andata
/
rancher-partner-charts
mirror of https://git.rancher.io/partner-charts
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #530 from samuelattwood/main-source 

CI Updated Charts
pull/535/head
Samuel Attwood 2022-10-11 17:01:03 -04:00 committed by GitHub
parent 5aac1775d0 ca7f766d79
commit 959c351079
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
67 changed files with 10687 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

BIN
assets/external-secrets/external-secrets-0.6.0.tgz Normal file
View File

Binary file not shown.

BIN
assets/redpanda/redpanda-2.1.7.tgz Normal file
View File

Binary file not shown.

26
charts/external-secrets/external-secrets/0.6.0/.helmignore Normal file
View File

@ -0,0 +1,26 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*.orig
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/
# CRD README.md
templates/crds/README.md

20
charts/external-secrets/external-secrets/0.6.0/Chart.yaml Normal file
View File

@ -0,0 +1,20 @@
annotations:
catalog.cattle.io/certified: partner
catalog.cattle.io/display-name: External Secrets Operator
catalog.cattle.io/kube-version: '>= 1.19.0-0'
catalog.cattle.io/release-name: external-secrets
apiVersion: v2
appVersion: v0.6.0
description: External secret management for Kubernetes
home: https://github.com/external-secrets/external-secrets
icon: https://raw.githubusercontent.com/external-secrets/external-secrets/main/assets/eso-logo-large.png
keywords:
- kubernetes-external-secrets
- secrets
kubeVersion: '>= 1.19.0-0'
maintainers:
- email: kellinmcavoy@gmail.com
name: mcavoyk
name: external-secrets
type: application
version: 0.6.0

168
charts/external-secrets/external-secrets/0.6.0/README.md Normal file
View File

@ -0,0 +1,168 @@
# External Secrets
<p align="left"><img src="https://raw.githubusercontent.com/external-secrets/external-secrets/main/assets/eso-logo-large.png" width="100x" /></p>
[//]: # (README.md generated by gotmpl. DO NOT EDIT.)
![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![Version: 0.6.0](https://img.shields.io/badge/Version-0.6.0-informational?style=flat-square)
External secret management for Kubernetes
## TL;DR
```bash
helm repo add external-secrets https://charts.external-secrets.io
helm install external-secrets external-secrets/external-secrets
```
## Installing the Chart
To install the chart with the release name `external-secrets`:
```bash
helm install external-secrets external-secrets/external-secrets
```
### Custom Resources
By default, the chart will install external-secrets CRDs, this can be controlled with `installCRDs` value.
## Uninstalling the Chart
To uninstall the `external-secrets` deployment:
```bash
helm uninstall external-secrets
```
The command removes all the Kubernetes components associated with the chart and deletes the release.
## Values
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| affinity | object | `{}` | |
| certController.affinity | object | `{}` | |
| certController.create | bool | `true` | Specifies whether a certificate controller deployment be created. |
| certController.deploymentAnnotations | object | `{}` | Annotations to add to Deployment |
| certController.extraArgs | object | `{}` | |
| certController.extraEnv | list | `[]` | |
| certController.extraVolumeMounts | list | `[]` | |
| certController.extraVolumes | list | `[]` | |
| certController.fullnameOverride | string | `""` | |
| certController.image.pullPolicy | string | `"IfNotPresent"` | |
| certController.image.repository | string | `"ghcr.io/external-secrets/external-secrets"` | |
| certController.image.tag | string | `""` | |
| certController.imagePullSecrets | list | `[]` | |
| certController.metrics.service.annotations | object | `{}` | Additional service annotations |
| certController.metrics.service.enabled | bool | `false` | Enable if you use another monitoring tool than Prometheus to scrape the metrics |
| certController.metrics.service.port | int | `8080` | Metrics service port to scrape |
| certController.nameOverride | string | `""` | |
| certController.nodeSelector | object | `{}` | |
| certController.podAnnotations | object | `{}` | Annotations to add to Pod |
| certController.podDisruptionBudget | object | `{"enabled":false,"minAvailable":1}` | Pod disruption budget - for more details see https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ |
| certController.podLabels | object | `{}` | |
| certController.podSecurityContext | object | `{}` | |
| certController.priorityClassName | string | `""` | Pod priority class name. |
| certController.prometheus.enabled | bool | `false` | deprecated. will be removed with 0.7.0, use serviceMonitor instead |
| certController.prometheus.service.port | int | `8080` | deprecated. will be removed with 0.7.0, use serviceMonitor instead |
| certController.rbac.create | bool | `true` | Specifies whether role and rolebinding resources should be created. |
| certController.replicaCount | int | `1` | |
| certController.requeueInterval | string | `"5m"` | |
| certController.resources | object | `{}` | |
| certController.securityContext | object | `{}` | |
| certController.serviceAccount.annotations | object | `{}` | Annotations to add to the service account. |
| certController.serviceAccount.create | bool | `true` | Specifies whether a service account should be created. |
| certController.serviceAccount.extraLabels | object | `{}` | Extra Labels to add to the service account. |
| certController.serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template. |
| certController.serviceMonitor.additionalLabels | object | `{}` | Additional labels |
| certController.serviceMonitor.enabled | bool | `false` | Specifies whether to create a ServiceMonitor resource for collecting Prometheus metrics |
| certController.serviceMonitor.interval | string | `"30s"` | Interval to scrape metrics |
| certController.serviceMonitor.scrapeTimeout | string | `"25s"` | Timeout if metrics can't be retrieved in given time interval |
| certController.tolerations | list | `[]` | |
| concurrent | int | `1` | Specifies the number of concurrent ExternalSecret Reconciles external-secret executes at a time. |
| controllerClass | string | `""` | If set external secrets will filter matching Secret Stores with the appropriate controller values. |
| crds.createClusterExternalSecret | bool | `true` | If true, create CRDs for Cluster External Secret. |
| crds.createClusterSecretStore | bool | `true` | If true, create CRDs for Cluster Secret Store. |
| createOperator | bool | `true` | Specifies whether an external secret operator deployment be created. |
| deploymentAnnotations | object | `{}` | Annotations to add to Deployment |
| dnsConfig | object | `{}` | Specifies `dnsOptions` to deployment |
| extraArgs | object | `{}` | |
| extraEnv | list | `[]` | |
| extraVolumeMounts | list | `[]` | |
| extraVolumes | list | `[]` | |
| fullnameOverride | string | `""` | |
| image.pullPolicy | string | `"IfNotPresent"` | |
| image.repository | string | `"ghcr.io/external-secrets/external-secrets"` | |
| image.tag | string | `""` | The image tag to use. The default is the chart appVersion. There are different image flavours available, like distroless and ubi. Please see GitHub release notes for image tags for these flavors. By default the distroless image is used. |
| imagePullSecrets | list | `[]` | |
| installCRDs | bool | `true` | If set, install and upgrade CRDs through helm chart. |
| leaderElect | bool | `false` | If true, external-secrets will perform leader election between instances to ensure no more than one instance of external-secrets operates at a time. |
| metrics.service.annotations | object | `{}` | Additional service annotations |
| metrics.service.enabled | bool | `false` | Enable if you use another monitoring tool than Prometheus to scrape the metrics |
| metrics.service.port | int | `8080` | Metrics service port to scrape |
| nameOverride | string | `""` | |
| nodeSelector | object | `{}` | |
| podAnnotations | object | `{}` | Annotations to add to Pod |
| podDisruptionBudget | object | `{"enabled":false,"minAvailable":1}` | Pod disruption budget - for more details see https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ |
| podLabels | object | `{}` | |
| podSecurityContext | object | `{}` | |
| priorityClassName | string | `""` | Pod priority class name. |
| processClusterExternalSecret | bool | `true` | if true, the operator will process cluster external secret. Else, it will ignore them. |
| processClusterStore | bool | `true` | if true, the operator will process cluster store. Else, it will ignore them. |
| prometheus.enabled | bool | `false` | deprecated. will be removed with 0.7.0, use serviceMonitor instead. |
| prometheus.service.port | int | `8080` | deprecated. will be removed with 0.7.0, use serviceMonitor instead. |
| rbac.create | bool | `true` | Specifies whether role and rolebinding resources should be created. |
| replicaCount | int | `1` | |
| resources | object | `{}` | |
| scopedNamespace | string | `""` | If set external secrets are only reconciled in the provided namespace |
| scopedRBAC | bool | `false` | Must be used with scopedNamespace. If true, create scoped RBAC roles under the scoped namespace and implicitly disable cluster stores and cluster external secrets |
| securityContext | object | `{}` | |
| serviceAccount.annotations | object | `{}` | Annotations to add to the service account. |
| serviceAccount.create | bool | `true` | Specifies whether a service account should be created. |
| serviceAccount.extraLabels | object | `{}` | Extra Labels to add to the service account. |
| serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template. |
| serviceMonitor.additionalLabels | object | `{}` | Additional labels |
| serviceMonitor.enabled | bool | `false` | Specifies whether to create a ServiceMonitor resource for collecting Prometheus metrics |
| serviceMonitor.interval | string | `"30s"` | Interval to scrape metrics |
| serviceMonitor.scrapeTimeout | string | `"25s"` | Timeout if metrics can't be retrieved in given time interval |
| tolerations | list | `[]` | |
| webhook.affinity | object | `{}` | |
| webhook.certCheckInterval | string | `"5m"` | Specifices the time to check if the cert is valid |
| webhook.certDir | string | `"/tmp/certs"` | |
| webhook.create | bool | `true` | Specifies whether a webhook deployment be created. |
| webhook.deploymentAnnotations | object | `{}` | Annotations to add to Deployment |
| webhook.extraArgs | object | `{}` | |
| webhook.extraEnv | list | `[]` | |
| webhook.extraVolumeMounts | list | `[]` | |
| webhook.extraVolumes | list | `[]` | |
| webhook.failurePolicy | string | `"Fail"` | specifies whether validating webhooks should be created with failurePolicy: Fail or Ignore |
| webhook.fullnameOverride | string | `""` | |
| webhook.hostNetwork | bool | `false` | Specifies if webhook pod should use hostNetwork or not. |
| webhook.image.pullPolicy | string | `"IfNotPresent"` | |
| webhook.image.repository | string | `"ghcr.io/external-secrets/external-secrets"` | |
| webhook.image.tag | string | `""` | The image tag to use. The default is the chart appVersion. |
| webhook.imagePullSecrets | list | `[]` | |
| webhook.lookaheadInterval | string | `""` | Specifices the lookaheadInterval for certificate validity |
| webhook.metrics.service.annotations | object | `{}` | Additional service annotations |
| webhook.metrics.service.enabled | bool | `false` | Enable if you use another monitoring tool than Prometheus to scrape the metrics |
| webhook.metrics.service.port | int | `8080` | Metrics service port to scrape |
| webhook.nameOverride | string | `""` | |
| webhook.nodeSelector | object | `{}` | |
| webhook.podAnnotations | object | `{}` | Annotations to add to Pod |
| webhook.podDisruptionBudget | object | `{"enabled":false,"minAvailable":1}` | Pod disruption budget - for more details see https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ |
| webhook.podLabels | object | `{}` | |
| webhook.podSecurityContext | object | `{}` | |
| webhook.port | int | `10250` | The port the webhook will listen to |
| webhook.priorityClassName | string | `""` | Pod priority class name. |
| webhook.prometheus.enabled | bool | `false` | deprecated. will be removed with 0.7.0, use serviceMonitor instead |
| webhook.prometheus.service.port | int | `8080` | deprecated. will be removed with 0.7.0, use serviceMonitor instead |
| webhook.rbac.create | bool | `true` | Specifies whether role and rolebinding resources should be created. |
| webhook.readinessProbe.address | string | `""` | Address for readiness probe |
| webhook.readinessProbe.port | int | `8081` | ReadinessProbe port for kubelet |
| webhook.replicaCount | int | `1` | |
| webhook.resources | object | `{}` | |
| webhook.secretAnnotations | object | `{}` | Annotations to add to Secret |
| webhook.securityContext | object | `{}` | |
| webhook.serviceAccount.annotations | object | `{}` | Annotations to add to the service account. |
| webhook.serviceAccount.create | bool | `true` | Specifies whether a service account should be created. |
| webhook.serviceAccount.extraLabels | object | `{}` | Extra Labels to add to the service account. |
| webhook.serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template. |
| webhook.serviceMonitor.additionalLabels | object | `{}` | Additional labels |
| webhook.serviceMonitor.enabled | bool | `false` | Specifies whether to create a ServiceMonitor resource for collecting Prometheus metrics |
| webhook.serviceMonitor.interval | string | `"30s"` | Interval to scrape metrics |
| webhook.serviceMonitor.scrapeTimeout | string | `"25s"` | Timeout if metrics can't be retrieved in given time interval |
| webhook.tolerations | list | `[]` | |

35
charts/external-secrets/external-secrets/0.6.0/README.md.gotmpl Normal file
View File

@ -0,0 +1,35 @@
{{- $chartRepo := "https://charts.external-secrets.io" -}}
{{- $org := "external-secrets" -}}
# External Secrets
<p align="left"><img src="https://raw.githubusercontent.com/external-secrets/external-secrets/main/assets/eso-logo-large.png" width="100x" /></p>
[//]: # (README.md generated by gotmpl. DO NOT EDIT.)
{{ template "chart.typeBadge" . }}{{ template "chart.versionBadge" . }}
{{ template "chart.description" . }}
## TL;DR
```bash
helm repo add {{ $org }} {{ $chartRepo }}
helm install external-secrets {{ $org }}/{{ template "chart.name" . }}
```
## Installing the Chart
To install the chart with the release name `{{ template "chart.name" . }}`:
```bash
helm install {{ template "chart.name" . }} {{ $org }}/{{ template "chart.name" . }}
```
### Custom Resources
By default, the chart will install external-secrets CRDs, this can be controlled with `installCRDs` value.
## Uninstalling the Chart
To uninstall the `{{ template "chart.name" . }}` deployment:
```bash
helm uninstall {{ template "chart.name" . }}
```
The command removes all the Kubernetes components associated with the chart and deletes the release.
{{ template "chart.valuesSection" . }}

7
charts/external-secrets/external-secrets/0.6.0/app-readme.md Normal file
View File

@ -0,0 +1,7 @@
**External Secrets Operator** is a Kubernetes operator that integrates external secret management systems like [AWS Secrets Manager](https://aws.amazon.com/secrets-manager/), [HashiCorp Vault](https://www.vaultproject.io/), [Google Secrets Manager](https://cloud.google.com/secret-manager), [Azure Key Vault](https://azure.microsoft.com/en-us/services/key-vault/) and many more.
The operator reads information from external APIs and automatically injects the values into a [Kubernetes Secret](https://kubernetes.io/docs/concepts/configuration/secret/).
### What is the goal of External Secrets Operator?
The goal of External Secrets Operator is to synchronize secrets from external APIs into Kubernetes. ESO is a collection of custom API resources - `ExternalSecret`, `SecretStore` and `ClusterSecretStore` that provide a user-friendly abstraction for the external API that stores and manages the lifecycle of the secrets for you.

2
charts/external-secrets/external-secrets/0.6.0/ci/main-values.yaml Normal file
View File

@ -0,0 +1,2 @@
image:
tag: main

8
charts/external-secrets/external-secrets/0.6.0/questions.yaml Normal file
View File

@ -0,0 +1,8 @@
questions:
- variable: installCRDs
default: false
required: true
description: "If true, Install and upgrade CRDs through helm chart"
type: boolean
label: Install CRDs

13
charts/external-secrets/external-secrets/0.6.0/templates/NOTES.txt Normal file
View File

@ -0,0 +1,13 @@
external-secrets has been deployed successfully!
In order to begin using ExternalSecrets, you will need to set up a SecretStore
or ClusterSecretStore resource (for example, by creating a 'vault' SecretStore).
More information on the different types of SecretStores and how to configure them
can be found in our Github: {{ .Chart.Home }}
{{ if .Values.prometheus.enabled -}}
deprecation warning:
> The flag `prometheus.enabled` is deprecated and will be removed in the next release.
Please migrate to using servicemonitor instead.
{{ end }}

110
charts/external-secrets/external-secrets/0.6.0/templates/_helpers.tpl Normal file
View File

@ -0,0 +1,110 @@
{{/*
Expand the name of the chart.
*/}}
{{- define "external-secrets.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "external-secrets.fullname" -}}
{{- if .Values.fullnameOverride }}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- $name := default .Chart.Name .Values.nameOverride }}
{{- if contains $name .Release.Name }}
{{- .Release.Name | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
{{- end }}
{{- end }}
{{- end }}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "external-secrets.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Common labels
*/}}
{{- define "external-secrets.labels" -}}
helm.sh/chart: {{ include "external-secrets.chart" . }}
{{ include "external-secrets.selectorLabels" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end }}
{{- define "external-secrets-webhook.labels" -}}
helm.sh/chart: {{ include "external-secrets.chart" . }}
{{ include "external-secrets-webhook.selectorLabels" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end }}
{{- define "external-secrets-cert-controller.labels" -}}
helm.sh/chart: {{ include "external-secrets.chart" . }}
{{ include "external-secrets-cert-controller.selectorLabels" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "external-secrets.selectorLabels" -}}
app.kubernetes.io/name: {{ include "external-secrets.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
{{- define "external-secrets-webhook.selectorLabels" -}}
app.kubernetes.io/name: {{ include "external-secrets.name" . }}-webhook
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
{{- define "external-secrets-cert-controller.selectorLabels" -}}
app.kubernetes.io/name: {{ include "external-secrets.name" . }}-cert-controller
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
{{/*
Create the name of the service account to use
*/}}
{{- define "external-secrets.serviceAccountName" -}}
{{- if .Values.serviceAccount.create }}
{{- default (include "external-secrets.fullname" .) .Values.serviceAccount.name }}
{{- else }}
{{- default "default" .Values.serviceAccount.name }}
{{- end }}
{{- end }}
{{/*
Create the name of the service account to use
*/}}
{{- define "external-secrets-webhook.serviceAccountName" -}}
{{- if .Values.webhook.serviceAccount.create }}
{{- default "external-secrets-webhook" .Values.webhook.serviceAccount.name }}
{{- else }}
{{- default "default" .Values.webhook.serviceAccount.name }}
{{- end }}
{{- end }}
{{/*
Create the name of the service account to use
*/}}
{{- define "external-secrets-cert-controller.serviceAccountName" -}}
{{- if .Values.certController.serviceAccount.create }}
{{- default "external-secrets-cert-controller" .Values.certController.serviceAccount.name }}
{{- else }}
{{- default "default" .Values.certController.serviceAccount.name }}
{{- end }}
{{- end }}

102
charts/external-secrets/external-secrets/0.6.0/templates/cert-controller-deployment.yaml Normal file
View File

@ -0,0 +1,102 @@
{{- if .Values.certController.create }}
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "external-secrets.fullname" . }}-cert-controller
namespace: {{ .Release.Namespace | quote }}
labels:
{{- include "external-secrets-cert-controller.labels" . | nindent 4 }}
{{- with .Values.certController.deploymentAnnotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
replicas: {{ .Values.certController.replicaCount }}
selector:
matchLabels:
{{- include "external-secrets-cert-controller.selectorLabels" . | nindent 6 }}
template:
metadata:
{{- with .Values.certController.podAnnotations }}
annotations:
{{- toYaml . | nindent 8 }}
{{- end }}
labels:
{{- include "external-secrets-cert-controller.selectorLabels" . | nindent 8 }}
{{- with .Values.certController.podLabels }}
{{- toYaml . | nindent 8 }}
{{- end }}
spec:
{{- with .Values.certController.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
serviceAccountName: {{ include "external-secrets-cert-controller.serviceAccountName" . }}
{{- with .Values.certController.podSecurityContext }}
securityContext:
{{- toYaml . | nindent 8 }}
{{- end }}
containers:
- name: cert-controller
{{- with .Values.certController.securityContext }}
securityContext:
{{- toYaml . | nindent 12 }}
{{- end }}
image: "{{ .Values.certController.image.repository }}:{{ .Values.certController.image.tag | default .Chart.AppVersion }}"
imagePullPolicy: {{ .Values.certController.image.pullPolicy }}
args:
- certcontroller
- --crd-requeue-interval={{ .Values.certController.requeueInterval }}
- --service-name={{ include "external-secrets.fullname" . }}-webhook
- --service-namespace={{ .Release.Namespace }}
- --secret-name={{ include "external-secrets.fullname" . }}-webhook
- --secret-namespace={{ .Release.Namespace }}
{{- range $key, $value := .Values.certController.extraArgs }}
{{- if $value }}
- --{{ $key }}={{ $value }}
{{- else }}
- --{{ $key }}
{{- end }}
{{- end }}
ports:
- containerPort: {{ .Values.certController.prometheus.service.port }}
protocol: TCP
name: metrics
readinessProbe:
httpGet:
port: 8081
path: /readyz
initialDelaySeconds: 20
periodSeconds: 5
{{- with .Values.certController.extraEnv }}
env:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- with .Values.certController.resources }}
resources:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- if .Values.certController.extraVolumeMounts }}
volumeMounts:
{{- toYaml .Values.certController.extraVolumeMounts | nindent 12 }}
{{- end }}
{{- if .Values.certController.extraVolumes }}
volumes:
{{- toYaml .Values.certController.extraVolumes | nindent 8 }}
{{- end }}
{{- with .Values.certController.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.certController.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.certController.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- if .Values.certController.priorityClassName }}
priorityClassName: {{ .Values.certController.priorityClassName }}
{{- end }}
{{- end }}

19
charts/external-secrets/external-secrets/0.6.0/templates/cert-controller-poddisruptionbudget.yaml Normal file
View File

@ -0,0 +1,19 @@
{{- if and .Values.certController.create .Values.certController.podDisruptionBudget.enabled }}
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
name: {{ include "external-secrets.fullname" . }}-cert-controller-pdb
namespace: {{ .Release.Namespace | quote }}
labels:
{{- include "external-secrets-cert-controller.labels" . | nindent 4 }}
spec:
{{- if .Values.certController.podDisruptionBudget.minAvailable }}
minAvailable: {{ .Values.certController.podDisruptionBudget.minAvailable }}
{{- end }}
{{- if .Values.certController.podDisruptionBudget.maxUnavailable }}
maxUnavailable: {{ .Values.certController.podDisruptionBudget.maxUnavailable }}
{{- end }}
selector:
matchLabels:
{{- include "external-secrets-cert-controller.selectorLabels" . | nindent 6 }}
{{- end }}

69
charts/external-secrets/external-secrets/0.6.0/templates/cert-controller-rbac.yaml Normal file
View File

@ -0,0 +1,69 @@
{{- if and .Values.certController.create .Values.certController.rbac.create -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ include "external-secrets.fullname" . }}-cert-controller
labels:
{{- include "external-secrets-cert-controller.labels" . | nindent 4 }}
rules:
- apiGroups:
- "apiextensions.k8s.io"
resources:
- "customresourcedefinitions"
verbs:
- "get"
- "list"
- "watch"
- "update"
- "patch"
- apiGroups:
- "admissionregistration.k8s.io"
resources:
- "validatingwebhookconfigurations"
verbs:
- "get"
- "list"
- "watch"
- "update"
- "patch"
- apiGroups:
- ""
resources:
- "endpoints"
verbs:
- "list"
- "get"
- "watch"
- apiGroups:
- ""
resources:
- "events"
verbs:
- "create"
- "patch"
- apiGroups:
- ""
resources:
- "secrets"
verbs:
- "get"
- "list"
- "watch"
- "update"
- "patch"
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ include "external-secrets.fullname" . }}-cert-controller
labels:
{{- include "external-secrets-cert-controller.labels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ include "external-secrets.fullname" . }}-cert-controller
subjects:
- name: {{ include "external-secrets-cert-controller.serviceAccountName" . }}
namespace: {{ .Release.Namespace | quote }}
kind: ServiceAccount
{{- end }}

31
charts/external-secrets/external-secrets/0.6.0/templates/cert-controller-service.yaml Normal file
View File

