16.100/templates/controller-role.yaml b/charts/haproxy/haproxy/1.16.100/templates/controller-role.yaml
new file mode 100644
index 000000000..3e41df6e4
--- /dev/null
+++ b/charts/haproxy/haproxy/1.16.100/templates/controller-role.yaml
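Review bot: Registry credentials supplied through `controller.imageCredentials` are rendered into this Secret at template time by the `kubernetes-ingress.imagePullSecret` helper (defined outside this hunk), so they presumably also end up in the Helm release record and in `helm get values` output. The deployment template already accepts `controller.existingImagePullSecret`; a header comment steering real credentials to that path would help, e.g. `Prefer controller.existingImagePullSecret; credentials set in values are kept in the release history.` The deployment checks `imageCredentials.registry` first, so setting both silently ignores the existing secret, which is worth documenting as well.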
@@ -0,0 +1,38 @@
+{{/*
+Copyright 2019 HAProxy Technologies LLC
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ template "kubernetes-ingress.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: {{ template "kubernetes-ingress.name" . }}
+ helm.sh/chart: {{ template "kubernetes-ingress.chart" . }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/version: {{ .Chart.AppVersion }}
+rules:
+- apiGroups:
+ - "policy"
+ resources:
+ - podsecuritypolicies
+ verbs:
+ - use
+ resourceNames:
+ - {{ template "kubernetes-ingress.fullname" . }}
+{{- end -}}
diff --git a/charts/haproxy/haproxy/1.16.100/templates/controller-rolebinding.yaml b/charts/haproxy/haproxy/1.16.100/templates/controller-rolebinding.yaml
new file mode 100644
index 000000000..40404a401
--- /dev/null
+++ b/charts/haproxy/haproxy/1.16.100/templates/controller-rolebinding.yaml
@@ -0,0 +1,37 @@
+{{/*
+Copyright 2019 HAProxy Technologies LLC
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ template "kubernetes-ingress.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: {{ template "kubernetes-ingress.name" . }}
+ helm.sh/chart: {{ template "kubernetes-ingress.chart" . }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/version: {{ .Chart.AppVersion }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ template "kubernetes-ingress.fullname" . }}
+subjects:
+- kind: ServiceAccount
+ name: {{ template "kubernetes-ingress.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
+{{- end -}}
diff --git a/charts/haproxy/haproxy/1.16.100/templates/controller-service.yaml b/charts/haproxy/haproxy/1.16.100/templates/controller-service.yaml
new file mode 100644
index 000000000..eb2eea381
--- /dev/null
+++ b/charts/haproxy/haproxy/1.16.100/templates/controller-service.yaml
@@ -0,0 +1,101 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.controller.service.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: {{ template "kubernetes-ingress.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ template "kubernetes-ingress.name" . }} + helm.sh/chart: {{ template "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- if .Values.controller.service.labels }} +{{ toYaml .Values.controller.service.labels | indent 4 }} +{{- end }} + annotations: +{{- range $key, $value := .Values.controller.service.annotations }} + {{ $key }}: {{ $value | quote }} +{{- end }} +spec: + {{ with .Values.controller.service.clusterIP }}clusterIP: {{ . 
}}{{ end }} + type: {{ .Values.controller.service.type }} + {{- if .Values.controller.service.externalTrafficPolicy }} + externalTrafficPolicy: {{ .Values.controller.service.externalTrafficPolicy }} + {{- end }} + {{- if .Values.controller.service.healthCheckNodePort }} + healthCheckNodePort: {{ .Values.controller.service.healthCheckNodePort }} + {{- end }} + ports: + {{- if .Values.controller.service.enablePorts.http }} + - name: http + port: {{ .Values.controller.service.ports.http }} + protocol: TCP + targetPort: {{ .Values.controller.service.targetPorts.http }} + {{- if .Values.controller.service.nodePorts.http }} + nodePort: {{ .Values.controller.service.nodePorts.http }} + {{- end }} + {{- end }} + {{- if .Values.controller.service.enablePorts.https }} + - name: https + port: {{ .Values.controller.service.ports.https }} + protocol: TCP + targetPort: {{ .Values.controller.service.targetPorts.https }} + {{- if .Values.controller.service.nodePorts.https }} + nodePort: {{ .Values.controller.service.nodePorts.https }} + {{- end }} + {{- end }} + {{- if .Values.controller.service.enablePorts.stat }} + - name: stat + port: {{ .Values.controller.service.ports.stat }} + protocol: TCP + targetPort: {{ .Values.controller.service.targetPorts.stat }} + {{- if .Values.controller.service.nodePorts.stat }} + nodePort: {{ .Values.controller.service.nodePorts.stat }} + {{- end }} + {{- end }} + {{- range .Values.controller.service.tcpPorts }} + - name: {{ .name }}-tcp + port: {{ .port }} + protocol: TCP + targetPort: {{ .targetPort }} + {{- if .nodePort }} + nodePort: {{ .nodePort }} + {{- end }} + {{- end }} + selector: + app.kubernetes.io/name: {{ template "kubernetes-ingress.name" . 
}} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- if .Values.controller.service.sessionAffinity }} + sessionAffinity: {{ .Values.controller.service.sessionAffinity }} + {{- end }} + externalIPs: +{{- if .Values.controller.service.externalIPs }} +{{ toYaml .Values.controller.service.externalIPs | indent 4 }} +{{- end -}} +{{- if (eq .Values.controller.service.type "LoadBalancer") }} +{{- if .Values.controller.service.loadBalancerIP }} + loadBalancerIP: "{{ .Values.controller.service.loadBalancerIP }}" +{{- end }} +{{- if .Values.controller.service.loadBalancerSourceRanges }} + loadBalancerSourceRanges: +{{ toYaml .Values.controller.service.loadBalancerSourceRanges | indent 4 }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.16.100/templates/controller-serviceaccount.yaml b/charts/haproxy/haproxy/1.16.100/templates/controller-serviceaccount.yaml new file mode 100644 index 000000000..c90710990 --- /dev/null +++ b/charts/haproxy/haproxy/1.16.100/templates/controller-serviceaccount.yaml 
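Review bot: The `stat` port is published on the same Service as `http` and `https`, so with `controller.service.type` set to `LoadBalancer` and `enablePorts.stat` true the HAProxy statistics endpoint is reachable from wherever the load balancer is, unless `loadBalancerSourceRanges` is set. The defaults live in values.yaml, outside this hunk, so whether the port is on by default cannot be told from here. I would add a template comment on the `stat` block, e.g. `stat exposes HAProxy statistics; leave disabled on public Services or restrict with loadBalancerSourceRanges`. Also, `externalIPs:` is emitted even when the list is empty; moving the key inside its `if` avoids rendering a null field.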
@@ -0,0 +1,29 @@
+{{/*
+Copyright 2019 HAProxy Technologies LLC
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if or .Values.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ template "kubernetes-ingress.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: {{ template "kubernetes-ingress.name" . }}
+ helm.sh/chart: {{ template "kubernetes-ingress.chart" . }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/version: {{ .Chart.AppVersion }}
+{{- end -}}
diff --git a/charts/haproxy/haproxy/1.16.100/templates/controller-servicemonitor.yaml b/charts/haproxy/haproxy/1.16.100/templates/controller-servicemonitor.yaml
new file mode 100644
index 000000000..0f4c2c3af
--- /dev/null
+++ b/charts/haproxy/haproxy/1.16.100/templates/controller-servicemonitor.yaml
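Review bot: The guard `{{- if or .Values.serviceAccount.create -}}` applies `or` to a single operand, which reads as if a second condition was lost in editing. If nothing else was intended, `{{- if .Values.serviceAccount.create -}}` is equivalent and clearer; if a second operand was meant, it should be restored, since this condition decides whether the controller's service account is created by the chart at all.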
@@ -0,0 +1,41 @@
+{{/*
+Copyright 2019 HAProxy Technologies LLC
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.controller.serviceMonitor.enabled }}
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+ name: {{ template "kubernetes-ingress.serviceMonitorName" . }}
+ labels:
+ app.kubernetes.io/name: {{ template "kubernetes-ingress.name" . }}
+ helm.sh/chart: {{ template "kubernetes-ingress.chart" . }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/version: {{ .Chart.AppVersion }}
+ {{- if .Values.controller.serviceMonitor.extraLabels }}
+ {{ toYaml .Values.controller.serviceMonitor.extraLabels | nindent 4 }}
+ {{- end }}
+spec:
+ endpoints:
+ {{ .Values.controller.serviceMonitor.endpoints | toYaml | nindent 4 }}
+ namespaceSelector:
+ matchNames:
+ - {{ .Release.Namespace }}
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: {{ template "kubernetes-ingress.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
diff --git a/charts/haproxy/haproxy/1.16.100/templates/default-backend-deployment.yaml b/charts/haproxy/haproxy/1.16.100/templates/default-backend-deployment.yaml
new file mode 100644
index 000000000..89566c676
--- /dev/null
+++ b/charts/haproxy/haproxy/1.16.100/templates/default-backend-deployment.yaml
@@ -0,0 +1,85 @@
+{{/*
+Copyright 2019 HAProxy Technologies LLC
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.defaultBackend.enabled }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ template "kubernetes-ingress.defaultBackend.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: {{ template "kubernetes-ingress.name" . }}
+ helm.sh/chart: {{ template "kubernetes-ingress.chart" . }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/version: {{ .Chart.AppVersion }}
+spec:
+ {{- if not .Values.defaultBackend.autoscaling.enabled }}
+ replicas: {{ .Values.defaultBackend.replicaCount }}
+ {{- end }}
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: {{ template "kubernetes-ingress.defaultBackend.fullname" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: {{ template "kubernetes-ingress.defaultBackend.fullname" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ {{- if .Values.defaultBackend.podLabels }}
+{{ toYaml .Values.defaultBackend.podLabels | indent 8 }}
+ {{- end }}
+ {{- if .Values.defaultBackend.podAnnotations }}
+ annotations:
+{{ toYaml .Values.defaultBackend.podAnnotations | indent 8 }}
+ {{- end }}
+ spec:
+{{- with .Values.defaultBackend.topologySpreadConstraints }}
+ topologySpreadConstraints:
+ {{- toYaml .
| nindent 8 }}
+{{- end }}
+{{- if .Values.controller.priorityClassName }}
+ priorityClassName: {{ .Values.controller.priorityClassName }}
+{{- end }}
+ containers:
+ - name: {{ template "kubernetes-ingress.name" . }}-{{ .Values.defaultBackend.name }}
+ image: "{{ .Values.defaultBackend.image.repository }}:{{ .Values.defaultBackend.image.tag }}"
+ imagePullPolicy: {{ .Values.defaultBackend.image.pullPolicy }}
+ ports:
+ - name: http
+ containerPort: {{ .Values.defaultBackend.containerPort }}
+ protocol: TCP
+ {{- if .Values.defaultBackend.extraEnvs }}
+ env:
+ {{- toYaml .Values.defaultBackend.extraEnvs | nindent 12 }}
+ {{- end }}
+ resources:
+ {{- toYaml .Values.defaultBackend.resources | nindent 12 }}
+ {{- with .Values.defaultBackend.nodeSelector }}
+ nodeSelector:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.defaultBackend.affinity }}
+ affinity:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ serviceAccountName: {{ template "kubernetes-ingress.defaultBackend.serviceAccountName" . }}
+ terminationGracePeriodSeconds: 60
+ {{- with .Values.defaultBackend.tolerations }}
+ tolerations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+{{- end }}
diff --git a/charts/haproxy/haproxy/1.16.100/templates/default-backend-hpa.yaml b/charts/haproxy/haproxy/1.16.100/templates/default-backend-hpa.yaml
new file mode 100644
index 000000000..655bfd3fe
--- /dev/null
+++ b/charts/haproxy/haproxy/1.16.100/templates/default-backend-hpa.yaml
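Review bot: The default-backend container is given no `securityContext`, and the `runAsUser: 65534` default listed with the default-backend image settings in values.yaml is not referenced anywhere in this template, so the pod runs as whatever user the image declares; the PodSecurityPolicy added in the same commit (`runAsUser: RunAsAny`) would not stop root either. A container-level block like the one below pins it; `readOnlyRootFilesystem` is left out because the image's write needs are not visible here. Also, `priorityClassName` is guarded by and read from `.Values.controller.priorityClassName`, so the `defaultBackend.priorityClassName` key in values.yaml has no effect; both references should use `.Values.defaultBackend.priorityClassName`.

```yaml
          imagePullPolicy: {{ .Values.defaultBackend.image.pullPolicy }}
          # values path assumed; the nesting of runAsUser is not recoverable from this view
          securityContext:
            runAsNonRoot: true
            runAsUser: {{ .Values.defaultBackend.image.runAsUser }}
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
          # … unchanged: ports, env, resources …
```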
@@ -0,0 +1,56 @@
+{{/*
+Copyright 2020 HAProxy Technologies LLC
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.defaultBackend.autoscaling.enabled .Values.defaultBackend.enabled }}
+apiVersion: autoscaling/v2beta2
+kind: HorizontalPodAutoscaler
+metadata:
+ name: {{ template "kubernetes-ingress.defaultBackend.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: {{ template "kubernetes-ingress.name" . }}
+ helm.sh/chart: {{ template "kubernetes-ingress.chart" . }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/version: {{ .Chart.AppVersion }}
+spec:
+ scaleTargetRef:
+ apiVersion: apps/v1
+ kind: Deployment
+ name: {{ template "kubernetes-ingress.defaultBackend.fullname" .
}}
+ minReplicas: {{ .Values.defaultBackend.autoscaling.minReplicas }}
+ maxReplicas: {{ .Values.defaultBackend.autoscaling.maxReplicas }}
+ metrics:
+ {{- if .Values.defaultBackend.autoscaling.targetCPUUtilizationPercentage }}
+ - type: Resource
+ resource:
+ name: cpu
+ target:
+ type: Utilization
+ averageUtilization: {{ .Values.defaultBackend.autoscaling.targetCPUUtilizationPercentage }}
+ {{- end }}
+ {{- if .Values.defaultBackend.autoscaling.targetMemoryUtilizationPercentage }}
+ - type: Resource
+ resource:
+ name: memory
+ target:
+ type: Utilization
+ averageUtilization: {{ .Values.defaultBackend.autoscaling.targetMemoryUtilizationPercentage }}
+ {{- end }}
+ {{- if .Values.defaultBackend.autoscaling.custom }}
+ {{- toYaml .Values.defaultBackend.autoscaling.custom | nindent 4 }}
+ {{- end }}
+{{- end }}
diff --git a/charts/haproxy/haproxy/1.16.100/templates/default-backend-podsecuritypolicy.yaml b/charts/haproxy/haproxy/1.16.100/templates/default-backend-podsecuritypolicy.yaml
new file mode 100644
index 000000000..82397b57b
--- /dev/null
+++ b/charts/haproxy/haproxy/1.16.100/templates/default-backend-podsecuritypolicy.yaml
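Review bot: `apiVersion: autoscaling/v2beta2` is hard-coded, and that API is no longer served from Kubernetes 1.26 on, so enabling `defaultBackend.autoscaling` fails on newer clusters; choosing the version with `.Capabilities.APIVersions.Has "autoscaling/v2"` keeps older and newer clusters working. The commented `custom` example in values.yaml (`metricName`, `targetAverageValue`) uses the v2beta1 field layout, which this apiVersion does not accept, so the example should show `metric.name` and `target` instead. If neither utilization percentage nor `custom` is set, `metrics:` renders as an empty key, which deserves a guard or a documented default.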
@@ -0,0 +1,64 @@
+{{/*
+Copyright 2019 HAProxy Technologies LLC
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled .Values.defaultBackend.enabled }}
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+{{- if .Values.podSecurityPolicy.annotations }}
+ annotations:
+{{ toYaml .Values.podSecurityPolicy.annotations | indent 4 }}
+{{- end }}
+ labels:
+ app.kubernetes.io/name: {{ template "kubernetes-ingress.name" . }}
+ helm.sh/chart: {{ template "kubernetes-ingress.chart" . }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/version: {{ .Chart.AppVersion }}
+ name: {{ template "kubernetes-ingress.defaultBackend.fullname" .
}}
+ annotations:
+ seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default,runtime/default'
+ apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
+ seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default'
+ apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
+spec:
+ allowPrivilegeEscalation: false
+ allowedCapabilities:
+ - NET_BIND_SERVICE
+ defaultAllowPrivilegeEscalation: false
+ fsGroup:
+ rule: MustRunAs
+ ranges:
+ - max: 65535
+ min: 1
+ hostNetwork: false
+ hostIPC: false
+ hostPID: false
+ privileged: false
+ runAsUser:
+ rule: RunAsAny
+ seLinux:
+ rule: RunAsAny
+ supplementalGroups:
+ rule: MustRunAs
+ ranges:
+ - max: 65535
+ min: 1
+ volumes:
+ - configMap
+ - downwardAPI
+ - secret
+{{- end }}
diff --git a/charts/haproxy/haproxy/1.16.100/templates/default-backend-role.yaml b/charts/haproxy/haproxy/1.16.100/templates/default-backend-role.yaml
new file mode 100644
index 000000000..8475d04fc
--- /dev/null
+++ b/charts/haproxy/haproxy/1.16.100/templates/default-backend-role.yaml
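Review bot: `metadata` can end up with two `annotations:` keys, one rendered from `.Values.podSecurityPolicy.annotations` near the top and the hard-coded seccomp/AppArmor block after `name:`. Lenient YAML parsers keep the last one, so profiles an operator sets through values are silently replaced by the defaults, and strict parsers reject the document; render a single `annotations:` map instead, for example by applying `mergeOverwrite` of the values map over the four defaults. On the policy itself, `runAsUser` uses `rule: RunAsAny`, which admits root for a backend whose default port is 8080; `rule: MustRunAsNonRoot` would be tighter, and `NET_BIND_SERVICE` in `allowedCapabilities` looks unnecessary for that port.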
@@ -0,0 +1,38 @@
+{{/*
+Copyright 2019 HAProxy Technologies LLC
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled .Values.defaultBackend.enabled -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ template "kubernetes-ingress.defaultBackend.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: {{ template "kubernetes-ingress.name" . }}
+ helm.sh/chart: {{ template "kubernetes-ingress.chart" . }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/version: {{ .Chart.AppVersion }}
+rules:
+- apiGroups:
+ - "policy"
+ resources:
+ - podsecuritypolicies
+ verbs:
+ - use
+ resourceNames:
+ - {{ template "kubernetes-ingress.defaultBackend.fullname" . }}
+{{- end -}}
diff --git a/charts/haproxy/haproxy/1.16.100/templates/default-backend-rolebinding.yaml b/charts/haproxy/haproxy/1.16.100/templates/default-backend-rolebinding.yaml
new file mode 100644
index 000000000..3a94e9418
--- /dev/null
+++ b/charts/haproxy/haproxy/1.16.100/templates/default-backend-rolebinding.yaml
@@ -0,0 +1,37 @@
+{{/*
+Copyright 2019 HAProxy Technologies LLC
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled .Values.defaultBackend.enabled -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ template "kubernetes-ingress.defaultBackend.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: {{ template "kubernetes-ingress.name" . }}
+ helm.sh/chart: {{ template "kubernetes-ingress.chart" . }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/version: {{ .Chart.AppVersion }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ template "kubernetes-ingress.defaultBackend.fullname" . }}
+subjects:
+- kind: ServiceAccount
+ name: {{ template "kubernetes-ingress.defaultBackend.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
+{{- end -}}
diff --git a/charts/haproxy/haproxy/1.16.100/templates/default-backend-service.yaml b/charts/haproxy/haproxy/1.16.100/templates/default-backend-service.yaml
new file mode 100644
index 000000000..682f32a32
--- /dev/null
+++ b/charts/haproxy/haproxy/1.16.100/templates/default-backend-service.yaml
@@ -0,0 +1,44 @@
+{{/*
+Copyright 2019 HAProxy Technologies LLC
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.defaultBackend.enabled }}
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ template "kubernetes-ingress.defaultBackend.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: {{ template "kubernetes-ingress.name" . }}
+ helm.sh/chart: {{ template "kubernetes-ingress.chart" . }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/version: {{ .Chart.AppVersion }}
+{{- if .Values.defaultBackend.service.annotations }}
+ annotations:
+{{ toYaml .Values.defaultBackend.service.annotations | indent 8 }}
+{{- end }}
+spec:
+ type: ClusterIP
+ clusterIP: None
+ ports:
+ - name: http
+ port: {{ .Values.defaultBackend.service.port }}
+ protocol: TCP
+ targetPort: http
+ selector:
+ app.kubernetes.io/name: {{ template "kubernetes-ingress.defaultBackend.fullname" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
diff --git a/charts/haproxy/haproxy/1.16.100/templates/default-backend-serviceaccount.yaml b/charts/haproxy/haproxy/1.16.100/templates/default-backend-serviceaccount.yaml
new file mode 100644
index 000000000..3c0853b14
--- /dev/null
+++ b/charts/haproxy/haproxy/1.16.100/templates/default-backend-serviceaccount.yaml
@@ -0,0 +1,29 @@
+{{/*
+Copyright 2019 HAProxy Technologies LLC
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.serviceAccount.create .Values.defaultBackend.serviceAccount.create .Values.defaultBackend.enabled -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ template "kubernetes-ingress.defaultBackend.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: {{ template "kubernetes-ingress.name" . }}
+ helm.sh/chart: {{ template "kubernetes-ingress.chart" . }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/version: {{ .Chart.AppVersion }}
+{{- end -}}
diff --git a/charts/haproxy/haproxy/1.16.100/values.yaml b/charts/haproxy/haproxy/1.16.100/values.yaml
new file mode 100644
index 000000000..fb321575e
--- /dev/null
+++ b/charts/haproxy/haproxy/1.16.100/values.yaml
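Review bot: This ServiceAccount leaves token automount at its default, so every default-backend pod gets an API token mounted, although the only RBAC rule this commit adds for it is PodSecurityPolicy `use`, which is evaluated at admission and does not need a token inside the pod. Adding `automountServiceAccountToken: false` at the top level of the ServiceAccount removes a credential the 404 backend presumably never uses. The guard also requires the global `.Values.serviceAccount.create`, while the Deployment always sets `serviceAccountName`; if the name helper (not visible here) does not fall back to `default` in that case, pods would reference an account that was never created.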
@@ -0,0 +1,576 @@
+# Copyright 2019 HAProxy Technologies LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+## Default values for kubernetes-ingress Chart for HAProxy Ingress Controller
+## ref: https://github.com/haproxytech/kubernetes-ingress/tree/master/documentation
+
+podSecurityPolicy:
+ annotations: {}
+ ## Specify pod annotations
+ ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#apparmor
+ ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#seccomp
+ ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#sysctl
+ ##
+ # apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default
+ # apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default
+ # seccomp.security.alpha.kubernetes.io/allowedProfileNames: runtime/default
+ # seccomp.security.alpha.kubernetes.io/defaultProfileName: runtime/default
+ enabled: false
+
+## Enable RBAC Authorization
+## ref: https://kubernetes.io/docs/reference/access-authn-authz/rbac/
+rbac:
+ create: true
+
+
+## Configure Service Account
+## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
+serviceAccount:
+ create: true
+ name:
+
+
+## Controller default values
+controller:
+ name: controller
+ image:
+ repository: haproxytech/kubernetes-ingress # can be changed to use CE or EE Controller images
+ tag: "{{ .Chart.AppVersion }}"
+ pullPolicy: IfNotPresent
+
+ ## Deployment or DaemonSet pod mode
+ ##
ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/
+ ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/
+ kind: Deployment # can be 'Deployment' or 'DaemonSet'
+ replicaCount: 2
+
+ ## Running container without root privileges
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+ unprivileged: false
+
+ ## Init Containers
+ ## ref: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/
+ initContainers: []
+ # - name: sysctl
+ # image: "busybox:musl"
+ # command:
+ # - /bin/sh
+ # - -c
+ # - sysctl -w net.core.somaxconn=65536
+ # securityContext:
+ # privileged: true
+
+ ## Pod termination grace period
+ ## ref: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/
+ terminationGracePeriodSeconds: 60
+
+ ## Private Registry configuration
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
+ imageCredentials:
+ registry: null
+ username: null
+ password: null
+ existingImagePullSecret: null
+
+ ## Controller Container listener port configuration
+ ## ref: https://kubernetes.io/docs/concepts/services-networking/connect-applications-service/
+ containerPort:
+ http: 80
+ https: 443
+ stat: 1024
+
+ ## Controller Container liveness/readiness probe configuration
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/
+ livenessProbe:
+ enabled: true
+ failureThreshold: 3
+ initialDelaySeconds: 0
+ path: /healthz
+ periodSeconds: 10
+ port: 1042
+ scheme: HTTP
+ successThreshold: 1
+ timeoutSeconds: 1
+
+ readinessProbe:
+ enabled: true
+ failureThreshold: 3
+ initialDelaySeconds: 0
+ path: /healthz
+ periodSeconds: 10
+ port: 1042
+ scheme: HTTP
+ successThreshold: 1
+ timeoutSeconds: 1
+
+ startupProbe:
+ enabled: true
+ failureThreshold: 20
+ initialDelaySeconds: 0
+ path: /healthz
+ periodSeconds: 1
+ port: 1042
+ scheme: HTTP
+ successThreshold: 1
+
timeoutSeconds: 1
+
+ ## Ingress Class used for ingress.class annotation in multi-ingress environments
+ ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress-controllers/#using-multiple-ingress-controllers
+ ingressClass: haproxy # typically "haproxy" or null to receive all events
+
+ ## Ingress Class resource with additional configuration and name of the controller
+ ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class
+ ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#default-ingress-class
+ ## Note: Uses ingressClass as name for the Ingress Class object if enabled
+ ingressClassResource:
+ enabled: false
+ default: false
+ parameters: {}
+
+ ## Additional labels to add to the deployment or daemonset metadata
+ ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
+ extraLabels: {}
+ # key: value
+
+ ## Additional labels to add to the pod container metadata
+ ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
+ podLabels: {}
+ # key: value
+
+ ## Additional annotations to add to the pod container metadata
+ ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
+ podAnnotations: {}
+ # key: value
+
+ ## Ingress TLS secret, if it is enabled and secret is null then controller will use auto-generated secret, otherwise
+ ## secret needs to contain name of the Secret object which has been created manually
+ ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls
+ ## ref: https://kubernetes.io/docs/concepts/configuration/secret/
+ defaultTLSSecret:
+ enabled: true
+ secretNamespace: "{{ .Release.Namespace }}"
+ secret: null
+
+ ## Compute Resources for controller container
+ ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
+ resources:
+ # limits:
+ # cpu: 100m
+ # memory: 64Mi
+ requests:
+ cpu: 100m
+ memory: 64Mi
+
+ ## Horizontal Pod
Scaler
+ ## Only to be used with Deployment kind
+ ## ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/
+ autoscaling:
+ enabled: false
+ minReplicas: 2
+ maxReplicas: 20
+ targetCPUUtilizationPercentage: 80
+ # targetMemoryUtilizationPercentage: 80
+
+ ## Custom metrics (example)
+ ## ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale-walkthrough/#autoscaling-on-multiple-metrics-and-custom-metrics
+ # custom:
+ # - type: Pods
+ # pods:
+ # metricName: haproxy_backend_current_sessions
+ # targetAverageValue: 2000
+
+ ## Kubernetes Event-driven Autoscaling: KEDA 2.x
+ ## ref: https://keda.sh/docs/2.3/concepts/scaling-deployments/
+ ## Note: mutually exclusive with HPA, enabling KEDA disables HPA
+ ## Node: requires serviceMonitor enabled
+ keda:
+ enabled: false
+ minReplicas: 2
+ maxReplicas: 20
+ pollingInterval: 30
+ cooldownPeriod: 300
+ restoreToOriginalReplicaCount: false
+ scaledObject:
+ annotations: {}
+ behaviour: {}
+ # scaleDown:
+ # stabilizationWindowSeconds: 300
+ # policies:
+ # - type: Percent
+ # value: 100
+ # periodSeconds: 15
+ triggers: []
+ # - type: prometheus
+ # metadata:
+ # serverAddress: http://:9090
+ # metricName: haproxy_process_idle_time_percent
+ # threshold: '50'
+ # query: avg(100-avg_over_time(haproxy_process_idle_time_percent{container="kubernetes-ingress-controller",service="mytest-kubernetes-ingress"}[2m]))
+
+ ## Pod Disruption Budget
+ ## Only to be used with Deployment kind
+ ## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/
+ PodDisruptionBudget:
+ enable: false
+ # maxUnavailable: 1
+ # minAvailable: 1
+
+ ## Pod Node assignment
+ ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
+ nodeSelector: {}
+
+ ## Node Taints and Tolerations for pod-node cheduling through attraction/repelling
+ ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
+ tolerations: []
+ # - key: "key"
+ # operator:
"Equal|Exists"
+ # value: "value"
+ # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)"
+
+ ## Node Affinity for pod-node scheduling constraints
+ ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
+ affinity: {}
+
+ ## Topology spread constraints (only used in kind: Deployment)
+ ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
+ topologySpreadConstraints: []
+ # - maxSkew: 1
+ # topologyKey: kubernetes.io/zone
+ # whenUnsatisfiable: DoNotSchedule
+ # labelSelector:
+ # matchLabels:
+ # app.kubernetes.io/name: kubernetes-ingress
+ # app.kubernetes.io/instance: kubernetes-ingress
+
+ ## Pod DNS Config
+ ## ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/
+ dnsConfig: {}
+
+ ## Pod DNS Policy
+ ## Change this to ClusterFirstWithHostNet in case you have useHostNetwork set to true
+ ## ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy
+ dnsPolicy: ClusterFirst
+
+ ## Additional command line arguments to pass to Controller
+ ## ref: https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md
+ extraArgs: []
+ # - --namespace-whitelist=default
+ # - --namespace-whitelist=namespace1
+ # - --namespace-blacklist=namespace2
+
+ ## Custom configuration for Controller
+ ## ref: https://github.com/haproxytech/kubernetes-ingress/tree/master/documentation
+ config: {}
+ # timeout-connect: "250ms"
+ # servers-increment: "10"
+ # servers-increment-max-disabled: "10"
+ # rate-limit: "ON"
+ # rate-limit-expire: "1m"
+ # rate-limit-interval: "10s"
+ # rate-limit-size: "100k"
+
+ ## Controller Logging configuration
+ logging:
+ ## Controller logging level
+ ## This only relevant to Controller logs
+ level: info
+
+ ## HAProxy traffic logs
+ ## ref: https://github.com/haproxytech/kubernetes-ingress/tree/master/documentation#logging
+ traffic: {}
+ # address: "stdout"
+ # format:
"raw"
+ # facility: "daemon"
+
+ ## Mirrors the address of the service's endpoints to the
+ ## load-balancer status of all Ingress objects it satisfies.
+ publishService:
+ enabled: true
+ ##
+ ## Override of the publish service
+ ## Must be /
+ pathOverride: ""
+
+ ## Controller Service configuration
+ ## ref: https://kubernetes.io/docs/concepts/services-networking/service/
+ service:
+ enabled: true # set to false when controller.kind is 'DaemonSet' and controller.daemonset.useHostPorts is true
+
+ type: NodePort # can be 'NodePort' or 'LoadBalancer'
+
+ ## Service annotations
+ ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
+ annotations: {}
+
+ ## Service labels
+ ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
+ labels: {}
+
+ ## Health check node port
+ ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
+ healthCheckNodePort: 0
+
+ ## Service nodePorts to use for http, https and stat
+ ## ref: https://kubernetes.io/docs/concepts/services-networking/service/
+ ## If empty, random ports will be used
+ nodePorts: {}
+ # http: 31080
+ # https: 31443
+ # stat: 31024
+
+ ## Service ports to use for http, https and stat
+ ## ref: https://kubernetes.io/docs/concepts/services-networking/service/
+ ports:
+ http: 80
+ https: 443
+ stat: 1024
+
+ ## The controller service ports for http, https and stat can be disabled by
+ ## setting below to false - this could be useful when only deploying haproxy
+ ## as a TCP loadbalancer
+ ## Note: At least one port (http, https, stat or from tcpPorts) has to be enabled
+ enablePorts:
+ http: true
+ https: true
+ stat: true
+
+ ## Target port mappings for http, https and stat
+ ## ref: https://kubernetes.io/docs/concepts/services-networking/service/
+ targetPorts:
+ http: http
+ https: https
+ stat: stat
+
+ ## Additional tcp ports to expose
+ ## This is especially useful for TCP
services:
+ ## https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md
+ tcpPorts: []
+ # - name: http-alt
+ # port: 8080
+ # targetPort: http-alt
+ # nodePort: 32080
+
+ ## Set external traffic policy
+ ## Default is "Cluster", setting it to "Local" preserves source IP
+ ## Ref: https://kubernetes.io/docs/tutorials/services/source-ip/#source-ip-for-services-with-typeloadbalancer
+ # externalTrafficPolicy: "Local"
+
+ ## Expose service via external IPs that route to one or more cluster nodes
+ externalIPs: []
+
+ ## LoadBalancer IP
+ ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer
+ loadBalancerIP: ""
+
+ ## Source IP ranges permitted to access Network Load Balancer
+ # ref: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/
+ loadBalancerSourceRanges: []
+
+ ## Service ClusterIP
+ ## ref: https://kubernetes.io/docs/concepts/services-networking/service/
+ # clusterIP: ""
+
+ ## Service session affinity
+ ## ref: https://kubernetes.io/docs/concepts/services-networking/service/
+ # sessionAffinity: ""
+
+ ## Controller DaemonSet configuration
+ ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/
+ daemonset:
+ useHostNetwork: false # also modify dnsPolicy accordingly
+ useHostPort: false
+ hostPorts:
+ http: 80
+ https: 443
+ stat: 1024
+
+ ## Controller deployment strategy definition
+ ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy
+ strategy: {}
+ # rollingUpdate:
+ # maxSurge: 25%
+ # maxUnavailable: 25%
+ # type: RollingUpdate
+
+ ## Controller Pod PriorityClass
+ ## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
+ priorityClassName: ""
+
+ ## Controller container lifecycle handlers
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/attach-handler-lifecycle-event/
+ lifecycle: {}
+ ## Example preStop for graceful shutdown
+
# preStop:
+ # exec:
+ # command: ["/bin/sh", "-c", "kill -USR1 $(pidof haproxy); while killall -0 haproxy; do sleep 1; done"]
+
+ ## Set additional environment variables
+ extraEnvs: []
+ ## Set TZ env to configure timezone on controller containers
+ # - name: TZ
+ # value: "Etc/UTC"
+
+ ## Add additional containers
+ extraContainers: []
+ ## Example sidecar
+ # - name: sidecar
+ # image: alpine # alpine is a simple Linux OS image
+ # command: ["/bin/sh"]
+ # args: ["-c", "while true; do date; sleep 5;done"]
+
+ ## Additional volumeMounts to the controller main container
+ extraVolumeMounts: []
+ ## Example empty volume mounts when using securityContext->readOnlyRootFilesystem
+ # - name: etc-haproxy
+ # mountPath: /etc/haproxy
+ # - name: tmp
+ # mountPath: /tmp
+ # - name: var-state-haproxy
+ # mountPath: /var/state/haproxy
+
+ ## Additional volumes to the controller pod
+ extraVolumes: []
+ ## Example empty volumes when using securityContext->readOnlyRootFilesystem
+ # - name: etc-haproxy
+ # emptyDir: {}
+ # - name: tmp
+ # emptyDir: {}
+ # - name: var-state-haproxy
+ # emptyDir: {}
+
+ ## ServiceMonitor
+ ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/user-guides/getting-started.md
+ ## Note: requires Prometheus Operator to be able to work, for example:
+ ## helm install prometheus prometheus-community/kube-prometheus-stack \
+ ## --set prometheus.prometheusSpec.podMonitorSelectorNilUsesHelmValues=false \
+ ## --set prometheus.prometheusSpec.serviceMonitorSelectorNilUsesHelmValues=false
+ serviceMonitor:
+ ## Toggle the ServiceMonitor true if you have Prometheus Operator installed and configured
+ enabled: false
+
+ ## Specify the labels to add to the ServiceMonitors to be selected for target discovery
+ extraLabels: {}
+
+ ## Specify the endpoints
+ ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/design.md#servicemonitor
+ endpoints:
+ - port: stat
+ path: /metrics
+
scheme: http
+
+## Default 404 backend
+defaultBackend:
+ enabled: true
+ name: default-backend
+ replicaCount: 2
+
+ image:
+ repository: k8s.gcr.io/defaultbackend-amd64
+ tag: 1.5
+ pullPolicy: IfNotPresent
+ runAsUser: 65534
+
+ ## Compute Resources
+ ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
+ resources:
+ # limits:
+ # cpu: 10m
+ # memory: 16Mi
+ requests:
+ cpu: 10m
+ memory: 16Mi
+
+ ## Horizontal Pod Scaler
+ ## Only to be used with Deployment kind
+ ## ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/
+ autoscaling:
+ enabled: false
+ minReplicas: 1
+ maxReplicas: 2
+ targetCPUUtilizationPercentage: 80
+ # targetMemoryUtilizationPercentage: 80
+
+ ## Custom metrics (example)
+ ## ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale-walkthrough/#autoscaling-on-multiple-metrics-and-custom-metrics
+ # custom:
+ # - type: Pods
+ # pods:
+ # metricName: haproxy_backend_current_sessions
+ # targetAverageValue: 2000
+
+ ## Listener port configuration
+ ## ref: https://kubernetes.io/docs/concepts/services-networking/connect-applications-service/
+ containerPort: 8080
+
+ ## Pod Node assignment
+ ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
+ nodeSelector: {}
+
+ ## Node Taints and Tolerations for pod-node cheduling through attraction/repelling
+ ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
+ tolerations: []
+ # - key: "key"
+ # operator: "Equal|Exists"
+ # value: "value"
+ # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)"
+
+ ## Node Affinity for pod-node scheduling constraints
+ ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
+ affinity: {}
+
+ ## Topology spread constraints
+ ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
+ topologySpreadConstraints: []
+ # - maxSkew: 1
+ #
topologyKey: kubernetes.io/zone
+ # whenUnsatisfiable: DoNotSchedule
+ # labelSelector:
+ # matchLabels:
+ # app.kubernetes.io/name: kubernetes-ingress-kubernetes-ingress-default-backend
+ # app.kubernetes.io/instance: haproxy-ingress
+
+ ## Additional labels to add to the pod container metadata
+ ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
+ podLabels: {}
+ # key: value
+
+ ## Additional annotations to add to the pod container metadata
+ ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
+ podAnnotations: {}
+ # key: value
+
+ service:
+ ## Annotations for the default backend service object
+ annotations: {}
+ # Use the controller as default backend
+ # haproxy.org/backend-config-snippet: http-request return status 404
+
+ ## Service ports
+ ## ref: https://kubernetes.io/docs/concepts/services-networking/service/
+ port: 8080
+
+ ## Configure Service Account
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
+ serviceAccount:
+ create: true
+
+ ## Pod PriorityClass
+ ## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
+ priorityClassName: ""
+
+ ## Set additional environment variables
+ extraEnvs: []
+ ## Set TZ env to configure timezone on controller containers
+ # - name: TZ
+ # value: "Etc/UTC"
diff --git a/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.1.0/.helmignore b/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.1.0/.helmignore
new file mode 100644
index 000000000..be86b789d
--- /dev/null
+++ b/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.1.0/.helmignore
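Review bot: With these defaults the controller Service is `type: NodePort` and `enablePorts.stat: true`, so the HAProxy stats/metrics port (1024) would be opened on every node unless the operator overrides it, assuming the Service template (not in this view) honours these keys; defaulting to `stat: false`, or saying in the comment that the port should be reachable only from the monitoring path, is the safer default. `controller.unprivileged: false` and a plain-value `imageCredentials.password`, which ends up in the stored release values, deserve comments pointing to `unprivileged: true` and `existingImagePullSecret` for production installs. `tag: 1.5` under the default-backend image is an unquoted float, so a tag such as `1.10` would render as `1.1`; write `tag: "1.5"`. Minor: `serviceAccount.name:` is a bare empty value, `PodDisruptionBudget.enable` breaks the `enabled` naming used for the other toggles, and the comments contain `cheduling` and `Node:` where `Note:` is meant.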
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+# Helm files
+OWNERS
diff --git a/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.1.0/Chart.yaml b/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.1.0/Chart.yaml
new file mode 100644
index 000000000..eaed0eb40
--- /dev/null
+++ b/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.1.0/Chart.yaml
@@ -0,0 +1,18 @@
+annotations:
+ catalog.cattle.io/certified: partner
+ catalog.cattle.io/display-name: TrilioVault for Kubernetes Operator
+ catalog.cattle.io/release-name: k8s-triliovault-operator
+apiVersion: v1
+appVersion: v2.1.0
+description: K8s-TrilioVault-Operator is an operator designed to manage the K8s-TrilioVault
+ Application Lifecycle.
+home: https://github.com/trilioData/k8s-triliovault-operator
+icon: https://www.trilio.io/wp-content/uploads/2021/01/Trilio-2020-logo-RGB-gray-green.png
+kubeVersion: '>= 1.18'
+maintainers:
+- email: prafull.ladha@trilio.io
+ name: prafull11
+name: k8s-triliovault-operator
+sources:
+- https://github.com/trilioData/k8s-triliovault-operator
+version: 2.1.0
diff --git a/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.1.0/LICENSE b/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.1.0/LICENSE
new file mode 100644
index 000000000..76b559d3b
--- /dev/null
+++ b/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.1.0/LICENSE
@@ -0,0 +1 @@
+# Placeholder for the License if we decide to provide one
diff --git a/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.1.0/README.md b/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.1.0/README.md
new file mode 100644
index 000000000..600ce8dfd
--- /dev/null
+++ b/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.1.0/README.md
@@ -0,0 +1,41 @@
+# K8s-TrilioVault-Operator
+This operator is to manage the lifecycle of TrilioVault Backup/Recovery solution. This operator install, updates and manage the TrilioVault application.
+
+## Introduction
+
+## Prerequisites
+
+- Kubernetes 1.13+
+- Alpha feature gates should be enabled
+- PV provisioner support
+- CSI driver should be installed
+
+## Installation
+
+To install the chart with the operator name `trilio`:
+
+```bash
+# For helm version 2
+helm install --name trilio k8s-triliovault-operator
+
+# For helm version 3
+helm install --name-template trilio k8s-triliovault-operator
+```
+
+The command deploys the K8s-triliovault-operator with the default configuration.
+
+## Uninstall
+
+To uninstall/delete the chart `trilio` :
+
+```bash
+# For helm version 2
+helm delete trilio --purge
+
+# For helm version 3
+helm uninstall trilio
+```
+
+## Configuration
+
+TODO: Add possible configuration in helm chart.
diff --git a/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.1.0/app-readme.md b/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.1.0/app-readme.md
new file mode 100644
index 000000000..65a2b3495
--- /dev/null
+++ b/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.1.0/app-readme.md
@@ -0,0 +1,37 @@
+# TrilioVault for Kubernetes
+
+[K8s-TrilioVault-Operator](https://trilio.io) is an operator designed to manage
+the K8s-TrilioVault Application Lifecycle.
+
+This operator is to manage the lifecycle of TrilioVault Backup/Recovery solution. This operator install, updates and manage the TrilioVault application.
+
+Introduction:
+
+Prerequisites:
+
+Kubernetes 1.17+
+Alpha feature gates should be enabled
+PV provisioner support
+CSI driver should be installed
+
+Installation:
+
+To install the chart with the operator name trilio:
+
+helm install k8s-triliovault-operator triliovault-operator/k8s-triliovault-operator
+
+# For helm version 3
+
+helm install triliovault-operator triliovault-operator/k8s-triliovault-operator
+
+The command deploys the Triliovault for Kubernetes Operator with the default configuration.
+
+Uninstall:
+
+To uninstall/delete the chart trilio :
+
+# For helm version 3
+helm uninstall k8s-triliovault-operator
+
+For more information around TVM manager installation, please follow below link:
+https://docs.trilio.io/kubernetes/use-triliovault/installing-triliovault
diff --git a/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.1.0/crds/triliovault.trilio.io_triliovaultmanagers.yaml b/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.1.0/crds/triliovault.trilio.io_triliovaultmanagers.yaml
new file mode 100644
index 000000000..c1e40f2e7
--- /dev/null
+++ b/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.1.0/crds/triliovault.trilio.io_triliovaultmanagers.yaml
@@ -0,0 +1,826 @@ + +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.3.0 + creationTimestamp: null + name: triliovaultmanagers.triliovault.trilio.io +spec: + additionalPrinterColumns: + - JSONPath: .spec.trilioVaultAppVersion + name: TrilioVault-Version + type: string + - JSONPath: .spec.applicationScope + name: Scope + type: string + - JSONPath: .status.conditions.type + name: Status + type: string + - JSONPath: .spec.restoreNamespaces + name: Restore-Namespaces + type: string + group: triliovault.trilio.io + names: + kind: TrilioVaultManager + listKind: TrilioVaultManagerList + plural: triliovaultmanagers + shortNames: + - tvm + singular: triliovaultmanager + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + description: TrilioVaultManager is the Schema for the triliovaultmanagers API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: TrilioVaultManagerSpec defines the desired state of TrilioVaultManager + properties: + affinity: + description: The scheduling constraints on application pods. + properties: + nodeAffinity: + description: Describes node affinity scheduling rules for the pod. 
+ properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to schedule pods to nodes + that satisfy the affinity expressions specified by this field, + but it may choose a node that violates one or more of the + expressions. The node that is most preferred is the one with + the greatest sum of weights, i.e. for each node that meets + all of the scheduling requirements (resource request, requiredDuringScheduling + affinity expressions, etc.), compute a sum by iterating through + the elements of this field and adding "weight" to the sum + if the node matches the corresponding matchExpressions; the + node(s) with the highest sum are the most preferred. + items: + description: An empty preferred scheduling term matches all + objects with implicit weight 0 (i.e. it's a no-op). A null + preferred scheduling term matches no objects (i.e. is also + a no-op). + properties: + preference: + description: A node selector term, associated with the + corresponding weight. + properties: + matchExpressions: + description: A list of node selector requirements + by node's labels. + items: + description: A node selector requirement is a selector + that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: Represents a key's relationship + to a set of values. Valid operators are In, + NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: An array of string values. If the + operator is In or NotIn, the values array + must be non-empty. If the operator is Exists + or DoesNotExist, the values array must be + empty. If the operator is Gt or Lt, the values + array must have a single element, which will + be interpreted as an integer. This array is + replaced during a strategic merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of node selector requirements + by node's fields. + items: + description: A node selector requirement is a selector + that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: Represents a key's relationship + to a set of values. Valid operators are In, + NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: An array of string values. If the + operator is In or NotIn, the values array + must be non-empty. If the operator is Exists + or DoesNotExist, the values array must be + empty. If the operator is Gt or Lt, the values + array must have a single element, which will + be interpreted as an integer. This array is + replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + weight: + description: Weight associated with matching the corresponding + nodeSelectorTerm, in the range 1-100. + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements specified by this + field are not met at scheduling time, the pod will not be + scheduled onto the node. If the affinity requirements specified + by this field cease to be met at some point during pod execution + (e.g. due to an update), the system may or may not try to + eventually evict the pod from its node. + properties: + nodeSelectorTerms: + description: Required. A list of node selector terms. The + terms are ORed. + items: + description: A null or empty node selector term matches + no objects. The requirements of them are ANDed. 
The + TopologySelectorTerm type implements a subset of the + NodeSelectorTerm. + properties: + matchExpressions: + description: A list of node selector requirements + by node's labels. + items: + description: A node selector requirement is a selector + that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: Represents a key's relationship + to a set of values. Valid operators are In, + NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: An array of string values. If the + operator is In or NotIn, the values array + must be non-empty. If the operator is Exists + or DoesNotExist, the values array must be + empty. If the operator is Gt or Lt, the values + array must have a single element, which will + be interpreted as an integer. This array is + replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of node selector requirements + by node's fields. + items: + description: A node selector requirement is a selector + that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: Represents a key's relationship + to a set of values. Valid operators are In, + NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: An array of string values. If the + operator is In or NotIn, the values array + must be non-empty. If the operator is Exists + or DoesNotExist, the values array must be + empty. If the operator is Gt or Lt, the values + array must have a single element, which will + be interpreted as an integer. This array is + replaced during a strategic merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + type: array + required: + - nodeSelectorTerms + type: object + type: object + podAffinity: + description: Describes pod affinity scheduling rules (e.g. co-locate + this pod in the same node, zone, etc. as some other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to schedule pods to nodes + that satisfy the affinity expressions specified by this field, + but it may choose a node that violates one or more of the + expressions. The node that is most preferred is the one with + the greatest sum of weights, i.e. for each node that meets + all of the scheduling requirements (resource request, requiredDuringScheduling + affinity expressions, etc.), compute a sum by iterating through + the elements of this field and adding "weight" to the sum + if the node has pods which matches the corresponding podAffinityTerm; + the node(s) with the highest sum are the most preferred. + items: + description: The weights of all of the matched WeightedPodAffinityTerm + fields are added per-node to find the most preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, associated + with the corresponding weight. + properties: + labelSelector: + description: A label query over a set of resources, + in this case pods. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. 
+ type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + namespaces: + description: namespaces specifies which namespaces + the labelSelector applies to (matches against); + null or empty list means "this pod's namespace" + items: + type: string + type: array + topologyKey: + description: This pod should be co-located (affinity) + or not co-located (anti-affinity) with the pods + matching the labelSelector in the specified namespaces, + where co-located is defined as running on a node + whose value of the label with key topologyKey matches + that of any node on which any of the selected pods + is running. Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: weight associated with matching the corresponding + podAffinityTerm, in the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements specified by this + field are not met at scheduling time, the pod will not be + scheduled onto the node. If the affinity requirements specified + by this field cease to be met at some point during pod execution + (e.g. 
due to a pod label update), the system may or may not + try to eventually evict the pod from its node. When there + are multiple elements, the lists of nodes corresponding to + each podAffinityTerm are intersected, i.e. all terms must + be satisfied. + items: + description: Defines a set of pods (namely those matching + the labelSelector relative to the given namespace(s)) that + this pod should be co-located (affinity) or not co-located + (anti-affinity) with, where co-located is defined as running + on a node whose value of the label with key + matches that of any node on which a pod of the set of pods + is running + properties: + labelSelector: + description: A label query over a set of resources, in + this case pods. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector + that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, + NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. + If the operator is In or NotIn, the values + array must be non-empty. If the operator is + Exists or DoesNotExist, the values array must + be empty. This array is replaced during a + strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field + is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. 
+ type: object + type: object + namespaces: + description: namespaces specifies which namespaces the + labelSelector applies to (matches against); null or + empty list means "this pod's namespace" + items: + type: string + type: array + topologyKey: + description: This pod should be co-located (affinity) + or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where + co-located is defined as running on a node whose value + of the label with key topologyKey matches that of any + node on which any of the selected pods is running. Empty + topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + podAntiAffinity: + description: Describes pod anti-affinity scheduling rules (e.g. + avoid putting this pod in the same node, zone, etc. as some other + pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to schedule pods to nodes + that satisfy the anti-affinity expressions specified by this + field, but it may choose a node that violates one or more + of the expressions. The node that is most preferred is the + one with the greatest sum of weights, i.e. for each node that + meets all of the scheduling requirements (resource request, + requiredDuringScheduling anti-affinity expressions, etc.), + compute a sum by iterating through the elements of this field + and adding "weight" to the sum if the node has pods which + matches the corresponding podAffinityTerm; the node(s) with + the highest sum are the most preferred. + items: + description: The weights of all of the matched WeightedPodAffinityTerm + fields are added per-node to find the most preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, associated + with the corresponding weight. + properties: + labelSelector: + description: A label query over a set of resources, + in this case pods. 
+ properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + namespaces: + description: namespaces specifies which namespaces + the labelSelector applies to (matches against); + null or empty list means "this pod's namespace" + items: + type: string + type: array + topologyKey: + description: This pod should be co-located (affinity) + or not co-located (anti-affinity) with the pods + matching the labelSelector in the specified namespaces, + where co-located is defined as running on a node + whose value of the label with key topologyKey matches + that of any node on which any of the selected pods + is running. Empty topologyKey is not allowed. 
+ type: string + required: + - topologyKey + type: object + weight: + description: weight associated with matching the corresponding + podAffinityTerm, in the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the anti-affinity requirements specified by + this field are not met at scheduling time, the pod will not + be scheduled onto the node. If the anti-affinity requirements + specified by this field cease to be met at some point during + pod execution (e.g. due to a pod label update), the system + may or may not try to eventually evict the pod from its node. + When there are multiple elements, the lists of nodes corresponding + to each podAffinityTerm are intersected, i.e. all terms must + be satisfied. + items: + description: Defines a set of pods (namely those matching + the labelSelector relative to the given namespace(s)) that + this pod should be co-located (affinity) or not co-located + (anti-affinity) with, where co-located is defined as running + on a node whose value of the label with key + matches that of any node on which a pod of the set of pods + is running + properties: + labelSelector: + description: A label query over a set of resources, in + this case pods. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector + that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, + NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. 
+ If the operator is In or NotIn, the values + array must be non-empty. If the operator is + Exists or DoesNotExist, the values array must + be empty. This array is replaced during a + strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field + is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: namespaces specifies which namespaces the + labelSelector applies to (matches against); null or + empty list means "this pod's namespace" + items: + type: string + type: array + topologyKey: + description: This pod should be co-located (affinity) + or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where + co-located is defined as running on a node whose value + of the label with key topologyKey matches that of any + node on which any of the selected pods is running. Empty + topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + type: object + applicationScope: + description: Scope for the application which will be installed in the + cluster NamespaceScope or ClusterScope + enum: + - Cluster + - Namespaced + type: string + dataJobLimits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: DataJobLimits are the resource limits for all the data + processing jobs. 
+ type: object + deploymentLimits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: DeploymentLimits are the resource limits for all the deployments. + type: object + helmValues: + description: HelmValues holds all the additional fields in the values.yaml + of TVK helm chart. + type: object + helmVersion: + description: 'Deprecated: Helm Version' + properties: + tillerNamespace: + type: string + version: + enum: + - v3 + type: string + required: + - version + type: object + metadataJobLimits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: MetadataJobLimits are the resource limits for all the meta + processing jobs. + type: object + nodeSelector: + additionalProperties: + type: string + description: NodeSelector specifies a map of key-value pairs. For the + pod to be eligible to run on a node, the node must have each of the + indicated key-value pairs as labels. + type: object + resources: + description: 'Deprecated: Resources are the resource requirements for + the containers.' + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes the maximum amount of compute resources + allowed. 
More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/' + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes the minimum amount of compute resources + required. If Requests is omitted for a container, it defaults + to Limits if that is explicitly specified, otherwise to an implementation-defined + value. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/' + type: object + type: object + restoreNamespaces: + description: 'Deprecated: RestoreNamespaces are the namespace where + you want to restore your applications. Restore Namespaces depends + on your k8s RBAC' + items: + type: string + type: array + tolerations: + description: The toleration of application against the specific taints + on the nodes + items: + description: The pod this Toleration is attached to tolerates any + taint that matches the triple using the matching + operator . + properties: + effect: + description: Effect indicates the taint effect to match. Empty + means match all taint effects. When specified, allowed values + are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: Key is the taint key that the toleration applies + to. Empty means match all taint keys. If the key is empty, operator + must be Exists; this combination means to match all values and + all keys. + type: string + operator: + description: Operator represents a key's relationship to the value. + Valid operators are Exists and Equal. Defaults to Equal. Exists + is equivalent to wildcard for value, so that a pod can tolerate + all taints of a particular category. 
+ type: string + tolerationSeconds: + description: TolerationSeconds represents the period of time the + toleration (which must be of effect NoExecute, otherwise this + field is ignored) tolerates the taint. By default, it is not + set, which means tolerate the taint forever (do not evict). + Zero and negative values will be treated as 0 (evict immediately) + by the system. + format: int64 + type: integer + value: + description: Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise + just a regular string. + type: string + type: object + type: array + trilioVaultAppVersion: + description: Helm Chart version + type: string + required: + - applicationScope + type: object + status: + description: TrilioVaultManagerStatus defines the observed state of TrilioVaultManager + properties: + conditions: + properties: + lastTransitionTime: + format: date-time + nullable: true + type: string + message: + minLength: 0 + type: string + reason: + enum: + - InstallSuccessful + - UpdateSuccessful + - UninstallSuccessful + - InstallError + - UpdateError + - ReconcileError + - UninstallError + type: string + status: + enum: + - "True" + - "False" + - Unknown + type: string + type: + enum: + - Initialized + - Deployed + - Updated + - ReleaseFailed + - Irreconcilable + type: string + type: object + deployedRelease: + properties: + manifest: + type: string + name: + type: string + type: object + releaseVersion: + type: string + required: + - conditions + type: object + type: object + version: v1 + versions: + - name: v1 + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.1.0/templates/NOTES.txt b/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.1.0/templates/NOTES.txt new file mode 100644 index 000000000..19cd282d3 --- /dev/null 
+++ b/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.1.0/templates/NOTES.txt
@@ -0,0 +1,3 @@
+To verify that TrilioVault Operator has started, run:
+
+ kubectl --namespace={{ .Release.Namespace }} get deployments -l "release={{ .Release.Name }}"
\ No newline at end of file
diff --git a/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.1.0/templates/_helpers.tpl b/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.1.0/templates/_helpers.tpl
new file mode 100644
index 000000000..7cea76a18
--- /dev/null
+++ b/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.1.0/templates/_helpers.tpl
@@ -0,0 +1,33 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "k8s-triliovault-operator.name" -}}
+{{- default .Release.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+*/}}
+{{- define "k8s-triliovault-operator.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return the proper TrilioVault Operator image name
+*/}}
+{{- define "k8s-triliovault-operator.image" -}}
+{{- $registryName := .Values.image.registry -}}
+{{- $repositoryName := .Values.image.repository -}}
+{{- $tag := .Values.image.tag | toString -}}
+{{- printf "%s/%s:%s" $registryName $repositoryName $tag -}}
+{{- end -}}
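Review bot: The `k8s-triliovault-operator.image` helper can only render `registry/repository:tag`, so the operator image cannot be pinned to an immutable digest even though the same commit binds its service account to a cluster-wide role in clusterrole.yaml. An optional digest value would close that gap, for example `{{- if .Values.image.digest -}}{{- printf "%s/%s@%s" $registryName $repositoryName .Values.image.digest -}}{{- else -}}` ahead of the existing `printf`, with a closing `{{- end -}}`; `image.digest` is a proposed new key, not one this chart defines today. values.yaml is outside this hunk, but if `image.registry` may be left empty the current `printf` renders a leading `/`, which is worth guarding as well.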
diff --git a/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.1.0/templates/clusterrole.yaml b/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.1.0/templates/clusterrole.yaml
new file mode 100644
index 000000000..c8c3852e6
--- /dev/null
+++ b/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.1.0/templates/clusterrole.yaml
@@ -0,0 +1,106 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{template "k8s-triliovault-operator.name" .}}-{{.Release.Namespace}}-manager-role
+rules:
+ - apiGroups:
+ - '*'
+ resources:
+ - '*'
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - apiextensions.k8s.io
+ resources:
+ - customresourcedefinitions
+ verbs:
+ - create
+ - update
+ - delete
+ - patch
+ - apiGroups:
+ - ""
+ resources:
+ - serviceaccounts
+ - services
+ - services/finalizers
+ - secrets
+ - events
+ - pods
+ - endpoints
+ - configmaps
+ verbs:
+ - create
+ - update
+ - delete
+ - patch
+ - apiGroups:
+ - admissionregistration.k8s.io
+ resources:
+ - validatingwebhookconfigurations
+ - mutatingwebhookconfigurations
+ verbs:
+ - create
+ - update
+ - delete
+ - patch
+ - apiGroups:
+ - apps
+ resources:
+ - deployments
+ verbs:
+ - create
+ - update
+ - delete
+ - patch
+ - apiGroups:
+ - rbac.authorization.k8s.io
+ resources:
+ - clusterroles
+ - clusterrolebindings
+ - roles
+ - rolebindings
+ verbs:
+ - create
+ - update
+ - delete
+ - patch
+ - bind
+ - escalate
+ - apiGroups:
+ - triliovault.trilio.io
+ resources:
+ - '*'
+ verbs:
+ - '*'
+ - apiGroups:
+ - ""
+ resources:
+ - namespaces
+ verbs:
+ - update
+ - apiGroups:
+ - batch
+ resources:
+ - cronjobs
+ verbs:
+ - delete
+ - apiGroups:
+ - policy
+ resources:
+ - poddisruptionbudgets
+ verbs:
+ - create
+ - update
+ - patch
+ - delete
+ - apiGroups:
+ - networking.k8s.io
+ resources:
+ - ingresses
+ - ingressclasses
+ verbs:
+ - delete
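Review bot: The `rbac.authorization.k8s.io` rule in clusterrole.yaml grants `bind` and `escalate` on clusterroles and clusterrolebindings together with create/update/patch, which lets the operator's service account grant itself or any other subject any permission, so this role is effectively cluster-admin. The first rule (`'*'` / `'*'` with get, list and watch) additionally makes every Secret in every namespace readable, and the core-group rule adds cluster-wide write on secrets, pods and serviceaccounts. If the operator only needs to install a known set of roles, consider dropping `escalate` and `bind` and shipping those roles in the chart; whether that is possible depends on operator code not shown here. At minimum, a comment above the rule such as `# bind/escalate: operator installs TVK RBAC; treat this service account as cluster-admin` would make the trust level explicit to installers.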
diff --git a/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.1.0/templates/clusterrole_binding.yaml b/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.1.0/templates/clusterrole_binding.yaml
new file mode 100644
index 000000000..2646923b3
--- /dev/null
+++ b/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.1.0/templates/clusterrole_binding.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ template "k8s-triliovault-operator.name" . }}-{{ .Release.Namespace }}-manager-rolebinding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ template "k8s-triliovault-operator.name" . }}-{{ .Release.Namespace }}-manager-role
+subjects:
+- kind: ServiceAccount
+ name: k8s-triliovault-operator
+ namespace: {{ .Release.Namespace }}
diff --git a/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.1.0/templates/deployment.yaml b/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.1.0/templates/deployment.yaml
new file mode 100644
index 000000000..ca17659f1
--- /dev/null
+++ b/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.1.0/templates/deployment.yaml
@@ -0,0 +1,110 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "k8s-triliovault-operator.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + app: k8s-triliovault-operator + chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" + release: "{{ .Release.Name }}" + heritage: "{{ .Release.Service }}" +spec: + selector: + matchLabels: + app: {{ template "k8s-triliovault-operator.fullname" . }} + release: "{{ .Release.Name }}" + replicas: {{ .Values.replicaCount }} + template: + metadata: + labels: + app: {{ template "k8s-triliovault-operator.fullname" . }} + chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" + release: "{{ .Release.Name }}" + heritage: "{{ .Release.Service }}" + spec: + containers: + - name: k8s-triliovault-operator + image: {{ .Values.registry }}/{{ index .Values "k8s-triliovault-operator" "repository" }}:{{ .Values.tag }} + imagePullPolicy: {{ .Values.image.pullPolicy | quote }} + env: + - name: TVK_ENV + value: {{ .Values.tvkEnv }} + - name: TVK_HELM_REPO + value: {{ .Values.tvkHelmRepo }} + - name: REGISTRY + value: {{ .Values.registry }} + - name: ADMISSION_MUTATION_CONFIG + value: {{ template "k8s-triliovault-operator.name" . }}-mutating-webhook-configuration + - name: ADMISSION_VALIDATION_CONFIG + value: {{ template "k8s-triliovault-operator.name" . }}-validating-webhook-configuration + - name: NAMESPACE_VALIDATION_CONFIG + value: {{ template "k8s-triliovault-operator.name" . 
}}-ns-validating-webhook-configuration + volumeMounts: + {{- if .Values.tls.enable }} + - name: helm-tls-certs + mountPath: /root/.helm + readOnly: true + {{- if .Values.tls.verify }} + - name: helm-tls-ca + mountPath: /root/.helm/ca.crt + readOnly: true + {{- end }} + {{- end }} + - mountPath: /tmp/k8s-webhook-server/serving-certs + name: webhook-certs + readOnly: true + resources: + limits: + cpu: 200m + memory: 512Mi + requests: + cpu: 10m + memory: 10Mi + initContainers: + - name: webhook-init + image: {{ .Values.registry }}/{{ index .Values "operator-webhook-init" "repository" }}:{{ .Values.tag }} + imagePullPolicy: {{ .Values.image.pullPolicy | quote }} + env: + - name: TVK_ENV + value: {{ .Values.tvkEnv }} + - name: TVK_HELM_REPO + value: {{ .Values.tvkHelmRepo }} + - name: RELEASE_VERSION + value: {{ .Chart.Version }} + - name: ADMISSION_MUTATION_CONFIG + value: {{ template "k8s-triliovault-operator.name" . }}-mutating-webhook-configuration + - name: ADMISSION_VALIDATION_CONFIG + value: {{ template "k8s-triliovault-operator.name" . }}-validating-webhook-configuration + - name: NAMESPACE_VALIDATION_CONFIG + value: {{ template "k8s-triliovault-operator.name" . }}-ns-validating-webhook-configuration + - name: WEBHOOK_SERVICE + value: {{ template "k8s-triliovault-operator.fullname" . }}-webhook-service + - name: WEBHOOK_NAMESPACE + value: {{ .Release.Namespace }} + - name: SECRET_NAME + value: {{ template "k8s-triliovault-operator.fullname" . }}-webhook-certs + serviceAccountName: k8s-triliovault-operator + {{- if .Values.nodeSelector }} + nodeSelector: {{- .Values.nodeSelector | toYaml | nindent 8 }} + {{- end }} + {{- if .Values.affinity }} + affinity: + {{- toYaml .Values.affinity | nindent 8 }} + {{- end }} + volumes: + {{- if .Values.tls.enable }} + - name: helm-tls-certs + secret: + secretName: {{ .Values.tls.secretName }} + defaultMode: 0400 + {{- if .Values.tls.verify }} + - name: helm-tls-ca + configMap: + name: {{ template "helm-operator.fullname" . 
}}-helm-tls-ca-config + defaultMode: 0600 + {{- end }} + {{- end }} + - name: webhook-certs + secret: + defaultMode: 420 + secretName: {{ template "k8s-triliovault-operator.fullname" . }}-webhook-certs diff --git a/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.1.0/templates/mutating-webhook.yaml b/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.1.0/templates/mutating-webhook.yaml new file mode 100644 index 000000000..6a17a0e1e --- /dev/null +++ b/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.1.0/templates/mutating-webhook.yaml @@ -0,0 +1,24 @@ +apiVersion: admissionregistration.k8s.io/v1beta1 +kind: MutatingWebhookConfiguration +metadata: + name: {{ template "k8s-triliovault-operator.name" . }}-mutating-webhook-configuration +webhooks: +- clientConfig: + caBundle: Cg== + service: + name: {{ template "k8s-triliovault-operator.fullname" . }}-webhook-service + namespace: {{ .Release.Namespace }} + path: /mutate-triliovault-trilio-io-v1-triliovaultmanager + failurePolicy: Fail + name: v1-tvm-mutation.trilio.io + rules: + - apiGroups: + - triliovault.trilio.io + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - triliovaultmanagers + sideEffects: None diff --git a/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.1.0/templates/ns-validating-webhook.yaml b/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.1.0/templates/ns-validating-webhook.yaml new file mode 100644 index 000000000..a51d3f375 --- /dev/null +++ b/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.1.0/templates/ns-validating-webhook.yaml 
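Review bot: In deployment.yaml the `helm-tls-ca` volume names its ConfigMap with `{{ template "helm-operator.fullname" . }}`, but the `_helpers.tpl` added in this commit defines only `k8s-triliovault-operator.name`, `k8s-triliovault-operator.fullname` and `k8s-triliovault-operator.image`. Rendering therefore presumably fails once `tls.enable` and `tls.verify` are both true, and the line most likely should read `name: {{ template "k8s-triliovault-operator.fullname" . }}-helm-tls-ca-config`. Separately, neither the `k8s-triliovault-operator` container nor the `webhook-init` init container sets a `securityContext`, and the `/root/.helm` mount path suggests the image runs as root while using the service account bound to the manager ClusterRole. Adding `securityContext: {allowPrivilegeEscalation: false, capabilities: {drop: ["ALL"]}}` to both containers would be a reasonable start, to be confirmed against what the images need.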
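Review bot: mutating-webhook.yaml registers its webhook under `admissionregistration.k8s.io/v1beta1`, an API version that Kubernetes removed in 1.22, so the template is rejected on clusters at or above that version. validating-webhook.yaml and ns-validating-webhook.yaml later in this commit use the same version. Moving to `apiVersion: admissionregistration.k8s.io/v1` also requires an `admissionReviewVersions` list on each webhook entry, for example `admissionReviewVersions: ["v1", "v1beta1"]`, once the webhook server is confirmed to answer those versions. `sideEffects: None` is already set, which v1 accepts.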
@@ -0,0 +1,30 @@
+apiVersion: admissionregistration.k8s.io/v1beta1
+kind: ValidatingWebhookConfiguration
+metadata:
+ name: {{ template "k8s-triliovault-operator.name" . }}-ns-validating-webhook-configuration
+webhooks:
+- clientConfig:
+ caBundle: Cg==
+ service:
+ name: {{ template "k8s-triliovault-operator.fullname" . }}-webhook-service
+ namespace: {{ .Release.Namespace }}
+ path: /validate-core-v1-namespace
+ failurePolicy: Fail
+ name: v1-tvm-ns-validation.trilio.io
+ namespaceSelector:
+ matchExpressions:
+ - key: trilio-operator-label
+ operator: In
+ values:
+ - {{ .Release.Namespace }}
+ rules:
+ - apiGroups:
+ - ""
+ apiVersions:
+ - v1
+ operations:
+ - DELETE
+ resources:
+ - namespaces
+ scope: '*'
+ sideEffects: None
diff --git a/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.1.0/templates/secret.yaml b/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.1.0/templates/secret.yaml
new file mode 100644
index 000000000..ea1faf3e1
--- /dev/null
+++ b/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.1.0/templates/secret.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ template "k8s-triliovault-operator.fullname" . }}-webhook-certs
+ namespace: {{ .Release.Namespace }}
+type: Opaque
diff --git a/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.1.0/templates/serviceAccount.yaml b/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.1.0/templates/serviceAccount.yaml
new file mode 100644
index 000000000..4f164b120
--- /dev/null
+++ b/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.1.0/templates/serviceAccount.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: k8s-triliovault-operator
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: k8s-triliovault-operator
+ chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+ release: "{{ .Release.Name }}"
+ heritage: "{{ .Release.Service }}"
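Review bot: The namespace webhook in ns-validating-webhook.yaml combines `failurePolicy: Fail` with the `DELETE` operation on namespaces, so whenever the operator pod or its webhook service is unavailable the API server rejects deletion of every namespace carrying `trilio-operator-label` with the release namespace as its value. If that fail-closed behaviour is the intended protection, a comment above `failurePolicy` would help operators who hit it during an outage, e.g. `# Fail closed: labelled namespaces cannot be deleted while the operator webhook is down`. Adding `timeoutSeconds: 5` (an illustrative value) would bound how long such requests wait before being rejected.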
diff --git a/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.1.0/templates/validating-webhook.yaml b/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.1.0/templates/validating-webhook.yaml
new file mode 100644
index 000000000..fe001ffe9
--- /dev/null
+++ b/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.1.0/templates/validating-webhook.yaml
@@ -0,0 +1,24 @@
+apiVersion: admissionregistration.k8s.io/v1beta1
+kind: ValidatingWebhookConfiguration
+metadata:
+ name: {{ template "k8s-triliovault-operator.name" . }}-validating-webhook-configuration
+webhooks:
+- clientConfig:
+ caBundle: Cg==
+ service:
+ name: {{ template "k8s-triliovault-operator.fullname" . }}-webhook-service
+ namespace: {{ .Release.Namespace }}
+ path: /validate-triliovault-trilio-io-v1-triliovaultmanager
+ failurePolicy: Fail
+ name: v1-tvm-validation.trilio.io
+ rules:
+ - apiGroups:
+ - triliovault.trilio.io
+ apiVersions:
+ - v1
+ operations:
+ - CREATE
+ - UPDATE
+ resources:
+ - triliovaultmanagers
+ sideEffects: None
diff --git a/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.1.0/templates/webhook-service.yaml b/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.1.0/templates/webhook-service.yaml
new file mode 100644
index 000000000..68f7a53c6
--- /dev/null
+++ b/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.1.0/templates/webhook-service.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ template "k8s-triliovault-operator.fullname" . }}-webhook-service
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "k8s-triliovault-operator.fullname" . }}
+ release: "{{ .Release.Name }}"
+spec:
+ ports:
+ - port: 443
+ targetPort: 9443
+ selector:
+ app: {{ template "k8s-triliovault-operator.fullname" . }}
+ release: "{{ .Release.Name }}"
\ No newline at end of file
diff --git a/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.1.0/values.yaml b/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.1.0/values.yaml new file mode 100644 index 000000000..be2498769 --- /dev/null +++ b/charts/k8s-triliovault-operator/k8s-triliovault-operator/2.1.0/values.yaml @@ -0,0 +1,35 @@ +## TrilioVault Operator +registry: "eu.gcr.io/amazing-chalice-243510" + +operator-webhook-init: + repository: operator-webhook-init + +k8s-triliovault-operator: + repository: k8s-triliovault-operator + +tag: "v2.1.0" + +tvkHelmRepo: "" + +affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: kubernetes.io/arch + operator: In + values: + - amd64 + +image: + pullPolicy: Always +tls: + secretName: "helm-client-certs" + verify: false + enable: false + keyFile: "tls.key" + certFile: "tls.crt" + caContent: "" + hostname: "" + +nameOverride: "" diff --git a/charts/universal-crossplane/universal-crossplane/1.2.300200/.helmignore b/charts/universal-crossplane/universal-crossplane/1.2.300200/.helmignore new file mode 100644 index 000000000..f0c131944 --- /dev/null +++ b/charts/universal-crossplane/universal-crossplane/1.2.300200/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/universal-crossplane/universal-crossplane/1.2.300200/Chart.yaml b/charts/universal-crossplane/universal-crossplane/1.2.300200/Chart.yaml new file mode 100644 index 000000000..2df1583f6 --- /dev/null +++ b/charts/universal-crossplane/universal-crossplane/1.2.300200/Chart.yaml 
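Review bot: The k8s-triliovault-operator values.yaml selects both operator images by the tag `tag: "v2.1.0"` and sets `image.pullPolicy: Always`, so every pod start re-resolves that tag in `eu.gcr.io/amazing-chalice-243510`. Because the pod runs under the manager ClusterRole, whoever can push to that registry path decides what runs with those rights. Supporting an optional digest value and rendering `repository@sha256:<digest>` when it is set would let installers pin the exact image. The file also defines no `replicaCount` or `tvkEnv`, both of which deployment.yaml reads, so those fields render empty; explicit defaults such as `replicaCount: 1` would make the rendered manifest deterministic.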
@@ -0,0 +1,43 @@ +annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Upbound Universal Crossplane + catalog.cattle.io/release-name: universal-crossplane +apiVersion: v1 +appVersion: 1.2.3002 +description: 'Upbound Universal Crossplane (UXP) is Upbound''s official enterprise-grade + distribution of Crossplane. It''s fully compatible with upstream Crossplane, open + source, capable of connecting to Upbound Cloud for real-time dashboard visibility, + and maintained by Upbound. It''s the easiest way for both individual community members + and enterprises to build their production control planes. ' +home: https://upbound.io +icon: https://raw.githubusercontent.com/upbound/universal-crossplane/66ce9eb2c5a0c3af8ed7d19551a2c4d743b933b9/docs/media/logo.png +keywords: +- cloud +- infrastructure +- services +- application +- database +- cache +- bucket +- infra +- app +- ops +- oam +- gcp +- azure +- aws +- alibaba +- cloudsql +- rds +- s3 +- azuredatabase +- asparadb +- gke +- aks +- eks +kubeVersion: '>= 1.15' +maintainers: +- email: info@upbound.io + name: Upbound Inc. +name: universal-crossplane +version: 1.2.300200 diff --git a/charts/universal-crossplane/universal-crossplane/1.2.300200/app-readme.md b/charts/universal-crossplane/universal-crossplane/1.2.300200/app-readme.md new file mode 100644 index 000000000..c6d8ecfe0 --- /dev/null +++ b/charts/universal-crossplane/universal-crossplane/1.2.300200/app-readme.md 
@@ -0,0 +1,36 @@ +# Upbound Universal Crossplane (UXP) + +Upbound Universal Crossplane (UXP) is [Upbound's](https://upbound.io) official enterprise-grade distribution of [Crossplane](https://crossplane.io). It's fully compatible with upstream Crossplane, [open source](https://github.com/upbound/universal-crossplane), capable of connecting to [Upbound Cloud](https://cloud.upbound.io) for real-time dashboard visibility, and maintained by Upbound. It's the easiest way for both individual community members and enterprises to build their production control planes. + +## Connecting to Upbound Cloud + +You can optionally connect your Universal Crossplane instance to Upbound Cloud. +Follow the steps below to connect your Universal Crossplane cluster to your Upbound Cloud Console. + +1. Install Upbound CLI + + You will need to make sure you have the Upbound CLI installed before you continue. If you need more information on how to install the Upbound CLI, you can read the [Installing Upbound CLI Documentation](https://cloud.upbound.io/docs/cli). + + ``` + curl -sL https://cli.upbound.io | sh + ``` + +2. Log in to Upbound Cloud + + ``` + up cloud login --profile=rancher --account=$UPBOUND_ACCOUNT + ``` + + Or, to log in using an Upbound [API token](https://cloud.upbound.io/account/settings/tokens): + + ``` + up cloud login --profile=rancher --account=$UPBOUND_ACCOUNT --token=$API_TOKEN + ``` + +3. Create a Self-Hosted Control Plane + + ``` + up cloud controlplane attach $CONTROL_PLANE_NAME --profile=rancher + ``` + +4. Provide the token obtained in the previous step as `upbound.controlPlane.token` under `Upbound Cloud` section \ No newline at end of file diff --git a/charts/universal-crossplane/universal-crossplane/1.2.300200/questions.yaml b/charts/universal-crossplane/universal-crossplane/1.2.300200/questions.yaml new file mode 100644 index 000000000..c5cb628bf --- /dev/null +++ b/charts/universal-crossplane/universal-crossplane/1.2.300200/questions.yaml 
@@ -0,0 +1,184 @@ +questions: +# Upbound Cloud configuration +- variable: upbound.controlPlane.token + label: upbound.controlPlane.token + required: false + type: password + description: Token used to connect Upbound Cloud + group: "Upbound Cloud" +- variable: upbound.controlPlane.permission + label: upbound.controlPlane.permission + required: false + type: enum + default: "edit" + options: + - "edit" + - "view" + description: Cluster permissions for Upbound Cloud + group: "Upbound Cloud" +# Basic Crossplane configuration +- variable: replicas + label: replicas + description: Number of replicas to run for Crossplane pods + type: int + default: 1 + required: true + group: "Crossplane" +# Advanced Crossplane configuration +- variable: advancedCrossplaneConfiguration + description: View advanced configuration settings + label: View advanced configuration + type: boolean + default: false + show_subquestion_if: true + group: "Crossplane" + subquestions: + - variable: leaderElection + label: leaderElection + description: "Enable leader election for Crossplane Managers pod" + type: boolean + default: true + required: false + group: "Crossplane" + - variable: deploymentStrategy + label: deploymentStrategy + description: "The deployment strategy for the Crossplane and RBAC Manager (if enabled) pods" + type: enum + default: "RollingUpdate" + options: + - "RollingUpdate" + - "Recreate" + required: true + group: "Crossplane" + - variable: priorityClassName + label: priorityClassName + description: "Priority class name for Crossplane and RBAC Manager (if enabled) pods" + type: string + required: false + group: "Crossplane" + - variable: metrics.enabled + label: metrics.enabled + description: "Expose Crossplane and RBAC Manager metrics endpoint" + type: boolean + required: false + group: "Crossplane" +# Basic Crossplane RBAC Manager configuration +- variable: rbacManager.deploy + label: rbacManager.deploy + description: "Deploy RBAC Manager" + type: boolean + default: true + 
required: true + group: "Crossplane RBAC Manager" +- variable: rbacManager.replicas + label: rbacManager.replicas + description: "The number of replicas to run for the RBAC Manager pods" + type: int + default: 1 + required: true + group: "Crossplane RBAC Manager" +# Advanced Crossplane RBAC Manager configuration +- variable: advancedRBACManagerConfiguration + description: View advanced configuration settings + label: View advanced configuration + type: boolean + default: false + show_subquestion_if: true + group: "Crossplane RBAC Manager" + subquestions: + - variable: rbacManager.leaderElection + label: rbacManager.leaderElection + description: "Enable leader election for RBAC Managers pod" + type: boolean + default: true + group: "Crossplane RBAC Manager" + - variable: rbacManager.managementPolicy + label: rbacManager.managementPolicy + description: RBAC manager permissions. 'All' enables management for every Crossplane controller and user role. 'Basic' enables management just for Crossplane controller roles and the crossplane-admin, crossplane-edit, and crossplane-view user roles. + type: enum + default: "Basic" + options: + - "Basic" + - "All" + required: true + group: "Crossplane RBAC Manager" + - variable: rbacManager.skipAggregatedClusterRoles + label: rbacManager.skipAggregatedClusterRoles + description: "Opt out of deploying aggregated ClusterRoles" + type: boolean + default: true + group: "Crossplane RBAC Manager" +# Basic Package configuration +- variable: provider.packages + label: provider.packages + description: List of Provider packages to install with Crossplane. Select 'Edit as YAML' for the best editing experience. + type: string + required: false + group: "Packages" +- variable: configuration.packages + label: configuration.packages + description: List of Configuration packages to install with Crossplane. Select 'Edit as YAML' for the best editing experience. 
+ type: string + required: false + group: "Packages" +# Advanced Package configuration +- variable: advancedPackageConfiguration + description: View advanced configuration settings + label: View advanced configuration + type: boolean + default: false + show_subquestion_if: true + group: "Packages" + subquestions: + - variable: packageCache.sizeLimit + label: packageCache.sizeLimit + description: "Size limit for package cache. If medium is Memory then maximum usage would be the minimum of this value the sum of all memory limits on containers in the Crossplane pod" + type: string + default: "5Mi" + group: "Packages" + - variable: packageCache.medium + label: packageCache.medium + description: "Storage medium for package cache. Memory means volume will be backed by tmpfs, which can be useful for development" + type: string + group: "Packages" + - variable: packageCache.pvc + label: packageCache.pvc + description: "Name of the PersistentVolumeClaim to be used as the package cache. Providing a value will cause the default emptyDir volume to not be mounted" + type: string + group: "Packages" +# Basic XGQL configuration +- variable: xgql.config.debugMode + label: xgql.config.debugMode + description: "Enable debug mode for XGQL" + type: boolean + default: false + group: "XGQL" +# Advanced Crossplane configuration +- variable: advancedXGQLConfiguration + description: View advanced configuration settings + label: View advanced configuration + type: boolean + default: false + show_subquestion_if: true + group: "XGQL" + subquestions: + - variable: xgql.metrics.enabled + label: xgql.metrics.enabled + description: "Expose XGQL metrics endpoint" + type: boolean + required: false + group: "XGQL" +# Basic Agent configuration +- variable: agent.config.debugMode + label: agent.config.debugMode + description: "Enable debug mode for Upbound Agent" + type: boolean + default: false + group: "Upbound Agent" +# Basic Bootstrapper configuration +- variable: bootstrapper.config.debugMode + 
label: bootstrapper.config.debugMode + description: "Enable debug mode for Bootstrapper" + type: boolean + default: false + group: "Bootstrapper" \ No newline at end of file diff --git a/charts/universal-crossplane/universal-crossplane/1.2.300200/templates/NOTES.txt b/charts/universal-crossplane/universal-crossplane/1.2.300200/templates/NOTES.txt new file mode 100644 index 000000000..33260c04f --- /dev/null +++ b/charts/universal-crossplane/universal-crossplane/1.2.300200/templates/NOTES.txt @@ -0,0 +1,15 @@ +By proceeding, you are accepting to comply with terms and conditions in https://licenses.upbound.io/upbound-software-license.html + +✨ Thank you for installing Universal Crossplane! +{{- if or (eq .Values.upbound.controlPlane.permission "view") (eq .Values.upbound.controlPlane.permission "edit") }} +🚀 You can now connect your cluster to Upbound Cloud! + +Example command: +{{ if eq .Values.upbound.controlPlane.permission "edit" }} +$ up cloud controlplane attach | \ +up uxp connect --token-secret-name {{ .Values.upbound.controlPlane.tokenSecretName }} --namespace {{ .Release.Namespace }} - +{{- else if eq .Values.upbound.controlPlane.permission "view" }} +$ up cloud controlplane attach --view-only | \ +up uxp connect --token-secret-name {{ .Values.upbound.controlPlane.tokenSecretName }} --namespace {{ .Release.Namespace }} - +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/universal-crossplane/universal-crossplane/1.2.300200/templates/_helpers.tpl b/charts/universal-crossplane/universal-crossplane/1.2.300200/templates/_helpers.tpl new file mode 100644 index 000000000..7ba5d8058 --- /dev/null +++ b/charts/universal-crossplane/universal-crossplane/1.2.300200/templates/_helpers.tpl 
@@ -0,0 +1,21 @@ +{{/* vim: set filetype=mustache: */}} + +{{/* +Common labels +*/}} +{{- define "labels" -}} +helm.sh/chart: {{ include "chart" . }} +{{ include "selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "selectorLabels" -}} +app.kubernetes.io/name: {{ include "name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} diff --git a/charts/universal-crossplane/universal-crossplane/1.2.300200/templates/bootstrapper/_helpers.tpl b/charts/universal-crossplane/universal-crossplane/1.2.300200/templates/bootstrapper/_helpers.tpl new file mode 100644 index 000000000..bdca1ae09 --- /dev/null +++ b/charts/universal-crossplane/universal-crossplane/1.2.300200/templates/bootstrapper/_helpers.tpl @@ -0,0 +1,21 @@ +{{/* vim: set filetype=mustache: */}} + +{{- define "bootstrapper-name" -}} +{{- "upbound-bootstrapper" -}} +{{- end -}} + +{{/* +Labels - bootstrapper +*/}} +{{- define "labelsBootstrapper" -}} +{{ include "labels" . }} +app.kubernetes.io/component: bootstrapper +{{- end }} + +{{/* +Selector labels - bootstrapper +*/}} +{{- define "selectorLabelsBootstrapper" -}} +{{ include "selectorLabels" . }} +app.kubernetes.io/component: bootstrapper +{{- end }} \ No newline at end of file diff --git a/charts/universal-crossplane/universal-crossplane/1.2.300200/templates/bootstrapper/clusterrole.yaml b/charts/universal-crossplane/universal-crossplane/1.2.300200/templates/bootstrapper/clusterrole.yaml new file mode 100644 index 000000000..162abdd7a --- /dev/null +++ b/charts/universal-crossplane/universal-crossplane/1.2.300200/templates/bootstrapper/clusterrole.yaml 
@@ -0,0 +1,26 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ template "bootstrapper-name" . }}
+ labels:
+ {{- include "labelsBootstrapper" . | nindent 4 }}
+rules:
+ # Bootstrapper needs to identify the cluster uniquely and it does that by using
+ # UID of kube-system namespace.
+ - apiGroups:
+ - ""
+ resources:
+ - namespaces
+ resourceNames:
+ - "kube-system"
+ verbs:
+ - "get"
+ # Controller-runtime requires watch and list permissions to build its resource
+ # cache of the kind that any client query is made for.
+ - apiGroups:
+ - ""
+ resources:
+ - namespaces
+ verbs:
+ - "list"
+ - "watch"
diff --git a/charts/universal-crossplane/universal-crossplane/1.2.300200/templates/bootstrapper/clusterrolebinding.yaml b/charts/universal-crossplane/universal-crossplane/1.2.300200/templates/bootstrapper/clusterrolebinding.yaml
new file mode 100644
index 000000000..33fd634cd
--- /dev/null
+++ b/charts/universal-crossplane/universal-crossplane/1.2.300200/templates/bootstrapper/clusterrolebinding.yaml
@@ -0,0 +1,14 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ template "bootstrapper-name" . }}
+ labels:
+ {{- include "labelsBootstrapper" . | nindent 4 }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ template "bootstrapper-name" . }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ template "bootstrapper-name" . }}
+ namespace: {{ .Release.Namespace }}
\ No newline at end of file
diff --git a/charts/universal-crossplane/universal-crossplane/1.2.300200/templates/bootstrapper/deployment.yaml b/charts/universal-crossplane/universal-crossplane/1.2.300200/templates/bootstrapper/deployment.yaml
new file mode 100644
index 000000000..de8acd5db
--- /dev/null
+++ b/charts/universal-crossplane/universal-crossplane/1.2.300200/templates/bootstrapper/deployment.yaml
@@ -0,0 +1,59 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ template "bootstrapper-name" . }}
+ labels:
+ {{- include "labelsBootstrapper" . | nindent 4 }}
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ {{- include "selectorLabelsBootstrapper" . | nindent 6 }}
+ template:
+ metadata:
+ labels:
+ {{- include "selectorLabelsBootstrapper" . | nindent 8 }}
+ spec:
+ serviceAccountName: {{ template "bootstrapper-name" . }}
+ {{- if .Values.billing.awsMarketplace.enabled }}
+ securityContext:
+ # Providing this is not required for 1.19 or later clusters.
+ # See https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts-technical-overview.html
+ fsGroup: 1337
+ {{- end }}
+ {{- if .Values.imagePullSecrets }}
+ imagePullSecrets:
+ {{- range $index, $secret := .Values.imagePullSecrets }}
+ - name: {{ $secret }}
+ {{- end }}
+ {{ end }}
+ containers:
+ - name: bootstrapper
+ image: "{{ .Values.bootstrapper.image.repository }}:{{ .Values.bootstrapper.image.tag }}"
+ args:
+ - start
+ - --namespace
+ - {{ .Release.Namespace }}
+ - --upbound-api-url
+ - {{ .Values.upbound.apiURL }}
+ - --upbound-token-secret
+ - {{ .Values.upbound.controlPlane.tokenSecretName }}
+ - --agent-manifest
+ - {{ include "agent-spec" . | b64enc }}
+ - --controller
+ - upbound-agent
+ - --controller
+ - tls-secrets
+ {{- if .Values.billing.awsMarketplace.enabled }}
+ - --controller
+ - aws-marketplace
+ {{- end }}
+ {{- if .Values.bootstrapper.config.debugMode }}
+ - "--debug"
+ {{- end }}
+ {{- range $arg := .Values.bootstrapper.config.args }}
+ - {{ $arg }}
+ {{- end }}
+ imagePullPolicy: {{ .Values.bootstrapper.image.pullPolicy }}
+ resources:
+ {{- toYaml .Values.bootstrapper.resources | nindent 12 }}
diff --git a/charts/universal-crossplane/universal-crossplane/1.2.300200/templates/bootstrapper/role.yaml b/charts/universal-crossplane/universal-crossplane/1.2.300200/templates/bootstrapper/role.yaml
new file mode 100644
index 000000000..cb19df19f
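Review bot: The `bootstrapper` container is declared without a `securityContext`, and the only pod-level one (`fsGroup: 1337`) is rendered solely when `billing.awsMarketplace.enabled` is set, so this pod runs with whatever defaults the image and the cluster apply. The crossplane and rbac-manager Deployments in this commit already take theirs from values (`securityContextCrossplane`, `securityContextRBACManager`); the same pattern fits here, e.g. `securityContext:` followed by `{{- toYaml .Values.bootstrapper.securityContext | nindent 12 }}`, where `bootstrapper.securityContext` would be a new values key shipped with a restrictive default (non-root, no privilege escalation, dropped capabilities), assuming the image supports that. The `agent` container in `upbound-agent/_deployment-spec.tpl` has the same gap.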
--- /dev/null
+++ b/charts/universal-crossplane/universal-crossplane/1.2.300200/templates/bootstrapper/role.yaml
@@ -0,0 +1,28 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ template "bootstrapper-name" . }}
+ labels:
+ {{- include "labelsBootstrapper" . | nindent 4 }}
+rules:
+ - apiGroups: [""]
+ resources: ["events"]
+ verbs: ["create", "update", "patch", "delete"]
+ - apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["watch", "list"]
+ - apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["get", "update", "patch"]
+ resourceNames:
+ - uxp-ca
+ - upbound-agent-public-certs
+ - upbound-agent-tls
+ - xgql-tls
+ - {{ .Values.upbound.controlPlane.tokenSecretName }}
+ {{- if .Values.billing.awsMarketplace.enabled }}
+ - upbound-entitlement
+ {{- end}}
+ - apiGroups: ["apps"]
+ resources: ["deployments"]
+ verbs: ["create", "update", "watch", "list"]
diff --git a/charts/universal-crossplane/universal-crossplane/1.2.300200/templates/bootstrapper/rolebinding.yaml b/charts/universal-crossplane/universal-crossplane/1.2.300200/templates/bootstrapper/rolebinding.yaml
new file mode 100644
index 000000000..aa41bb33a
--- /dev/null
+++ b/charts/universal-crossplane/universal-crossplane/1.2.300200/templates/bootstrapper/rolebinding.yaml
@@ -0,0 +1,14 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ template "bootstrapper-name" . }}
+ labels:
+ {{- include "labelsBootstrapper" . | nindent 4 }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ template "bootstrapper-name" . }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ template "bootstrapper-name" . }}
+ namespace: {{ .Release.Namespace }}
\ No newline at end of file
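Review bot: The second rule in `role.yaml` grants `watch` and `list` on `secrets` with no `resourceNames`, which undoes most of the name allow-list on the rule that follows: list and watch responses carry full Secret objects, so the bootstrapper service account can read every Secret in the release namespace, not only the ones it is meant to manage. RBAC honours `resourceNames` for list/watch only when the client sends a matching `metadata.name` field selector, so narrowing this would need a change in how the controller builds its cache, which is worth checking with the bootstrapper code. At minimum record the exposure next to the rule, e.g. `# list/watch cannot be limited by name: this exposes all Secrets in the release namespace to the bootstrapper`.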
diff --git a/charts/universal-crossplane/universal-crossplane/1.2.300200/templates/bootstrapper/secret-entitlement.yaml b/charts/universal-crossplane/universal-crossplane/1.2.300200/templates/bootstrapper/secret-entitlement.yaml
new file mode 100644
index 000000000..7e311b629
--- /dev/null
+++ b/charts/universal-crossplane/universal-crossplane/1.2.300200/templates/bootstrapper/secret-entitlement.yaml
@@ -0,0 +1,9 @@
+{{- if .Values.billing.awsMarketplace.enabled }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: upbound-entitlement
+ labels:
+ {{- include "labelsBootstrapper" . | nindent 4 }}
+type: Opaque
+{{- end }}
\ No newline at end of file
diff --git a/charts/universal-crossplane/universal-crossplane/1.2.300200/templates/bootstrapper/serviceaccount.yaml b/charts/universal-crossplane/universal-crossplane/1.2.300200/templates/bootstrapper/serviceaccount.yaml
new file mode 100644
index 000000000..1768272a3
--- /dev/null
+++ b/charts/universal-crossplane/universal-crossplane/1.2.300200/templates/bootstrapper/serviceaccount.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ template "bootstrapper-name" . }}
+ {{- if and .Values.billing.awsMarketplace.enabled .Values.billing.awsMarketplace.iamRoleARN }}
+ annotations:
+ eks.amazonaws.com/role-arn: {{ .Values.billing.awsMarketplace.iamRoleARN | quote }}
+ {{- end }}
+ labels:
+ {{- include "labelsBootstrapper" . | nindent 4 }}
\ No newline at end of file
diff --git a/charts/universal-crossplane/universal-crossplane/1.2.300200/templates/bootstrapper/uxp-ca-tls-secret.yaml b/charts/universal-crossplane/universal-crossplane/1.2.300200/templates/bootstrapper/uxp-ca-tls-secret.yaml
new file mode 100644
index 000000000..07163971e
--- /dev/null
+++ b/charts/universal-crossplane/universal-crossplane/1.2.300200/templates/bootstrapper/uxp-ca-tls-secret.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: uxp-ca
+ labels:
+ {{- include "labels" . | nindent 4 }}
+type: Opaque
diff --git a/charts/universal-crossplane/universal-crossplane/1.2.300200/templates/bootstrapper/versions-configmap.yaml b/charts/universal-crossplane/universal-crossplane/1.2.300200/templates/bootstrapper/versions-configmap.yaml
new file mode 100644
index 000000000..008b62988
--- /dev/null
+++ b/charts/universal-crossplane/universal-crossplane/1.2.300200/templates/bootstrapper/versions-configmap.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: universal-crossplane-config
+ labels:
+ {{- include "labelsBootstrapper" . | nindent 4 }}
+data:
+ crossplaneVersion: {{ (trimPrefix "v" .Values.image.tag) }}
+ xgqlVersion: {{ (trimPrefix "v" .Values.xgql.image.tag) }}
+ agentVersion: {{ (trimPrefix "v" .Values.agent.image.tag) }}
+ uxpVersion: {{ .Chart.Version }}
\ No newline at end of file
diff --git a/charts/universal-crossplane/universal-crossplane/1.2.300200/templates/crossplane/NOTES.txt b/charts/universal-crossplane/universal-crossplane/1.2.300200/templates/crossplane/NOTES.txt
new file mode 100644
index 000000000..f1c8a0c63
--- /dev/null
+++ b/charts/universal-crossplane/universal-crossplane/1.2.300200/templates/crossplane/NOTES.txt
@@ -0,0 +1,8 @@
+Release: {{.Release.Name}}
+
+Chart Name: {{.Chart.Name}}
+Chart Description: {{.Chart.Description}}
+Chart Version: {{.Chart.Version}}
+Chart Application Version: {{.Chart.AppVersion}}
+
+Kube Version: {{.Capabilities.KubeVersion}}
diff --git a/charts/universal-crossplane/universal-crossplane/1.2.300200/templates/crossplane/_helpers.tpl b/charts/universal-crossplane/universal-crossplane/1.2.300200/templates/crossplane/_helpers.tpl
new file mode 100644
index 000000000..921e9df26
--- /dev/null
+++ b/charts/universal-crossplane/universal-crossplane/1.2.300200/templates/crossplane/_helpers.tpl
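Review bot: The four values under `data` in `versions-configmap.yaml` are rendered unquoted, but ConfigMap `data` values must be strings; an image tag that YAML reads as a number (for example `1.2`) or an empty tag would make the manifest fail validation at install time. Quote them in the template, e.g. `crossplaneVersion: {{ trimPrefix "v" .Values.image.tag | quote }}`, and do the same for `xgqlVersion`, `agentVersion` and `uxpVersion`.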
@@ -0,0 +1,14 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
diff --git a/charts/universal-crossplane/universal-crossplane/1.2.300200/templates/crossplane/clusterrole.yaml b/charts/universal-crossplane/universal-crossplane/1.2.300200/templates/crossplane/clusterrole.yaml
new file mode 100644
index 000000000..8a6b573cc
--- /dev/null
+++ b/charts/universal-crossplane/universal-crossplane/1.2.300200/templates/crossplane/clusterrole.yaml
@@ -0,0 +1,93 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ template "name" . }}
+ labels:
+ app: {{ template "name" . }}
+ chart: {{ template "chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+aggregationRule:
+ clusterRoleSelectors:
+ - matchLabels:
+ rbac.crossplane.io/aggregate-to-crossplane: "true"
+rules: []
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ template "name" . }}:system:aggregate-to-crossplane
+ labels:
+ app: {{ template "name" . }}
+ chart: {{ template "chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+ crossplane.io/scope: "system"
+ rbac.crossplane.io/aggregate-to-crossplane: "true"
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - create
+ - update
+ - patch
+ - delete
+- apiGroups:
+ - apiextensions.k8s.io
+ resources:
+ - customresourcedefinitions
+ verbs:
+ - "*"
+- apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+- apiGroups:
+ - ""
+ resources:
+ - serviceaccounts
+ verbs:
+ - "*"
+- apiGroups:
+ - apiextensions.crossplane.io
+ - pkg.crossplane.io
+ resources:
+ - "*"
+ verbs:
+ - "*"
+- apiGroups:
+ - extensions
+ - apps
+ resources:
+ - deployments
+ verbs:
+ - get
+ - list
+ - create
+ - update
+ - patch
+ - delete
+ - watch
+- apiGroups:
+ - ""
+ - coordination.k8s.io
+ resources:
+ - configmaps
+ - leases
+ verbs:
+ - get
+ - list
+ - create
+ - update
+ - patch
+ - watch
+ - delete
diff --git a/charts/universal-crossplane/universal-crossplane/1.2.300200/templates/crossplane/clusterrolebinding.yaml b/charts/universal-crossplane/universal-crossplane/1.2.300200/templates/crossplane/clusterrolebinding.yaml
new file mode 100644
index 000000000..d0fb877c2
--- /dev/null
+++ b/charts/universal-crossplane/universal-crossplane/1.2.300200/templates/crossplane/clusterrolebinding.yaml
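Review bot: In the `system:aggregate-to-crossplane` ClusterRole the rule for `serviceaccounts` uses `verbs: ["*"]`, and on that resource the wildcard also covers `impersonate`, so once this role is aggregated and bound cluster-wide the crossplane service account may act as any ServiceAccount in any namespace. Nothing visible in this commit shows the controller needing that; listing the verbs explicitly keeps the grant to object management, e.g. `verbs: [get, list, watch, create, update, patch, delete]`, trimmed further if the controller needs less. The same explicit-verb treatment would suit the `customresourcedefinitions` rule, where `"*"` also admits `deletecollection`.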
@@ -0,0 +1,17 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ template "name" . }}
+ labels:
+ app: {{ template "name" . }}
+ chart: {{ template "chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ template "name" . }}
+subjects:
+- kind: ServiceAccount
+ name: {{ template "name" . }}
+ namespace: {{ .Release.Namespace }}
diff --git a/charts/universal-crossplane/universal-crossplane/1.2.300200/templates/crossplane/deployment.yaml b/charts/universal-crossplane/universal-crossplane/1.2.300200/templates/crossplane/deployment.yaml
new file mode 100644
index 000000000..b51ab99ad
--- /dev/null
+++ b/charts/universal-crossplane/universal-crossplane/1.2.300200/templates/crossplane/deployment.yaml
@@ -0,0 +1,104 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "name" . }} + labels: + app: {{ template "name" . }} + chart: {{ template "chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + replicas: {{ .Values.replicas }} + selector: + matchLabels: + app: {{ template "name" . }} + release: {{ .Release.Name }} + strategy: + type: {{ .Values.deploymentStrategy }} + template: + metadata: + {{- if .Values.metrics.enabled }} + annotations: + prometheus.io/path: /metrics + prometheus.io/port: "8080" + prometheus.io/scrape: "true" + {{- end }} + labels: + app: {{ template "name" . }} + release: {{ .Release.Name }} + spec: + {{- if .Values.priorityClassName }} + priorityClassName: {{ .Values.priorityClassName | quote }} + {{- end }} + serviceAccountName: {{ template "name" . }} + initContainers: + - image: {{ .Values.image.repository }}:{{ .Values.image.tag }} + args: + - core + - init + {{- range $arg := .Values.provider.packages }} + - --provider + - "{{ $arg }}" + {{- end }} + {{- range $arg := .Values.configuration.packages }} + - --configuration + - "{{ $arg }}" + {{- end }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + name: {{ .Chart.Name }}-init + resources: + {{- toYaml .Values.resourcesCrossplane | nindent 12 }} + securityContext: + {{- toYaml .Values.securityContextCrossplane | nindent 12 }} + containers: + - image: {{ .Values.image.repository }}:{{ .Values.image.tag }} + args: + - core + - start + {{- range $arg := .Values.args }} + - {{ $arg }} + {{- end }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + name: {{ .Chart.Name }} + resources: + {{- toYaml .Values.resourcesCrossplane | nindent 12 }} + {{- if .Values.metrics.enabled }} + ports: + - name: metrics + containerPort: 8080 + {{- end }} + securityContext: + {{- toYaml .Values.securityContextCrossplane | nindent 12 }} + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: LEADER_ELECTION + 
value: "{{ .Values.leaderElection }}" + {{- range $key, $value := .Values.extraEnvVarsCrossplane }} + - name: {{ $key | replace "." "_" }} + value: {{ $value | quote }} + {{- end}} + volumeMounts: + - mountPath: /cache + name: package-cache + volumes: + - name: package-cache + {{- if .Values.packageCache.pvc }} + persistentVolumeClaim: + claimName: {{ .Values.packageCache.pvc }} + {{- else }} + emptyDir: + medium: {{ .Values.packageCache.medium }} + sizeLimit: {{ .Values.packageCache.sizeLimit }} + {{- end }} + {{- if .Values.nodeSelector }} + nodeSelector: {{ toYaml .Values.nodeSelector | nindent 8 }} + {{- end }} + {{- if .Values.tolerations }} + tolerations: {{ toYaml .Values.tolerations | nindent 8 }} + {{- end }} + {{- if .Values.affinity }} + affinity: {{ toYaml .Values.affinity | nindent 8 }} + {{- end }} \ No newline at end of file diff --git a/charts/universal-crossplane/universal-crossplane/1.2.300200/templates/crossplane/rbac-manager-allowed-provider-permissions.yaml b/charts/universal-crossplane/universal-crossplane/1.2.300200/templates/crossplane/rbac-manager-allowed-provider-permissions.yaml new file mode 100644 index 000000000..3b6ce2270 --- /dev/null +++ b/charts/universal-crossplane/universal-crossplane/1.2.300200/templates/crossplane/rbac-manager-allowed-provider-permissions.yaml @@ -0,0 +1,16 @@ +{{- if .Values.rbacManager.deploy }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "name" . }}:allowed-provider-permissions + labels: + app: {{ template "name" . }} + chart: {{ template "chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +aggregationRule: + clusterRoleSelectors: + - matchLabels: + rbac.crossplane.io/aggregate-to-allowed-provider-permissions: "true" +{{- end}} \ No newline at end of file 
diff --git a/charts/universal-crossplane/universal-crossplane/1.2.300200/templates/crossplane/rbac-manager-clusterrole.yaml b/charts/universal-crossplane/universal-crossplane/1.2.300200/templates/crossplane/rbac-manager-clusterrole.yaml
new file mode 100644
index 000000000..de8478697
--- /dev/null
+++ b/charts/universal-crossplane/universal-crossplane/1.2.300200/templates/crossplane/rbac-manager-clusterrole.yaml
@@ -0,0 +1,94 @@
+{{- if .Values.rbacManager.deploy }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ template "name" . }}-rbac-manager
+ labels:
+ app: {{ template "name" . }}
+ chart: {{ template "chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - create
+ - update
+ - patch
+ - delete
+- apiGroups:
+ - ""
+ resources:
+ - namespaces
+ - serviceaccounts
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - apiextensions.crossplane.io
+ resources:
+ - compositeresourcedefinitions
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - pkg.crossplane.io
+ resources:
+ - providerrevisions
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - apiextensions.k8s.io
+ resources:
+ - customresourcedefinitions
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - rbac.authorization.k8s.io
+ resources:
+ - clusterroles
+ - roles
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ # The RBAC manager may grant access it does not have.
+ - escalate
+- apiGroups:
+ - rbac.authorization.k8s.io
+ resources:
+ - clusterroles
+ verbs:
+ - bind
+- apiGroups:
+ - rbac.authorization.k8s.io
+ resources:
+ - clusterrolebindings
+ verbs:
+ - "*"
+- apiGroups:
+ - ""
+ - coordination.k8s.io
+ resources:
+ - configmaps
+ - leases
+ verbs:
+ - get
+ - list
+ - create
+ - update
+ - patch
+ - watch
+ - delete
+{{- end}}
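Review bot: The `bind` rule on `clusterroles` has no `resourceNames`, and together with `"*"` on `clusterrolebindings` it lets the `rbac-manager` service account bind any existing ClusterRole, `cluster-admin` included, to any subject; the existing comment explains `escalate` but not this. If the roles the manager binds cannot be enumerated up front, state the consequence in the template, e.g. `# bind is unrestricted: this service account is equivalent to cluster-admin`, and replace `"*"` on `clusterrolebindings` with the verbs the manager actually uses. Operators can then handle that ServiceAccount's token as a cluster-admin credential and alert from the audit log on bindings it creates to roles it did not itself create.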
diff --git a/charts/universal-crossplane/universal-crossplane/1.2.300200/templates/crossplane/rbac-manager-clusterrolebinding.yaml b/charts/universal-crossplane/universal-crossplane/1.2.300200/templates/crossplane/rbac-manager-clusterrolebinding.yaml
new file mode 100644
index 000000000..bda467f24
--- /dev/null
+++ b/charts/universal-crossplane/universal-crossplane/1.2.300200/templates/crossplane/rbac-manager-clusterrolebinding.yaml
@@ -0,0 +1,19 @@
+{{- if .Values.rbacManager.deploy }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ template "name" . }}-rbac-manager
+ labels:
+ app: {{ template "name" . }}
+ chart: {{ template "chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ template "name" . }}-rbac-manager
+subjects:
+- kind: ServiceAccount
+ name: rbac-manager
+ namespace: {{ .Release.Namespace }}
+{{- end}}
\ No newline at end of file
diff --git a/charts/universal-crossplane/universal-crossplane/1.2.300200/templates/crossplane/rbac-manager-deployment.yaml b/charts/universal-crossplane/universal-crossplane/1.2.300200/templates/crossplane/rbac-manager-deployment.yaml
new file mode 100644
index 000000000..110a5285d
--- /dev/null
+++ b/charts/universal-crossplane/universal-crossplane/1.2.300200/templates/crossplane/rbac-manager-deployment.yaml
@@ -0,0 +1,85 @@ +{{- if .Values.rbacManager.deploy }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "name" . }}-rbac-manager + labels: + app: {{ template "name" . }}-rbac-manager + chart: {{ template "chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + replicas: {{ .Values.rbacManager.replicas }} + selector: + matchLabels: + app: {{ template "name" . }}-rbac-manager + release: {{ .Release.Name }} + strategy: + type: {{ .Values.deploymentStrategy }} + template: + metadata: + {{- if .Values.metrics.enabled }} + annotations: + prometheus.io/path: /metrics + prometheus.io/port: "8080" + prometheus.io/scrape: "true" + {{- end }} + labels: + app: {{ template "name" . }}-rbac-manager + release: {{ .Release.Name }} + spec: + {{- if .Values.priorityClassName }} + priorityClassName: {{ .Values.priorityClassName | quote }} + {{- end }} + serviceAccountName: rbac-manager + initContainers: + - image: {{ .Values.image.repository }}:{{ .Values.image.tag }} + args: + - rbac + - init + imagePullPolicy: {{ .Values.image.pullPolicy }} + name: {{ .Chart.Name }}-init + resources: + {{- toYaml .Values.resourcesRBACManager | nindent 12 }} + securityContext: + {{- toYaml .Values.securityContextRBACManager | nindent 12 }} + containers: + - image: {{ .Values.image.repository }}:{{ .Values.image.tag }} + args: + - rbac + - start + {{- if .Values.rbacManager.managementPolicy }} + - --manage={{ .Values.rbacManager.managementPolicy }} + {{- end }} + {{- range $arg := .Values.rbacManager.args }} + - {{ $arg }} + {{- end }} + - --provider-clusterrole={{ template "name" .}}:allowed-provider-permissions + imagePullPolicy: {{ .Values.image.pullPolicy }} + name: {{ .Chart.Name }} + resources: + {{- toYaml .Values.resourcesRBACManager | nindent 12 }} + {{- if .Values.metrics.enabled }} + ports: + - name: metrics + containerPort: 8080 + {{- end }} + securityContext: + {{- toYaml .Values.securityContextRBACManager | nindent 12 }} + env: + - 
name: LEADER_ELECTION + value: "{{ .Values.rbacManager.leaderElection }}" + {{- range $key, $value := .Values.extraEnvVarsRBACManager }} + - name: {{ $key | replace "." "_" }} + value: {{ $value | quote }} + {{- end}} + {{- if .Values.rbacManager.nodeSelector }} + nodeSelector: {{ toYaml .Values.rbacManager.nodeSelector | nindent 8 }} + {{- end }} + {{- if .Values.rbacManager.tolerations }} + tolerations: {{ toYaml .Values.rbacManager.tolerations | nindent 8 }} + {{- end }} + {{- if .Values.rbacManager.affinity }} + affinity: {{ toYaml .Values.rbacManager.affinity | nindent 8 }} + {{- end }} +{{- end}} diff --git a/charts/universal-crossplane/universal-crossplane/1.2.300200/templates/crossplane/rbac-manager-managed-clusterroles.yaml b/charts/universal-crossplane/universal-crossplane/1.2.300200/templates/crossplane/rbac-manager-managed-clusterroles.yaml new file mode 100644 index 000000000..3d41fb9b5 --- /dev/null +++ b/charts/universal-crossplane/universal-crossplane/1.2.300200/templates/crossplane/rbac-manager-managed-clusterroles.yaml 
@@ -0,0 +1,279 @@ +{{- if .Values.rbacManager.deploy }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "name" . }}-admin +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "name" . }}-admin +subjects: +- apiGroup: rbac.authorization.k8s.io + kind: Group + name: {{ template "name" . }}:masters +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "name" . }}-admin + labels: + app: {{ template "name" . }} + chart: {{ template "chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +aggregationRule: + clusterRoleSelectors: + - matchLabels: + rbac.crossplane.io/aggregate-to-admin: "true" +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "name" . }}-edit + labels: + app: {{ template "name" . }} + chart: {{ template "chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +aggregationRule: + clusterRoleSelectors: + - matchLabels: + rbac.crossplane.io/aggregate-to-edit: "true" +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "name" . }}-view + labels: + app: {{ template "name" . }} + chart: {{ template "chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +aggregationRule: + clusterRoleSelectors: + - matchLabels: + rbac.crossplane.io/aggregate-to-view: "true" +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "name" . }}-browse + labels: + app: {{ template "name" . }} + chart: {{ template "chart" . 
}} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +aggregationRule: + clusterRoleSelectors: + - matchLabels: + rbac.crossplane.io/aggregate-to-browse: "true" +{{- if not .Values.rbacManager.skipAggregatedClusterRoles }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "name" . }}:aggregate-to-admin + labels: + rbac.crossplane.io/aggregate-to-admin: "true" + app: {{ template "name" . }} + chart: {{ template "chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +rules: +# Crossplane administrators have access to view events. +- apiGroups: [""] + resources: [events] + verbs: [get, list, watch] +# Crossplane administrators must create provider credential secrets, and may +# need to read or otherwise interact with connection secrets. They may also need +# to create or annotate namespaces. +- apiGroups: [""] + resources: [secrets, namespaces] + verbs: ["*"] +# Crossplane administrators have access to view the roles that they may be able +# to grant to other subjects. +- apiGroups: [rbac.authorization.k8s.io] + resources: [clusterroles, roles] + verbs: [get, list, watch] +# Crossplane administrators have access to grant the access they have to other +# subjects. +- apiGroups: [rbac.authorization.k8s.io] + resources: [clusterrolebindings, rolebindings] + verbs: ["*"] +# Crossplane administrators have full access to built in Crossplane types. +- apiGroups: + - apiextensions.crossplane.io + resources: ["*"] + verbs: ["*"] +- apiGroups: + - pkg.crossplane.io + resources: [providers, configurations, providerrevisions, configurationrevisions] + verbs: ["*"] +# Crossplane administrators have access to view CRDs in order to debug XRDs. +- apiGroups: [apiextensions.k8s.io] + resources: [customresourcedefinitions] + verbs: [get, list, watch] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "name" . 
}}:aggregate-to-edit + labels: + rbac.crossplane.io/aggregate-to-edit: "true" + app: {{ template "name" . }} + chart: {{ template "chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +rules: +# Crossplane editors have access to view events. +- apiGroups: [""] + resources: [events] + verbs: [get, list, watch] +# Crossplane editors must create provider credential secrets, and may need to +# read or otherwise interact with connection secrets. +- apiGroups: [""] + resources: [secrets] + verbs: ["*"] +# Crossplane editors may see which namespaces exist, but not edit them. +- apiGroups: [""] + resources: [namespaces] + verbs: [get, list, watch] +# Crossplane editors have full access to built in Crossplane types. +- apiGroups: + - apiextensions.crossplane.io + resources: ["*"] + verbs: ["*"] +- apiGroups: + - pkg.crossplane.io + resources: [providers, configurations, providerrevisions, configurationrevisions] + verbs: ["*"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "name" . }}:aggregate-to-view + labels: + rbac.crossplane.io/aggregate-to-view: "true" + app: {{ template "name" . }} + chart: {{ template "chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +rules: +# Crossplane viewers have access to view events. +- apiGroups: [""] + resources: [events] + verbs: [get, list, watch] +# Crossplane viewers may see which namespaces exist. +- apiGroups: [""] + resources: [namespaces] + verbs: [get, list, watch] +# Crossplane viewers have read-only access to built in Crossplane types. +- apiGroups: + - apiextensions.crossplane.io + resources: ["*"] + verbs: [get, list, watch] +- apiGroups: + - pkg.crossplane.io + resources: [providers, configurations, providerrevisions, configurationrevisions] + verbs: [get, list, watch] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "name" . 
}}:aggregate-to-browse + labels: + rbac.crossplane.io/aggregate-to-browse: "true" + app: {{ template "name" . }} + chart: {{ template "chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +rules: +# Crossplane browsers have access to view events. +- apiGroups: [""] + resources: [events] + verbs: [get, list, watch] +# Crossplane browsers have read-only access to compositions and XRDs. This +# allows them to discover and select an appropriate composition when creating a +# resource claim. +- apiGroups: + - apiextensions.crossplane.io + resources: ["*"] + verbs: [get, list, watch] +{{- if .Values.rbacManager.managementPolicy }} +--- +# The below ClusterRoles are aggregated to the namespaced RBAC roles created by +# the Crossplane RBAC manager when it is running in --manage=All mode. +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "name" . }}:aggregate-to-ns-admin + labels: + rbac.crossplane.io/aggregate-to-ns-admin: "true" + rbac.crossplane.io/base-of-ns-admin: "true" + app: {{ template "name" . }} + chart: {{ template "chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +rules: +# Crossplane namespace admins have access to view events. +- apiGroups: [""] + resources: [events] + verbs: [get, list, watch] +# Crossplane namespace admins may need to read or otherwise interact with +# resource claim connection secrets. +- apiGroups: [""] + resources: [secrets] + verbs: ["*"] +# Crossplane namespace admins have access to view the roles that they may be +# able to grant to other subjects. +- apiGroups: [rbac.authorization.k8s.io] + resources: [roles] + verbs: [get, list, watch] +# Crossplane namespace admins have access to grant the access they have to other +# subjects. +- apiGroups: [rbac.authorization.k8s.io] + resources: [rolebindings] + verbs: ["*"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "name" . 
}}:aggregate-to-ns-edit + labels: + rbac.crossplane.io/aggregate-to-ns-edit: "true" + rbac.crossplane.io/base-of-ns-edit: "true" + app: {{ template "name" . }} + chart: {{ template "chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +rules: +# Crossplane namespace editors have access to view events. +- apiGroups: [""] + resources: [events] + verbs: [get, list, watch] +# Crossplane namespace editors may need to read or otherwise interact with +# resource claim connection secrets. +- apiGroups: [""] + resources: [secrets] + verbs: ["*"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "name" . }}:aggregate-to-ns-view + labels: + rbac.crossplane.io/aggregate-to-ns-view: "true" + rbac.crossplane.io/base-of-ns-view: "true" + app: {{ template "name" . }} + chart: {{ template "chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +rules: +# Crossplane namespace viewers have access to view events. +- apiGroups: [""] + resources: [events] + verbs: [get, list, watch] +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/universal-crossplane/universal-crossplane/1.2.300200/templates/crossplane/rbac-manager-serviceaccount.yaml b/charts/universal-crossplane/universal-crossplane/1.2.300200/templates/crossplane/rbac-manager-serviceaccount.yaml new file mode 100644 index 000000000..dfefe4050 --- /dev/null +++ b/charts/universal-crossplane/universal-crossplane/1.2.300200/templates/crossplane/rbac-manager-serviceaccount.yaml @@ -0,0 +1,11 @@ +{{- if .Values.rbacManager.deploy }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: rbac-manager + labels: + app: {{ template "name" . }} + chart: {{ template "chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +{{- end}} \ No newline at end of file 
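Review bot: The `aggregate-to-admin` and `aggregate-to-edit` rules in `rbac-manager-managed-clusterroles.yaml` give `verbs: ["*"]` on `secrets`, while their comments justify only creating provider credential secrets and reading connection secrets. Because the `-admin` ClusterRole is bound by the ClusterRoleBinding at the top of this hunk to the group `{{ template "name" . }}:masters`, anyone an authenticator places in that group can read and delete every Secret in every namespace. Narrow the verb list to what the comments describe, e.g. `verbs: [get, list, watch, create, update, patch]` if delete is not needed, and add a comment on the binding saying that membership of the group carries cluster-wide Secret access.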
diff --git a/charts/universal-crossplane/universal-crossplane/1.2.300200/templates/crossplane/serviceaccount.yaml b/charts/universal-crossplane/universal-crossplane/1.2.300200/templates/crossplane/serviceaccount.yaml
new file mode 100644
index 000000000..d3d47223c
--- /dev/null
+++ b/charts/universal-crossplane/universal-crossplane/1.2.300200/templates/crossplane/serviceaccount.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ template "name" . }}
+ labels:
+ app: {{ template "name" . }}
+ chart: {{ template "chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+{{- if .Values.imagePullSecrets }}
+imagePullSecrets:
+{{- range $index, $secret := .Values.imagePullSecrets }}
+- name: {{ $secret }}
+{{- end }}
+{{ end }}
diff --git a/charts/universal-crossplane/universal-crossplane/1.2.300200/templates/upbound-agent/_deployment-spec.tpl b/charts/universal-crossplane/universal-crossplane/1.2.300200/templates/upbound-agent/_deployment-spec.tpl
new file mode 100644
index 000000000..938ba5ddd
--- /dev/null
+++ b/charts/universal-crossplane/universal-crossplane/1.2.300200/templates/upbound-agent/_deployment-spec.tpl
@@ -0,0 +1,83 @@
+{{- define "agent-spec" -}}
+replicas: 1
+selector:
+ matchLabels:
+ {{- include "selectorLabelsAgent" . | nindent 8 }}
+template:
+ metadata:
+ labels:
+ {{- include "selectorLabelsAgent" . | nindent 10 }}
+ spec:
+ serviceAccountName: {{ template "agent-name" . }}
+ {{- if .Values.imagePullSecrets }}
+ imagePullSecrets:
+ {{- range $index, $secret := .Values.imagePullSecrets }}
+ - name: {{ $secret }}
+ {{- end }}
+ {{ end }}
+ containers:
+ - name: agent
+ image: "{{ .Values.agent.image.repository }}:{{ .Values.agent.image.tag }}"
+ args:
+ - agent
+ - --tls-cert-file
+ - /etc/certs/upbound-agent/tls.crt
+ - --tls-key-file
+ - /etc/certs/upbound-agent/tls.key
+ - --xgql-ca-bundle-file
+ - /etc/certs/upbound-agent/ca.crt
+ - --nats-endpoint
+ - nats://{{ .Values.upbound.connectHost }}:{{ .Values.upbound.connectPort | default "443" }}
+ - --upbound-api-endpoint
+ - {{ .Values.upbound.apiURL }}
+ {{- if .Values.agent.config.debugMode }}
+ - "--debug"
+ {{- end }}
+ {{- range $arg := .Values.agent.config.args }}
+ - {{ $arg }}
+ {{- end }}
+ env:
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ - name: CONTROL_PLANE_TOKEN
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.upbound.controlPlane.tokenSecretName }}
+ key: token
+ imagePullPolicy: {{ .Values.agent.image.pullPolicy }}
+ ports:
+ - name: agent
+ containerPort: 6443
+ protocol: TCP
+ resources:
+ {{- toYaml .Values.agent.resources | nindent 14 }}
+ readinessProbe:
+ httpGet:
+ scheme: HTTPS
+ path: /readyz
+ port: 6443
+ initialDelaySeconds: 5
+ timeoutSeconds: 5
+ periodSeconds: 5
+ failureThreshold: 3
+ livenessProbe:
+ httpGet:
+ scheme: HTTPS
+ path: /livez
+ port: 6443
+ initialDelaySeconds: 10
+ timeoutSeconds: 5
+ periodSeconds: 30
+ failureThreshold: 5
+ volumeMounts:
+ - mountPath: /etc/certs/upbound-agent
+ name: certs
+ readOnly: true
+ volumes:
+ - name: certs
+ secret:
+ defaultMode: 420
+ secretName: upbound-agent-tls
+{{- end }}
\ No newline at end of
file
diff --git a/charts/universal-crossplane/universal-crossplane/1.2.300200/templates/upbound-agent/_helpers.tpl b/charts/universal-crossplane/universal-crossplane/1.2.300200/templates/upbound-agent/_helpers.tpl
new file mode 100644
index 000000000..4db04bfaa
--- /dev/null
+++ b/charts/universal-crossplane/universal-crossplane/1.2.300200/templates/upbound-agent/_helpers.tpl
@@ -0,0 +1,22 @@
+{{/* vim: set filetype=mustache: */}}
+
+{{- define "agent-name" -}}
+{{- "upbound-agent" -}}
+{{- end -}}
+
+{{/*
+Labels - agent
+*/}}
+{{- define "labelsAgent" -}}
+{{ include "labels" . }}
+app.kubernetes.io/component: agent
+{{- end }}
+
+{{/*
+Selector labels - agent
+*/}}
+{{- define "selectorLabelsAgent" -}}
+{{ include "selectorLabels" . }}
+app.kubernetes.io/component: agent
+{{- end }}
+
diff --git a/charts/universal-crossplane/universal-crossplane/1.2.300200/templates/upbound-agent/clusterrole.yaml b/charts/universal-crossplane/universal-crossplane/1.2.300200/templates/upbound-agent/clusterrole.yaml
new file mode 100644
index 000000000..9dc24441e
--- /dev/null
+++ b/charts/universal-crossplane/universal-crossplane/1.2.300200/templates/upbound-agent/clusterrole.yaml
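Review bot: The `agent` container in the `agent-spec` template is declared without a `securityContext`, so it runs with whatever user and privilege defaults the image and the cluster provide while holding `CONTROL_PLANE_TOKEN` and the TLS key mounted at /etc/certs/upbound-agent. The chart's values.yaml defines `securityContextCrossplane` and `securityContextRBACManager` with `runAsUser: 65532`, `allowPrivilegeEscalation: false` and `readOnlyRootFilesystem: true`, but has no equivalent for the agent. I would add the same block to this container, starting with `securityContext:` / `allowPrivilegeEscalation: false`, and enable the read-only root filesystem once it is confirmed the agent does not write to disk. The xgql container in templates/xgql/deployment.yaml has the same gap.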
@@ -0,0 +1,40 @@
+{{- if or (eq .Values.upbound.controlPlane.permission "view") (eq .Values.upbound.controlPlane.permission "edit") }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ template "agent-name" . }}
+ labels:
+ {{- include "labelsAgent" . | nindent 4 }}
+rules:
+ - apiGroups: [""]
+ resources: ["namespaces"]
+ resourceNames: ["kube-system"]
+ verbs: ["get"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ template "agent-name" . }}-impersonator
+ labels:
+ {{- include "labelsAgent" . | nindent 4 }}
+rules:
+ - apiGroups: [""]
+ resources: ["users"]
+ verbs: ["impersonate"]
+ resourceNames: ["upbound-cloud-impersonator"]
+ - apiGroups: ["authentication.k8s.io"]
+ resources: ["userextras/upbound-id"]
+ verbs: ["impersonate"]
+ - apiGroups: [""]
+ resources: ["groups"]
+ resourceNames:
+ # system:authenticated is required for calls to discovery API. Some Kubernetes
+ # clients like kubectl use it to figure out exactly which endpoints to call
+ # for given arguments.
+ - "system:authenticated"
+ - "upbound:view"
+{{- if eq .Values.upbound.controlPlane.permission "edit" }}
+ - "upbound:edit"
+{{- end }}
+ verbs: ["impersonate"]
+{{- end }}
\ No newline at end of file
diff --git a/charts/universal-crossplane/universal-crossplane/1.2.300200/templates/upbound-agent/clusterrolebindings-managed.yaml b/charts/universal-crossplane/universal-crossplane/1.2.300200/templates/upbound-agent/clusterrolebindings-managed.yaml
new file mode 100644
index 000000000..66e157620
--- /dev/null
+++ b/charts/universal-crossplane/universal-crossplane/1.2.300200/templates/upbound-agent/clusterrolebindings-managed.yaml
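Review bot: In the `-impersonator` ClusterRole, the `userextras/upbound-id` rule carries no `resourceNames`, unlike the `users` and `groups` rules next to it, so the agent's ServiceAccount may attach any value for that extra to an impersonated request. If that is intentional because the IDs cannot be enumerated, it deserves a comment like the one on `system:authenticated`, for example `# upbound-id values are per-user and cannot be listed here; audit consumers must treat the value as asserted by the agent`. It is also worth stating in the file that the holder of this ServiceAccount's credentials can act as `upbound:view` or `upbound:edit`, since those are the groups the bindings elsewhere in this commit grant rights to.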
@@ -0,0 +1,34 @@
+{{- if or (eq .Values.upbound.controlPlane.permission "view") (eq .Values.upbound.controlPlane.permission "edit") }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ template "name" . }}-view
+ labels:
+ {{- include "labelsAgent" . | nindent 4 }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ template "name" . }}-view
+subjects:
+ - apiGroup: rbac.authorization.k8s.io
+ kind: Group
+ name: upbound:view
+{{- if eq .Values.upbound.controlPlane.permission "edit" }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ template "name" . }}-edit
+ labels:
+ {{- include "labelsAgent" . | nindent 4 }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ template "name" . }}-edit
+subjects:
+ - apiGroup: rbac.authorization.k8s.io
+ kind: Group
+ name: upbound:edit
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/universal-crossplane/universal-crossplane/1.2.300200/templates/upbound-agent/clusterrolebindings.yaml b/charts/universal-crossplane/universal-crossplane/1.2.300200/templates/upbound-agent/clusterrolebindings.yaml
new file mode 100644
index 000000000..ec99faf43
--- /dev/null
+++ b/charts/universal-crossplane/universal-crossplane/1.2.300200/templates/upbound-agent/clusterrolebindings.yaml
@@ -0,0 +1,31 @@
+{{- if or (eq .Values.upbound.controlPlane.permission "view") (eq .Values.upbound.controlPlane.permission "edit") }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ template "agent-name" . }}
+ labels:
+ {{- include "labelsAgent" . | nindent 4 }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ template "agent-name" . }}
+subjects:
+- kind: ServiceAccount
+ name: {{ template "agent-name" . }}
+ namespace: {{ .Release.Namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ template "agent-name" . }}-impersonator
+ labels:
+ {{- include "labelsAgent" . | nindent 4 }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ template "agent-name" . }}-impersonator
+subjects:
+ - kind: ServiceAccount
+ name: {{ template "agent-name" . }}
+ namespace: {{ .Release.Namespace }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/universal-crossplane/universal-crossplane/1.2.300200/templates/upbound-agent/clusterroles-managed.yaml b/charts/universal-crossplane/universal-crossplane/1.2.300200/templates/upbound-agent/clusterroles-managed.yaml
new file mode 100644
index 000000000..fcca427a0
--- /dev/null
+++ b/charts/universal-crossplane/universal-crossplane/1.2.300200/templates/upbound-agent/clusterroles-managed.yaml
@@ -0,0 +1,66 @@
+{{- if or (eq .Values.upbound.controlPlane.permission "view") (eq .Values.upbound.controlPlane.permission "edit") }}
+# There are more permissions in upstream aggregated ClusterRoles than we'd like
+# to have, so, we have our own ClusterRoles with only the permissions we need.
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ template "name" . }}:aggregate-to-view
+ labels:
+ rbac.crossplane.io/aggregate-to-view: "true"
+ {{- include "labelsAgent" . | nindent 4 }}
+rules:
+ # Universal Crossplane viewers have access to view events.
+ - apiGroups: [""]
+ resources: [events]
+ verbs: [get, list, watch]
+ # Universal Crossplane viewers may see which namespaces exist.
+ - apiGroups: [""]
+ resources: [namespaces]
+ verbs: [get, list, watch]
+ # Universal Crossplane viewers may see CRDs installed in the cluster.
+ - apiGroups: [apiextensions.k8s.io]
+ resources: [customresourcedefinitions]
+ verbs: [get, list, watch]
+ # Universal Crossplane viewers have read-only access to built in Crossplane types.
+ - apiGroups:
+ - apiextensions.crossplane.io
+ resources: ["*"]
+ verbs: [get, list, watch]
+ - apiGroups:
+ - pkg.crossplane.io
+ resources: [providers, configurations, providerrevisions, configurationrevisions]
+ verbs: [get, list, watch]
+{{- if eq .Values.upbound.controlPlane.permission "edit" }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ template "name" . }}:aggregate-to-edit
+ labels:
+ rbac.crossplane.io/aggregate-to-edit: "true"
+ {{- include "labelsAgent" . | nindent 4 }}
+rules:
+ # Universal Crossplane editors have access to view events.
+ - apiGroups: [""]
+ resources: [events]
+ verbs: [get, list, watch]
+ # Universal Crossplane editors may see which namespaces exist, but not edit them.
+ - apiGroups: [""]
+ resources: [namespaces]
+ verbs: [get, list, watch]
+ # Universal Crossplane editors may see CRDs installed in the cluster.
+ - apiGroups: [apiextensions.k8s.io]
+ resources: [customresourcedefinitions]
+ verbs: [get, list, watch]
+ # Universal Crossplane editors have full access to built in Crossplane types.
+ - apiGroups:
+ - apiextensions.crossplane.io
+ resources: ["*"]
+ verbs: ["*"]
+ - apiGroups:
+ - pkg.crossplane.io
+ resources: [providers, configurations, providerrevisions, configurationrevisions]
+ verbs: ["*"]
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/universal-crossplane/universal-crossplane/1.2.300200/templates/upbound-agent/control-plane-token-secret.yaml b/charts/universal-crossplane/universal-crossplane/1.2.300200/templates/upbound-agent/control-plane-token-secret.yaml
new file mode 100644
index 000000000..897846ae7
--- /dev/null
+++ b/charts/universal-crossplane/universal-crossplane/1.2.300200/templates/upbound-agent/control-plane-token-secret.yaml
@@ -0,0 +1,11 @@
+{{- if .Values.upbound.controlPlane.token }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ .Values.upbound.controlPlane.tokenSecretName }}
+ labels:
+ {{- include "labels" . | nindent 4 }}
+type: Opaque
+data:
+ token: {{ .Values.upbound.controlPlane.token | b64enc | quote }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/universal-crossplane/universal-crossplane/1.2.300200/templates/upbound-agent/role.yaml b/charts/universal-crossplane/universal-crossplane/1.2.300200/templates/upbound-agent/role.yaml
new file mode 100644
index 000000000..960bc4d48
--- /dev/null
+++ b/charts/universal-crossplane/universal-crossplane/1.2.300200/templates/upbound-agent/role.yaml
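Review bot: The `aggregate-to-edit` ClusterRole uses `verbs: ["*"]` on both the `apiextensions.crossplane.io` and the `pkg.crossplane.io` rules, which sits oddly with the header comment about keeping only the permissions needed, because the wildcard also covers `deletecollection` and any verb added later. I would spell the verbs out on both rules, e.g. `verbs: [get, list, watch, create, update, patch, delete]`. Write access to `providers` and `configurations` presumably lets an editor install packages that then run in the cluster, so a comment stating that this is intended would help the next reviewer.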
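Review bot: Rendering `.Values.upbound.controlPlane.token` into this Secret means the token has to be supplied as a chart value, so it also ends up in the stored Helm release data and in whatever values file or command line was used to pass it. The agent's `secretKeyRef` only needs a Secret named by `tokenSecretName` with a `token` key, so a Secret created out of band works with `token` left empty. I would document that as the preferred path next to `token: ""` in values.yaml, e.g. `# Prefer creating the Secret named by tokenSecretName out of band; a token set here is stored in the Helm release.` Quoting the name, `name: {{ .Values.upbound.controlPlane.tokenSecretName | quote }}`, would also match the quoting already applied to the data value.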
@@ -0,0 +1,66 @@
+{{- if or (eq .Values.upbound.controlPlane.permission "view") (eq .Values.upbound.controlPlane.permission "edit") }}
+---
+# We need to be able to read universal-crossplane-config configmap in the namespace
+# where UXP is deployed to provide version/configuration information.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ template "agent-name" . }}-uxp-config
+ labels:
+ {{- include "labelsAgent" . | nindent 4 }}
+rules:
+ - apiGroups: [""]
+ resources: ["configmaps"]
+ resourceNames: ["universal-crossplane-config"]
+ verbs: ["get"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ template "agent-name" . }}-uxp-config
+ labels:
+ {{- include "labelsAgent" . | nindent 4 }}
+subjects:
+ - apiGroup: rbac.authorization.k8s.io
+ kind: Group
+ name: upbound:view
+{{- if eq .Values.upbound.controlPlane.permission "edit" }}
+ - apiGroup: rbac.authorization.k8s.io
+ kind: Group
+ name: upbound:edit
+{{- end }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ template "agent-name" . }}-uxp-config
+{{- end }}
+{{- if eq .Values.upbound.controlPlane.permission "edit" }}
+---
+# We need to be able to manage Secrets in the namespace where UXP is deployed
+# so that Secrets pointed by ProviderConfig objects can be created by the agent.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ template "agent-name" . }}-secret
+ labels:
+ {{- include "labelsAgent" . | nindent 4 }}
+rules:
+ - apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["*"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ template "agent-name" . }}-secret
+ labels:
+ {{- include "labelsAgent" . | nindent 4 }}
+subjects:
+ - apiGroup: rbac.authorization.k8s.io
+ kind: Group
+ name: upbound:edit
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ template "agent-name" . }}-secret
+{{- end }}
\ No newline at end of file
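Review bot: The `-secret` Role grants `verbs: ["*"]` on every Secret in the release namespace to the `upbound:edit` group, and that namespace also holds the Secrets this chart creates itself: `upbound-agent-tls`, `xgql-tls` and the control-plane token Secret. A request made as `upbound:edit` can therefore read or overwrite the TLS keys and the token, which goes beyond the stated purpose of creating Secrets for ProviderConfig objects. RBAC rules cannot exclude names, so the options are to keep provider credentials in a separate namespace, or to narrow the verbs and record the remaining exposure in the comment above the Role. At minimum I would replace the wildcard with an explicit list such as `verbs: [get, create, update, patch, delete]`, adjusted to what the agent really calls.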
diff --git a/charts/universal-crossplane/universal-crossplane/1.2.300200/templates/upbound-agent/service.yaml b/charts/universal-crossplane/universal-crossplane/1.2.300200/templates/upbound-agent/service.yaml
new file mode 100644
index 000000000..7e22879a3
--- /dev/null
+++ b/charts/universal-crossplane/universal-crossplane/1.2.300200/templates/upbound-agent/service.yaml
@@ -0,0 +1,16 @@
+{{- if or (eq .Values.upbound.controlPlane.permission "view") (eq .Values.upbound.controlPlane.permission "edit") }}
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ template "agent-name" . }}
+ labels:
+ {{- include "labelsAgent" . | nindent 4 }}
+spec:
+ selector:
+ {{- include "selectorLabelsAgent" . | nindent 4 }}
+ ports:
+ - port: 6443
+ targetPort: 6443
+ protocol: TCP
+ name: https
+{{- end }}
\ No newline at end of file
diff --git a/charts/universal-crossplane/universal-crossplane/1.2.300200/templates/upbound-agent/serviceaccount.yaml b/charts/universal-crossplane/universal-crossplane/1.2.300200/templates/upbound-agent/serviceaccount.yaml
new file mode 100644
index 000000000..fe136d5c0
--- /dev/null
+++ b/charts/universal-crossplane/universal-crossplane/1.2.300200/templates/upbound-agent/serviceaccount.yaml
@@ -0,0 +1,8 @@
+{{- if or (eq .Values.upbound.controlPlane.permission "view") (eq .Values.upbound.controlPlane.permission "edit") }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ template "agent-name" . }}
+ labels:
+ {{- include "labelsAgent" . | nindent 4 }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/universal-crossplane/universal-crossplane/1.2.300200/templates/upbound-agent/tls-secret.yaml b/charts/universal-crossplane/universal-crossplane/1.2.300200/templates/upbound-agent/tls-secret.yaml
new file mode 100644
index 000000000..19a5c9748
--- /dev/null
+++ b/charts/universal-crossplane/universal-crossplane/1.2.300200/templates/upbound-agent/tls-secret.yaml
@@ -0,0 +1,9 @@
+{{- if or (eq .Values.upbound.controlPlane.permission "view") (eq .Values.upbound.controlPlane.permission "edit") }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: upbound-agent-tls
+ labels:
+ {{- include "labelsAgent" . | nindent 4 }}
+type: Opaque
+{{- end }}
\ No newline at end of file
diff --git a/charts/universal-crossplane/universal-crossplane/1.2.300200/templates/xgql/_helpers.tpl b/charts/universal-crossplane/universal-crossplane/1.2.300200/templates/xgql/_helpers.tpl
new file mode 100644
index 000000000..bd1141516
--- /dev/null
+++ b/charts/universal-crossplane/universal-crossplane/1.2.300200/templates/xgql/_helpers.tpl
@@ -0,0 +1,22 @@
+{{/* vim: set filetype=mustache: */}}
+
+{{- define "xgql-name" -}}
+{{- "xgql" -}}
+{{- end -}}
+
+{{/*
+Labels - xgql
+*/}}
+{{- define "labelsXgql" -}}
+{{ include "labels" . }}
+app.kubernetes.io/component: xgql
+{{- end }}
+
+{{/*
+Selector labels - xgql
+*/}}
+{{- define "selectorLabelsXgql" -}}
+{{ include "selectorLabels" . }}
+app.kubernetes.io/component: xgql
+{{- end }}
+
diff --git a/charts/universal-crossplane/universal-crossplane/1.2.300200/templates/xgql/deployment.yaml b/charts/universal-crossplane/universal-crossplane/1.2.300200/templates/xgql/deployment.yaml
new file mode 100644
index 000000000..520345385
--- /dev/null
+++ b/charts/universal-crossplane/universal-crossplane/1.2.300200/templates/xgql/deployment.yaml
@@ -0,0 +1,59 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ template "xgql-name" . }}
+ labels:
+ {{- include "labelsXgql" . | nindent 4 }}
+spec:
+ selector:
+ matchLabels:
+ {{- include "selectorLabelsXgql" . | nindent 6 }}
+ template:
+ metadata:
+ labels:
+ {{- include "selectorLabelsXgql" . | nindent 8 }}
+ spec:
+ serviceAccountName: {{ template "xgql-name" . }}
+ {{- if .Values.imagePullSecrets }}
+ imagePullSecrets:
+ {{- range $index, $secret := .Values.imagePullSecrets }}
+ - name: {{ $secret }}
+ {{- end }}
+ {{ end }}
+ containers:
+ - name: xgql
+ image: "{{ .Values.xgql.image.repository }}:{{ .Values.xgql.image.tag }}"
+ imagePullPolicy: {{ .Values.xgql.image.pullPolicy }}
+ resources:
+ {{- toYaml .Values.xgql.resources | nindent 12 }}
+ ports:
+ - name: https
+ containerPort: 8443
+ protocol: TCP
+ {{- if .Values.xgql.metrics.enabled }}
+ - name: metrics
+ containerPort: 8080
+ {{- end }}
+ args:
+ - --tls-key=/etc/certs/xgql/tls.key
+ - --tls-cert=/etc/certs/xgql/tls.crt
+ {{- if .Values.xgql.config.debugMode }}
+ - "--debug"
+ {{- end }}
+ {{- range $arg := .Values.xgql.config.args }}
+ - {{ $arg }}
+ {{- end }}
+ env:
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ volumeMounts:
+ - mountPath: /etc/certs/xgql
+ name: certs
+ readOnly: true
+ volumes:
+ - name: certs
+ secret:
+ defaultMode: 420
+ secretName: xgql-tls
diff --git a/charts/universal-crossplane/universal-crossplane/1.2.300200/templates/xgql/service.yaml b/charts/universal-crossplane/universal-crossplane/1.2.300200/templates/xgql/service.yaml
new file mode 100644
index 000000000..80f822d3c
--- /dev/null
+++ b/charts/universal-crossplane/universal-crossplane/1.2.300200/templates/xgql/service.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ template "xgql-name" . }}
+ labels:
+ {{- include "labelsXgql" . | nindent 4 }}
+spec:
+ selector:
+ {{- include "selectorLabelsXgql" . | nindent 4 }}
+ ports:
+ - port: 443
+ targetPort: https
+ protocol: TCP
+ name: https
diff --git a/charts/universal-crossplane/universal-crossplane/1.2.300200/templates/xgql/serviceaccount.yaml b/charts/universal-crossplane/universal-crossplane/1.2.300200/templates/xgql/serviceaccount.yaml
new file mode 100644
index 000000000..88e8bbdb7
--- /dev/null
+++ b/charts/universal-crossplane/universal-crossplane/1.2.300200/templates/xgql/serviceaccount.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ template "xgql-name" . }}
+ labels:
+ {{- include "labelsXgql" . | nindent 4 }}
diff --git a/charts/universal-crossplane/universal-crossplane/1.2.300200/templates/xgql/tls-secret.yaml b/charts/universal-crossplane/universal-crossplane/1.2.300200/templates/xgql/tls-secret.yaml
new file mode 100644
index 000000000..4b06ca735
--- /dev/null
+++ b/charts/universal-crossplane/universal-crossplane/1.2.300200/templates/xgql/tls-secret.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: xgql-tls
+ labels:
+ {{- include "labelsXgql" . | nindent 4 }}
+type: Opaque
diff --git a/charts/universal-crossplane/universal-crossplane/1.2.300200/values.yaml b/charts/universal-crossplane/universal-crossplane/1.2.300200/values.yaml
new file mode 100644
index 000000000..2056ed41e
--- /dev/null
+++ b/charts/universal-crossplane/universal-crossplane/1.2.300200/values.yaml
@@ -0,0 +1,152 @@
+nameOverride: "crossplane"
+
+replicas: 1
+
+deploymentStrategy: RollingUpdate
+
+image:
+ repository: crossplane/crossplane
+ tag: v1.2.3
+ pullPolicy: IfNotPresent
+
+nodeSelector: {}
+tolerations: {}
+affinity: {}
+
+leaderElection: true
+args: {}
+
+provider:
+ packages: []
+
+configuration:
+ packages: []
+
+imagePullSecrets:
+ - dockerhub
+
+rbacManager:
+ deploy: true
+ skipAggregatedClusterRoles: true
+ replicas: 1
+ managementPolicy: Basic
+ leaderElection: true
+ args: {}
+ nodeSelector: {}
+ tolerations: {}
+ affinity: {}
+
+priorityClassName: ""
+
+resourcesCrossplane:
+ limits:
+ cpu: 100m
+ memory: 512Mi
+ requests:
+ cpu: 100m
+ memory: 256Mi
+
+securityContextCrossplane:
+ runAsUser: 65532
+ runAsGroup: 65532
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+
+packageCache:
+ medium: ""
+ sizeLimit: 5Mi
+ pvc: ""
+
+resourcesRBACManager:
+ limits:
+ cpu: 100m
+ memory: 512Mi
+ requests:
+ cpu: 100m
+ memory: 256Mi
+
+securityContextRBACManager:
+ runAsUser: 65532
+ runAsGroup: 65532
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+
+alpha:
+ oam:
+ enabled: false
+
+metrics:
+ enabled: false
+
+# List of extra environment variables to set in the crossplane deployment.
+# EXAMPLE
+# extraEnvironmentVars:
+# sample.key=value1
+# ANOTHER.KEY=value2
+# RESULT
+# - name: sample_key
+# value: "value1"
+# - name: ANOTHER_KEY
+# value: "value2"
+extraEnvVarsCrossplane: {}
+
+# List of extra environment variables to set in the crossplane rbac manager deployment.
+# EXAMPLE
+# extraEnvironmentVars:
+# sample.key=value1
+# ANOTHER.KEY=value2
+# RESULT
+# - name: sample_key
+# value: "value1"
+# - name: ANOTHER_KEY
+# value: "value2"
+extraEnvVarsRBACManager: {}
+
+### Agent Values
+
+upbound:
+ apiURL: "https://api.upbound.io"
+ connectHost: "connect.upbound.io"
+ controlPlane:
+ permission: edit
+ tokenSecretName: upbound-control-plane-token
+ token: ""
+
+xgql:
+ image:
+ repository: upbound/xgql
+ tag: v0.1.4
+ pullPolicy: IfNotPresent
+ resources: {}
+ metrics:
+ enabled: false
+ config:
+ debugMode: false
+ args: []
+
+agent:
+ image:
+ repository: upbound/upbound-agent
+ tag: v1.2.3-up.2
+ pullPolicy: IfNotPresent
+ resources: {}
+ config:
+ debugMode: false
+ args: []
+
+### Bootstrapper Values
+
+bootstrapper:
+ image:
+ repository: upbound/uxp-bootstrapper
+ tag: v1.2.3-up.2
+ pullPolicy: IfNotPresent
+ resources: {}
+ config:
+ debugMode: false
+ args: []
+
+billing:
+ awsMarketplace:
+ enabled: false
+ iamRoleARN: arn:aws:iam:::role/
diff --git a/charts/universal-crossplane/universal-crossplane/1.2.300200/values.yaml.tmpl b/charts/universal-crossplane/universal-crossplane/1.2.300200/values.yaml.tmpl
new file mode 100644
index 000000000..a9a0a3389
--- /dev/null
+++ b/charts/universal-crossplane/universal-crossplane/1.2.300200/values.yaml.tmpl
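Review bot: `upbound.controlPlane.permission` defaults to `edit`, so a default install renders the `upbound:edit` impersonation entry, the `aggregate-to-edit` ClusterRole and the `-secret` Role with full access to Secrets in the release namespace. A least-privilege default would be `permission: view`, with `edit` as a documented opt-in; values.yaml.tmpl carries the same default. A short comment above the key listing the accepted values would also help, e.g. `# view | edit; the agent RBAC templates render nothing for any other value`.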
@@ -0,0 +1,152 @@
+nameOverride: "crossplane"
+
+replicas: 1
+
+deploymentStrategy: RollingUpdate
+
+image:
+ repository: crossplane/crossplane
+ tag: %%CROSSPLANE_TAG%%
+ pullPolicy: IfNotPresent
+
+nodeSelector: {}
+tolerations: {}
+affinity: {}
+
+leaderElection: true
+args: {}
+
+provider:
+ packages: []
+
+configuration:
+ packages: []
+
+imagePullSecrets:
+ - dockerhub
+
+rbacManager:
+ deploy: true
+ skipAggregatedClusterRoles: true
+ replicas: 1
+ managementPolicy: Basic
+ leaderElection: true
+ args: {}
+ nodeSelector: {}
+ tolerations: {}
+ affinity: {}
+
+priorityClassName: ""
+
+resourcesCrossplane:
+ limits:
+ cpu: 100m
+ memory: 512Mi
+ requests:
+ cpu: 100m
+ memory: 256Mi
+
+securityContextCrossplane:
+ runAsUser: 65532
+ runAsGroup: 65532
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+
+packageCache:
+ medium: ""
+ sizeLimit: 5Mi
+ pvc: ""
+
+resourcesRBACManager:
+ limits:
+ cpu: 100m
+ memory: 512Mi
+ requests:
+ cpu: 100m
+ memory: 256Mi
+
+securityContextRBACManager:
+ runAsUser: 65532
+ runAsGroup: 65532
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+
+alpha:
+ oam:
+ enabled: false
+
+metrics:
+ enabled: false
+
+# List of extra environment variables to set in the crossplane deployment.
+# EXAMPLE
+# extraEnvironmentVars:
+# sample.key=value1
+# ANOTHER.KEY=value2
+# RESULT
+# - name: sample_key
+# value: "value1"
+# - name: ANOTHER_KEY
+# value: "value2"
+extraEnvVarsCrossplane: {}
+
+# List of extra environment variables to set in the crossplane rbac manager deployment.
+# EXAMPLE
+# extraEnvironmentVars:
+# sample.key=value1
+# ANOTHER.KEY=value2
+# RESULT
+# - name: sample_key
+# value: "value1"
+# - name: ANOTHER_KEY
+# value: "value2"
+extraEnvVarsRBACManager: {}
+
+### Agent Values
+
+upbound:
+ apiURL: "https://api.upbound.io"
+ connectHost: "connect.upbound.io"
+ controlPlane:
+ permission: edit
+ tokenSecretName: upbound-control-plane-token
+ token: ""
+
+xgql:
+ image:
+ repository: upbound/xgql
+ tag: %%XGQL_TAG%%
+ pullPolicy: IfNotPresent
+ resources: {}
+ metrics:
+ enabled: false
+ config:
+ debugMode: false
+ args: []
+
+agent:
+ image:
+ repository: upbound/upbound-agent
+ tag: %%AGENT_TAG%%
+ pullPolicy: IfNotPresent
+ resources: {}
+ config:
+ debugMode: false
+ args: []
+
+### Bootstrapper Values
+
+bootstrapper:
+ image:
+ repository: upbound/uxp-bootstrapper
+ tag: %%BOOTSTRAPPER_TAG%%
+ pullPolicy: IfNotPresent
+ resources: {}
+ config:
+ debugMode: false
+ args: []
+
+billing:
+ awsMarketplace:
+ enabled: false
+ iamRoleARN: arn:aws:iam:::role/
diff --git a/index.yaml b/index.yaml
index 4a222499f..7253e8fc2 100755
--- a/index.yaml
+++ b/index.yaml
@@ -259,6 +259,37 @@ entries: urls: - assets/artifactory-jcr/artifactory-jcr-2.5.100.tgz version: 2.5.100 + aws-event-sources: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Sources for Amazon Web Services + catalog.cattle.io/release-name: aws-event-sources + apiVersion: v2 + appVersion: 1.7.0 + created: "2021-08-23T11:24:51.230234+05:30" + description: AWS Event Sources controller for Kubernetes + digest: 3b5cb9e51589262bff329d41439ff65863757448f6f35fd982aa096b4a3cc3b7 + home: https://github.com/triggermesh/aws-event-sources + icon: https://global-uploads.webflow.com/5f683649f57c927210b6707e/5f683649f57c9261bab67097_logo.svg + keywords: + - knative-eventing + - sources + - aws + - triggermesh + - serverless + kubeVersion: '>=1.18.0' + maintainers: + - email: sameer@triggermesh.com + name: sameersbn + - email: antoine@triggermesh.com + name: antoineco + name: aws-event-sources + sources: + - https://github.com/triggermesh/aws-event-sources + type: application + urls: + - assets/aws-event-sources/aws-event-sources-0.1.901.tgz + version: 0.1.901 citrix-adc-istio-ingress-gateway: - annotations: catalog.cattle.io/certified: partner 
@@ -682,6 +713,34 @@ entries: - assets/federatorai/federatorai-4.5.100.tgz version: 4.5.100 haproxy: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: HAProxy Kubernetes Ingress Controller + catalog.cattle.io/release-name: haproxy + apiVersion: v1 + appVersion: 1.6.5 + created: "2021-08-24T05:25:21.3795971Z" + description: A Helm chart for HAProxy Kubernetes Ingress Controller + digest: a4d21d80e0c625959fa8dbe47334173c27283c5d9296ef323cde638794d85275 + home: https://github.com/haproxytech/helm-charts/tree/main/kubernetes-ingress + icon: http://www.haproxy.org/img/HAProxyCommunityEdition_60px.png + keywords: + - ingress + - haproxy + kubeVersion: '>=1.12.0-0' + maintainers: + - email: mmhedhbi@haproxy.com + name: Moemen Mhedhbi + - email: bassmann@haproxy.com + name: Baptiste Assmann + - email: dkorunic@haproxy.com + name: Dinko Korunic + name: haproxy + sources: + - https://github.com/haproxytech/kubernetes-ingress + urls: + - assets/haproxy/haproxy-1.16.100.tgz + version: 1.16.100 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/release-name: haproxy 
@@ -932,6 +991,28 @@ entries: - assets/instana-agent/instana-agent-1.0.2900.tgz version: 1.0.2900 k8s-triliovault-operator: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: TrilioVault for Kubernetes Operator + catalog.cattle.io/release-name: k8s-triliovault-operator + apiVersion: v1 + appVersion: v2.1.0 + created: "2021-08-23T10:18:02.335921701Z" + description: K8s-TrilioVault-Operator is an operator designed to manage the K8s-TrilioVault + Application Lifecycle. + digest: 1567e3162767c366f546572d705de274a149f95dbc5c01026ad3d3f16121f089 + home: https://github.com/trilioData/k8s-triliovault-operator + icon: https://www.trilio.io/wp-content/uploads/2021/01/Trilio-2020-logo-RGB-gray-green.png + kubeVersion: '>= 1.18' + maintainers: + - email: prafull.ladha@trilio.io + name: prafull11 + name: k8s-triliovault-operator + sources: + - https://github.com/trilioData/k8s-triliovault-operator + urls: + - assets/k8s-triliovault-operator/k8s-triliovault-operator-2.1.0.tgz + version: 2.1.0 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: TrilioVault for Kubernetes Operator 
@@ -1187,6 +1268,53 @@ entries: - assets/sysdig/sysdig-1.9.200.tgz version: 1.9.200 universal-crossplane: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Upbound Universal Crossplane + catalog.cattle.io/release-name: universal-crossplane + apiVersion: v1 + appVersion: 1.2.3002 + created: "2021-08-22T23:25:13.440694+03:00" + description: 'Upbound Universal Crossplane (UXP) is Upbound''s official enterprise-grade + distribution of Crossplane. It''s fully compatible with upstream Crossplane, + open source, capable of connecting to Upbound Cloud for real-time dashboard + visibility, and maintained by Upbound. It''s the easiest way for both individual + community members and enterprises to build their production control planes. ' + digest: ff073b35aa28d9ead9470c4c559cf30e42ec118a8194ade18077421c31f24153 + home: https://upbound.io + icon: https://raw.githubusercontent.com/upbound/universal-crossplane/66ce9eb2c5a0c3af8ed7d19551a2c4d743b933b9/docs/media/logo.png + keywords: + - cloud + - infrastructure + - services + - application + - database + - cache + - bucket + - infra + - app + - ops + - oam + - gcp + - azure + - aws + - alibaba + - cloudsql + - rds + - s3 + - azuredatabase + - asparadb + - gke + - aks + - eks + kubeVersion: '>= 1.15' + maintainers: + - email: info@upbound.io + name: Upbound Inc. + name: universal-crossplane + urls: + - assets/universal-crossplane/universal-crossplane-1.2.300200.tgz + version: 1.2.300200 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Upbound Universal Crossplane