@ -0,0 +1,31 @@
{{- if or (and .Values.certController.create .Values.certController.prometheus.enabled) (and .Values.certController.create .Values.certController.metrics.service.enabled) }}
apiVersion: v1
kind: Service
metadata:
name: {{ include "external-secrets.fullname" . }}-cert-controller-metrics
labels:
{{- include "external-secrets.labels" . | nindent 4 }}
{{- if .Values.certController.prometheus.enabled }}
annotations:
prometheus.io/path: "/metrics"
prometheus.io/scrape: "true"
prometheus.io/port: {{ .Values.certController.prometheus.service.port | quote }}
{{- else }}
{{- with .Values.metrics.service.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}
spec:
type: ClusterIP
ports:
{{- if .Values.certController.prometheus.enabled }}
- port: {{ .Values.certController.prometheus.service.port }}
{{- else }}
- port: {{ .Values.certController.metrics.service.port }}
{{- end }}
protocol: TCP
name: metrics
selector:
{{- include "external-secrets-cert-controller.selectorLabels" . | nindent 4 }}
{{- end }}

16
charts/external-secrets/external-secrets/0.6.0/templates/cert-controller-serviceaccount.yaml Normal file
View File

@ -0,0 +1,16 @@
{{- if and .Values.certController.create .Values.certController.serviceAccount.create -}}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "external-secrets-cert-controller.serviceAccountName" . }}
namespace: {{ .Release.Namespace | quote }}
labels:
{{- include "external-secrets-cert-controller.labels" . | nindent 4 }}
{{- with .Values.certController.serviceAccount.extraLabels }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.certController.serviceAccount.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}

38
charts/external-secrets/external-secrets/0.6.0/templates/cert-controller-servicemonitor.yaml Normal file
View File

@ -0,0 +1,38 @@
{{- if and .Values.certController.create .Values.certController.serviceMonitor.enabled }}
apiVersion: v1
kind: Service
metadata:
name: {{ include "external-secrets.fullname" . }}-cert-controller-metrics
labels:
{{- include "external-secrets-cert-controller.selectorLabels" . | nindent 4 }}
spec:
type: ClusterIP
ports:
- port: 8080
protocol: TCP
name: metrics
selector:
{{- include "external-secrets-cert-controller.selectorLabels" . | nindent 4 }}
---
apiVersion: "monitoring.coreos.com/v1"
kind: ServiceMonitor
metadata:
labels:
{{- include "external-secrets-cert-controller.labels" . | nindent 4 }}
{{- if .Values.certController.serviceMonitor.additionalLabels }}
{{ toYaml .Values.certController.serviceMonitor.additionalLabels | indent 4 }}
{{- end }}
name: {{ include "external-secrets.fullname" . }}-cert-controller-metrics
namespace: {{ .Release.Namespace | quote }}
spec:
selector:
matchLabels:
{{- include "external-secrets-cert-controller.selectorLabels" . | nindent 6 }}
namespaceSelector:
matchNames:
- {{ .Release.Namespace | quote }}
endpoints:
- port: metrics
interval: {{ .Values.certController.serviceMonitor.interval }}
scrapeTimeout: {{ .Values.certController.serviceMonitor.scrapeTimeout }}
{{- end }}

379
charts/external-secrets/external-secrets/0.6.0/templates/crds/clusterexternalsecret.yaml Normal file
View File

@ -0,0 +1,379 @@
{{- if and (.Values.installCRDs) (.Values.crds.createClusterExternalSecret) }}
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.10.0
creationTimestamp: null
name: clusterexternalsecrets.external-secrets.io
spec:
group: external-secrets.io
names:
categories:
- externalsecrets
kind: ClusterExternalSecret
listKind: ClusterExternalSecretList
plural: clusterexternalsecrets
shortNames:
- ces
singular: clusterexternalsecret
scope: Cluster
versions:
- additionalPrinterColumns:
- jsonPath: .spec.secretStoreRef.name
name: Store
type: string
- jsonPath: .spec.refreshInterval
name: Refresh Interval
type: string
- jsonPath: .status.conditions[?(@.type=="Ready")].reason
name: Status
type: string
- jsonPath: .status.conditions[?(@.type=="Ready")].status
name: Ready
type: string
name: v1beta1
schema:
openAPIV3Schema:
description: ClusterExternalSecret is the Schema for the clusterexternalsecrets API.
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: ClusterExternalSecretSpec defines the desired state of ClusterExternalSecret.
properties:
externalSecretName:
description: The name of the external secrets to be created defaults to the name of the ClusterExternalSecret
type: string
externalSecretSpec:
description: The spec for the ExternalSecrets to be created
properties:
data:
description: Data defines the connection between the Kubernetes Secret keys and the Provider data
items:
description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.<key>) and the Provider data.
properties:
remoteRef:
description: ExternalSecretDataRemoteRef defines Provider data location.
properties:
conversionStrategy:
default: Default
description: Used to define a conversion Strategy
type: string
decodingStrategy:
default: None
description: Used to define a decoding Strategy
type: string
key:
description: Key is the key used in the Provider, mandatory
type: string
metadataPolicy:
description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None
type: string
property:
description: Used to select a specific property of the Provider value (if a map), if supported
type: string
version:
description: Used to select a specific version of the Provider value, if supported
type: string
required:
- key
type: object
secretKey:
type: string
required:
- remoteRef
- secretKey
type: object
type: array
dataFrom:
description: DataFrom is used to fetch all properties from a specific Provider data If multiple entries are specified, the Secret keys are merged in the specified order
items:
properties:
extract:
description: Used to extract multiple key/value pairs from one secret
properties:
conversionStrategy:
default: Default
description: Used to define a conversion Strategy
type: string
decodingStrategy:
default: None
description: Used to define a decoding Strategy
type: string
key:
description: Key is the key used in the Provider, mandatory
type: string
metadataPolicy:
description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None
type: string
property:
description: Used to select a specific property of the Provider value (if a map), if supported
type: string
version:
description: Used to select a specific version of the Provider value, if supported
type: string
required:
- key
type: object
find:
description: Used to find secrets based on tags or regular expressions
properties:
conversionStrategy:
default: Default
description: Used to define a conversion Strategy
type: string
decodingStrategy:
default: None
description: Used to define a decoding Strategy
type: string
name:
description: Finds secrets based on the name.
properties:
regexp:
description: Finds secrets base
type: string
type: object
path:
description: A root path to start the find operations.
type: string
tags:
additionalProperties:
type: string
description: Find secrets based on tags.
type: object
type: object
rewrite:
description: Used to rewrite secret Keys after getting them from the secret Provider Multiple Rewrite operations can be provided. They are applied in a layered order (first to last)
items:
properties:
regexp:
description: Used to rewrite with regular expressions. The resulting key will be the output of a regexp.ReplaceAll operation.
properties:
source:
description: Used to define the regular expression of a re.Compiler.
type: string
target:
description: Used to define the target pattern of a ReplaceAll operation.
type: string
required:
- source
- target
type: object
type: object
type: array
type: object
type: array
refreshInterval:
default: 1h
description: RefreshInterval is the amount of time before the values are read again from the SecretStore provider Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" May be set to zero to fetch and create it once. Defaults to 1h.
type: string
secretStoreRef:
description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
properties:
kind:
description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore`
type: string
name:
description: Name of the SecretStore resource
type: string
required:
- name
type: object
target:
default:
creationPolicy: Owner
deletionPolicy: Retain
description: ExternalSecretTarget defines the Kubernetes Secret to be created There can be only one target per ExternalSecret.
properties:
creationPolicy:
default: Owner
description: CreationPolicy defines rules on how to create the resulting Secret Defaults to 'Owner'
enum:
- Owner
- Orphan
- Merge
- None
type: string
deletionPolicy:
default: Retain
description: DeletionPolicy defines rules on how to delete the resulting Secret Defaults to 'Retain'
enum:
- Delete
- Merge
- Retain
type: string
immutable:
description: Immutable defines if the final secret will be immutable
type: boolean
name:
description: Name defines the name of the Secret resource to be managed This field is immutable Defaults to the .metadata.name of the ExternalSecret resource
type: string
template:
description: Template defines a blueprint for the created Secret resource.
properties:
data:
additionalProperties:
type: string
type: object
engineVersion:
default: v2
type: string
metadata:
description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
properties:
annotations:
additionalProperties:
type: string
type: object
labels:
additionalProperties:
type: string
type: object
type: object
templateFrom:
items:
maxProperties: 1
minProperties: 1
properties:
configMap:
properties:
items:
items:
properties:
key:
type: string
required:
- key
type: object
type: array
name:
type: string
required:
- items
- name
type: object
secret:
properties:
items:
items:
properties:
key:
type: string
required:
- key
type: object
type: array
name:
type: string
required:
- items
- name
type: object
type: object
type: array
type:
type: string
type: object
type: object
required:
- secretStoreRef
type: object
namespaceSelector:
description: The labels to select by to find the Namespaces to create the ExternalSecrets in.
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
items:
description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
properties:
key:
description: key is the label key that the selector applies to.
type: string
operator:
description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
refreshTime:
description: The time in which the controller should reconcile it's objects and recheck namespaces for labels.
type: string
required:
- externalSecretSpec
- namespaceSelector
type: object
status:
description: ClusterExternalSecretStatus defines the observed state of ClusterExternalSecret.
properties:
conditions:
items:
properties:
message:
type: string
status:
type: string
type:
type: string
required:
- status
- type
type: object
type: array
failedNamespaces:
description: Failed namespaces are the namespaces that failed to apply an ExternalSecret
items:
description: ClusterExternalSecretNamespaceFailure represents a failed namespace deployment and it's reason.
properties:
namespace:
description: Namespace is the namespace that failed when trying to apply an ExternalSecret
type: string
reason:
description: Reason is why the ExternalSecret failed to apply to the namespace
type: string
required:
- namespace
type: object
type: array
provisionedNamespaces:
description: ProvisionedNamespaces are the namespaces where the ClusterExternalSecret has secrets
items:
type: string
type: array
type: object
type: object
served: true
storage: true
subresources:
status: {}
conversion:
strategy: Webhook
webhook:
conversionReviewVersions:
- v1
clientConfig:
service:
name: {{ include "external-secrets.fullname" . }}-webhook
namespace: {{ .Release.Namespace | quote }}
path: /convert
{{- end }}

2387
charts/external-secrets/external-secrets/0.6.0/templates/crds/clustersecretstore.yaml Normal file
View File

File diff suppressed because it is too large Load Diff

543
charts/external-secrets/external-secrets/0.6.0/templates/crds/externalsecret.yaml Normal file
View File

@ -0,0 +1,543 @@
{{- if .Values.installCRDs }}
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.10.0
creationTimestamp: null
name: externalsecrets.external-secrets.io
spec:
group: external-secrets.io
names:
categories:
- externalsecrets
kind: ExternalSecret
listKind: ExternalSecretList
plural: externalsecrets
shortNames:
- es
singular: externalsecret
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .spec.secretStoreRef.name
name: Store
type: string
- jsonPath: .spec.refreshInterval
name: Refresh Interval
type: string
- jsonPath: .status.conditions[?(@.type=="Ready")].reason
name: Status
type: string
deprecated: true
name: v1alpha1
schema:
openAPIV3Schema:
description: ExternalSecret is the Schema for the external-secrets API.
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: ExternalSecretSpec defines the desired state of ExternalSecret.
properties:
data:
description: Data defines the connection between the Kubernetes Secret keys and the Provider data
items:
description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.<key>) and the Provider data.
properties:
remoteRef:
description: ExternalSecretDataRemoteRef defines Provider data location.
properties:
conversionStrategy:
default: Default
description: Used to define a conversion Strategy
type: string
key:
description: Key is the key used in the Provider, mandatory
type: string
property:
description: Used to select a specific property of the Provider value (if a map), if supported
type: string
version:
description: Used to select a specific version of the Provider value, if supported
type: string
required:
- key
type: object
secretKey:
type: string
required:
- remoteRef
- secretKey
type: object
type: array
dataFrom:
description: DataFrom is used to fetch all properties from a specific Provider data If multiple entries are specified, the Secret keys are merged in the specified order
items:
description: ExternalSecretDataRemoteRef defines Provider data location.
properties:
conversionStrategy:
default: Default
description: Used to define a conversion Strategy
type: string
key:
description: Key is the key used in the Provider, mandatory
type: string
property:
description: Used to select a specific property of the Provider value (if a map), if supported
type: string
version:
description: Used to select a specific version of the Provider value, if supported
type: string
required:
- key
type: object
type: array
refreshInterval:
default: 1h
description: RefreshInterval is the amount of time before the values are read again from the SecretStore provider Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" May be set to zero to fetch and create it once. Defaults to 1h.
type: string
secretStoreRef:
description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
properties:
kind:
description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore`
type: string
name:
description: Name of the SecretStore resource
type: string
required:
- name
type: object
target:
description: ExternalSecretTarget defines the Kubernetes Secret to be created There can be only one target per ExternalSecret.
properties:
creationPolicy:
default: Owner
description: CreationPolicy defines rules on how to create the resulting Secret Defaults to 'Owner'
type: string
immutable:
description: Immutable defines if the final secret will be immutable
type: boolean
name:
description: Name defines the name of the Secret resource to be managed This field is immutable Defaults to the .metadata.name of the ExternalSecret resource
type: string
template:
description: Template defines a blueprint for the created Secret resource.
properties:
data:
additionalProperties:
type: string
type: object
engineVersion:
default: v1
description: EngineVersion specifies the template engine version that should be used to compile/execute the template specified in .data and .templateFrom[].
type: string
metadata:
description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
properties:
annotations:
additionalProperties:
type: string
type: object
labels:
additionalProperties:
type: string
type: object
type: object
templateFrom:
items:
maxProperties: 1
minProperties: 1
properties:
configMap:
properties:
items:
items:
properties:
key:
type: string
required:
- key
type: object
type: array
name:
type: string
required:
- items
- name
type: object
secret:
properties:
items:
items:
properties:
key:
type: string
required:
- key
type: object
type: array
name:
type: string
required:
- items
- name
type: object
type: object
type: array
type:
type: string
type: object
type: object
required:
- secretStoreRef
- target
type: object
status:
properties:
conditions:
items:
properties:
lastTransitionTime:
format: date-time
type: string
message:
type: string
reason:
type: string
status:
type: string
type:
type: string
required:
- status
- type
type: object
type: array
refreshTime:
description: refreshTime is the time and date the external secret was fetched and the target secret updated
format: date-time
nullable: true
type: string
syncedResourceVersion:
description: SyncedResourceVersion keeps track of the last synced version
type: string
type: object
type: object
served: true
storage: false
subresources:
status: {}
- additionalPrinterColumns:
- jsonPath: .spec.secretStoreRef.name
name: Store
type: string
- jsonPath: .spec.refreshInterval
name: Refresh Interval
type: string
- jsonPath: .status.conditions[?(@.type=="Ready")].reason
name: Status
type: string
- jsonPath: .status.conditions[?(@.type=="Ready")].status
name: Ready
type: string
name: v1beta1
schema:
openAPIV3Schema:
description: ExternalSecret is the Schema for the external-secrets API.
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: ExternalSecretSpec defines the desired state of ExternalSecret.
properties:
data:
description: Data defines the connection between the Kubernetes Secret keys and the Provider data
items:
description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.<key>) and the Provider data.
properties:
remoteRef:
description: ExternalSecretDataRemoteRef defines Provider data location.
properties:
conversionStrategy:
default: Default
description: Used to define a conversion Strategy
type: string
decodingStrategy:
default: None
description: Used to define a decoding Strategy
type: string
key:
description: Key is the key used in the Provider, mandatory
type: string
metadataPolicy:
description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None
type: string
property:
description: Used to select a specific property of the Provider value (if a map), if supported
type: string
version:
description: Used to select a specific version of the Provider value, if supported
type: string
required:
- key
type: object
secretKey:
type: string
required:
- remoteRef
- secretKey
type: object
type: array
dataFrom:
description: DataFrom is used to fetch all properties from a specific Provider data If multiple entries are specified, the Secret keys are merged in the specified order
items:
properties:
extract:
description: Used to extract multiple key/value pairs from one secret
properties:
conversionStrategy:
default: Default
description: Used to define a conversion Strategy
type: string
decodingStrategy:
default: None
description: Used to define a decoding Strategy
type: string
key:
description: Key is the key used in the Provider, mandatory
type: string
metadataPolicy:
description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None
type: string
property:
description: Used to select a specific property of the Provider value (if a map), if supported
type: string
version:
description: Used to select a specific version of the Provider value, if supported
type: string
required:
- key
type: object
find:
description: Used to find secrets based on tags or regular expressions
properties:
conversionStrategy:
default: Default
description: Used to define a conversion Strategy
type: string
decodingStrategy:
default: None
description: Used to define a decoding Strategy
type: string
name:
description: Finds secrets based on the name.
properties:
regexp:
description: Finds secrets base
type: string
type: object
path:
description: A root path to start the find operations.
type: string
tags:
additionalProperties:
type: string
description: Find secrets based on tags.
type: object
type: object
rewrite:
description: Used to rewrite secret Keys after getting them from the secret Provider Multiple Rewrite operations can be provided. They are applied in a layered order (first to last)
items:
properties:
regexp:
description: Used to rewrite with regular expressions. The resulting key will be the output of a regexp.ReplaceAll operation.
properties:
source:
description: Used to define the regular expression of a re.Compiler.
type: string
target:
description: Used to define the target pattern of a ReplaceAll operation.
type: string
required:
- source
- target
type: object
type: object
type: array
type: object
type: array
refreshInterval:
default: 1h
description: RefreshInterval is the amount of time before the values are read again from the SecretStore provider Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" May be set to zero to fetch and create it once. Defaults to 1h.
type: string
secretStoreRef:
description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
properties:
kind:
description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore`
type: string
name:
description: Name of the SecretStore resource
type: string
required:
- name
type: object
target:
default:
creationPolicy: Owner
deletionPolicy: Retain
description: ExternalSecretTarget defines the Kubernetes Secret to be created There can be only one target per ExternalSecret.
properties:
creationPolicy:
default: Owner
description: CreationPolicy defines rules on how to create the resulting Secret Defaults to 'Owner'
enum:
- Owner
- Orphan
- Merge
- None
type: string
deletionPolicy:
default: Retain
description: DeletionPolicy defines rules on how to delete the resulting Secret Defaults to 'Retain'
enum:
- Delete
- Merge
- Retain
type: string
immutable:
description: Immutable defines if the final secret will be immutable
type: boolean
name:
description: Name defines the name of the Secret resource to be managed This field is immutable Defaults to the .metadata.name of the ExternalSecret resource
type: string
template:
description: Template defines a blueprint for the created Secret resource.
properties:
data:
additionalProperties:
type: string
type: object
engineVersion:
default: v2
type: string
metadata:
description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
properties:
annotations:
additionalProperties:
type: string
type: object
labels:
additionalProperties:
type: string
type: object
type: object
templateFrom:
items:
maxProperties: 1
minProperties: 1
properties:
configMap:
properties:
items:
items:
properties:
key:
type: string
required:
- key
type: object
type: array
name:
type: string
required:
- items
- name
type: object
secret:
properties:
items:
items:
properties:
key:
type: string
required:
- key
type: object
type: array
name:
type: string
required:
- items
- name
type: object
type: object
type: array
type:
type: string
type: object
type: object
required:
- secretStoreRef
type: object
status:
properties:
conditions:
items:
properties:
lastTransitionTime:
format: date-time
type: string
message:
type: string
reason:
type: string
status:
type: string
type:
type: string
required:
- status
- type
type: object
type: array
refreshTime:
description: refreshTime is the time and date the external secret was fetched and the target secret updated
format: date-time
nullable: true
type: string
syncedResourceVersion:
description: SyncedResourceVersion keeps track of the last synced version
type: string
type: object
type: object
served: true
storage: true
subresources:
status: {}
conversion:
strategy: Webhook
webhook:
conversionReviewVersions:
- v1
clientConfig:
service:
name: {{ include "external-secrets.fullname" . }}-webhook
namespace: {{ .Release.Namespace | quote }}
path: /convert
{{- end }}

2387
charts/external-secrets/external-secrets/0.6.0/templates/crds/secretstore.yaml Normal file
View File

File diff suppressed because it is too large Load Diff

119
charts/external-secrets/external-secrets/0.6.0/templates/deployment.yaml Normal file
View File

@ -0,0 +1,119 @@
{{- if .Values.createOperator }}
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "external-secrets.fullname" . }}
namespace: {{ .Release.Namespace | quote }}
labels:
{{- include "external-secrets.labels" . | nindent 4 }}
{{- with .Values.deploymentAnnotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
replicas: {{ .Values.replicaCount }}
selector:
matchLabels:
{{- include "external-secrets.selectorLabels" . | nindent 6 }}
template:
metadata:
{{- with .Values.podAnnotations }}
annotations:
{{- toYaml . | nindent 8 }}
{{- end }}
labels:
{{- include "external-secrets.selectorLabels" . | nindent 8 }}
{{- with .Values.podLabels }}
{{- toYaml . | nindent 8 }}
{{- end }}
spec:
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
serviceAccountName: {{ include "external-secrets.serviceAccountName" . }}
{{- with .Values.podSecurityContext }}
securityContext:
{{- toYaml . | nindent 8 }}
{{- end }}
containers:
- name: {{ .Chart.Name }}
{{- with .Values.securityContext }}
securityContext:
{{- toYaml . | nindent 12 }}
{{- end }}
image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
{{- if or (.Values.leaderElect) (.Values.scopedNamespace) (.Values.processClusterStore) (.Values.processClusterExternalSecret) (.Values.concurrent) (.Values.extraArgs) }}
args:
{{- if .Values.leaderElect }}
- --enable-leader-election=true
{{- end }}
{{- if .Values.scopedNamespace }}
- --namespace={{ .Values.scopedNamespace }}
{{- end }}
{{- if and .Values.scopedNamespace .Values.scopedRBAC }}
- --enable-cluster-store-reconciler=false
- --enable-cluster-external-secret-reconciler=false
{{- else }}
{{- if not .Values.processClusterStore }}
- --enable-cluster-store-reconciler=false
{{- end }}
{{- if not .Values.processClusterExternalSecret }}
- --enable-cluster-external-secret-reconciler=false
{{- end }}
{{- end }}
{{- if .Values.controllerClass }}
- --controller-class={{ .Values.controllerClass }}
{{- end }}
{{- if .Values.concurrent }}
- --concurrent={{ .Values.concurrent }}
{{- end }}
{{- range $key, $value := .Values.extraArgs }}
{{- if $value }}
- --{{ $key }}={{ $value }}
{{- else }}
- --{{ $key }}
{{- end }}
{{- end }}
{{- end }}
ports:
- containerPort: {{ .Values.prometheus.service.port }}
protocol: TCP
name: metrics
{{- with .Values.extraEnv }}
env:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- with .Values.resources }}
resources:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- if .Values.extraVolumeMounts }}
volumeMounts:
{{- toYaml .Values.extraVolumeMounts | nindent 12 }}
{{- end }}
{{- if .Values.dnsConfig }}
dnsConfig:
{{- toYaml .Values.dnsConfig | nindent 8 }}
{{- end }}
{{- if .Values.extraVolumes }}
volumes:
{{- toYaml .Values.extraVolumes | nindent 8 }}
{{- end }}
{{- with .Values.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- if .Values.priorityClassName }}
priorityClassName: {{ .Values.priorityClassName }}
{{- end }}
{{- end }}

19
charts/external-secrets/external-secrets/0.6.0/templates/poddisruptionbudget.yaml Normal file
View File

@ -0,0 +1,19 @@
{{- if .Values.podDisruptionBudget.enabled }}
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
name: {{ include "external-secrets.fullname" . }}-pdb
namespace: {{ .Release.Namespace | quote }}
labels:
{{- include "external-secrets.labels" . | nindent 4 }}
spec:
{{- if .Values.podDisruptionBudget.minAvailable }}
minAvailable: {{ .Values.podDisruptionBudget.minAvailable }}
{{- end }}
{{- if .Values.podDisruptionBudget.maxUnavailable }}
maxUnavailable: {{ .Values.podDisruptionBudget.maxUnavailable }}
{{- end }}
selector:
matchLabels:
{{- include "external-secrets.selectorLabels" . | nindent 6 }}
{{- end }}

227
charts/external-secrets/external-secrets/0.6.0/templates/rbac.yaml Normal file
View File

@ -0,0 +1,227 @@
{{- if .Values.rbac.create -}}
apiVersion: rbac.authorization.k8s.io/v1
{{- if and .Values.scopedNamespace .Values.scopedRBAC }}
kind: Role
{{- else }}
kind: ClusterRole
{{- end }}
metadata:
name: {{ include "external-secrets.fullname" . }}-controller
{{- if and .Values.scopedNamespace .Values.scopedRBAC }}
namespace: {{ .Values.scopedNamespace | quote }}
{{- end }}
labels:
{{- include "external-secrets.labels" . | nindent 4 }}
rules:
- apiGroups:
- "external-secrets.io"
resources:
- "secretstores"
- "clustersecretstores"
- "externalsecrets"
- "clusterexternalsecrets"
verbs:
- "get"
- "list"
- "watch"
- apiGroups:
- "external-secrets.io"
resources:
- "externalsecrets"
- "externalsecrets/status"
- "externalsecrets/finalizers"
- "secretstores"
- "secretstores/status"
- "secretstores/finalizers"
- "clustersecretstores"
- "clustersecretstores/status"
- "clustersecretstores/finalizers"
- "clusterexternalsecrets"
- "clusterexternalsecrets/status"
- "clusterexternalsecrets/finalizers"
verbs:
- "update"
- "patch"
- apiGroups:
- ""
resources:
- "serviceaccounts"
- "namespaces"
verbs:
- "get"
- "list"
- "watch"
- apiGroups:
- ""
resources:
- "configmaps"
verbs:
- "get"
- "list"
- "watch"
- apiGroups:
- ""
resources:
- "secrets"
verbs:
- "get"
- "list"
- "watch"
- "create"
- "update"
- "delete"
- "patch"
- apiGroups:
- ""
resources:
- "serviceaccounts/token"
verbs:
- "create"
- apiGroups:
- ""
resources:
- "events"
verbs:
- "create"
- "patch"
- apiGroups:
- "external-secrets.io"
resources:
- "externalsecrets"
verbs:
- "create"
- "update"
---
apiVersion: rbac.authorization.k8s.io/v1
{{- if and .Values.scopedNamespace .Values.scopedRBAC }}
kind: Role
{{- else }}
kind: ClusterRole
{{- end }}
metadata:
name: {{ include "external-secrets.fullname" . }}-view
{{- if and .Values.scopedNamespace .Values.scopedRBAC }}
namespace: {{ .Values.scopedNamespace | quote }}
{{- end }}
labels:
{{- include "external-secrets.labels" . | nindent 4 }}
rbac.authorization.k8s.io/aggregate-to-view: "true"
rbac.authorization.k8s.io/aggregate-to-edit: "true"
rbac.authorization.k8s.io/aggregate-to-admin: "true"
rules:
- apiGroups:
- "external-secrets.io"
resources:
- "externalsecrets"
- "secretstores"
- "clustersecretstores"
verbs:
- "get"
- "watch"
- "list"
---
apiVersion: rbac.authorization.k8s.io/v1
{{- if and .Values.scopedNamespace .Values.scopedRBAC }}
kind: Role
{{- else }}
kind: ClusterRole
{{- end }}
metadata:
name: {{ include "external-secrets.fullname" . }}-edit
{{- if and .Values.scopedNamespace .Values.scopedRBAC }}
namespace: {{ .Values.scopedNamespace | quote }}
{{- end }}
labels:
{{- include "external-secrets.labels" . | nindent 4 }}
rbac.authorization.k8s.io/aggregate-to-edit: "true"
rbac.authorization.k8s.io/aggregate-to-admin: "true"
rules:
- apiGroups:
- "external-secrets.io"
resources:
- "externalsecrets"
- "secretstores"
- "clustersecretstores"
verbs:
- "create"
- "delete"
- "deletecollection"
- "patch"
- "update"
---
apiVersion: rbac.authorization.k8s.io/v1
{{- if and .Values.scopedNamespace .Values.scopedRBAC }}
kind: RoleBinding
{{- else }}
kind: ClusterRoleBinding
{{- end }}
metadata:
name: {{ include "external-secrets.fullname" . }}-controller
{{- if and .Values.scopedNamespace .Values.scopedRBAC }}
namespace: {{ .Values.scopedNamespace | quote }}
{{- end }}
labels:
{{- include "external-secrets.labels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
{{- if and .Values.scopedNamespace .Values.scopedRBAC }}
kind: Role
{{- else }}
kind: ClusterRole
{{- end }}
name: {{ include "external-secrets.fullname" . }}-controller
subjects:
- name: {{ include "external-secrets.serviceAccountName" . }}
namespace: {{ .Release.Namespace | quote }}
kind: ServiceAccount
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ include "external-secrets.fullname" . }}-leaderelection
namespace: {{ .Release.Namespace | quote }}
labels:
{{- include "external-secrets.labels" . | nindent 4 }}
rules:
- apiGroups:
- ""
resources:
- "configmaps"
resourceNames:
- "external-secrets-controller"
verbs:
- "get"
- "update"
- "patch"
- apiGroups:
- ""
resources:
- "configmaps"
verbs:
- "create"
- apiGroups:
- "coordination.k8s.io"
resources:
- "leases"
verbs:
- "get"
- "create"
- "update"
- "patch"
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ include "external-secrets.fullname" . }}-leaderelection
namespace: {{ .Release.Namespace | quote }}
labels:
{{- include "external-secrets.labels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ include "external-secrets.fullname" . }}-leaderelection
subjects:
- kind: ServiceAccount
name: {{ include "external-secrets.serviceAccountName" . }}
namespace: {{ .Release.Namespace | quote }}
{{- end }}

32
charts/external-secrets/external-secrets/0.6.0/templates/service.yaml Normal file
View File

@ -0,0 +1,32 @@
{{- if or .Values.prometheus.enabled .Values.metrics.service.enabled }}
apiVersion: v1
kind: Service
metadata:
name: {{ include "external-secrets.fullname" . }}-metrics
namespace: {{ .Release.Namespace | quote }}
labels:
{{- include "external-secrets.labels" . | nindent 4 }}
{{- if .Values.prometheus.enabled }}
annotations:
prometheus.io/path: "/metrics"
prometheus.io/scrape: "true"
prometheus.io/port: {{ .Values.prometheus.service.port | quote }}
{{- else }}
{{- with .Values.metrics.service.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}
spec:
type: ClusterIP
ports:
{{- if .Values.prometheus.enabled }}
- port: {{ .Values.prometheus.service.port }}
{{- else }}
- port: {{ .Values.metrics.service.port }}
{{- end }}
protocol: TCP
name: metrics
selector:
{{- include "external-secrets.selectorLabels" . | nindent 4 }}
{{- end }}

16
charts/external-secrets/external-secrets/0.6.0/templates/serviceaccount.yaml Normal file
View File

@ -0,0 +1,16 @@
{{- if .Values.serviceAccount.create -}}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "external-secrets.serviceAccountName" . }}
namespace: {{ .Release.Namespace | quote }}
labels:
{{- include "external-secrets.labels" . | nindent 4 }}
{{- with .Values.serviceAccount.extraLabels }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.serviceAccount.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}

39
charts/external-secrets/external-secrets/0.6.0/templates/servicemonitor.yaml Normal file
View File

@ -0,0 +1,39 @@
{{- if .Values.serviceMonitor.enabled }}
apiVersion: v1
kind: Service
metadata:
name: {{ include "external-secrets.fullname" . }}-metrics
namespace: {{ .Release.Namespace | quote }}
labels:
{{- include "external-secrets.selectorLabels" . | nindent 4 }}
spec:
type: ClusterIP
ports:
- port: 8080
protocol: TCP
name: metrics
selector:
{{- include "external-secrets.selectorLabels" . | nindent 4 }}
---
apiVersion: "monitoring.coreos.com/v1"
kind: ServiceMonitor
metadata:
labels:
{{- include "external-secrets.labels" . | nindent 4 }}
{{- if .Values.serviceMonitor.additionalLabels }}
{{ toYaml .Values.serviceMonitor.additionalLabels | indent 4 }}
{{- end }}
name: {{ include "external-secrets.fullname" . }}-metrics
namespace: {{ .Release.Namespace | quote }}
spec:
selector:
matchLabels:
{{- include "external-secrets.selectorLabels" . | nindent 6 }}
namespaceSelector:
matchNames:
- {{ .Release.Namespace | quote }}
endpoints:
- port: metrics
interval: {{ .Values.serviceMonitor.interval }}
scrapeTimeout: {{ .Values.serviceMonitor.scrapeTimeout }}
{{- end }}

64
charts/external-secrets/external-secrets/0.6.0/templates/validatingwebhook.yaml Normal file
View File

@ -0,0 +1,64 @@
{{- if .Values.webhook.create }}
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
name: secretstore-validate
labels:
external-secrets.io/component: webhook
webhooks:
- name: "validate.secretstore.external-secrets.io"
rules:
- apiGroups: ["external-secrets.io"]
apiVersions: ["v1beta1"]
operations: ["CREATE", "UPDATE", "DELETE"]
resources: ["secretstores"]
scope: "Namespaced"
clientConfig:
service:
namespace: {{ .Release.Namespace | quote }}
name: {{ include "external-secrets.fullname" . }}-webhook
path: /validate-external-secrets-io-v1beta1-secretstore
admissionReviewVersions: ["v1", "v1beta1"]
sideEffects: None
timeoutSeconds: 5
- name: "validate.clustersecretstore.external-secrets.io"
rules:
- apiGroups: ["external-secrets.io"]
apiVersions: ["v1beta1"]
operations: ["CREATE", "UPDATE", "DELETE"]
resources: ["clustersecretstores"]
scope: "Cluster"
clientConfig:
service:
namespace: {{ .Release.Namespace | quote }}
name: {{ include "external-secrets.fullname" . }}-webhook
path: /validate-external-secrets-io-v1beta1-clustersecretstore
admissionReviewVersions: ["v1", "v1beta1"]
sideEffects: None
timeoutSeconds: 5
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
name: externalsecret-validate
labels:
external-secrets.io/component: webhook
webhooks:
- name: "validate.externalsecret.external-secrets.io"
rules:
- apiGroups: ["external-secrets.io"]
apiVersions: ["v1beta1"]
operations: ["CREATE", "UPDATE", "DELETE"]
resources: ["externalsecrets"]
scope: "Namespaced"
clientConfig:
service:
namespace: {{ .Release.Namespace | quote }}
name: {{ include "external-secrets.fullname" . }}-webhook
path: /validate-external-secrets-io-v1beta1-externalsecret
admissionReviewVersions: ["v1", "v1beta1"]
sideEffects: None
timeoutSeconds: 5
failurePolicy: {{ .Values.webhook.failurePolicy}}
{{- end }}

115
charts/external-secrets/external-secrets/0.6.0/templates/webhook-deployment.yaml Normal file
View File

@ -0,0 +1,115 @@
{{- if .Values.webhook.create }}
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "external-secrets.fullname" . }}-webhook
namespace: {{ .Release.Namespace | quote }}
labels:
{{- include "external-secrets-webhook.labels" . | nindent 4 }}
{{- with .Values.webhook.deploymentAnnotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
replicas: {{ .Values.webhook.replicaCount }}
selector:
matchLabels:
{{- include "external-secrets-webhook.selectorLabels" . | nindent 6 }}
template:
metadata:
{{- with .Values.webhook.podAnnotations }}
annotations:
{{- toYaml . | nindent 8 }}
{{- end }}
labels:
{{- include "external-secrets-webhook.selectorLabels" . | nindent 8 }}
{{- with .Values.webhook.podLabels }}
{{- toYaml . | nindent 8 }}
{{- end }}
spec:
{{- with .Values.webhook.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
hostNetwork: {{ .Values.webhook.hostNetwork}}
serviceAccountName: {{ include "external-secrets-webhook.serviceAccountName" . }}
{{- with .Values.webhook.podSecurityContext }}
securityContext:
{{- toYaml . | nindent 8 }}
{{- end }}
containers:
- name: webhook
{{- with .Values.webhook.securityContext }}
securityContext:
{{- toYaml . | nindent 12 }}
{{- end }}
image: "{{ .Values.webhook.image.repository }}:{{ .Values.webhook.image.tag | default .Chart.AppVersion }}"
imagePullPolicy: {{ .Values.webhook.image.pullPolicy }}
args:
- webhook
- --port={{ .Values.webhook.port }}
- --dns-name={{ include "external-secrets.fullname" . }}-webhook.{{ .Release.Namespace }}.svc
- --cert-dir={{ .Values.webhook.certDir }}
- --check-interval={{ .Values.webhook.certCheckInterval }}
- --healthz-addr={{ .Values.webhook.readinessProbe.address }}:{{ .Values.webhook.readinessProbe.port }}
{{- if .Values.webhook.lookaheadInterval }}
- --lookahead-interval={{ .Values.webhook.lookaheadInterval }}
{{- end }}
{{- range $key, $value := .Values.webhook.extraArgs }}
{{- if $value }}
- --{{ $key }}={{ $value }}
{{- else }}
- --{{ $key }}
{{- end }}
{{- end }}
ports:
- containerPort: {{ .Values.webhook.prometheus.service.port }}
protocol: TCP
name: metrics
- containerPort: {{ .Values.webhook.port }}
protocol: TCP
name: webhook
readinessProbe:
httpGet:
port: {{ .Values.webhook.readinessProbe.port }}
path: /readyz
initialDelaySeconds: 20
periodSeconds: 5
{{- with .Values.webhook.extraEnv }}
env:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- with .Values.webhook.resources }}
resources:
{{- toYaml . | nindent 12 }}
{{- end }}
volumeMounts:
- name: certs
mountPath: {{ .Values.webhook.certDir }}
readOnly: true
{{- if .Values.webhook.extraVolumeMounts }}
{{- toYaml .Values.webhook.extraVolumeMounts | nindent 12 }}
{{- end }}
volumes:
- name: certs
secret:
secretName: {{ include "external-secrets.fullname" . }}-webhook
{{- if .Values.webhook.extraVolumes }}
{{- toYaml .Values.webhook.extraVolumes | nindent 8 }}
{{- end }}
{{- with .Values.webhook.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.webhook.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.webhook.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- if .Values.webhook.priorityClassName }}
priorityClassName: {{ .Values.webhook.priorityClassName }}
{{- end }}
{{- end }}

20
charts/external-secrets/external-secrets/0.6.0/templates/webhook-poddisruptionbudget.yaml Normal file
View File

@ -0,0 +1,20 @@
{{- if and .Values.webhook.create .Values.webhook.podDisruptionBudget.enabled }}
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
name: {{ include "external-secrets.fullname" . }}-webhook-pdb
namespace: {{ .Release.Namespace | quote }}
labels:
{{- include "external-secrets-webhook.labels" . | nindent 4 }}
external-secrets.io/component : webhook
spec:
{{- if .Values.webhook.podDisruptionBudget.minAvailable }}
minAvailable: {{ .Values.webhook.podDisruptionBudget.minAvailable }}
{{- end }}
{{- if .Values.webhook.podDisruptionBudget.maxUnavailable }}
maxUnavailable: {{ .Values.webhook.podDisruptionBudget.maxUnavailable }}
{{- end }}
selector:
matchLabels:
{{- include "external-secrets-webhook.selectorLabels" . | nindent 6 }}
{{- end }}

14
charts/external-secrets/external-secrets/0.6.0/templates/webhook-secret.yaml Normal file
View File

@ -0,0 +1,14 @@
{{- if .Values.webhook.create }}
apiVersion: v1
kind: Secret
metadata:
name: {{ include "external-secrets.fullname" . }}-webhook
namespace: {{ .Release.Namespace | quote }}
labels:
{{- include "external-secrets-webhook.labels" . | nindent 4 }}
external-secrets.io/component: webhook
{{- with .Values.webhook.secretAnnotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}

41
charts/external-secrets/external-secrets/0.6.0/templates/webhook-service.yaml Normal file
View File

@ -0,0 +1,41 @@
{{- if .Values.webhook.create }}
apiVersion: v1
kind: Service
metadata:
name: {{ include "external-secrets.fullname" . }}-webhook
namespace: {{ .Release.Namespace | quote }}
labels:
{{- include "external-secrets-webhook.labels" . | nindent 4 }}
external-secrets.io/component: webhook
{{- if .Values.webhook.prometheus.enabled}}
annotations:
prometheus.io/path: "/metrics"
prometheus.io/scrape: "true"
prometheus.io/port: {{ .Values.prometheus.service.port | quote }}
{{- else }}
{{- with .Values.metrics.service.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}
spec:
type: ClusterIP
ports:
- port: 443
targetPort: {{ .Values.webhook.port }}
protocol: TCP
name: webhook
{{- if or .Values.webhook.prometheus.enabled .Values.webhook.metrics.service.enabled }}
{{- if .Values.webhook.prometheus.enabled }}
- port: {{ .Values.webhook.prometheus.service.port }}
targetPort: {{ .Values.webhook.prometheus.service.port }}
{{- else }}
- port: {{ .Values.webhook.metrics.service.port }}
targetPort: {{ .Values.webhook.metrics.service.port }}
{{- end }}
protocol: TCP
name: metrics
{{- end }}
selector:
{{- include "external-secrets-webhook.selectorLabels" . | nindent 4 }}
{{- end }}

16
charts/external-secrets/external-secrets/0.6.0/templates/webhook-serviceaccount.yaml Normal file
View File

@ -0,0 +1,16 @@
{{- if and .Values.webhook.create .Values.webhook.serviceAccount.create -}}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "external-secrets-webhook.serviceAccountName" . }}
namespace: {{ .Release.Namespace | quote }}
labels:
{{- include "external-secrets-webhook.labels" . | nindent 4 }}
{{- with .Values.webhook.serviceAccount.extraLabels }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.webhook.serviceAccount.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}

38
charts/external-secrets/external-secrets/0.6.0/templates/webhook-servicemonitor.yaml Normal file
View File

@ -0,0 +1,38 @@
{{- if and .Values.webhook.create .Values.webhook.serviceMonitor.enabled }}
apiVersion: v1
kind: Service
metadata:
name: {{ include "external-secrets.fullname" . }}-webhook-metrics
labels:
{{- include "external-secrets-webhook.selectorLabels" . | nindent 4 }}
spec:
type: ClusterIP
ports:
- port: 8080
protocol: TCP
name: metrics
selector:
{{- include "external-secrets-webhook.selectorLabels" . | nindent 4 }}
---
apiVersion: "monitoring.coreos.com/v1"
kind: ServiceMonitor
metadata:
labels:
{{- include "external-secrets-webhook.labels" . | nindent 4 }}
{{- if .Values.webhook.serviceMonitor.additionalLabels }}
{{ toYaml .Values.webhook.serviceMonitor.additionalLabels | indent 4 }}
{{- end }}
name: {{ include "external-secrets.fullname" . }}-webhook-metrics
namespace: {{ .Release.Namespace | quote }}
spec:
selector:
matchLabels:
{{- include "external-secrets-webhook.selectorLabels" . | nindent 6 }}
namespaceSelector:
matchNames:
- {{ .Release.Namespace | quote }}
endpoints:
- port: metrics
interval: {{ .Values.webhook.serviceMonitor.interval }}
scrapeTimeout: {{ .Values.webhook.serviceMonitor.scrapeTimeout }}
{{- end }}

388
charts/external-secrets/external-secrets/0.6.0/values.yaml Normal file
View File

@ -0,0 +1,388 @@
replicaCount: 1
image:
repository: ghcr.io/external-secrets/external-secrets
pullPolicy: IfNotPresent
# -- The image tag to use. The default is the chart appVersion.
# There are different image flavours available, like distroless and ubi.
# Please see GitHub release notes for image tags for these flavors.
# By default the distroless image is used.
tag: ""
# -- If set, install and upgrade CRDs through helm chart.
installCRDs: true
crds:
# -- If true, create CRDs for Cluster External Secret.
createClusterExternalSecret: true
# -- If true, create CRDs for Cluster Secret Store.
createClusterSecretStore: true
imagePullSecrets: []
nameOverride: ""
fullnameOverride: ""
# -- If true, external-secrets will perform leader election between instances to ensure no more
# than one instance of external-secrets operates at a time.
leaderElect: false
# -- If set external secrets will filter matching
# Secret Stores with the appropriate controller values.
controllerClass: ""
# -- If set external secrets are only reconciled in the
# provided namespace
scopedNamespace: ""
# -- Must be used with scopedNamespace. If true, create scoped RBAC roles under the scoped namespace
# and implicitly disable cluster stores and cluster external secrets
scopedRBAC: false
# -- if true, the operator will process cluster external secret. Else, it will ignore them.
processClusterExternalSecret: true
# -- if true, the operator will process cluster store. Else, it will ignore them.
processClusterStore: true
# -- Specifies whether an external secret operator deployment be created.
createOperator: true
# -- Specifies the number of concurrent ExternalSecret Reconciles external-secret executes at
# a time.
concurrent: 1
serviceAccount:
# -- Specifies whether a service account should be created.
create: true
# -- Annotations to add to the service account.
annotations: {}
# -- Extra Labels to add to the service account.
extraLabels: {}
# -- The name of the service account to use.
# If not set and create is true, a name is generated using the fullname template.
name: ""
rbac:
# -- Specifies whether role and rolebinding resources should be created.
create: true
## -- Extra environment variables to add to container.
extraEnv: []
## -- Map of extra arguments to pass to container.
extraArgs: {}
## -- Extra volumes to pass to pod.
extraVolumes: []
## -- Extra volumes to mount to the container.
extraVolumeMounts: []
# -- Annotations to add to Deployment
deploymentAnnotations: {}
# -- Annotations to add to Pod
podAnnotations: {}
podLabels: {}
podSecurityContext: {}
# fsGroup: 2000
securityContext: {}
# capabilities:
# drop:
# - ALL
# readOnlyRootFilesystem: true
# runAsNonRoot: true
# runAsUser: 1000
resources: {}
# requests:
# cpu: 10m
# memory: 32Mi
prometheus:
# -- deprecated. will be removed with 0.7.0, use serviceMonitor instead.
enabled: false
service:
# -- deprecated. will be removed with 0.7.0, use serviceMonitor instead.
port: 8080
serviceMonitor:
# -- Specifies whether to create a ServiceMonitor resource for collecting Prometheus metrics
enabled: false
# -- Additional labels
additionalLabels: {}
# -- Interval to scrape metrics
interval: 30s
# -- Timeout if metrics can't be retrieved in given time interval
scrapeTimeout: 25s
metrics:
service:
# -- Enable if you use another monitoring tool than Prometheus to scrape the metrics
enabled: false
# -- Metrics service port to scrape
port: 8080
# -- Additional service annotations
annotations: {}
nodeSelector: {}
tolerations: []
affinity: {}
# -- Pod priority class name.
priorityClassName: ""
# -- Pod disruption budget - for more details see https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
podDisruptionBudget:
enabled: false
minAvailable: 1
# maxUnavailable: 1
webhook:
# -- Specifies whether a webhook deployment be created.
create: true
# -- Specifices the time to check if the cert is valid
certCheckInterval: "5m"
# -- Specifices the lookaheadInterval for certificate validity
lookaheadInterval: ""
replicaCount: 1
certDir: /tmp/certs
# -- specifies whether validating webhooks should be created with failurePolicy: Fail or Ignore
failurePolicy: Fail
# -- Specifies if webhook pod should use hostNetwork or not.
hostNetwork: false
image:
repository: ghcr.io/external-secrets/external-secrets
pullPolicy: IfNotPresent
# -- The image tag to use. The default is the chart appVersion.
tag: ""
imagePullSecrets: []
nameOverride: ""
fullnameOverride: ""
# -- The port the webhook will listen to
port: 10250
rbac:
# -- Specifies whether role and rolebinding resources should be created.
create: true
serviceAccount:
# -- Specifies whether a service account should be created.
create: true
# -- Annotations to add to the service account.
annotations: {}
# -- Extra Labels to add to the service account.
extraLabels: {}
# -- The name of the service account to use.
# If not set and create is true, a name is generated using the fullname template.
name: ""
nodeSelector: {}
tolerations: []
affinity: {}
# -- Pod priority class name.
priorityClassName: ""
# -- Pod disruption budget - for more details see https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
podDisruptionBudget:
enabled: false
minAvailable: 1
# maxUnavailable: 1
prometheus:
# -- deprecated. will be removed with 0.7.0, use serviceMonitor instead
enabled: false
service:
# -- deprecated. will be removed with 0.7.0, use serviceMonitor instead
port: 8080
serviceMonitor:
# -- Specifies whether to create a ServiceMonitor resource for collecting Prometheus metrics
enabled: false
# -- Additional labels
additionalLabels: {}
# -- Interval to scrape metrics
interval: 30s
# -- Timeout if metrics can't be retrieved in given time interval
scrapeTimeout: 25s
metrics:
service:
# -- Enable if you use another monitoring tool than Prometheus to scrape the metrics
enabled: false
# -- Metrics service port to scrape
port: 8080
# -- Additional service annotations
annotations: {}
readinessProbe:
# -- Address for readiness probe
address: ""
# -- ReadinessProbe port for kubelet
port: 8081
## -- Extra environment variables to add to container.
extraEnv: []
## -- Map of extra arguments to pass to container.
extraArgs: {}
## -- Extra volumes to pass to pod.
extraVolumes: []
## -- Extra volumes to mount to the container.
extraVolumeMounts: []
# -- Annotations to add to Secret
secretAnnotations: {}
# -- Annotations to add to Deployment
deploymentAnnotations: {}
# -- Annotations to add to Pod
podAnnotations: {}
podLabels: {}
podSecurityContext: {}
# fsGroup: 2000
securityContext: {}
# capabilities:
# drop:
# - ALL
# readOnlyRootFilesystem: true
# runAsNonRoot: true
# runAsUser: 1000
resources: {}
# requests:
# cpu: 10m
# memory: 32Mi
certController:
# -- Specifies whether a certificate controller deployment be created.
create: true
requeueInterval: "5m"
replicaCount: 1
image:
repository: ghcr.io/external-secrets/external-secrets
pullPolicy: IfNotPresent
tag: ""
imagePullSecrets: []
nameOverride: ""
fullnameOverride: ""
rbac:
# -- Specifies whether role and rolebinding resources should be created.
create: true
serviceAccount:
# -- Specifies whether a service account should be created.
create: true
# -- Annotations to add to the service account.
annotations: {}
# -- Extra Labels to add to the service account.
extraLabels: {}
# -- The name of the service account to use.
# If not set and create is true, a name is generated using the fullname template.
name: ""
nodeSelector: {}
tolerations: []
affinity: {}
# -- Pod priority class name.
priorityClassName: ""
# -- Pod disruption budget - for more details see https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
podDisruptionBudget:
enabled: false
minAvailable: 1
# maxUnavailable: 1
prometheus:
# -- deprecated. will be removed with 0.7.0, use serviceMonitor instead
enabled: false
service:
# -- deprecated. will be removed with 0.7.0, use serviceMonitor instead
port: 8080
serviceMonitor:
# -- Specifies whether to create a ServiceMonitor resource for collecting Prometheus metrics
enabled: false
# -- Additional labels
additionalLabels: {}
# -- Interval to scrape metrics
interval: 30s
# -- Timeout if metrics can't be retrieved in given time interval
scrapeTimeout: 25s
metrics:
service:
# -- Enable if you use another monitoring tool than Prometheus to scrape the metrics
enabled: false
# -- Metrics service port to scrape
port: 8080
# -- Additional service annotations
annotations: {}
## -- Extra environment variables to add to container.
extraEnv: []
## -- Map of extra arguments to pass to container.
extraArgs: {}
## -- Extra volumes to pass to pod.
extraVolumes: []
## -- Extra volumes to mount to the container.
extraVolumeMounts: []
# -- Annotations to add to Deployment
deploymentAnnotations: {}
# -- Annotations to add to Pod
podAnnotations: {}
podLabels: {}
podSecurityContext: {}
# fsGroup: 2000
securityContext: {}
# capabilities:
# drop:
# - ALL
# readOnlyRootFilesystem: true
# runAsNonRoot: true
# runAsUser: 1000
resources: {}
# requests:
# cpu: 10m
# memory: 32Mi
# -- Specifies `dnsOptions` to deployment
dnsConfig: {}

23
charts/redpanda/redpanda/2.1.7/.helmignore Normal file
View File

@ -0,0 +1,23 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*.orig
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/

26
charts/redpanda/redpanda/2.1.7/Chart.yaml Normal file
View File

@ -0,0 +1,26 @@
annotations:
artifacthub.io/images: |
- name: redpanda
image: vectorized/redpanda:v22.2.4
- name: busybox
image: busybox:latest
artifacthub.io/license: Apache-2.0
artifacthub.io/links: |
- name: Documentation
url: https://docs.redpanda.com
catalog.cattle.io/certified: partner
catalog.cattle.io/display-name: Redpanda
catalog.cattle.io/kube-version: '>=1.21-0'
catalog.cattle.io/release-name: redpanda
apiVersion: v2
appVersion: 22.2.5
description: Redpanda is the real-time engine for modern apps.
icon: https://images.ctfassets.net/paqvtpyf8rwu/3cYHw5UzhXCbKuR24GDFGO/73fb682e6157d11c10d5b2b5da1d5af0/skate-stand-panda.svg
maintainers:
- name: redpanda-data
url: https://github.com/orgs/redpanda-data/people
name: redpanda
sources:
- https://github.com/redpanda-data/helm-charts
type: application
version: 2.1.7

201
charts/redpanda/redpanda/2.1.7/LICENSE Normal file
View File

@ -0,0 +1,201 @@
Apache License
Version 2.0, January 2004
http://www.apache.org/licenses/
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
1. Definitions.
"License" shall mean the terms and conditions for use, reproduction,
and distribution as defined by Sections 1 through 9 of this document.
"Licensor" shall mean the copyright owner or entity authorized by
the copyright owner that is granting the License.
"Legal Entity" shall mean the union of the acting entity and all
other entities that control, are controlled by, or are under common
control with that entity. For the purposes of this definition,
"control" means (i) the power, direct or indirect, to cause the
direction or management of such entity, whether by contract or
otherwise, or (ii) ownership of fifty percent (50%) or more of the
outstanding shares, or (iii) beneficial ownership of such entity.
"You" (or "Your") shall mean an individual or Legal Entity
exercising permissions granted by this License.
"Source" form shall mean the preferred form for making modifications,
including but not limited to software source code, documentation
source, and configuration files.
"Object" form shall mean any form resulting from mechanical
transformation or translation of a Source form, including but
not limited to compiled object code, generated documentation,
and conversions to other media types.
"Work" shall mean the work of authorship, whether in Source or
Object form, made available under the License, as indicated by a
copyright notice that is included in or attached to the work
(an example is provided in the Appendix below).
"Derivative Works" shall mean any work, whether in Source or Object
form, that is based on (or derived from) the Work and for which the
editorial revisions, annotations, elaborations, or other modifications
represent, as a whole, an original work of authorship. For the purposes
of this License, Derivative Works shall not include works that remain
separable from, or merely link (or bind by name) to the interfaces of,
the Work and Derivative Works thereof.
"Contribution" shall mean any work of authorship, including
the original version of the Work and any modifications or additions
to that Work or Derivative Works thereof, that is intentionally
submitted to Licensor for inclusion in the Work by the copyright owner
or by an individual or Legal Entity authorized to submit on behalf of
the copyright owner. For the purposes of this definition, "submitted"
means any form of electronic, verbal, or written communication sent
to the Licensor or its representatives, including but not limited to
communication on electronic mailing lists, source code control systems,
and issue tracking systems that are managed by, or on behalf of, the
Licensor for the purpose of discussing and improving the Work, but
excluding communication that is conspicuously marked or otherwise
designated in writing by the copyright owner as "Not a Contribution."
"Contributor" shall mean Licensor and any individual or Legal Entity
on behalf of whom a Contribution has been received by Licensor and
subsequently incorporated within the Work.
2. Grant of Copyright License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
copyright license to reproduce, prepare Derivative Works of,
publicly display, publicly perform, sublicense, and distribute the
Work and such Derivative Works in Source or Object form.
3. Grant of Patent License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
(except as stated in this section) patent license to make, have made,
use, offer to sell, sell, import, and otherwise transfer the Work,
where such license applies only to those patent claims licensable
by such Contributor that are necessarily infringed by their
Contribution(s) alone or by combination of their Contribution(s)
with the Work to which such Contribution(s) was submitted. If You
institute patent litigation against any entity (including a
cross-claim or counterclaim in a lawsuit) alleging that the Work
or a Contribution incorporated within the Work constitutes direct
or contributory patent infringement, then any patent licenses
granted to You under this License for that Work shall terminate
as of the date such litigation is filed.
4. Redistribution. You may reproduce and distribute copies of the
Work or Derivative Works thereof in any medium, with or without
modifications, and in Source or Object form, provided that You
meet the following conditions:
(a) You must give any other recipients of the Work or
Derivative Works a copy of this License; and
(b) You must cause any modified files to carry prominent notices
stating that You changed the files; and
(c) You must retain, in the Source form of any Derivative Works
that You distribute, all copyright, patent, trademark, and
attribution notices from the Source form of the Work,
excluding those notices that do not pertain to any part of
the Derivative Works; and
(d) If the Work includes a "NOTICE" text file as part of its
distribution, then any Derivative Works that You distribute must
include a readable copy of the attribution notices contained
within such NOTICE file, excluding those notices that do not
pertain to any part of the Derivative Works, in at least one
of the following places: within a NOTICE text file distributed
as part of the Derivative Works; within the Source form or
documentation, if provided along with the Derivative Works; or,
within a display generated by the Derivative Works, if and
wherever such third-party notices normally appear. The contents
of the NOTICE file are for informational purposes only and
do not modify the License. You may add Your own attribution
notices within Derivative Works that You distribute, alongside
or as an addendum to the NOTICE text from the Work, provided
that such additional attribution notices cannot be construed
as modifying the License.
You may add Your own copyright statement to Your modifications and
may provide additional or different license terms and conditions
for use, reproduction, or distribution of Your modifications, or
for any such Derivative Works as a whole, provided Your use,
reproduction, and distribution of the Work otherwise complies with
the conditions stated in this License.
5. Submission of Contributions. Unless You explicitly state otherwise,
any Contribution intentionally submitted for inclusion in the Work
by You to the Licensor shall be under the terms and conditions of
this License, without any additional terms or conditions.
Notwithstanding the above, nothing herein shall supersede or modify
the terms of any separate license agreement you may have executed
with Licensor regarding such Contributions.
6. Trademarks. This License does not grant permission to use the trade
names, trademarks, service marks, or product names of the Licensor,
except as required for reasonable and customary use in describing the
origin of the Work and reproducing the content of the NOTICE file.
7. Disclaimer of Warranty. Unless required by applicable law or
agreed to in writing, Licensor provides the Work (and each
Contributor provides its Contributions) on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
implied, including, without limitation, any warranties or conditions
of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
PARTICULAR PURPOSE. You are solely responsible for determining the
appropriateness of using or redistributing the Work and assume any
risks associated with Your exercise of permissions under this License.
8. Limitation of Liability. In no event and under no legal theory,
whether in tort (including negligence), contract, or otherwise,
unless required by applicable law (such as deliberate and grossly
negligent acts) or agreed to in writing, shall any Contributor be
liable to You for damages, including any direct, indirect, special,
incidental, or consequential damages of any character arising as a
result of this License or out of the use or inability to use the
Work (including but not limited to damages for loss of goodwill,
work stoppage, computer failure or malfunction, or any and all
other commercial damages or losses), even if such Contributor
has been advised of the possibility of such damages.
9. Accepting Warranty or Additional Liability. While redistributing
the Work or Derivative Works thereof, You may choose to offer,
and charge a fee for, acceptance of support, warranty, indemnity,
or other liability obligations and/or rights consistent with this
License. However, in accepting such obligations, You may act only
on Your own behalf and on Your sole responsibility, not on behalf
of any other Contributor, and only if You agree to indemnify,
defend, and hold each Contributor harmless for any liability
incurred by, or claims asserted against, such Contributor by reason
of your accepting any such warranty or additional liability.
END OF TERMS AND CONDITIONS
APPENDIX: How to apply the Apache License to your work.
To apply the Apache License to your work, attach the following
boilerplate notice, with the fields enclosed by brackets "[]"
replaced with your own identifying information. (Don't include
the brackets!) The text should be enclosed in the appropriate
comment syntax for the file format. We also recommend that a
file or class name and description of purpose be included on the
same "printed page" as the copyright notice for easier
identification within third-party archives.
Copyright [yyyy] [name of copyright owner]
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.

40
charts/redpanda/redpanda/2.1.7/README.md Normal file
View File

@ -0,0 +1,40 @@
# Redpanda Helm Chart
[![Artifact Hub](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/redpanda-data)](https://artifacthub.io/packages/search?repo=redpanda-data)
This Helm chart (`redpanda`) deploys a Redpanda cluster.
Once deployed, you continue to use the Helm command and override values to change and/or upgrade your Redpanda deployment.
The defaults are in [values.yaml][values].
## Overview
This is the Helm Chart for [Redpanda](https://redpanda.com). It provides the ability to set up a multi node redpanda cluster with the following optional features:
- Schema registry (enabled by default)
- REST (aka PandaProxy, enabled by default)
- TLS
- SASL
- External access
See the [examples folder][examples] with more details on how to use this helm chart.
Each example focuses on specific features like the ones listed above.
We recommend completing the instructions in the [60-Second Guide for Kubernetes][kubernetes-qs-dev] before continuing steps in any of these examples.
The [values.yaml][values] file is documented throughout.
Please see this file for more details.
## Installation
See the [60-Second Guide for Kubernetes][kubernetes-qs-dev]
## Contributing
If you have improvements that can be made to this Helm chart, please consider becoming a contributor.
See our [Contributing][contributing] document for more details.
[values]: https://github.com/redpanda-data/helm-charts/blob/main/redpanda/values.yaml
[examples]: https://github.com/redpanda-data/helm-charts/blob/main/examples/README.md
[contributing]: https://github.com/redpanda-data/helm-charts/blob/main/CONTRIBUTING.md
[kubernetes-qs-dev]: https://docs.redpanda.com/docs/quickstart/kubernetes-qs-dev/

21
charts/redpanda/redpanda/2.1.7/ci/01-one-node-cluster-no-tls-no-sasl.yaml Normal file
View File

@ -0,0 +1,21 @@
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
statefulset:
replicas: 1
tls:
enabled: false
auth:
sasl:
enabled: false

21
charts/redpanda/redpanda/2.1.7/ci/02-one-node-cluster-tls-no-sasl.yaml Normal file
View File

@ -0,0 +1,21 @@
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
statefulset:
replicas: 1
tls:
enabled: true
auth:
sasl:
enabled: false

21
charts/redpanda/redpanda/2.1.7/ci/03-one-node-cluster-no-tls-sasl.yaml Normal file
View File

@ -0,0 +1,21 @@
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
statefulset:
replicas: 1
tls:
enabled: false
auth:
sasl:
enabled: true

21
charts/redpanda/redpanda/2.1.7/ci/04-one-node-cluster-tls-sasl.yaml Normal file
View File

@ -0,0 +1,21 @@
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
statefulset:
replicas: 1
tls:
enabled: true
auth:
sasl:
enabled: true

19
charts/redpanda/redpanda/2.1.7/ci/ct.yaml Normal file
View File

@ -0,0 +1,19 @@
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
charts:
- redpanda
target-branch: main
helm-extra-args: --timeout 600s
remote: origin

76
charts/redpanda/redpanda/2.1.7/templates/NOTES.txt Normal file
View File

@ -0,0 +1,76 @@
{{/*
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
Congratulations on installing {{ .Chart.Name }}!
The pods will rollout in a few seconds. To check the status:
kubectl -n {{ .Release.Namespace }} rollout status statefulset {{ template "redpanda.fullname" . }} --watch
Try some sample commands, like creating a topic called test-topic:
{{- $anyTLS := (include "tls-enabled" . | fromJson).bool -}}
{{- $anySASL := (include "sasl-enabled" . | fromJson).bool }}
{{- $brokers := printf "%s-0.%s:%d"
(include "redpanda.fullname" .)
(include "redpanda.internal.domain" .)
(int .Values.listeners.kafka.port)
-}}
{{- $rpk :=
printf "kubectl -n %s exec -ti %s-0 -c redpanda -- rpk --brokers=%s"
.Release.Namespace
(include "redpanda.fullname" .)
$brokers
}}
{{- $rpkAdmin := "" }}
{{- if $anyTLS }}
{{ $rpk = printf "%s --tls-enabled --tls-truststore=/etc/tls/certs/%s/ca.crt" $rpk .Values.listeners.kafka.tls.cert }}
{{ $rpkAdmin = printf "%s --admin-api-tls-enabled --admin-api-tls-truststore=/etc/tls/certs/%s/ca.crt --api-urls=%s-0.%s:%d"
$rpk
.Values.listeners.admin.tls.cert
(include "redpanda.fullname" .)
(include "redpanda.internal.domain" .)
(int .Values.listeners.admin.port)
}}
{{- else }}
{{ $rpkAdmin = $rpk }}
{{- end }}
{{- if $anySASL }}
{{ $rpk = printf "%s --user %s --password $YOUR_PASSWORD --sasl-mechanism SCRAM-SHA-256" $rpk (.Values.auth.sasl.users | first).name }}
{{ $rpkAdmin = printf "%s --user %s --password $YOUR_PASSWORD --sasl-mechanism SCRAM-SHA-256" $rpkAdmin (.Values.auth.sasl.users | first).name }}
{{- end }}
{{- if and $anySASL }}
Create a user:
{{ $rpkAdmin }} acl user create myuser -p changeme
{{- end }}
Get the api status:
{{ $rpk }} cluster info
Create a topic
{{ $rpk }} topic create test-topic
Describe the topic:
{{ $rpk }} topic describe test-topic
Delete the topic:
{{ $rpk }} topic delete test-topic

390
charts/redpanda/redpanda/2.1.7/templates/_helpers.tpl Normal file
View File

@ -0,0 +1,390 @@
{{/*
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{/*
Expand the name of the chart.
*/}}
{{- define "redpanda.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
*/}}
{{- define "redpanda.fullname" -}}
{{- if .Values.fullnameOverride }}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- printf "%s" .Release.Name | trunc 63 | trimSuffix "-" }}
{{- end }}
{{- end }}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "redpanda.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Get the version of redpanda being used as an image
*/}}
{{- define "redpanda.semver" -}}
{{ .Values.image.tag | trimPrefix "v" }}
{{- end }}
{{/*
Create the name of the service account to use
*/}}
{{- define "redpanda.serviceAccountName" -}}
{{- if .Values.serviceAccount.create }}
{{- default (include "redpanda.fullname" .) .Values.serviceAccount.name }}
{{- else }}
{{- default "default" .Values.serviceAccount.name }}
{{- end }}
{{- end }}
{{/*
Generate configuration needed for rpk
*/}}
{{- define "listen.address" -}}
{{- "$(POD_IP)" -}}
{{- end -}}
{{- define "nodeport.listen.address" -}}
{{- "$(HOST_IP)" -}}
{{- end -}}
{{- define "redpanda.internal.domain" -}}
{{- $service := include "redpanda.fullname" . -}}
{{- $ns := .Release.Namespace -}}
{{- $domain := .Values.clusterDomain | trimSuffix "." -}}
{{- printf "%s.%s.svc.%s." $service $ns $domain -}}
{{- end -}}
{{- define "redpanda.kafka.internal.advertise.address" -}}
{{- $host := "$(SERVICE_NAME)" -}}
{{- $domain := include "redpanda.internal.domain" . -}}
{{- printf "%s.%s" $host $domain -}}
{{- end -}}
{{/*
The external advertised address can change depending on the externalisation method.
If the method is to expose via load balancer this must be provided through the values
load balancers configuration for parent zone. If the load balancer is not enabled
then then services are externalised using NodePorts, in which case the external node
IP is required for the advertised address.
*/}}
{{- define "redpanda.kafka.external.domain-lb-bkp" -}}
{{- .Values.loadBalancer.parentZone | trimSuffix "." -}}
{{- end -}}
{{- define "redpanda.kafka.external.domain" -}}
{{- .Values.external.domain | trimSuffix "." | default "$(HOST_IP)" -}}
{{- end -}}
{{- define "redpanda.kafka.external.advertise.address" -}}
{{- $host := "$(SERVICE_NAME)" -}}
{{- $domain := include "redpanda.kafka.external.domain" . -}}
{{- printf "%s.%s" $host $domain -}}
{{- end -}}
{{- define "redpanda.rpc.advertise.address" -}}
{{- $host := "$(SERVICE_NAME)" -}}
{{- $domain := include "redpanda.internal.domain" . -}}
{{- printf "%s.%s" $host $domain -}}
{{- end -}}
{{- define "redpanda.pandaproxy.internal.advertise.address" -}}
{{- $host := "$(SERVICE_NAME)" -}}
{{- $domain := include "redpanda.internal.domain" . -}}
{{- printf "%s.%s" $host $domain -}}
{{- end -}}
{{- define "redpanda.pandaproxy.external.advertise.address" -}}
{{- $host := "$(SERVICE_NAME)" -}}
{{- $domain := include "redpanda.kafka.external.domain" . -}}
{{- printf "%s.%s" $host $domain -}}
{{- end -}}
{{/* ConfigMap variables */}}
{{- define "admin-internal-tls-enabled" -}}
{{- $listener := .Values.listeners.admin -}}
{{- toJson (dict "bool" (and (dig "tls" "enabled" .Values.tls.enabled $listener) (not (empty (dig "tls" "cert" "" $listener))))) -}}
{{- end -}}
{{- define "kafka-internal-tls-enabled" -}}
{{- $listener := .Values.listeners.kafka -}}
{{- toJson (dict "bool" (and (dig "tls" "enabled" .Values.tls.enabled $listener) (not (empty (dig "tls" "cert" "" $listener))))) -}}
{{- end -}}
{{- define "kafka-external-tls-enabled" -}}
{{- toJson (dict "bool" (and (dig "tls" "enabled" (include "kafka-internal-tls-enabled" . | fromJson).bool .listener) (not (empty (include "kafka-external-tls-cert" .))))) -}}
{{- end -}}
{{- define "kafka-external-tls-cert" -}}
{{- dig "tls" "cert" .Values.listeners.kafka.tls.cert .listener -}}
{{- end -}}
{{- define "http-internal-tls-enabled" -}}
{{- $listener := .Values.listeners.http -}}
{{- toJson (dict "bool" (and (dig "tls" "enabled" .Values.tls.enabled $listener) (not (empty (dig "tls" "cert" "" $listener))))) -}}
{{- end -}}
{{- define "http-external-tls-enabled" -}}
{{- $tlsEnabled := dig "tls" "enabled" (include "http-internal-tls-enabled" . | fromJson).bool .listener -}}
{{- toJson (dict "bool" (and $tlsEnabled (not (empty (include "http-external-tls-cert" .))))) -}}
{{- end -}}
{{- define "http-external-tls-cert" -}}
{{- dig "tls" "cert" .Values.listeners.http.tls.cert .listener -}}
{{- end -}}
{{- define "rpc-tls-enabled" -}}
{{- $listener := .Values.listeners.rpc -}}
{{- toJson (dict "bool" (and (dig "tls" "enabled" .Values.tls.enabled $listener) (not (empty (dig "tls" "cert" "" $listener))))) -}}
{{- end -}}
{{- define "schemaRegistry-internal-tls-enabled" -}}
{{- $listener := .Values.listeners.schemaRegistry -}}
{{- toJson (dict "bool" (and (dig "tls" "enabled" .Values.tls.enabled $listener) (not (empty (dig "tls" "cert" "" $listener))))) -}}
{{- end -}}
{{- define "schemaRegistry-external-tls-enabled" -}}
{{- $tlsEnabled := dig "tls" "enabled" (include "schemaRegistry-internal-tls-enabled" . | fromJson).bool .listener -}}
{{- toJson (dict "bool" (and $tlsEnabled (not (empty (include "schemaRegistry-external-tls-cert" .))))) -}}
{{- end -}}
{{- define "schemaRegistry-external-tls-cert" -}}
{{- dig "tls" "cert" .Values.listeners.schemaRegistry.tls.cert .listener -}}
{{- end -}}
{{- define "tls-enabled" -}}
{{- $tlsenabled := .Values.tls.enabled -}}
{{- if not $tlsenabled -}}
{{- range $listener := .Values.listeners -}}
{{- if and
(dig "tls" "enabled" false $listener)
(not (empty (dig "tls" "cert" "" $listener )))
-}}
{{- $tlsenabled = true -}}
{{- end -}}
{{- if not $tlsenabled -}}
{{- range $external := $listener.external -}}
{{- if and
(dig "tls" "enabled" false $external)
(not (empty (dig "tls" "cert" "" $external)))
-}}
{{- $tlsenabled = true -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{- toJson (dict "bool" $tlsenabled) -}}
{{- end -}}
{{- define "sasl-enabled" -}}
{{- toJson (dict "bool" (dig "enabled" false .Values.auth.sasl)) -}}
{{- end -}}
{{- define "external-nodeport-enabled" -}}
{{- $values := .Values -}}
{{- $enabled := and .Values.external.enabled (eq .Values.external.type "NodePort") -}}
{{- range $listener := .Values.listeners -}}
{{- range $external := $listener.external -}}
{{- if and (dig "enabled" false $external) (eq (dig "type" $values.external.type $external) "NodePort") -}}
{{- $enabled = true -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{- toJson (dict "bool" $enabled) -}}
{{- end -}}
{{/* Resource variables */}}
{{- define "redpanda-memoryToMi" -}}
{{/*
This template converts the incoming memory value to whole number mebibytes.
Input can be: k | K | m | M | g | G | Ki | Mi | Gi
*/}}
{{- $mem := . -}}
{{- $result := 0 -}}
{{- if or (hasSuffix "K" $mem) (hasSuffix "k" $mem) -}}
{{- $rawmem := $mem | trimSuffix "K" | trimSuffix "k" -}}
{{- if contains "." $rawmem -}}
{{- $rawmem = $rawmem | float64 -}}
{{- $result = divf (mulf $rawmem (mul 8 1000)) (mul 8 1024 1024) -}}
{{- else -}}
{{- $rawmem = $rawmem | int64 -}}
{{- $result = divf (mul $rawmem (mul 8 1000)) (mul 8 1024 1024) -}}
{{- end -}}
{{- $result = floor $result -}}
{{- else if or (hasSuffix "M" $mem) (hasSuffix "m" $mem) -}}
{{- $rawmem := $mem | trimSuffix "M" | trimSuffix "m" -}}
{{- if contains "." $rawmem -}}
{{- $rawmem = $rawmem | float64 -}}
{{- $result = divf (mulf $rawmem (mul 8 1000 1000)) (mul 8 1024 1024) -}}
{{- else -}}
{{- $rawmem = $rawmem | int64 -}}
{{- $result = divf (mul $rawmem (mul 8 1000 1000)) (mul 8 1024 1024) -}}
{{- end -}}
{{- $result = floor $result -}}
{{- else if or (hasSuffix "G" $mem) (hasSuffix "g" $mem) -}}
{{- $rawmem := $mem | trimSuffix "G" | trimSuffix "g" -}}
{{- if contains "." $rawmem -}}
{{- $rawmem = $rawmem | float64 -}}
{{- $result = divf (mulf $rawmem (mul 8 1000 1000 1000)) (mul 8 1024 1024) -}}
{{- else -}}
{{- $rawmem = $rawmem | int64 -}}
{{- $result = divf (mul $rawmem (mul 8 1000 1000 1000)) (mul 8 1024 1024) -}}
{{- end -}}
{{- $result = floor $result -}}
{{- else if hasSuffix "Ki" $mem }}
{{- $rawmem := $mem | trimSuffix "Ki" -}}
{{- if contains "." $rawmem -}}
{{- $rawmem = $rawmem | float64 -}}
{{- $result = divf (mulf $rawmem (mul 8 1024)) (mul 8 1024 1024) -}}
{{- else -}}
{{- $rawmem = $rawmem | int64 -}}
{{- $result = divf (mul $rawmem (mul 8 1024)) (mul 8 1024 1024) -}}
{{- end -}}
{{- $result = floor $result -}}
{{- else if hasSuffix "Mi" $mem -}}
{{- $result = $mem | trimSuffix "Mi" -}}
{{- if contains "." $result -}}
{{- $result = $result | float64 -}}
{{- else -}}
{{- $result = $result | int64 -}}
{{- end -}}
{{- else if hasSuffix "Gi" $mem -}}
{{- $rawmem := $mem | trimSuffix "Gi" -}}
{{- if contains "." $rawmem -}}
{{- $rawmem = $rawmem | float64 -}}
{{- $result = (mulf $rawmem 1024) | floor -}}
{{- else -}}
{{- $rawmem = $rawmem | int64 -}}
{{- $result = (mul $rawmem 1024) -}}
{{- end -}}
{{- else }}
{{- printf "\n%s is invalid memory amount\nSuffixes can be: k | K | m | M | g | G | Ki | Mi | Gi" $mem | fail -}}
{{- end }}
{{- $result -}}
{{- end -}}
{{- define "container-memory" -}}
{{- $result := "" -}}
{{- if (hasKey .Values.resources.memory.container "min") -}}
{{- $result = .Values.resources.memory.container.min | include "redpanda-memoryToMi" -}}
{{- else -}}
{{- $result = .Values.resources.memory.container.max | include "redpanda-memoryToMi" -}}
{{- end -}}
{{- if eq $result "" -}}
{{- "unable to get memory value" | fail -}}
{{- end -}}
{{- $result -}}
{{- end -}}
{{- define "redpanda-reserve-memory" -}}
{{/*
Determines the value of --reserve-memory flag (in mebibytes with M suffix, per Seastar).
This template looks at all locations where memory could be set.
These locations, in order of priority, are:
- .Values.resources.memory.redpanda.reserveMemory (commented out by default, users could uncomment)
- .Values.resources.memory.container.min (commented out by default, users could uncomment and
change to something lower than .Values.resources.memory.container.max)
- .Values.resources.memory.container.max (set by default)
*/}}
{{- $result := 0 -}}
{{- if (hasKey .Values.resources.memory "redpanda") -}}
{{- $result = .Values.resources.memory.redpanda.reserveMemory | include "redpanda-memoryToMi" | int64 -}}
{{- else if (hasKey .Values.resources.memory.container "min") -}}
{{- $result = add (mulf (include "container-memory" .) 0.002) 200 -}}
{{- if gt $result 1000 -}}
{{- $result = 1000 -}}
{{- end -}}
{{- else -}}
{{- $result = add (mulf (include "container-memory" .) 0.002) 200 -}}
{{- if gt $result 1000 -}}
{{- $result = 1000 -}}
{{- end -}}
{{- end -}}
{{- if eq $result 0 -}}
{{- "unable to get memory value" | fail -}}
{{- end -}}
{{- $result -}}
{{- end -}}
{{- define "redpanda-memory" -}}
{{/*
Determines the value of --memory flag (in mebibytes with M suffix, per Seastar).
This template looks at all locations where memory could be set.
These locations, in order of priority, are:
- .Values.resources.memory.redpanda.memory (commented out by default, users could uncomment)
- .Values.resources.memory.container.min (commented out by default, users could uncomment and
change to something lower than .Values.resources.memory.container.max)
- .Values.resources.memory.container.max (set by default)
*/}}
{{- $result := 0 -}}
{{- if (hasKey .Values.resources.memory "redpanda") -}}
{{- $result = .Values.resources.memory.redpanda.memory | include "redpanda-memoryToMi" | int64 -}}
{{- else -}}
{{- $result = mulf (include "container-memory" .) 0.8 | int64 -}}
{{- end -}}
{{- if eq $result 0 -}}
{{- "unable to get memory value" | fail -}}
{{- end -}}
{{- if lt $result 2000 -}}
{{- printf "\n%d is below the minimum recommended value for Redpanda" $result | fail -}}
{{- end -}}
{{- if gt (add $result (include "redpanda-reserve-memory" .)) (include "container-memory" . | int64) -}}
{{- printf "\nNot enough container memory for Redpanda memory values\nredpanda: %d, reserve: %d, container: %d" $result (include "redpanda-reserve-memory" . | int64) (include "container-memory" . | int64) | fail -}}
{{- end -}}
{{- $result -}}
{{- end -}}
{{- define "api-urls" -}}
{{ template "redpanda.fullname" . }}-0.{{ include "redpanda.internal.domain" .}}:{{ .Values.listeners.admin.port }}
{{- end -}}
{{- define "rpk-flags" -}}
{{- $command := list -}}
{{- $command = concat $command (list "--api-urls" (include "api-urls" . )) -}}
{{- if (include "admin-internal-tls-enabled" . | fromJson).bool -}}
{{- $command = concat $command (list
"--admin-api-tls-enabled"
"--admin-api-tls-truststore"
(printf "/etc/tls/certs/%s/ca.crt" .Values.listeners.admin.tls.cert))
-}}
{{- end -}}
{{- if (include "kafka-internal-tls-enabled" . | fromJson).bool -}}
{{- $command = concat $command (list
"--tls-enabled"
"--tls-truststore"
(printf "/etc/tls/certs/%s/ca.crt" .Values.listeners.kafka.tls.cert))
-}}
{{- end -}}
{{- if (include "sasl-enabled" . | fromJson).bool -}}
{{- $command = concat $command (list
"--user" (first .Values.auth.sasl.users).name
"--password" (first .Values.auth.sasl.users).password
"--sasl-mechanism SCRAM-SHA-256")
-}}
{{- end -}}
{{ $command | join " " }}
{{- end -}}

91
charts/redpanda/redpanda/2.1.7/templates/cert-issuers.yaml Normal file
View File

@ -0,0 +1,91 @@
{{/*
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if (include "tls-enabled" . | fromJson).bool }}
{{- $release := .Release }}
{{- $values := .Values }}
{{- range $name, $data := $values.tls.certs }}
{{/* If issuerRef is defined, use the specified issuer for the certs
If it's not defined, create and use our own issuer. */}}
{{- $r := $data.issuerRef }}
{{- if not $r }}
---
# The self-signed issuer is used to create the self-signed CA
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: {{ template "redpanda.fullname" $ }}-{{ $name }}-selfsigned-issuer
namespace: {{ $release.Namespace | quote }}
labels:
helm.sh/chart: {{ template "redpanda.chart" $ }}
app.kubernetes.io/name: {{ template "redpanda.name" $ }}
app.kubernetes.io/instance: {{ $release.Name | quote }}
app.kubernetes.io/managed-by: {{ $release.Service | quote }}
app.kubernetes.io/component: {{ template "redpanda.name" $ }}
{{- with $values.commonLabels }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
selfSigned: {}
{{- end }}
---
# This is the self-signed CA used to issue certs
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: {{ template "redpanda.fullname" $ }}-{{ $name }}-root-issuer
namespace: {{ $release.Namespace | quote }}
labels:
helm.sh/chart: {{ template "redpanda.chart" $ }}
app.kubernetes.io/name: {{ template "redpanda.name" $ }}
app.kubernetes.io/instance: {{ $release.Name | quote }}
app.kubernetes.io/managed-by: {{ $release.Service | quote }}
app.kubernetes.io/component: {{ template "redpanda.name" $ }}
{{- with $values.commonLabels }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
ca:
secretName: {{ template "redpanda.fullname" $ }}-{{ $name }}-root-certificate
---
# This is the root CA certificate
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: {{ template "redpanda.fullname" $ }}-{{ $name }}-root-certificate
namespace: {{ $release.Namespace | quote }}
labels:
helm.sh/chart: {{ template "redpanda.chart" $ }}
app.kubernetes.io/name: {{ template "redpanda.name" $ }}
app.kubernetes.io/instance: {{ $release.Name | quote }}
app.kubernetes.io/managed-by: {{ $release.Service | quote }}
app.kubernetes.io/component: {{ template "redpanda.name" $ }}
{{- with $values.commonLabels }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
isCA: true
commonName: {{ template "redpanda.fullname" $ }}-{{ $name }}-root-certificate
secretName: {{ template "redpanda.fullname" $ }}-{{ $name }}-root-certificate
privateKey:
algorithm: ECDSA
size: 256
issuerRef:
name: {{ template "redpanda.fullname" $ }}-{{ $name }}-selfsigned-issuer
kind: Issuer
group: cert-manager.io
{{- end }}
{{- end }}

45
charts/redpanda/redpanda/2.1.7/templates/certs.yaml Normal file
View File

@ -0,0 +1,45 @@
{{- if (include "tls-enabled" . | fromJson).bool }}
{{- $service := include "redpanda.fullname" . -}}
{{- $ns := .Release.Namespace -}}
{{- $domain := .Values.clusterDomain | trimSuffix "." -}}
{{- $listeners := .Values.listeners -}}
{{- range $name, $data := .Values.tls.certs }}
{{- $d := $data.duration }}
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: {{ template "redpanda.fullname" $ }}-{{ $name }}-cert
spec:
dnsNames:
- {{ template "redpanda.fullname" $ }}-cluster.{{ printf "%s.%s.svc.%s" $service $ns $domain }}
- {{ template "redpanda.fullname" $ }}-cluster.{{ printf "%s.%s.svc" $service $ns }}
- {{ template "redpanda.fullname" $ }}-cluster.{{ printf "%s.%s" $service $ns }}
- "*.{{ template "redpanda.fullname" $ }}-cluster.{{ printf "%s.%s.svc.%s" $service $ns $domain }}"
- "*.{{ template "redpanda.fullname" $ }}-cluster.{{ printf "%s.%s.svc" $service $ns }}"
- "*.{{ template "redpanda.fullname" $ }}-cluster.{{ printf "%s.%s" $service $ns }}"
- {{ printf "%s.%s.svc.%s" $service $ns $domain }}
- {{ printf "%s.%s.svc" $service $ns }}
- {{ printf "%s.%s" $service $ns }}
- {{ printf "*.%s.%s.svc.%s" $service $ns $domain | quote }}
- {{ printf "*.%s.%s.svc" $service $ns | quote }}
- {{ printf "*.%s.%s" $service $ns | quote }}
duration: {{ $d | default "43800h" }}
isCA: false
commonName: {{ template "redpanda.fullname" $ }}-{{ $name }}-cert
secretName: {{ template "redpanda.fullname" $ }}-{{ $name }}-cert
privateKey:
algorithm: ECDSA
size: 256
{{- if not (empty $data.issuerRef) }}
issuerRef:
{{- toYaml $data.issuerRef | nindent 4 }}
group: cert-manager.io
{{- else }}
issuerRef:
name: {{ template "redpanda.fullname" $ }}-{{ $name }}-root-issuer
kind: Issuer
group: cert-manager.io
{{- end }}
{{- end }}
{{- end }}

224
charts/redpanda/redpanda/2.1.7/templates/configmap.yaml Normal file
View File

@ -0,0 +1,224 @@
{{/*
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- $values := .Values }}
{{- $users := list -}}
{{- if .Values.auth.sasl.enabled -}}
{{- range $user := .Values.auth.sasl.users -}}
{{- $users = append $users $user.name -}}
{{- end -}}
{{- end -}}
---
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "redpanda.fullname" . }}
namespace: {{ .Release.Namespace | quote }}
labels:
helm.sh/chart: {{ template "redpanda.chart" . }}
app.kubernetes.io/name: {{ template "redpanda.name" . }}
app.kubernetes.io/instance: {{ .Release.Name | quote }}
app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
app.kubernetes.io/component: {{ template "redpanda.name" . }}
{{- with .Values.commonLabels }}
{{- toYaml . | nindent 4 }}
{{- end }}
data:
{{- if (include "redpanda.semver" . | semverCompare ">=22.1.1") }}
bootstrap.yaml: |
enable_sasl: {{ dig "sasl" "enabled" false .Values.auth }}
{{- if $users }}
superusers: {{ toJson $users }}
{{- end }}
{{- with (dig "cluster" dict .Values.config) }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with (dig "tunable" dict .Values.config) }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}
redpanda.yaml: |
config_file: /etc/redpanda/redpanda.yaml
{{- if .Values.logging.usageStats.enabled }}
{{- with (dig "usageStats" "organization" "" .Values.logging) }}
organization: {{ . }}
{{- end }}
{{- with (dig "usageStats" "clusterId" "" .Values.logging) }}
cluster_id: {{ . }}
{{- end }}
{{- end }}
redpanda:
{{- if not (include "redpanda.semver" . | semverCompare ">=22.1.1") }}
enable_sasl: {{ dig "sasl" "enabled" false .Values.auth }}
{{- if $users }}
superusers: {{ toJson $users }}
{{- end }}
{{- with (dig "cluster" dict .Values.config) }}
{{- toYaml . | nindent 6 }}
{{- end }}
{{- with (dig "tunable" dict .Values.config) }}
{{- toYaml . | nindent 6 }}
{{- end }}
{{- end }}
{{- with dig "node" dict .Values.config }}
{{- . | toYaml | nindent 6 }}
{{- end }}
admin:
name: admin
address: 0.0.0.0
port: {{ .Values.listeners.admin.port }}
{{- if (include "admin-internal-tls-enabled" . | fromJson).bool }}
admin_api_tls:
- name: admin
enabled: true
cert_file: /etc/tls/certs/{{ .Values.listeners.admin.tls.cert }}/tls.crt
key_file: /etc/tls/certs/{{ .Values.listeners.admin.tls.cert }}/tls.key
truststore_file: /etc/tls/certs/{{ .Values.listeners.admin.tls.cert }}/ca.crt
require_client_auth: {{ .Values.listeners.admin.tls.requireClientAuth }}
{{- end }}
kafka_api:
- name: internal
address: 0.0.0.0
port: {{ .Values.listeners.kafka.port }}
{{- range $name, $listener := .Values.listeners.kafka.external }}
- name: {{ $name }}
address: 0.0.0.0
port: {{ $listener.port }}
{{- end }}
kafka_api_tls:
{{- $service := .Values.listeners.kafka }}
{{- if (include "kafka-internal-tls-enabled" . | fromJson).bool }}
- name: internal
enabled: true
cert_file: /etc/tls/certs/{{ $service.tls.cert }}/tls.crt
key_file: /etc/tls/certs/{{ $service.tls.cert }}/tls.key
truststore_file: /etc/tls/certs/{{ $service.tls.cert }}/ca.crt
require_client_auth: {{ $service.tls.requireClientAuth }}
{{- end }}
{{- range $name, $listener := $service.external }}
{{- $k := dict "Values" $values "listener" $listener }}
{{- if (include "kafka-external-tls-enabled" $k | fromJson).bool }}
- name: {{ $name }}
enabled: true
cert_file: /etc/tls/certs/{{ template "kafka-external-tls-cert" $k}}/tls.crt
key_file: /etc/tls/certs/{{ template "kafka-external-tls-cert" $k}}/tls.key
truststore_file: /etc/tls/certs/{{ template "kafka-external-tls-cert" $k}}/ca.crt
require_client_auth: {{ dig "tls" "requireClientAuth" false $listener }}
{{- end }}
{{- end }}
rpc_server:
address: 0.0.0.0
port: {{ .Values.listeners.rpc.port }}
{{- if (include "rpc-tls-enabled" . | fromJson).bool }}
rpc_server_tls:
enabled: true
require_client_auth: {{ .Values.listeners.rpc.tls.requireClientAuth }}
cert_file: /etc/tls/certs/{{ .Values.listeners.rpc.tls.cert }}/tls.crt
key_file: /etc/tls/certs/{{ .Values.listeners.rpc.tls.cert }}/tls.key
truststore_file: /etc/tls/certs/{{ .Values.listeners.rpc.tls.cert }}/ca.crt
{{- end }}
seed_servers:
{{- range untilStep 0 (.Values.statefulset.replicas|int) 1 }}
- host:
address: "{{ template "redpanda.fullname" $ }}-{{ . }}.{{ template "redpanda.internal.domain" $ }}"
port: {{ $values.listeners.rpc.port }}
{{- end }}
{{- if .Values.listeners.http.enabled }}
{{- if .Values.listeners.schemaRegistry.enabled }}
schema_registry:
schema_registry:
- name: internal
address: 0.0.0.0
port: {{ .Values.listeners.schemaRegistry.port }}
{{- range $name, $listener := .Values.listeners.schemaRegistry.external }}
- name: {{ $name }}
address: 0.0.0.0
port: {{ $listener.port }}
{{- end }}
schema_registry_api_tls:
{{- if (include "schemaRegistry-internal-tls-enabled" . | fromJson).bool }}
- name: internal
enabled: true
cert_file: /etc/tls/certs/{{ .Values.listeners.schemaRegistry.tls.cert }}/tls.crt
key_file: /etc/tls/certs/{{ .Values.listeners.schemaRegistry.tls.cert }}/tls.key
truststore_file: /etc/tls/certs/{{ .Values.listeners.schemaRegistry.tls.cert }}/ca.crt
require_client_auth: {{ .Values.listeners.schemaRegistry.tls.requireClientAuth }}
{{- end }}
{{- range $i, $listener := .Values.listeners.schemaRegistry.external }}
{{- $k := dict "Values" $values "listener" $listener }}
{{- if (include "schemaRegistry-external-tls-enabled" $k | fromJson).bool }}
- name: {{ $listener.name }}
enabled: true
cert_file: /etc/tls/certs/{{ template "schemaRegistry-external-tls-cert" $k }}/tls.crt
key_file: /etc/tls/certs/{{ template "schemaRegistry-external-tls-cert" $k }}/tls.key
truststore_file: /etc/tls/certs/{{ template "schemaRegistry-external-tls-cert" $k }}/ca.crt
require_client_auth: {{ dig "tls" "requireClientAuth" false $listener}}
{{- end }}
{{- end }}
{{- end }}
pandaproxy:
pandaproxy_api:
- name: internal
address: 0.0.0.0
port: {{ .Values.listeners.http.port }}
{{- range $name, $listener := .Values.listeners.http.external }}
- name: {{ $name }}
address: 0.0.0.0
port: {{ $listener.port }}
{{- end }}
pandaproxy_api_tls:
{{- if (include "http-internal-tls-enabled" . | fromJson).bool }}
- name: internal
enabled: true
cert_file: /etc/tls/certs/{{ .Values.listeners.http.tls.cert }}/tls.crt
key_file: /etc/tls/certs/{{ .Values.listeners.http.tls.cert }}/tls.key
truststore_file: /etc/tls/certs/{{ .Values.listeners.http.tls.cert }}/ca.crt
require_client_auth: {{ .Values.listeners.http.tls.requireClientAuth }}
{{- end }}
{{- range $name, $listener := .Values.listeners.http.external }}
{{- $k := dict "Values" $values "listener" $listener }}
{{- if (include "http-external-tls-enabled" $k | fromJson).bool }}
- name: {{ $name }}
enabled: true
cert_file: /etc/tls/certs/{{ template "kafka-external-tls-cert" $k }}/tls.crt
key_file: /etc/tls/certs/{{ template "kafka-external-tls-cert" $k }}/tls.key
truststore_file: /etc/tls/certs/{{ template "kafka-external-tls-cert" $k}}/ca.crt
require_client_auth: {{ dig "tls" "requireClientAuth" false $listener }}
{{- end }}
{{- end }}
{{- end }}
rpk:
enable_usage_stats: {{ .Values.logging.usageStats.enabled }}
overprovisioned: {{ dig "cpu" "overprovisioned" false .Values.resources }}
enable_memory_locking: {{ dig "memory" "enable_memory_locking" false .Values.resources }}
{{- if hasKey .Values.tuning "tune_aio_events" }}
tune_aio_events: {{ .Values.tuning.tune_aio_events }}
{{- end }}
{{- if hasKey .Values.tuning "tune_clocksource" }}
tune_clocksource: {{ .Values.tuning.tune_clocksource }}
{{- end }}
{{- if hasKey .Values.tuning "tune_ballast_file" }}
tune_ballast_file: {{ .Values.tuning.tune_ballast_file }}
{{- end }}
{{- if hasKey .Values.tuning "ballast_file_path" }}
ballast_file_path: {{ .Values.tuning.ballast_file_path }}
{{- end }}
{{- if hasKey .Values.tuning "ballast_file_size" }}
ballast_file_size: {{ .Values.tuning.ballast_file_size }}
{{- end }}
{{- if hasKey .Values.tuning "well_known_io" }}
well_known_io: {{ .Values.tuning.well_known_io }}
{{- end }}

37
charts/redpanda/redpanda/2.1.7/templates/poddisruptionbudget.yaml Normal file
View File

@ -0,0 +1,37 @@
{{/*
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
name: {{ template "redpanda.fullname" . }}
namespace: {{ .Release.Namespace | quote }}
labels:
helm.sh/chart: {{ template "redpanda.chart" . }}
app.kubernetes.io/name: {{ template "redpanda.name" . }}
app.kubernetes.io/instance: {{ .Release.Name | quote }}
app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
app.kubernetes.io/component: {{ template "redpanda.name" . }}
{{- with .Values.commonLabels }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
selector:
matchLabels:
app.kubernetes.io/name: {{ template "redpanda.name" . }}
app.kubernetes.io/instance: {{ .Release.Name | quote }}
maxUnavailable: {{ .Values.statefulset.budget.maxUnavailable | int64 }}

102
charts/redpanda/redpanda/2.1.7/templates/post-install-upgrade-job.yaml Normal file
View File

@ -0,0 +1,102 @@
{{/*
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
---
apiVersion: batch/v1
kind: Job
metadata:
name: {{ template "redpanda.fullname" . }}
namespace: {{ .Release.Namespace | quote }}
labels:
helm.sh/chart: {{ template "redpanda.chart" . }}
app.kubernetes.io/name: {{ template "redpanda.name" . }}
app.kubernetes.io/instance: {{ .Release.Name | quote }}
app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
app.kubernetes.io/component: {{ template "redpanda.name" . }}
{{- with .Values.commonLabels }}
{{- toYaml . | nindent 4 }}
{{- end }}
annotations:
# This is what defines this resource as a hook. Without this line, the
# job is considered part of the release.
"helm.sh/hook": post-install,post-upgrade
"helm.sh/hook-delete-policy": before-hook-creation
"helm.sh/hook-weight": "-10"
spec:
template:
metadata:
name: "{{ .Release.Name }}"
labels:
app.kubernetes.io/name: {{ template "redpanda.name" . }}
app.kubernetes.io/instance: {{ .Release.Name | quote }}
app.kubernetes.io/component: {{ template "redpanda.name" . }}
{{- with .Values.commonLabels }}
{{- toYaml . | nindent 8 }}
{{- end }}
spec:
restartPolicy: Never
containers:
- name: {{ template "redpanda.name" . }}-post-install
image: {{ .Values.image.repository }}:{{ .Values.image.tag }}
command:
- bash
- -c
args:
- >
{{- if .Values.auth.sasl.enabled }}
{{- range $user := .Values.auth.sasl.users }}
rpk acl user create {{ $user.name }} -p {{ $user.password | quote }} {{ template "rpk-flags" $ }}
;
{{- end }}
{{- end }}
{{- if and (include "redpanda.semver" . | semverCompare ">=22.2.0") (not (empty .Values.license_key)) }}
rpk cluster license set {{ .Values.license_key | quote }} {{ template "rpk-flags" $ }}
;
{{- end }}
volumeMounts:
- name: {{ template "redpanda.fullname" . }}
mountPath: /tmp/base-config
- name: config
mountPath: /etc/redpanda
{{- if (include "tls-enabled" . | fromJson).bool }}
{{- range $name, $cert := .Values.tls.certs }}
- name: redpanda-{{ $name }}-cert
mountPath: {{ printf "/etc/tls/certs/%s" $name }}
{{- end }}
{{- end }}
volumes:
- name: {{ template "redpanda.fullname" . }}
configMap:
name: {{ template "redpanda.fullname" . }}
- name: config
emptyDir: {}
{{- if (include "tls-enabled" . | fromJson).bool }}
{{- range $name, $cert := .Values.tls.certs }}
- name: redpanda-{{ $name }}-cert
secret:
defaultMode: 420
items:
- key: tls.key
path: tls.key
- key: tls.crt
path: tls.crt
{{- if $cert.caEnabled }}
- key: ca.crt
path: ca.crt
{{- end }}
secretName: {{ template "redpanda.fullname" $ }}-{{ $name }}-cert
{{- end }}
{{- end -}}

89
charts/redpanda/redpanda/2.1.7/templates/post-upgrade.yaml Normal file
View File

@ -0,0 +1,89 @@
{{- if (include "redpanda.semver" . | semverCompare ">=22.1.1") }}
apiVersion: batch/v1
kind: Job
metadata:
name: {{ template "redpanda.fullname" . }}
namespace: {{ .Release.Namespace | quote }}
labels:
helm.sh/chart: {{ template "redpanda.chart" . }}
app.kubernetes.io/name: {{ template "redpanda.name" . }}
app.kubernetes.io/instance: {{ .Release.Name | quote }}
app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
app.kubernetes.io/component: {{ template "redpanda.name" . }}
{{- with .Values.commonLabels }}
{{- toYaml . | nindent 4 }}
{{- end }}
annotations:
# This is what defines this resource as a hook. Without this line, the
# job is considered part of the release.
"helm.sh/hook": post-upgrade
"helm.sh/hook-weight": "-5"
spec:
template:
metadata:
name: "{{ .Release.Name }}"
labels:
app.kubernetes.io/name: {{ template "redpanda.name" . }}
app.kubernetes.io/instance: {{ .Release.Name | quote }}
app.kubernetes.io/component: {{ template "redpanda.name" . }}
{{- with .Values.commonLabels }}
{{- toYaml . | nindent 8 }}
{{- end }}
spec:
restartPolicy: Never
containers:
- name: {{ template "redpanda.name" . }}-post-upgrade
image: {{ .Values.image.repository }}:{{ .Values.image.tag }}
command: ["/bin/sh", "-c"]
args:
- >
rpk cluster config import -f /tmp/base-config/bootstrap.yaml
--api-urls {{ template "redpanda.fullname" . }}-0.{{ include "redpanda.internal.domain" . }}:{{ .Values.listeners.admin.port }}
{{- if (include "admin-internal-tls-enabled" . | fromJson).bool }}
--admin-api-tls-enabled
--admin-api-tls-truststore /etc/tls/certs/{{ .Values.listeners.admin.tls.cert }}/ca.crt
{{- end }}
{{- if (include "kafka-internal-tls-enabled" . | fromJson).bool }}
--tls-enabled
--tls-truststore /etc/tls/certs/{{ .Values.listeners.kafka.tls.cert }}/ca.crt
{{- end }}
{{- if (include "sasl-enabled" . | fromJson).bool }}
--user {{ (first .Values.auth.sasl.users).name }}
--password {{ (first .Values.auth.sasl.users).password }}
--sasl-mechanism SCRAM-SHA-256
{{- end }}
volumeMounts:
- name: {{ template "redpanda.fullname" . }}
mountPath: /tmp/base-config
- name: config
mountPath: /etc/redpanda
{{- if (include "tls-enabled" . | fromJson).bool }}
{{- range $name, $cert := .Values.tls.certs }}
- name: redpanda-{{ $name }}-cert
mountPath: {{ printf "/etc/tls/certs/%s" $name }}
{{- end }}
{{- end }}
volumes:
- name: {{ template "redpanda.fullname" . }}
configMap:
name: {{ template "redpanda.fullname" . }}
- name: config
emptyDir: {}
{{- if (include "tls-enabled" . | fromJson).bool }}
{{- range $name, $cert := .Values.tls.certs }}
- name: redpanda-{{ $name }}-cert
secret:
defaultMode: 420
items:
- key: tls.key
path: tls.key
- key: tls.crt
path: tls.crt
{{- if $cert.caEnabled }}
- key: ca.crt
path: ca.crt
{{- end }}
secretName: {{ template "redpanda.fullname" $ }}-{{ $name }}-cert
{{- end }}
{{- end -}}
{{- end }}

41
charts/redpanda/redpanda/2.1.7/templates/service.internal.yaml Normal file
View File

@ -0,0 +1,41 @@
{{/*
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
---
# This service is only used to create the DNS enteries for each pod in
# the stateful set. This service should not be used by any client
# application
apiVersion: v1
kind: Service
metadata:
name: {{ include "redpanda.fullname" . }}
namespace: {{ .Release.Namespace | quote }}
labels:
helm.sh/chart: {{ template "redpanda.chart" . }}
app.kubernetes.io/name: {{ template "redpanda.name" . }}
app.kubernetes.io/instance: {{ .Release.Name | quote }}
app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
app.kubernetes.io/component: {{ template "redpanda.name" . }}
{{- with .Values.commonLabels }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
publishNotReadyAddresses: true
type: ClusterIP
clusterIP: None
selector:
app.kubernetes.io/name: {{ template "redpanda.name" . }}
app.kubernetes.io/instance: {{ .Release.Name | quote }}

37
charts/redpanda/redpanda/2.1.7/templates/serviceaccount.yaml Normal file
View File

@ -0,0 +1,37 @@
{{/*
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
---
{{- if .Values.serviceAccount.create -}}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "redpanda.serviceAccountName" . }}
namespace: {{ .Release.Namespace | quote }}
labels:
helm.sh/chart: {{ template "redpanda.chart" . }}
app.kubernetes.io/name: {{ template "redpanda.name" . }}
app.kubernetes.io/instance: {{ .Release.Name | quote }}
app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
app.kubernetes.io/component: {{ template "redpanda.name" . }}
{{- with .Values.commonLabels }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.serviceAccount.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}

82
charts/redpanda/redpanda/2.1.7/templates/services.nodeport.yaml Normal file
View File

@ -0,0 +1,82 @@
{{/*
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- $values := .Values }}
{{- if (include "external-nodeport-enabled" . | fromJson).bool }}
---
apiVersion: v1
kind: Service
metadata:
name: {{ include "redpanda.fullname" . }}-external
namespace: {{ .Release.Namespace | quote }}
labels:
helm.sh/chart: {{ template "redpanda.chart" . }}
app.kubernetes.io/name: {{ template "redpanda.name" . }}
app.kubernetes.io/instance: {{ .Release.Name | quote }}
app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
app.kubernetes.io/component: {{ template "redpanda.name" . }}
{{- with .Values.commonLabels }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
type: NodePort
externalTrafficPolicy: Local
sessionAffinity: None
ports:
{{- range $name, $listener := $values.listeners.admin.external }}
{{- $enabled := dig "enabled" $values.external.enabled $listener }}
{{- $type := dig "type" $values.external.type $listener }}
{{- if and $enabled (eq $type "NodePort") }}
- name: admin-{{ $name }}
protocol: TCP
port: {{ $listener.port }}
nodePort: {{ $listener.nodePort }}
{{- end }}
{{- end }}
{{- range $name, $listener := $values.listeners.kafka.external }}
{{- $enabled := dig "enabled" $values.external.enabled $listener }}
{{- $type := dig "type" $values.external.type $listener }}
{{- if and $enabled (eq $type "NodePort") }}
- name: kafka-{{ $name }}
protocol: TCP
port: {{ $listener.port }}
nodePort: {{ $listener.nodePort }}
{{- end }}
{{- end }}
{{- range $name, $listener := $values.listeners.http.external }}
{{- $enabled := dig "enabled" $values.external.enabled $listener }}
{{- $type := dig "type" $values.external.type $listener }}
{{- if and $enabled (eq $type "NodePort") }}
- name: http-{{ $name }}
protocol: TCP
port: {{ $listener.port }}
nodePort: {{ $listener.nodePort }}
{{- end }}
{{- end }}
{{- range $name, $listener := $values.listeners.schemaRegistry.external }}
{{- $enabled := dig "enabled" $values.external.enabled $listener }}
{{- $type := dig "type" $values.external.type $listener }}
{{- if and $enabled (eq $type "NodePort") }}
- name: schema-{{ $name }}
protocol: TCP
port: {{ $listener.port }}
nodePort: {{ $listener.nodePort }}
{{- end }}
{{- end }}
selector:
app.kubernetes.io/name: {{ template "redpanda.name" . }}
app.kubernetes.io/instance: {{ .Release.Name | quote }}
{{- end }}

362
charts/redpanda/redpanda/2.1.7/templates/statefulset.yaml Normal file
View File

@ -0,0 +1,362 @@
{{/*
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- $values := .Values }}
{{- $advertiseAddress := include "redpanda.kafka.internal.advertise.address" . -}}
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: {{ template "redpanda.fullname" . }}
namespace: {{ .Release.Namespace | quote }}
labels:
helm.sh/chart: {{ template "redpanda.chart" . }}
app.kubernetes.io/name: {{ template "redpanda.name" . }}
app.kubernetes.io/instance: {{ .Release.Name | quote }}
app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
app.kubernetes.io/component: {{ template "redpanda.name" . }}
{{- with .Values.commonLabels }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
selector:
matchLabels:
app.kubernetes.io/name: {{ template "redpanda.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
serviceName: {{ template "redpanda.fullname" . }}
replicas: {{ .Values.statefulset.replicas | int64 }}
updateStrategy:
{{- toYaml .Values.statefulset.updateStrategy | nindent 4 }}
podManagementPolicy: {{ .Values.statefulset.podManagementPolicy }}
template:
metadata:
labels:
app.kubernetes.io/name: {{ template "redpanda.name" . }}
app.kubernetes.io/instance: {{ .Release.Name | quote }}
app.kubernetes.io/component: {{ template "redpanda.name" . }}
{{- with .Values.commonLabels }}
{- toYaml . | nindent 8 }}
{{- end }}
annotations:
checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
{{- with $.Values.statefulset.annotations }}
{{- toYaml . | nindent 8 }}
{{- end }}
spec:
securityContext:
{{- toYaml .Values.statefulset.podSecurityContext | nindent 8 }}
initContainers:
- name: set-datadir-ownership
image: busybox:latest
command: ["/bin/sh", "-c", "chown 101:101 -R /var/lib/redpanda/data"]
volumeMounts:
- name: datadir
mountPath: /var/lib/redpanda/data
- name: {{ template "redpanda.name" . }}-configurator
image: {{ .Values.image.repository }}:{{ .Values.image.tag }}
command: ["/bin/sh", "-c"]
env:
- name: SERVICE_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
args:
- >
CONFIG=/etc/redpanda/redpanda.yaml;
NODE_ID=${SERVICE_NAME##*-};
cp /tmp/base-config/redpanda.yaml "$CONFIG";
{{- if (include "redpanda.semver" . | semverCompare ">=22.1.1") }}
cp /tmp/base-config/bootstrap.yaml /etc/redpanda/.bootstrap.yaml;
{{- end }}
rpk --config "$CONFIG" config set redpanda.node_id $NODE_ID;
if [ "$NODE_ID" = "0" ]; then
rpk --config "$CONFIG" config set redpanda.seed_servers '[]' --format yaml;
fi;
volumeMounts:
- name: {{ template "redpanda.fullname" . }}
mountPath: /tmp/base-config
- name: config
mountPath: /etc/redpanda
resources:
{{- toYaml .Values.statefulset.resources | nindent 12 }}
containers:
- name: {{ template "redpanda.name" . }}
image: {{ .Values.image.repository }}:{{ .Values.image.tag }}
env:
- name: SERVICE_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: POD_IP
valueFrom:
fieldRef:
fieldPath: status.podIP
- name: HOST_IP
valueFrom:
fieldRef:
fieldPath: status.hostIP
startupProbe:
exec:
command:
- /bin/sh
- -c
{{- if (include "admin-internal-tls-enabled" . |fromJson).bool }}
- >
curl https://localhost:{{ .Values.listeners.admin.port }}/v1/cluster/health_overview
-svk --cacert /etc/tls/certs/{{ .Values.listeners.admin.tls.cert }}/ca.crt |
awk '{
id = $0; gsub(/.*"controller_id": /, "", id); gsub(/,.*/, "", id)
nd_str = $0; gsub(/.*"nodes_down": \[/, "", nd_str); gsub(/\].*/, "", nd_str)
FS=","
split(nd_str, nd_list)
for (i in nd_list) nodes_down[nd_list[i]]=""
exit (id in nodes_down)
}'
{{- else }}
- >
curl -sv http://localhost:{{ .Values.listeners.admin.port }}/v1/cluster/health_overview |
awk '{
id = $0; gsub(/.*"controller_id": /, "", id); gsub(/,.*/, "", id)
nd_str = $0; gsub(/.*"nodes_down": \[/, "", nd_str); gsub(/\].*/, "", nd_str)
FS=","
split(nd_str, nd_list)
for (i in nd_list) nodes_down[nd_list[i]]=""
exit (id in nodes_down)
}'
{{- end }}
initialDelaySeconds: {{ .Values.statefulset.startupProbe.initialDelaySeconds }}
failureThreshold: {{ .Values.statefulset.startupProbe.failureThreshold }}
periodSeconds: {{ .Values.statefulset.startupProbe.periodSeconds }}
livenessProbe:
exec:
command:
- /bin/sh
- -c
{{- if (include "admin-internal-tls-enabled" . |fromJson).bool }}
- >
curl https://localhost:{{ .Values.listeners.admin.port }}/v1/cluster/health_overview
-svk --cacert /etc/tls/certs/{{ .Values.listeners.admin.tls.cert }}/ca.crt
{{- else }}
- >
curl -sv http://localhost:{{ .Values.listeners.admin.port }}/v1/cluster/health_overview
{{- end }}
initialDelaySeconds: {{ .Values.statefulset.livenessProbe.initialDelaySeconds }}
failureThreshold: {{ .Values.statefulset.livenessProbe.failureThreshold }}
periodSeconds: {{ .Values.statefulset.livenessProbe.periodSeconds }}
readinessProbe:
exec:
command:
- /bin/sh
- -c
{{- if (include "admin-internal-tls-enabled" . |fromJson).bool }}
- >
curl https://localhost:{{ .Values.listeners.admin.port }}/v1/cluster/health_overview
-svk --cacert /etc/tls/certs/{{ .Values.listeners.admin.tls.cert }}/ca.crt |
awk '{
id = $0; gsub(/.*"controller_id": /, "", id); gsub(/,.*/, "", id)
nd_str = $0; gsub(/.*"nodes_down": \[/, "", nd_str); gsub(/\].*/, "", nd_str)
FS=","
split(nd_str, nd_list)
for (i in nd_list) nodes_down[nd_list[i]]=""
exit (id in nodes_down)
}'
{{- else }}
- >
curl -sv http://localhost:{{ .Values.listeners.admin.port }}/v1/cluster/health_overview |
awk '{
id = $0; gsub(/.*"controller_id": /, "", id); gsub(/,.*/, "", id)
nd_str = $0; gsub(/.*"nodes_down": \[/, "", nd_str); gsub(/\].*/, "", nd_str)
FS=","
split(nd_str, nd_list)
for (i in nd_list) nodes_down[nd_list[i]]=""
exit (id in nodes_down)
}'
{{- end }}
initialDelaySeconds: {{ .Values.statefulset.readinessProbe.initialDelaySeconds }}
failureThreshold: {{ .Values.statefulset.readinessProbe.failureThreshold }}
periodSeconds: {{ .Values.statefulset.readinessProbe.periodSeconds }}
successThreshold: {{ .Values.statefulset.readinessProbe.initialDelaySeconds }}
command:
- rpk
- redpanda
- start
- --smp={{ .Values.resources.cpu.cores }}
- --memory={{ template "redpanda-memory" . }}M
- --reserve-memory={{ template "redpanda-reserve-memory" . }}
- --default-log-level={{ .Values.logging.logLevel }}
- --advertise-kafka-addr=internal://{{ $advertiseAddress }}:{{ .Values.listeners.kafka.port }},
{{- range $name, $listener := .Values.listeners.kafka.external -}}
{{- $enabled := dig "enabled" $values.external.enabled $listener -}}
{{- $listenerNodePortEnabled := and $enabled (eq (dig "type" $values.external.type $listener) "NodePort") -}}
{{- $advertiseKafkaHost := $advertiseAddress -}}
{{- $advertiseKafkaPort := $listener.nodePort -}}
{{- if $listenerNodePortEnabled -}}
{{- $advertiseKafkaHost = printf "$(SERVICE_NAME).%s" $values.external.domain -}}
{{- end -}}
{{ $name }}://{{ $advertiseKafkaHost }}:{{ $advertiseKafkaPort }},
{{- end }}
- --advertise-rpc-addr={{ $advertiseAddress }}:{{ .Values.listeners.rpc.port }}
- --advertise-pandaproxy-addr=internal://{{ $advertiseAddress }}:{{ .Values.listeners.http.port }},
{{- range $name, $listener := .Values.listeners.http.external -}}
{{ $name}}://{{ $advertiseAddress }}:{{ $listener.nodePort }},
{{- end }}
ports:
{{- range $name, $listener := .Values.listeners }}
- name: {{ lower $name }}
containerPort: {{ $listener.port }}
{{- range $externalName, $external := $listener.external }}
- name: {{ lower $name | trunc 6 }}-{{ lower $externalName | trunc 8}}
containerPort: {{ $external.port }}
{{- end }}
{{- end }}
volumeMounts:
- name: datadir
mountPath: /var/lib/redpanda/data
- name: config
mountPath: /etc/redpanda
{{- if (include "tls-enabled" . | fromJson).bool }}
{{- range $name, $cert := .Values.tls.certs }}
- name: redpanda-{{ $name }}-cert
mountPath: {{ printf "/etc/tls/certs/%s" $name }}
{{- end }}
{{- end }}
resources:
{{- if hasKey .Values.resources.memory "min" }}
requests:
cpu: {{ .Values.resources.cpu.cores }}
memory: {{ .Values.resources.memory.container.min }}
{{- end }}
limits:
cpu: {{ .Values.resources.cpu.cores }}
memory: {{ .Values.resources.memory.container.max }}
volumes:
- name: datadir
{{- if .Values.storage.persistentVolume.enabled }}
persistentVolumeClaim:
claimName: datadir
{{- else if .Values.storage.hostPath }}
hostPath:
path: {{ .Values.storage.hostPath | quote }}
{{- else }}
emptyDir: {}
{{- end }}
- name: {{ template "redpanda.fullname" . }}
configMap:
name: {{ template "redpanda.fullname" . }}
- name: config
emptyDir: {}
{{- if (include "tls-enabled" . | fromJson).bool }}
{{- range $name, $cert := .Values.tls.certs }}
- name: redpanda-{{ $name }}-cert
secret:
defaultMode: 420
items:
- key: tls.key
path: tls.key
- key: tls.crt
path: tls.crt
{{- if $cert.caEnabled }}
- key: ca.crt
path: ca.crt
{{- end }}
secretName: {{ template "redpanda.fullname" $ }}-{{ $name }}-cert
{{- end }}
{{- end -}}
{{- if or .Values.statefulset.nodeAffinity .Values.statefulset.podAffinity .Values.statefulset.podAntiAffinity }}
affinity:
{{- with .Values.statefulset.nodeAffinity }}
nodeAffinity: {{- toYaml . | nindent 10 }}
{{- end }}
{{- with .Values.statefulset.podAffinity }}
podAffinity: {{- toYaml . | nindent 10 }}
{{- end }}
{{- if .Values.statefulset.podAntiAffinity }}
podAntiAffinity:
{{- if .Values.statefulset.podAntiAffinity.type }}
{{- if eq .Values.statefulset.podAntiAffinity.type "hard" }}
requiredDuringSchedulingIgnoredDuringExecution:
- topologyKey: {{ .Values.statefulset.podAntiAffinity.topologyKey }}
labelSelector:
matchLabels:
app.kubernetes.io/name: {{ template "redpanda.name" . }}
app.kubernetes.io/instance: {{ .Release.Name | quote }}
{{- else if eq .Values.statefulset.podAntiAffinity.type "soft" }}
preferredDuringSchedulingIgnoredDuringExecution:
- weight: {{ .Values.statefulset.podAntiAffinity.weight | int64 }}
podAffinityTerm:
topologyKey: {{ .Values.statefulset.podAntiAffinity.topologyKey }}
labelSelector:
matchLabels:
app.kubernetes.io/name: {{ template "redpanda.name" . }}
app.kubernetes.io/instance: {{ .Release.Name | quote }}
{{- end }}
{{- else }}
{{- toYaml .Values.statefulset.podAntiAffinity | nindent 10 }}
{{- end }}
{{- end }}
{{- end }}
{{- if semverCompare ">=1.16-0" .Capabilities.KubeVersion.GitVersion }}
topologySpreadConstraints:
- labelSelector:
matchLabels:
app.kubernetes.io/name: {{ template "redpanda.name" . }}
app.kubernetes.io/instance: {{ .Release.Name | quote }}
{{- with .Values.statefulset.topologySpreadConstraints }}
maxSkew: {{ .maxSkew }}
topologyKey: {{ .topologyKey }}
whenUnsatisfiable: {{ .whenUnsatisfiable }}
{{- end }}
{{- end }}
{{- with .Values.statefulset.nodeSelector }}
nodeSelector: {{- toYaml . | nindent 8 }}
{{- end }}
{{- if .Values.statefulset.priorityClassName }}
priorityClassName: {{ .Values.statefulset.priorityClassName }}
{{- end }}
{{- with .Values.statefulset.tolerations }}
tolerations: {{- toYaml . | nindent 8 }}
{{- end }}
{{- if .Values.storage.persistentVolume.enabled }}
volumeClaimTemplates:
- metadata:
name: datadir
labels:
app.kubernetes.io/name: {{ template "redpanda.name" . }}
app.kubernetes.io/instance: {{ .Release.Name | quote }}
app.kubernetes.io/component: {{ template "redpanda.name" . }}
{{- with .Values.storage.persistentVolume.labels }}
{{- toYaml . | nindent 10 }}
{{- end }}
{{- with .Values.commonLabels }}
{{- toYaml . | nindent 10 }}
{{- end }}
{{- with .Values.storage.persistentVolume.annotations }}
annotations: {{- toYaml . | nindent 10 }}
{{- end }}
spec:
accessModes: ["ReadWriteOnce"]
{{- if .Values.storage.persistentVolume.storageClass }}
{{- if (eq "-" .Values.storage.persistentVolume.storageClass) }}
storageClassName: ""
{{- else }}
storageClassName: {{ .Values.storage.persistentVolume.storageClass | quote }}
{{- end }}
{{- end }}
resources:
requests:
storage: {{ .Values.storage.persistentVolume.size | quote }}
{{- end }}

55
charts/redpanda/redpanda/2.1.7/templates/tests/test-api-status.yaml Normal file
View File

@ -0,0 +1,55 @@
{{/*
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if not (or (include "tls-enabled" . | fromJson).bool (include "sasl-enabled" . | fromJson).bool) -}}
apiVersion: v1
kind: Pod
metadata:
name: "{{ include "redpanda.fullname" . }}-test-api-status"
namespace: {{ .Release.Namespace | quote }}
labels:
helm.sh/chart: {{ template "redpanda.chart" . }}
app.kubernetes.io/name: {{ template "redpanda.name" . }}
app.kubernetes.io/instance: {{ .Release.Name | quote }}
app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
app.kubernetes.io/component: {{ template "redpanda.name" . }}
{{- with .Values.commonLabels }}
{{- toYaml . | nindent 4 }}
{{- end }}
annotations:
"helm.sh/hook": test
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
spec:
restartPolicy: Never
containers:
- name: {{ template "redpanda.name" . }}
image: {{ .Values.image.repository }}:{{ .Values.image.tag }}
command:
- /bin/bash
- -c
- >
rpk cluster info
--brokers {{ include "redpanda.fullname" . }}-0.{{ include "redpanda.internal.domain" . }}:{{ .Values.listeners.kafka.port }}
volumeMounts:
- name: {{ template "redpanda.fullname" . }}
mountPath: /tmp/base-config
volumes:
- name: {{ template "redpanda.fullname" . }}
configMap:
name: {{ template "redpanda.fullname" . }}
- name: config
emptyDir: {}
{{- end }}

79
charts/redpanda/redpanda/2.1.7/templates/tests/test-kafka-internal-tls-status.yaml Normal file
View File

@ -0,0 +1,79 @@
{{/*
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if and (include "tls-enabled" . | fromJson).bool (not (include "sasl-enabled" . | fromJson).bool) -}}
apiVersion: v1
kind: Pod
metadata:
name: {{ include "redpanda.fullname" . }}-test-kafka-internal-tls-status
namespace: {{ .Release.Namespace | quote }}
labels:
helm.sh/chart: {{ template "redpanda.chart" . }}
app.kubernetes.io/name: {{ template "redpanda.name" . }}
app.kubernetes.io/instance: {{ .Release.Name | quote }}
app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
app.kubernetes.io/component: {{ template "redpanda.name" . }}
{{- with .Values.commonLabels }}
{{- toYaml . | nindent 4 }}
{{- end }}
annotations:
"helm.sh/hook": test
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
spec:
restartPolicy: Never
containers:
- name: {{ template "redpanda.name" . }}
image: {{ .Values.image.repository }}:{{ .Values.image.tag }}
command:
- /bin/bash
- -c
- >
rpk cluster info
--brokers {{ include "redpanda.fullname" .}}-0.{{ include "redpanda.internal.domain" . }}:{{ .Values.listeners.kafka.port }}
--tls-enabled --tls-truststore /etc/tls/certs/{{ .Values.listeners.kafka.tls.cert }}/ca.crt
volumeMounts:
- name: config
mountPath: /etc/redpanda
{{- range $name, $cert := .Values.tls.certs }}
- name: redpanda-{{ $name }}-cert
mountPath: {{ printf "/etc/tls/certs/%s" $name }}
{{- end }}
resources:
{{- toYaml .Values.statefulset.resources | nindent 12 }}
volumes:
- name: {{ template "redpanda.fullname" . }}
configMap:
name: {{ template "redpanda.fullname" . }}
- name: config
emptyDir: {}
{{- if (include "tls-enabled" . | fromJson).bool }}
{{- range $name, $cert := .Values.tls.certs }}
- name: redpanda-{{ $name }}-cert
secret:
defaultMode: 420
items:
- key: tls.key
path: tls.key
- key: tls.crt
path: tls.crt
{{- if $cert.caEnabled }}
- key: ca.crt
path: ca.crt
{{- end }}
secretName: {{ template "redpanda.fullname" $ }}-{{ $name }}-cert
{{- end }}
{{- end -}}
{{- end }}

94
charts/redpanda/redpanda/2.1.7/templates/tests/test-kafka-sasl-status.yaml Normal file
View File

@ -0,0 +1,94 @@
{{/*
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if and (include "sasl-enabled" . | fromJson).bool (not (include "tls-enabled" . | fromJson).bool) }}
apiVersion: v1
kind: Pod
metadata:
name: "{{ include "redpanda.fullname" . }}-test-kafka-sasl-status"
namespace: {{ .Release.Namespace | quote }}
labels:
helm.sh/chart: {{ template "redpanda.chart" . }}
app.kubernetes.io/name: {{ template "redpanda.name" . }}
app.kubernetes.io/instance: {{ .Release.Name | quote }}
app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
app.kubernetes.io/component: {{ template "redpanda.name" . }}
{{- with .Values.commonLabels }}
{{- toYaml . | nindent 4 }}
{{- end }}
annotations:
"helm.sh/hook": test
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
spec:
restartPolicy: Never
containers:
- name: {{ template "redpanda.name" . }}
image: {{ .Values.image.repository }}:{{ .Values.image.tag }}
command:
- /bin/bash
- -c
- >
rpk acl user delete admin
--api-urls {{ include "redpanda.fullname" . }}-0.{{ include "redpanda.internal.domain" . }}:{{ .Values.listeners.admin.port }}
--brokers {{ include "redpanda.internal.domain" . }}:{{ .Values.listeners.kafka.port }};
sleep 3;
rpk acl user create admin -p test
--api-urls {{ include "redpanda.fullname" . }}-0.{{ include "redpanda.internal.domain" . }}:{{ .Values.listeners.admin.port }} &&
sleep 3 &&
rpk topic create test-topic --user admin --password test --sasl-mechanism SCRAM-SHA-256
--brokers {{ include "redpanda.internal.domain" . }}:{{ .Values.listeners.kafka.port }} &&
rpk topic describe test-topic --user admin --password test --sasl-mechanism SCRAM-SHA-256
--brokers {{ include "redpanda.internal.domain" . }}:{{ .Values.listeners.kafka.port }} &&
rpk topic delete test-topic --user admin --password test --sasl-mechanism SCRAM-SHA-256
--brokers {{ include "redpanda.internal.domain" . }}:{{ .Values.listeners.kafka.port }} &&
rpk acl user delete admin
--api-urls {{ include "redpanda.fullname" . }}-0.{{ include "redpanda.internal.domain" . }}:{{ .Values.listeners.admin.port }}
--brokers {{ include "redpanda.internal.domain" . }}:{{ .Values.listeners.kafka.port }}
volumeMounts:
- name: config
mountPath: /etc/redpanda
{{- if (include "tls-enabled" . | fromJson).bool }}
{{- range $name, $cert := .Values.tls.certs }}
- name: redpanda-{{ $name }}-cert
mountPath: {{ printf "/etc/tls/certs/%s" $name }}
{{- end }}
{{- end }}
resources:
{{- toYaml .Values.statefulset.resources | nindent 12 }}
volumes:
- name: {{ template "redpanda.fullname" . }}
configMap:
name: {{ template "redpanda.fullname" . }}
- name: config
emptyDir: {}
{{- if (include "tls-enabled" . | fromJson).bool }}
{{- range $name, $cert := .Values.tls.certs }}
- name: redpanda-{{ $name }}-cert
secret:
defaultMode: 420
items:
- key: tls.key
path: tls.key
- key: tls.crt
path: tls.crt
{{- if $cert.caEnabled }}
- key: ca.crt
path: ca.crt
{{- end }}
secretName: {{ template "redpanda.fullname" $ }}-{{ $name }}-cert
{{- end }}
{{- end -}}
{{- end }}

101
charts/redpanda/redpanda/2.1.7/templates/tests/test-kafka-sasl-tls-status.yaml Normal file
View File

@ -0,0 +1,101 @@
{{/*
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if and (include "sasl-enabled" . | fromJson).bool (include "tls-enabled" . | fromJson).bool -}}
apiVersion: v1
kind: Pod
metadata:
name: "{{ include "redpanda.fullname" . }}-test-kafka-sasl-tls-status"
namespace: {{ .Release.Namespace | quote }}
labels:
helm.sh/chart: {{ template "redpanda.chart" . }}
app.kubernetes.io/name: {{ template "redpanda.name" . }}
app.kubernetes.io/instance: {{ .Release.Name | quote }}
app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
app.kubernetes.io/component: {{ template "redpanda.name" . }}
{{- with .Values.commonLabels }}
{{- toYaml . | nindent 4 }}
{{- end }}
annotations:
"helm.sh/hook": test
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
spec:
restartPolicy: Never
containers:
- name: {{ template "redpanda.name" . }}
image: {{ .Values.image.repository }}:{{ .Values.image.tag }}
command:
- /bin/bash
- -c
- >
rpk acl user delete admin
--tls-truststore /etc/tls/certs/{{ .Values.listeners.kafka.tls.cert }}/ca.crt
--admin-api-tls-truststore /etc/tls/certs/{{ .Values.listeners.admin.tls.cert }}/ca.crt
--api-urls {{ include "redpanda.fullname" . }}-0.{{ include "redpanda.internal.domain" . }}:{{ .Values.listeners.admin.port }}
--brokers {{ include "redpanda.internal.domain" . }}:{{ .Values.listeners.kafka.port }};
sleep 3;
rpk acl user create admin -p test
--tls-truststore /etc/tls/certs/{{ .Values.listeners.kafka.tls.cert }}/ca.crt
--admin-api-tls-truststore /etc/tls/certs/{{ .Values.listeners.admin.tls.cert }}/ca.crt
--api-urls {{ include "redpanda.fullname" . }}-0.{{ include "redpanda.internal.domain" . }}:{{ .Values.listeners.admin.port }} &&
sleep 3 &&
rpk topic create test-topic --user admin --password test --sasl-mechanism SCRAM-SHA-256
--tls-enabled --tls-truststore /etc/tls/certs/{{ .Values.listeners.kafka.tls.cert }}/ca.crt
--brokers {{ include "redpanda.internal.domain" . }}:{{ .Values.listeners.kafka.port }} &&
rpk topic describe test-topic --user admin --password test --sasl-mechanism SCRAM-SHA-256
--tls-enabled --tls-truststore /etc/tls/certs/{{ .Values.listeners.kafka.tls.cert }}/ca.crt
--brokers {{ include "redpanda.internal.domain" . }}:{{ .Values.listeners.kafka.port }} &&
rpk topic delete test-topic --user admin --password test --sasl-mechanism SCRAM-SHA-256
--tls-enabled --tls-truststore /etc/tls/certs/{{ .Values.listeners.kafka.tls.cert }}/ca.crt
--brokers {{ include "redpanda.internal.domain" . }}:{{ .Values.listeners.kafka.port }} &&
rpk acl user delete admin
--tls-truststore /etc/tls/certs/{{ .Values.listeners.kafka.tls.cert }}/ca.crt
--admin-api-tls-truststore /etc/tls/certs/{{ .Values.listeners.admin.tls.cert }}/ca.crt
--api-urls {{ include "redpanda.fullname" . }}-0.{{ include "redpanda.internal.domain" . }}:{{ .Values.listeners.admin.port }}
--brokers {{ include "redpanda.internal.domain" . }}:{{ .Values.listeners.kafka.port }}
volumeMounts:
- name: config
mountPath: /etc/redpanda
{{- range $name, $cert := .Values.tls.certs }}
- name: redpanda-{{ $name }}-cert
mountPath: {{ printf "/etc/tls/certs/%s" $name }}
{{- end }}
resources:
{{- toYaml .Values.statefulset.resources | nindent 12 }}
volumes:
- name: {{ template "redpanda.fullname" . }}
configMap:
name: {{ template "redpanda.fullname" . }}
- name: config
emptyDir: {}
{{- if (include "tls-enabled" . | fromJson).bool }}
{{- range $name, $cert := .Values.tls.certs }}
- name: redpanda-{{ $name }}-cert
secret:
defaultMode: 420
items:
- key: tls.key
path: tls.key
- key: tls.crt
path: tls.crt
{{- if $cert.caEnabled }}
- key: ca.crt
path: ca.crt
{{- end }}
secretName: {{ template "redpanda.fullname" $ }}-{{ $name }}-cert
{{- end }}
{{- end -}}
{{- end }}

79
charts/redpanda/redpanda/2.1.7/templates/tests/test-pandaproxy-internal-tls-status.yaml Normal file
View File

@ -0,0 +1,79 @@
{{/*
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if and (include "tls-enabled" . | fromJson).bool (not (include "sasl-enabled" . | fromJson).bool) -}}
apiVersion: v1
kind: Pod
metadata:
name: {{ include "redpanda.fullname" . }}-test-pandaproxy-internal-tls-status
namespace: {{ .Release.Namespace | quote }}
labels:
helm.sh/chart: {{ template "redpanda.chart" . }}
app.kubernetes.io/name: {{ template "redpanda.name" . }}
app.kubernetes.io/instance: {{ .Release.Name | quote }}
app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
app.kubernetes.io/component: {{ template "redpanda.name" . }}
{{- with .Values.commonLabels }}
{{- toYaml . | nindent 4 }}
{{- end }}
annotations:
"helm.sh/hook": test
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
spec:
restartPolicy: Never
containers:
- name: {{ template "redpanda.name" . }}
image: {{ .Values.image.repository }}:{{ .Values.image.tag }}
command:
- curl
- -svm3
- --ssl-reqd
- --cacert
- /etc/tls/certs/{{ .Values.listeners.admin.tls.cert }}/ca.crt
- https://{{ include "redpanda.internal.domain" . }}:{{ .Values.listeners.http.port }}/brokers
volumeMounts:
- name: config
mountPath: /etc/redpanda
{{- range $name, $cert := .Values.tls.certs }}
- name: redpanda-{{ $name }}-cert
mountPath: {{ printf "/etc/tls/certs/%s" $name }}
{{- end }}
resources:
{{- toYaml .Values.statefulset.resources | nindent 12 }}
volumes:
- name: {{ template "redpanda.fullname" . }}
configMap:
name: {{ template "redpanda.fullname" . }}
- name: config
emptyDir: {}
{{- if (include "tls-enabled" . | fromJson).bool }}
{{- range $name, $cert := .Values.tls.certs }}
- name: redpanda-{{ $name }}-cert
secret:
defaultMode: 420
items:
- key: tls.key
path: tls.key
- key: tls.crt
path: tls.crt
{{- if $cert.caEnabled }}
- key: ca.crt
path: ca.crt
{{- end }}
secretName: {{ template "redpanda.fullname" $ }}-{{ $name }}-cert
{{- end }}
{{- end -}}
{{- end }}

44
charts/redpanda/redpanda/2.1.7/templates/tests/test-pandaproxy-status.yaml Normal file
View File

@ -0,0 +1,44 @@
{{/*
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if not (or (include "tls-enabled" . | fromJson).bool (include "sasl-enabled" . | fromJson).bool) -}}
apiVersion: v1
kind: Pod
metadata:
name: "{{ include "redpanda.fullname" . }}-test-pandaproxy-status"
namespace: {{ .Release.Namespace | quote }}
labels:
helm.sh/chart: {{ template "redpanda.chart" . }}
app.kubernetes.io/name: {{ template "redpanda.name" . }}
app.kubernetes.io/instance: {{ .Release.Name | quote }}
app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
app.kubernetes.io/component: {{ template "redpanda.name" . }}
{{- with .Values.commonLabels }}
{{- toYaml . | nindent 4 }}
{{- end }}
annotations:
"helm.sh/hook": test
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
spec:
restartPolicy: Never
containers:
- name: {{ template "redpanda.name" . }}
image: {{ .Values.image.repository }}:{{ .Values.image.tag }}
command:
- curl
- -svm3
- http://{{ include "redpanda.fullname" . }}:{{ .Values.listeners.http.port }}/brokers
{{- end }}

77
charts/redpanda/redpanda/2.1.7/templates/tests/test-schemaregistry-internal-tls-status.yaml Normal file
View File

@ -0,0 +1,77 @@
{{/*
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if and (include "tls-enabled" . | fromJson).bool (not (include "sasl-enabled" .|fromJson).bool) }}
apiVersion: v1
kind: Pod
metadata:
name: {{ include "redpanda.fullname" . }}-test-schemaregistry-internal-tls-status
namespace: {{ .Release.Namespace | quote }}
labels:
helm.sh/chart: {{ template "redpanda.chart" . }}
app.kubernetes.io/name: {{ template "redpanda.name" . }}
app.kubernetes.io/instance: {{ .Release.Name | quote }}
app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
app.kubernetes.io/component: {{ template "redpanda.name" . }}
{{- with .Values.commonLabels }}
{{- toYaml . | nindent 4 }}
{{- end }}
annotations:
"helm.sh/hook": test
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
spec:
restartPolicy: Never
containers:
- name: {{ template "redpanda.name" . }}
image: {{ .Values.image.repository }}:{{ .Values.image.tag }}
command:
- curl
- -svm3
- --ssl-reqd
- --cacert
- /etc/tls/certs/{{ .Values.listeners.schemaRegistry.tls.cert }}/ca.crt
- https://{{ include "redpanda.internal.domain" . }}:{{ .Values.listeners.schemaRegistry.port }}/subjects
volumeMounts:
- name: config
mountPath: /etc/redpanda
{{- range $name, $cert := .Values.tls.certs }}
- name: redpanda-{{ $name }}-cert
mountPath: {{ printf "/etc/tls/certs/%s" $name }}
{{- end }}
resources:
{{- toYaml .Values.statefulset.resources | nindent 12 }}
volumes:
- name: {{ template "redpanda.fullname" . }}
configMap:
name: {{ template "redpanda.fullname" . }}
- name: config
emptyDir: {}
{{- range $name, $cert := .Values.tls.certs }}
- name: redpanda-{{ $name }}-cert
secret:
defaultMode: 420
items:
- key: tls.key
path: tls.key
- key: tls.crt
path: tls.crt
{{- if $cert.caEnabled }}
- key: ca.crt
path: ca.crt
{{- end }}
secretName: {{ template "redpanda.fullname" $ }}-{{ $name }}-cert
{{- end }}
{{- end }}

46
charts/redpanda/redpanda/2.1.7/templates/tests/test-schemaregistry-status.yaml Normal file
View File

@ -0,0 +1,46 @@
{{/*
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- /* TODO test fails if SASL is enabled */}}
{{- /* TODO test expects the first listener to have TLS enabled */}}
{{- if not (or (include "tls-enabled" . | fromJson).bool (include "sasl-enabled" . | fromJson).bool) }}
apiVersion: v1
kind: Pod
metadata:
name: "{{ include "redpanda.fullname" . }}-test-schemaregistry-status"
namespace: {{ .Release.Namespace | quote }}
labels:
helm.sh/chart: {{ template "redpanda.chart" . }}
app.kubernetes.io/name: {{ template "redpanda.name" . }}
app.kubernetes.io/instance: {{ .Release.Name | quote }}
app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
app.kubernetes.io/component: {{ template "redpanda.name" . }}
{{- with .Values.commonLabels }}
{{- toYaml . | nindent 4 }}
{{- end }}
annotations:
"helm.sh/hook": test
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
spec:
restartPolicy: Never
containers:
- name: {{ template "redpanda.name" . }}
image: {{ .Values.image.repository }}:{{ .Values.image.tag }}
command:
- curl
- -svm3
- http://{{ include "redpanda.internal.domain" . }}:{{ .Values.listeners.schemaRegistry.port }}/subjects
{{- end }}

580
charts/redpanda/redpanda/2.1.7/values.yaml Normal file
View File

@ -0,0 +1,580 @@
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# This file contains values for variables referenced from yaml files in the templates directory.
#
# For further information on Helm templating see the documentation at:
# https://helm.sh/docs/chart_template_guide/values_files/
# Common parameters
#
# Override redpanda.name template
nameOverride: ""
# Override redpanda.fullname template
fullnameOverride: ""
# Default kuberentes cluster domain
clusterDomain: cluster.local
# Additional labels added to all Kubernetes objects
commonLabels: {}
# Redpanda parameters
#
image:
repository: vectorized/redpanda
# Redpanda version. This determines the installed version (not Chart.appVersion)
tag: v22.2.2
# The imagePullPolicy will default to Always when the tag is 'latest'
pullPolicy: IfNotPresent
# Your license key (optional)
license_key: ""
#
# Authentication
auth:
#
# SASL configuration
sasl:
enabled: false
# user list
# TODO create user at startup
users:
- name: admin
# Password for the user. This will be used to generate a secret
# password: password
# If password isn't given, then the secretName must point to an already existing secret
# secretName: adminPassword
#
# TLS configuration
tls:
# Enable global TLS, which turns on TLS by default for all listeners
# Each listener must include a certificate name in its TLS section
# Any certificates in auth.tls.certs will still be loaded if enabled is false
# This is because listeners may enable TLS individually (see listeners.<listener name>.tls.enabled)
enabled: false
# list all certificates below, then reference a certificate's name in each listener (see listeners.<listener name>.tls.cert)
certs:
# This is the certificate name that is used to associate the certificate with a listener
# See listeners.<listener group>.tls.cert for more information
default:
# Define an issuerRef to use your own custom pre-installed Issuer
# issuerRef:
# name: redpanda-default-root-issuer
# kind: Issuer # Can be Issuer or ClusterIssuer
# The caEnabled flag determines whether the ca.crt file is included in the TLS mount path on each Redpanda pod
caEnabled: true
# duration: 43800h
#
# External access configuration
external:
# Default external access value for all listeners except RPC
# External config doesn't apply to RPC listeners as they are never externally accessible
# These values can be overridden by each listener if needed
enabled: true
# Default external access type (options are NodePort and LoadBalancer)
# TODO include IP range for load balancer that support it: https://github.com/redpanda-data/helm-charts/issues/106
type: NodePort
domain: local
# annotations:
# For example:
# cloud.google.com/load-balancer-type: "Internal"
# service.beta.kubernetes.io/aws-load-balancer-type: nlb
# Logging
logging:
# Log level
# Valid values (from least to most logging) are warn, info, debug, trace
logLevel: info
#
# Send usage stats back to Redpanda
# See https://docs.redpanda.com/docs/cluster-administration/monitoring/#stats-reporting
usageStats:
# rpk.enable_usage_stats
enabled: true
# Your organization name (optional)
# organization: your-org
# Your cluster ID (optional)
# clusterId: your-helm-cluster
#
resources:
# Both Redpanda and Kubernetes have multiple ways to allocate resources.
# There are also several associated parameters that impact how these resources are used by
# Kubernetes, the Redpanda app, and the subsystem Redpanda is built on (Seastar).
# This section attempts to simplify allocating resources by providing a single location
# where resources are defined.
# Helm sets these resource values within the following templates:
# - statefulset.yaml
# - configmap.yaml
#
# The default values below are what should work for a development environment.
# Production-level values and other considerations are provided in comments
# if those values are different from the default.
#
cpu:
# Redpanda makes use of a thread per core model described here:
# https://redpanda.com/blog/tpc-buffers
# For this reason, Redpanda should only be given full cores (cores parameter below).
#
# NOTE: You can increase cores, but decreasing cores is not currently supported:
# https://github.com/redpanda-data/redpanda/issues/350
#
# Equivalent to: --smp, resources.requests.cpu, and resources.limits.cpu
# For production: 4 or greater
cores: 1
#
# Overprovisioned means Redpanda won't assume it has all of the provisioned CPU.
# This should be true unless the container has CPU affinity (eg. min and max above are equal).
# Equivalent to: --idle-poll-time-us 0 --thread-affinity 0 --poll-aio 0
# overprovisioned: false
#
memory:
# Enables memory locking.
# For production: true
# enable_memory_locking: false
#
# It is recommended to have at least 2Gi of memory per core for the Redpanda binary.
# This memory is taken from the total memory given to each container.
# We allocate 80% of the container's memory to Redpanda, leaving the rest for
# the Seastar subsystem (reserveMemory) and other container processes.
# So at least 2.5Gi per core is recommended in order to ensure Redpanda has a full 2Gi.
#
# These values affect --memory and --reserve-memory flags passed to Redpanda and the memory
# requests/limits in the StatefulSet.
# Valid suffixes: k M G Ki Mi Gi
# Only support a single decimal (eg. 2.5Gi rather than 2.55Gi)
#
container:
# Minimum memory count for each Redpanda broker
# If omitted, the min value will equal the max value (requested resources defaults to limits)
# Equivalent to: resources.requests.memory
# For production: 10Gi or greater
# min: 2.5Gi
#
# Minimum memory count for each Redpanda broker
# Equivalent to: resources.limits.memory
# For production: 10Gi or greater
max: 2.5Gi
#
# redpanda:
# This optional redpanda section allows specifying the memory size for both the Redpanda
# process and the underlying reserved memory (used by Seastar).
# This section is omitted by default, and memory sizes are calculated automatically
# based on container memory.
# Uncommenting this section and setting memory and reserveMemory values will disable
# automatic calculation.
#
# If you are setting the following values manually, keep in mind the following guidelines (getting
# this wrong will potentially lead to performance issues, instability, loss of data, etc.):
# The amount of memory to allocate to a container is determined by the sum of three values:
# 1. Redpanda (at least 2Gi per core, ~80% of the container's total memory)
# 2. Seastar subsystem (200Mi * 0.2% of the container's total memory, 200Mi < x < 1Gi)
# 3. other container processes (whatever small amount remains)
#
# Memory for the Redpanda process.
# This must be lower the container's memory (resources.memory.container.min if provided, otherwise
# resources.memory.container.max).
# Equivalent to: --memory
# For production: 8Gi or greater
# memory: 2Gi
#
# Memory reserved for the Seastar subsystem.
# Any value above 1Gi will provide diminishing performance benefits.
# Equivalent to: --reserve-memory
# For production: 1Gi
# reserveMemory: 200Mi
#
# Persistence
storage:
# Absolute path on host to store Redpanda's data.
# If not specified, then `emptyDir` will be used instead.
# If specified, but `persistentVolume.enabled` is `true`, then has no effect.
hostPath: ""
# If `enabled` is `true` then a PersistentVolumeClaim will be created and
# used to store Redpanda's data, otherwise `hostPath` is used.
persistentVolume:
enabled: true
size: 3Gi
# If defined, then `storageClassName: <storageClass>`.
# If set to "-", then `storageClassName: ""`, which disables dynamic
# provisioning.
# If undefined or empty (default), then no `storageClassName` spec is set,
# so the default provisioner will be chosen (gp2 on AWS, standard on
# GKE, AWS & OpenStack).
storageClass: ""
# Additional labels to apply to the created PersistentVolumeClaims.
labels: {}
# Additional annotations to apply to the created PersistentVolumeClaims.
annotations: {}
statefulset:
# Number of Redpanda brokers (recommend setting this to the number of nodes in the cluster)
replicas: 3
updateStrategy:
type: RollingUpdate
podManagementPolicy: Parallel
budget:
maxUnavailable: 1
# Additional annotations to apply to the Pods of this StatefulSet.
annotations: {}
# Adjust the period for your probes to meet your needs (see https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes)
startupProbe:
initialDelaySeconds: 1
failureThreshold: 120
periodSeconds: 10
livenessProbe:
initialDelaySeconds: 10
failureThreshold: 3
periodSeconds: 10
readinessProbe:
initialDelaySeconds: 1
failureThreshold: 3
periodSeconds: 10
successThreshold: 1
#
# A note regarding statefulset resources:
# Resources are set through the top-level resources section above.
# It is recommended to set resources values in that section rather than here, as this will guarantee
# memory is allocated across containers, Redpanda, and the Seastar subsystem correctly.
# This automatic memory allocation is in place because Repanda and the Seastar subsystem require flags
# at startup that set the amount of memory available to each process.
# Kubernetes (mainly statefulset), Redpanda, and Seastar memory values are tightly coupled.
# Adding a resource section here will be ignored.
#
# Inter-Pod Affinity rules for scheduling Pods of this StatefulSet.
# https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#inter-pod-affinity-and-anti-affinity
podAffinity: {}
# Anti-affinity rules for scheduling Pods of this StatefulSet.
# https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#inter-pod-affinity-and-anti-affinity
# You may either toggle options below for default anti-affinity rules,
# or specify the whole set of anti-affinity rules instead of them.
podAntiAffinity:
# The topologyKey to be used.
# Can be used to spread across different nodes, AZs, regions etc.
topologyKey: kubernetes.io/hostname
# Type of anti-affinity rules: either `soft`, `hard` or empty value (which
# disables anti-affinity rules).
type: soft
# Weight for `soft` anti-affinity rules.
# Does not apply for other anti-affinity types.
weight: 100
# Node selection constraints for scheduling Pods of this StatefulSet.
# https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
nodeSelector: {}
# PriorityClassName given to Pods of this StatefulSet
# https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
priorityClassName: ""
# Taints to be tolerated by Pods of this StatefulSet.
# https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
tolerations: []
# https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
topologySpreadConstraints:
maxSkew: 1
topologyKey: topology.kubernetes.io/zone
whenUnsatisfiable: ScheduleAnyway
# When using persistent storage the volume will be mounted as root. In order for redpanda to use the volume
# we must set the fsGroup to the uid of redpanda, which is 101
podSecurityContext:
fsGroup: 101
# runAsNonRoot: true
# runAsUser: 1000
# Service account management
serviceAccount:
# Specifies whether a service account should be created
create: false
# Annotations to add to the service account
annotations: {}
# The name of the service account to use.
# If not set and create is true, a name is generated using the fullname template
name: ""
tuning: {}
# This section contains Redpanda tuning parameters.
# Each parameter below is set to their default values.
# Remove the curly brackets above if you uncomment any parameters below.
#
# Increases the number of allowed asynchronous IO events.
# tune_aio_events: false
#
# Syncs NTP
# tune_clocksource: false
#
# Creates a "ballast" file so that, if a Redpanda node runs out of space,
# you can delete the ballast file to allow the node to resume operations and then
# delete a topic or records to reduce the space used by Redpanda.
# tune_ballast_file: false
#
# The path where the ballast file will be created.
# ballast_file_path: "/var/lib/redpanda/data/ballast"
#
# The ballast file size.
# ballast_file_size: "1GiB"
#
# (Optional) The vendor, VM type and storage device type that redpanda will run on, in
# the format <vendor>:<vm>:<storage>. This hints to rpk which configuration values it
# should use for the redpanda IO scheduler.
# Some valid values are "gcp:c2-standard-16:nvme", "aws:i3.xlarge:default"
# well_known_io: ""
#
# The following tuning parameters must be false in container environments and will be ignored:
# tune_network
# tune_disk_scheduler
# tune_disk_nomerges
# tune_disk_irq
# tune_fstrim
# tune_cpu
# tune_swappiness
# tune_transparent_hugepages
# tune_coredump
### Overrides
#
# This sections can be used to override global settings configured above for individual
# listeners.
#
listeners:
# Admin API listener
# The kafka listener group cannot be disabled
admin:
# The port for the admin server
port: 9644
# Optional external section
external:
# # `enabled`` is used to override the setting of the `external` top-level key
# # for this external listener. The default is `true`.
# enabled: true
# # Type of external access (options are NodePort and LoadBalancer)
# type: NodePort
# # External port
# # `nodePort` defines the TCP port to listen on for NodePort types.
# nodePort: 31644
# Optional TLS section (required if global TLS is enabled)
tls:
# Optional flag to override the global TLS enabled flag
# enabled: true
# Name of certificate used for TLS (must match a cert registered at auth.tls.certs)
cert: default
# If true, the truststore file for this listener will be included in the ConfigMap
requireClientAuth: false
# Kafka API listeners
# The kafka listener group cannot be disabled
kafka:
port: 9093
# Listeners internal to kubernetes service network
tls:
# enabled: true
cert: default
requireClientAuth: false
# External listeners
external:
# to disable external kafka listeners when the global `external` is enabled,
# replace this with an empty list, ie: `external: []`
default:
port: 9094
# Type can be `NodePort or `LoadBalancer`. If unset, it will default to the type
# in the `external` section.`
type: NodePort
# External port
# This listener port will be used on each kubernetes node
nodePort: 31092
# HTTP API listeners (aka PandaProxy)
# PandaProxy is a kafka client that connects to an endpoint from listeners.kafka.endpoints
http:
enabled: true
port: 8082
kafkaEndpoint: default
tls:
# enabled: true
cert: default
requireClientAuth: false
# External listeners
external:
default:
# Ports must be unique per listener
port: 8083
# Type of external access (options are ClusterIP, NodePort, and LoadBalancer)
type: NodePort
# External port
# This listener port will be used for the external port if NodePort is selected
nodePort: 30082
# RPC listener
# The RPC listener cannot be disabled
rpc:
port: 33145
tls:
# enabled: true
cert: default
requireClientAuth: false
# Schema registry listeners
schemaRegistry:
enabled: true
port: 8081
# Schema Registry is a kafka client that connects to an endpoint from listeners.kafka.endpoints
kafkaEndpoint: default
tls:
# enabled: true
cert: default
requireClientAuth: false
external:
default:
# Ports must be unique per listener
port: 8080
# Optional external section
# enabled: true
# Type of external access (options are NodePort and LoadBalancer)
# type: NodePort
# External port
# This listener port will be used for the external port if this is not included
nodePort: 30081
# Expert Config
# This section contains various settings supported by Redpanda that may not work
# correctly in a kubernetes cluster. Changing these settings comes with some risk.
#
# Here be dragons!
#
# This section allows modifying various Redpanda settings not covered in other sections above.
# These values do not pertain to the kubernetes objects created with helm.
# Instead these parameters get passed directly to the Redpanda binary at startup.
# See https://docs.redpanda.com/docs/cluster-administration/configuration/
config:
cluster:
# auto_create_topics_enabled: true # Allow topic auto creation
# transaction_coordinator_replication: 1 # Replication factor for a transaction coordinator topic
# id_allocator_replication: 1 # Replication factor for an ID allocator topic
# disable_metrics: false # Disable registering metrics
# enable_coproc: false # Enable coprocessing mode
# enable_idempotence: false # Enable idempotent producer
# enable_pid_file: true # Enable pid file; You probably don't want to change this
# enable_transactions: false # Enable transactions
# group_max_session_timeout_ms: 300s # The maximum allowed session timeout for registered consumers; Longer timeouts give consumers more time to process messages in between heartbeats at the cost of a longer time to detect failures; Default quota tracking window size in milliseconds
# group_min_session_timeout_ms: Optional # The minimum allowed session timeout for registered consumers; Shorter timeouts result in quicker failure detection at the cost of more frequent consumer heartbeating
# kafka_group_recovery_timeout_ms: 30000ms # Kafka group recovery timeout expressed in milliseconds
# kafka_qdc_enable: false # Enable kafka queue depth control
# kafka_qdc_max_latency_ms: 80ms # Max latency threshold for kafka queue depth control depth tracking
# log_cleanup_policy: deletion # Default topic cleanup policy
# log_compaction_interval_ms: 5min # How often do we trigger background compaction
# log_compression_type: producer # Default topic compression type
# log_message_timestamp_type: create_time # Default topic messages timestamp type
# retention_bytes: None # max bytes per partition on disk before triggering a compaction
# rm_sync_timeout_ms: 2000ms
# rm_violation_recovery_policy: crash # Describes how to recover from an invariant violation happened on the partition level
# target_quota_byte_rate: 2GB # Target quota byte rate in bytes per second
# tm_sync_timeout_ms: 2000ms # Time to wait state catch up before rejecting a request
# tm_violation_recovery_policy: crash # Describes how to recover from an invariant violation happened on the transaction coordinator level
# transactional_id_expiration_ms: 10080min # Producer ids are expired once this time has elapsed after the last write with the given producer ID
tunable:
# alter_topic_cfg_timeout_ms: 5s # Time to wait for entries replication in controller log when executing alter configuration request
# compacted_log_segment_size: 256MiB # How large in bytes should each compacted log segment be (default 256MiB)
# controller_backend_housekeeping_interval_ms: 1s # Interval between iterations of controller backend housekeeping loop
# coproc_max_batch_size: 32kb # Maximum amount of bytes to read from one topic read
# coproc_max_inflight_bytes: 10MB # Maximum amountt of inflight bytes when sending data to wasm engine
# coproc_max_ingest_bytes: 640kb # Maximum amount of data to hold from input logs in memory
# coproc_offset_flush_interval_ms: 300000ms # Interval for which all coprocessor offsets are flushed to disk
# create_topic_timeout_ms: 2000ms # Timeout (ms) to wait for new topic creation
# default_num_windows: 10 # Default number of quota tracking windows
# default_window_sec: 1000ms # Default quota tracking window size in milliseconds
# delete_retention_ms: 10080min # delete segments older than this (default 1 week)
# disable_batch_cache: false # Disable batch cache in log manager
# fetch_reads_debounce_timeout: 1ms # Time to wait for next read in fetch request when requested min bytes wasn't reached
# fetch_session_eviction_timeout_ms: 60s # Minimum time before which unused session will get evicted from sessions; Maximum time after which inactive session will be deleted is two time given configuration valuecache
# group_initial_rebalance_delay: 300ms # Extra delay (ms) added to rebalance phase to wait for new members
# group_new_member_join_timeout: 30000ms # Timeout for new member joins
# group_topic_partitions: 1 # Number of partitions in the internal group membership topic
# id_allocator_batch_size: 1000 # ID allocator allocates messages in batches (each batch is a one log record) and then serves requests from memory without touching the log until the batch is exhausted
# id_allocator_log_capacity: 100 # Capacity of the id_allocator log in number of messages; Once it reached id_allocator_stm should compact the log
# join_retry_timeout_ms: 5s # Time between cluster join retries in milliseconds
# kafka_qdc_idle_depth: 10 # Queue depth when idleness is detected in kafka queue depth control
# kafka_qdc_latency_alpha: 0.002 # Smoothing parameter for kafka queue depth control latency tracking
# kafka_qdc_max_depth: 100 # Maximum queue depth used in kafka queue depth control
# kafka_qdc_min_depth: 1 # Minimum queue depth used in kafka queue depth control
# kafka_qdc_window_count: 12 # Number of windows used in kafka queue depth control latency tracking
# kafka_qdc_window_size_ms: 1500ms # Window size for kafka queue depth control latency tracking
# kvstore_flush_interval: 10ms # Key-value store flush interval (ms)
# kvstore_max_segment_size: 16MB # Key-value maximum segment size (bytes)
# log_segment_size: 1GB # How large in bytes should each log segment be (default 1G)
# max_compacted_log_segment_size: 5GB # Max compacted segment size after consolidation
# max_kafka_throttle_delay_ms: 60000ms # Fail-safe maximum throttle delay on kafka requests
# metadata_dissemination_interval_ms: 3000ms # Interaval for metadata dissemination batching
# metadata_dissemination_retries: 10 # Number of attempts of looking up a topic's meta data like shard before failing a request
# metadata_dissemination_retry_delay_ms: 500ms # Delay before retry a topic lookup in a shard or other meta tables
# quota_manager_gc_sec: 30000ms # Quota manager GC frequency in milliseconds
# raft_learner_recovery_rate: 104857600 # Raft learner recovery rate in bytes per second
# raft_heartbeat_disconnect_failures: 3 #After how many failed heartbeats to forcibly close an unresponsive TCP connection. Set to 0 to disable force disconnection.
# raft_heartbeat_interval_ms: 150 #The interval in ms between raft leader heartbeats.
# raft_heartbeat_timeout_ms: 3000 #Raft heartbeat RPC timeout.
# raft_io_timeout_ms: 10000 #Raft I/O timeout.
# raft_max_concurrent_append_requests_per_follower: 16 #Maximum number of concurrent append entries requests sent by leader to one follower.
# raft_max_recovery_memory: 33554432 #Maximum memory that can be used for reads in the raft recovery process.
# raft_recovery_default_read_size: 524288 #Default size of read issued during raft follower recovery.
# raft_replicate_batch_window_size: 1048576 #Maximum size of requests cached for replication.
# raft_smp_max_non_local_requests: #Maximum number of x-core requests pending in Raft seastar::smp group. (for more details look at seastar::smp_service_group documentation).
# raft_timeout_now_timeout_ms: 1000 #Timeout for a timeout now request.
# raft_transfer_leader_recovery_timeout_ms: 1000 #Timeout waiting for follower recovery when transferring leadership.
# raft_election_timeout_ms: 1500ms # Election timeout expressed in milliseconds TBD - election_time_out
# readers_cache_eviction_timeout_ms: 30s # Duration after which inactive readers will be evicted from cache
# reclaim_growth_window: 3000ms # Length of time in which reclaim sizes grow
# reclaim_max_size: 4MB # Maximum batch cache reclaim size
# reclaim_min_size: 128KB # Minimum batch cache reclaim size
# reclaim_stable_window: 10000ms # Length of time above which growth is reset
# recovery_append_timeout_ms: 5s # Timeout for append entries requests issued while updating stale follower
# release_cache_on_segment_roll: false # Free cache when segments roll
# replicate_append_timeout_ms: 3s # Timeout for append entries requests issued while replicating entries
# segment_appender_flush_timeout_ms: 1ms # Maximum delay until buffered data is written
# wait_for_leader_timeout_ms: 5000ms # Timeout (ms) to wait for leadership in metadata cache
node:
# node_id: # Unique ID identifying a node in the cluster
# data_directory: # Place where redpanda will keep the data
# admin_api_doc_dir: /usr/share/redpanda/admin-api-doc # Admin API doc directory
# api_doc_dir: /usr/share/redpanda/proxy-api-doc # API doc directory
# coproc_supervisor_server: 127.0.0.1:43189 # IpAddress and port for supervisor service
# dashboard_dir: None # serve http dashboard on / url
# rack: None # Rack identifier
# developer_mode: optional # Skips most of the checks performed at startup
# Invalid properties
# Any of these properties will be ignored. These otherwise valid properties are not allowed
# to be used in this section since they impact deploying Redpanda in Kubernetes.
# Make use of the above sections to modify these values instead (see comments below).
# admin: 127.0.0.1:9644 # Address and port of admin server
# admin_api_tls: validate_many # TLS configuration for admin HTTP server
# advertised_kafka_api: None # Address of Kafka API published to the clients
# advertised_pandaproxy_api: None # Rest API address and port to publish to client
# advertised_rpc_api: None # Address of RPC endpoint published to other cluster members
# cloud_storage_access_key: None # AWS access key
# cloud_storage_api_endpoint: None # Optional API endpoint
# cloud_storage_api_endpoint_port: 443 # TLS port override
# cloud_storage_bucket: None # AWS bucket that should be used to store data
# cloud_storage_disable_tls: false # Disable TLS for all S3 connections
# cloud_storage_enabled: false # Enable archival storage
# cloud_storage_max_connections: 20 # Max number of simultaneous uploads to S3
# cloud_storage_reconciliation_ms: 10s # Interval at which the archival service runs reconciliation (ms)
# cloud_storage_region: None # AWS region that houses the bucket used for storage
# cloud_storage_secret_key: None # AWS secret key
# cloud_storage_trust_file: None # Path to certificate that should be used to validate server certificate during TLS handshake
# default_topic_partitions: 1 # Default number of partitions per topic
# default_topic_replications: 3 # Default replication factor for new topics
# enable_admin_api Enable the admin API true
# enable_sasl Enable SASL authentication for Kafka connections false
# kafka_api Address and port of an interface to listen for Kafka API requests 127.0.0.1:9092
# kafka_api_tls TLS configuration for Kafka API endpoint None
# pandaproxy_api Rest API listen address and port 0.0.0.0:8082
# pandaproxy_api_tls TLS configuration for Pandaproxy api validate_many
# rpc_server IP address and port for RPC server 127.0.0.1:33145
# rpc_server_tls TLS configuration for RPC server validate
# seed_servers List of the seed servers used to join current cluster; If the seed_server list is empty the node will be a cluster root and it will form a new cluster None
# superusers List of superuser usernames None

55
index.yaml Executable file → Normal file
View File

@ -1271,6 +1271,30 @@ entries:
- assets/dynatrace/dynatrace-operator-0.7.2.tgz
version: 0.7.2
external-secrets:
- annotations:
catalog.cattle.io/certified: partner
catalog.cattle.io/display-name: External Secrets Operator
catalog.cattle.io/kube-version: '>= 1.19.0-0'
catalog.cattle.io/release-name: external-secrets
apiVersion: v2
appVersion: v0.6.0
created: "2022-10-11T16:39:34.182619-04:00"
description: External secret management for Kubernetes
digest: d48d5029693cf6327cc60178e870e36a990ae2d45e34174aa188d8ead9e53b65
home: https://github.com/external-secrets/external-secrets
icon: https://raw.githubusercontent.com/external-secrets/external-secrets/main/assets/eso-logo-large.png
keywords:
- kubernetes-external-secrets
- secrets
kubeVersion: '>= 1.19.0-0'
maintainers:
- email: kellinmcavoy@gmail.com
name: mcavoyk
name: external-secrets
type: application
urls:
- assets/external-secrets/external-secrets-0.6.0.tgz
version: 0.6.0
- annotations:
catalog.cattle.io/certified: partner
catalog.cattle.io/display-name: External Secrets Operator
@ -5129,6 +5153,37 @@ entries:
urls:
- assets/portworx/portworx-essentials-2.9.100.tgz
version: 2.9.100
redpanda:
- annotations:
artifacthub.io/images: |
- name: redpanda
image: vectorized/redpanda:v22.2.4
- name: busybox
image: busybox:latest
artifacthub.io/license: Apache-2.0
artifacthub.io/links: |
- name: Documentation
url: https://docs.redpanda.com
catalog.cattle.io/certified: partner
catalog.cattle.io/display-name: Redpanda
catalog.cattle.io/kube-version: '>=1.21-0'
catalog.cattle.io/release-name: redpanda
apiVersion: v2
appVersion: 22.2.5
created: "2022-10-11T16:39:34.564374-04:00"
description: Redpanda is the real-time engine for modern apps.
digest: 4e4db4019873795454da090034c5c062f0d1b98495ac2b25c620ab709b91ae58
icon: https://images.ctfassets.net/paqvtpyf8rwu/3cYHw5UzhXCbKuR24GDFGO/73fb682e6157d11c10d5b2b5da1d5af0/skate-stand-panda.svg
maintainers:
- name: redpanda-data
url: https://github.com/orgs/redpanda-data/people
name: redpanda
sources:
- https://github.com/redpanda-data/helm-charts
type: application
urls:
- assets/redpanda/redpanda-2.1.7.tgz
version: 2.1.7
sextant:
- annotations:
catalog.cattle.io/certified: partner

1
packages/external-secrets-operator/upstream.yaml
View File

@ -2,4 +2,3 @@ HelmRepo: https://charts.external-secrets.io
HelmChart: external-secrets
Vendor: External Secrets
DisplayName: External Secrets Operator
PackageVersion: 01