diff --git a/assets/clastix/kamaji-1.0.0.tgz b/assets/clastix/kamaji-1.0.0.tgz
new file mode 100644
index 000000000..606f6452f
Binary files /dev/null and b/assets/clastix/kamaji-1.0.0.tgz differ
diff --git a/assets/dynatrace/dynatrace-operator-1.2.0.tgz b/assets/dynatrace/dynatrace-operator-1.2.0.tgz
new file mode 100644
index 000000000..b53ac7988
Binary files /dev/null and b/assets/dynatrace/dynatrace-operator-1.2.0.tgz differ
diff --git a/assets/f5/nginx-ingress-1.3.0.tgz b/assets/f5/nginx-ingress-1.3.0.tgz
new file mode 100644
index 000000000..d277752ae
Binary files /dev/null and b/assets/f5/nginx-ingress-1.3.0.tgz differ
diff --git a/assets/haproxy/haproxy-1.40.0.tgz b/assets/haproxy/haproxy-1.40.0.tgz
new file mode 100644
index 000000000..f95812295
Binary files /dev/null and b/assets/haproxy/haproxy-1.40.0.tgz differ
diff --git a/assets/harbor/harbor-1.15.0.tgz b/assets/harbor/harbor-1.15.0.tgz
new file mode 100644
index 000000000..8ce946ebe
Binary files /dev/null and b/assets/harbor/harbor-1.15.0.tgz differ
diff --git a/assets/instana/instana-agent-1.2.73.tgz b/assets/instana/instana-agent-1.2.73.tgz
new file mode 100644
index 000000000..0cf9ef66c
Binary files /dev/null and b/assets/instana/instana-agent-1.2.73.tgz differ
diff --git a/assets/jenkins/jenkins-5.3.3.tgz b/assets/jenkins/jenkins-5.3.3.tgz
new file mode 100644
index 000000000..2b9c627bb
Binary files /dev/null and b/assets/jenkins/jenkins-5.3.3.tgz differ
diff --git a/assets/jfrog/artifactory-ha-107.84.16.tgz b/assets/jfrog/artifactory-ha-107.84.16.tgz
new file mode 100644
index 000000000..4adc83426
Binary files /dev/null and b/assets/jfrog/artifactory-ha-107.84.16.tgz differ
diff --git a/assets/jfrog/artifactory-jcr-107.84.16.tgz b/assets/jfrog/artifactory-jcr-107.84.16.tgz
new file mode 100644
index 000000000..76846c030
Binary files /dev/null and b/assets/jfrog/artifactory-jcr-107.84.16.tgz differ
diff --git a/assets/kasten/k10-7.0.201.tgz b/assets/kasten/k10-7.0.201.tgz
new file mode 100644
index 000000000..f5fdf1ad1
Binary files /dev/null and b/assets/kasten/k10-7.0.201.tgz differ
diff --git a/assets/kasten/k10-7.0.301.tgz b/assets/kasten/k10-7.0.301.tgz
new file mode 100644
index 000000000..208384397
Binary files /dev/null and b/assets/kasten/k10-7.0.301.tgz differ
diff --git a/assets/kubecost/cost-analyzer-2.2.5.tgz b/assets/kubecost/cost-analyzer-2.2.5.tgz
index f007cde54..5b5720271 100644
Binary files a/assets/kubecost/cost-analyzer-2.2.5.tgz and b/assets/kubecost/cost-analyzer-2.2.5.tgz differ
diff --git a/assets/kubecost/cost-analyzer-2.3.1.tgz b/assets/kubecost/cost-analyzer-2.3.1.tgz
new file mode 100644
index 000000000..28bfcfad7
Binary files /dev/null and b/assets/kubecost/cost-analyzer-2.3.1.tgz differ
diff --git a/assets/kuma/kuma-2.8.0.tgz b/assets/kuma/kuma-2.8.0.tgz
new file mode 100644
index 000000000..651977330
Binary files /dev/null and b/assets/kuma/kuma-2.8.0.tgz differ
diff --git a/assets/linkerd/linkerd-control-plane-2024.6.2.tgz b/assets/linkerd/linkerd-control-plane-2024.6.2.tgz
index 120d2492b..75f7a25e9 100644
Binary files a/assets/linkerd/linkerd-control-plane-2024.6.2.tgz and b/assets/linkerd/linkerd-control-plane-2024.6.2.tgz differ
diff --git a/assets/linkerd/linkerd-control-plane-2024.6.4.tgz b/assets/linkerd/linkerd-control-plane-2024.6.4.tgz
new file mode 100644
index 000000000..0bdc8a037
Binary files /dev/null and b/assets/linkerd/linkerd-control-plane-2024.6.4.tgz differ
diff --git a/assets/linkerd/linkerd-crds-2024.6.4.tgz b/assets/linkerd/linkerd-crds-2024.6.4.tgz
new file mode 100644
index 000000000..d2b9aa0cb
Binary files /dev/null and b/assets/linkerd/linkerd-crds-2024.6.4.tgz differ
diff --git a/assets/loft/loft-3.4.8.tgz b/assets/loft/loft-3.4.8.tgz
new file mode 100644
index 000000000..714968321
Binary files /dev/null and b/assets/loft/loft-3.4.8.tgz differ
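Review bot: `assets/kubecost/cost-analyzer-2.2.5.tgz` and `assets/linkerd/linkerd-control-plane-2024.6.2.tgz` are modified in place (`index f007cde54..5b5720271` and `index 120d2492b..75f7a25e9`) rather than added as new versions, so an already-published chart version now has different content behind the same name. Helm consumers that cached the earlier tarball, or that pin by the digest recorded in the repository's `index.yaml`, will see a digest mismatch or silently receive different bits, and to anyone auditing the repo an in-place rewrite is indistinguishable from a tampered artifact. Unless the original upload was broken and is being corrected deliberately, prefer publishing a new patch version and keeping released archives immutable. If the rewrite is intentional, state why in the commit message and confirm that `index.yaml` (not in this excerpt) is regenerated with the new digests.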
diff --git a/assets/mongodb/community-operator-0.10.0.tgz b/assets/mongodb/community-operator-0.10.0.tgz
new file mode 100644
index 000000000..5f45f85df
Binary files /dev/null and b/assets/mongodb/community-operator-0.10.0.tgz differ
diff --git a/assets/new-relic/nri-bundle-5.0.84.tgz b/assets/new-relic/nri-bundle-5.0.84.tgz
new file mode 100644
index 000000000..0d449245a
Binary files /dev/null and b/assets/new-relic/nri-bundle-5.0.84.tgz differ
diff --git a/assets/percona/psmdb-db-1.16.2.tgz b/assets/percona/psmdb-db-1.16.2.tgz
new file mode 100644
index 000000000..93319b84c
Binary files /dev/null and b/assets/percona/psmdb-db-1.16.2.tgz differ
diff --git a/assets/percona/psmdb-operator-1.16.2.tgz b/assets/percona/psmdb-operator-1.16.2.tgz
new file mode 100644
index 000000000..be6153c28
Binary files /dev/null and b/assets/percona/psmdb-operator-1.16.2.tgz differ
diff --git a/assets/percona/pxc-operator-1.14.2.tgz b/assets/percona/pxc-operator-1.14.2.tgz
new file mode 100644
index 000000000..33f3e36f9
Binary files /dev/null and b/assets/percona/pxc-operator-1.14.2.tgz differ
diff --git a/assets/redpanda/redpanda-5.8.11.tgz b/assets/redpanda/redpanda-5.8.11.tgz
new file mode 100644
index 000000000..f46ea4382
Binary files /dev/null and b/assets/redpanda/redpanda-5.8.11.tgz differ
diff --git a/assets/speedscale/speedscale-operator-2.2.74.tgz b/assets/speedscale/speedscale-operator-2.2.74.tgz
new file mode 100644
index 000000000..26a9b8786
Binary files /dev/null and b/assets/speedscale/speedscale-operator-2.2.74.tgz differ
diff --git a/assets/stackstate/stackstate-k8s-agent-1.0.88.tgz b/assets/stackstate/stackstate-k8s-agent-1.0.88.tgz
new file mode 100644
index 000000000..c687b85c6
Binary files /dev/null and b/assets/stackstate/stackstate-k8s-agent-1.0.88.tgz differ
diff --git a/assets/weka/csi-wekafsplugin-2.4.0.tgz b/assets/weka/csi-wekafsplugin-2.4.0.tgz
new file mode 100644
index 000000000..0deb4c0a5
Binary files /dev/null and b/assets/weka/csi-wekafsplugin-2.4.0.tgz differ
diff --git a/assets/yugabyte/yugabyte-2.18.8.tgz b/assets/yugabyte/yugabyte-2.18.8.tgz
new file mode 100644
index 000000000..6cf5da7e1
Binary files /dev/null and b/assets/yugabyte/yugabyte-2.18.8.tgz differ
diff --git a/assets/yugabyte/yugaware-2.18.8.tgz b/assets/yugabyte/yugaware-2.18.8.tgz
new file mode 100644
index 000000000..d88098795
Binary files /dev/null and b/assets/yugabyte/yugaware-2.18.8.tgz differ
diff --git a/charts/clastix/kamaji/Chart.yaml b/charts/clastix/kamaji/Chart.yaml
index 9301b80b4..231611662 100644
--- a/charts/clastix/kamaji/Chart.yaml
+++ b/charts/clastix/kamaji/Chart.yaml
@@ -4,7 +4,7 @@ annotations:
   catalog.cattle.io/kube-version: '>=1.21.0-0'
   catalog.cattle.io/release-name: kamaji
 apiVersion: v2
-appVersion: v0.5.1
+appVersion: v1.0.0
 description: Kamaji is the Hosted Control Plane Manager for Kubernetes.
 home: https://github.com/clastix/kamaji
 icon: https://github.com/clastix/kamaji/raw/master/assets/logo-colored.png
@@ -22,4 +22,4 @@ name: kamaji
 sources:
 - https://github.com/clastix/kamaji
 type: application
-version: 0.15.3
+version: 1.0.0
diff --git a/charts/clastix/kamaji/README.md b/charts/clastix/kamaji/README.md
index b2b60fbe6..89a7d078b 100644
--- a/charts/clastix/kamaji/README.md
+++ b/charts/clastix/kamaji/README.md
@@ -1,6 +1,6 @@ # kamaji -![Version: 0.15.3](https://img.shields.io/badge/Version-0.15.3-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.5.1](https://img.shields.io/badge/AppVersion-v0.5.1-informational?style=flat-square) +![Version: 1.0.0](https://img.shields.io/badge/Version-1.0.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.0.0](https://img.shields.io/badge/AppVersion-v1.0.0-informational?style=flat-square) Kamaji is the Hosted Control Plane Manager for Kubernetes. 
@@ -77,7 +77,7 @@ Here the values you can override:
 | datastore.driver | string | `"etcd"` | (string) The Kamaji Datastore driver, supported: etcd, MySQL, PostgreSQL (defaults=etcd). |
 | datastore.enabled | bool | `true` | (bool) Enable the Kamaji Datastore creation (default=true) |
 | datastore.endpoints | list | `[]` | (array) List of endpoints of the selected Datastore. When letting the Chart install the etcd datastore, this field is populated automatically. |
-| datastore.nameOverride | string | `nil` | The Datastore name override, if empty and enabled=true defaults to `default`, if enabled=false, this is the name of the Datastore to connect to. |
+| datastore.nameOverride | string | `nil` | The Datastore name override, if empty and enabled=true defaults to `default`, if enabled=false, this is the name of the Datastore to connect to. |
 | datastore.tlsConfig.certificateAuthority.certificate.keyPath | string | `nil` | Key of the Secret which contains the content of the certificate. |
 | datastore.tlsConfig.certificateAuthority.certificate.name | string | `nil` | Name of the Secret containing the CA required to establish the mandatory SSL/TLS connection to the datastore. |
 | datastore.tlsConfig.certificateAuthority.certificate.namespace | string | `nil` | Namespace of the Secret containing the CA required to establish the mandatory SSL/TLS connection to the datastore. |
@@ -90,6 +90,7 @@ Here the values you can override: | datastore.tlsConfig.clientCertificate.privateKey.keyPath | string | `nil` | Key of the Secret which contains the content of the private key. | | datastore.tlsConfig.clientCertificate.privateKey.name | string | `nil` | Name of the Secret containing the client certificate private key required to establish the mandatory SSL/TLS connection to the datastore. | | datastore.tlsConfig.clientCertificate.privateKey.namespace | string | `nil` | Namespace of the Secret containing the client certificate private key required to establish the mandatory SSL/TLS connection to the datastore. | +| datastore.tlsConfig.enabled | bool | `true` | | | etcd.compactionInterval | int | `0` | ETCD Compaction interval (e.g. "5m0s"). (default: "0" (disabled)) | | etcd.deploy | bool | `true` | Install an etcd with enabled multi-tenancy along with Kamaji | | etcd.image | object | `{"pullPolicy":"IfNotPresent","repository":"quay.io/coreos/etcd","tag":"v3.5.6"}` | Install specific etcd image | @@ -133,6 +134,7 @@ Here the values you can override: | serviceAccount.create | bool | `true` | | | serviceAccount.name | string | `"kamaji-controller-manager"` | | | serviceMonitor.enabled | bool | `false` | Toggle the ServiceMonitor true if you have Prometheus Operator installed and configured | +| telemetry | object | `{"disabled":false}` | Disable the analytics traces collection | | temporaryDirectoryPath | string | `"/tmp/kamaji"` | Directory which will be used to work with temporary files. (default "/tmp/kamaji") | | tolerations | list | `[]` | Kubernetes node taints that the Kamaji controller pods would tolerate | diff --git a/charts/clastix/kamaji/crds/datastore.yaml b/charts/clastix/kamaji/crds/datastore.yaml index 0077a06e8..974054958 100644 --- a/charts/clastix/kamaji/crds/datastore.yaml +++ b/charts/clastix/kamaji/crds/datastore.yaml 
@@ -71,10 +71,12 @@ spec: minLength: 1 type: string name: - description: name is unique within a namespace to reference a secret resource. + description: name is unique within a namespace to reference + a secret resource. type: string namespace: - description: namespace defines the space within which the secret name must be unique. + description: namespace defines the space within which + the secret name must be unique. type: string required: - keyPath @@ -98,10 +100,12 @@ spec: minLength: 1 type: string name: - description: name is unique within a namespace to reference a secret resource. + description: name is unique within a namespace to reference + a secret resource. type: string namespace: - description: namespace defines the space within which the secret name must be unique. + description: namespace defines the space within which + the secret name must be unique. type: string required: - keyPath @@ -118,6 +122,7 @@ spec: - etcd - MySQL - PostgreSQL + - NATS type: string endpoints: description: |- @@ -128,7 +133,9 @@ spec: minItems: 1 type: array tlsConfig: - description: Defines the TLS/SSL configuration required to connect to the data store in a secure way. + description: |- + Defines the TLS/SSL configuration required to connect to the data store in a secure way. + This value is optional. properties: certificateAuthority: description: |- @@ -152,10 +159,12 @@ spec: minLength: 1 type: string name: - description: name is unique within a namespace to reference a secret resource. + description: name is unique within a namespace to + reference a secret resource. type: string namespace: - description: namespace defines the space within which the secret name must be unique. + description: namespace defines the space within which + the secret name must be unique. type: string required: - keyPath 
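Review bot: `NATS` is added to the `driver` enum in the `@@ -118,6 +122,7 @@` hunk, but the `description:` of that field sits above the hunk and the README row `datastore.driver` left as context earlier in this diff still says `supported: etcd, MySQL, PostgreSQL`, so the documented driver set no longer matches the schema. In the `@@ -128,7 +133,9 @@` hunk the `tlsConfig` description now reads 'required to connect to the data store in a secure way' immediately followed by the new 'This value is optional.', which is contradictory; suggest `Defines the TLS/SSL configuration used to connect to the data store. Optional; when omitted, no TLS settings are passed to the driver.` and adjust the second sentence to whatever the controller actually does without the block, which is not visible here. This CRD looks controller-gen generated (most of the hunk is description re-wrapping), so the wording fix belongs on the Go type's doc comment, and the README fix on `values.yaml`, with the YAML regenerated from them.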
@@ -179,10 +188,12 @@ spec: minLength: 1 type: string name: - description: name is unique within a namespace to reference a secret resource. + description: name is unique within a namespace to + reference a secret resource. type: string namespace: - description: namespace defines the space within which the secret name must be unique. + description: namespace defines the space within which + the secret name must be unique. type: string required: - keyPath @@ -193,7 +204,8 @@ spec: - certificate type: object clientCertificate: - description: Specifies the SSL/TLS key and private key pair used to connect to the data store. + description: Specifies the SSL/TLS key and private key pair used + to connect to the data store. properties: certificate: properties: @@ -212,10 +224,12 @@ spec: minLength: 1 type: string name: - description: name is unique within a namespace to reference a secret resource. + description: name is unique within a namespace to + reference a secret resource. type: string namespace: - description: namespace defines the space within which the secret name must be unique. + description: namespace defines the space within which + the secret name must be unique. type: string required: - keyPath @@ -239,10 +253,12 @@ spec: minLength: 1 type: string name: - description: name is unique within a namespace to reference a secret resource. + description: name is unique within a namespace to + reference a secret resource. type: string namespace: - description: namespace defines the space within which the secret name must be unique. + description: namespace defines the space within which + the secret name must be unique. type: string required: - keyPath 
@@ -255,18 +271,17 @@ spec: type: object required: - certificateAuthority - - clientCertificate type: object required: - driver - endpoints - - tlsConfig type: object status: description: DataStoreStatus defines the observed state of DataStore. properties: usedBy: - description: List of the Tenant Control Planes, namespaced named, using this data store. + description: List of the Tenant Control Planes, namespaced named, + using this data store. items: type: string type: array diff --git a/charts/clastix/kamaji/crds/tenantcontrolplane.yaml b/charts/clastix/kamaji/crds/tenantcontrolplane.yaml index 2af863422..b94dd3288 100644 --- a/charts/clastix/kamaji/crds/tenantcontrolplane.yaml +++ b/charts/clastix/kamaji/crds/tenantcontrolplane.yaml @@ -55,7 +55,8 @@ spec: name: v1alpha1 schema: openAPIV3Schema: - description: TenantControlPlane is the Schema for the tenantcontrolplanes API. + description: TenantControlPlane is the Schema for the tenantcontrolplanes + API. properties: apiVersion: description: |- @@ -97,7 +98,8 @@ spec: type: string type: object konnectivity: - description: Enables the Konnectivity addon in the Tenant Cluster, required if the worker nodes are in a different network. + description: Enables the Konnectivity addon in the Tenant Cluster, + required if the worker nodes are in a different network. properties: agent: default: 
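Review bot: Removing `tlsConfig` from the DataStore `required` list, and `clientCertificate` from the `required` list inside `tlsConfig`, makes a DataStore with no TLS block at all — or with a CA but no client certificate — schema-valid for every driver, including the etcd/MySQL/PostgreSQL backends that hold tenant control-plane state, and nothing in the new schema ties the relaxation to the driver. The field descriptions kept as context still call the connection 'mandatory SSL/TLS' (as do the README `datastore.tlsConfig.*` rows earlier in this diff), so either that text or the schema is wrong, and what the controller does when the block is absent (plaintext transport, no client authentication) is not visible in this diff and should be confirmed before release. If only certain drivers may omit it, a CEL rule on the spec enforces the intent at admission, e.g. `x-kubernetes-validations:` / `- rule: "has(self.tlsConfig) || self.driver == 'NATS'"` / `message: "tlsConfig is required for this driver"` (substitute the real exemption list). Because this CRD is controller-gen output, the rule belongs on the Go type as a `+kubebuilder:validation:XValidation` marker rather than being hand-edited here.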
@@ -115,8 +117,53 @@ spec: type: array image: default: registry.k8s.io/kas-network-proxy/proxy-agent - description: AgentImage defines the container image for Konnectivity's agent. + description: AgentImage defines the container image for + Konnectivity's agent. type: string + tolerations: + default: + - key: CriticalAddonsOnly + operator: Exists + description: |- + Tolerations for the deployed agent. + Can be customized to start the konnectivity-agent even if the nodes are not ready or tainted. + items: + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . + properties: + effect: + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. + type: string + operator: + description: |- + Operator represents a key's relationship to the value. + Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. + type: string + tolerationSeconds: + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. + format: int64 + type: integer + value: + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. 
+ type: string + type: object + type: array version: default: v0.0.32 description: Version for Konnectivity agent. @@ -139,14 +186,17 @@ spec: type: array image: default: registry.k8s.io/kas-network-proxy/proxy-server - description: Container image used by the Konnectivity server. + description: Container image used by the Konnectivity + server. type: string port: - description: The port which Konnectivity server is listening to. + description: The port which Konnectivity server is listening + to. format: int32 type: integer resources: - description: Resources define the amount of CPU and memory to allocate to the Konnectivity server. + description: Resources define the amount of CPU and memory + to allocate to the Konnectivity server. properties: claims: description: |- @@ -160,7 +210,8 @@ spec: This field is immutable. It can only be set for containers. items: - description: ResourceClaim references one entry in PodSpec.ResourceClaims. + description: ResourceClaim references one entry + in PodSpec.ResourceClaims. properties: name: description: |- @@ -202,7 +253,8 @@ spec: type: object version: default: v0.0.32 - description: Container image version of the Konnectivity server. + description: Container image version of the Konnectivity + server. type: string required: - port 
@@ -231,12 +283,15 @@ spec: such as the number of Pod replicas, the Service resource, or the Ingress. properties: deployment: - description: Defining the options for the deployed Tenant Control Plane as Deployment resource. + description: Defining the options for the deployed Tenant Control + Plane as Deployment resource. properties: additionalContainers: - description: AdditionalContainers allows adding additional containers to the Control Plane deployment. + description: AdditionalContainers allows adding additional + containers to the Control Plane deployment. items: - description: A single application container that you want to run within a pod. + description: A single application container that you want + to run within a pod. properties: args: description: |- @@ -271,10 +326,12 @@ spec: List of environment variables to set in the container. Cannot be updated. items: - description: EnvVar represents an environment variable present in a Container. + description: EnvVar represents an environment variable + present in a Container. properties: name: - description: Name of the environment variable. Must be a C_IDENTIFIER. + description: Name of the environment variable. + Must be a C_IDENTIFIER. type: string value: description: |- @@ -289,7 +346,8 @@ spec: Defaults to "". type: string valueFrom: - description: Source for the environment variable's value. Cannot be used if value is not empty. + description: Source for the environment variable's + value. Cannot be used if value is not empty. properties: configMapKeyRef: description: Selects a key of a ConfigMap. @@ -304,7 +362,8 @@ spec: TODO: Add other useful fields. apiVersion, kind, uid? type: string optional: - description: Specify whether the ConfigMap or its key must be defined + description: Specify whether the ConfigMap + or its key must be defined type: boolean required: - key 
@@ -316,10 +375,13 @@ spec: spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs. properties: apiVersion: - description: Version of the schema the FieldPath is written in terms of, defaults to "v1". + description: Version of the schema the + FieldPath is written in terms of, defaults + to "v1". type: string fieldPath: - description: Path of the field to select in the specified API version. + description: Path of the field to select + in the specified API version. type: string required: - fieldPath @@ -331,13 +393,16 @@ spec: (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported. properties: containerName: - description: 'Container name: required for volumes, optional for env vars' + description: 'Container name: required + for volumes, optional for env vars' type: string divisor: anyOf: - type: integer - type: string - description: Specifies the output format of the exposed resources, defaults to "1" + description: Specifies the output format + of the exposed resources, defaults to + "1" pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true resource: @@ -348,10 +413,13 @@ spec: type: object x-kubernetes-map-type: atomic secretKeyRef: - description: Selects a key of a secret in the pod's namespace + description: Selects a key of a secret in + the pod's namespace properties: key: - description: The key of the secret to select from. Must be a valid secret key. + description: The key of the secret to + select from. Must be a valid secret + key. type: string name: description: |- @@ -360,7 +428,8 @@ spec: TODO: Add other useful fields. apiVersion, kind, uid? type: string optional: - description: Specify whether the Secret or its key must be defined + description: Specify whether the Secret + or its key must be defined type: boolean required: - key 
@@ -383,7 +452,8 @@ spec: Values defined by an Env with a duplicate key will take precedence. Cannot be updated. items: - description: EnvFromSource represents the source of a set of ConfigMaps + description: EnvFromSource represents the source of + a set of ConfigMaps properties: configMapRef: description: The ConfigMap to select from @@ -395,12 +465,14 @@ spec: TODO: Add other useful fields. apiVersion, kind, uid? type: string optional: - description: Specify whether the ConfigMap must be defined + description: Specify whether the ConfigMap + must be defined type: boolean type: object x-kubernetes-map-type: atomic prefix: - description: An optional identifier to prepend to each key in the ConfigMap. Must be a C_IDENTIFIER. + description: An optional identifier to prepend + to each key in the ConfigMap. Must be a C_IDENTIFIER. type: string secretRef: description: The Secret to select from @@ -412,7 +484,8 @@ spec: TODO: Add other useful fields. apiVersion, kind, uid? type: string optional: - description: Specify whether the Secret must be defined + description: Specify whether the Secret must + be defined type: boolean type: object x-kubernetes-map-type: atomic @@ -462,7 +535,8 @@ spec: x-kubernetes-list-type: atomic type: object httpGet: - description: HTTPGet specifies the http request to perform. + description: HTTPGet specifies the http request + to perform. properties: host: description: |- @@ -470,9 +544,11 @@ spec: "Host" in httpHeaders instead. type: string httpHeaders: - description: Custom headers to set in the request. HTTP allows repeated headers. + description: Custom headers to set in the + request. HTTP allows repeated headers. items: - description: HTTPHeader describes a custom header to be used in HTTP probes + description: HTTPHeader describes a custom + header to be used in HTTP probes properties: name: description: |- 
@@ -489,7 +565,8 @@ spec: type: array x-kubernetes-list-type: atomic path: - description: Path to access on the HTTP server. + description: Path to access on the HTTP + server. type: string port: anyOf: @@ -509,10 +586,12 @@ spec: - port type: object sleep: - description: Sleep represents the duration that the container should sleep before being terminated. + description: Sleep represents the duration that + the container should sleep before being terminated. properties: seconds: - description: Seconds is the number of seconds to sleep. + description: Seconds is the number of seconds + to sleep. format: int64 type: integer required: @@ -525,7 +604,8 @@ spec: lifecycle hooks will fail in runtime when tcp handler is specified. properties: host: - description: 'Optional: Host name to connect to, defaults to the pod IP.' + description: 'Optional: Host name to connect + to, defaults to the pod IP.' type: string port: anyOf: @@ -568,7 +648,8 @@ spec: x-kubernetes-list-type: atomic type: object httpGet: - description: HTTPGet specifies the http request to perform. + description: HTTPGet specifies the http request + to perform. properties: host: description: |- @@ -576,9 +657,11 @@ spec: "Host" in httpHeaders instead. type: string httpHeaders: - description: Custom headers to set in the request. HTTP allows repeated headers. + description: Custom headers to set in the + request. HTTP allows repeated headers. items: - description: HTTPHeader describes a custom header to be used in HTTP probes + description: HTTPHeader describes a custom + header to be used in HTTP probes properties: name: description: |- @@ -595,7 +678,8 @@ spec: type: array x-kubernetes-list-type: atomic path: - description: Path to access on the HTTP server. + description: Path to access on the HTTP + server. type: string port: anyOf: 
@@ -615,10 +699,12 @@ spec: - port type: object sleep: - description: Sleep represents the duration that the container should sleep before being terminated. + description: Sleep represents the duration that + the container should sleep before being terminated. properties: seconds: - description: Seconds is the number of seconds to sleep. + description: Seconds is the number of seconds + to sleep. format: int64 type: integer required: @@ -631,7 +717,8 @@ spec: lifecycle hooks will fail in runtime when tcp handler is specified. properties: host: - description: 'Optional: Host name to connect to, defaults to the pod IP.' + description: 'Optional: Host name to connect + to, defaults to the pod IP.' type: string port: anyOf: @@ -676,10 +763,12 @@ spec: format: int32 type: integer grpc: - description: GRPC specifies an action involving a GRPC port. + description: GRPC specifies an action involving + a GRPC port. properties: port: - description: Port number of the gRPC service. Number must be in the range 1 to 65535. + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. format: int32 type: integer service: @@ -694,7 +783,8 @@ spec: - port type: object httpGet: - description: HTTPGet specifies the http request to perform. + description: HTTPGet specifies the http request + to perform. properties: host: description: |- @@ -702,9 +792,11 @@ spec: "Host" in httpHeaders instead. type: string httpHeaders: - description: Custom headers to set in the request. HTTP allows repeated headers. + description: Custom headers to set in the request. + HTTP allows repeated headers. items: - description: HTTPHeader describes a custom header to be used in HTTP probes + description: HTTPHeader describes a custom + header to be used in HTTP probes properties: name: description: |- 
@@ -759,10 +851,12 @@ spec: format: int32 type: integer tcpSocket: - description: TCPSocket specifies an action involving a TCP port. + description: TCPSocket specifies an action involving + a TCP port. properties: host: - description: 'Optional: Host name to connect to, defaults to the pod IP.' + description: 'Optional: Host name to connect + to, defaults to the pod IP.' type: string port: anyOf: @@ -814,7 +908,8 @@ spec: For more information See https://github.com/kubernetes/kubernetes/issues/108255. Cannot be updated. items: - description: ContainerPort represents a network port in a single container. + description: ContainerPort represents a network port + in a single container. properties: containerPort: description: |- @@ -823,7 +918,8 @@ spec: format: int32 type: integer hostIP: - description: What host IP to bind the external port to. + description: What host IP to bind the external + port to. type: string hostPort: description: |- @@ -882,10 +978,12 @@ spec: format: int32 type: integer grpc: - description: GRPC specifies an action involving a GRPC port. + description: GRPC specifies an action involving + a GRPC port. properties: port: - description: Port number of the gRPC service. Number must be in the range 1 to 65535. + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. format: int32 type: integer service: @@ -900,7 +998,8 @@ spec: - port type: object httpGet: - description: HTTPGet specifies the http request to perform. + description: HTTPGet specifies the http request + to perform. properties: host: description: |- 
@@ -908,9 +1007,11 @@ spec: "Host" in httpHeaders instead. type: string httpHeaders: - description: Custom headers to set in the request. HTTP allows repeated headers. + description: Custom headers to set in the request. + HTTP allows repeated headers. items: - description: HTTPHeader describes a custom header to be used in HTTP probes + description: HTTPHeader describes a custom + header to be used in HTTP probes properties: name: description: |- @@ -965,10 +1066,12 @@ spec: format: int32 type: integer tcpSocket: - description: TCPSocket specifies an action involving a TCP port. + description: TCPSocket specifies an action involving + a TCP port. properties: host: - description: 'Optional: Host name to connect to, defaults to the pod IP.' + description: 'Optional: Host name to connect + to, defaults to the pod IP.' type: string port: anyOf: @@ -1007,7 +1110,8 @@ spec: resizePolicy: description: Resources resize policy for the container. items: - description: ContainerResizePolicy represents resource resize policy for the container. + description: ContainerResizePolicy represents resource + resize policy for the container. properties: resourceName: description: |- @@ -1043,7 +1147,8 @@ spec: This field is immutable. It can only be set for containers. items: - description: ResourceClaim references one entry in PodSpec.ResourceClaims. + description: ResourceClaim references one entry + in PodSpec.ResourceClaims. properties: name: description: |- @@ -1150,14 +1255,16 @@ spec: add: description: Added capabilities items: - description: Capability represent POSIX capabilities type + description: Capability represent POSIX capabilities + type type: string type: array x-kubernetes-list-type: atomic drop: description: Removed capabilities items: - description: Capability represent POSIX capabilities type + description: Capability represent POSIX capabilities + type type: string type: array x-kubernetes-list-type: atomic 
@@ -1219,16 +1326,20 @@ spec: Note that this field cannot be set when spec.os.name is windows. properties: level: - description: Level is SELinux level label that applies to the container. + description: Level is SELinux level label that + applies to the container. type: string role: - description: Role is a SELinux role label that applies to the container. + description: Role is a SELinux role label that + applies to the container. type: string type: - description: Type is a SELinux type label that applies to the container. + description: Type is a SELinux type label that + applies to the container. type: string user: - description: User is a SELinux user label that applies to the container. + description: User is a SELinux user label that + applies to the container. type: string type: object seccompProfile: @@ -1272,7 +1383,8 @@ spec: GMSA credential spec named by the GMSACredentialSpecName field. type: string gmsaCredentialSpecName: - description: GMSACredentialSpecName is the name of the GMSA credential spec to use. + description: GMSACredentialSpecName is the name + of the GMSA credential spec to use. type: string hostProcess: description: |- @@ -1322,10 +1434,12 @@ spec: format: int32 type: integer grpc: - description: GRPC specifies an action involving a GRPC port. + description: GRPC specifies an action involving + a GRPC port. properties: port: - description: Port number of the gRPC service. Number must be in the range 1 to 65535. + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. format: int32 type: integer service: @@ -1340,7 +1454,8 @@ spec: - port type: object httpGet: - description: HTTPGet specifies the http request to perform. + description: HTTPGet specifies the http request + to perform. properties: host: description: |- 
@@ -1348,9 +1463,11 @@ spec: "Host" in httpHeaders instead. type: string httpHeaders: - description: Custom headers to set in the request. HTTP allows repeated headers. + description: Custom headers to set in the request. + HTTP allows repeated headers. items: - description: HTTPHeader describes a custom header to be used in HTTP probes + description: HTTPHeader describes a custom + header to be used in HTTP probes properties: name: description: |- @@ -1405,10 +1522,12 @@ spec: format: int32 type: integer tcpSocket: - description: TCPSocket specifies an action involving a TCP port. + description: TCPSocket specifies an action involving + a TCP port. properties: host: - description: 'Optional: Host name to connect to, defaults to the pod IP.' + description: 'Optional: Host name to connect + to, defaults to the pod IP.' type: string port: anyOf: @@ -1486,15 +1605,20 @@ spec: Default is false. type: boolean volumeDevices: - description: volumeDevices is the list of block devices to be used by the container. + description: volumeDevices is the list of block devices + to be used by the container. items: - description: volumeDevice describes a mapping of a raw block device within a container. + description: volumeDevice describes a mapping of a + raw block device within a container. properties: devicePath: - description: devicePath is the path inside of the container that the device will be mapped to. + description: devicePath is the path inside of + the container that the device will be mapped + to. type: string name: - description: name must match the name of a persistentVolumeClaim in the pod + description: name must match the name of a persistentVolumeClaim + in the pod type: string required: - devicePath 
@@ -1509,7 +1633,8 @@ spec: Pod volumes to mount into the container's filesystem. Cannot be updated. items: - description: VolumeMount describes a mounting of a Volume within a container. + description: VolumeMount describes a mounting of a + Volume within a container. properties: mountPath: description: |- @@ -1588,9 +1713,11 @@ spec: type: object type: array additionalInitContainers: - description: AdditionalInitContainers allows adding additional init containers to the Control Plane deployment. + description: AdditionalInitContainers allows adding additional + init containers to the Control Plane deployment. items: - description: A single application container that you want to run within a pod. + description: A single application container that you want + to run within a pod. properties: args: description: |- @@ -1625,10 +1752,12 @@ spec: List of environment variables to set in the container. Cannot be updated. items: - description: EnvVar represents an environment variable present in a Container. + description: EnvVar represents an environment variable + present in a Container. properties: name: - description: Name of the environment variable. Must be a C_IDENTIFIER. + description: Name of the environment variable. + Must be a C_IDENTIFIER. type: string value: description: |- @@ -1643,7 +1772,8 @@ spec: Defaults to "". type: string valueFrom: - description: Source for the environment variable's value. Cannot be used if value is not empty. + description: Source for the environment variable's + value. Cannot be used if value is not empty. properties: configMapKeyRef: description: Selects a key of a ConfigMap. @@ -1658,7 +1788,8 @@ spec: TODO: Add other useful fields. apiVersion, kind, uid? type: string optional: - description: Specify whether the ConfigMap or its key must be defined + description: Specify whether the ConfigMap + or its key must be defined type: boolean required: - key 
@@ -1670,10 +1801,13 @@ spec: spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs. properties: apiVersion: - description: Version of the schema the FieldPath is written in terms of, defaults to "v1". + description: Version of the schema the + FieldPath is written in terms of, defaults + to "v1". type: string fieldPath: - description: Path of the field to select in the specified API version. + description: Path of the field to select + in the specified API version. type: string required: - fieldPath @@ -1685,13 +1819,16 @@ spec: (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported. properties: containerName: - description: 'Container name: required for volumes, optional for env vars' + description: 'Container name: required + for volumes, optional for env vars' type: string divisor: anyOf: - type: integer - type: string - description: Specifies the output format of the exposed resources, defaults to "1" + description: Specifies the output format + of the exposed resources, defaults to + "1" pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true resource: @@ -1702,10 +1839,13 @@ spec: type: object x-kubernetes-map-type: atomic secretKeyRef: - description: Selects a key of a secret in the pod's namespace + description: Selects a key of a secret in + the pod's namespace properties: key: - description: The key of the secret to select from. Must be a valid secret key. + description: The key of the secret to + select from. Must be a valid secret + key. type: string name: description: |- @@ -1714,7 +1854,8 @@ spec: TODO: Add other useful fields. apiVersion, kind, uid? type: string optional: - description: Specify whether the Secret or its key must be defined + description: Specify whether the Secret + or its key must be defined type: boolean required: - key 
@@ -1737,7 +1878,8 @@ spec: Values defined by an Env with a duplicate key will take precedence. Cannot be updated. items: - description: EnvFromSource represents the source of a set of ConfigMaps + description: EnvFromSource represents the source of + a set of ConfigMaps properties: configMapRef: description: The ConfigMap to select from @@ -1749,12 +1891,14 @@ spec: TODO: Add other useful fields. apiVersion, kind, uid? type: string optional: - description: Specify whether the ConfigMap must be defined + description: Specify whether the ConfigMap + must be defined type: boolean type: object x-kubernetes-map-type: atomic prefix: - description: An optional identifier to prepend to each key in the ConfigMap. Must be a C_IDENTIFIER. + description: An optional identifier to prepend + to each key in the ConfigMap. Must be a C_IDENTIFIER. type: string secretRef: description: The Secret to select from @@ -1766,7 +1910,8 @@ spec: TODO: Add other useful fields. apiVersion, kind, uid? type: string optional: - description: Specify whether the Secret must be defined + description: Specify whether the Secret must + be defined type: boolean type: object x-kubernetes-map-type: atomic @@ -1816,7 +1961,8 @@ spec: x-kubernetes-list-type: atomic type: object httpGet: - description: HTTPGet specifies the http request to perform. + description: HTTPGet specifies the http request + to perform. properties: host: description: |- @@ -1824,9 +1970,11 @@ spec: "Host" in httpHeaders instead. type: string httpHeaders: - description: Custom headers to set in the request. HTTP allows repeated headers. + description: Custom headers to set in the + request. HTTP allows repeated headers. items: - description: HTTPHeader describes a custom header to be used in HTTP probes + description: HTTPHeader describes a custom + header to be used in HTTP probes properties: name: description: |- 
@@ -1843,7 +1991,8 @@ spec: type: array x-kubernetes-list-type: atomic path: - description: Path to access on the HTTP server. + description: Path to access on the HTTP + server. type: string port: anyOf: @@ -1863,10 +2012,12 @@ spec: - port type: object sleep: - description: Sleep represents the duration that the container should sleep before being terminated. + description: Sleep represents the duration that + the container should sleep before being terminated. properties: seconds: - description: Seconds is the number of seconds to sleep. + description: Seconds is the number of seconds + to sleep. format: int64 type: integer required: @@ -1879,7 +2030,8 @@ spec: lifecycle hooks will fail in runtime when tcp handler is specified. properties: host: - description: 'Optional: Host name to connect to, defaults to the pod IP.' + description: 'Optional: Host name to connect + to, defaults to the pod IP.' type: string port: anyOf: @@ -1922,7 +2074,8 @@ spec: x-kubernetes-list-type: atomic type: object httpGet: - description: HTTPGet specifies the http request to perform. + description: HTTPGet specifies the http request + to perform. properties: host: description: |- @@ -1930,9 +2083,11 @@ spec: "Host" in httpHeaders instead. type: string httpHeaders: - description: Custom headers to set in the request. HTTP allows repeated headers. + description: Custom headers to set in the + request. HTTP allows repeated headers. items: - description: HTTPHeader describes a custom header to be used in HTTP probes + description: HTTPHeader describes a custom + header to be used in HTTP probes properties: name: description: |- @@ -1949,7 +2104,8 @@ spec: type: array x-kubernetes-list-type: atomic path: - description: Path to access on the HTTP server. + description: Path to access on the HTTP + server. type: string port: anyOf: 
@@ -1969,10 +2125,12 @@ spec: - port type: object sleep: - description: Sleep represents the duration that the container should sleep before being terminated. + description: Sleep represents the duration that + the container should sleep before being terminated. properties: seconds: - description: Seconds is the number of seconds to sleep. + description: Seconds is the number of seconds + to sleep. format: int64 type: integer required: @@ -1985,7 +2143,8 @@ spec: lifecycle hooks will fail in runtime when tcp handler is specified. properties: host: - description: 'Optional: Host name to connect to, defaults to the pod IP.' + description: 'Optional: Host name to connect + to, defaults to the pod IP.' type: string port: anyOf: @@ -2030,10 +2189,12 @@ spec: format: int32 type: integer grpc: - description: GRPC specifies an action involving a GRPC port. + description: GRPC specifies an action involving + a GRPC port. properties: port: - description: Port number of the gRPC service. Number must be in the range 1 to 65535. + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. format: int32 type: integer service: @@ -2048,7 +2209,8 @@ spec: - port type: object httpGet: - description: HTTPGet specifies the http request to perform. + description: HTTPGet specifies the http request + to perform. properties: host: description: |- @@ -2056,9 +2218,11 @@ spec: "Host" in httpHeaders instead. type: string httpHeaders: - description: Custom headers to set in the request. HTTP allows repeated headers. + description: Custom headers to set in the request. + HTTP allows repeated headers. items: - description: HTTPHeader describes a custom header to be used in HTTP probes + description: HTTPHeader describes a custom + header to be used in HTTP probes properties: name: description: |- 
@@ -2113,10 +2277,12 @@ spec: format: int32 type: integer tcpSocket: - description: TCPSocket specifies an action involving a TCP port. + description: TCPSocket specifies an action involving + a TCP port. properties: host: - description: 'Optional: Host name to connect to, defaults to the pod IP.' + description: 'Optional: Host name to connect + to, defaults to the pod IP.' type: string port: anyOf: @@ -2168,7 +2334,8 @@ spec: For more information See https://github.com/kubernetes/kubernetes/issues/108255. Cannot be updated. items: - description: ContainerPort represents a network port in a single container. + description: ContainerPort represents a network port + in a single container. properties: containerPort: description: |- @@ -2177,7 +2344,8 @@ spec: format: int32 type: integer hostIP: - description: What host IP to bind the external port to. + description: What host IP to bind the external + port to. type: string hostPort: description: |- @@ -2236,10 +2404,12 @@ spec: format: int32 type: integer grpc: - description: GRPC specifies an action involving a GRPC port. + description: GRPC specifies an action involving + a GRPC port. properties: port: - description: Port number of the gRPC service. Number must be in the range 1 to 65535. + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. format: int32 type: integer service: @@ -2254,7 +2424,8 @@ spec: - port type: object httpGet: - description: HTTPGet specifies the http request to perform. + description: HTTPGet specifies the http request + to perform. properties: host: description: |- 
@@ -2262,9 +2433,11 @@ spec: "Host" in httpHeaders instead. type: string httpHeaders: - description: Custom headers to set in the request. HTTP allows repeated headers. + description: Custom headers to set in the request. + HTTP allows repeated headers. items: - description: HTTPHeader describes a custom header to be used in HTTP probes + description: HTTPHeader describes a custom + header to be used in HTTP probes properties: name: description: |- @@ -2319,10 +2492,12 @@ spec: format: int32 type: integer tcpSocket: - description: TCPSocket specifies an action involving a TCP port. + description: TCPSocket specifies an action involving + a TCP port. properties: host: - description: 'Optional: Host name to connect to, defaults to the pod IP.' + description: 'Optional: Host name to connect + to, defaults to the pod IP.' type: string port: anyOf: @@ -2361,7 +2536,8 @@ spec: resizePolicy: description: Resources resize policy for the container. items: - description: ContainerResizePolicy represents resource resize policy for the container. + description: ContainerResizePolicy represents resource + resize policy for the container. properties: resourceName: description: |- @@ -2397,7 +2573,8 @@ spec: This field is immutable. It can only be set for containers. items: - description: ResourceClaim references one entry in PodSpec.ResourceClaims. + description: ResourceClaim references one entry + in PodSpec.ResourceClaims. properties: name: description: |- @@ -2504,14 +2681,16 @@ spec: add: description: Added capabilities items: - description: Capability represent POSIX capabilities type + description: Capability represent POSIX capabilities + type type: string type: array x-kubernetes-list-type: atomic drop: description: Removed capabilities items: - description: Capability represent POSIX capabilities type + description: Capability represent POSIX capabilities + type type: string type: array x-kubernetes-list-type: atomic 
@@ -2573,16 +2752,20 @@ spec: Note that this field cannot be set when spec.os.name is windows. properties: level: - description: Level is SELinux level label that applies to the container. + description: Level is SELinux level label that + applies to the container. type: string role: - description: Role is a SELinux role label that applies to the container. + description: Role is a SELinux role label that + applies to the container. type: string type: - description: Type is a SELinux type label that applies to the container. + description: Type is a SELinux type label that + applies to the container. type: string user: - description: User is a SELinux user label that applies to the container. + description: User is a SELinux user label that + applies to the container. type: string type: object seccompProfile: @@ -2626,7 +2809,8 @@ spec: GMSA credential spec named by the GMSACredentialSpecName field. type: string gmsaCredentialSpecName: - description: GMSACredentialSpecName is the name of the GMSA credential spec to use. + description: GMSACredentialSpecName is the name + of the GMSA credential spec to use. type: string hostProcess: description: |- @@ -2676,10 +2860,12 @@ spec: format: int32 type: integer grpc: - description: GRPC specifies an action involving a GRPC port. + description: GRPC specifies an action involving + a GRPC port. properties: port: - description: Port number of the gRPC service. Number must be in the range 1 to 65535. + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. format: int32 type: integer service: @@ -2694,7 +2880,8 @@ spec: - port type: object httpGet: - description: HTTPGet specifies the http request to perform. + description: HTTPGet specifies the http request + to perform. properties: host: description: |- 
@@ -2702,9 +2889,11 @@ spec: "Host" in httpHeaders instead. type: string httpHeaders: - description: Custom headers to set in the request. HTTP allows repeated headers. + description: Custom headers to set in the request. + HTTP allows repeated headers. items: - description: HTTPHeader describes a custom header to be used in HTTP probes + description: HTTPHeader describes a custom + header to be used in HTTP probes properties: name: description: |- @@ -2759,10 +2948,12 @@ spec: format: int32 type: integer tcpSocket: - description: TCPSocket specifies an action involving a TCP port. + description: TCPSocket specifies an action involving + a TCP port. properties: host: - description: 'Optional: Host name to connect to, defaults to the pod IP.' + description: 'Optional: Host name to connect + to, defaults to the pod IP.' type: string port: anyOf: @@ -2840,15 +3031,20 @@ spec: Default is false. type: boolean volumeDevices: - description: volumeDevices is the list of block devices to be used by the container. + description: volumeDevices is the list of block devices + to be used by the container. items: - description: volumeDevice describes a mapping of a raw block device within a container. + description: volumeDevice describes a mapping of a + raw block device within a container. properties: devicePath: - description: devicePath is the path inside of the container that the device will be mapped to. + description: devicePath is the path inside of + the container that the device will be mapped + to. type: string name: - description: name must match the name of a persistentVolumeClaim in the pod + description: name must match the name of a persistentVolumeClaim + in the pod type: string required: - devicePath 
@@ -2863,7 +3059,8 @@ spec: Pod volumes to mount into the container's filesystem. Cannot be updated. items: - description: VolumeMount describes a mounting of a Volume within a container. + description: VolumeMount describes a mounting of a + Volume within a container. properties: mountPath: description: |- @@ -2942,7 +3139,9 @@ spec: type: object type: array additionalMetadata: - description: AdditionalMetadata defines which additional metadata, such as labels and annotations, must be attached to the created resource. + description: AdditionalMetadata defines which additional metadata, + such as labels and annotations, must be attached to the + created resource. properties: annotations: additionalProperties: @@ -2960,7 +3159,8 @@ spec: properties: apiServer: items: - description: VolumeMount describes a mounting of a Volume within a container. + description: VolumeMount describes a mounting of a Volume + within a container. properties: mountPath: description: |- @@ -3026,7 +3226,8 @@ spec: type: array controllerManager: items: - description: VolumeMount describes a mounting of a Volume within a container. + description: VolumeMount describes a mounting of a Volume + within a container. properties: mountPath: description: |- @@ -3092,7 +3293,8 @@ spec: type: array scheduler: items: - description: VolumeMount describes a mounting of a Volume within a container. + description: VolumeMount describes a mounting of a Volume + within a container. properties: mountPath: description: |- 
@@ -3158,9 +3360,11 @@ spec: type: array type: object additionalVolumes: - description: AdditionalVolumes allows to add additional volumes to the Control Plane deployment. + description: AdditionalVolumes allows to add additional volumes + to the Control Plane deployment. items: - description: Volume represents a named volume in a pod that may be accessed by any container in the pod. + description: Volume represents a named volume in a pod that + may be accessed by any container in the pod. properties: awsElasticBlockStore: description: |- @@ -3198,16 +3402,20 @@ spec: - volumeID type: object azureDisk: - description: azureDisk represents an Azure Data Disk mount on the host and bind mount to the pod. + description: azureDisk represents an Azure Data Disk + mount on the host and bind mount to the pod. properties: cachingMode: - description: 'cachingMode is the Host Caching mode: None, Read Only, Read Write.' + description: 'cachingMode is the Host Caching mode: + None, Read Only, Read Write.' type: string diskName: - description: diskName is the Name of the data disk in the blob storage + description: diskName is the Name of the data disk + in the blob storage type: string diskURI: - description: diskURI is the URI of data disk in the blob storage + description: diskURI is the URI of data disk in + the blob storage type: string fsType: description: |- @@ -3216,7 +3424,11 @@ spec: Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. type: string kind: - description: 'kind expected values are Shared: multiple blob disks per storage account Dedicated: single blob disk per storage account Managed: azure managed data disk (only in managed availability set). defaults to shared' + description: 'kind expected values are Shared: multiple + blob disks per storage account Dedicated: single + blob disk per storage account Managed: azure + managed data disk (only in managed availability + set). defaults to shared' type: string readOnly: description: |- 
@@ -3228,7 +3440,8 @@ spec: - diskURI type: object azureFile: - description: azureFile represents an Azure File Service mount on the host and bind mount to the pod. + description: azureFile represents an Azure File Service + mount on the host and bind mount to the pod. properties: readOnly: description: |- @@ -3236,7 +3449,8 @@ spec: the ReadOnly setting in VolumeMounts. type: boolean secretName: - description: secretName is the name of secret that contains Azure Storage Account Name and Key + description: secretName is the name of secret that + contains Azure Storage Account Name and Key type: string shareName: description: shareName is the azure share Name @@ -3246,7 +3460,8 @@ spec: - shareName type: object cephfs: - description: cephFS represents a Ceph FS mount on the host that shares a pod's lifetime + description: cephFS represents a Ceph FS mount on the + host that shares a pod's lifetime properties: monitors: description: |- @@ -3257,7 +3472,9 @@ spec: type: array x-kubernetes-list-type: atomic path: - description: 'path is Optional: Used as the mounted root, rather than the full Ceph tree, default is /' + description: 'path is Optional: Used as the mounted + root, rather than the full Ceph tree, default + is /' type: string readOnly: description: |- @@ -3331,7 +3548,8 @@ spec: - volumeID type: object configMap: - description: configMap represents a configMap that should populate this volume + description: configMap represents a configMap that should + populate this volume properties: defaultMode: description: |- @@ -3354,7 +3572,8 @@ spec: the volume setup will error unless it is marked optional. Paths must be relative and may not contain the '..' path or start with '..'. items: - description: Maps a string key to a path within a volume. + description: Maps a string key to a path within + a volume. properties: key: description: key is the key to project. 
@@ -3389,12 +3608,15 @@ spec: TODO: Add other useful fields. apiVersion, kind, uid? type: string optional: - description: optional specify whether the ConfigMap or its keys must be defined + description: optional specify whether the ConfigMap + or its keys must be defined type: boolean type: object x-kubernetes-map-type: atomic csi: - description: csi (Container Storage Interface) represents ephemeral storage that is handled by certain external CSI drivers (Beta feature). + description: csi (Container Storage Interface) represents + ephemeral storage that is handled by certain external + CSI drivers (Beta feature). properties: driver: description: |- @@ -3439,7 +3661,8 @@ spec: - driver type: object downwardAPI: - description: downwardAPI represents downward API about the pod that should populate this volume + description: downwardAPI represents downward API about + the pod that should populate this volume properties: defaultMode: description: |- 
@@ -3454,18 +3677,26 @@ spec: format: int32 type: integer items: - description: Items is a list of downward API volume file + description: Items is a list of downward API volume + file items: - description: DownwardAPIVolumeFile represents information to create the file containing the pod field + description: DownwardAPIVolumeFile represents + information to create the file containing the + pod field properties: fieldRef: - description: 'Required: Selects a field of the pod: only annotations, labels, name, namespace and uid are supported.' + description: 'Required: Selects a field of + the pod: only annotations, labels, name, + namespace and uid are supported.' properties: apiVersion: - description: Version of the schema the FieldPath is written in terms of, defaults to "v1". + description: Version of the schema the + FieldPath is written in terms of, defaults + to "v1". type: string fieldPath: - description: Path of the field to select in the specified API version. + description: Path of the field to select + in the specified API version. type: string required: - fieldPath @@ -3482,7 +3713,11 @@ spec: format: int32 type: integer path: - description: 'Required: Path is the relative path name of the file to be created. Must not be absolute or contain the ''..'' path. Must be utf-8 encoded. The first item of the relative path must not start with ''..''' + description: 'Required: Path is the relative + path name of the file to be created. Must + not be absolute or contain the ''..'' path. + Must be utf-8 encoded. The first item of + the relative path must not start with ''..''' type: string resourceFieldRef: description: |- 
@@ -3490,13 +3725,16 @@ spec: (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported. properties: containerName: - description: 'Container name: required for volumes, optional for env vars' + description: 'Container name: required + for volumes, optional for env vars' type: string divisor: anyOf: - type: integer - type: string - description: Specifies the output format of the exposed resources, defaults to "1" + description: Specifies the output format + of the exposed resources, defaults to + "1" pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true resource: @@ -3635,10 +3873,12 @@ spec: For any other third-party types, APIGroup is required. type: string kind: - description: Kind is the type of resource being referenced + description: Kind is the type of resource + being referenced type: string name: - description: Name is the name of resource being referenced + description: Name is the name of resource + being referenced type: string required: - kind @@ -3678,10 +3918,12 @@ spec: For any other third-party types, APIGroup is required. type: string kind: - description: Kind is the type of resource being referenced + description: Kind is the type of resource + being referenced type: string name: - description: Name is the name of resource being referenced + description: Name is the name of resource + being referenced type: string namespace: description: |- 
@@ -3727,17 +3969,22 @@ spec: type: object type: object selector: - description: selector is a label query over volumes to consider for binding. + description: selector is a label query over + volumes to consider for binding. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. items: description: |- A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label + key that the selector applies + to. type: string operator: description: |- @@ -3796,7 +4043,8 @@ spec: Value of Filesystem is implied when not included in claim spec. type: string volumeName: - description: volumeName is the binding reference to the PersistentVolume backing this claim. + description: volumeName is the binding reference + to the PersistentVolume backing this claim. type: string type: object required: @@ -3804,7 +4052,9 @@ spec: type: object type: object fc: - description: fc represents a Fibre Channel resource that is attached to a kubelet's host machine and then exposed to the pod. + description: fc represents a Fibre Channel resource + that is attached to a kubelet's host machine and then + exposed to the pod. properties: fsType: description: |- @@ -3823,7 +4073,8 @@ spec: the ReadOnly setting in VolumeMounts. type: boolean targetWWNs: - description: 'targetWWNs is Optional: FC target worldwide names (WWNs)' + description: 'targetWWNs is Optional: FC target + worldwide names (WWNs)' items: type: string type: array 
@@ -3843,7 +4094,8 @@ spec: provisioned/attached using an exec based plugin. properties: driver: - description: driver is the name of the driver to use for this volume. + description: driver is the name of the driver to + use for this volume. type: string fsType: description: |- @@ -3854,7 +4106,8 @@ spec: options: additionalProperties: type: string - description: 'options is Optional: this field holds extra command options if any.' + description: 'options is Optional: this field holds + extra command options if any.' type: object readOnly: description: |- @@ -3881,7 +4134,9 @@ spec: - driver type: object flocker: - description: flocker represents a Flocker volume attached to a kubelet's host machine. This depends on the Flocker control service being running + description: flocker represents a Flocker volume attached + to a kubelet's host machine. This depends on the Flocker + control service being running properties: datasetName: description: |- @@ -3889,7 +4144,8 @@ spec: should be considered as deprecated type: string datasetUUID: - description: datasetUUID is the UUID of the dataset. This is unique identifier of a Flocker dataset + description: datasetUUID is the UUID of the dataset. + This is unique identifier of a Flocker dataset type: string type: object gcePersistentDisk: @@ -3947,7 +4203,8 @@ spec: description: repository is the URL type: string revision: - description: revision is the commit hash for the specified revision. + description: revision is the commit hash for the + specified revision. type: string required: - repository 
@@ -4010,10 +4267,12 @@ spec: More info: https://examples.k8s.io/volumes/iscsi/README.md properties: chapAuthDiscovery: - description: chapAuthDiscovery defines whether support iSCSI Discovery CHAP authentication + description: chapAuthDiscovery defines whether support + iSCSI Discovery CHAP authentication type: boolean chapAuthSession: - description: chapAuthSession defines whether support iSCSI Session CHAP authentication + description: chapAuthSession defines whether support + iSCSI Session CHAP authentication type: boolean fsType: description: |- @@ -4055,7 +4314,8 @@ spec: Defaults to false. type: boolean secretRef: - description: secretRef is the CHAP Secret for iSCSI target and initiator authentication + description: secretRef is the CHAP Secret for iSCSI + target and initiator authentication properties: name: description: |- @@ -4126,7 +4386,9 @@ spec: - claimName type: object photonPersistentDisk: - description: photonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine + description: photonPersistentDisk represents a PhotonController + persistent disk attached and mounted on kubelets host + machine properties: fsType: description: |- @@ -4135,13 +4397,15 @@ spec: Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. type: string pdID: - description: pdID is the ID that identifies Photon Controller persistent disk + description: pdID is the ID that identifies Photon + Controller persistent disk type: string required: - pdID type: object portworxVolume: - description: portworxVolume represents a portworx volume attached and mounted on kubelets host machine + description: portworxVolume represents a portworx volume + attached and mounted on kubelets host machine properties: fsType: description: |- 
@@ -4155,13 +4419,15 @@ spec: the ReadOnly setting in VolumeMounts. type: boolean volumeID: - description: volumeID uniquely identifies a Portworx volume + description: volumeID uniquely identifies a Portworx + volume type: string required: - volumeID type: object projected: - description: projected items for all in one resources secrets, configmaps, and downward API + description: projected items for all in one resources + secrets, configmaps, and downward API properties: defaultMode: description: |- @@ -4176,7 +4442,8 @@ spec: sources: description: sources is the list of volume projections items: - description: Projection that may be projected along with other supported volume types + description: Projection that may be projected + along with other supported volume types properties: clusterTrustBundle: description: |- @@ -4205,14 +4472,18 @@ spec: everything". properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a + list of label selector requirements. + The requirements are ANDed. items: description: |- A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label + key that the selector applies + to. type: string operator: description: |- @@ -4259,7 +4530,8 @@ spec: ClusterTrustBundles. type: boolean path: - description: Relative path from the volume root to write the bundle. + description: Relative path from the volume + root to write the bundle. type: string signerName: description: |- @@ -4271,7 +4543,8 @@ spec: - path type: object configMap: - description: configMap information about the configMap data to project + description: configMap information about the + configMap data to project properties: items: description: |- 
@@ -4283,7 +4556,8 @@ spec: the volume setup will error unless it is marked optional. Paths must be relative and may not contain the '..' path or start with '..'. items: - description: Maps a string key to a path within a volume. + description: Maps a string key to a + path within a volume. properties: key: description: key is the key to project. @@ -4318,26 +4592,38 @@ spec: TODO: Add other useful fields. apiVersion, kind, uid? type: string optional: - description: optional specify whether the ConfigMap or its keys must be defined + description: optional specify whether + the ConfigMap or its keys must be defined type: boolean type: object x-kubernetes-map-type: atomic downwardAPI: - description: downwardAPI information about the downwardAPI data to project + description: downwardAPI information about + the downwardAPI data to project properties: items: - description: Items is a list of DownwardAPIVolume file + description: Items is a list of DownwardAPIVolume + file items: - description: DownwardAPIVolumeFile represents information to create the file containing the pod field + description: DownwardAPIVolumeFile represents + information to create the file containing + the pod field properties: fieldRef: - description: 'Required: Selects a field of the pod: only annotations, labels, name, namespace and uid are supported.' + description: 'Required: Selects + a field of the pod: only annotations, + labels, name, namespace and uid + are supported.' properties: apiVersion: - description: Version of the schema the FieldPath is written in terms of, defaults to "v1". + description: Version of the + schema the FieldPath is written + in terms of, defaults to "v1". type: string fieldPath: - description: Path of the field to select in the specified API version. + description: Path of the field + to select in the specified + API version. type: string required: - fieldPath 
@@ -4354,7 +4640,13 @@ spec: format: int32 type: integer path: - description: 'Required: Path is the relative path name of the file to be created. Must not be absolute or contain the ''..'' path. Must be utf-8 encoded. The first item of the relative path must not start with ''..''' + description: 'Required: Path is the + relative path name of the file + to be created. Must not be absolute + or contain the ''..'' path. Must + be utf-8 encoded. The first item + of the relative path must not + start with ''..''' type: string resourceFieldRef: description: |- @@ -4362,17 +4654,22 @@ spec: (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported. properties: containerName: - description: 'Container name: required for volumes, optional for env vars' + description: 'Container name: + required for volumes, optional + for env vars' type: string divisor: anyOf: - type: integer - type: string - description: Specifies the output format of the exposed resources, defaults to "1" + description: Specifies the output + format of the exposed resources, + defaults to "1" pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true resource: - description: 'Required: resource to select' + description: 'Required: resource + to select' type: string required: - resource @@ -4385,7 +4682,8 @@ spec: x-kubernetes-list-type: atomic type: object secret: - description: secret information about the secret data to project + description: secret information about the + secret data to project properties: items: description: |- @@ -4397,7 +4695,8 @@ spec: the volume setup will error unless it is marked optional. Paths must be relative and may not contain the '..' path or start with '..'. items: - description: Maps a string key to a path within a volume. + description: Maps a string key to a + path within a volume. properties: key: description: key is the key to project. 
@@ -4432,12 +4731,14 @@ spec: TODO: Add other useful fields. apiVersion, kind, uid? type: string optional: - description: optional field specify whether the Secret or its key must be defined + description: optional field specify whether + the Secret or its key must be defined type: boolean type: object x-kubernetes-map-type: atomic serviceAccountToken: - description: serviceAccountToken is information about the serviceAccountToken data to project + description: serviceAccountToken is information + about the serviceAccountToken data to project properties: audience: description: |- @@ -4469,7 +4770,8 @@ spec: x-kubernetes-list-type: atomic type: object quobyte: - description: quobyte represents a Quobyte mount on the host that shares a pod's lifetime + description: quobyte represents a Quobyte mount on the + host that shares a pod's lifetime properties: group: description: |- @@ -4498,7 +4800,8 @@ spec: Defaults to serivceaccount user type: string volume: - description: volume is a string that references an already created Quobyte volume by name. + description: volume is a string that references + an already created Quobyte volume by name. type: string required: - registry @@ -4574,7 +4877,8 @@ spec: - monitors type: object scaleIO: - description: scaleIO represents a ScaleIO persistent volume attached and mounted on Kubernetes nodes. + description: scaleIO represents a ScaleIO persistent + volume attached and mounted on Kubernetes nodes. properties: fsType: description: |- @@ -4584,10 +4888,12 @@ spec: Default is "xfs". type: string gateway: - description: gateway is the host address of the ScaleIO API Gateway. + description: gateway is the host address of the + ScaleIO API Gateway. type: string protectionDomain: - description: protectionDomain is the name of the ScaleIO Protection Domain for the configured storage. + description: protectionDomain is the name of the + ScaleIO Protection Domain for the configured storage. type: string readOnly: description: |- 
@@ -4608,7 +4914,8 @@ spec: type: object x-kubernetes-map-type: atomic sslEnabled: - description: sslEnabled Flag enable/disable SSL communication with Gateway, default false + description: sslEnabled Flag enable/disable SSL + communication with Gateway, default false type: boolean storageMode: description: |- @@ -4616,10 +4923,12 @@ spec: Default is ThinProvisioned. type: string storagePool: - description: storagePool is the ScaleIO Storage Pool associated with the protection domain. + description: storagePool is the ScaleIO Storage + Pool associated with the protection domain. type: string system: - description: system is the name of the storage system as configured in ScaleIO. + description: system is the name of the storage system + as configured in ScaleIO. type: string volumeName: description: |- @@ -4657,7 +4966,8 @@ spec: the volume setup will error unless it is marked optional. Paths must be relative and may not contain the '..' path or start with '..'. items: - description: Maps a string key to a path within a volume. + description: Maps a string key to a path within + a volume. properties: key: description: key is the key to project. @@ -4686,7 +4996,8 @@ spec: type: array x-kubernetes-list-type: atomic optional: - description: optional field specify whether the Secret or its keys must be defined + description: optional field specify whether the + Secret or its keys must be defined type: boolean secretName: description: |- @@ -4695,7 +5006,8 @@ spec: type: string type: object storageos: - description: storageOS represents a StorageOS volume attached and mounted on Kubernetes nodes. + description: storageOS represents a StorageOS volume + attached and mounted on Kubernetes nodes. properties: fsType: description: |- 
@@ -4737,7 +5049,8 @@ spec: type: string type: object vsphereVolume: - description: vsphereVolume represents a vSphere volume attached and mounted on kubelets host machine + description: vsphereVolume represents a vSphere volume + attached and mounted on kubelets host machine properties: fsType: description: |- @@ -4746,13 +5059,17 @@ spec: Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. type: string storagePolicyID: - description: storagePolicyID is the storage Policy Based Management (SPBM) profile ID associated with the StoragePolicyName. + description: storagePolicyID is the storage Policy + Based Management (SPBM) profile ID associated + with the StoragePolicyName. type: string storagePolicyName: - description: storagePolicyName is the storage Policy Based Management (SPBM) profile name. + description: storagePolicyName is the storage Policy + Based Management (SPBM) profile name. type: string volumePath: - description: volumePath is the path that identifies vSphere volume vmdk + description: volumePath is the path that identifies + vSphere volume vmdk type: string required: - volumePath @@ -4767,7 +5084,8 @@ spec: More info: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/ properties: nodeAffinity: - description: Describes node affinity scheduling rules for the pod. + description: Describes node affinity scheduling rules + for the pod. properties: preferredDuringSchedulingIgnoredDuringExecution: description: |- 
@@ -4786,17 +5104,20 @@ spec: (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). properties: preference: - description: A node selector term, associated with the corresponding weight. + description: A node selector term, associated + with the corresponding weight. properties: matchExpressions: - description: A list of node selector requirements by node's labels. + description: A list of node selector requirements + by node's labels. items: description: |- A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: The label key that the selector applies to. + description: The label key that the + selector applies to. type: string operator: description: |- @@ -4821,14 +5142,16 @@ spec: type: array x-kubernetes-list-type: atomic matchFields: - description: A list of node selector requirements by node's fields. + description: A list of node selector requirements + by node's fields. items: description: |- A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: The label key that the selector applies to. + description: The label key that the + selector applies to. type: string operator: description: |- @@ -4855,7 +5178,9 @@ spec: type: object x-kubernetes-map-type: atomic weight: - description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100. + description: Weight associated with matching + the corresponding nodeSelectorTerm, in the + range 1-100. format: int32 type: integer required: 
@@ -4873,7 +5198,8 @@ spec: may or may not try to eventually evict the pod from its node. properties: nodeSelectorTerms: - description: Required. A list of node selector terms. The terms are ORed. + description: Required. A list of node selector + terms. The terms are ORed. items: description: |- A null or empty node selector term matches no objects. The requirements of @@ -4881,14 +5207,16 @@ spec: The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. properties: matchExpressions: - description: A list of node selector requirements by node's labels. + description: A list of node selector requirements + by node's labels. items: description: |- A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: The label key that the selector applies to. + description: The label key that the + selector applies to. type: string operator: description: |- @@ -4913,14 +5241,16 @@ spec: type: array x-kubernetes-list-type: atomic matchFields: - description: A list of node selector requirements by node's fields. + description: A list of node selector requirements + by node's fields. items: description: |- A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: The label key that the selector applies to. + description: The label key that the + selector applies to. type: string operator: description: |- @@ -4954,7 +5284,9 @@ spec: x-kubernetes-map-type: atomic type: object podAffinity: - description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). + description: Describes pod affinity scheduling rules (e.g. + co-locate this pod in the same node, zone, etc. as some + other pod(s)). properties: preferredDuringSchedulingIgnoredDuringExecution: description: |- 
@@ -4968,10 +5300,13 @@ spec: "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred. items: - description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) + description: The weights of all of the matched WeightedPodAffinityTerm + fields are added per-node to find the most preferred + node(s) properties: podAffinityTerm: - description: Required. A pod affinity term, associated with the corresponding weight. + description: Required. A pod affinity term, + associated with the corresponding weight. properties: labelSelector: description: |- @@ -4979,14 +5314,18 @@ spec: If it's null, this PodAffinityTerm matches with no Pods. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. items: description: |- A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label + key that the selector applies + to. type: string operator: description: |- 
@@ -5058,14 +5397,18 @@ spec: An empty selector ({}) matches all namespaces. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. items: description: |- A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label + key that the selector applies + to. type: string operator: description: |- @@ -5155,14 +5498,17 @@ spec: If it's null, this PodAffinityTerm matches with no Pods. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. items: description: |- A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key + that the selector applies to. type: string operator: description: |- @@ -5234,14 +5580,17 @@ spec: An empty selector ({}) matches all namespaces. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. items: description: |- A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key + that the selector applies to. type: string operator: description: |- 
@@ -5299,7 +5648,9 @@ spec: x-kubernetes-list-type: atomic type: object podAntiAffinity: - description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). + description: Describes pod anti-affinity scheduling rules + (e.g. avoid putting this pod in the same node, zone, + etc. as some other pod(s)). properties: preferredDuringSchedulingIgnoredDuringExecution: description: |- @@ -5313,10 +5664,13 @@ spec: "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred. items: - description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) + description: The weights of all of the matched WeightedPodAffinityTerm + fields are added per-node to find the most preferred + node(s) properties: podAffinityTerm: - description: Required. A pod affinity term, associated with the corresponding weight. + description: Required. A pod affinity term, + associated with the corresponding weight. properties: labelSelector: description: |- @@ -5324,14 +5678,18 @@ spec: If it's null, this PodAffinityTerm matches with no Pods. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. items: description: |- A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label + key that the selector applies + to. type: string operator: description: |- 
@@ -5403,14 +5761,18 @@ spec: An empty selector ({}) matches all namespaces. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. items: description: |- A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label + key that the selector applies + to. type: string operator: description: |- @@ -5500,14 +5862,17 @@ spec: If it's null, this PodAffinityTerm matches with no Pods. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. items: description: |- A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key + that the selector applies to. type: string operator: description: |- @@ -5579,14 +5944,17 @@ spec: An empty selector ({}) matches all namespaces. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. items: description: |- A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key + that the selector applies to. type: string operator: description: |- 
@@ -5660,7 +6028,8 @@ spec: type: string type: array kine: - description: Available only if Kamaji is running using Kine as backing storage. + description: Available only if Kamaji is running using + Kine as backing storage. items: type: string type: array @@ -5677,6 +6046,20 @@ spec: Selector which must match a node's labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ type: object + podAdditionalMetadata: + description: AdditionalMetadata defines which additional metadata, + such as labels and annotations, must be attached to the + created resource. + properties: + annotations: + additionalProperties: + type: string + type: object + labels: + additionalProperties: + type: string + type: object + type: object registrySettings: default: apiServerImage: kube-apiserver @@ -5715,7 +6098,8 @@ spec: (kube-apiserver, controller-manager, and scheduler). properties: apiServer: - description: ResourceRequirements describes the compute resource requirements. + description: ResourceRequirements describes the compute + resource requirements. properties: claims: description: |- @@ -5729,7 +6113,8 @@ spec: This field is immutable. It can only be set for containers. items: - description: ResourceClaim references one entry in PodSpec.ResourceClaims. + description: ResourceClaim references one entry + in PodSpec.ResourceClaims. properties: name: description: |- @@ -5770,7 +6155,8 @@ spec: type: object type: object controllerManager: - description: ResourceRequirements describes the compute resource requirements. + description: ResourceRequirements describes the compute + resource requirements. properties: claims: description: |- @@ -5784,7 +6170,8 @@ spec: This field is immutable. It can only be set for containers. items: - description: ResourceClaim references one entry in PodSpec.ResourceClaims. + description: ResourceClaim references one entry + in PodSpec.ResourceClaims. properties: name: description: |- 
@@ -5841,7 +6228,8 @@ spec: This field is immutable. It can only be set for containers. items: - description: ResourceClaim references one entry in PodSpec.ResourceClaims. + description: ResourceClaim references one entry + in PodSpec.ResourceClaims. properties: name: description: |- @@ -5882,7 +6270,8 @@ spec: type: object type: object scheduler: - description: ResourceRequirements describes the compute resource requirements. + description: ResourceRequirements describes the compute + resource requirements. properties: claims: description: |- @@ -5896,7 +6285,8 @@ spec: This field is immutable. It can only be set for containers. items: - description: ResourceClaim references one entry in PodSpec.ResourceClaims. + description: ResourceClaim references one entry + in PodSpec.ResourceClaims. properties: name: description: |- @@ -5945,6 +6335,11 @@ spec: empty definition that uses the default runtime handler. More info: https://git.k8s.io/enhancements/keps/sig-node/585-runtime-class type: string + serviceAccountName: + default: default + description: ServiceAccountName allows to specify the service + account to be mounted to the pods of the Control plane deployment + type: string strategy: default: rollingUpdate: @@ -5998,7 +6393,8 @@ spec: x-kubernetes-int-or-string: true type: object type: - description: Type of deployment. Can be "Recreate" or "RollingUpdate". Default is RollingUpdate. + description: Type of deployment. Can be "Recreate" or + "RollingUpdate". Default is RollingUpdate. type: string type: object tolerations: @@ -6049,7 +6445,8 @@ spec: In case of nil underlying LabelSelector, the Kamaji one for the given Tenant Control Plane will be used. All topologySpreadConstraints are ANDed. items: - description: TopologySpreadConstraint specifies how to spread matching pods among the given topology. + description: TopologySpreadConstraint specifies how to spread + matching pods among the given topology. properties: labelSelector: description: |- 
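Review bot: The new `serviceAccountName` field in hunk `@@ -5945,6 +6335,11 @@` is an unconstrained `type: string` with `default: default`, so every Tenant Control Plane that leaves it unset runs its kube-apiserver, controller-manager and scheduler pods under the tenant namespace's `default` ServiceAccount, and a mistyped account name passes CRD validation and only surfaces when the Deployment's pods fail to be admitted. Other name fields in this same CRD carry a DNS-style `pattern:` (the `^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]...` one on a later `name` field), so the consistent fix is to add `maxLength: 253` and `pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$` under `serviceAccountName`. The description should also tell a deployer what the field implies for the pods' identity: I cannot see from this hunk whether the operator creates the account or whether the token is mounted, so if the account must pre-exist the wording should be `description: ServiceAccountName is the ServiceAccount the Tenant Control Plane pods run as; it must already exist in the tenant namespace. Defaults to "default".`, and a note that `automountServiceAccountToken` should be disabled on that account unless the control-plane binaries need it belongs in the chart docs. The enclosing `spec` schema starts and ends outside this hunk.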
@@ -6058,14 +6455,16 @@ spec: in their corresponding topology domain. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. items: description: |- A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: description: |- @@ -6225,10 +6624,13 @@ spec: type: array type: object ingress: - description: Defining the options for an Optional Ingress which will expose API Server of the Tenant Control Plane + description: Defining the options for an Optional Ingress which + will expose API Server of the Tenant Control Plane properties: additionalMetadata: - description: AdditionalMetadata defines which additional metadata, such as labels and annotations, must be attached to the created resource. + description: AdditionalMetadata defines which additional metadata, + such as labels and annotations, must be attached to the + created resource. properties: annotations: additionalProperties: @@ -6248,10 +6650,13 @@ spec: type: string type: object service: - description: Defining the options for the Tenant Control Plane Service resource. + description: Defining the options for the Tenant Control Plane + Service resource. properties: additionalMetadata: - description: AdditionalMetadata defines which additional metadata, such as labels and annotations, must be attached to the created resource. + description: AdditionalMetadata defines which additional metadata, + such as labels and annotations, must be attached to the + created resource. properties: annotations: additionalProperties: 
@@ -6263,7 +6668,8 @@ spec: type: object type: object serviceType: - description: ServiceType allows specifying how to expose the Tenant Control Plane. + description: ServiceType allows specifying how to expose the + Tenant Control Plane. enum: - ClusterIP - NodePort @@ -6445,7 +6851,8 @@ spec: - enabled type: object konnectivity: - description: KonnectivityStatus defines the status of Konnectivity as Addon. + description: KonnectivityStatus defines the status of Konnectivity + as Addon. properties: agent: properties: @@ -6490,7 +6897,8 @@ spec: enabled: type: boolean kubeconfig: - description: KubeconfigStatus contains information about the generated kubeconfig. + description: KubeconfigStatus contains information about the + generated kubeconfig. properties: checksum: type: string 
@@ -6512,12 +6920,24 @@ spec: type: string type: object service: - description: KubernetesServiceStatus defines the status for the Tenant Control Plane Service in the management cluster. + description: KubernetesServiceStatus defines the status for + the Tenant Control Plane Service in the management cluster. properties: conditions: description: Current service state items: - description: "Condition contains details for one aspect of the current state of this API Resource.\n---\nThis struct is intended for direct use as an array at the field path .status.conditions. For example,\n\n\n\ttype FooStatus struct{\n\t // Represents the observations of a foo's current state.\n\t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t // other fields\n\t}" + description: "Condition contains details for one aspect + of the current state of this API Resource.\n---\nThis + struct is intended for direct use as an array at the + field path .status.conditions. For example,\n\n\n\ttype + FooStatus struct{\n\t // Represents the observations + of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t + \ // +patchMergeKey=type\n\t // +patchStrategy=merge\n\t + \ // +listType=map\n\t // +listMapKey=type\n\t + \ Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: description: |- 
@@ -6551,7 +6971,8 @@ spec: pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ type: string status: - description: status of the condition, one of True, False, Unknown. + description: status of the condition, one of True, + False, Unknown. enum: - "True" - "False" @@ -6631,7 +7052,9 @@ spec: pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string port: - description: Port is the port number of the service port of which status is recorded here + description: Port is the port number of + the service port of which status is + recorded here format: int32 type: integer protocol: @@ -6654,7 +7077,8 @@ spec: description: The name of the Service for the given cluster. type: string namespace: - description: The namespace which the Service for the given cluster is deployed. + description: The namespace which the Service for the given + cluster is deployed. type: string port: description: The port where the service is running @@ -6719,10 +7143,12 @@ spec: type: string type: object etcd: - description: ETCDCertificatesStatus defines the observed state of ETCD Certificate for API server. + description: ETCDCertificatesStatus defines the observed state + of ETCD Certificate for API server. properties: apiServer: - description: APIServerCertificatesStatus defines the observed state of ETCD Certificate for API server. + description: APIServerCertificatesStatus defines the observed + state of ETCD Certificate for API server. properties: checksum: type: string @@ -6733,7 +7159,8 @@ spec: type: string type: object ca: - description: ETCDCertificateStatus defines the observed state of ETCD Certificate for API server. + description: ETCDCertificateStatus defines the observed state + of ETCD Certificate for API server. properties: checksum: type: string 
@@ -6779,13 +7206,16 @@ spec: type: object type: object controlPlaneEndpoint: - description: ControlPlaneEndpoint contains the status of the kubernetes control plane + description: ControlPlaneEndpoint contains the status of the kubernetes + control plane type: string kubeadmPhase: - description: KubeadmPhase contains the status of the kubeadm phases action + description: KubeadmPhase contains the status of the kubeadm phases + action properties: bootstrapToken: - description: KubeadmPhaseStatus contains the status of a kubeadm phase action. + description: KubeadmPhaseStatus contains the status of a kubeadm + phase action. properties: checksum: type: string @@ -6797,7 +7227,8 @@ spec: - bootstrapToken type: object kubeadmconfig: - description: KubeadmConfig contains the status of the configuration required by kubeadm + description: KubeadmConfig contains the status of the configuration + required by kubeadm properties: checksum: description: Checksum of the kubeadm configuration to detect changes @@ -6809,10 +7240,12 @@ spec: type: string type: object kubeconfig: - description: KubeConfig contains information about the kubenconfigs that control plane pieces need + description: KubeConfig contains information about the kubenconfigs + that control plane pieces need properties: admin: - description: KubeconfigStatus contains information about the generated kubeconfig. + description: KubeconfigStatus contains information about the generated + kubeconfig. properties: checksum: type: string @@ -6823,7 +7256,8 @@ spec: type: string type: object controllerManager: - description: KubeconfigStatus contains information about the generated kubeconfig. + description: KubeconfigStatus contains information about the generated + kubeconfig. properties: checksum: type: string 
@@ -6834,7 +7268,8 @@ spec: type: string type: object scheduler: - description: KubeconfigStatus contains information about the generated kubeconfig. + description: KubeconfigStatus contains information about the generated + kubeconfig. properties: checksum: type: string @@ -6846,13 +7281,16 @@ spec: type: object type: object kubernetesResources: - description: Kubernetes contains information about the reconciliation of the required Kubernetes resources deployed in the admin cluster + description: Kubernetes contains information about the reconciliation + of the required Kubernetes resources deployed in the admin cluster properties: deployment: - description: KubernetesDeploymentStatus defines the status for the Tenant Control Plane Deployment in the management cluster. + description: KubernetesDeploymentStatus defines the status for + the Tenant Control Plane Deployment in the management cluster. properties: availableReplicas: - description: Total number of available pods (ready for at least minReadySeconds) targeted by this deployment. + description: Total number of available pods (ready for at + least minReadySeconds) targeted by this deployment. format: int32 type: integer collisionCount: @@ -6863,12 +7301,15 @@ spec: format: int32 type: integer conditions: - description: Represents the latest available observations of a deployment's current state. + description: Represents the latest available observations + of a deployment's current state. items: - description: DeploymentCondition describes the state of a deployment at a certain point. + description: DeploymentCondition describes the state of + a deployment at a certain point. properties: lastTransitionTime: - description: Last time the condition transitioned from one status to another. + description: Last time the condition transitioned from + one status to another. format: date-time type: string lastUpdateTime: 
@@ -6876,13 +7317,15 @@ spec: format: date-time type: string message: - description: A human readable message indicating details about the transition. + description: A human readable message indicating details + about the transition. type: string reason: description: The reason for the condition's last transition. type: string status: - description: Status of the condition, one of True, False, Unknown. + description: Status of the condition, one of True, False, + Unknown. type: string type: description: Type of deployment condition. @@ -6903,22 +7346,26 @@ spec: description: The name of the Deployment for the given cluster. type: string namespace: - description: The namespace which the Deployment for the given cluster is deployed. + description: The namespace which the Deployment for the given + cluster is deployed. type: string observedGeneration: description: The generation observed by the deployment controller. format: int64 type: integer readyReplicas: - description: readyReplicas is the number of pods targeted by this Deployment with a Ready Condition. + description: readyReplicas is the number of pods targeted + by this Deployment with a Ready Condition. format: int32 type: integer replicas: - description: Total number of non-terminated pods targeted by this deployment (their labels match the selector). + description: Total number of non-terminated pods targeted + by this deployment (their labels match the selector). format: int32 type: integer selector: - description: Selector is the label selector used to group the Tenant Control Plane Pods used by the scale subresource. + description: Selector is the label selector used to group + the Tenant Control Plane Pods used by the scale subresource. type: string unavailableReplicas: description: |- 
@@ -6928,7 +7375,8 @@ spec: format: int32 type: integer updatedReplicas: - description: Total number of non-terminated pods targeted by this deployment that have the desired template spec. + description: Total number of non-terminated pods targeted + by this deployment that have the desired template spec. format: int32 type: integer required: 
@@ -6937,26 +7385,34 @@ spec: - selector type: object ingress: - description: KubernetesIngressStatus defines the status for the Tenant Control Plane Ingress in the management cluster. + description: KubernetesIngressStatus defines the status for the + Tenant Control Plane Ingress in the management cluster. properties: loadBalancer: - description: loadBalancer contains the current status of the load-balancer. + description: loadBalancer contains the current status of the + load-balancer. properties: ingress: - description: ingress is a list containing ingress points for the load-balancer. + description: ingress is a list containing ingress points + for the load-balancer. items: - description: IngressLoadBalancerIngress represents the status of a load-balancer ingress point. + description: IngressLoadBalancerIngress represents the + status of a load-balancer ingress point. properties: hostname: - description: hostname is set for load-balancer ingress points that are DNS based. + description: hostname is set for load-balancer ingress + points that are DNS based. type: string ip: - description: ip is set for load-balancer ingress points that are IP based. + description: ip is set for load-balancer ingress + points that are IP based. type: string ports: - description: ports provides information about the ports exposed by this LoadBalancer. + description: ports provides information about the + ports exposed by this LoadBalancer. items: - description: IngressPortStatus represents the error condition of a service port + description: IngressPortStatus represents the + error condition of a service port properties: error: description: |- @@ -6972,7 +7428,8 @@ spec: pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string port: - description: port is the port number of the ingress port. + description: port is the port number of the + ingress port. format: int32 type: integer protocol: 
@@ -6995,19 +7452,32 @@ spec: description: The name of the Ingress for the given cluster. type: string namespace: - description: The namespace which the Ingress for the given cluster is deployed. + description: The namespace which the Ingress for the given + cluster is deployed. type: string required: - name - namespace type: object service: - description: KubernetesServiceStatus defines the status for the Tenant Control Plane Service in the management cluster. + description: KubernetesServiceStatus defines the status for the + Tenant Control Plane Service in the management cluster. properties: conditions: description: Current service state items: - description: "Condition contains details for one aspect of the current state of this API Resource.\n---\nThis struct is intended for direct use as an array at the field path .status.conditions. For example,\n\n\n\ttype FooStatus struct{\n\t // Represents the observations of a foo's current state.\n\t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t // other fields\n\t}" + description: "Condition contains details for one aspect + of the current state of this API Resource.\n---\nThis + struct is intended for direct use as an array at the field + path .status.conditions. 
For example,\n\n\n\ttype FooStatus + struct{\n\t // Represents the observations of a foo's + current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t + \ // +patchMergeKey=type\n\t // +patchStrategy=merge\n\t + \ // +listType=map\n\t // +listMapKey=type\n\t Conditions + []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" + patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: description: |- @@ -7041,7 +7511,8 @@ spec: pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ type: string status: - description: status of the condition, one of True, False, Unknown. + description: status of the condition, one of True, False, + Unknown. enum: - "True" - "False" @@ -7121,7 +7592,9 @@ spec: pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string port: - description: Port is the port number of the service port of which status is recorded here + description: Port is the port number of the + service port of which status is recorded + here format: int32 type: integer protocol: @@ -7144,7 +7617,8 @@ spec: description: The name of the Service for the given cluster. type: string namespace: - description: The namespace which the Service for the given cluster is deployed. + description: The namespace which the Service for the given + cluster is deployed. type: string port: description: The port where the service is running 
@@ -7156,11 +7630,13 @@ spec: - port type: object version: - description: KubernetesVersion contains the information regarding the running Kubernetes version, and its upgrade status. + description: KubernetesVersion contains the information regarding + the running Kubernetes version, and its upgrade status. properties: status: default: Provisioning - description: Status returns the current status of the Kubernetes version, such as its provisioning state, or completed upgrade. + description: Status returns the current status of the Kubernetes + version, such as its provisioning state, or completed upgrade. enum: - Provisioning - CertificateAuthorityRotating @@ -7170,12 +7646,14 @@ spec: - NotReady type: string version: - description: Version is the running Kubernetes version of the Tenant Control Plane. + description: Version is the running Kubernetes version of + the Tenant Control Plane. type: string type: object type: object storage: - description: Storage Status contains information about Kubernetes storage system + description: Storage Status contains information about Kubernetes + storage system properties: certificate: properties: diff --git a/charts/clastix/kamaji/templates/controller.yaml b/charts/clastix/kamaji/templates/controller.yaml index 82ddd5cba..e1a73e67c 100644 --- a/charts/clastix/kamaji/templates/controller.yaml +++ b/charts/clastix/kamaji/templates/controller.yaml @@ -34,6 +34,9 @@ spec: - --metrics-bind-address={{ .Values.metricsBindAddress }} - --tmp-directory={{ .Values.temporaryDirectoryPath }} - --datastore={{ include "datastore.fullname" . }} + {{- if .Values.telemetry.disabled }} + - --disable-telemetry + {{- end }} {{- if .Values.loggingDevel.enable }} - --zap-devel {{- end }} diff --git a/charts/clastix/kamaji/templates/datastore.yaml b/charts/clastix/kamaji/templates/datastore.yaml index b54ef99a0..08631b98e 100644 --- a/charts/clastix/kamaji/templates/datastore.yaml +++ b/charts/clastix/kamaji/templates/datastore.yaml 
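Review bot: The new `--disable-telemetry` argument is only rendered when `.Values.telemetry.disabled` is true, and the values.yaml hunk further down sets `disabled: false`, so analytics collection is on by default for every install of this chart version. The accompanying values comment `# -- Disable the analytics traces collection` reads as a description of what the block does rather than of its default; for an opt-out data egress a reader needs the default, what is sent and where it goes spelled out, e.g. `# -- (bool) Set to true to stop the controller from emitting analytics traces (default=false, i.e. telemetry is sent)` followed by a sentence naming the destination, which the chart does not state anywhere on this page. The same values.yaml hunk also adds a whitespace-only line after `disabled: false` and still leaves the file without a final newline.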
@@ -20,9 +20,14 @@ spec: secretReference: {{- .Values.datastore.basicAuth.passwordSecret | toYaml | nindent 8 }} {{- end }} +{{- if .Values.datastore.tlsConfig.enabled }} tlsConfig: certificateAuthority: {{- include "datastore.certificateAuthority" . | indent 6 }} + + {{- if .Values.datastore.tlsConfig.clientCertificate }} clientCertificate: {{- include "datastore.clientCertificate" . | indent 6 }} + {{- end }} +{{- end}} {{- end}} diff --git a/charts/clastix/kamaji/templates/validatingwebhookconfiguration.yaml b/charts/clastix/kamaji/templates/validatingwebhookconfiguration.yaml index d981e9743..a347443f7 100644 --- a/charts/clastix/kamaji/templates/validatingwebhookconfiguration.yaml +++ b/charts/clastix/kamaji/templates/validatingwebhookconfiguration.yaml @@ -8,6 +8,27 @@ metadata: {{- include "kamaji.labels" $data | nindent 4 }} name: kamaji-validating-webhook-configuration webhooks: + - admissionReviewVersions: + - v1 + clientConfig: + service: + name: {{ include "kamaji.webhookServiceName" . }} + namespace: {{ .Release.Namespace }} + path: /telemetry + failurePolicy: Ignore + name: telemetry.kamaji.clastix.io + rules: + - apiGroups: + - kamaji.clastix.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + - DELETE + resources: + - tenantcontrolplanes + sideEffects: None - admissionReviewVersions: - v1 clientConfig: diff --git a/charts/clastix/kamaji/values.yaml b/charts/clastix/kamaji/values.yaml index 814f2aa90..03d4f6358 100644 --- a/charts/clastix/kamaji/values.yaml +++ b/charts/clastix/kamaji/values.yaml @@ -60,7 +60,7 @@ etcd: # -- The custom annotations to add to the PVC customAnnotations: {} # volumeType: local - + # -- (array) Kubernetes affinity rules to apply to Kamaji etcd pods tolerations: [] 
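Review bot: The new `{{- if .Values.datastore.tlsConfig.enabled }}` guard makes TLS towards the datastore optional, but neither this hunk nor the values.yaml hunk below documents the consequence: the `basicAuth.passwordSecret` rendered a few lines above this block would then be sent over a cleartext connection, and the existing certificateAuthority comment still calls the TLS connection "mandatory". I would add a values comment next to the new `enabled: true`, e.g. `# -- (bool) Enable TLS towards the Datastore; when false the basic-auth credentials travel in cleartext (default=true)`, and reword the "mandatory" sentence. The inner `{{- if .Values.datastore.tlsConfig.clientCertificate }}` tests the truthiness of a map; if values.yaml declares `clientCertificate` with empty sub-keys the way the visible values hunk does for `certificateAuthority`, the condition is always true and a clientCertificate with empty fields is rendered, so testing a concrete leaf (such as the secret name the `datastore.clientCertificate` helper reads) would be more reliable. The outer `{{- if }}` closed by the final `{{- end}}` starts outside the hunk.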
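Review bot: The new `telemetry.kamaji.clastix.io` webhook is registered unconditionally, whereas the controller.yaml hunk makes telemetry opt-out via `.Values.telemetry.disabled`; with telemetry disabled the API server would still call `/telemetry` on every CREATE, UPDATE and DELETE of a TenantControlPlane, and whether the controller still serves that path when started with `--disable-telemetry` is not visible here. Wrapping the entry in `{{- if not .Values.telemetry.disabled }}` … `{{- end }}` keeps the two consistent. The entry also sets no `timeoutSeconds`, so it inherits the API-server default of 10 seconds; `failurePolicy: Ignore` stops a slow or unreachable endpoint from rejecting admission, but each such call can still add up to that default to the request, so a short explicit `timeoutSeconds: 2` is worth setting. Finally, `sideEffects: None` declares that the webhook has no out-of-band effects and that dryRun requests may be routed to it; if this endpoint records or forwards telemetry on each call, that declaration is arguably inaccurate and the handler should at least skip `dryRun` reviews.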
@@ -162,7 +162,7 @@ loggingDevel: datastore: # -- (bool) Enable the Kamaji Datastore creation (default=true) enabled: true - # -- (string) The Datastore name override, if empty and enabled=true defaults to `default`, if enabled=false, this is the name of the Datastore to connect to. + # -- (string) The Datastore name override, if empty and enabled=true defaults to `default`, if enabled=false, this is the name of the Datastore to connect to. nameOverride: # -- (string) The Kamaji Datastore driver, supported: etcd, MySQL, PostgreSQL (defaults=etcd). driver: etcd @@ -184,6 +184,7 @@ datastore: # -- The Secret key where the data is stored. keyPath: tlsConfig: + enabled: true certificateAuthority: certificate: # -- Name of the Secret containing the CA required to establish the mandatory SSL/TLS connection to the datastore. @@ -218,4 +219,9 @@ datastore: cfssl: image: repository: cfssl/cfssl - tag: latest \ No newline at end of file + tag: latest + +# -- Disable the analytics traces collection +telemetry: + disabled: false + \ No newline at end of file diff --git a/charts/dynatrace/dynatrace-operator/Chart.yaml b/charts/dynatrace/dynatrace-operator/Chart.yaml index f6fbd40e8..98dd24a54 100644 --- a/charts/dynatrace/dynatrace-operator/Chart.yaml +++ b/charts/dynatrace/dynatrace-operator/Chart.yaml @@ -4,7 +4,7 @@ annotations: catalog.cattle.io/kube-version: '>=1.19.0-0' catalog.cattle.io/release-name: dynatrace-operator apiVersion: v2 -appVersion: 1.1.1 +appVersion: 1.2.0 description: The Dynatrace Operator Helm chart for Kubernetes and OpenShift home: https://www.dynatrace.com/ icon: https://assets.dynatrace.com/global/resources/Signet_Logo_RGB_CP_512x512px.png @@ -20,4 +20,4 @@ name: dynatrace-operator sources: - https://github.com/Dynatrace/dynatrace-operator type: application -version: 1.1.1 +version: 1.2.0 diff --git a/charts/dynatrace/dynatrace-operator/questions.yml b/charts/dynatrace/dynatrace-operator/questions.yml index a2291a19e..70c94f9da 100644 
--- a/charts/dynatrace/dynatrace-operator/questions.yml +++ b/charts/dynatrace/dynatrace-operator/questions.yml @@ -179,20 +179,6 @@ questions: type: string group: "CSI Driver Deployment Configuration" - - variable: csidriver.provisioner.limits.cpu - label: "CPU resource limits settings for Dynatrace CSI Driver's provisioner container" - description: "The maximum amount of CPU resources that the Dynatrace CSI Driver's provisioner container can use. Default: 300m" - default: "300m" - type: string - group: "CSI Driver Deployment Configuration" - - - variable: csidriver.provisioner.limits.memory - label: "Memory resource limits settings for Dynatrace CSI Driver's provisioner container" - description: "The maximum amount of memory that the Dynatrace CSI Driver's provisioner container can use. Pod restarted if exceeded. Default: 100Mi" - default: "100Mi" - type: string - group: "CSI Driver Deployment Configuration" - - variable: csidriver.registrar.requests.cpu label: "CPU resource requests settings for Dynatrace CSI Driver's registrar container" description: "The minimum amount of CPU resources that the Dynatrace CSI Driver's registrar container should request. Affects scheduling. Default: 20m" diff --git a/charts/dynatrace/dynatrace-operator/templates/Common/crd/dynatrace-operator-crd.yaml b/charts/dynatrace/dynatrace-operator/templates/Common/crd/dynatrace-operator-crd.yaml index 435233513..7b89d2852 100644 --- a/charts/dynatrace/dynatrace-operator/templates/Common/crd/dynatrace-operator-crd.yaml +++ b/charts/dynatrace/dynatrace-operator/templates/Common/crd/dynatrace-operator-crd.yaml @@ -4,7 +4,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.14.0 + controller-gen.kubebuilder.io/version: v0.15.0 name: dynakubes.dynatrace.com spec: conversion: 
@@ -16,6 +16,7 @@ spec: namespace: {{.Release.Namespace}} path: /convert conversionReviewVersions: + - v1 - v1beta1 group: dynatrace.com names: 
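Review bot: Adding `- v1` ahead of `- v1beta1` in `conversionReviewVersions` changes which ConversionReview version the API server sends: it uses the first entry in this list that it supports, so on clusters that support apiextensions v1 the conversion webhook at `/convert` will now receive v1 reviews instead of v1beta1. That is only safe if the operator image shipped with this chart version handles v1 ConversionReview, which the chart does not state; I would confirm it against the operator release for 1.2.0 before merging, and if the intent is to prefer v1, keep the order as is. The `conversion` block this hunk touches starts outside the hunk.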
@@ -31,1049 +32,6 @@ spec: preserveUnknownFields: false scope: Namespaced versions: - - additionalPrinterColumns: - - jsonPath: .spec.apiUrl - name: ApiUrl - type: string - - jsonPath: .status.tokens - name: Tokens - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - description: DynaKube is the Schema for the DynaKube API - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: DynaKubeSpec defines the desired state of DynaKube - properties: - activeGate: - description: General configuration about ActiveGate instances - properties: - autoUpdate: - description: Disable automatic restarts of OneAgent pods in case - a new version is available - type: boolean - image: - description: |- - Optional: the ActiveGate container image. Defaults to the latest ActiveGate image provided by the Docker Registry - implementation from the Dynatrace environment set as API URL. 
- type: string - type: object - apiUrl: - description: Location of the Dynatrace API to connect to, including - your specific environment UUID - type: string - classicFullStack: - description: Configuration for ClassicFullStack Monitoring - properties: - args: - description: 'Optional: Arguments to the OneAgent installer' - items: - type: string - type: array - dnsPolicy: - description: 'Optional: Sets DNS Policy for the OneAgent pods' - type: string - enabled: - description: Enables FullStack Monitoring - type: boolean - env: - description: 'Optional: List of environment variables to set for - the installer' - items: - description: EnvVar represents an environment variable present - in a Container. - properties: - name: - description: Name of the environment variable. Must be a - C_IDENTIFIER. - type: string - value: - description: |- - Variable references $(VAR_NAME) are expanded - using the previously defined environment variables in the container and - any service environment variables. If a variable cannot be resolved, - the reference in the input string will be unchanged. Double $$ are reduced - to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. - "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". - Escaped references will never be expanded, regardless of whether the variable - exists or not. - Defaults to "". - type: string - valueFrom: - description: Source for the environment variable's value. - Cannot be used if value is not empty. - properties: - configMapKeyRef: - description: Selects a key of a ConfigMap. - properties: - key: - description: The key to select. - type: string - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid? 
- type: string - optional: - description: Specify whether the ConfigMap or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - fieldRef: - description: |- - Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['']`, `metadata.annotations['']`, - spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs. - properties: - apiVersion: - description: Version of the schema the FieldPath - is written in terms of, defaults to "v1". - type: string - fieldPath: - description: Path of the field to select in the - specified API version. - type: string - required: - - fieldPath - type: object - x-kubernetes-map-type: atomic - resourceFieldRef: - description: |- - Selects a resource of the container: only resources limits and requests - (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported. - properties: - containerName: - description: 'Container name: required for volumes, - optional for env vars' - type: string - divisor: - anyOf: - - type: integer - - type: string - description: Specifies the output format of the - exposed resources, defaults to "1" - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - resource: - description: 'Required: resource to select' - type: string - required: - - resource - type: object - x-kubernetes-map-type: atomic - secretKeyRef: - description: Selects a key of a secret in the pod's - namespace - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid? 
- type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - required: - - name - type: object - type: array - labels: - additionalProperties: - type: string - description: 'Optional: Adds additional labels for the OneAgent - pods' - type: object - nodeSelector: - additionalProperties: - type: string - description: Node selector to control the selection of nodes (optional) - type: object - priorityClassName: - description: |- - Optional: If specified, indicates the pod's priority. Name must be defined by creating a PriorityClass object with that - name. If not specified the setting will be removed from the DaemonSet. - type: string - resources: - description: 'Optional: define resources requests and limits for - single pods' - properties: - claims: - description: |- - Claims lists the names of resources, defined in spec.resourceClaims, - that are used by this container. - - - This is an alpha field and requires enabling the - DynamicResourceAllocation feature gate. - - - This field is immutable. It can only be set for containers. - items: - description: ResourceClaim references one entry in PodSpec.ResourceClaims. - properties: - name: - description: |- - Name must match the name of one entry in pod.spec.resourceClaims of - the Pod where this field is used. It makes that resource available - inside a container. - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. 
- More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - serviceAccountName: - description: 'Optional: set custom Service Account Name used with - OneAgent pods' - type: string - tolerations: - description: 'Optional: set tolerations for the OneAgent pods' - items: - description: |- - The pod this Toleration is attached to tolerates any taint that matches - the triple using the matching operator . - properties: - effect: - description: |- - Effect indicates the taint effect to match. Empty means match all taint effects. - When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. - type: string - key: - description: |- - Key is the taint key that the toleration applies to. Empty means match all taint keys. - If the key is empty, operator must be Exists; this combination means to match all values and all keys. - type: string - operator: - description: |- - Operator represents a key's relationship to the value. - Valid operators are Exists and Equal. Defaults to Equal. - Exists is equivalent to wildcard for value, so that a pod can - tolerate all taints of a particular category. 
- type: string - tolerationSeconds: - description: |- - TolerationSeconds represents the period of time the toleration (which must be - of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, - it is not set, which means tolerate the taint forever (do not evict). Zero and - negative values will be treated as 0 (evict immediately) by the system. - format: int64 - type: integer - value: - description: |- - Value is the taint value the toleration matches to. - If the operator is Exists, the value should be empty, otherwise just a regular string. - type: string - type: object - type: array - useImmutableImage: - description: Defines if you want to use the immutable image or - the installer - type: boolean - useUnprivilegedMode: - description: 'Optional: Runs the OneAgent Pods as unprivileged - (Early Adopter)' - type: boolean - waitReadySeconds: - description: 'Optional: Defines the time to wait until OneAgent - pod is ready after update - default 300 sec' - minimum: 0 - type: integer - type: object - customPullSecret: - description: 'Optional: Pull secret for your private registry' - type: string - enableIstio: - description: If enabled, Istio on the cluster will be configured automatically - to allow access to the Dynatrace environment - type: boolean - kubernetesMonitoring: - description: ' Configuration for Kubernetes Monitoring' - properties: - args: - description: 'Optional: Adds additional arguments for the ActiveGate - instances' - items: - type: string - type: array - customProperties: - description: |- - Optional: Add a custom properties file by providing it as a value or reference it from a secret - If referenced from a secret, make sure the key is called 'customProperties' - properties: - value: - type: string - valueFrom: - type: string - type: object - enabled: - description: Enables Capability - type: boolean - env: - description: 'Optional: List of environment variables to set for - the ActiveGate' - items: - description: 
EnvVar represents an environment variable present - in a Container. - properties: - name: - description: Name of the environment variable. Must be a - C_IDENTIFIER. - type: string - value: - description: |- - Variable references $(VAR_NAME) are expanded - using the previously defined environment variables in the container and - any service environment variables. If a variable cannot be resolved, - the reference in the input string will be unchanged. Double $$ are reduced - to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. - "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". - Escaped references will never be expanded, regardless of whether the variable - exists or not. - Defaults to "". - type: string - valueFrom: - description: Source for the environment variable's value. - Cannot be used if value is not empty. - properties: - configMapKeyRef: - description: Selects a key of a ConfigMap. - properties: - key: - description: The key to select. - type: string - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid? - type: string - optional: - description: Specify whether the ConfigMap or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - fieldRef: - description: |- - Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['']`, `metadata.annotations['']`, - spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs. - properties: - apiVersion: - description: Version of the schema the FieldPath - is written in terms of, defaults to "v1". - type: string - fieldPath: - description: Path of the field to select in the - specified API version. 
- type: string - required: - - fieldPath - type: object - x-kubernetes-map-type: atomic - resourceFieldRef: - description: |- - Selects a resource of the container: only resources limits and requests - (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported. - properties: - containerName: - description: 'Container name: required for volumes, - optional for env vars' - type: string - divisor: - anyOf: - - type: integer - - type: string - description: Specifies the output format of the - exposed resources, defaults to "1" - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - resource: - description: 'Required: resource to select' - type: string - required: - - resource - type: object - x-kubernetes-map-type: atomic - secretKeyRef: - description: Selects a key of a secret in the pod's - namespace - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid? 
- type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - required: - - name - type: object - type: array - group: - description: 'Optional: Set activation group for ActiveGate' - type: string - labels: - additionalProperties: - type: string - description: 'Optional: Adds additional labels for the ActiveGate - pods' - type: object - nodeSelector: - additionalProperties: - type: string - description: 'Optional: Node selector to control the selection - of nodes' - type: object - replicas: - description: Amount of replicas for your DynaKube - format: int32 - type: integer - resources: - description: 'Optional: define resources requests and limits for - single ActiveGate pods' - properties: - claims: - description: |- - Claims lists the names of resources, defined in spec.resourceClaims, - that are used by this container. - - - This is an alpha field and requires enabling the - DynamicResourceAllocation feature gate. - - - This field is immutable. It can only be set for containers. - items: - description: ResourceClaim references one entry in PodSpec.ResourceClaims. - properties: - name: - description: |- - Name must match the name of one entry in pod.spec.resourceClaims of - the Pod where this field is used. It makes that resource available - inside a container. - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. 
- More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - serviceAccountName: - description: 'Optional: set custom Service Account Name used with - ActiveGate pods' - type: string - tolerations: - description: 'Optional: set tolerations for the ActiveGatePods - pods' - items: - description: |- - The pod this Toleration is attached to tolerates any taint that matches - the triple using the matching operator . - properties: - effect: - description: |- - Effect indicates the taint effect to match. Empty means match all taint effects. - When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. - type: string - key: - description: |- - Key is the taint key that the toleration applies to. Empty means match all taint keys. - If the key is empty, operator must be Exists; this combination means to match all values and all keys. - type: string - operator: - description: |- - Operator represents a key's relationship to the value. - Valid operators are Exists and Equal. Defaults to Equal. - Exists is equivalent to wildcard for value, so that a pod can - tolerate all taints of a particular category. 
- type: string - tolerationSeconds: - description: |- - TolerationSeconds represents the period of time the toleration (which must be - of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, - it is not set, which means tolerate the taint forever (do not evict). Zero and - negative values will be treated as 0 (evict immediately) by the system. - format: int64 - type: integer - value: - description: |- - Value is the taint value the toleration matches to. - If the operator is Exists, the value should be empty, otherwise just a regular string. - type: string - type: object - type: array - type: object - networkZone: - description: 'Optional: Sets Network Zone for OneAgent and ActiveGate - pods' - type: string - oneAgent: - description: General configuration about OneAgent instances - properties: - autoUpdate: - description: Disable automatic restarts of OneAgent pods in case - a new version is available - type: boolean - image: - description: |- - Optional: the Dynatrace installer container image - Defaults to docker.io/dynatrace/oneagent:latest for Kubernetes and to registry.connect.redhat.com/dynatrace/oneagent for OpenShift - type: string - version: - description: |- - Optional: If specified, indicates the OneAgent version to use - Defaults to latest - Example: {major.minor.release} - 1.200.0 - type: string - type: object - proxy: - description: 'Optional: Set custom proxy settings either directly - or from a secret with the field ''proxy''' - properties: - value: - type: string - valueFrom: - type: string - type: object - routing: - description: ' Configuration for Routing' - properties: - args: - description: 'Optional: Adds additional arguments for the ActiveGate - instances' - items: - type: string - type: array - customProperties: - description: |- - Optional: Add a custom properties file by providing it as a value or reference it from a secret - If referenced from a secret, make sure the key is called 'customProperties' - 
properties: - value: - type: string - valueFrom: - type: string - type: object - enabled: - description: Enables Capability - type: boolean - env: - description: 'Optional: List of environment variables to set for - the ActiveGate' - items: - description: EnvVar represents an environment variable present - in a Container. - properties: - name: - description: Name of the environment variable. Must be a - C_IDENTIFIER. - type: string - value: - description: |- - Variable references $(VAR_NAME) are expanded - using the previously defined environment variables in the container and - any service environment variables. If a variable cannot be resolved, - the reference in the input string will be unchanged. Double $$ are reduced - to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. - "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". - Escaped references will never be expanded, regardless of whether the variable - exists or not. - Defaults to "". - type: string - valueFrom: - description: Source for the environment variable's value. - Cannot be used if value is not empty. - properties: - configMapKeyRef: - description: Selects a key of a ConfigMap. - properties: - key: - description: The key to select. - type: string - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid? - type: string - optional: - description: Specify whether the ConfigMap or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - fieldRef: - description: |- - Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['']`, `metadata.annotations['']`, - spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs. 
- properties: - apiVersion: - description: Version of the schema the FieldPath - is written in terms of, defaults to "v1". - type: string - fieldPath: - description: Path of the field to select in the - specified API version. - type: string - required: - - fieldPath - type: object - x-kubernetes-map-type: atomic - resourceFieldRef: - description: |- - Selects a resource of the container: only resources limits and requests - (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported. - properties: - containerName: - description: 'Container name: required for volumes, - optional for env vars' - type: string - divisor: - anyOf: - - type: integer - - type: string - description: Specifies the output format of the - exposed resources, defaults to "1" - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - resource: - description: 'Required: resource to select' - type: string - required: - - resource - type: object - x-kubernetes-map-type: atomic - secretKeyRef: - description: Selects a key of a secret in the pod's - namespace - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid? 
- type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - required: - - name - type: object - type: array - group: - description: 'Optional: Set activation group for ActiveGate' - type: string - labels: - additionalProperties: - type: string - description: 'Optional: Adds additional labels for the ActiveGate - pods' - type: object - nodeSelector: - additionalProperties: - type: string - description: 'Optional: Node selector to control the selection - of nodes' - type: object - replicas: - description: Amount of replicas for your DynaKube - format: int32 - type: integer - resources: - description: 'Optional: define resources requests and limits for - single ActiveGate pods' - properties: - claims: - description: |- - Claims lists the names of resources, defined in spec.resourceClaims, - that are used by this container. - - - This is an alpha field and requires enabling the - DynamicResourceAllocation feature gate. - - - This field is immutable. It can only be set for containers. - items: - description: ResourceClaim references one entry in PodSpec.ResourceClaims. - properties: - name: - description: |- - Name must match the name of one entry in pod.spec.resourceClaims of - the Pod where this field is used. It makes that resource available - inside a container. - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. 
- More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - serviceAccountName: - description: 'Optional: set custom Service Account Name used with - ActiveGate pods' - type: string - tolerations: - description: 'Optional: set tolerations for the ActiveGatePods - pods' - items: - description: |- - The pod this Toleration is attached to tolerates any taint that matches - the triple using the matching operator . - properties: - effect: - description: |- - Effect indicates the taint effect to match. Empty means match all taint effects. - When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. - type: string - key: - description: |- - Key is the taint key that the toleration applies to. Empty means match all taint keys. - If the key is empty, operator must be Exists; this combination means to match all values and all keys. - type: string - operator: - description: |- - Operator represents a key's relationship to the value. - Valid operators are Exists and Equal. Defaults to Equal. - Exists is equivalent to wildcard for value, so that a pod can - tolerate all taints of a particular category. 
- type: string - tolerationSeconds: - description: |- - TolerationSeconds represents the period of time the toleration (which must be - of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, - it is not set, which means tolerate the taint forever (do not evict). Zero and - negative values will be treated as 0 (evict immediately) by the system. - format: int64 - type: integer - value: - description: |- - Value is the taint value the toleration matches to. - If the operator is Exists, the value should be empty, otherwise just a regular string. - type: string - type: object - type: array - type: object - skipCertCheck: - description: Disable certificate validation checks for installer download - and API communication - type: boolean - tokens: - description: Credentials for the DynaKube to connect back to Dynatrace. - type: string - trustedCAs: - description: |- - Optional: Adds custom RootCAs from a configmap - This property only affects certificates used to communicate with the Dynatrace API. - The property is not applied to the ActiveGate - type: string - required: - - apiUrl - type: object - status: - description: DynaKubeStatus defines the observed state of DynaKube - properties: - activeGate: - properties: - imageHash: - description: ImageHash contains the last image hash seen. - type: string - imageVersion: - description: ImageVersion contains the version from the last image - seen. - type: string - lastImageProbeTimestamp: - description: LastImageProbeTimestamp defines the last timestamp - when the querying for image updates have been done. - format: date-time - type: string - type: object - conditions: - description: Conditions includes status about the current state of - the instance - items: - description: "Condition contains details for one aspect of the current - state of this API Resource.\n---\nThis struct is intended for - direct use as an array at the field path .status.conditions. 
For - example,\n\n\n\ttype FooStatus struct{\n\t // Represents the - observations of a foo's current state.\n\t // Known .status.conditions.type - are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // - +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t - \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" - patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t - \ // other fields\n\t}" - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. 
- enum: - - "True" - - "False" - - Unknown - type: string - type: - description: |- - type of condition in CamelCase or in foo.example.com/CamelCase. - --- - Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be - useful (see .node.status.conditions), the ability to deconflict is important. - The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - environmentID: - description: EnvironmentID contains the environment UUID corresponding - to the API URL - type: string - lastAPITokenProbeTimestamp: - description: LastAPITokenProbeTimestamp tracks when the last request - for the API token validity was sent - format: date-time - type: string - lastClusterVersionProbeTimestamp: - description: LastClusterVersionProbeTimestamp indicates when the cluster's - version was last checked - format: date-time - type: string - lastPaaSTokenProbeTimestamp: - description: LastPaaSTokenProbeTimestamp tracks when the last request - for the PaaS token validity was sent - format: date-time - type: string - oneAgent: - properties: - imageHash: - description: ImageHash contains the last image hash seen. - type: string - imageVersion: - description: ImageVersion contains the version from the last image - seen. - type: string - instances: - additionalProperties: - properties: - ipAddress: - type: string - podName: - type: string - version: - type: string - type: object - type: object - lastImageProbeTimestamp: - description: LastImageProbeTimestamp defines the last timestamp - when the querying for image updates have been done. 
- format: date-time - type: string - lastUpdateProbeTimestamp: - description: LastUpdateProbeTimestamp defines the last timestamp - when the querying for updates have been done - format: date-time - type: string - useImmutableImage: - description: UseImmutableImage is set when an immutable image - is currently in use - type: boolean - version: - description: Dynatrace version being used. - type: string - type: object - phase: - description: Defines the current state (Running, Updating, Error, - ...) - type: string - tokens: - description: Credentials used to connect back to Dynatrace. - type: string - updatedTimestamp: - description: UpdatedTimestamp indicates when the instance was last - updated - format: date-time - type: string - type: object - type: object - served: true - storage: false - subresources: - status: {} - additionalPrinterColumns: - jsonPath: .spec.apiUrl name: ApiUrl @@ -1173,10 +131,15 @@ spec: description: The key to select. type: string name: + default: "" description: |- Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. type: string optional: description: Specify whether the ConfigMap or its 
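Review bot: The regenerated `name` schema in this hunk (and the identically shaped ones at `@@ -1236`, `@@ -1634`, `@@ -1697`, `@@ -2207`, `@@ -2270`, `@@ -2478`, `@@ -2541`, `@@ -2804`, `@@ -2867`, `@@ -3075` and `@@ -3138`) adds `default: ""` with no `minLength`, so a `configMapKeyRef`/`secretKeyRef` that omits `name` now passes admission and reaches the operator as an empty referent that the new description itself calls "almost certainly wrong". Before this change an omitted name was simply absent; after it the API server materialises `""`, so any operator code that treated a missing name as "not configured" (falling back to a default secret, for example) needs checking, because it will now see an empty string instead — that code is outside this diff. If this file is controller-gen output mirroring the upstream Kubernetes types it should not be hand-edited, which leaves the operator's reconcile or webhook validation as the place to reject an empty `name` before a lookup is attempted; this commit does not touch that. A short note in the chart's upgrade documentation, e.g. `ConfigMap/Secret key references with an empty name now validate at the API server; the operator is responsible for rejecting them.`, would make the new contract visible to chart consumers.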
@@ -1236,10 +199,15 @@ spec: be a valid secret key. type: string name: + default: "" description: |- Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. type: string optional: description: Specify whether the Secret or its key @@ -1420,11 +388,13 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string @@ -1495,9 +465,6 @@ spec: In this situation, new pod with the same labelSelector cannot be scheduled, because computed skew will be 3(3 - 0) if new Pod is scheduled to any of the three zones, it will violate MaxSkew. - - - This is a beta field and requires the MinDomainsInPodTopologySpread feature gate to be enabled (enabled by default). format: int32 type: integer nodeAffinityPolicy: 
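Review bot: The `x-kubernetes-list-type: atomic` added in the `@@ -1420` hunk to the label-selector `values` and `matchExpressions` arrays (the `required: key, operator` block identifies them), and in the same shape at `@@ -1870`, `@@ -2045` and `@@ -3311`, changes server-side-apply merge semantics: a list that was previously merged per element is now replaced wholesale by whichever field manager applies last. Existing objects whose selectors are co-owned by more than one applier (a GitOps controller plus a manual `kubectl apply`, say) can therefore silently lose selector entries on the first apply after the chart upgrade, and nothing in this diff calls that out. Since the schema appears to mirror the upstream `metav1.LabelSelector` definition it should not be hand-edited, but the chart's upgrade notes should mention it; something like `Selector lists are now atomic (x-kubernetes-list-type: atomic): re-apply the full selector rather than patching single entries.` would do.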
@@ -1634,10 +601,15 @@ spec: description: The key to select. type: string name: + default: "" description: |- Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. type: string optional: description: Specify whether the ConfigMap or its @@ -1697,10 +669,15 @@ spec: be a valid secret key. type: string name: + default: "" description: |- Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. type: string optional: description: Specify whether the Secret or its key @@ -1870,11 +847,13 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string 
@@ -1945,9 +924,6 @@ spec: In this situation, new pod with the same labelSelector cannot be scheduled, because computed skew will be 3(3 - 0) if new Pod is scheduled to any of the three zones, it will violate MaxSkew. - - - This is a beta field and requires the MinDomainsInPodTopologySpread feature gate to be enabled (enabled by default). format: int32 type: integer nodeAffinityPolicy: @@ -2045,11 +1021,13 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string @@ -2207,10 +1185,15 @@ spec: description: The key to select. type: string name: + default: "" description: |- Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. type: string optional: description: Specify whether the ConfigMap or 
@@ -2270,10 +1253,15 @@ spec: from. Must be a valid secret key. type: string name: + default: "" description: |- Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. type: string optional: description: Specify whether the Secret or its @@ -2478,10 +1466,15 @@ spec: description: The key to select. type: string name: + default: "" description: |- Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. type: string optional: description: Specify whether the ConfigMap or 
@@ -2541,10 +1534,15 @@ spec: from. Must be a valid secret key. type: string name: + default: "" description: |- Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. type: string optional: description: Specify whether the Secret or its @@ -2804,10 +1802,15 @@ spec: description: The key to select. type: string name: + default: "" description: |- Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. type: string optional: description: Specify whether the ConfigMap or 
@@ -2867,10 +1870,15 @@ spec: from. Must be a valid secret key. type: string name: + default: "" description: |- Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. type: string optional: description: Specify whether the Secret or its @@ -3075,10 +2083,15 @@ spec: description: The key to select. type: string name: + default: "" description: |- Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. type: string optional: description: Specify whether the ConfigMap or its 
@@ -3138,10 +2151,15 @@ spec: be a valid secret key. type: string name: + default: "" description: |- Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. type: string optional: description: Specify whether the Secret or its key @@ -3311,11 +2329,13 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string @@ -3386,9 +2406,6 @@ spec: In this situation, new pod with the same labelSelector cannot be scheduled, because computed skew will be 3(3 - 0) if new Pod is scheduled to any of the three zones, it will violate MaxSkew. - - - This is a beta field and requires the MinDomainsInPodTopologySpread feature gate to be enabled (enabled by default). format: int32 type: integer nodeAffinityPolicy: 
@@ -3711,6 +2728,1942 @@ spec: type: object type: object served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .spec.apiUrl + name: ApiUrl + type: string + - jsonPath: .status.phase + name: Status + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta2 + schema: + openAPIV3Schema: + description: DynaKube is the Schema for the DynaKube API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: DynaKubeSpec defines the desired state of DynaKube + properties: + activeGate: + description: General configuration about ActiveGate instances. + properties: + annotations: + additionalProperties: + type: string + description: Adds additional annotations to the ActiveGate pods + type: object + capabilities: + description: Activegate capabilities enabled (routing, kubernetes-monitoring, + metrics-ingest, dynatrace-api) + items: + type: string + type: array + customProperties: + description: |- + Add a custom properties file by providing it as a value or reference it from a secret + If referenced from a secret, make sure the key is called 'customProperties' + properties: + value: + description: Custom properties value. + nullable: true + type: string + valueFrom: + description: Custom properties secret. 
+ nullable: true + type: string + type: object + dnsPolicy: + description: Sets DNS Policy for the ActiveGate pods + type: string + env: + description: List of environment variables to set for the ActiveGate + items: + description: EnvVar represents an environment variable present + in a Container. + properties: + name: + description: Name of the environment variable. Must be a + C_IDENTIFIER. + type: string + value: + description: |- + Variable references $(VAR_NAME) are expanded + using the previously defined environment variables in the container and + any service environment variables. If a variable cannot be resolved, + the reference in the input string will be unchanged. Double $$ are reduced + to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. + "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". + Escaped references will never be expanded, regardless of whether the variable + exists or not. + Defaults to "". + type: string + valueFrom: + description: Source for the environment variable's value. + Cannot be used if value is not empty. + properties: + configMapKeyRef: + description: Selects a key of a ConfigMap. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. 
+ type: string + optional: + description: Specify whether the ConfigMap or its + key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + fieldRef: + description: |- + Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['']`, `metadata.annotations['']`, + spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs. + properties: + apiVersion: + description: Version of the schema the FieldPath + is written in terms of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to select in the + specified API version. + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + resourceFieldRef: + description: |- + Selects a resource of the container: only resources limits and requests + (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported. + properties: + containerName: + description: 'Container name: required for volumes, + optional for env vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output format of the + exposed resources, defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + secretKeyRef: + description: Selects a key of a secret in the pod's + namespace + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. 
Instances of this type with an empty value here are + almost certainly wrong. + TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. + type: string + optional: + description: Specify whether the Secret or its key + must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + required: + - name + type: object + type: array + group: + description: Set activation group for ActiveGate + type: string + image: + description: The ActiveGate container image. Defaults to the latest + ActiveGate image provided by the registry on the tenant + type: string + labels: + additionalProperties: + type: string + description: Adds additional labels for the ActiveGate pods + type: object + nodeSelector: + additionalProperties: + type: string + description: Node selector to control the selection of nodes + type: object + priorityClassName: + description: |- + If specified, indicates the pod's priority. Name must be defined by creating a PriorityClass object with that + name. If not specified the setting will be removed from the StatefulSet. + type: string + replicas: + default: 1 + description: Amount of replicas for your ActiveGates + format: int32 + type: integer + resources: + description: Define resources requests and limits for single ActiveGate + pods + properties: + claims: + description: |- + Claims lists the names of resources, defined in spec.resourceClaims, + that are used by this container. + + + This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. + + + This field is immutable. It can only be set for containers. + items: + description: ResourceClaim references one entry in PodSpec.ResourceClaims. 
+ properties: + name: + description: |- + Name must match the name of one entry in pod.spec.resourceClaims of + the Pod where this field is used. It makes that resource available + inside a container. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + type: object + tlsSecretName: + description: |- + The name of a secret containing ActiveGate TLS cert+key and password. If not set, self-signed certificate is used. + server.p12: certificate+key pair in pkcs12 format + password: passphrase to read server.p12 + type: string + tolerations: + description: Set tolerations for the ActiveGate pods + items: + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . + properties: + effect: + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. 
+ When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. + type: string + operator: + description: |- + Operator represents a key's relationship to the value. + Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. + type: string + tolerationSeconds: + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. + format: int64 + type: integer + value: + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. + type: string + type: object + type: array + topologySpreadConstraints: + description: Adds TopologySpreadConstraints for the ActiveGate + pods + items: + description: TopologySpreadConstraint specifies how to spread + matching pods among the given topology. + properties: + labelSelector: + description: |- + LabelSelector is used to find matching pods. + Pods that match this label selector are counted to determine the number of pods + in their corresponding topology domain. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. 
+ properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select the pods over which + spreading will be calculated. The keys are used to lookup values from the + incoming pod labels, those key-value labels are ANDed with labelSelector + to select the group of existing pods over which spreading will be calculated + for the incoming pod. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + MatchLabelKeys cannot be set when LabelSelector isn't set. + Keys that don't exist in the incoming pod labels will + be ignored. A null or empty list means only match against labelSelector. + + + This is a beta field and requires the MatchLabelKeysInPodTopologySpread feature gate to be enabled (enabled by default). 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + maxSkew: + description: |- + MaxSkew describes the degree to which pods may be unevenly distributed. + When `whenUnsatisfiable=DoNotSchedule`, it is the maximum permitted difference + between the number of matching pods in the target topology and the global minimum. + The global minimum is the minimum number of matching pods in an eligible domain + or zero if the number of eligible domains is less than MinDomains. + For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same + labelSelector spread as 2/2/1: + In this case, the global minimum is 1. + | zone1 | zone2 | zone3 | + | P P | P P | P | + - if MaxSkew is 1, incoming pod can only be scheduled to zone3 to become 2/2/2; + scheduling it onto zone1(zone2) would make the ActualSkew(3-1) on zone1(zone2) + violate MaxSkew(1). + - if MaxSkew is 2, incoming pod can be scheduled onto any zone. + When `whenUnsatisfiable=ScheduleAnyway`, it is used to give higher precedence + to topologies that satisfy it. + It's a required field. Default value is 1 and 0 is not allowed. + format: int32 + type: integer + minDomains: + description: |- + MinDomains indicates a minimum number of eligible domains. + When the number of eligible domains with matching topology keys is less than minDomains, + Pod Topology Spread treats "global minimum" as 0, and then the calculation of Skew is performed. + And when the number of eligible domains with matching topology keys equals or greater than minDomains, + this value has no effect on scheduling. + As a result, when the number of eligible domains is less than minDomains, + scheduler won't schedule more than maxSkew Pods to those domains. + If value is nil, the constraint behaves as if MinDomains is equal to 1. + Valid values are integers greater than 0. + When value is not nil, WhenUnsatisfiable must be DoNotSchedule. 
+ + + For example, in a 3-zone cluster, MaxSkew is set to 2, MinDomains is set to 5 and pods with the same + labelSelector spread as 2/2/2: + | zone1 | zone2 | zone3 | + | P P | P P | P P | + The number of domains is less than 5(MinDomains), so "global minimum" is treated as 0. + In this situation, new pod with the same labelSelector cannot be scheduled, + because computed skew will be 3(3 - 0) if new Pod is scheduled to any of the three zones, + it will violate MaxSkew. + format: int32 + type: integer + nodeAffinityPolicy: + description: |- + NodeAffinityPolicy indicates how we will treat Pod's nodeAffinity/nodeSelector + when calculating pod topology spread skew. Options are: + - Honor: only nodes matching nodeAffinity/nodeSelector are included in the calculations. + - Ignore: nodeAffinity/nodeSelector are ignored. All nodes are included in the calculations. + + + If this value is nil, the behavior is equivalent to the Honor policy. + This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag. + type: string + nodeTaintsPolicy: + description: |- + NodeTaintsPolicy indicates how we will treat node taints when calculating + pod topology spread skew. Options are: + - Honor: nodes without taints, along with tainted nodes for which the incoming pod + has a toleration, are included. + - Ignore: node taints are ignored. All nodes are included. + + + If this value is nil, the behavior is equivalent to the Ignore policy. + This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag. + type: string + topologyKey: + description: |- + TopologyKey is the key of node labels. Nodes that have a label with this key + and identical values are considered to be in the same topology. + We consider each as a "bucket", and try to put balanced number + of pods into each bucket. + We define a domain as a particular instance of a topology. 
+ Also, we define an eligible domain as a domain whose nodes meet the requirements of + nodeAffinityPolicy and nodeTaintsPolicy. + e.g. If TopologyKey is "kubernetes.io/hostname", each Node is a domain of that topology. + And, if TopologyKey is "topology.kubernetes.io/zone", each zone is a domain of that topology. + It's a required field. + type: string + whenUnsatisfiable: + description: |- + WhenUnsatisfiable indicates how to deal with a pod if it doesn't satisfy + the spread constraint. + - DoNotSchedule (default) tells the scheduler not to schedule it. + - ScheduleAnyway tells the scheduler to schedule the pod in any location, + but giving higher precedence to topologies that would help reduce the + skew. + A constraint is considered "Unsatisfiable" for an incoming pod + if and only if every possible node assignment for that pod would violate + "MaxSkew" on some topology. + For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same + labelSelector spread as 3/1/1: + | zone1 | zone2 | zone3 | + | P P P | P | P | + If WhenUnsatisfiable is set to DoNotSchedule, incoming pod can only be scheduled + to zone2(zone3) to become 3/2/1(3/1/2) as ActualSkew(2-1) on zone2(zone3) satisfies + MaxSkew(1). In other words, the cluster can still be imbalanced, but scheduler + won't make it *more* imbalanced. + It's a required field. + type: string + required: + - maxSkew + - topologyKey + - whenUnsatisfiable + type: object + type: array + type: object + apiUrl: + description: |- + Dynatrace apiUrl, including the /api path at the end. For SaaS, set YOUR_ENVIRONMENT_ID to your environment ID. For Managed, change the apiUrl address. + For instructions on how to determine the environment ID and how to configure the apiUrl address, see Environment ID (https://www.dynatrace.com/support/help/get-started/monitoring-environment/environment-id). 
+ type: string + customPullSecret: + description: |- + Defines a custom pull secret in case you use a private registry when pulling images from the Dynatrace environment. + To define a custom pull secret and learn about the expected behavior, see Configure customPullSecret + (https://www.dynatrace.com/support/help/setup-and-configuration/setup-on-container-platforms/kubernetes/get-started-with-kubernetes-monitoring/dto-config-options-k8s#custompullsecret). + type: string + dynatraceApiRequestThreshold: + default: 15 + description: Configuration for thresholding Dynatrace API requests. + type: integer + enableIstio: + description: |- + When enabled, and if Istio is installed on the Kubernetes environment, Dynatrace Operator will create the corresponding + VirtualService and ServiceEntry objects to allow access to the Dynatrace Cluster from the OneAgent or ActiveGate. + Disabled by default. + type: boolean + metadataEnrichment: + description: Configuration for Metadata Enrichment. + properties: + enabled: + default: true + description: Enables MetadataEnrichment, `true` by default. + type: boolean + namespaceSelector: + description: The namespaces where you want Dynatrace Operator + to inject enrichment. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. 
This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + required: + - enabled + type: object + networkZone: + description: Sets a network zone for the OneAgent and ActiveGate pods. + type: string + oneAgent: + description: |- + General configuration about OneAgent instances. + You can't enable more than one module (classicFullStack, cloudNativeFullStack, hostMonitoring, or applicationMonitoring). + properties: + applicationMonitoring: + description: |- + dynatrace-webhook injects into application pods based on labeled namespaces. + Has an optional CSI driver per node via DaemonSet to provide binaries to pods. + nullable: true + properties: + codeModulesImage: + description: The OneAgent image that is used to inject into + Pods. + type: string + initResources: + description: |- + Define resources requests and limits for the initContainer. For details, see Managing resources for containers + (https://kubernetes.io/docs/concepts/configuration/manage-resources-containers). + properties: + claims: + description: |- + Claims lists the names of resources, defined in spec.resourceClaims, + that are used by this container. + + + This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. + + + This field is immutable. It can only be set for containers. + items: + description: ResourceClaim references one entry in PodSpec.ResourceClaims. 
+ properties: + name: + description: |- + Name must match the name of one entry in pod.spec.resourceClaims of + the Pod where this field is used. It makes that resource available + inside a container. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + type: object + namespaceSelector: + description: |- + Applicable only for applicationMonitoring or cloudNativeFullStack configuration types. The namespaces where you want Dynatrace Operator to inject. + For more information, see Configure monitoring for namespaces and pods (https://www.dynatrace.com/support/help/setup-and-configuration/setup-on-container-platforms/kubernetes/get-started-with-kubernetes-monitoring/dto-config-options-k8s#annotate). + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. 
+ items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + useCSIDriver: + default: false + description: Set if you want to use the CSIDriver. Don't enable + it if you do not have access to Kubernetes nodes or if you + lack privileges. + type: boolean + version: + description: The OneAgent version to be used. + type: string + type: object + classicFullStack: + description: |- + Has a single OneAgent per node via DaemonSet. + Injection is performed via the same OneAgent DaemonSet. + nullable: true + properties: + annotations: + additionalProperties: + type: string + description: Add custom OneAgent annotations. + type: object + args: + description: |- + Set additional arguments to the OneAgent installer. 
+ For available options, see Linux custom installation (https://www.dynatrace.com/support/help/setup-and-configuration/dynatrace-oneagent/installation-and-operation/linux/installation/customize-oneagent-installation-on-linux). + For the list of limitations, see Limitations (https://www.dynatrace.com/support/help/setup-and-configuration/setup-on-container-platforms/docker/set-up-dynatrace-oneagent-as-docker-container#limitations). + items: + type: string + type: array + x-kubernetes-list-type: set + autoUpdate: + default: true + description: |- + Disables automatic restarts of OneAgent pods in case a new version is available (https://www.dynatrace.com/support/help/setup-and-configuration/setup-on-container-platforms/kubernetes/get-started-with-kubernetes-monitoring#disable-auto). + Enabled by default. + type: boolean + dnsPolicy: + description: Set the DNS Policy for OneAgent pods. For details, + see Pods DNS Policy (https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy). + type: string + env: + description: Set additional environment variables for the + OneAgent pods. + items: + description: EnvVar represents an environment variable present + in a Container. + properties: + name: + description: Name of the environment variable. Must + be a C_IDENTIFIER. + type: string + value: + description: |- + Variable references $(VAR_NAME) are expanded + using the previously defined environment variables in the container and + any service environment variables. If a variable cannot be resolved, + the reference in the input string will be unchanged. Double $$ are reduced + to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. + "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". + Escaped references will never be expanded, regardless of whether the variable + exists or not. + Defaults to "". + type: string + valueFrom: + description: Source for the environment variable's value. + Cannot be used if value is not empty. 
+ properties: + configMapKeyRef: + description: Selects a key of a ConfigMap. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. + type: string + optional: + description: Specify whether the ConfigMap or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + fieldRef: + description: |- + Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['']`, `metadata.annotations['']`, + spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs. + properties: + apiVersion: + description: Version of the schema the FieldPath + is written in terms of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to select in + the specified API version. + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + resourceFieldRef: + description: |- + Selects a resource of the container: only resources limits and requests + (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported. 
+ properties: + containerName: + description: 'Container name: required for volumes, + optional for env vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output format of + the exposed resources, defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + secretKeyRef: + description: Selects a key of a secret in the pod's + namespace + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. + type: string + optional: + description: Specify whether the Secret or its + key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + required: + - name + type: object + type: array + image: + description: Use a custom OneAgent Docker image. Defaults + to the image from the Dynatrace cluster. + type: string + labels: + additionalProperties: + type: string + description: Your defined labels for OneAgent pods in order + to structure workloads as desired. + type: object + nodeSelector: + additionalProperties: + type: string + description: Specify the node selector that controls on which + nodes OneAgent will be deployed. 
+ type: object + oneAgentResources: + description: |- + Resource settings for OneAgent container. Consumption of the OneAgent heavily depends on the workload to monitor. You can use the default settings in the CR. + Note: resource.requests shows the values needed to run; resource.limits shows the maximum limits for the pod. + properties: + claims: + description: |- + Claims lists the names of resources, defined in spec.resourceClaims, + that are used by this container. + + + This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. + + + This field is immutable. It can only be set for containers. + items: + description: ResourceClaim references one entry in PodSpec.ResourceClaims. + properties: + name: + description: |- + Name must match the name of one entry in pod.spec.resourceClaims of + the Pod where this field is used. It makes that resource available + inside a container. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. 
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + type: object + priorityClassName: + description: |- + Assign a priority class to the OneAgent pods. By default, no class is set. + For details, see Pod Priority and Preemption (https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/). + type: string + secCompProfile: + description: The SecComp Profile that will be configured in + order to run in secure computing mode. + type: string + tolerations: + description: Tolerations to include with the OneAgent DaemonSet. + For details, see Taints and Tolerations (https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/). + items: + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . + properties: + effect: + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. + type: string + operator: + description: |- + Operator represents a key's relationship to the value. + Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. + type: string + tolerationSeconds: + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. 
+ format: int64 + type: integer + value: + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. + type: string + type: object + type: array + version: + description: The OneAgent version to be used. + type: string + type: object + cloudNativeFullStack: + description: |- + Has a single OneAgent per node via DaemonSet. + dynatrace-webhook injects into application pods based on labeled namespaces. + Has a CSI driver per node via DaemonSet to provide binaries to pods. + nullable: true + properties: + annotations: + additionalProperties: + type: string + description: Add custom OneAgent annotations. + type: object + args: + description: |- + Set additional arguments to the OneAgent installer. + For available options, see Linux custom installation (https://www.dynatrace.com/support/help/setup-and-configuration/dynatrace-oneagent/installation-and-operation/linux/installation/customize-oneagent-installation-on-linux). + For the list of limitations, see Limitations (https://www.dynatrace.com/support/help/setup-and-configuration/setup-on-container-platforms/docker/set-up-dynatrace-oneagent-as-docker-container#limitations). + items: + type: string + type: array + x-kubernetes-list-type: set + autoUpdate: + default: true + description: |- + Disables automatic restarts of OneAgent pods in case a new version is available (https://www.dynatrace.com/support/help/setup-and-configuration/setup-on-container-platforms/kubernetes/get-started-with-kubernetes-monitoring#disable-auto). + Enabled by default. + type: boolean + codeModulesImage: + description: The OneAgent image that is used to inject into + Pods. + type: string + dnsPolicy: + description: Set the DNS Policy for OneAgent pods. For details, + see Pods DNS Policy (https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy). 
+ type: string + env: + description: Set additional environment variables for the + OneAgent pods. + items: + description: EnvVar represents an environment variable present + in a Container. + properties: + name: + description: Name of the environment variable. Must + be a C_IDENTIFIER. + type: string + value: + description: |- + Variable references $(VAR_NAME) are expanded + using the previously defined environment variables in the container and + any service environment variables. If a variable cannot be resolved, + the reference in the input string will be unchanged. Double $$ are reduced + to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. + "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". + Escaped references will never be expanded, regardless of whether the variable + exists or not. + Defaults to "". + type: string + valueFrom: + description: Source for the environment variable's value. + Cannot be used if value is not empty. + properties: + configMapKeyRef: + description: Selects a key of a ConfigMap. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. 
+ type: string + optional: + description: Specify whether the ConfigMap or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + fieldRef: + description: |- + Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['']`, `metadata.annotations['']`, + spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs. + properties: + apiVersion: + description: Version of the schema the FieldPath + is written in terms of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to select in + the specified API version. + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + resourceFieldRef: + description: |- + Selects a resource of the container: only resources limits and requests + (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported. + properties: + containerName: + description: 'Container name: required for volumes, + optional for env vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output format of + the exposed resources, defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + secretKeyRef: + description: Selects a key of a secret in the pod's + namespace + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. 
Instances of this type with an empty value here are + almost certainly wrong. + TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. + type: string + optional: + description: Specify whether the Secret or its + key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + required: + - name + type: object + type: array + image: + description: Use a custom OneAgent Docker image. Defaults + to the image from the Dynatrace cluster. + type: string + initResources: + description: |- + Define resources requests and limits for the initContainer. For details, see Managing resources for containers + (https://kubernetes.io/docs/concepts/configuration/manage-resources-containers). + properties: + claims: + description: |- + Claims lists the names of resources, defined in spec.resourceClaims, + that are used by this container. + + + This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. + + + This field is immutable. It can only be set for containers. + items: + description: ResourceClaim references one entry in PodSpec.ResourceClaims. + properties: + name: + description: |- + Name must match the name of one entry in pod.spec.resourceClaims of + the Pod where this field is used. It makes that resource available + inside a container. 
+ type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + type: object + labels: + additionalProperties: + type: string + description: Your defined labels for OneAgent pods in order + to structure workloads as desired. + type: object + namespaceSelector: + description: |- + Applicable only for applicationMonitoring or cloudNativeFullStack configuration types. The namespaces where you want Dynatrace Operator to inject. + For more information, see Configure monitoring for namespaces and pods (https://www.dynatrace.com/support/help/setup-and-configuration/setup-on-container-platforms/kubernetes/get-started-with-kubernetes-monitoring/dto-config-options-k8s#annotate). + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. 
+ items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + nodeSelector: + additionalProperties: + type: string + description: Specify the node selector that controls on which + nodes OneAgent will be deployed. + type: object + oneAgentResources: + description: |- + Resource settings for OneAgent container. Consumption of the OneAgent heavily depends on the workload to monitor. You can use the default settings in the CR. + Note: resource.requests shows the values needed to run; resource.limits shows the maximum limits for the pod. + properties: + claims: + description: |- + Claims lists the names of resources, defined in spec.resourceClaims, + that are used by this container. + + + This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. 
+ + + This field is immutable. It can only be set for containers. + items: + description: ResourceClaim references one entry in PodSpec.ResourceClaims. + properties: + name: + description: |- + Name must match the name of one entry in pod.spec.resourceClaims of + the Pod where this field is used. It makes that resource available + inside a container. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + type: object + priorityClassName: + description: |- + Assign a priority class to the OneAgent pods. By default, no class is set. + For details, see Pod Priority and Preemption (https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/). + type: string + secCompProfile: + description: The SecComp Profile that will be configured in + order to run in secure computing mode. 
+ type: string + tolerations: + description: Tolerations to include with the OneAgent DaemonSet. + For details, see Taints and Tolerations (https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/). + items: + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . + properties: + effect: + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. + type: string + operator: + description: |- + Operator represents a key's relationship to the value. + Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. + type: string + tolerationSeconds: + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. + format: int64 + type: integer + value: + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. + type: string + type: object + type: array + version: + description: The OneAgent version to be used. + type: string + type: object + hostGroup: + description: Sets a host group for OneAgent. + type: string + hostMonitoring: + description: |- + Has a single OneAgent per node via DaemonSet. + Doesn't inject into application pods. 
+ nullable: true + properties: + annotations: + additionalProperties: + type: string + description: Add custom OneAgent annotations. + type: object + args: + description: |- + Set additional arguments to the OneAgent installer. + For available options, see Linux custom installation (https://www.dynatrace.com/support/help/setup-and-configuration/dynatrace-oneagent/installation-and-operation/linux/installation/customize-oneagent-installation-on-linux). + For the list of limitations, see Limitations (https://www.dynatrace.com/support/help/setup-and-configuration/setup-on-container-platforms/docker/set-up-dynatrace-oneagent-as-docker-container#limitations). + items: + type: string + type: array + x-kubernetes-list-type: set + autoUpdate: + default: true + description: |- + Disables automatic restarts of OneAgent pods in case a new version is available (https://www.dynatrace.com/support/help/setup-and-configuration/setup-on-container-platforms/kubernetes/get-started-with-kubernetes-monitoring#disable-auto). + Enabled by default. + type: boolean + dnsPolicy: + description: Set the DNS Policy for OneAgent pods. For details, + see Pods DNS Policy (https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy). + type: string + env: + description: Set additional environment variables for the + OneAgent pods. + items: + description: EnvVar represents an environment variable present + in a Container. + properties: + name: + description: Name of the environment variable. Must + be a C_IDENTIFIER. + type: string + value: + description: |- + Variable references $(VAR_NAME) are expanded + using the previously defined environment variables in the container and + any service environment variables. If a variable cannot be resolved, + the reference in the input string will be unchanged. Double $$ are reduced + to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. + "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". 
+ Escaped references will never be expanded, regardless of whether the variable + exists or not. + Defaults to "". + type: string + valueFrom: + description: Source for the environment variable's value. + Cannot be used if value is not empty. + properties: + configMapKeyRef: + description: Selects a key of a ConfigMap. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. + type: string + optional: + description: Specify whether the ConfigMap or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + fieldRef: + description: |- + Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['']`, `metadata.annotations['']`, + spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs. + properties: + apiVersion: + description: Version of the schema the FieldPath + is written in terms of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to select in + the specified API version. + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + resourceFieldRef: + description: |- + Selects a resource of the container: only resources limits and requests + (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported. 
+ properties: + containerName: + description: 'Container name: required for volumes, + optional for env vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output format of + the exposed resources, defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + secretKeyRef: + description: Selects a key of a secret in the pod's + namespace + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. + type: string + optional: + description: Specify whether the Secret or its + key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + required: + - name + type: object + type: array + image: + description: Use a custom OneAgent Docker image. Defaults + to the image from the Dynatrace cluster. + type: string + labels: + additionalProperties: + type: string + description: Your defined labels for OneAgent pods in order + to structure workloads as desired. + type: object + nodeSelector: + additionalProperties: + type: string + description: Specify the node selector that controls on which + nodes OneAgent will be deployed. 
+ type: object + oneAgentResources: + description: |- + Resource settings for OneAgent container. Consumption of the OneAgent heavily depends on the workload to monitor. You can use the default settings in the CR. + Note: resource.requests shows the values needed to run; resource.limits shows the maximum limits for the pod. + properties: + claims: + description: |- + Claims lists the names of resources, defined in spec.resourceClaims, + that are used by this container. + + + This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. + + + This field is immutable. It can only be set for containers. + items: + description: ResourceClaim references one entry in PodSpec.ResourceClaims. + properties: + name: + description: |- + Name must match the name of one entry in pod.spec.resourceClaims of + the Pod where this field is used. It makes that resource available + inside a container. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. 
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + type: object + priorityClassName: + description: |- + Assign a priority class to the OneAgent pods. By default, no class is set. + For details, see Pod Priority and Preemption (https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/). + type: string + secCompProfile: + description: The SecComp Profile that will be configured in + order to run in secure computing mode. + type: string + tolerations: + description: Tolerations to include with the OneAgent DaemonSet. + For details, see Taints and Tolerations (https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/). + items: + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . + properties: + effect: + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. + type: string + operator: + description: |- + Operator represents a key's relationship to the value. + Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. + type: string + tolerationSeconds: + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. 
+ format: int64 + type: integer + value: + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. + type: string + type: object + type: array + version: + description: The OneAgent version to be used. + type: string + type: object + type: object + proxy: + description: |- + Set custom proxy settings either directly or from a secret with the field proxy. + Note: Applies to Dynatrace Operator, ActiveGate, and OneAgents. + properties: + value: + description: Proxy URL. It has preference over ValueFrom. + nullable: true + type: string + valueFrom: + description: Secret containing proxy URL. + nullable: true + type: string + type: object + skipCertCheck: + description: |- + Disable certificate check for the connection between Dynatrace Operator and the Dynatrace Cluster. + Set to true if you want to skip certification validation checks. + type: boolean + tokens: + description: Name of the secret holding the tokens used for connecting + to Dynatrace. + type: string + trustedCAs: + description: |- + Adds custom RootCAs from a configmap. Put the certificate under certs within your configmap. + Note: Applies to Dynatrace Operator, OneAgent and ActiveGate. 
+ type: string + required: + - apiUrl + type: object + status: + description: DynaKubeStatus defines the observed state of DynaKube + properties: + activeGate: + description: Observed state of ActiveGate + properties: + connectionInfoStatus: + description: Information about Active Gate's connections + properties: + endpoints: + description: Available connection endpoints + type: string + lastRequest: + description: Time of the last connection request + format: date-time + type: string + tenantUUID: + description: UUID of the tenant, received from the tenant + type: string + type: object + imageID: + description: Image ID + type: string + lastProbeTimestamp: + description: Indicates when the last check for a new version was + performed + format: date-time + type: string + serviceIPs: + description: The ClusterIPs set by Kubernetes on the ActiveGate + Service created by the Operator + items: + type: string + type: array + source: + description: Source of the image (tenant-registry, public-registry, + ...) + type: string + type: + description: Image type + type: string + version: + description: Image version + type: string + type: object + codeModules: + description: Observed state of Code Modules + properties: + imageID: + description: Image ID + type: string + lastProbeTimestamp: + description: Indicates when the last check for a new version was + performed + format: date-time + type: string + source: + description: Source of the image (tenant-registry, public-registry, + ...) + type: string + type: + description: Image type + type: string + version: + description: Image version + type: string + type: object + conditions: + description: Conditions includes status about the current state of + the instance + items: + description: "Condition contains details for one aspect of the current + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. 
For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. 
+ enum: + - "True" + - "False" + - Unknown + type: string + type: + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + dynatraceApi: + description: Observed state of Dynatrace API + properties: + lastTokenScopeRequest: + description: Time of the last token request + format: date-time + type: string + type: object + kubeSystemUUID: + description: KubeSystemUUID contains the UUID of the current Kubernetes + cluster + type: string + oneAgent: + description: Observed state of OneAgent + properties: + connectionInfoStatus: + description: Information about OneAgent's connections + properties: + communicationHosts: + description: List of communication hosts + items: + properties: + host: + description: Host domain + type: string + port: + description: Connection port + format: int32 + type: integer + protocol: + description: Connection protocol + type: string + type: object + type: array + endpoints: + description: Available connection endpoints + type: string + lastRequest: + description: Time of the last connection request + format: date-time + type: string + tenantUUID: + description: UUID of the tenant, received from the tenant + type: string + type: object + healthcheck: + description: Commands used for OneAgent's readiness probe + type: object + x-kubernetes-preserve-unknown-fields: true + imageID: + description: Image ID + type: string + instances: + additionalProperties: + properties: + ipAddress: + 
description: IP address of the pod + type: string + podName: + description: Name of the OneAgent pod + type: string + type: object + description: List of deployed OneAgent instances + type: object + lastInstanceStatusUpdate: + description: Time of the last instance status update + format: date-time + type: string + lastProbeTimestamp: + description: Indicates when the last check for a new version was + performed + format: date-time + type: string + source: + description: Source of the image (tenant-registry, public-registry, + ...) + type: string + type: + description: Image type + type: string + version: + description: Image version + type: string + type: object + phase: + description: Defines the current state (Running, Updating, Error, + ...) + type: string + updatedTimestamp: + description: UpdatedTimestamp indicates when the instance was last + updated + format: date-time + type: string + type: object + type: object + served: true storage: true subresources: status: {} @@ -3719,7 +4672,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.14.0 + controller-gen.kubebuilder.io/version: v0.15.0 name: edgeconnects.dynatrace.com spec: group: dynatrace.com 
@@ -3821,10 +4774,15 @@ spec: description: The key to select. type: string name: + default: "" description: |- Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. type: string optional: description: Specify whether the ConfigMap or its key @@ -3883,10 +4841,15 @@ spec: be a valid secret key. type: string name: + default: "" description: |- Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. type: string optional: description: Specify whether the Secret or its key must @@ -3923,6 +4886,14 @@ spec: description: Indicates version of the EdgeConnect image to use type: string type: object + kubernetesAutomation: + description: KubernetesAutomation enables Kubernetes Automation for + Workflows + properties: + enabled: + description: Enables Kubernetes Automation for Workflows + type: boolean + type: object labels: additionalProperties: type: string 
@@ -4041,6 +5012,11 @@ spec: More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ type: object type: object + serviceAccountName: + default: dynatrace-edgeconnect + description: ServiceAccountName that allows EdgeConnect to access + the Kubernetes API + type: string tolerations: description: Sets tolerations for the EdgeConnect pods items: @@ -4119,11 +5095,13 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string @@ -4194,9 +5172,6 @@ spec: In this situation, new pod with the same labelSelector cannot be scheduled, because computed skew will be 3(3 - 0) if new Pod is scheduled to any of the three zones, it will violate MaxSkew. - - - This is a beta field and requires the MinDomainsInPodTopologySpread feature gate to be enabled (enabled by default). format: int32 type: integer nodeAffinityPolicy: diff --git a/charts/dynatrace/dynatrace-operator/templates/Common/csi/daemonset.yaml b/charts/dynatrace/dynatrace-operator/templates/Common/csi/daemonset.yaml index 79dc013a5..6de25c129 100644 --- a/charts/dynatrace/dynatrace-operator/templates/Common/csi/daemonset.yaml +++ b/charts/dynatrace/dynatrace-operator/templates/Common/csi/daemonset.yaml 
@@ -262,19 +262,12 @@ spec:
 {{- if .Values.csidriver.nodeSelector }}
 nodeSelector: {{- toYaml .Values.csidriver.nodeSelector | nindent 8 }}
 {{- end }}
+ {{- include "dynatrace-operator.nodeAffinity" . | nindent 6 }}
 tolerations:
 {{- if .Values.csidriver.tolerations }}
 {{- toYaml .Values.csidriver.tolerations | nindent 8 }}
 {{- end }}
- - key: kubernetes.io/arch
- value: arm64
- effect: NoSchedule
- - key: kubernetes.io/arch
- value: amd64
- effect: NoSchedule
- - key: kubernetes.io/arch
- value: ppc64le
- effect: NoSchedule
+ {{- include "dynatrace-operator.defaultTolerations" . | nindent 8 }}
 - key: ToBeDeletedByClusterAutoscaler
 operator: Exists
 effect: NoSchedule
diff --git a/charts/dynatrace/dynatrace-operator/templates/Common/operator/clusterrole-operator.yaml b/charts/dynatrace/dynatrace-operator/templates/Common/operator/clusterrole-operator.yaml
index aec1e26a1..7b42b258b 100644
--- a/charts/dynatrace/dynatrace-operator/templates/Common/operator/clusterrole-operator.yaml
+++ b/charts/dynatrace/dynatrace-operator/templates/Common/operator/clusterrole-operator.yaml
@@ -57,6 +57,14 @@ rules:
 - update
 - delete
 - list
+ - apiGroups:
+ - ""
+ resources:
+ - services
+ resourceNames:
+ - kubernetes
+ verbs:
+ - get
 - apiGroups:
 - ""
 resources:
diff --git a/charts/dynatrace/dynatrace-operator/templates/Common/operator/deployment-operator.yaml b/charts/dynatrace/dynatrace-operator/templates/Common/operator/deployment-operator.yaml
index 4b92b2c5e..3cd3c49c9 100644
--- a/charts/dynatrace/dynatrace-operator/templates/Common/operator/deployment-operator.yaml
+++ b/charts/dynatrace/dynatrace-operator/templates/Common/operator/deployment-operator.yaml
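Review bot: The `dynatrace-operator.nodeAffinity` include at `nindent 6` adds an `affinity:` key to the CSI DaemonSet pod spec while this hunk removes none, so if the template already renders `affinity:` elsewhere in the pod spec (the rest of the template is outside the hunk) the output carries a duplicate mapping key that strict YAML decoders reject. A `helm template` of the DaemonSet before merging would settle that. The helper's arch term is also a hard scheduling requirement, so the driver will no longer be placed on nodes outside amd64/arm64/ppc64le/s390x even where `csidriver.nodeSelector` would allow it; presumably intended, since the removed tolerations covered the same set, but worth a line in the change description.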
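Review bot: The new rule granting `get` on the core `services` resource named `kubernetes` carries no comment saying which operator feature reads it, and ClusterRole additions are exactly the lines a later RBAC audit will question. The `resourceNames` scoping is the right shape, so keep it rather than widening to all Services. A one-line comment above the rule such as `# read-only access to the default 'kubernetes' Service, used by <feature - fill in>` would record the justification; nothing in the hunk identifies the consumer, so the change owner should name it.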
@@ -85,23 +85,7 @@ spec:
 {{- include "dynatrace-operator.startupProbe" . | nindent 10 }}
 securityContext:
 {{- toYaml .Values.operator.securityContext | nindent 12 }}
- affinity:
- nodeAffinity:
- requiredDuringSchedulingIgnoredDuringExecution:
- nodeSelectorTerms:
- - matchExpressions:
- {{- if ne (include "dynatrace-operator.platform" .) "gke-autopilot" }}
- - key: kubernetes.io/arch
- operator: In
- values:
- - amd64
- - arm64
- - ppc64le
- {{- end }}
- - key: kubernetes.io/os
- operator: In
- values:
- - linux
+ {{- include "dynatrace-operator.nodeAffinity" . | nindent 6 }}
 volumes:
 - emptyDir: { }
 name: tmp-cert-dir
@@ -119,13 +103,5 @@ spec:
 {{- if .Values.operator.tolerations }}
 {{- toYaml .Values.operator.tolerations | nindent 8 }}
 {{- end }}
- - key: kubernetes.io/arch
- value: arm64
- effect: NoSchedule
- - key: kubernetes.io/arch
- value: amd64
- effect: NoSchedule
- - key: kubernetes.io/arch
- value: ppc64le
- effect: NoSchedule
-{{ end }}
+ {{- include "dynatrace-operator.defaultTolerations" . | nindent 8 }}
+ {{ end }}
diff --git a/charts/dynatrace/dynatrace-operator/templates/Common/webhook/deployment-webhook.yaml b/charts/dynatrace/dynatrace-operator/templates/Common/webhook/deployment-webhook.yaml
index a70c30dd7..53614cf21 100644
--- a/charts/dynatrace/dynatrace-operator/templates/Common/webhook/deployment-webhook.yaml
+++ b/charts/dynatrace/dynatrace-operator/templates/Common/webhook/deployment-webhook.yaml
@@ -67,23 +67,7 @@ spec:
 volumes:
 - emptyDir: {}
 name: certs-dir
- affinity:
- nodeAffinity:
- requiredDuringSchedulingIgnoredDuringExecution:
- nodeSelectorTerms:
- - matchExpressions:
- {{- if ne (include "dynatrace-operator.platform" .) "gke-autopilot"}}
- - key: kubernetes.io/arch
- operator: In
- values:
- - amd64
- - arm64
- - ppc64le
- {{- end }}
- - key: kubernetes.io/os
- operator: In
- values:
- - linux
+ {{- include "dynatrace-operator.nodeAffinity" . | nindent 6 }}
 containers:
 - name: webhook
 args:
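Review bot: The replaced block applied the `kubernetes.io/arch` requirement only when the platform was not `gke-autopilot`, but the `dynatrace-operator.nodeAffinity` helper this hunk now includes (defined in the `_platform.tpl` hunk further down this page) has no such guard, so the arch term is applied unconditionally. `platformRequired` still accepts `gke-autopilot` and values.yaml only marks it deprecated, so a user who sets `platform: gke-autopilot` now gets a scheduling constraint the previous chart deliberately omitted there. Either wrap the arch expression inside the helper with the same `{{- if ne (include "dynatrace-operator.platform" .) "gke-autopilot" }}` guard, or state in the helper's comment that dropping it is intentional. The same applies to the webhook Deployment hunk on this line.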
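Review bot: In the second hunk the closing `{{ end }}` is now indented but not whitespace-trimmed, so the rendered Deployment ends with a line holding two spaces; harmless to YAML, but it departs from the `{{-` left-trim style every other action in this block uses. Use `{{- end }}` here and in the matching hunk of the webhook Deployment on the next line. The `{{- include "dynatrace-operator.defaultTolerations" . | nindent 8 }}` line is fine as written, since `nindent` restores the newline the trim removes.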
@@ -147,13 +131,5 @@ spec:
 {{- if .Values.webhook.tolerations }}
 {{- toYaml .Values.webhook.tolerations | nindent 8 }}
 {{- end }}
- - key: kubernetes.io/arch
- value: arm64
- effect: NoSchedule
- - key: kubernetes.io/arch
- value: amd64
- effect: NoSchedule
- - key: kubernetes.io/arch
- value: ppc64le
- effect: NoSchedule
-{{ end }}
+ {{- include "dynatrace-operator.defaultTolerations" . | nindent 8 }}
+ {{ end }}
diff --git a/charts/dynatrace/dynatrace-operator/templates/Common/webhook/validatingwebhookconfiguration.yaml b/charts/dynatrace/dynatrace-operator/templates/Common/webhook/validatingwebhookconfiguration.yaml
index 06cd0597c..ba2216f1b 100644
--- a/charts/dynatrace/dynatrace-operator/templates/Common/webhook/validatingwebhookconfiguration.yaml
+++ b/charts/dynatrace/dynatrace-operator/templates/Common/webhook/validatingwebhookconfiguration.yaml
@@ -36,7 +36,7 @@ webhooks:
 apiGroups:
 - dynatrace.com
 apiVersions:
- - v1beta1
+ - v1beta2
 resources:
 - dynakubes
 name: webhook.dynatrace.com
diff --git a/charts/dynatrace/dynatrace-operator/templates/_helpers.tpl b/charts/dynatrace/dynatrace-operator/templates/_helpers.tpl
index ad40fde3d..3fdecabc9 100644
--- a/charts/dynatrace/dynatrace-operator/templates/_helpers.tpl
+++ b/charts/dynatrace/dynatrace-operator/templates/_helpers.tpl
@@ -59,5 +59,4 @@ startupProbe:
 periodSeconds: 10
 timeoutSeconds: 5
 failureThreshold: 1
-{{- println }}
 {{- end -}}
diff --git a/charts/dynatrace/dynatrace-operator/templates/_platform.tpl b/charts/dynatrace/dynatrace-operator/templates/_platform.tpl
index 0958774cd..c60834e70 100644
--- a/charts/dynatrace/dynatrace-operator/templates/_platform.tpl
+++ b/charts/dynatrace/dynatrace-operator/templates/_platform.tpl
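Review bot: In the validatingwebhookconfiguration hunk the webhook now lists only `v1beta2` for `dynakubes`, so whether writes submitted as `v1beta1` are still validated depends on the configuration's `matchPolicy`: with the `admissionregistration.k8s.io/v1` default of `Equivalent` the API server converts the request and the webhook still fires, but with `Exact` a v1beta1 write bypasses validation entirely. `matchPolicy` is outside this hunk, so confirm it is not set to `Exact`, or list both `- v1beta1` and `- v1beta2` explicitly so validation coverage does not rest on a default while the older version is still served (whether it still is cannot be seen from this hunk).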
@@ -20,8 +20,6 @@ Auto-detect the platform (if not set), according to the available APIVersions
 {{- printf .Values.platform -}}
 {{- else if .Capabilities.APIVersions.Has "security.openshift.io/v1" }}
 {{- printf "openshift" -}}
- {{- else if .Capabilities.APIVersions.Has "auto.gke.io/v1" }}
- {{- printf "gke-autopilot" -}}
 {{- else }}
 {{- printf "kubernetes" -}}
 {{- end -}}
@@ -52,3 +50,37 @@ Enforces that platform is set to a valid one
 {{- define "dynatrace-operator.platformRequired" -}}
 {{- $platformIsSet := printf "%s" (required "Platform needs to be set to kubernetes, openshift, google-marketplace, or gke-autopilot" (include "dynatrace-operator.platformIsValid" .))}}
 {{- end -}}
+
+{{- define "dynatrace-operator.nodeAffinity" -}}
+affinity:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: kubernetes.io/arch
+ operator: In
+ values:
+ - amd64
+ - arm64
+ - ppc64le
+ - s390x
+ - key: kubernetes.io/os
+ operator: In
+ values:
+ - linux
+{{- end -}}
+
+{{- define "dynatrace-operator.defaultTolerations" -}}
+- key: kubernetes.io/arch
+ value: arm64
+ effect: NoSchedule
+- key: kubernetes.io/arch
+ value: amd64
+ effect: NoSchedule
+- key: kubernetes.io/arch
+ value: ppc64le
+ effect: NoSchedule
+- key: kubernetes.io/arch
+ value: s390x
+ effect: NoSchedule
+{{- end -}}
diff --git a/charts/dynatrace/dynatrace-operator/values.yaml b/charts/dynatrace/dynatrace-operator/values.yaml
index 2619f7f63..2f9533543 100644
--- a/charts/dynatrace/dynatrace-operator/values.yaml
+++ b/charts/dynatrace/dynatrace-operator/values.yaml
@@ -12,7 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
-# may be set to "kubernetes", "openshift", or "gke-autopilot"
+# may be set to "kubernetes", "openshift", "gke-autopilot" (deprecated)
 platform: ""
 #image qualifier; OBSOLETE -> use imageref instead!
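Review bot: The two helpers added in the second `_platform.tpl` hunk lack the `{{/* ... */}}` description block that precedes the file's other definitions (the hunk headers show `Auto-detect the platform (if not set)...` and `Enforces that platform is set to a valid one`), and the supported-architecture list is now written out twice, once in `nodeAffinity` and once in `defaultTolerations`, so the next addition like the `s390x` one here has to be made in two places that can drift. A comment before each, e.g. `{{/* Required node affinity (arch + linux) included by the operator, webhook and CSI driver pod specs */}}` and `{{/* Arch taints tolerated by default; keep in sync with nodeAffinity */}}`, would document the contract. Defining the architecture list once and having both helpers consume it would remove the duplication.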
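Review bot: In the values.yaml hunk the updated comment lists `kubernetes`, `openshift` and `gke-autopilot` (deprecated), but the `platformRequired` helper visible in the `_platform.tpl` hunk above also accepts `google-marketplace`, so the comment still under-documents the accepted values. Suggest `# may be set to "kubernetes", "openshift", "google-marketplace", or "gke-autopilot" (deprecated, no longer auto-detected)`, the last clause reflecting the auto-detection branch the first `_platform.tpl` hunk removes.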
@@ -156,9 +156,6 @@ csidriver:
 requests:
 cpu: 300m
 memory: 100Mi
- limits:
- cpu: 300m
- memory: 100Mi
 registrar:
 securityContext:
 runAsUser: 0
diff --git a/charts/f5/nginx-ingress/Chart.yaml b/charts/f5/nginx-ingress/Chart.yaml
index 58f716cd3..c1c2247d2 100644
--- a/charts/f5/nginx-ingress/Chart.yaml
+++ b/charts/f5/nginx-ingress/Chart.yaml
@@ -4,10 +4,10 @@ annotations:
 catalog.cattle.io/kube-version: '>= 1.23.0-0'
 catalog.cattle.io/release-name: nginx-ingress
 apiVersion: v2
-appVersion: 3.5.2
+appVersion: 3.6.0
 description: NGINX Ingress Controller
 home: https://github.com/nginxinc/kubernetes-ingress
-icon: https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.5.2/charts/nginx-ingress/chart-icon.png
+icon: https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.6.0/charts/nginx-ingress/chart-icon.png
 keywords:
 - ingress
 - nginx
@@ -17,6 +17,6 @@ maintainers:
 name: nginxinc
 name: nginx-ingress
 sources:
-- https://github.com/nginxinc/kubernetes-ingress/tree/v3.5.2/charts/nginx-ingress
+- https://github.com/nginxinc/kubernetes-ingress/tree/v3.6.0/charts/nginx-ingress
 type: application
-version: 1.2.2
+version: 1.3.0
diff --git a/charts/f5/nginx-ingress/README.md b/charts/f5/nginx-ingress/README.md
index df8acd899..36ecbbdd5 100644
--- a/charts/f5/nginx-ingress/README.md
+++ b/charts/f5/nginx-ingress/README.md
@@ -2,7 +2,7 @@
 ## Introduction
-This chart deploys the NGINX Ingress Controller in your Kubernetes cluster.
+This chart deploys NGINX Ingress Controller in your Kubernetes cluster.
 ## Prerequisites
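Review bot: Dropping `limits` leaves this csidriver container (its key is above the hunk) with requests only, which removes the memory ceiling on a per-node DaemonSet and means the pod can no longer be in the Guaranteed QoS class; a memory leak in the driver would then compete with workloads on every node rather than being contained by an OOM kill. If the goal is to stop CPU throttling, keep the memory bound and drop only the CPU line, e.g. `limits:` / `memory: 100Mi`; otherwise a comment above `requests:` such as `# limits intentionally unset: <reason>` would record the decision for the next reader.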
@@ -51,10 +51,10 @@ kubectl apply -f crds/ Alternatively, CRDs can be upgraded without pulling the chart by running: ```console -kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.5.2/deploy/crds.yaml +kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.6.0/deploy/crds.yaml ``` -In the above command, `v3.5.2` represents the version of NGINX Ingress Controller release rather than the Helm chart version. +In the above command, `v3.6.0` represents the version of NGINX Ingress Controller release rather than the Helm chart version. > **Note** > @@ -87,14 +87,14 @@ To install the chart with the release name my-release (my-release is the name th For NGINX: ```console -helm install my-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version 1.2.2 +helm install my-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version 1.3.0 ``` For NGINX Plus: (assuming you have pushed the Ingress Controller image `nginx-plus-ingress` to your private registry `myregistry.example.com`) ```console -helm install my-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version 1.2.2 --set controller.image.repository=myregistry.example.com/nginx-plus-ingress --set controller.nginxplus=true +helm install my-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version 1.3.0 --set controller.image.repository=myregistry.example.com/nginx-plus-ingress --set controller.nginxplus=true ``` This will install the latest `edge` version of the Ingress Controller from GitHub Container Registry. If you prefer to @@ -109,7 +109,7 @@ CRDs](#upgrading-the-crds). To upgrade the release `my-release`: ```console -helm upgrade my-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version 1.2.2 +helm upgrade my-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version 1.3.0 ``` ### Uninstalling the Chart 
@@ -150,7 +150,7 @@ upgrading/deleting the CRDs. 1. Pull the chart sources: ```console - helm pull oci://ghcr.io/nginxinc/charts/nginx-ingress --untar --version 1.2.2 + helm pull oci://ghcr.io/nginxinc/charts/nginx-ingress --untar --version 1.3.0 ``` 2. Change your working directory to nginx-ingress: @@ -236,7 +236,7 @@ The steps you should follow depend on the Helm release name: Selector: app=nginx-ingress-nginx-ingress ``` -2. Checkout the latest available tag using `git checkout v3.5.2` +2. Checkout the latest available tag using `git checkout v3.6.0` 3. Navigate to `/kubernates-ingress/charts/nginx-ingress` @@ -288,7 +288,7 @@ reviewing its events: Selector: app=-nginx-ingress ``` -2. Checkout the latest available tag using `git checkout v3.5.2` +2. Checkout the latest available tag using `git checkout v3.6.0` 3. Navigate to `/kubernates-ingress/charts/nginx-ingress` @@ -355,7 +355,7 @@ The following tables lists the configurable parameters of the NGINX Ingress Cont |`controller.logLevel` | The log level of the Ingress Controller. | 1 | |`controller.image.digest` | The image digest of the Ingress Controller. | None | |`controller.image.repository` | The image repository of the Ingress Controller. | nginx/nginx-ingress | -|`controller.image.tag` | The tag of the Ingress Controller image. | 3.5.2 | +|`controller.image.tag` | The tag of the Ingress Controller image. | 3.6.0 | |`controller.image.pullPolicy` | The pull policy for the Ingress Controller image. | IfNotPresent | |`controller.lifecycle` | The lifecycle of the Ingress Controller pods. | {} | |`controller.customConfigMap` | The name of the custom ConfigMap used by the Ingress Controller. If set, then the default config is ignored. | "" | 
@@ -386,7 +386,7 @@ The following tables lists the configurable parameters of the NGINX Ingress Cont |`controller.initContainerResources` | The resources of the init container which is used when `readOnlyRootFilesystem` is enabled by either setting `controller.securityContext.readOnlyRootFilesystem` or `controller.readOnlyRootFilesystem`to `true`. | requests: cpu=100m,memory=128Mi | |`controller.replicaCount` | The number of replicas of the Ingress Controller deployment. | 1 | |`controller.ingressClass.name` | A class of the Ingress Controller. An IngressClass resource with the name equal to the class must be deployed. Otherwise, the Ingress Controller will fail to start. The Ingress Controller only processes resources that belong to its class - i.e. have the "ingressClassName" field resource equal to the class. The Ingress Controller processes all the VirtualServer/VirtualServerRoute/TransportServer resources that do not have the "ingressClassName" field for all versions of Kubernetes. | nginx | -|`controller.ingressClass.create` | Creates a new IngressClass object with the name `controller.ingressClass.name`. Set to `false` to use an existing ingressClass created using `kubectl` with the same name. If you use `helm upgrade`, do not change the values from the previous release as helm will delete IngressClass objects managed by helm. If you are upgrading from a release earlier than 3.5.2, do not set the value to false. | true | +|`controller.ingressClass.create` | Creates a new IngressClass object with the name `controller.ingressClass.name`. Set to `false` to use an existing ingressClass created using `kubectl` with the same name. If you use `helm upgrade`, do not change the values from the previous release as helm will delete IngressClass objects managed by helm. If you are upgrading from a release earlier than 3.6.0, do not set the value to false. 
| true | |`controller.ingressClass.setAsDefaultIngress` | New Ingresses without an `"ingressClassName"` field specified will be assigned the class specified in `controller.ingressClass.name`. Requires `controller.ingressClass.create`. | false | |`controller.watchNamespace` | Comma separated list of namespaces the Ingress Controller should watch for resources. By default the Ingress Controller watches all namespaces. Mutually exclusive with `controller.watchNamespaceLabel`. Please note that if configuring multiple namespaces using the Helm cli `--set` option, the string needs to wrapped in double quotes and the commas escaped using a backslash - e.g. `--set controller.watchNamespace="default\,nginx-ingress"`. | "" | |`controller.watchNamespaceLabel` | Configures the Ingress Controller to watch only those namespaces with label foo=bar. By default the Ingress Controller watches all namespaces. Mutually exclusive with `controller.watchNamespace`. | "" | 
@@ -443,6 +443,20 @@ The following tables lists the configurable parameters of the NGINX Ingress Cont |`controller.pod.annotations` | The annotations of the Ingress Controller pod. | {} | |`controller.pod.extraLabels` | The additional extra labels of the Ingress Controller pod. | {} | |`controller.appprotect.enable` | Enables the App Protect WAF module in the Ingress Controller. | false | +|`controller.appprotect.v5` | Enables App Protect WAF v5. | false | +|`controller.appprotect.volumes` | Volumes for App Protect WAF v5. | [{"name": "app-protect-bd-config", "emptyDir": {}},{"name": "app-protect-config", "emptyDir": {}},{"name": "app-protect-bundles", "emptyDir": {}}] | +|`controller.appprotect.enforcer.host` | Host that the App Protect WAF v5 Enforcer runs on. | "127.0.0.1" | +|`controller.appprotect.enforcer.port` | Port that the App Protect WAF v5 Enforcer runs on. | 50000 | +|`controller.appprotect.enforcer.image` | The image repository of the App Protect WAF v5 Enforcer. | private-registry.nginx.com/nap/waf-enforcer | +|`controller.appprotect.enforcer.tag` | The tag of the App Protect WAF v5 Enforcer. | "5.2.0" | +|`controller.appprotect.enforcer.digest` | The digest of the App Protect WAF v5 Enforcer. Takes precedence over tag if set. | "5.2.0" | +|`controller.appprotect.enforcer.pullPolicy` | The pull policy for the App Protect WAF v5 Enforcer image. | "5.2.0" | +|`controller.appprotect.enforcer.securityContext` | The security context for App Protect WAF v5 Enforcer container. | {} | +|`controller.appprotect.configManager.image` | The image repository of the App Protect WAF v5 Configuration Manager. | private-registry.nginx.com/nap/waf-config-mgr | +|`controller.appprotect.configManager.tag` | The tag of the App Protect WAF v5 Configuration Manager. | "5.2.0" | +|`controller.appprotect.configManager.digest` | The digest of the App Protect WAF v5 Configuration Manager. Takes precedence over tag if set. 
| "5.2.0" | +|`controller.appprotect.configManager.pullPolicy` | The pull policy for the App Protect WAF v5 Configuration Manager image. | "5.2.0" | +|`controller.appprotect.configManager.securityContext` | The security context for App Protect WAF v5 Configuration Manager container. | {"allowPrivilegeEscalation":false,"runAsUser":101,"runAsNonRoot":true,"capabilities":{"drop":["all"]}} | |`controller.appprotectdos.enable` | Enables the App Protect DoS module in the Ingress Controller. | false | |`controller.appprotectdos.debug` | Enable debugging for App Protect DoS. | false | |`controller.appprotectdos.maxDaemons` | Max number of ADMD instances. | 1 | @@ -473,6 +487,7 @@ The following tables lists the configurable parameters of the NGINX Ingress Cont |`controller.telemetryReporting.enable` | Enable telemetry reporting. | true | |`controller.enableWeightChangesDynamicReload` | Enable weight changes without reloading the NGINX configuration. May require increasing `map_hash_bucket_size`, `map_hash_max_size`, `variable_hash_bucket_size`, and `variable_hash_max_size` in the [ConfigMap](https://docs.nginx.com/nginx-ingress-controller/configuration/global-configuration/configmap-resource/) if there are many two-way splits. Requires `controller.nginxplus` | false | |`rbac.create` | Configures RBAC. | true | +|`rbac.clusterrole.create` | Configures creation of ClusterRole. Creation can be disabled when more fine-grained control over RBAC is required. For example when controller.watchNamespace is used. | true | |`prometheus.create` | Expose NGINX or NGINX Plus metrics in the Prometheus format. | true | |`prometheus.port` | Configures the port to scrape the metrics. | 9113 | |`prometheus.scheme` | Configures the HTTP scheme to use for connections to the Prometheus endpoint. | http | diff --git a/charts/f5/nginx-ingress/crds/appprotect.f5.com_aplogconfs.yaml b/charts/f5/nginx-ingress/crds/appprotect.f5.com_aplogconfs.yaml index 53b7fb40d..8aacce99c 100644 
--- a/charts/f5/nginx-ingress/crds/appprotect.f5.com_aplogconfs.yaml +++ b/charts/f5/nginx-ingress/crds/appprotect.f5.com_aplogconfs.yaml @@ -2,8 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.10.0 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.13.0 name: aplogconfs.appprotect.f5.com spec: group: appprotect.f5.com 
@@ -15,66 +14,70 @@ spec: preserveUnknownFields: false scope: Namespaced versions: - - name: v1beta1 - schema: - openAPIV3Schema: - description: APLogConf is the Schema for the APLogConfs API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: APLogConfSpec defines the desired state of APLogConf - properties: - content: - properties: - escaping_characters: - items: - properties: - from: - type: string - to: - type: string - type: object - type: array - format: - enum: - - splunk - - arcsight - - default - - user-defined - - grpc - type: string - format_string: - type: string - list_delimiter: - type: string - list_prefix: - type: string - list_suffix: - type: string - max_message_size: - pattern: ^([1-9]|[1-5][0-9]|6[0-4])k$ - type: string - max_request_size: - pattern: ^([1-9]|[1-9][0-9]|[1-9][0-9]{2}|1[0-9]{3}|20[1-3][0-9]|204[1-8]|any)$ - type: string - type: object - filter: - properties: - request_type: - enum: - - all - - illegal - - blocked - type: string - type: object - type: object - type: object - served: true - storage: true + - name: v1beta1 + schema: + openAPIV3Schema: + description: APLogConf is the Schema for the APLogConfs API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. 
Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: APLogConfSpec defines the desired state of APLogConf + properties: + content: + properties: + escaping_characters: + items: + properties: + from: + type: string + to: + type: string + type: object + type: array + format: + enum: + - splunk + - arcsight + - default + - user-defined + - grpc + type: string + format_string: + type: string + list_delimiter: + type: string + list_prefix: + type: string + list_suffix: + type: string + max_message_size: + pattern: ^([1-9]|[1-5][0-9]|6[0-4])k$ + type: string + max_request_size: + pattern: ^([1-9]|[1-9][0-9]|[1-9][0-9]{2}|[1-9][0-9]{3}|10[0-2][0-9][0-9]|[1-9]k|10k|any)$ + type: string + type: object + filter: + properties: + request_type: + enum: + - all + - illegal + - blocked + type: string + type: object + type: object + type: object + served: true + storage: true diff --git a/charts/f5/nginx-ingress/crds/appprotect.f5.com_appolicies.yaml b/charts/f5/nginx-ingress/crds/appprotect.f5.com_appolicies.yaml index 0ca4649ce..4929c9624 100644 --- a/charts/f5/nginx-ingress/crds/appprotect.f5.com_appolicies.yaml +++ b/charts/f5/nginx-ingress/crds/appprotect.f5.com_appolicies.yaml 
@@ -2,8 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.10.0 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.13.0 name: appolicies.appprotect.f5.com spec: group: appprotect.f5.com 
@@ -15,1515 +14,1192 @@ spec: preserveUnknownFields: false scope: Namespaced versions: - - name: v1beta1 - schema: - openAPIV3Schema: - description: APPolicyConfig is the Schema for the APPolicyconfigs API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: APPolicySpec defines the desired state of APPolicy - properties: - modifications: - items: - properties: - action: - type: string - description: - type: string - entity: - properties: - name: - type: string - type: object - entityChanges: - properties: - type: - type: string - type: object - type: object - x-kubernetes-preserve-unknown-fields: true - type: array - modificationsReference: + - name: v1beta1 + schema: + openAPIV3Schema: + description: APPolicyConfig is the Schema for the APPolicyconfigs API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. 
In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: APPolicySpec defines the desired state of APPolicy + properties: + modifications: + items: properties: - link: - pattern: ^http + action: type: string - type: object - policy: - description: Defines the App Protect policy - properties: - applicationLanguage: - enum: - - iso-8859-10 - - iso-8859-6 - - windows-1255 - - auto-detect - - koi8-r - - gb18030 - - iso-8859-8 - - windows-1250 - - iso-8859-9 - - windows-1252 - - iso-8859-16 - - gb2312 - - iso-8859-2 - - iso-8859-5 - - windows-1257 - - windows-1256 - - iso-8859-13 - - windows-874 - - windows-1253 - - iso-8859-3 - - euc-jp - - utf-8 - - gbk - - windows-1251 - - big5 - - iso-8859-1 - - shift_jis - - euc-kr - - iso-8859-4 - - iso-8859-7 - - iso-8859-15 - type: string - blocking-settings: - properties: - evasions: - items: - properties: - description: - enum: - - '%u decoding' - - Apache whitespace - - Bad unescape - - Bare byte decoding - - Directory traversals - - IIS backslashes - - IIS Unicode codepoints - - Multiple decoding - - Multiple slashes - - Semicolon path parameters - - Trailing dot - - Trailing slash - type: string - enabled: - type: boolean - maxDecodingPasses: - type: integer - type: object - type: array - http-protocols: - items: - properties: - description: - enum: - - Unescaped space in URL - - Unparsable request content - - Several Content-Length headers - - 'POST request with Content-Length: 0' - - Null in request - - No Host header in HTTP/1.1 request - - Multiple host headers - - Host header contains IP address - - High ASCII characters in headers - - Header name with no header value - - CRLF characters before request start - - Content length should be a positive number - - Chunked request with Content-Length header - - Check maximum number of cookies - - Check maximum number of parameters - - Check maximum 
number of headers - - Body in GET or HEAD requests - - Bad multipart/form-data request parsing - - Bad multipart parameters parsing - - Bad HTTP version - - Bad host header value - type: string - enabled: - type: boolean - maxCookies: - maximum: 100 - minimum: 1 - type: integer - maxHeaders: - maximum: 150 - minimum: 1 - type: integer - maxParams: - maximum: 5000 - minimum: 1 - type: integer - type: object - type: array - violations: - items: - properties: - alarm: - type: boolean - block: - type: boolean - description: - type: string - name: - enum: - - "VIOL_ACCESS_INVALID" - - "VIOL_ACCESS_MALFORMED" - - "VIOL_ACCESS_MISSING" - - "VIOL_ASM_COOKIE_HIJACKING" - - "VIOL_ASM_COOKIE_MODIFIED" - - "VIOL_BLACKLISTED_IP" - - "VIOL_COOKIE_EXPIRED" - - "VIOL_COOKIE_LENGTH" - - "VIOL_COOKIE_MALFORMED" - - "VIOL_COOKIE_MODIFIED" - - "VIOL_CSRF" - - "VIOL_DATA_GUARD" - - "VIOL_ENCODING" - - "VIOL_EVASION" - - "VIOL_FILETYPE" - - "VIOL_FILE_UPLOAD" - - "VIOL_FILE_UPLOAD_IN_BODY" - - "VIOL_GRAPHQL_ERROR_RESPONSE" - - "VIOL_GRAPHQL_FORMAT" - - "VIOL_GRAPHQL_INTROSPECTION_QUERY" - - "VIOL_GRAPHQL_MALFORMED" - - "VIOL_GRPC_FORMAT" - - "VIOL_GRPC_MALFORMED" - - "VIOL_GRPC_METHOD" - - "VIOL_HEADER_LENGTH" - - "VIOL_HEADER_METACHAR" - - "VIOL_HEADER_REPEATED" - - "VIOL_HTTP_PROTOCOL" - - "VIOL_HTTP_RESPONSE_STATUS" - - "VIOL_JSON_FORMAT" - - "VIOL_JSON_MALFORMED" - - "VIOL_JSON_SCHEMA" - - "VIOL_MANDATORY_HEADER" - - "VIOL_MANDATORY_PARAMETER" - - "VIOL_MANDATORY_REQUEST_BODY" - - "VIOL_METHOD" - - "VIOL_PARAMETER" - - "VIOL_PARAMETER_ARRAY_VALUE" - - "VIOL_PARAMETER_DATA_TYPE" - - "VIOL_PARAMETER_EMPTY_VALUE" - - "VIOL_PARAMETER_LOCATION" - - "VIOL_PARAMETER_MULTIPART_NULL_VALUE" - - "VIOL_PARAMETER_NAME_METACHAR" - - "VIOL_PARAMETER_NUMERIC_VALUE" - - "VIOL_PARAMETER_REPEATED" - - "VIOL_PARAMETER_STATIC_VALUE" - - "VIOL_PARAMETER_VALUE_BASE64" - - "VIOL_PARAMETER_VALUE_LENGTH" - - "VIOL_PARAMETER_VALUE_METACHAR" - - "VIOL_PARAMETER_VALUE_REGEXP" - - "VIOL_POST_DATA_LENGTH" - - 
"VIOL_QUERY_STRING_LENGTH" - - "VIOL_RATING_NEED_EXAMINATION" - - "VIOL_RATING_THREAT" - - "VIOL_REQUEST_LENGTH" - - "VIOL_REQUEST_MAX_LENGTH" - - "VIOL_THREAT_CAMPAIGN" - - "VIOL_URL" - - "VIOL_URL_CONTENT_TYPE" - - "VIOL_URL_LENGTH" - - "VIOL_URL_METACHAR" - - "VIOL_XML_FORMAT" - - "VIOL_XML_MALFORMED" - type: string - type: object - type: array - type: object - blockingSettingReference: - properties: - link: - pattern: ^http - type: string - type: object - bot-defense: - properties: - mitigations: - properties: - anomalies: - items: - properties: - $action: - enum: - - delete - type: string - action: - enum: - - alarm - - block - - default - - detect - - ignore - type: string - name: - type: string - scoreThreshold: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - type: object - type: array - browsers: - items: - properties: - $action: - enum: - - delete - type: string - action: - enum: - - alarm - - block - - detect - type: string - maxVersion: - maximum: 2147483647 - minimum: 0 - type: integer - minVersion: - maximum: 2147483647 - minimum: 0 - type: integer - name: - type: string - type: object - type: array - classes: - items: - properties: - action: - enum: - - alarm - - block - - detect - - ignore - type: string - name: - enum: - - browser - - malicious-bot - - suspicious-browser - - trusted-bot - - unknown - - untrusted-bot - type: string - type: object - type: array - signatures: - items: - properties: - $action: - enum: - - delete - type: string - action: - enum: - - alarm - - block - - detect - - ignore - type: string - name: - type: string - type: object - type: array - type: object - settings: - properties: - caseSensitiveHttpHeaders: - type: boolean - isEnabled: - type: boolean - type: object - type: object - browser-definitions: - items: - properties: - $action: - enum: - - delete - type: string - isUserDefined: - type: boolean - matchRegex: - type: string - matchString: - type: string - name: - type: string - type: 
object - type: array - caseInsensitive: - type: boolean - character-sets: - items: - properties: - characterSet: - items: - properties: - isAllowed: - type: boolean - metachar: - type: string - type: object - type: array - characterSetType: - enum: - - gwt-content - - header - - json-content - - parameter-name - - parameter-value - - plain-text-content - - url - - xml-content - type: string - type: object - type: array - characterSetReference: - properties: - link: - pattern: ^http - type: string - type: object - cookie-settings: - properties: - maximumCookieHeaderLength: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - type: object - cookieReference: - properties: - link: - pattern: ^http - type: string - type: object - cookieSettingsReference: - properties: - link: - pattern: ^http - type: string - type: object - cookies: - items: - properties: - $action: - enum: - - delete - type: string - accessibleOnlyThroughTheHttpProtocol: - type: boolean - attackSignaturesCheck: - type: boolean - decodeValueAsBase64: - enum: - - enabled - - disabled - - required - type: string - enforcementType: - type: string - insertSameSiteAttribute: - enum: - - lax - - none - - none-value - - strict - type: string - maskValueInLogs: - type: boolean - name: - type: string - securedOverHttpsConnection: - type: boolean - signatureOverrides: - items: - properties: - enabled: - type: boolean - name: - type: string - signatureId: - type: integer - tag: - type: string - type: object - type: array - type: - enum: - - explicit - - wildcard - type: string - wildcardOrder: - type: integer - type: object - type: array - csrf-protection: - properties: - enabled: - type: boolean - expirationTimeInSeconds: - pattern: disabled|\d+ - type: string - sslOnly: - type: boolean - type: object - csrf-urls: - items: - properties: - $action: - enum: - - delete - type: string - enforcementAction: - enum: - - verify-origin - - none - type: string - method: - enum: - - GET - - POST 
- - any - type: string - url: - type: string - wildcardOrder: - type: integer - type: object - type: array - data-guard: - properties: - creditCardNumbers: - type: boolean - enabled: - type: boolean - enforcementMode: - enum: - - ignore-urls-in-list - - enforce-urls-in-list - type: string - enforcementUrls: - items: - type: string - type: array - lastCcnDigitsToExpose: - type: integer - lastSsnDigitsToExpose: - type: integer - maskData: - type: boolean - usSocialSecurityNumbers: - type: boolean - type: object - dataGuardReference: - properties: - link: - pattern: ^http - type: string - type: object description: type: string - enablePassiveMode: - type: boolean - enforcementMode: - enum: - - transparent - - blocking - type: string - enforcer-settings: - properties: - enforcerStateCookies: - properties: - httpOnlyAttribute: - type: boolean - sameSiteAttribute: - enum: - - lax - - none - - none-value - - strict - type: string - secureAttribute: - enum: - - always - - never - type: string - type: object - type: object - filetypeReference: - properties: - link: - pattern: ^http - type: string - type: object - filetypes: - items: - properties: - $action: - enum: - - delete - type: string - allowed: - type: boolean - checkPostDataLength: - type: boolean - checkQueryStringLength: - type: boolean - checkRequestLength: - type: boolean - checkUrlLength: - type: boolean - name: - type: string - postDataLength: - type: integer - queryStringLength: - type: integer - requestLength: - type: integer - responseCheck: - type: boolean - type: - enum: - - explicit - - wildcard - type: string - urlLength: - type: integer - wildcardOrder: - type: integer - type: object - type: array - fullPath: - type: string - general: - properties: - allowedResponseCodes: - items: - format: int32 - maximum: 999 - minimum: 100 - type: integer - type: array - customXffHeaders: - items: - type: string - type: array - maskCreditCardNumbersInRequest: - type: boolean - trustXff: - type: boolean - type: 
object - generalReference: - properties: - link: - pattern: ^http - type: string - type: object - grpc-profiles: - items: - properties: - $action: - enum: - - delete - type: string - associateUrls: - type: boolean - attackSignaturesCheck: - type: boolean - metacharCheck: - type: boolean - decodeStringValuesAsBase64: - enum: - - disabled - - enabled - type: string - defenseAttributes: - properties: - allowUnknownFields: - type: boolean - maximumDataLength: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - type: object - description: - type: string - hasIdlFiles: - type: boolean - idlFiles: - items: - properties: - idlFile: - properties: - contents: - type: string - fileName: - type: string - isBase64: - type: boolean - type: object - importUrl: - type: string - isPrimary: - type: boolean - primaryIdlFileName: - type: string - type: object - type: array - metacharElementCheck: - type: boolean - name: - type: string - signatureOverrides: - items: - properties: - enabled: - type: boolean - name: - type: string - signatureId: - type: integer - tag: - type: string - type: object - type: array - type: object - type: array - header-settings: - properties: - maximumHttpHeaderLength: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - type: object - headerReference: - properties: - link: - pattern: ^http - type: string - type: object - headerSettingsReference: - properties: - link: - pattern: ^http - type: string - type: object - headers: - items: - properties: - $action: - enum: - - delete - type: string - allowRepeatedOccurrences: - type: boolean - base64Decoding: - type: boolean - checkSignatures: - type: boolean - decodeValueAsBase64: - enum: - - enabled - - disabled - - required - type: string - htmlNormalization: - type: boolean - mandatory: - type: boolean - maskValueInLogs: - type: boolean - name: - type: string - normalizationViolations: - type: boolean - percentDecoding: - type: boolean - 
signatureOverrides: - items: - properties: - enabled: - type: boolean - name: - type: string - signatureId: - type: integer - tag: - type: string - type: object - type: array - type: - enum: - - explicit - - wildcard - type: string - urlNormalization: - type: boolean - wildcardOrder: - type: integer - type: object - type: array - host-names: - items: - properties: - $action: - enum: - - delete - type: string - includeSubdomains: - type: boolean - name: - type: string - type: object - type: array - idl-files: - items: - properties: - contents: - type: string - fileName: - type: string - isBase64: - type: boolean - type: object - type: array - json-profiles: - items: - properties: - $action: - enum: - - delete - type: string - attackSignaturesCheck: - type: boolean - defenseAttributes: - properties: - maximumArrayLength: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - maximumStructureDepth: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - maximumTotalLengthOfJSONData: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - maximumValueLength: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - tolerateJSONParsingWarnings: - type: boolean - type: object - description: - type: string - handleJsonValuesAsParameters: - type: boolean - hasValidationFiles: - type: boolean - metacharOverrides: - items: - properties: - isAllowed: - type: boolean - metachar: - type: string - type: object - type: array - name: - type: string - signatureOverrides: - items: - properties: - enabled: - type: boolean - name: - type: string - signatureId: - type: integer - tag: - type: string - type: object - type: array - validationFiles: - items: - properties: - importUrl: - type: string - isPrimary: - type: boolean - jsonValidationFile: - properties: - $action: - enum: - - delete - type: string - contents: - type: string - fileName: - type: string - isBase64: - type: boolean - 
type: object - type: object - type: array - type: object - type: array - json-validation-files: - items: - properties: - $action: - enum: - - delete - type: string - contents: - type: string - fileName: - type: string - isBase64: - type: boolean - type: object - type: array - jsonProfileReference: - properties: - link: - pattern: ^http - type: string - type: object - jsonValidationFileReference: - properties: - link: - pattern: ^http - type: string - type: object - methodReference: - properties: - link: - pattern: ^http - type: string - type: object - methods: - items: - properties: - $action: - enum: - - delete - type: string - name: - type: string - type: object - type: array - name: - type: string - open-api-files: - items: - properties: - link: - pattern: ^http - type: string - type: object - type: array - parameterReference: - properties: - link: - pattern: ^http - type: string - type: object - parameters: - items: - properties: - $action: - enum: - - delete - type: string - allowEmptyValue: - type: boolean - allowRepeatedParameterName: - type: boolean - arraySerializationFormat: - enum: - - csv - - form - - label - - matrix - - multi - - multipart - - pipe - - ssv - - tsv - type: string - attackSignaturesCheck: - type: boolean - checkMaxValue: - type: boolean - checkMaxValueLength: - type: boolean - checkMetachars: - type: boolean - checkMinValue: - type: boolean - checkMinValueLength: - type: boolean - checkMultipleOfValue: - type: boolean - contentProfile: - properties: - name: - type: string - type: object - dataType: - enum: - - alpha-numeric - - binary - - boolean - - decimal - - email - - integer - - none - - phone - type: string - decodeValueAsBase64: - enum: - - enabled - - disabled - - required - type: string - disallowFileUploadOfExecutables: - type: boolean - enableRegularExpression: - type: boolean - exclusiveMax: - type: boolean - exclusiveMin: - type: boolean - isBase64: - type: boolean - isCookie: - type: boolean - isHeader: - type: boolean - 
level: - enum: - - global - - url - type: string - mandatory: - type: boolean - maximumLength: - type: integer - maximumValue: - type: integer - metacharsOnParameterValueCheck: - type: boolean - minimumLength: - type: integer - minimumValue: - type: integer - multipleOf: - type: integer - name: - type: string - nameMetacharOverrides: - items: - properties: - isAllowed: - type: boolean - metachar: - type: string - type: object - type: array - objectSerializationStyle: - type: string - parameterEnumValues: - items: - type: string - type: array - parameterLocation: - enum: - - any - - cookie - - form-data - - header - - path - - query - type: string - regularExpression: - type: string - sensitiveParameter: - type: boolean - signatureOverrides: - items: - properties: - enabled: - type: boolean - name: - type: string - signatureId: - type: integer - tag: - type: string - type: object - type: array - staticValues: - type: string - type: - enum: - - explicit - - wildcard - type: string - url: - properties: - method: - enum: - - ACL - - BCOPY - - BDELETE - - BMOVE - - BPROPFIND - - BPROPPATCH - - CHECKIN - - CHECKOUT - - CONNECT - - COPY - - DELETE - - GET - - HEAD - - LINK - - LOCK - - MERGE - - MKCOL - - MKWORKSPACE - - MOVE - - NOTIFY - - OPTIONS - - PATCH - - POLL - - POST - - PROPFIND - - PROPPATCH - - PUT - - REPORT - - RPC_IN_DATA - - RPC_OUT_DATA - - SEARCH - - SUBSCRIBE - - TRACE - - TRACK - - UNLINK - - UNLOCK - - UNSUBSCRIBE - - VERSION_CONTROL - - X-MS-ENUMATTS - - '*' - type: string - name: - type: string - protocol: - enum: - - http - - https - type: string - type: - enum: - - explicit - - wildcard - type: string - type: object - valueMetacharOverrides: - items: - properties: - isAllowed: - type: boolean - metachar: - type: string - type: object - type: array - valueType: - enum: - - array - - auto-detect - - dynamic-content - - dynamic-parameter-name - - ignore - - json - - object - - openapi-array - - static-content - - user-input - - xml - type: string - 
wildcardOrder: - type: integer - type: object - type: array - response-pages: - items: - properties: - ajaxActionType: - enum: - - alert-popup - - custom - - redirect - type: string - ajaxCustomContent: - type: string - ajaxEnabled: - type: boolean - ajaxPopupMessage: - type: string - ajaxRedirectUrl: - type: string - grpcStatusCode: - pattern: ABORTED|ALREADY_EXISTS|CANCELLED|DATA_LOSS|DEADLINE_EXCEEDED|FAILED_PRECONDITION|INTERNAL|INVALID_ARGUMENT|NOT_FOUND|OK|OUT_OF_RANGE|PERMISSION_DENIED|RESOURCE_EXHAUSTED|UNAUTHENTICATED|UNAVAILABLE|UNIMPLEMENTED|UNKNOWN|d+ - type: string - grpcStatusMessage: - type: string - responseActionType: - enum: - - custom - - default - - erase-cookies - - redirect - - soap-fault - type: string - responseContent: - type: string - responseHeader: - type: string - responsePageType: - enum: - - ajax - - ajax-login - - captcha - - captcha-fail - - default - - failed-login-honeypot - - failed-login-honeypot-ajax - - hijack - - leaked-credentials - - leaked-credentials-ajax - - mobile - - persistent-flow - - xml - - grpc - type: string - responseRedirectUrl: - type: string - type: object - type: array - responsePageReference: - properties: - link: - pattern: ^http - type: string - type: object - sensitive-parameters: - items: - properties: - $action: - enum: - - delete - type: string - name: - type: string - type: object - type: array - sensitiveParameterReference: - properties: - link: - pattern: ^http - type: string - type: object - server-technologies: - items: - properties: - $action: - enum: - - delete - type: string - serverTechnologyName: - enum: - - Jenkins - - SharePoint - - Oracle Application Server - - Python - - Oracle Identity Manager - - Spring Boot - - CouchDB - - SQLite - - Handlebars - - Mustache - - Prototype - - Zend - - Redis - - Underscore.js - - Ember.js - - ZURB Foundation - - ef.js - - Vue.js - - UIKit - - TYPO3 CMS - - RequireJS - - React - - MooTools - - Laravel - - GraphQL - - Google Web Toolkit - - Express.js - - 
CodeIgniter - - Backbone.js - - AngularJS - - JavaScript - - Nginx - - Jetty - - Joomla - - JavaServer Faces (JSF) - - Ruby - - MongoDB - - Django - - Node.js - - Citrix - - JBoss - - Elasticsearch - - Apache Struts - - XML - - PostgreSQL - - IBM DB2 - - Sybase/ASE - - CGI - - Proxy Servers - - SSI (Server Side Includes) - - Cisco - - Novell - - Macromedia JRun - - BEA Systems WebLogic Server - - Lotus Domino - - MySQL - - Oracle - - Microsoft SQL Server - - PHP - - Outlook Web Access - - Apache/NCSA HTTP Server - - Apache Tomcat - - WordPress - - Macromedia ColdFusion - - Unix/Linux - - Microsoft Windows - - ASP.NET - - Front Page Server Extensions (FPSE) - - IIS - - WebDAV - - ASP - - Java Servlets/JSP - - jQuery - type: string - type: object - type: array - serverTechnologyReference: - properties: - link: - pattern: ^http - type: string - type: object - signature-requirements: - items: - properties: - $action: - enum: - - delete - type: string - tag: - type: string - type: object - type: array - signature-sets: - items: - properties: - $action: - enum: - - delete - type: string - alarm: - type: boolean - block: - type: boolean - name: - type: string - type: object - x-kubernetes-preserve-unknown-fields: true - type: array - signature-settings: - properties: - attackSignatureFalsePositiveMode: - enum: - - detect - - detect-and-allow - - disabled - type: string - minimumAccuracyForAutoAddedSignatures: - enum: - - high - - low - - medium - type: string - type: object - signatureReference: - properties: - link: - pattern: ^http - type: string - type: object - signatureSetReference: - properties: - link: - pattern: ^http - type: string - type: object - signatureSettingReference: - properties: - link: - pattern: ^http - type: string - type: object - signatures: - items: - properties: - enabled: - type: boolean - name: - type: string - signatureId: - type: integer - tag: - type: string - type: object - type: array - softwareVersion: - type: string - template: + entity: 
properties: name: type: string type: object - threat-campaigns: - items: - properties: - isEnabled: - type: boolean - name: - type: string - type: object - type: array - threatCampaignReference: + entityChanges: properties: - link: - pattern: ^http + type: type: string type: object - urlReference: - properties: - link: - pattern: ^http - type: string - type: object - urls: - items: + type: object + x-kubernetes-preserve-unknown-fields: true + type: array + modificationsReference: + properties: + link: + pattern: ^http + type: string + type: object + policy: + description: Defines the App Protect policy + properties: + applicationLanguage: + enum: + - iso-8859-10 + - iso-8859-6 + - windows-1255 + - auto-detect + - koi8-r + - gb18030 + - iso-8859-8 + - windows-1250 + - iso-8859-9 + - windows-1252 + - iso-8859-16 + - gb2312 + - iso-8859-2 + - iso-8859-5 + - windows-1257 + - windows-1256 + - iso-8859-13 + - windows-874 + - windows-1253 + - iso-8859-3 + - euc-jp + - utf-8 + - gbk + - windows-1251 + - big5 + - iso-8859-1 + - shift_jis + - euc-kr + - iso-8859-4 + - iso-8859-7 + - iso-8859-15 + type: string + blocking-settings: + properties: + evasions: + items: + properties: + description: + enum: + - '%u decoding' + - Apache whitespace + - Bad unescape + - Bare byte decoding + - Directory traversals + - IIS backslashes + - IIS Unicode codepoints + - Multiple decoding + - Multiple slashes + - Semicolon path parameters + - Trailing dot + - Trailing slash + type: string + enabled: + type: boolean + maxDecodingPasses: + type: integer + type: object + type: array + http-protocols: + items: + properties: + description: + enum: + - Unescaped space in URL + - Unparsable request content + - Several Content-Length headers + - 'POST request with Content-Length: 0' + - Null in request + - No Host header in HTTP/1.1 request + - Multiple host headers + - Host header contains IP address + - High ASCII characters in headers + - Header name with no header value + - CRLF characters before 
request start + - Content length should be a positive number + - Chunked request with Content-Length header + - Check maximum number of cookies + - Check maximum number of parameters + - Check maximum number of headers + - Body in GET or HEAD requests + - Bad multipart/form-data request parsing + - Bad multipart parameters parsing + - Bad HTTP version + - Bad host header value + type: string + enabled: + type: boolean + maxCookies: + maximum: 100 + minimum: 1 + type: integer + maxHeaders: + maximum: 150 + minimum: 1 + type: integer + maxParams: + maximum: 5000 + minimum: 1 + type: integer + type: object + type: array + violations: + items: + properties: + alarm: + type: boolean + block: + type: boolean + description: + type: string + name: + enum: + - VIOL_ACCESS_INVALID + - VIOL_ACCESS_MALFORMED + - VIOL_ACCESS_MISSING + - VIOL_ACCESS_UNAUTHORIZED + - VIOL_ASM_COOKIE_HIJACKING + - VIOL_ASM_COOKIE_MODIFIED + - VIOL_BLACKLISTED_IP + - VIOL_COOKIE_EXPIRED + - VIOL_COOKIE_LENGTH + - VIOL_COOKIE_MALFORMED + - VIOL_COOKIE_MODIFIED + - VIOL_CSRF + - VIOL_DATA_GUARD + - VIOL_ENCODING + - VIOL_EVASION + - VIOL_FILE_UPLOAD + - VIOL_FILE_UPLOAD_IN_BODY + - VIOL_FILETYPE + - VIOL_GRAPHQL_ERROR_RESPONSE + - VIOL_GRAPHQL_FORMAT + - VIOL_GRAPHQL_INTROSPECTION_QUERY + - VIOL_GRAPHQL_MALFORMED + - VIOL_GRPC_FORMAT + - VIOL_GRPC_MALFORMED + - VIOL_GRPC_METHOD + - VIOL_HEADER_LENGTH + - VIOL_HEADER_METACHAR + - VIOL_HEADER_REPEATED + - VIOL_HTTP_PROTOCOL + - VIOL_HTTP_RESPONSE_STATUS + - VIOL_JSON_FORMAT + - VIOL_JSON_MALFORMED + - VIOL_JSON_SCHEMA + - VIOL_MANDATORY_HEADER + - VIOL_MANDATORY_PARAMETER + - VIOL_MANDATORY_REQUEST_BODY + - VIOL_METHOD + - VIOL_PARAMETER + - VIOL_PARAMETER_ARRAY_VALUE + - VIOL_PARAMETER_DATA_TYPE + - VIOL_PARAMETER_EMPTY_VALUE + - VIOL_PARAMETER_LOCATION + - VIOL_PARAMETER_MULTIPART_NULL_VALUE + - VIOL_PARAMETER_NAME_METACHAR + - VIOL_PARAMETER_NUMERIC_VALUE + - VIOL_PARAMETER_REPEATED + - VIOL_PARAMETER_STATIC_VALUE + - VIOL_PARAMETER_VALUE_BASE64 + - 
VIOL_PARAMETER_VALUE_LENGTH + - VIOL_PARAMETER_VALUE_METACHAR + - VIOL_PARAMETER_VALUE_REGEXP + - VIOL_POST_DATA_LENGTH + - VIOL_QUERY_STRING_LENGTH + - VIOL_RATING_NEED_EXAMINATION + - VIOL_RATING_THREAT + - VIOL_REQUEST_LENGTH + - VIOL_REQUEST_MAX_LENGTH + - VIOL_THREAT_CAMPAIGN + - VIOL_URL + - VIOL_URL_CONTENT_TYPE + - VIOL_URL_LENGTH + - VIOL_URL_METACHAR + - VIOL_XML_FORMAT + - VIOL_XML_MALFORMED + type: string + type: object + type: array + type: object + blockingSettingReference: + properties: + link: + pattern: ^http + type: string + type: object + bot-defense: + properties: + mitigations: properties: - $action: - enum: - - delete - type: string - allowRenderingInFrames: - enum: - - never - - only-same - type: string - allowRenderingInFramesOnlyFrom: - type: string - attackSignaturesCheck: - type: boolean - clickjackingProtection: - type: boolean - description: - type: string - disallowFileUploadOfExecutables: - type: boolean - html5CrossOriginRequestsEnforcement: - properties: - allowOriginsEnforcementMode: - enum: - - replace-with - - unmodified - type: string - checkAllowedMethods: - type: boolean - crossDomainAllowedOrigin: - items: - properties: - includeSubDomains: - type: boolean - originName: - type: string - originPort: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - originProtocol: - enum: - - http - - http/https - - https - type: string - type: object - type: array - enforcementMode: - enum: - - disabled - - enforce - type: string - type: object - isAllowed: - type: boolean - mandatoryBody: - type: boolean - metacharOverrides: + anomalies: items: properties: - isAllowed: - type: boolean - metachar: + $action: + enum: + - delete + type: string + action: + enum: + - alarm + - block + - default + - detect + - ignore + type: string + name: + type: string + scoreThreshold: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + type: object + type: array + browsers: + items: + properties: + 
$action: + enum: + - delete + type: string + action: + enum: + - alarm + - block + - detect + type: string + maxVersion: + maximum: 2147483647 + minimum: 0 + type: integer + minVersion: + maximum: 2147483647 + minimum: 0 + type: integer + name: type: string type: object type: array - metacharsOnUrlCheck: + classes: + items: + properties: + action: + enum: + - alarm + - block + - detect + - ignore + type: string + name: + enum: + - browser + - malicious-bot + - suspicious-browser + - trusted-bot + - unknown + - untrusted-bot + type: string + type: object + type: array + signatures: + items: + properties: + $action: + enum: + - delete + type: string + action: + enum: + - alarm + - block + - detect + - ignore + type: string + name: + type: string + type: object + type: array + type: object + settings: + properties: + caseSensitiveHttpHeaders: type: boolean - method: + isEnabled: + type: boolean + type: object + type: object + browser-definitions: + items: + properties: + $action: + enum: + - delete + type: string + isUserDefined: + type: boolean + matchRegex: + type: string + matchString: + type: string + name: + type: string + type: object + type: array + caseInsensitive: + type: boolean + character-sets: + items: + properties: + characterSet: + items: + properties: + isAllowed: + type: boolean + metachar: + type: string + type: object + type: array + characterSetType: + enum: + - gwt-content + - header + - json-content + - parameter-name + - parameter-value + - plain-text-content + - url + - xml-content + type: string + type: object + type: array + characterSetReference: + properties: + link: + pattern: ^http + type: string + type: object + cookie-settings: + properties: + maximumCookieHeaderLength: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + type: object + cookieReference: + properties: + link: + pattern: ^http + type: string + type: object + cookieSettingsReference: + properties: + link: + pattern: ^http + type: string + type: 
object + cookies: + items: + properties: + $action: + enum: + - delete + type: string + accessibleOnlyThroughTheHttpProtocol: + type: boolean + attackSignaturesCheck: + type: boolean + decodeValueAsBase64: + enum: + - enabled + - disabled + - required + type: string + enforcementType: + type: string + insertSameSiteAttribute: + enum: + - lax + - none + - none-value + - strict + type: string + maskValueInLogs: + type: boolean + name: + type: string + securedOverHttpsConnection: + type: boolean + signatureOverrides: + items: + properties: + enabled: + type: boolean + name: + type: string + signatureId: + type: integer + tag: + type: string + type: object + type: array + type: + enum: + - explicit + - wildcard + type: string + wildcardOrder: + type: integer + type: object + type: array + csrf-protection: + properties: + enabled: + type: boolean + expirationTimeInSeconds: + pattern: disabled|\d+ + type: string + sslOnly: + type: boolean + type: object + csrf-urls: + items: + properties: + $action: + enum: + - delete + type: string + enforcementAction: + enum: + - verify-origin + - none + type: string + method: + enum: + - GET + - POST + - any + type: string + url: + type: string + wildcardOrder: + type: integer + type: object + type: array + data-guard: + properties: + creditCardNumbers: + type: boolean + customPatterns: + type: boolean + customPatternsList: + items: + type: string + type: array + enabled: + type: boolean + enforcementMode: + enum: + - ignore-urls-in-list + - enforce-urls-in-list + type: string + enforcementUrls: + items: + type: string + type: array + firstCustomCharactersToExpose: + type: integer + lastCcnDigitsToExpose: + type: integer + lastCustomCharactersToExpose: + type: integer + lastSsnDigitsToExpose: + type: integer + maskData: + type: boolean + usSocialSecurityNumbers: + type: boolean + type: object + dataGuardReference: + properties: + link: + pattern: ^http + type: string + type: object + description: + type: string + enablePassiveMode: + 
type: boolean + enforcementMode: + enum: + - transparent + - blocking + type: string + enforcer-settings: + properties: + enforcerStateCookies: + properties: + httpOnlyAttribute: + type: boolean + sameSiteAttribute: enum: + - lax + - none + - none-value + - strict + type: string + secureAttribute: + enum: + - always + - never + type: string + type: object + type: object + filetypeReference: + properties: + link: + pattern: ^http + type: string + type: object + filetypes: + items: + properties: + $action: + enum: + - delete + type: string + allowed: + type: boolean + checkPostDataLength: + type: boolean + checkQueryStringLength: + type: boolean + checkRequestLength: + type: boolean + checkUrlLength: + type: boolean + name: + type: string + postDataLength: + type: integer + queryStringLength: + type: integer + requestLength: + type: integer + responseCheck: + type: boolean + type: + enum: + - explicit + - wildcard + type: string + urlLength: + type: integer + wildcardOrder: + type: integer + type: object + type: array + fullPath: + type: string + general: + properties: + allowedResponseCodes: + items: + format: int32 + maximum: 999 + minimum: 100 + type: integer + type: array + customXffHeaders: + items: + type: string + type: array + maskCreditCardNumbersInRequest: + type: boolean + trustXff: + type: boolean + type: object + generalReference: + properties: + link: + pattern: ^http + type: string + type: object + graphql-profiles: + items: + properties: + $action: + enum: + - delete + type: string + attackSignaturesCheck: + type: boolean + defenseAttributes: + properties: + allowIntrospectionQueries: + type: boolean + maximumBatchedQueries: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + maximumQueryCost: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + maximumStructureDepth: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + maximumTotalLength: + anyOf: + - type: integer + 
- type: string + x-kubernetes-int-or-string: true + maximumValueLength: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + tolerateParsingWarnings: + type: boolean + type: object + description: + type: string + metacharElementCheck: + type: boolean + metacharOverrides: + items: + properties: + isAllowed: + type: boolean + metachar: + type: string + type: object + type: array + name: + type: string + responseEnforcement: + properties: + blockDisallowedPatterns: + type: boolean + disallowedPatterns: + items: + type: string + type: array + type: object + sensitiveData: + items: + properties: + parameterName: + type: string + type: object + type: array + signatureOverrides: + items: + properties: + enabled: + type: boolean + name: + type: string + signatureId: + type: integer + tag: + type: string + type: object + type: array + type: object + type: array + grpc-profiles: + items: + properties: + $action: + enum: + - delete + type: string + associateUrls: + type: boolean + attackSignaturesCheck: + type: boolean + decodeStringValuesAsBase64: + enum: + - disabled + - enabled + type: string + defenseAttributes: + properties: + allowUnknownFields: + type: boolean + maximumDataLength: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + type: object + description: + type: string + hasIdlFiles: + type: boolean + idlFiles: + items: + properties: + idlFile: + properties: + contents: + type: string + fileName: + type: string + isBase64: + type: boolean + type: object + importUrl: + type: string + isPrimary: + type: boolean + primaryIdlFileName: + type: string + type: object + type: array + metacharCheck: + type: boolean + metacharElementCheck: + type: boolean + name: + type: string + signatureOverrides: + items: + properties: + enabled: + type: boolean + name: + type: string + signatureId: + type: integer + tag: + type: string + type: object + type: array + type: object + type: array + header-settings: + properties: + 
maximumHttpHeaderLength: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + type: object + headerReference: + properties: + link: + pattern: ^http + type: string + type: object + headerSettingsReference: + properties: + link: + pattern: ^http + type: string + type: object + headers: + items: + properties: + $action: + enum: + - delete + type: string + allowRepeatedOccurrences: + type: boolean + base64Decoding: + type: boolean + checkSignatures: + type: boolean + decodeValueAsBase64: + enum: + - enabled + - disabled + - required + type: string + htmlNormalization: + type: boolean + mandatory: + type: boolean + maskValueInLogs: + type: boolean + name: + type: string + normalizationViolations: + type: boolean + percentDecoding: + type: boolean + signatureOverrides: + items: + properties: + enabled: + type: boolean + name: + type: string + signatureId: + type: integer + tag: + type: string + type: object + type: array + type: + enum: + - explicit + - wildcard + type: string + urlNormalization: + type: boolean + wildcardOrder: + type: integer + type: object + type: array + host-names: + items: + properties: + $action: + enum: + - delete + type: string + includeSubdomains: + type: boolean + name: + type: string + type: object + type: array + idl-files: + items: + properties: + contents: + type: string + fileName: + type: string + isBase64: + type: boolean + type: object + type: array + json-profiles: + items: + properties: + $action: + enum: + - delete + type: string + attackSignaturesCheck: + type: boolean + defenseAttributes: + properties: + maximumArrayLength: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + maximumStructureDepth: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + maximumTotalLengthOfJSONData: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + maximumValueLength: + anyOf: + - type: integer + - type: string + 
x-kubernetes-int-or-string: true + tolerateJSONParsingWarnings: + type: boolean + type: object + description: + type: string + handleJsonValuesAsParameters: + type: boolean + hasValidationFiles: + type: boolean + metacharOverrides: + items: + properties: + isAllowed: + type: boolean + metachar: + type: string + type: object + type: array + name: + type: string + signatureOverrides: + items: + properties: + enabled: + type: boolean + name: + type: string + signatureId: + type: integer + tag: + type: string + type: object + type: array + validationFiles: + items: + properties: + importUrl: + type: string + isPrimary: + type: boolean + jsonValidationFile: + properties: + $action: + enum: + - delete + type: string + contents: + type: string + fileName: + type: string + isBase64: + type: boolean + type: object + type: object + type: array + type: object + type: array + json-validation-files: + items: + properties: + $action: + enum: + - delete + type: string + contents: + type: string + fileName: + type: string + isBase64: + type: boolean + type: object + type: array + jsonProfileReference: + properties: + link: + pattern: ^http + type: string + type: object + jsonValidationFileReference: + properties: + link: + pattern: ^http + type: string + type: object + methodReference: + properties: + link: + pattern: ^http + type: string + type: object + methods: + items: + properties: + $action: + enum: + - delete + type: string + name: + type: string + type: object + type: array + name: + type: string + open-api-files: + items: + properties: + link: + pattern: ^http + type: string + type: object + type: array + parameterReference: + properties: + link: + pattern: ^http + type: string + type: object + parameters: + items: + properties: + $action: + enum: + - delete + type: string + allowEmptyValue: + type: boolean + allowRepeatedParameterName: + type: boolean + arraySerializationFormat: + enum: + - csv + - form + - label + - matrix + - multi + - multipart + - pipe + - ssv + - 
tsv + type: string + attackSignaturesCheck: + type: boolean + checkMaxValue: + type: boolean + checkMaxValueLength: + type: boolean + checkMetachars: + type: boolean + checkMinValue: + type: boolean + checkMinValueLength: + type: boolean + checkMultipleOfValue: + type: boolean + contentProfile: + properties: + name: + type: string + type: object + dataType: + enum: + - alpha-numeric + - binary + - boolean + - decimal + - email + - integer + - none + - phone + type: string + decodeValueAsBase64: + enum: + - enabled + - disabled + - required + type: string + disallowFileUploadOfExecutables: + type: boolean + enableRegularExpression: + type: boolean + exclusiveMax: + type: boolean + exclusiveMin: + type: boolean + isBase64: + type: boolean + isCookie: + type: boolean + isHeader: + type: boolean + level: + enum: + - global + - url + type: string + mandatory: + type: boolean + maximumLength: + type: integer + maximumValue: + type: integer + metacharsOnParameterValueCheck: + type: boolean + minimumLength: + type: integer + minimumValue: + type: integer + multipleOf: + type: integer + name: + type: string + nameMetacharOverrides: + items: + properties: + isAllowed: + type: boolean + metachar: + type: string + type: object + type: array + objectSerializationStyle: + type: string + parameterEnumValues: + items: + type: string + type: array + parameterLocation: + enum: + - any + - cookie + - form-data + - header + - path + - query + type: string + regularExpression: + type: string + sensitiveParameter: + type: boolean + signatureOverrides: + items: + properties: + enabled: + type: boolean + name: + type: string + signatureId: + type: integer + tag: + type: string + type: object + type: array + staticValues: + type: string + type: + enum: + - explicit + - wildcard + type: string + url: + properties: + method: + enum: - ACL - BCOPY - BDELETE 
@@ -1564,595 +1240,933 @@ spec: - VERSION_CONTROL - X-MS-ENUMATTS - '*' - type: string - methodOverrides: - items: - properties: - allowed: - type: boolean - method: - enum: - - ACL - - BCOPY - - BDELETE - - BMOVE - - BPROPFIND - - BPROPPATCH - - CHECKIN - - CHECKOUT - - CONNECT - - COPY - - DELETE - - GET - - HEAD - - LINK - - LOCK - - MERGE - - MKCOL - - MKWORKSPACE - - MOVE - - NOTIFY - - OPTIONS - - PATCH - - POLL - - POST - - PROPFIND - - PROPPATCH - - PUT - - REPORT - - RPC_IN_DATA - - RPC_OUT_DATA - - SEARCH - - SUBSCRIBE - - TRACE - - TRACK - - UNLINK - - UNLOCK - - UNSUBSCRIBE - - VERSION_CONTROL - - X-MS-ENUMATTS - type: string - type: object - type: array - methodsOverrideOnUrlCheck: - type: boolean - name: - type: string - operationId: - type: string - positionalParameters: - items: - properties: - parameter: - properties: - $action: - enum: - - delete - type: string - allowEmptyValue: - type: boolean - allowRepeatedParameterName: - type: boolean - arraySerializationFormat: - enum: - - csv - - form - - label - - matrix - - multi - - multipart - - pipe - - ssv - - tsv - type: string - attackSignaturesCheck: - type: boolean - checkMaxValue: - type: boolean - checkMaxValueLength: - type: boolean - checkMetachars: - type: boolean - checkMinValue: - type: boolean - checkMinValueLength: - type: boolean - checkMultipleOfValue: - type: boolean - contentProfile: - properties: - name: - type: string - type: object - dataType: - enum: - - alpha-numeric - - binary - - boolean - - decimal - - email - - integer - - none - - phone - type: string - decodeValueAsBase64: - enum: - - enabled - - disabled - - required - type: string - disallowFileUploadOfExecutables: - type: boolean - enableRegularExpression: - type: boolean - exclusiveMax: - type: boolean - exclusiveMin: - type: boolean - isBase64: - type: boolean - isCookie: - type: boolean - isHeader: - type: boolean - level: - enum: - - global - - url - type: string - mandatory: - type: boolean - maximumLength: - type: 
integer - maximumValue: - type: integer - metacharsOnParameterValueCheck: - type: boolean - minimumLength: - type: integer - minimumValue: - type: integer - multipleOf: - type: integer - name: - type: string - nameMetacharOverrides: - items: - properties: - isAllowed: - type: boolean - metachar: - type: string - type: object - type: array - objectSerializationStyle: - type: string - parameterEnumValues: - items: - type: string - type: array - parameterLocation: - enum: - - any - - cookie - - form-data - - header - - path - - query - type: string - regularExpression: - type: string - sensitiveParameter: - type: boolean - signatureOverrides: - items: - properties: - enabled: - type: boolean - name: - type: string - signatureId: - type: integer - tag: - type: string - type: object - type: array - staticValues: - type: string - type: - enum: - - explicit - - wildcard - type: string - url: - properties: - method: - enum: - - ACL - - BCOPY - - BDELETE - - BMOVE - - BPROPFIND - - BPROPPATCH - - CHECKIN - - CHECKOUT - - CONNECT - - COPY - - DELETE - - GET - - HEAD - - LINK - - LOCK - - MERGE - - MKCOL - - MKWORKSPACE - - MOVE - - NOTIFY - - OPTIONS - - PATCH - - POLL - - POST - - PROPFIND - - PROPPATCH - - PUT - - REPORT - - RPC_IN_DATA - - RPC_OUT_DATA - - SEARCH - - SUBSCRIBE - - TRACE - - TRACK - - UNLINK - - UNLOCK - - UNSUBSCRIBE - - VERSION_CONTROL - - X-MS-ENUMATTS - - '*' - type: string - name: - type: string - protocol: - enum: - - http - - https - type: string - type: - enum: - - explicit - - wildcard - type: string - type: object - valueMetacharOverrides: - items: - properties: - isAllowed: - type: boolean - metachar: - type: string - type: object - type: array - valueType: - enum: - - array - - auto-detect - - dynamic-content - - dynamic-parameter-name - - ignore - - json - - object - - openapi-array - - static-content - - user-input - - xml - type: string - wildcardOrder: - type: integer - type: object - urlSegmentIndex: - type: integer - type: object - type: 
array - protocol: - enum: + type: string + name: + type: string + protocol: + enum: - http - https - type: string - signatureOverrides: - items: - properties: - enabled: - type: boolean - name: - type: string - signatureId: - type: integer - tag: - type: string - type: object - type: array - type: - enum: + type: string + type: + enum: - explicit - wildcard - type: string - urlContentProfiles: - items: - properties: - contentProfile: - properties: - name: - type: string - type: object - headerName: - type: string - headerOrder: - anyOf: + type: string + type: object + valueMetacharOverrides: + items: + properties: + isAllowed: + type: boolean + metachar: + type: string + type: object + type: array + valueType: + enum: + - array + - auto-detect + - dynamic-content + - dynamic-parameter-name + - ignore + - json + - object + - openapi-array + - static-content + - user-input + - xml + type: string + wildcardOrder: + type: integer + type: object + type: array + response-pages: + items: + properties: + ajaxActionType: + enum: + - alert-popup + - custom + - redirect + type: string + ajaxCustomContent: + type: string + ajaxEnabled: + type: boolean + ajaxPopupMessage: + type: string + ajaxRedirectUrl: + type: string + grpcStatusCode: + pattern: ABORTED|ALREADY_EXISTS|CANCELLED|DATA_LOSS|DEADLINE_EXCEEDED|FAILED_PRECONDITION|INTERNAL|INVALID_ARGUMENT|NOT_FOUND|OK|OUT_OF_RANGE|PERMISSION_DENIED|RESOURCE_EXHAUSTED|UNAUTHENTICATED|UNAVAILABLE|UNIMPLEMENTED|UNKNOWN|d+ + type: string + grpcStatusMessage: + type: string + responseActionType: + enum: + - custom + - default + - erase-cookies + - redirect + - soap-fault + type: string + responseContent: + type: string + responseHeader: + type: string + responsePageType: + enum: + - ajax + - ajax-login + - captcha + - captcha-fail + - default + - failed-login-honeypot + - failed-login-honeypot-ajax + - hijack + - leaked-credentials + - leaked-credentials-ajax + - mobile + - persistent-flow + - xml + - grpc + type: string + 
responseRedirectUrl: + type: string + type: object + type: array + responsePageReference: + properties: + link: + pattern: ^http + type: string + type: object + sensitive-parameters: + items: + properties: + $action: + enum: + - delete + type: string + name: + type: string + type: object + type: array + sensitiveParameterReference: + properties: + link: + pattern: ^http + type: string + type: object + server-technologies: + items: + properties: + $action: + enum: + - delete + type: string + serverTechnologyName: + enum: + - Jenkins + - SharePoint + - Oracle Application Server + - Python + - Oracle Identity Manager + - Spring Boot + - CouchDB + - SQLite + - Handlebars + - Mustache + - Prototype + - Zend + - Redis + - Underscore.js + - Ember.js + - ZURB Foundation + - ef.js + - Vue.js + - UIKit + - TYPO3 CMS + - RequireJS + - React + - MooTools + - Laravel + - GraphQL + - Google Web Toolkit + - Express.js + - CodeIgniter + - Backbone.js + - AngularJS + - JavaScript + - Nginx + - Jetty + - Joomla + - JavaServer Faces (JSF) + - Ruby + - MongoDB + - Django + - Node.js + - Citrix + - JBoss + - Elasticsearch + - Apache Struts + - XML + - PostgreSQL + - IBM DB2 + - Sybase/ASE + - CGI + - Proxy Servers + - SSI (Server Side Includes) + - Cisco + - Novell + - Macromedia JRun + - BEA Systems WebLogic Server + - Lotus Domino + - MySQL + - Oracle + - Microsoft SQL Server + - PHP + - Outlook Web Access + - Apache/NCSA HTTP Server + - Apache Tomcat + - WordPress + - Macromedia ColdFusion + - Unix/Linux + - Microsoft Windows + - ASP.NET + - Front Page Server Extensions (FPSE) + - IIS + - WebDAV + - ASP + - Java Servlets/JSP + - jQuery + type: string + type: object + type: array + serverTechnologyReference: + properties: + link: + pattern: ^http + type: string + type: object + signature-requirements: + items: + properties: + $action: + enum: + - delete + type: string + tag: + type: string + type: object + type: array + signature-sets: + items: + properties: + $action: + enum: + - 
delete + type: string + alarm: + type: boolean + block: + type: boolean + name: + type: string + type: object + x-kubernetes-preserve-unknown-fields: true + type: array + signature-settings: + properties: + attackSignatureFalsePositiveMode: + enum: + - detect + - detect-and-allow + - disabled + type: string + minimumAccuracyForAutoAddedSignatures: + enum: + - high + - low + - medium + type: string + type: object + signatureReference: + properties: + link: + pattern: ^http + type: string + type: object + signatureSetReference: + properties: + link: + pattern: ^http + type: string + type: object + signatureSettingReference: + properties: + link: + pattern: ^http + type: string + type: object + signatures: + items: + properties: + enabled: + type: boolean + name: + type: string + signatureId: + type: integer + tag: + type: string + type: object + type: array + softwareVersion: + type: string + template: + properties: + name: + type: string + type: object + threat-campaigns: + items: + properties: + isEnabled: + type: boolean + name: + type: string + type: object + type: array + threatCampaignReference: + properties: + link: + pattern: ^http + type: string + type: object + urlReference: + properties: + link: + pattern: ^http + type: string + type: object + urls: + items: + properties: + $action: + enum: + - delete + type: string + allowRenderingInFrames: + enum: + - never + - only-same + type: string + allowRenderingInFramesOnlyFrom: + type: string + attackSignaturesCheck: + type: boolean + clickjackingProtection: + type: boolean + description: + type: string + disallowFileUploadOfExecutables: + type: boolean + html5CrossOriginRequestsEnforcement: + properties: + allowOriginsEnforcementMode: + enum: + - replace-with + - unmodified + type: string + checkAllowedMethods: + type: boolean + crossDomainAllowedOrigin: + items: + properties: + includeSubDomains: + type: boolean + originName: + type: string + originPort: + anyOf: - type: integer - type: string - 
x-kubernetes-int-or-string: true - headerValue: - type: string - name: - type: string - type: - enum: - - apply-content-signatures - - apply-value-and-content-signatures - - disallow - - do-nothing + x-kubernetes-int-or-string: true + originProtocol: + enum: + - http + - http/https + - https + type: string + type: object + type: array + enforcementMode: + enum: + - disabled + - enforce + type: string + type: object + isAllowed: + type: boolean + mandatoryBody: + type: boolean + metacharOverrides: + items: + properties: + isAllowed: + type: boolean + metachar: + type: string + type: object + type: array + metacharsOnUrlCheck: + type: boolean + method: + enum: + - ACL + - BCOPY + - BDELETE + - BMOVE + - BPROPFIND + - BPROPPATCH + - CHECKIN + - CHECKOUT + - CONNECT + - COPY + - DELETE + - GET + - HEAD + - LINK + - LOCK + - MERGE + - MKCOL + - MKWORKSPACE + - MOVE + - NOTIFY + - OPTIONS + - PATCH + - POLL + - POST + - PROPFIND + - PROPPATCH + - PUT + - REPORT + - RPC_IN_DATA + - RPC_OUT_DATA + - SEARCH + - SUBSCRIBE + - TRACE + - TRACK + - UNLINK + - UNLOCK + - UNSUBSCRIBE + - VERSION_CONTROL + - X-MS-ENUMATTS + - '*' + type: string + methodOverrides: + items: + properties: + allowed: + type: boolean + method: + enum: + - ACL + - BCOPY + - BDELETE + - BMOVE + - BPROPFIND + - BPROPPATCH + - CHECKIN + - CHECKOUT + - CONNECT + - COPY + - DELETE + - GET + - HEAD + - LINK + - LOCK + - MERGE + - MKCOL + - MKWORKSPACE + - MOVE + - NOTIFY + - OPTIONS + - PATCH + - POLL + - POST + - PROPFIND + - PROPPATCH + - PUT + - REPORT + - RPC_IN_DATA + - RPC_OUT_DATA + - SEARCH + - SUBSCRIBE + - TRACE + - TRACK + - UNLINK + - UNLOCK + - UNSUBSCRIBE + - VERSION_CONTROL + - X-MS-ENUMATTS + type: string + type: object + type: array + methodsOverrideOnUrlCheck: + type: boolean + name: + type: string + operationId: + type: string + positionalParameters: + items: + properties: + parameter: + properties: + $action: + enum: + - delete + type: string + allowEmptyValue: + type: boolean + 
allowRepeatedParameterName: + type: boolean + arraySerializationFormat: + enum: + - csv + - form + - label + - matrix + - multi + - multipart + - pipe + - ssv + - tsv + type: string + attackSignaturesCheck: + type: boolean + checkMaxValue: + type: boolean + checkMaxValueLength: + type: boolean + checkMetachars: + type: boolean + checkMinValue: + type: boolean + checkMinValueLength: + type: boolean + checkMultipleOfValue: + type: boolean + contentProfile: + properties: + name: + type: string + type: object + dataType: + enum: + - alpha-numeric + - binary + - boolean + - decimal + - email + - integer + - none + - phone + type: string + decodeValueAsBase64: + enum: + - enabled + - disabled + - required + type: string + disallowFileUploadOfExecutables: + type: boolean + enableRegularExpression: + type: boolean + exclusiveMax: + type: boolean + exclusiveMin: + type: boolean + isBase64: + type: boolean + isCookie: + type: boolean + isHeader: + type: boolean + level: + enum: + - global + - url + type: string + mandatory: + type: boolean + maximumLength: + type: integer + maximumValue: + type: integer + metacharsOnParameterValueCheck: + type: boolean + minimumLength: + type: integer + minimumValue: + type: integer + multipleOf: + type: integer + name: + type: string + nameMetacharOverrides: + items: + properties: + isAllowed: + type: boolean + metachar: + type: string + type: object + type: array + objectSerializationStyle: + type: string + parameterEnumValues: + items: + type: string + type: array + parameterLocation: + enum: + - any + - cookie - form-data - - gwt + - header + - path + - query + type: string + regularExpression: + type: string + sensitiveParameter: + type: boolean + signatureOverrides: + items: + properties: + enabled: + type: boolean + name: + type: string + signatureId: + type: integer + tag: + type: string + type: object + type: array + staticValues: + type: string + type: + enum: + - explicit + - wildcard + type: string + url: + properties: + method: 
+ enum: + - ACL + - BCOPY + - BDELETE + - BMOVE + - BPROPFIND + - BPROPPATCH + - CHECKIN + - CHECKOUT + - CONNECT + - COPY + - DELETE + - GET + - HEAD + - LINK + - LOCK + - MERGE + - MKCOL + - MKWORKSPACE + - MOVE + - NOTIFY + - OPTIONS + - PATCH + - POLL + - POST + - PROPFIND + - PROPPATCH + - PUT + - REPORT + - RPC_IN_DATA + - RPC_OUT_DATA + - SEARCH + - SUBSCRIBE + - TRACE + - TRACK + - UNLINK + - UNLOCK + - UNSUBSCRIBE + - VERSION_CONTROL + - X-MS-ENUMATTS + - '*' + type: string + name: + type: string + protocol: + enum: + - http + - https + type: string + type: + enum: + - explicit + - wildcard + type: string + type: object + valueMetacharOverrides: + items: + properties: + isAllowed: + type: boolean + metachar: + type: string + type: object + type: array + valueType: + enum: + - array + - auto-detect + - dynamic-content + - dynamic-parameter-name + - ignore - json + - object + - openapi-array + - static-content + - user-input - xml - - grpc - type: string - type: object - type: array - wildcardOrder: - type: integer - type: object - type: array - whitelist-ips: - items: - properties: - $action: - enum: - - delete - type: string - blockRequests: - enum: - - always - - never - - policy-default - type: string - ipAddress: - pattern: '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' - type: string - ipMask: - pattern: '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' - type: string - neverLogRequests: - type: boolean - type: object - type: array - whitelistIpReference: - properties: - link: - pattern: ^http - type: string - type: object - xml-profiles: - items: - properties: - $action: - enum: - - delete - type: string - attackSignaturesCheck: - type: boolean - defenseAttributes: - properties: - allowCDATA: - type: boolean - allowDTDs: - type: boolean - allowExternalReferences: - type: boolean - allowProcessingInstructions: - type: boolean - maximumAttributeValueLength: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - 
maximumAttributesPerElement: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - maximumChildrenPerElement: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - maximumDocumentDepth: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - maximumDocumentSize: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - maximumElements: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - maximumNSDeclarations: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - maximumNameLength: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - maximumNamespaceLength: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - tolerateCloseTagShorthand: - type: boolean - tolerateLeadingWhiteSpace: - type: boolean - tolerateNumericNames: - type: boolean + type: string + wildcardOrder: + type: integer + type: object + urlSegmentIndex: + type: integer type: object - description: - type: string - enableWss: - type: boolean - followSchemaLinks: - type: boolean - name: - type: string - signatureOverrides: - items: - properties: - enabled: - type: boolean - name: - type: string - signatureId: - type: integer - tag: - type: string - type: object - type: array - useXmlResponsePage: - type: boolean - type: object - type: array - xml-validation-files: - items: - properties: - $action: - enum: - - delete - type: string - contents: - type: string - fileName: - type: string - isBase64: - type: boolean - type: object - type: array - xmlProfileReference: - properties: - link: - pattern: ^http + type: array + protocol: + enum: + - http + - https type: string - type: object - xmlValidationFileReference: - properties: - link: - pattern: ^http + signatureOverrides: + items: + properties: + enabled: + type: boolean + name: + type: string + signatureId: + type: integer + tag: + type: string + 
type: object + type: array + type: + enum: + - explicit + - wildcard type: string + urlContentProfiles: + items: + properties: + contentProfile: + properties: + name: + type: string + type: object + headerName: + type: string + headerOrder: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + headerValue: + type: string + name: + type: string + type: + enum: + - apply-content-signatures + - apply-value-and-content-signatures + - disallow + - do-nothing + - form-data + - gwt + - json + - xml + - grpc + type: string + type: object + type: array + wildcardOrder: + type: integer type: object - graphql-profiles: - items: - properties: - $action: - enum: - - delete - type: string - attackSignaturesCheck: - type: boolean - defenseAttributes: + type: array + whitelist-ips: + items: + properties: + $action: + enum: + - delete + type: string + blockRequests: + enum: + - always + - never + - policy-default + type: string + ipAddress: + pattern: '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' + type: string + ipMask: + pattern: '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' + type: string + neverLogRequests: + type: boolean + type: object + type: array + whitelistIpReference: + properties: + link: + pattern: ^http + type: string + type: object + xml-profiles: + items: + properties: + $action: + enum: + - delete + type: string + attackSignaturesCheck: + type: boolean + defenseAttributes: + properties: + allowCDATA: + type: boolean + allowDTDs: + type: boolean + allowExternalReferences: + type: boolean + allowProcessingInstructions: + type: boolean + maximumAttributeValueLength: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + maximumAttributesPerElement: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + maximumChildrenPerElement: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + maximumDocumentDepth: + anyOf: + - type: integer + - type: string + 
x-kubernetes-int-or-string: true + maximumDocumentSize: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + maximumElements: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + maximumNSDeclarations: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + maximumNameLength: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + maximumNamespaceLength: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + tolerateCloseTagShorthand: + type: boolean + tolerateLeadingWhiteSpace: + type: boolean + tolerateNumericNames: + type: boolean + type: object + description: + type: string + enableWss: + type: boolean + followSchemaLinks: + type: boolean + name: + type: string + signatureOverrides: + items: properties: - allowIntrospectionQueries: - type: boolean - maximumBatchedQueries: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - maximumQueryCost: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - maximumStructureDepth: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - maximumTotalLength: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - maximumValueLength: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - tolerateParsingWarnings: + enabled: type: boolean + name: + type: string + signatureId: + type: integer + tag: + type: string type: object - description: - type: string - metacharElementCheck: - type: boolean - metacharOverrides: - items: - properties: - isAllowed: - type: boolean - metachar: - type: string - type: object - type: array - responseEnforcement: - properties: - blockDisallowedPatterns: - type: boolean - disallowedPatterns: - items: - type: string - type: array - type: object - sensetiveData: - items: - properties: - parameterName: - type: string - type: object - type: array 
- signatureOverrides: - items: - properties: - enabled: - type: boolean - name: - type: string - signatureId: - type: integer - tag: - type: string - type: object - type: array - name: - type: string - type: object - type: array - type: object - type: object - type: object - served: true - storage: true + type: array + useXmlResponsePage: + type: boolean + type: object + type: array + xml-validation-files: + items: + properties: + $action: + enum: + - delete + type: string + contents: + type: string + fileName: + type: string + isBase64: + type: boolean + type: object + type: array + xmlProfileReference: + properties: + link: + pattern: ^http + type: string + type: object + xmlValidationFileReference: + properties: + link: + pattern: ^http + type: string + type: object + type: object + type: object + type: object + served: true + storage: true diff --git a/charts/f5/nginx-ingress/crds/appprotect.f5.com_apusersigs.yaml b/charts/f5/nginx-ingress/crds/appprotect.f5.com_apusersigs.yaml index 34eb0784f..6d71ed633 100644 --- a/charts/f5/nginx-ingress/crds/appprotect.f5.com_apusersigs.yaml +++ b/charts/f5/nginx-ingress/crds/appprotect.f5.com_apusersigs.yaml @@ -2,8 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.10.0 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.13.0 name: apusersigs.appprotect.f5.com spec: group: appprotect.f5.com 
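Review bot: The `grpcStatusCode` pattern added under `response-pages` in this hunk ends in `|d+` while the `expirationTimeInSeconds` pattern earlier in this file uses `\d+`, so (unless the collapsed rendering dropped a backslash) a numeric status code such as `"5"` is rejected and the literal string `"ddd"` is accepted; the intended alternative is `...|UNKNOWN|\d+`. The same family of `pattern:` fields is also unanchored — `OK` matches any value containing "OK", and the re-added `ipAddress`/`ipMask` patterns under `whitelist-ips` accept octets above 255 — so CRD admission validates this WAF allowlist more loosely than the regexes suggest; anchoring them (`^(...)$`) and bounding the octets would tighten it. These files are controller-gen output (see the `controller-gen.kubebuilder.io/version` annotation in the adjacent hunk), so the correction belongs in the upstream type's `+kubebuilder:validation:Pattern` marker rather than in this vendored copy. The enclosing `openAPIV3Schema` block starts before this hunk.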
@@ -15,79 +14,85 @@ spec: preserveUnknownFields: false scope: Namespaced versions: - - name: v1beta1 - schema: - openAPIV3Schema: - description: APUserSig is the Schema for the apusersigs API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: APUserSigSpec defines the desired state of APUserSig + - name: v1beta1 + schema: + openAPIV3Schema: + description: APUserSig is the Schema for the apusersigs API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: APUserSigSpec defines the desired state of APUserSig + properties: properties: - properties: - type: string - signatures: - items: - properties: - accuracy: - enum: - - high - - medium - - low - type: string - attackType: + type: string + signatures: + items: + properties: + accuracy: + enum: + - high + - medium + - low + type: string + attackType: + properties: + name: + type: string + type: object + description: + type: string + name: + type: string + references: + properties: + type: + enum: + - bugtraq + - cve + - nessus + - url + type: string + value: + type: string + type: object + risk: + enum: + - high + - medium + - low + type: string + rule: + type: string + signatureType: + enum: + - request + - response + type: string + systems: + items: properties: name: type: string type: object - description: - type: string - name: - type: string - references: - properties: - type: - enum: - - bugtraq - - cve - - nessus - - url - type: string - value: - type: string - type: object - risk: - enum: - - high - - medium - - low - type: string - rule: - type: string - signatureType: - enum: - - request - - response - type: string - systems: - items: - properties: - name: - type: string - type: object - type: array - type: object - type: array - tag: - type: string - type: object - type: object - served: true - storage: true + type: array + type: object + type: array + softwareVersion: + type: string + tag: + type: string + type: object + type: object + served: true + storage: true diff --git a/charts/f5/nginx-ingress/crds/k8s.nginx.org_policies.yaml b/charts/f5/nginx-ingress/crds/k8s.nginx.org_policies.yaml index de6bef324..f275d3a44 100644 --- a/charts/f5/nginx-ingress/crds/k8s.nginx.org_policies.yaml +++ b/charts/f5/nginx-ingress/crds/k8s.nginx.org_policies.yaml 
@@ -67,6 +67,25 @@ spec: type: string type: array type: object + apiKey: + description: APIKey defines an API Key policy. + properties: + clientSecret: + type: string + suppliedIn: + description: SuppliedIn defines the locations API Key should be + supplied in. + properties: + header: + items: + type: string + type: array + query: + items: + type: string + type: array + type: object + type: object basicAuth: description: |- BasicAuth holds HTTP Basic authentication configuration @@ -172,6 +191,8 @@ spec: type: string rejectCode: type: integer + scale: + type: boolean zoneSize: type: string type: object diff --git a/charts/f5/nginx-ingress/crds/k8s.nginx.org_virtualserverroutes.yaml b/charts/f5/nginx-ingress/crds/k8s.nginx.org_virtualserverroutes.yaml index 7fde72e89..0125eef8a 100644 --- a/charts/f5/nginx-ingress/crds/k8s.nginx.org_virtualserverroutes.yaml +++ b/charts/f5/nginx-ingress/crds/k8s.nginx.org_virtualserverroutes.yaml @@ -148,6 +148,16 @@ spec: type: string code: type: integer + headers: + items: + description: Header defines an HTTP Header. + properties: + name: + type: string + value: + type: string + type: object + type: array type: type: string type: object @@ -276,6 +286,16 @@ spec: type: string code: type: integer + headers: + items: + description: Header defines an HTTP Header. + properties: + name: + type: string + value: + type: string + type: object + type: array type: type: string type: object @@ -383,6 +403,16 @@ spec: type: string code: type: integer + headers: + items: + description: Header defines an HTTP Header. + properties: + name: + type: string + value: + type: string + type: object + type: array type: type: string type: object @@ -489,6 +519,16 @@ spec: type: string code: type: integer + headers: + items: + description: Header defines an HTTP Header. + properties: + name: + type: string + value: + type: string + type: object + type: array type: type: string type: object 
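Review bot: `suppliedIn.query` lets an API key be accepted from the URL query string, and the new schema carries no description noting that query parameters are routinely recorded in access logs, browser history and Referer headers, an exposure the `header` location does not share. Suggest a `description` on `query`, e.g. `description: Query parameter names the API key may be supplied in. Keys sent in the query string are typically written to access logs; prefer header.` `clientSecret` is also undocumented — if it names a Secret in the policy's namespace (not visible here), a `description` saying so would help operators scope RBAC on that Secret. The `scale: type: boolean` added in the second hunk of this file likewise lacks a `description`.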
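Review bot: The new `headers` item (sibling of `code` and `type`) constrains `name` and `value` only as free-form strings, and the identical item is added in the other three hunks of this file and the four hunks of k8s.nginx.org_virtualservers.yaml. These values are rendered into NGINX configuration, so a schema-level `pattern` on `name` (e.g. `pattern: ^[-A-Za-z0-9_]+$`) would reject malformed header names at admission rather than relying solely on controller-side validation, which is not visible here. If the controller already validates header names and values before rendering, a `description: Header defines an HTTP Header. Name is validated as an HTTP token by the controller.` on the item would document that for CR authors.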
diff --git a/charts/f5/nginx-ingress/crds/k8s.nginx.org_virtualservers.yaml b/charts/f5/nginx-ingress/crds/k8s.nginx.org_virtualservers.yaml index 1c28ddec6..774449f8c 100644 --- a/charts/f5/nginx-ingress/crds/k8s.nginx.org_virtualservers.yaml +++ b/charts/f5/nginx-ingress/crds/k8s.nginx.org_virtualservers.yaml @@ -210,6 +210,16 @@ spec: type: string code: type: integer + headers: + items: + description: Header defines an HTTP Header. + properties: + name: + type: string + value: + type: string + type: object + type: array type: type: string type: object @@ -338,6 +348,16 @@ spec: type: string code: type: integer + headers: + items: + description: Header defines an HTTP Header. + properties: + name: + type: string + value: + type: string + type: object + type: array type: type: string type: object @@ -445,6 +465,16 @@ spec: type: string code: type: integer + headers: + items: + description: Header defines an HTTP Header. + properties: + name: + type: string + value: + type: string + type: object + type: array type: type: string type: object @@ -551,6 +581,16 @@ spec: type: string code: type: integer + headers: + items: + description: Header defines an HTTP Header. + properties: + name: + type: string + value: + type: string + type: object + type: array type: type: string type: object diff --git a/charts/f5/nginx-ingress/templates/_helpers.tpl b/charts/f5/nginx-ingress/templates/_helpers.tpl index 497e1f6cd..051cd17b0 100644 --- a/charts/f5/nginx-ingress/templates/_helpers.tpl +++ b/charts/f5/nginx-ingress/templates/_helpers.tpl 
@@ -152,10 +152,27 @@ Expand wildcard TLS name.
 Expand image name.
 */}}
 {{- define "nginx-ingress.image" -}}
-{{- if .Values.controller.image.digest -}}
-{{- printf "%s@%s" .Values.controller.image.repository .Values.controller.image.digest -}}
+{{ include "nginx-ingress.image-digest-or-tag" (dict "image" .Values.controller.image "default" .Chart.AppVersion ) }}
+{{- end -}}
+
+{{- define "nap-enforcer.image" -}}
+{{ include "nginx-ingress.image-digest-or-tag" (dict "image" .Values.controller.appprotect.enforcer.image "default" .Chart.AppVersion ) }}
+{{- end -}}
+
+{{- define "nap-config-manager.image" -}}
+{{ include "nginx-ingress.image-digest-or-tag" (dict "image" .Values.controller.appprotect.configManager.image "default" .Chart.AppVersion ) }}
+{{- end -}}
+
+{{/*
+Accepts an image struct like .Values.controller.image along with a default value to use
+if the digest or tag is not set. Can be called like:
+include "nginx-ingress.image-digest-or-tag" (dict "image" .Values.controller.image "default" .Chart.AppVersion
+*/}}
+{{- define "nginx-ingress.image-digest-or-tag" -}}
+{{- if .image.digest -}}
+{{- printf "%s@%s" .image.repository .image.digest -}}
 {{- else -}}
-{{- printf "%s:%s" .Values.controller.image.repository (include "nginx-ingress.tag" .) -}}
+{{- printf "%s:%s" .image.repository (default .default .image.tag) -}}
 {{- end -}}
 {{- end -}}
 
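Review bot: `nap-enforcer.image` and `nap-config-manager.image` fall back to `.Chart.AppVersion` when `tag` is empty, but the values.schema.json hunks in this same commit default those WAF image tags to `5.2.0` while the controller image defaults to `3.6.0`, so the App Protect images do not follow the chart's appVersion and an operator who clears `tag` gets a tag that presumably does not exist in the registry. Passing the WAF image's own version as the `default` (or failing the render with `required` when neither tag nor digest is set) would make the mistake visible at install time instead of at image pull. The doc comment is also missing its closing parenthesis: `include "nginx-ingress.image-digest-or-tag" (dict "image" .Values.controller.image "default" .Chart.AppVersion)`.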
@@ -198,6 +215,9 @@ Build the args for the service binary. {{- if and .Values.controller.appprotect.enable .Values.controller.appprotect.logLevel }} - -app-protect-log-level={{ .Values.controller.appprotect.logLevel }} {{ end }} +{{- if and .Values.controller.appprotect.enable .Values.controller.appprotect.v5 }} +- -app-protect-enforcer-address="{{ .Values.controller.appprotect.enforcer.host | default "127.0.0.1" }}:{{ .Values.controller.appprotect.enforcer.port | default 50000 }}" +{{- end }} - -enable-app-protect-dos={{ .Values.controller.appprotectdos.enable }} {{- if .Values.controller.appprotectdos.enable }} - -app-protect-dos-debug={{ .Values.controller.appprotectdos.debug }} @@ -312,6 +332,9 @@ List of volumes for controller. - name: nginx-log emptyDir: {} {{- end }} +{{- if .Values.controller.appprotect.v5 }} +{{- toYaml .Values.controller.appprotect.volumes }} +{{- end }} {{- if .Values.controller.volumes }} {{ toYaml .Values.controller.volumes }} {{- end }} @@ -361,6 +384,16 @@ volumeMounts: - mountPath: /var/log/nginx name: nginx-log {{- end }} +{{- if .Values.controller.appprotect.v5 }} +- name: app-protect-bd-config + mountPath: /opt/app_protect/bd_config +- name: app-protect-config + mountPath: /opt/app_protect/config + # app-protect-bundles is mounted so that Ingress Controller + # can verify that referenced bundles are present +- name: app-protect-bundles + mountPath: /etc/app_protect/bundles +{{- end }} {{- if .Values.controller.volumeMounts }} {{ toYaml .Values.controller.volumeMounts }} {{- end }} 
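Review bot: `-app-protect-enforcer-address="…"` wraps the address in double quotes inside a YAML plain scalar, so the quotes become literal characters of the argument (`-app-protect-enforcer-address="127.0.0.1:50000"`), unlike the unquoted `-app-protect-log-level=` line just above it; unless the controller strips them, the dial address is wrong. Drop the quotes: `- -app-protect-enforcer-address={{ .Values.controller.appprotect.enforcer.host | default "127.0.0.1" }}:{{ .Values.controller.appprotect.enforcer.port | default 50000 }}`. The enclosing args define starts outside the hunk.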
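Review bot: In the `List of volumes for controller` hunk, `{{- toYaml .Values.controller.appprotect.volumes }}` left-trims, while the existing `{{ toYaml .Values.controller.volumes }}` below it does not; with the surrounding `{{- end }}` and `{{- if }}` also trimming, the first rendered volume appears to land on the previous line (`emptyDir: {}- name: app-protect-bd-config`) whenever the `nginx-log` volume is present — worth rendering to confirm. Using `{{ toYaml .Values.controller.appprotect.volumes }}` matches the neighbouring pattern. In the volumeMounts hunk, the `app-protect-bundles` mount on the controller container is, per its own comment, only read to verify that referenced bundles exist, so it can carry `readOnly: true`; the same may apply to `app-protect-config` if the config manager is its sole writer, which is not visible here.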
@@ -378,6 +411,38 @@ volumeMounts: {{- end -}} {{- end -}} +{{- define "nginx-ingress.appprotect.v5" -}} +{{- if .Values.controller.appprotect.v5}} +- name: waf-enforcer + image: {{ include "nap-enforcer.image" . }} + imagePullPolicy: "{{ .Values.controller.appprotect.enforcer.image.pullPolicy }}" +{{- if .Values.controller.appprotect.enforcer.securityContext }} + securityContext: +{{ toYaml .Values.controller.appprotect.enforcer.securityContext | nindent 6 }} +{{- end }} + env: + - name: ENFORCER_PORT + value: "{{ .Values.controller.appprotect.enforcer.port | default 50000 }}" + volumeMounts: + - name: app-protect-bd-config + mountPath: /opt/app_protect/bd_config +- name: waf-config-mgr + image: {{ include "nap-config-manager.image" . }} + imagePullPolicy: "{{ .Values.controller.appprotect.configManager.image.pullPolicy }}" +{{- if .Values.controller.appprotect.configManager.securityContext }} + securityContext: +{{ toYaml .Values.controller.appprotect.configManager.securityContext | nindent 6 }} +{{- end }} + volumeMounts: + - name: app-protect-bd-config + mountPath: /opt/app_protect/bd_config + - name: app-protect-config + mountPath: /opt/app_protect/config + - name: app-protect-bundles + mountPath: /etc/app_protect/bundles +{{- end}} +{{- end -}} + {{- define "nginx-ingress.agentConfiguration" -}} log: level: {{ .Values.nginxAgent.logLevel }} diff --git a/charts/f5/nginx-ingress/templates/clusterrole.yaml b/charts/f5/nginx-ingress/templates/clusterrole.yaml index a231ca820..42566f9e4 100644 --- a/charts/f5/nginx-ingress/templates/clusterrole.yaml +++ b/charts/f5/nginx-ingress/templates/clusterrole.yaml @@ -1,4 +1,4 @@ -{{- if .Values.rbac.create }} +{{- if and .Values.rbac.create .Values.rbac.clusterrole.create }} kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: @@ -68,6 +68,7 @@ rules: - ingressclasses verbs: - get + - list {{- if .Values.controller.reportIngressStatus.enable }} - apiGroups: - networking.k8s.io 
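Review bot: The `waf-enforcer` container emits a `securityContext` only when `.Values.controller.appprotect.enforcer.securityContext` is set, and the values.schema.json in this commit defaults that to `{}`, so by default the enforcer sidecar runs with no securityContext while `waf-config-mgr` gets a hardened default (`allowPrivilegeEscalation: false`, `runAsNonRoot: true`, capabilities dropped). Neither sidecar declares `resources`, so they are unbounded; if the controller container is sized for the Guaranteed QoS class, an unbounded sidecar drops the whole pod to Burstable. Consider giving the enforcer the same hardened default where the image permits it, and rendering `resources:` from `.Values.controller.appprotect.enforcer.resources` and `.configManager.resources` so operators can cap both WAF containers.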
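Review bot: The ClusterRole is now created only when `.Values.rbac.clusterrole.create` is also true, but the ClusterRoleBinding template (renamed from `clusterrolebiding.yaml` in the next file, content not shown) must carry the same condition, otherwise `rbac.create: true` with `clusterrole.create: false` renders a binding to a role that does not exist. The values.schema.json hunks visible in this commit add no `rbac.clusterrole` property either; if the `rbac` object in the schema disallows additional properties, the new value would be rejected at install — worth confirming. The added `list` verb on `ingressclasses` is consistent with the `get` already granted.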
diff --git a/charts/f5/nginx-ingress/templates/clusterrolebiding.yaml b/charts/f5/nginx-ingress/templates/clusterrolebinding.yaml
similarity index 100%
rename from charts/f5/nginx-ingress/templates/clusterrolebiding.yaml
rename to charts/f5/nginx-ingress/templates/clusterrolebinding.yaml
diff --git a/charts/f5/nginx-ingress/templates/controller-daemonset.yaml b/charts/f5/nginx-ingress/templates/controller-daemonset.yaml
index 8da65c468..268f127f8 100644
--- a/charts/f5/nginx-ingress/templates/controller-daemonset.yaml
+++ b/charts/f5/nginx-ingress/templates/controller-daemonset.yaml
@@ -134,6 +134,9 @@ spec:
 {{- if .Values.controller.extraContainers }}
 {{ toYaml .Values.controller.extraContainers | nindent 6 }}
 {{- end }}
+
+{{- include "nginx-ingress.appprotect.v5" . | nindent 6 }}
+
 {{- if or (eq (include "nginx-ingress.readOnlyRootFilesystem" .) "true" ) .Values.controller.initContainers }}
 initContainers:
 {{- end }}
diff --git a/charts/f5/nginx-ingress/templates/controller-deployment.yaml b/charts/f5/nginx-ingress/templates/controller-deployment.yaml
index c8bc8f833..95bf3bb16 100644
--- a/charts/f5/nginx-ingress/templates/controller-deployment.yaml
+++ b/charts/f5/nginx-ingress/templates/controller-deployment.yaml
@@ -141,6 +141,9 @@ spec:
 {{- if .Values.controller.extraContainers }}
 {{ toYaml .Values.controller.extraContainers | nindent 6 }}
 {{- end }}
+
+{{- include "nginx-ingress.appprotect.v5" . | nindent 6 }}
+
 {{- if or ( eq (include "nginx-ingress.readOnlyRootFilesystem" .) "true" ) .Values.controller.initContainers }}
 initContainers:
 {{- end }}
diff --git a/charts/f5/nginx-ingress/templates/controller-rolebiding.yaml b/charts/f5/nginx-ingress/templates/controller-rolebinding.yaml
similarity index 100%
rename from charts/f5/nginx-ingress/templates/controller-rolebiding.yaml
rename to charts/f5/nginx-ingress/templates/controller-rolebinding.yaml
diff --git a/charts/f5/nginx-ingress/values-icp.yaml b/charts/f5/nginx-ingress/values-icp.yaml index 404bbe6f6..d973006e6 100644 --- a/charts/f5/nginx-ingress/values-icp.yaml +++ b/charts/f5/nginx-ingress/values-icp.yaml @@ -4,7 +4,7 @@ controller: nginxplus: true image: repository: mycluster.icp:8500/kube-system/nginx-plus-ingress - tag: "3.5.2" + tag: "3.6.0" nodeSelector: beta.kubernetes.io/arch: "amd64" proxy: true diff --git a/charts/f5/nginx-ingress/values-plus.yaml b/charts/f5/nginx-ingress/values-plus.yaml index c5d24f9aa..f51a2347c 100644 --- a/charts/f5/nginx-ingress/values-plus.yaml +++ b/charts/f5/nginx-ingress/values-plus.yaml @@ -3,4 +3,4 @@ controller: nginxplus: true image: repository: nginx-plus-ingress - tag: "3.5.2" + tag: "3.6.0" diff --git a/charts/f5/nginx-ingress/values.schema.json b/charts/f5/nginx-ingress/values.schema.json index 4d8f0400c..6c53cfe6b 100644 --- a/charts/f5/nginx-ingress/values.schema.json +++ b/charts/f5/nginx-ingress/values.schema.json @@ -46,13 +46,13 @@ "type": "object", "default": {}, "title": "The selectorLabels Schema", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector/properties/matchLabels" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector/properties/matchLabels" }, "annotations": { "type": "object", "default": {}, "title": "The annotations Schema", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/annotations" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/annotations" }, "nginxplus": { "type": "boolean", 
@@ -119,6 +119,15 @@ true ] }, + "v5": { + "type": "boolean", + "default": false, + "title": "Enables App Protect WAF v5.", + "examples": [ + false, + true + ] + }, "logLevel": { "type": "string", "default": "", 
@@ -139,6 +148,201 @@ "debug", "trace" ] + }, + "volumes": { + "type": "array", + "default": [ + { + "name": "app-protect-bd-config", + "emptyDir": {} + }, + { + "name": "app-protect-config", + "emptyDir": {} + }, + { + "name": "app-protect-bundles", + "emptyDir": {} + } + ], + "title": "Volumes for App Protect WAF v5", + "items": { + "type": "object", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.Volume" + } + }, + "enforcer": { + "type": "object", + "properties": { + "host": { + "type": "string", + "default": "127.0.0.1", + "title": "Port which the App Protect WAF v5 Enforcer process runs on", + "examples": [ + "127.0.0.1" + ] + }, + "port": { + "type": "integer", + "default": 50000, + "title": "Port which the App Protect WAF v5 Enforcer process runs on", + "examples": [ + 50000 + ] + }, + "image": { + "type": "object", + "default": {}, + "title": "The image Schema", + "required": [ + "repository" + ], + "properties": { + "repository": { + "type": "string", + "default": "private-registry.nginx.com/nap/waf-enforcer", + "title": "The repository of the App Protect WAF v5 Enforcer image", + "examples": [ + "private-registry.nginx.com/nap/waf-enforcer" + ] + }, + "tag": { + "type": "string", + "default": "5.2.0", + "title": "The tag of the App Protect WAF v5 Enforcer image", + "examples": [ + "5.2.0" + ] + }, + "digest": { + "type": "string", + "default": "", + "title": "The digest of the App Protect WAF v5 Enforcer image", + "examples": [ + "sha256:2710c264e8eaeb663cee63db37b75a1ac1709f63a130fb091c843a6c3a4dc572" + ] + }, + "pullPolicy": { + "type": "string", + "default": "IfNotPresent", + "title": "The pullPolicy for the App Protect WAF v5 Enforcer image", + "allOf": [ + { + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.Container/properties/imagePullPolicy" + }, + { + "enum": [ + 
"Always", + "IfNotPresent", + "Never" + ] + } + ], + "examples": [ + "Always", + "IfNotPresent", + "Never" + ] + } + }, + "examples": [ + { + "repository": "private-registry.nginx.com/nap/waf-enforcer", + "tag": "5.2.0", + "pullPolicy": "IfNotPresent" + } + ] + }, + "securityContext": { + "type": "object", + "default": {}, + "title": "The securityContext Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.SecurityContext" + } + } + }, + "configManager": { + "type": "object", + "properties": { + "image": { + "type": "object", + "default": {}, + "title": "The image Schema", + "required": [ + "repository" + ], + "properties": { + "repository": { + "type": "string", + "default": "private-registry.nginx.com/nap/waf-config-mgr", + "title": "The repository of the App Protect WAF v5 Config Manager image", + "examples": [ + "private-registry.nginx.com/nap/waf-config-mgr" + ] + }, + "tag": { + "type": "string", + "default": "5.2.0", + "title": "The tag of the App Protect WAF v5 Config Manager image", + "examples": [ + "5.2.0" + ] + }, + "digest": { + "type": "string", + "default": "", + "title": "The digest of the App Protect WAF v5 Config Manager image", + "examples": [ + "sha256:2710c264e8eaeb663cee63db37b75a1ac1709f63a130fb091c843a6c3a4dc572" + ] + }, + "pullPolicy": { + "type": "string", + "default": "IfNotPresent", + "title": "The pullPolicy for the App Protect WAF v5 Config Manager image", + "allOf": [ + { + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.Container/properties/imagePullPolicy" + }, + { + "enum": [ + "Always", + "IfNotPresent", + "Never" + ] + } + ], + "examples": [ + "Always", + "IfNotPresent", + "Never" + ] + } + }, + "examples": [ + { + "repository": "private-registry.nginx.com/nap/waf-config-mgr", + "tag": "5.2.0", + "pullPolicy": "IfNotPresent" + } + ] + }, + 
"securityContext": { + "type": "object", + "default": { + "allowPrivilegeEscalation": false, + "runAsUser": 101, + "runAsNonRoot": true, + "capabilities": { + "drop": [ + "all" + ] + } + }, + "title": "The securityContext Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.SecurityContext" + } + } } }, "examples": [ @@ -226,7 +430,7 @@ "^.*$": { "anyOf": [ { - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.ContainerPort/properties/hostPort" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.ContainerPort/properties/hostPort" }, { "type": "boolean" @@ -242,7 +446,7 @@ "title": "The containerPort Schema", "patternProperties": { "^.*$": { - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.ContainerPort/properties/containerPort" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.ContainerPort/properties/containerPort" } }, "additionalProperties": false @@ -251,7 +455,7 @@ "type": "string", "allOf": [ { - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.PodSpec/properties/dnsPolicy" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.PodSpec/properties/dnsPolicy" }, { "enum": [ 
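Review bot: In the new `enforcer` block, the `host` entry's title reads `Port which the App Protect WAF v5 Enforcer process runs on`, copied from `port`; it should describe the host, e.g. `"title": "Host or IP address the App Protect WAF v5 Enforcer process listens on"`. Separately, `enforcer.securityContext` defaults to `{}` while `configManager.securityContext` defaults to a hardened context (`allowPrivilegeEscalation: false`, `runAsNonRoot: true`, capabilities dropped), so the enforcer sidecar is unrestricted unless the operator sets it; if the enforcer image runs under the same constraints, giving it the same default keeps both WAF containers under least privilege. The `digest` examples for the enforcer and config-manager images also carry one and the same sha256 value, which looks like a copy-paste and could mislead readers into thinking the two images share a digest.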
@@ -301,7 +505,7 @@ "title": "The customPorts to expose on the NGINX Ingress Controller pod", "items": { "type": "object", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.ContainerPort" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.ContainerPort" }, "examples": [ [ @@ -336,10 +540,10 @@ }, "tag": { "type": "string", - "default": "3.5.2", + "default": "3.6.0", "title": "The tag of the Ingress Controller image", "examples": [ - "3.5.2" + "3.6.0" ] }, "digest": { @@ -356,7 +560,7 @@ "title": "The pullPolicy for the Ingress Controller image", "allOf": [ { - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.Container/properties/imagePullPolicy" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.Container/properties/imagePullPolicy" }, { "enum": [ @@ -376,7 +580,7 @@ "examples": [ { "repository": "nginx/nginx-ingress", - "tag": "3.5.2", + "tag": "3.6.0", "pullPolicy": "IfNotPresent" } ] @@ -385,7 +589,7 @@ "type": "object", "default": {}, "title": "The lifecycle Schema", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.Lifecycle" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.Lifecycle" }, "customConfigMap": { "type": "string", 
@@ -413,7 +617,7 @@ "type": "object", "default": {}, "title": "The annotations Schema", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/annotations" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/annotations" }, "entries": { "type": "object", 
@@ -500,43 +704,43 @@ "type": "object", "default": {}, "title": "The nodeSelector Schema", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.PodSpec/properties/nodeSelector" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.PodSpec/properties/nodeSelector" }, "terminationGracePeriodSeconds": { "type": "integer", "default": 30, "title": "The terminationGracePeriodSeconds Schema", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.PodSpec/properties/terminationGracePeriodSeconds" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.PodSpec/properties/terminationGracePeriodSeconds" }, "podSecurityContext": { "type": "object", "default": {}, "title": "The podSecurityContext Schema", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.PodSecurityContext" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.PodSecurityContext" }, "securityContext": { "type": "object", "default": {}, "title": "The securityContext Schema", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.SecurityContext" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.SecurityContext" }, "initContainerSecurityContext": { "type": "object", "default": {}, "title": "The initContainerSecurityContext Schema", - "$ref": 
"https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.SecurityContext" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.SecurityContext" }, "resources": { "type": "object", "default": {}, "title": "The resources Schema", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.ResourceRequirements" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.ResourceRequirements" }, "initContainerResources": { "type": "object", "default": {}, "title": "The resources Schema", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.ResourceRequirements" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.ResourceRequirements" }, "tolerations": { "type": "array", 
@@ -544,20 +748,20 @@ "title": "The tolerations Schema", "items": { "type": "object", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.Toleration" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.Toleration" } }, "affinity": { "type": "object", "default": {}, "title": "The affinity Schema", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.Affinity" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.Affinity" }, "topologySpreadConstraints": { "type": "object", "default": {}, "title": "The topologySpreadConstraints Schema", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.PodSpec/properties/topologySpreadConstraints" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.PodSpec/properties/topologySpreadConstraints" }, "env": { "type": "array", @@ -565,7 +769,7 @@ "title": "The env Schema", "items": { "type": "object", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.EnvVar" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.EnvVar" } }, "volumes": { 
@@ -574,7 +778,7 @@ "title": "The volumes Schema", "items": { "type": "object", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.Volume" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.Volume" } }, "volumeMounts": { @@ -583,7 +787,7 @@ "title": "The volumeMounts Schema", "items": { "type": "object", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.VolumeMount" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.VolumeMount" } }, "initContainers": { @@ -592,14 +796,14 @@ "title": "The initContainers Schema", "items": { "type": "object", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.Container" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.Container" } }, "minReadySeconds": { "type": "integer", "default": 0, "title": "The minReadySeconds Schema", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.apps.v1.DeploymentSpec/properties/minReadySeconds" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.apps.v1.DeploymentSpec/properties/minReadySeconds" }, "strategy": { "type": "object", 
@@ -607,7 +811,7 @@ "title": "The strategy Schema", "allOf": [ { - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.apps.v1.DeploymentStrategy" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.apps.v1.DeploymentStrategy" }, { "properties": { @@ -629,7 +833,7 @@ "title": "The extraContainers Schema", "items": { "type": "object", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.Container" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.Container" } }, "replicaCount": { 
@@ -897,19 +1101,19 @@ "type": "string", "default": "", "title": "The type", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.ServiceSpec/properties/type" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.ServiceSpec/properties/type" }, "externalTrafficPolicy": { "type": "string", "default": "", "title": "The externalTrafficPolicy", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.ServiceSpec/properties/externalTrafficPolicy" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.ServiceSpec/properties/externalTrafficPolicy" }, "annotations": { "type": "object", "default": {}, "title": "The annotations", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/annotations" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/annotations" }, "extraLabels": { "type": "object", 
@@ -925,13 +1129,13 @@ "type": "string", "default": "", "title": "The loadBalancerIP", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.ServiceSpec/properties/loadBalancerIP" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.ServiceSpec/properties/loadBalancerIP" }, "externalIPs": { "type": "array", "default": [], "title": "The externalIPs", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.ServiceSpec/properties/externalIPs" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.ServiceSpec/properties/externalIPs" }, "loadBalancerSourceRanges": { "type": "array", @@ -946,13 +1150,13 @@ "type": "boolean", "default": false, "title": "The allocateLoadBalancerNodePorts Schema", - "ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.ServiceSpec/properties/allocateLoadBalancerNodePorts" + "ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.ServiceSpec/properties/allocateLoadBalancerNodePorts" }, "ipFamilyPolicy": { "type": "string", "default": "", "title": "The ipFamilyPolicy Schema", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.ServiceSpec/properties/ipFamilyPolicy", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.ServiceSpec/properties/ipFamilyPolicy", "examples": [ "" ] 
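Review bot: In the allocateLoadBalancerNodePorts entry the reference key is `"ref"` rather than `"$ref"`, so a JSON Schema validator treats it as an unknown keyword and never applies the referenced ServiceSpec definition; the bump to v1.30.0 carries the typo forward, and the same applies to the ipFamilies and customPorts entries in the next two hunks. The corrected line is `"$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.ServiceSpec/properties/allocateLoadBalancerNodePorts"`. Once these become real references the referenced definitions are actually enforced, so values that passed before (for example customPorts items) may start failing validation and should be re-tested. Separately, every reference here points at the `master` branch of an external repository rather than a tagged commit, so if the validating tool resolves remote references the schema can change underneath the chart and validation needs network access at install time; that predates this change but is worth a follow-up pin.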
@@ -961,7 +1165,7 @@ "type": "array", "default": [], "title": "The ipFamilies Schema", - "ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.ServiceSpec/properties/ipFamilies" + "ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.ServiceSpec/properties/ipFamilies" }, "httpPort": { "type": "object", @@ -1065,7 +1269,7 @@ "title": "The customPorts", "items": { "type": "object", - "ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.ServicePort" + "ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.ServicePort" } } }, @@ -1107,7 +1311,7 @@ "type": "object", "default": {}, "title": "The annotations Schema", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/annotations" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/annotations" }, "name": { "type": "string", @@ -1252,7 +1456,7 @@ "type": "object", "default": {}, "title": "The annotations Schema", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/annotations" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/annotations" } }, "examples": [ 
@@ -1276,13 +1480,13 @@ "type": "object", "default": {}, "title": "The annotations Schema", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/annotations" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/annotations" }, "extraLabels": { "type": "object", "default": {}, "title": "The extraLabels Schema", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/labels" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/labels" } }, "examples": [ @@ -1296,7 +1500,7 @@ "type": "string", "default": "", "title": "The priorityClassName", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.PodSpec/properties/priorityClassName" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.PodSpec/properties/priorityClassName" }, "podDisruptionBudget": { "type": "object", 
@@ -1313,13 +1517,13 @@ "type": "object", "default": {}, "title": "The annotations Schema", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/annotations" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/annotations" }, "minAvailable": { - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.policy.v1.PodDisruptionBudgetSpec/properties/minAvailable" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.policy.v1.PodDisruptionBudgetSpec/properties/minAvailable" }, "maxUnavailable": { - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.policy.v1.PodDisruptionBudgetSpec/properties/maxUnavailable" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.policy.v1.PodDisruptionBudgetSpec/properties/maxUnavailable" } }, "examples": [ @@ -1358,7 +1562,7 @@ "initialDelaySeconds": { "type": "integer", "default": 0, - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.Probe/properties/initialDelaySeconds" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.Probe/properties/initialDelaySeconds" } }, "examples": [ @@ -1466,7 +1670,7 @@ "customPorts": [], "image": { "repository": "nginx/nginx-ingress", - "tag": "3.5.2", + "tag": "3.6.0", "digest": "", "pullPolicy": "IfNotPresent" }, 
@@ -1681,7 +1885,7 @@ "type": "object", "default": {}, "title": "The labels Schema", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/labels" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/labels" } } }, @@ -1703,13 +1907,13 @@ "type": "object", "default": {}, "title": "The labels Schema", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/labels" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/labels" }, "selectorMatchLabels": { "type": "object", "default": {}, "title": "The selectorMatchLabels Schema", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector/properties/matchLabels" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector/properties/matchLabels" }, "endpoints": { "type": "array", @@ -2007,7 +2211,7 @@ "customPorts": [], "image": { "repository": "nginx/nginx-ingress", - "tag": "3.5.2", + "tag": "3.6.0", "digest": "", "pullPolicy": "IfNotPresent" }, diff --git a/charts/f5/nginx-ingress/values.yaml b/charts/f5/nginx-ingress/values.yaml index 8b8ff0c19..a3b888ab4 100644 --- a/charts/f5/nginx-ingress/values.yaml +++ b/charts/f5/nginx-ingress/values.yaml 
@@ -21,9 +21,65 @@ controller: appprotect: ## Enable the App Protect WAF module in the Ingress Controller. enable: false + ## Enables App Protect WAF v5. + v5: false ## Sets log level for App Protect WAF. Allowed values: fatal, error, warn, info, debug, trace # logLevel: fatal + # Volumes for App Protect WAF v5 + # Required volumes are: app-protect-bd-config, app-protect-config, and app-protect-bundles + volumes: + - name: app-protect-bd-config + emptyDir: {} + - name: app-protect-config + emptyDir: {} + - name: app-protect-bundles + emptyDir: {} + + ## Configuration for App Protect WAF v5 Enforcer + enforcer: + # Host that the App Protect WAF v5 Enforcer runs on. + # This will normally be "127.0.0.1" as the Enforcer container + # will run in the same pod as the Ingress Controller container. + host: "127.0.0.1" + # Port that the App Protect WAF v5 Enforcer runs on. + port: 50000 + image: + ## The image repository of the App Protect WAF v5 Enforcer. + repository: private-registry.nginx.com/nap/waf-enforcer + + ## The tag of the App Protect WAF v5 Enforcer image. + tag: "5.2.0" + ## The digest of the App Protect WAF v5 Enforcer image. + ## If digest is specified it has precedence over tag and will be used instead + # digest: "sha256:CHANGEME" + + ## The pull policy for the App Protect WAF v5 Enforcer image. + pullPolicy: IfNotPresent + securityContext: {} + + ## Configuration for App Protect WAF v5 Configuration Manager + configManager: + image: + ## The image repository of the App Protect WAF v5 Configuration Manager. + repository: private-registry.nginx.com/nap/waf-config-mgr + + ## The tag of the App Protect WAF v5 Configuration Manager image. + tag: "5.2.0" + ## The digest of the App Protect WAF v5 Configuration Manager image. + ## If digest is specified it has precedence over tag and will be used instead + # digest: "sha256:CHANGEME" + + ## The pull policy for the App Protect WAF v5 Configuration Manager image. 
+ pullPolicy: IfNotPresent + securityContext: + allowPrivilegeEscalation: false + runAsUser: 101 #nginx + runAsNonRoot: true + capabilities: + drop: + - all + ## Support for App Protect DoS appprotectdos: ## Enable the App Protect DoS module in the Ingress Controller. @@ -78,7 +134,7 @@ controller: repository: nginx/nginx-ingress ## The tag of the Ingress Controller image. If not specified the appVersion from Chart.yaml is used as a tag. - # tag: "3.5.2" + # tag: "3.6.0" ## The digest of the Ingress Controller image. ## If digest is specified it has precedence over tag and will be used instead # digest: "sha256:CHANGEME" @@ -173,7 +229,8 @@ controller: type: RuntimeDefault ## The security context for the Ingress Controller containers. - securityContext: {} # Remove curly brackets before adding values + securityContext: + {} # Remove curly brackets before adding values # allowPrivilegeEscalation: true # readOnlyRootFilesystem: true # runAsUser: 101 #nginx 
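Review bot: The configManager container drops capabilities with `- all` in lowercase; Kubernetes documentation and the Pod Security `restricted` profile use the uppercase `ALL`, and admission checks that look for that literal may not recognise the lowercase form, so the line should read `- ALL` (verify against the cluster's admission policy before relying on it). The enforcer sidecar, by contrast, is introduced with `securityContext: {}` while configManager gets `allowPrivilegeEscalation: false`, `runAsNonRoot: true` and a full capability drop; if the enforcer can run unprivileged the same defaults should apply, and if it cannot, a comment above the empty map should say which privileges it needs so operators do not assume it is hardened. The `controller:` block these values belong to starts before and continues after this hunk.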
@@ -265,19 +322,19 @@ controller: ## The Ingress Controller processes all the resources that do not have the "ingressClassName" field for all versions of kubernetes. name: nginx - ## Creates a new IngressClass object with the name "controller.ingressClass.name". Set to false to use an existing IngressClass with the same name. If you use helm upgrade, do not change the values from the previous release as helm will delete IngressClass objects managed by helm. If you are upgrading from a release earlier than 3.3.0, do not set the value to false. + ## Creates a new IngressClass object with the name "controller.ingressClass.name". To use an existing IngressClass with the same name, set this value to false. If you use helm upgrade, do not change the values from the previous release as helm will delete IngressClass objects managed by helm. If you are upgrading from a release earlier than 3.3.0, do not set the value to false. create: true ## New Ingresses without an ingressClassName field specified will be assigned the class specified in `controller.ingressClass`. Requires "controller.ingressClass.create". setAsDefaultIngress: false - ## Comma separated list of namespaces to watch for Ingress resources. By default the Ingress Controller watches all namespaces. Mutually exclusive with "controller.watchNamespaceLabel". + ## Comma separated list of namespaces to watch for Ingress resources. By default, the Ingress Controller watches all namespaces. Mutually exclusive with "controller.watchNamespaceLabel". watchNamespace: "" - ## Configures the Ingress Controller to watch only those namespaces with label foo=bar. By default the Ingress Controller watches all namespaces. Mutually exclusive with "controller.watchNamespace". + ## Configures the Ingress Controller to watch only those namespaces with label foo=bar. By default, the Ingress Controller watches all namespaces. Mutually exclusive with "controller.watchNamespace". 
watchNamespaceLabel: "" - ## Comma separated list of namespaces to watch for Secret resources. By default the Ingress Controller watches all namespaces. + ## Comma separated list of namespaces to watch for Secret resources. By default, the Ingress Controller watches all namespaces. watchSecretNamespace: "" ## Enable the custom resources. @@ -286,7 +343,7 @@ controller: ## Enable OIDC policies. enableOIDC: false - ## Include year in log header. This parameter will be removed in release 2.7 and the year will be included by default. + ## Include year in log header. This parameter will be removed in release 3.7 and the year will be included by default. includeYear: false ## Enable TLS Passthrough on port 443. Requires controller.enableCustomResources. @@ -501,6 +558,10 @@ rbac: ## Configures RBAC. create: true + clusterrole: + ## Create ClusterRole + create: true + prometheus: ## Expose NGINX or NGINX Plus metrics in the Prometheus format. create: true diff --git a/charts/haproxy/haproxy/Chart.yaml b/charts/haproxy/haproxy/Chart.yaml index 2012af0e6..10f2e5b31 100644 --- a/charts/haproxy/haproxy/Chart.yaml +++ b/charts/haproxy/haproxy/Chart.yaml @@ -1,12 +1,12 @@ annotations: artifacthub.io/changes: | - - Replace tpl with default for Ingress Controller image tag (#244) + - Use Ingress Controller 3.0.0 version for base image catalog.cattle.io/certified: partner catalog.cattle.io/display-name: HAProxy Kubernetes Ingress Controller catalog.cattle.io/kube-version: '>=1.23.0-0' catalog.cattle.io/release-name: haproxy apiVersion: v2 -appVersion: 1.11.4 +appVersion: 3.0.0 description: A Helm chart for HAProxy Kubernetes Ingress Controller home: https://github.com/haproxytech/helm-charts/tree/main/kubernetes-ingress icon: https://raw.githubusercontent.com/haproxytech/helm-charts/main/kubernetes-ingress/chart-icon.png @@ -21,4 +21,4 @@ name: haproxy sources: - https://github.com/haproxytech/kubernetes-ingress type: application -version: 1.39.4 +version: 1.40.0 
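Review bot: The new `rbac.clusterrole.create` value is documented only as `## Create ClusterRole`, which does not say what the chart does when it is set to false or how it relates to the namespace-scoped watch settings (`controller.watchNamespace`, `controller.watchSecretNamespace`) touched earlier in this file; presumably a cluster-scoped role is what allows watching all namespaces, but the values file should state that rather than leave it to the reader. A comment such as `## Create the ClusterRole for the Ingress Controller. Set to false only if namespace-scoped RBAC is provided by other means.` would make the trade-off explicit. The enclosing `rbac:` block starts before this hunk.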
diff --git a/charts/haproxy/haproxy/templates/controller-proxy-service.yaml b/charts/haproxy/haproxy/templates/controller-proxy-service.yaml index 3864528f1..161072a29 100644 --- a/charts/haproxy/haproxy/templates/controller-proxy-service.yaml +++ b/charts/haproxy/haproxy/templates/controller-proxy-service.yaml @@ -52,6 +52,18 @@ spec: nodePort: {{ .Values.controller.service.nodePorts.http }} {{- end }} {{- end }} + {{- if .Values.controller.service.enablePorts.https }} + - name: https + port: {{ .Values.controller.service.ports.https }} + protocol: TCP + {{- if semverCompare ">=1.20.0-0" .Capabilities.KubeVersion.Version }} + appProtocol: https + {{- end }} + targetPort: {{ .Values.controller.service.targetPorts.https }} + {{- if .Values.controller.service.nodePorts.https }} + nodePort: {{ .Values.controller.service.nodePorts.https }} + {{- end }} + {{- end }} selector: app.kubernetes.io/name: {{ include "kubernetes-ingress.serviceProxyName" . }} app.kubernetes.io/instance: {{ .Release.Name }} diff --git a/charts/harbor/harbor/Chart.yaml b/charts/harbor/harbor/Chart.yaml index 1632e628e..044f3b1b1 100644 --- a/charts/harbor/harbor/Chart.yaml +++ b/charts/harbor/harbor/Chart.yaml @@ -4,7 +4,7 @@ annotations: catalog.cattle.io/kube-version: '>=1.20-0' catalog.cattle.io/release-name: harbor apiVersion: v1 -appVersion: 2.10.2 +appVersion: 2.11.0 description: An open source trusted cloud native registry that stores, signs, and scans content home: https://goharbor.io @@ -14,14 +14,16 @@ keywords: - registry - harbor maintainers: -- email: yinw@vmware.com +- email: yan-yw.wang@broadcom.com + name: Yan Wang +- email: wenkai.yin@broadcom.com name: Wenkai Yin -- email: hweiwei@vmware.com - name: Weiwei He -- email: yshengwen@vmware.com +- email: miner.yang@broadcom.com + name: Miner Yang +- email: shengwen.yu@broadcom.com name: Shengwen Yu name: harbor sources: - https://github.com/goharbor/harbor - https://github.com/goharbor/harbor-helm -version: 1.14.2 +version: 1.15.0 
diff --git a/charts/harbor/harbor/README.md b/charts/harbor/harbor/README.md index 472324a3f..a78cfa670 100644 --- a/charts/harbor/harbor/README.md +++ b/charts/harbor/harbor/README.md 
@@ -75,334 +75,345 @@ helm uninstall my-release The following table lists the configurable parameters of the Harbor chart and the default values. -| Parameter | Description | Default | -| -------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------- | -| **Expose** | | | -| `expose.type` | How to expose the service: `ingress`, `clusterIP`, `nodePort` or `loadBalancer`, other values will be ignored and the creation of service will be skipped. | `ingress` | -| `expose.tls.enabled` | Enable TLS or not. Delete the `ssl-redirect` annotations in `expose.ingress.annotations` when TLS is disabled and `expose.type` is `ingress`. Note: if the `expose.type` is `ingress` and TLS is disabled, the port must be included in the command when pulling/pushing images. Refer to https://github.com/goharbor/harbor/issues/5291 for details. | `true` | -| `expose.tls.certSource` | The source of the TLS certificate. Set as `auto`, `secret` or `none` and fill the information in the corresponding section: 1) auto: generate the TLS certificate automatically 2) secret: read the TLS certificate from the specified secret. The TLS certificate can be generated manually or by cert manager 3) none: configure no TLS certificate for the ingress. 
If the default TLS certificate is configured in the ingress controller, choose this option | `auto` | -| `expose.tls.auto.commonName` | The common name used to generate the certificate, it's necessary when the type isn't `ingress` | | -| `expose.tls.secret.secretName` | The name of secret which contains keys named: `tls.crt` - the certificate; `tls.key` - the private key | | -| `expose.ingress.hosts.core` | The host of Harbor core service in ingress rule | `core.harbor.domain` | -| `expose.ingress.controller` | The ingress controller type. Currently supports `default`, `gce`, `alb`, `f5-bigip` and `ncp` | `default` | -| `expose.ingress.kubeVersionOverride` | Allows the ability to override the kubernetes version used while templating the ingress | | -| `expose.ingress.annotations` | The annotations used commonly for ingresses | | -| `expose.ingress.harbor.annotations` | The annotations specific to harbor ingress | {} | -| `expose.ingress.harbor.labels` | The labels specific to harbor ingress | {} | -| `expose.clusterIP.name` | The name of ClusterIP service | `harbor` | -| `expose.clusterIP.annotations` | The annotations attached to the ClusterIP service | {} | -| `expose.clusterIP.ports.httpPort` | The service port Harbor listens on when serving HTTP | `80` | -| `expose.clusterIP.ports.httpsPort` | The service port Harbor listens on when serving HTTPS | `443` | -| `expose.nodePort.name` | The name of NodePort service | `harbor` | -| `expose.nodePort.ports.http.port` | The service port Harbor listens on when serving HTTP | `80` | -| `expose.nodePort.ports.http.nodePort` | The node port Harbor listens on when serving HTTP | `30002` | -| `expose.nodePort.ports.https.port` | The service port Harbor listens on when serving HTTPS | `443` | -| `expose.nodePort.ports.https.nodePort` | The node port Harbor listens on when serving HTTPS | `30003` | -| `expose.loadBalancer.name` | The name of service | `harbor` | -| `expose.loadBalancer.IP` | The IP of the loadBalancer. 
It only works when loadBalancer supports assigning IP | `""` | -| `expose.loadBalancer.ports.httpPort` | The service port Harbor listens on when serving HTTP | `80` | -| `expose.loadBalancer.ports.httpsPort` | The service port Harbor listens on when serving HTTPS | `30002` | -| `expose.loadBalancer.annotations` | The annotations attached to the loadBalancer service | {} | -| `expose.loadBalancer.sourceRanges` | List of IP address ranges to assign to loadBalancerSourceRanges | [] | -| **Internal TLS** | | | -| `internalTLS.enabled` | Enable TLS for the components (core, jobservice, portal, registry, trivy) | `false` | -| `internalTLS.strong_ssl_ciphers` | Enable strong ssl ciphers for nginx and portal | `false` -| `internalTLS.certSource` | Method to provide TLS for the components, options are `auto`, `manual`, `secret`. | `auto` | -| `internalTLS.trustCa` | The content of trust CA, only available when `certSource` is `manual`. **Note**: all the internal certificates of the components must be issued by this CA | | -| `internalTLS.core.secretName` | The secret name for core component, only available when `certSource` is `secret`. The secret must contain keys named: `ca.crt` - the CA certificate which is used to issue internal key and crt pair for components and all Harbor components must be issued by the same CA, `tls.crt` - the content of the TLS cert file, `tls.key` - the content of the TLS key file. | | -| `internalTLS.core.crt` | Content of core's TLS cert file, only available when `certSource` is `manual` | | -| `internalTLS.core.key` | Content of core's TLS key file, only available when `certSource` is `manual` | | -| `internalTLS.jobservice.secretName` | The secret name for jobservice component, only available when `certSource` is `secret`. 
The secret must contain keys named: `ca.crt` - the CA certificate which is used to issue internal key and crt pair for components and all Harbor components must be issued by the same CA, `tls.crt` - the content of the TLS cert file, `tls.key` - the content of the TLS key file. | | -| `internalTLS.jobservice.crt` | Content of jobservice's TLS cert file, only available when `certSource` is `manual` | | -| `internalTLS.jobservice.key` | Content of jobservice's TLS key file, only available when `certSource` is `manual` | | -| `internalTLS.registry.secretName` | The secret name for registry component, only available when `certSource` is `secret`. The secret must contain keys named: `ca.crt` - the CA certificate which is used to issue internal key and crt pair for components and all Harbor components must be issued by the same CA, `tls.crt` - the content of the TLS cert file, `tls.key` - the content of the TLS key file. | | -| `internalTLS.registry.crt` | Content of registry's TLS cert file, only available when `certSource` is `manual` | | -| `internalTLS.registry.key` | Content of registry's TLS key file, only available when `certSource` is `manual` | | -| `internalTLS.portal.secretName` | The secret name for portal component, only available when `certSource` is `secret`. The secret must contain keys named: `ca.crt` - the CA certificate which is used to issue internal key and crt pair for components and all Harbor components must be issued by the same CA, `tls.crt` - the content of the TLS cert file, `tls.key` - the content of the TLS key file. | | -| `internalTLS.portal.crt` | Content of portal's TLS cert file, only available when `certSource` is `manual` | | -| `internalTLS.portal.key` | Content of portal's TLS key file, only available when `certSource` is `manual` | | -| `internalTLS.trivy.secretName` | The secret name for trivy component, only available when `certSource` is `secret`. 
The secret must contain keys named: `ca.crt` - the CA certificate which is used to issue internal key and crt pair for components and all Harbor components must be issued by the same CA, `tls.crt` - the content of the TLS cert file, `tls.key` - the content of the TLS key file. | | -| `internalTLS.trivy.crt` | Content of trivy's TLS cert file, only available when `certSource` is `manual` | | -| `internalTLS.trivy.key` | Content of trivy's TLS key file, only available when `certSource` is `manual` | | -| **IPFamily** | | | -| `ipFamily.ipv4.enabled` | if cluster is ipv4 enabled, all ipv4 related configs will set correspondingly, but currently it only affects the nginx related components | `true` | -| `ipFamily.ipv6.enabled` | if cluster is ipv6 enabled, all ipv6 related configs will set correspondingly, but currently it only affects the nginx related components | `true` | -| **Persistence** | | | -| `persistence.enabled` | Enable the data persistence or not | `true` | -| `persistence.resourcePolicy` | Setting it to `keep` to avoid removing PVCs during a helm delete operation. Leaving it empty will delete PVCs after the chart deleted. Does not affect PVCs created for internal database and redis components. | `keep` | -| `persistence.persistentVolumeClaim.registry.existingClaim` | Use the existing PVC which must be created manually before bound, and specify the `subPath` if the PVC is shared with other components | | -| `persistence.persistentVolumeClaim.registry.storageClass` | Specify the `storageClass` used to provision the volume. Or the default StorageClass will be used (the default). 
Set it to `-` to disable dynamic provisioning | | -| `persistence.persistentVolumeClaim.registry.subPath` | The sub path used in the volume | | -| `persistence.persistentVolumeClaim.registry.accessMode` | The access mode of the volume | `ReadWriteOnce` | -| `persistence.persistentVolumeClaim.registry.size` | The size of the volume | `5Gi` | -| `persistence.persistentVolumeClaim.registry.annotations` | The annotations of the volume | | -|`persistence.persistentVolumeClaim.jobservice.jobLog.existingClaim` | Use the existing PVC which must be created manually before bound, and specify the `subPath` if the PVC is shared with other components. | | -| `persistence.persistentVolumeClaim.jobservice.jobLog.storageClass` | Specify the `storageClass` used to provision the volume. Or the default StorageClass will be used (the default). Set it to `-` to disable dynamic provisioning | | -| `persistence.persistentVolumeClaim.jobservice.jobLog.subPath` | The sub path used in the volume | | -| `persistence.persistentVolumeClaim.jobservice.jobLog.accessMode` | The access mode of the volume | `ReadWriteOnce` | -| `persistence.persistentVolumeClaim.jobservice.jobLog.size` | The size of the volume | `1Gi` | -| `persistence.persistentVolumeClaim.jobservice.jobLog.annotations` | The annotations of the volume | | -| `persistence.persistentVolumeClaim.database.existingClaim` | Use the existing PVC which must be created manually before bound, and specify the `subPath` if the PVC is shared with other components. If external database is used, the setting will be ignored | | -| `persistence.persistentVolumeClaim.database.storageClass` | Specify the `storageClass` used to provision the volume. Or the default StorageClass will be used (the default). Set it to `-` to disable dynamic provisioning. If external database is used, the setting will be ignored | | -| `persistence.persistentVolumeClaim.database.subPath` | The sub path used in the volume. 
If external database is used, the setting will be ignored | | -| `persistence.persistentVolumeClaim.database.accessMode` | The access mode of the volume. If external database is used, the setting will be ignored | `ReadWriteOnce` | -| `persistence.persistentVolumeClaim.database.size` | The size of the volume. If external database is used, the setting will be ignored | `1Gi` | -| `persistence.persistentVolumeClaim.database.annotations` | The annotations of the volume | | -| `persistence.persistentVolumeClaim.redis.existingClaim` | Use the existing PVC which must be created manually before bound, and specify the `subPath` if the PVC is shared with other components. If external Redis is used, the setting will be ignored | | -| `persistence.persistentVolumeClaim.redis.storageClass` | Specify the `storageClass` used to provision the volume. Or the default StorageClass will be used (the default). Set it to `-` to disable dynamic provisioning. If external Redis is used, the setting will be ignored | | -| `persistence.persistentVolumeClaim.redis.subPath` | The sub path used in the volume. If external Redis is used, the setting will be ignored | | -| `persistence.persistentVolumeClaim.redis.accessMode` | The access mode of the volume. If external Redis is used, the setting will be ignored | `ReadWriteOnce` | -| `persistence.persistentVolumeClaim.redis.size` | The size of the volume. If external Redis is used, the setting will be ignored | `1Gi` | -| `persistence.persistentVolumeClaim.redis.annotations` | The annotations of the volume | | -| `persistence.persistentVolumeClaim.trivy.existingClaim` | Use the existing PVC which must be created manually before bound, and specify the `subPath` if the PVC is shared with other components | | -| `persistence.persistentVolumeClaim.trivy.storageClass` | Specify the `storageClass` used to provision the volume. Or the default StorageClass will be used (the default). 
Set it to `-` to disable dynamic provisioning | | -| `persistence.persistentVolumeClaim.trivy.subPath` | The sub path used in the volume | | -| `persistence.persistentVolumeClaim.trivy.accessMode` | The access mode of the volume | `ReadWriteOnce` | -| `persistence.persistentVolumeClaim.trivy.size` | The size of the volume | `1Gi` | -| `persistence.persistentVolumeClaim.trivy.annotations` | The annotations of the volume | | -| `persistence.imageChartStorage.disableredirect` | The configuration for managing redirects from content backends. For backends which not supported it (such as using minio for `s3` storage type), please set it to `true` to disable redirects. Refer to the [guide](https://github.com/docker/distribution/blob/master/docs/configuration.md#redirect) for more details | `false` | -| `persistence.imageChartStorage.caBundleSecretName` | Specify the `caBundleSecretName` if the storage service uses a self-signed certificate. The secret must contain keys named `ca.crt` which will be injected into the trust store of registry's and containers. | | -| `persistence.imageChartStorage.type` | The type of storage for images and charts: `filesystem`, `azure`, `gcs`, `s3`, `swift` or `oss`. The type must be `filesystem` if you want to use persistent volumes for registry. Refer to the [guide](https://github.com/docker/distribution/blob/master/docs/configuration.md#storage) for more details | `filesystem` | -| `persistence.imageChartStorage.gcs.existingSecret` | An existing secret containing the gcs service account json key. The key must be gcs-key.json. | `""` | -| `persistence.imageChartStorage.gcs.useWorkloadIdentity` | A boolean to allow the use of workloadidentity in a GKE cluster. To use it, create a kubernetes service account and set the name in the key `serviceAccountName` of each component, then allow automounting the service account. 
| `false` |
-| **General** | | |
-| `externalURL` | The external URL for Harbor core service | `https://core.harbor.domain` |
-| `caBundleSecretName` | The custom CA bundle secret name, the secret must contain key named "ca.crt" which will be injected into the trust store for core, jobservice, registry, trivy components. | |
-| `uaaSecretName` | If using external UAA auth which has a self signed cert, you can provide a pre-created secret containing it under the key `ca.crt`. | |
-| `imagePullPolicy` | The image pull policy | |
-| `imagePullSecrets` | The imagePullSecrets names for all deployments | |
-| `updateStrategy.type` | The update strategy for deployments with persistent volumes(jobservice, registry): `RollingUpdate` or `Recreate`. Set it as `Recreate` when `RWM` for volumes isn't supported | `RollingUpdate` |
-| `logLevel` | The log level: `debug`, `info`, `warning`, `error` or `fatal` | `info` |
-| `harborAdminPassword` | The initial password of Harbor admin. Change it from portal after launching Harbor | `Harbor12345` |
-| `existingSecretAdminPassword` | The name of secret where admin password can be found. | |
-| `existingSecretAdminPasswordKey` | The name of the key in the secret where to find harbor admin password Harbor | `HARBOR_ADMIN_PASSWORD` |
-| `caSecretName` | The name of the secret which contains key named `ca.crt`. Setting this enables the download link on portal to download the CA certificate when the certificate isn't generated automatically | |
-| `secretKey` | The key used for encryption.
Must be a string of 16 chars | `not-a-secure-key` |
-| `existingSecretSecretKey` | An existing secret containing the encoding secretKey | `""` |
-| `proxy.httpProxy` | The URL of the HTTP proxy server | |
-| `proxy.httpsProxy` | The URL of the HTTPS proxy server | |
-| `proxy.noProxy` | The URLs that the proxy settings not apply to | 127.0.0.1,localhost,.local,.internal |
-| `proxy.components` | The component list that the proxy settings apply to | core, jobservice, trivy |
-| `enableMigrateHelmHook` | Run the migration job via helm hook, if it is true, the database migration will be separated from harbor-core, run with a preupgrade job migration-job | `false` |
-| **Nginx** (if service exposed via `ingress`, Nginx will not be used) | | |
-| `nginx.image.repository` | Image repository | `goharbor/nginx-photon` |
-| `nginx.image.tag` | Image tag | `dev` |
-| `nginx.replicas` | The replica count | `1` |
-| `nginx.revisionHistoryLimit` | The revision history limit | `10` |
-| `nginx.resources` | The [resources] to allocate for container | undefined |
-| `nginx.automountServiceAccountToken` | Mount serviceAccountToken?
| `false` |
-| `nginx.nodeSelector` | Node labels for pod assignment | `{}` |
-| `nginx.tolerations` | Tolerations for pod assignment | `[]` |
-| `nginx.affinity` | Node/Pod affinities | `{}` |
-| `nginx.topologySpreadConstraints` | Constraints that define how Pods are spread across failure-domains like regions or availability zones | `[]` |
-| `nginx.podAnnotations` | Annotations to add to the nginx pod | `{}` |
-| `nginx.priorityClassName` | The priority class to run the pod as | |
-| **Portal** | | |
-| `portal.image.repository` | Repository for portal image | `goharbor/harbor-portal` |
-| `portal.image.tag` | Tag for portal image | `dev` |
-| `portal.replicas` | The replica count | `1` |
-| `portal.revisionHistoryLimit` | The revision history limit | `10` |
-| `portal.resources` | The [resources] to allocate for container | undefined |
-| `portal.automountServiceAccountToken` | Mount serviceAccountToken? | `false` |
-| `portal.nodeSelector` | Node labels for pod assignment | `{}` |
-| `portal.tolerations` | Tolerations for pod assignment | `[]` |
-| `portal.affinity` | Node/Pod affinities | `{}` |
-| `portal.topologySpreadConstraints` | Constraints that define how Pods are spread across failure-domains like regions or availability zones | `[]` |
-| `portal.podAnnotations` | Annotations to add to the portal pod | `{}` |
-| `portal.serviceAnnotations` | Annotations to add to the portal service | `{}` |
-| `portal.priorityClassName` | The priority class to run the pod as | |
-| **Core** | | |
-| `core.image.repository` | Repository for Harbor core image | `goharbor/harbor-core` |
-| `core.image.tag` | Tag for Harbor core image | `dev` |
-| `core.replicas` | The replica count | `1` |
-| `core.revisionHistoryLimit` | The revision history limit | `10` |
-| `core.startupProbe.initialDelaySeconds` | The initial delay in seconds for the startup probe | `10` |
-| `core.resources` | The [resources] to allocate for container | undefined |
-|
`core.automountServiceAccountToken` | Mount serviceAccountToken? | `false` |
-| `core.nodeSelector` | Node labels for pod assignment | `{}` |
-| `core.tolerations` | Tolerations for pod assignment | `[]` |
-| `core.affinity` | Node/Pod affinities | `{}` |
-| `core.topologySpreadConstraints` | Constraints that define how Pods are spread across failure-domains like regions or availability zones | `[]` |
-| `core.podAnnotations` | Annotations to add to the core pod | `{}` |
-| `core.serviceAnnotations` | Annotations to add to the core service | `{}` |
-| `core.configureUserSettings` | A JSON string to set in the environment variable `CONFIG_OVERWRITE_JSON` to configure user settings. See the [official docs](https://goharbor.io/docs/latest/install-config/configure-user-settings-cli/#configure-users-settings-using-an-environment-variable). | |
-| `core.quotaUpdateProvider` | The provider for updating project quota(usage), there are 2 options, redis or db. By default it is implemented by db but you can configure it to redis which can improve the performance of high concurrent pushing to the same project, and reduce the database connections spike and occupies. Using redis will bring up some delay for quota usage updation for display, so only suggest switch provider to redis if you were ran into the db connections spike around the scenario of high concurrent pushing to same project, no improvment for other scenes. | `db` |
-| `core.secret` | Secret is used when core server communicates with other components. If a secret key is not specified, Helm will generate one. Must be a string of 16 chars. | |
-| `core.secretName` | Fill the name of a kubernetes secret if you want to use your own TLS certificate and private key for token encryption/decryption. The secret must contain keys named: `tls.crt` - the certificate and `tls.key` - the private key.
The default key pair will be used if it isn't set | |
-| `core.tokenKey` | PEM-formatted RSA private key used to sign service tokens. Only used if `core.secretName` is unset. If set, `core.tokenCert` MUST also be set. | |
-| `core.tokenCert` | PEM-formatted certificate signed by `core.tokenKey` used to validate service tokens. Only used if `core.secretName` is unset. If set, `core.tokenKey` MUST also be set. | |
-| `core.xsrfKey` | The XSRF key. Will be generated automatically if it isn't specified | |
-| `core.priorityClassName` | The priority class to run the pod as | |
-| `core.artifactPullAsyncFlushDuration` | The time duration for async update artifact pull_time and repository pull_count | |
-| `core.gdpr.deleteUser` | Enable GDPR compliant user delete | `false` |
-| `core.gdpr.auditLogsCompliant` | Enable GDPR compliant for audit logs by changing username to its CRC32 value if that user was deleted from the system | `false` |
-| **Jobservice** | | |
-| `jobservice.image.repository` | Repository for jobservice image | `goharbor/harbor-jobservice` |
-| `jobservice.image.tag` | Tag for jobservice image | `dev` |
-| `jobservice.replicas` | The replica count | `1` |
-| `jobservice.revisionHistoryLimit` | The revision history limit | `10` |
-| `jobservice.maxJobWorkers` | The max job workers | `10` |
-| `jobservice.jobLoggers` | The loggers for jobs: `file`, `database` or `stdout` | `[file]` |
-| `jobservice.loggerSweeperDuration` | The jobLogger sweeper duration in days (ignored if `jobLoggers` is set to `stdout`) | `14` |
-| `jobservice.notification.webhook_job_max_retry` | The maximum retry of webhook sending notifications | `3` |
-| `jobservice.notification.webhook_job_http_client_timeout` | The http client timeout value of webhook sending notifications | `3` |
-| `jobservice.reaper.max_update_hours` | the max time to wait for a task to finish, if unfinished after max_update_hours, the task will be mark as error, but the task will continue to run, default value
is 24 | `24` |
-| `jobservice.reaper.max_dangling_hours` | the max time for execution in running state without new task created | `168` |
-| `jobservice.resources` | The [resources] to allocate for container | undefined |
-| `jobservice.automountServiceAccountToken` | Mount serviceAccountToken? | `false` |
-| `jobservice.nodeSelector` | Node labels for pod assignment | `{}` |
-| `jobservice.tolerations` | Tolerations for pod assignment | `[]` |
-| `jobservice.affinity` | Node/Pod affinities | `{}` |
-| `jobservice.topologySpreadConstraints` | Constraints that define how Pods are spread across failure-domains like regions or availability zones | `[]` |
-| `jobservice.podAnnotations` | Annotations to add to the jobservice pod | `{}` |
-| `jobservice.priorityClassName` | The priority class to run the pod as | |
-| `jobservice.secret` | Secret is used when job service communicates with other components. If a secret key is not specified, Helm will generate one. Must be a string of 16 chars. | |
-| **Registry** | | |
-| `registry.registry.image.repository` | Repository for registry image | `goharbor/registry-photon` |
-| `registry.registry.image.tag` | Tag for registry image | `dev` |
-| `registry.registry.resources` | The [resources] to allocate for container | undefined |
-| `registry.controller.image.repository` | Repository for registry controller image | `goharbor/harbor-registryctl` |
-| `registry.controller.image.tag` | Tag for registry controller image | `dev` |
-| `registry.controller.resources` | The [resources] to allocate for container | undefined |
-| `registry.replicas` | The replica count | `1` |
-| `registry.revisionHistoryLimit` | The revision history limit | `10` |
-| `registry.nodeSelector` | Node labels for pod assignment | `{}` |
-| `registry.automountServiceAccountToken` | Mount serviceAccountToken?
| `false` |
-| `registry.tolerations` | Tolerations for pod assignment | `[]` |
-| `registry.affinity` | Node/Pod affinities | `{}` |
-| `registry.topologySpreadConstraints` | Constraints that define how Pods are spread across failure-domains like regions or availability zones | `[]` |
-| `registry.middleware` | Middleware is used to add support for a CDN between backend storage and `docker pull` recipient. See [official docs](https://github.com/docker/distribution/blob/master/docs/configuration.md#middleware). | |
-| `registry.podAnnotations` | Annotations to add to the registry pod | `{}` |
-| `registry.priorityClassName` | The priority class to run the pod as | |
-| `registry.secret` | Secret is used to secure the upload state from client and registry storage backend. See [official docs](https://github.com/docker/distribution/blob/master/docs/configuration.md#http). If a secret key is not specified, Helm will generate one. Must be a string of 16 chars. | |
-| `registry.credentials.username` | The username that harbor core uses internally to access the registry instance. Together with the `registry.credentials.password`, a htpasswd  is created. This is an alternative to providing `registry.credentials.htpasswdString`. For more details see [official docs](https://github.com/docker/distribution/blob/master/docs/configuration.md#htpasswd). | `harbor_registry_user` |
-| `registry.credentials.password` | The password that harbor core uses internally to access the registry instance. Together with the `registry.credentials.username`, a htpasswd  is created. This is an alternative to providing `registry.credentials.htpasswdString`. For more details see [official docs](https://github.com/docker/distribution/blob/master/docs/configuration.md#htpasswd). It is suggested you update this value before installation.
| `harbor_registry_password` |
-| `registry.credentials.existingSecret` | An existing secret containing the password for accessing the registry instance, which is hosted by htpasswd auth mode. More details see [official docs](https://github.com/docker/distribution/blob/master/docs/configuration.md#htpasswd). The key must be `REGISTRY_PASSWD` | `""` |
-| `registry.credentials.htpasswdString` | Login and password in htpasswd string format. Excludes `registry.credentials.username` and `registry.credentials.password`. May come in handy when integrating with tools like argocd or flux. This allows the same line to be generated each time the template is rendered, instead of the `htpasswd` function from helm, which generates different lines each time because of the salt. | undefined |
-| `registry.relativeurls` | If true, the registry returns relative URLs in Location headers. The client is responsible for resolving the correct URL. Needed if harbor is behind a reverse proxy | `false` |
-| `registry.upload_purging.enabled` | If true, enable purge _upload directories | `true` |
-| `registry.upload_purging.age` | Remove files in _upload directories which exist for a period of time, default is one week. | `168h` |
-| `registry.upload_purging.interval` | The interval of the purge operations | `24h` |
-| `registry.upload_purging.dryrun` | If true, enable dryrun for purging _upload, default false | `false` |
-| **[Trivy][trivy]** | | |
-| `trivy.enabled` | The flag to enable Trivy scanner | `true` |
-| `trivy.image.repository` | Repository for Trivy adapter image | `goharbor/trivy-adapter-photon` |
-| `trivy.image.tag` | Tag for Trivy adapter image | `dev` |
-| `trivy.resources` | The [resources] to allocate for Trivy adapter container | |
-| `trivy.automountServiceAccountToken` | Mount serviceAccountToken?
| `false` |
-| `trivy.replicas` | The number of Pod replicas | `1` |
-| `trivy.debugMode` | The flag to enable Trivy debug mode | `false` |
-| `trivy.vulnType` | Comma-separated list of vulnerability types. Possible values `os` and `library`. | `os,library` |
-| `trivy.severity` | Comma-separated list of severities to be checked | `UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL` |
-| `trivy.ignoreUnfixed` | The flag to display only fixed vulnerabilities | `false` |
-| `trivy.insecure` | The flag to skip verifying registry certificate | `false` |
-| `trivy.skipUpdate` | The flag to disable [Trivy DB][trivy-db] downloads from GitHub | `false` |
-| `trivy.skipJavaDBUpdate` | If the flag is enabled you have to manually download the `trivy-java.db` file [Trivy Java DB][trivy-java-db] and mount it in the `/home/scanner/.cache/trivy/java-db/trivy-java.db` path | `false` |
-| `trivy.offlineScan` | The flag prevents Trivy from sending API requests to identify dependencies. | `false` |
-| `trivy.securityCheck` | Comma-separated list of what security issues to detect. Possible values are `vuln`, `config` and `secret`.
| `vuln` |
-| `trivy.timeout` | The duration to wait for scan completion | `5m0s` |
-| `trivy.gitHubToken` | The GitHub access token to download [Trivy DB][trivy-db] (see [GitHub rate limiting][trivy-rate-limiting]) | |
-| `trivy.priorityClassName` | The priority class to run the pod as | |
-| `trivy.topologySpreadConstraints` | The priority class to run the pod as | |
-| **Database** | | |
-| `database.type` | If external database is used, set it to `external` | `internal` |
-| `database.internal.image.repository` | Repository for database image | `goharbor/harbor-db` |
-| `database.internal.image.tag` | Tag for database image | `dev` |
-| `database.internal.password` | The password for database | `changeit` |
-| `database.internal.shmSizeLimit` | The limit for the size of shared memory for internal PostgreSQL, conventionally it's around 50% of the memory limit of the container | `512Mi` |
-| `database.internal.resources` | The [resources] to allocate for container | undefined |
-| `database.internal.automountServiceAccountToken` | Mount serviceAccountToken?
| `false` |
-| `database.internal.initContainer.migrator.resources` | The [resources] to allocate for the database migrator initContainer | undefined |
-| `database.internal.initContainer.permissions.resources` | The [resources] to allocate for the database permissions initContainer | undefined |
-| `database.internal.nodeSelector` | Node labels for pod assignment | `{}` |
-| `database.internal.tolerations` | Tolerations for pod assignment | `[]` |
-| `database.internal.affinity` | Node/Pod affinities | `{}` |
-| `database.internal.priorityClassName` | The priority class to run the pod as | |
-| `database.internal.livenessProbe.timeoutSeconds` | The timeout used in liveness probe; 1 to 5 seconds | 1 |
-| `database.internal.readinessProbe.timeoutSeconds` | The timeout used in readiness probe; 1 to 5 seconds | 1 |
-| `database.external.host` | The hostname of external database | `192.168.0.1` |
-| `database.external.port` | The port of external database | `5432` |
-| `database.external.username` | The username of external database | `user` |
-| `database.external.password` | The password of external database | `password` |
-| `database.external.coreDatabase` | The database used by core service | `registry` |
-| `database.external.existingSecret` | An existing password containing the database password. the key must be `password`. | `""` |
-| `database.external.sslmode` | Connection method of external database (require, verify-full, verify-ca, disable) | `disable` |
-| `database.maxIdleConns` | The maximum number of connections in the idle connection pool. If it <=0, no idle connections are retained. | `50` |
-| `database.maxOpenConns` | The maximum number of open connections to the database. If it <= 0, then there is no limit on the number of open connections.
| `100` |
-| `database.podAnnotations` | Annotations to add to the database pod | `{}` |
-| **Redis** | | |
-| `redis.type` | If external redis is used, set it to `external` | `internal` |
-| `redis.internal.image.repository` | Repository for redis image | `goharbor/redis-photon` |
-| `redis.internal.image.tag` | Tag for redis image | `dev` |
-| `redis.internal.resources` | The [resources] to allocate for container | undefined |
-| `redis.internal.automountServiceAccountToken` | Mount serviceAccountToken? | `false` |
-| `redis.internal.nodeSelector` | Node labels for pod assignment | `{}` |
-| `redis.internal.tolerations` | Tolerations for pod assignment | `[]` |
-| `redis.internal.affinity` | Node/Pod affinities | `{}` |
-| `redis.internal.priorityClassName` | The priority class to run the pod as | |
-| `redis.internal.jobserviceDatabaseIndex` | The database index for jobservice | `1` |
-| `redis.internal.registryDatabaseIndex` | The database index for registry | `2` |
-| `redis.internal.trivyAdapterIndex` | The database index for trivy adapter | `5` |
-| `redis.internal.harborDatabaseIndex` | The database index for harbor miscellaneous business logic | `0` |
-| `redis.internal.cacheLayerDatabaseIndex` | The database index for harbor cache layer | `0` |
-| `redis.external.addr` | The addr of external Redis: :.
When using sentinel, it should be :,:,: | `192.168.0.2:6379` |
-| `redis.external.sentinelMasterSet` | The name of the set of Redis instances to monitor | |
-| `redis.external.coreDatabaseIndex` | The database index for core | `0` |
-| `redis.external.jobserviceDatabaseIndex` | The database index for jobservice | `1` |
-| `redis.external.registryDatabaseIndex` | The database index for registry | `2` |
-| `redis.external.trivyAdapterIndex` | The database index for trivy adapter | `5` |
-| `redis.external.harborDatabaseIndex` | The database index for harbor miscellaneous business logic | `0` |
-| `redis.external.cacheLayerDatabaseIndex` | The database index for harbor cache layer | `0` |
-| `redis.external.username` | The username of external Redis | |
-| `redis.external.password` | The password of external Redis | |
-| `redis.external.existingSecret` | Use an existing secret to connect to redis. The key must be `REDIS_PASSWORD`. | `""` |
-| `redis.podAnnotations` | Annotations to add to the redis pod | `{}` |
-| **Exporter** | | |
-| `exporter.replicas` | The replica count | `1` |
-| `exporter.revisionHistoryLimit` | The revision history limit | `10` |
-| `exporter.podAnnotations` | Annotations to add to the exporter pod | `{}` |
-| `exporter.image.repository` | Repository for redis image | `goharbor/harbor-exporter` |
-| `exporter.image.tag` | Tag for exporter image | `dev` |
-| `exporter.nodeSelector` | Node labels for pod assignment | `{}` |
-| `exporter.tolerations` | Tolerations for pod assignment | `[]` |
-| `exporter.affinity` | Node/Pod affinities | `{}` |
-| `exporter.topologySpreadConstraints` | Constraints that define how Pods are spread across failure-domains like regions or availability zones | `[]` |
-| `exporter.automountServiceAccountToken` | Mount serviceAccountToken?
| `false` |
-| `exporter.cacheDuration` | the cache duration for information that exporter collected from Harbor | `30` |
-| `exporter.cacheCleanInterval` | cache clean interval for information that exporter collected from Harbor | `14400` |
-| `exporter.priorityClassName` | The priority class to run the pod as | |
-| **Metrics** | | |
-| `metrics.enabled` | if enable harbor metrics | `false` |
-| `metrics.core.path` | the url path for core metrics | `/metrics` |
-| `metrics.core.port` | the port for core metrics | `8001` |
-| `metrics.registry.path` | the url path for registry metrics | `/metrics` |
-| `metrics.registry.port` | the port for registry metrics | `8001` |
-| `metrics.exporter.path` | the url path for exporter metrics | `/metrics` |
-| `metrics.exporter.port` | the port for exporter metrics | `8001` |
-| `metrics.serviceMonitor.enabled` | create prometheus serviceMonitor. Requires prometheus CRD's | `false` |
-| `metrics.serviceMonitor.additionalLabels` | additional labels to upsert to the manifest | `""` |
-| `metrics.serviceMonitor.interval` | scrape period for harbor metrics | `""` |
-| `metrics.serviceMonitor.metricRelabelings` | metrics relabel to add/mod/del before ingestion | `[]` |
-| `metrics.serviceMonitor.relabelings` | relabels to add/mod/del to sample before scrape | `[]` |
-| **Trace** | | |
-| `trace.enabled` | Enable tracing or not | `false` |
-| `trace.provider` | The tracing provider: `jaeger` or `otel`.
`jaeger` should be 1.26+ | `jaeger` |
-| `trace.sample_rate` | Set `sample_rate` to 1 if you want sampling 100% of trace data; set 0.5 if you want sampling 50% of trace data, and so forth | `1` |
-| `trace.namespace` | Namespace used to differentiate different harbor services | |
-| `trace.attributes` | `attributes` is a key value dict contains user defined attributes used to initialize trace provider | |
-| `trace.jaeger.endpoint` | The endpoint of jaeger | `http://hostname:14268/api/traces` |
-| `trace.jaeger.username` | The username of jaeger | |
-| `trace.jaeger.password` | The password of jaeger | |
-| `trace.jaeger.agent_host` | The agent host of jaeger | |
-| `trace.jaeger.agent_port` | The agent port of jaeger | `6831` |
-| `trace.otel.endpoint` | The endpoint of otel | `hostname:4318` |
-| `trace.otel.url_path` | The URL path of otel | `/v1/traces` |
-| `trace.otel.compression` | Whether enable compression or not for otel | `false` |
-| `trace.otel.insecure` | Whether establish insecure connection or not for otel | `true` |
-| `trace.otel.timeout` | The timeout in seconds of otel | `10` |
-| **Cache** | | |
-| `cache.enabled` | Enable cache layer or not | `false` |
-| `cache.expireHours` | The expire hours of cache layer | `24` |
+| Parameter | Description | Default |
+|-----------------------------------------------------------------------| ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------- |
+| **Expose** | | |
+| `expose.type` | How to expose the service: `ingress`, `clusterIP`, `nodePort` or `loadBalancer`, other values
will be ignored and the creation of service will be skipped. | `ingress` |
+| `expose.tls.enabled` | Enable TLS or not. Delete the `ssl-redirect` annotations in `expose.ingress.annotations` when TLS is disabled and `expose.type` is `ingress`. Note: if the `expose.type` is `ingress` and TLS is disabled, the port must be included in the command when pulling/pushing images. Refer to https://github.com/goharbor/harbor/issues/5291 for details. | `true` |
+| `expose.tls.certSource` | The source of the TLS certificate. Set as `auto`, `secret` or `none` and fill the information in the corresponding section: 1) auto: generate the TLS certificate automatically 2) secret: read the TLS certificate from the specified secret. The TLS certificate can be generated manually or by cert manager 3) none: configure no TLS certificate for the ingress. If the default TLS certificate is configured in the ingress controller, choose this option | `auto` |
+| `expose.tls.auto.commonName` | The common name used to generate the certificate, it's necessary when the type isn't `ingress` | |
+| `expose.tls.secret.secretName` | The name of secret which contains keys named: `tls.crt` - the certificate; `tls.key` - the private key | |
+| `expose.ingress.hosts.core` | The host of Harbor core service in ingress rule | `core.harbor.domain` |
+| `expose.ingress.controller` | The ingress controller type.
Currently supports `default`, `gce`, `alb`, `f5-bigip` and `ncp` | `default` |
+| `expose.ingress.kubeVersionOverride` | Allows the ability to override the kubernetes version used while templating the ingress | |
+| `expose.ingress.annotations` | The annotations used commonly for ingresses | |
+| `expose.ingress.labels` | The labels specific to ingress | {} |
+| `expose.clusterIP.name` | The name of ClusterIP service | `harbor` |
+| `expose.clusterIP.annotations` | The annotations attached to the ClusterIP service | {} |
+| `expose.clusterIP.ports.httpPort` | The service port Harbor listens on when serving HTTP | `80` |
+| `expose.clusterIP.ports.httpsPort` | The service port Harbor listens on when serving HTTPS | `443` |
+| `expose.clusterIP.annotations` | The annotations used commonly for clusterIP | |
+| `expose.clusterIP.labels` | The labels specific to clusterIP | {} |
+| `expose.nodePort.name` | The name of NodePort service | `harbor` |
+| `expose.nodePort.ports.http.port` | The service port Harbor listens on when serving HTTP | `80` |
+| `expose.nodePort.ports.http.nodePort` | The node port Harbor listens on when serving HTTP | `30002` |
+| `expose.nodePort.ports.https.port` | The service port Harbor listens on when serving HTTPS | `443` |
+| `expose.nodePort.ports.https.nodePort` | The node port Harbor listens on when serving HTTPS | `30003` |
+| `expose.nodePort.annotations` | The annotations used commonly for nodePort | |
+| `expose.nodePort.labels` | The labels specific to nodePort | {} |
+| `expose.loadBalancer.name` | The name of service | `harbor` |
+| `expose.loadBalancer.IP` | The IP of the loadBalancer.
It only works when loadBalancer supports assigning IP | `""` |
+| `expose.loadBalancer.ports.httpPort` | The service port Harbor listens on when serving HTTP | `80` |
+| `expose.loadBalancer.ports.httpsPort` | The service port Harbor listens on when serving HTTPS | `30002` |
+| `expose.loadBalancer.annotations` | The annotations attached to the loadBalancer service | {} |
+| `expose.loadBalancer.labels` | The labels specific to loadBalancer | {} |
+| `expose.loadBalancer.sourceRanges` | List of IP address ranges to assign to loadBalancerSourceRanges | [] |
+| **Internal TLS** | | |
+| `internalTLS.enabled` | Enable TLS for the components (core, jobservice, portal, registry, trivy) | `false` |
+| `internalTLS.strong_ssl_ciphers` | Enable strong ssl ciphers for nginx and portal | `false`
+| `internalTLS.certSource` | Method to provide TLS for the components, options are `auto`, `manual`, `secret`. | `auto` |
+| `internalTLS.trustCa` | The content of trust CA, only available when `certSource` is `manual`. **Note**: all the internal certificates of the components must be issued by this CA | |
+| `internalTLS.core.secretName` | The secret name for core component, only available when `certSource` is `secret`. The secret must contain keys named: `ca.crt` - the CA certificate which is used to issue internal key and crt pair for components and all Harbor components must be issued by the same CA, `tls.crt` - the content of the TLS cert file, `tls.key` - the content of the TLS key file. | |
+| `internalTLS.core.crt` | Content of core's TLS cert file, only available when `certSource` is `manual` | |
+| `internalTLS.core.key` | Content of core's TLS key file, only available when `certSource` is `manual` | |
+| `internalTLS.jobservice.secretName` | The secret name for jobservice component, only available when `certSource` is `secret`.
The secret must contain keys named: `ca.crt` - the CA certificate which is used to issue internal key and crt pair for components and all Harbor components must be issued by the same CA, `tls.crt` - the content of the TLS cert file, `tls.key` - the content of the TLS key file. | |
+| `internalTLS.jobservice.crt` | Content of jobservice's TLS cert file, only available when `certSource` is `manual` | |
+| `internalTLS.jobservice.key` | Content of jobservice's TLS key file, only available when `certSource` is `manual` | |
+| `internalTLS.registry.secretName` | The secret name for registry component, only available when `certSource` is `secret`. The secret must contain keys named: `ca.crt` - the CA certificate which is used to issue internal key and crt pair for components and all Harbor components must be issued by the same CA, `tls.crt` - the content of the TLS cert file, `tls.key` - the content of the TLS key file. | |
+| `internalTLS.registry.crt` | Content of registry's TLS cert file, only available when `certSource` is `manual` | |
+| `internalTLS.registry.key` | Content of registry's TLS key file, only available when `certSource` is `manual` | |
+| `internalTLS.portal.secretName` | The secret name for portal component, only available when `certSource` is `secret`. The secret must contain keys named: `ca.crt` - the CA certificate which is used to issue internal key and crt pair for components and all Harbor components must be issued by the same CA, `tls.crt` - the content of the TLS cert file, `tls.key` - the content of the TLS key file. | |
+| `internalTLS.portal.crt` | Content of portal's TLS cert file, only available when `certSource` is `manual` | |
+| `internalTLS.portal.key` | Content of portal's TLS key file, only available when `certSource` is `manual` | |
+| `internalTLS.trivy.secretName` | The secret name for trivy component, only available when `certSource` is `secret`.
The secret must contain keys named: `ca.crt` - the CA certificate which is used to issue internal key and crt pair for components and all Harbor components must be issued by the same CA, `tls.crt` - the content of the TLS cert file, `tls.key` - the content of the TLS key file. | |
+| `internalTLS.trivy.crt` | Content of trivy's TLS cert file, only available when `certSource` is `manual` | |
+| `internalTLS.trivy.key` | Content of trivy's TLS key file, only available when `certSource` is `manual` | |
+| **IPFamily** | | |
+| `ipFamily.ipv4.enabled` | if cluster is ipv4 enabled, all ipv4 related configs will set correspondingly, but currently it only affects the nginx related components | `true` |
+| `ipFamily.ipv6.enabled` | if cluster is ipv6 enabled, all ipv6 related configs will set correspondingly, but currently it only affects the nginx related components | `true` |
+| **Persistence** | | |
+| `persistence.enabled` | Enable the data persistence or not | `true` |
+| `persistence.resourcePolicy` | Setting it to `keep` to avoid removing PVCs during a helm delete operation. Leaving it empty will delete PVCs after the chart deleted. Does not affect PVCs created for internal database and redis components. | `keep` |
+| `persistence.persistentVolumeClaim.registry.existingClaim` | Use the existing PVC which must be created manually before bound, and specify the `subPath` if the PVC is shared with other components | |
+| `persistence.persistentVolumeClaim.registry.storageClass` | Specify the `storageClass` used to provision the volume. Or the default StorageClass will be used (the default).
Set it to `-` to disable dynamic provisioning | | +| `persistence.persistentVolumeClaim.registry.subPath` | The sub path used in the volume | | +| `persistence.persistentVolumeClaim.registry.accessMode` | The access mode of the volume | `ReadWriteOnce` | +| `persistence.persistentVolumeClaim.registry.size` | The size of the volume | `5Gi` | +| `persistence.persistentVolumeClaim.registry.annotations` | The annotations of the volume | | +| `persistence.persistentVolumeClaim.jobservice.jobLog.existingClaim` | Use the existing PVC which must be created manually before bound, and specify the `subPath` if the PVC is shared with other components. | | +| `persistence.persistentVolumeClaim.jobservice.jobLog.storageClass` | Specify the `storageClass` used to provision the volume. Or the default StorageClass will be used (the default). Set it to `-` to disable dynamic provisioning | | +| `persistence.persistentVolumeClaim.jobservice.jobLog.subPath` | The sub path used in the volume | | +| `persistence.persistentVolumeClaim.jobservice.jobLog.accessMode` | The access mode of the volume | `ReadWriteOnce` | +| `persistence.persistentVolumeClaim.jobservice.jobLog.size` | The size of the volume | `1Gi` | +| `persistence.persistentVolumeClaim.jobservice.jobLog.annotations` | The annotations of the volume | | +| `persistence.persistentVolumeClaim.database.existingClaim` | Use the existing PVC which must be created manually before bound, and specify the `subPath` if the PVC is shared with other components. If external database is used, the setting will be ignored | | +| `persistence.persistentVolumeClaim.database.storageClass` | Specify the `storageClass` used to provision the volume. Or the default StorageClass will be used (the default). Set it to `-` to disable dynamic provisioning. If external database is used, the setting will be ignored | | +| `persistence.persistentVolumeClaim.database.subPath` | The sub path used in the volume. 
If external database is used, the setting will be ignored | | +| `persistence.persistentVolumeClaim.database.accessMode` | The access mode of the volume. If external database is used, the setting will be ignored | `ReadWriteOnce` | +| `persistence.persistentVolumeClaim.database.size` | The size of the volume. If external database is used, the setting will be ignored | `1Gi` | +| `persistence.persistentVolumeClaim.database.annotations` | The annotations of the volume | | +| `persistence.persistentVolumeClaim.redis.existingClaim` | Use the existing PVC which must be created manually before bound, and specify the `subPath` if the PVC is shared with other components. If external Redis is used, the setting will be ignored | | +| `persistence.persistentVolumeClaim.redis.storageClass` | Specify the `storageClass` used to provision the volume. Or the default StorageClass will be used (the default). Set it to `-` to disable dynamic provisioning. If external Redis is used, the setting will be ignored | | +| `persistence.persistentVolumeClaim.redis.subPath` | The sub path used in the volume. If external Redis is used, the setting will be ignored | | +| `persistence.persistentVolumeClaim.redis.accessMode` | The access mode of the volume. If external Redis is used, the setting will be ignored | `ReadWriteOnce` | +| `persistence.persistentVolumeClaim.redis.size` | The size of the volume. If external Redis is used, the setting will be ignored | `1Gi` | +| `persistence.persistentVolumeClaim.redis.annotations` | The annotations of the volume | | +| `persistence.persistentVolumeClaim.trivy.existingClaim` | Use the existing PVC which must be created manually before bound, and specify the `subPath` if the PVC is shared with other components | | +| `persistence.persistentVolumeClaim.trivy.storageClass` | Specify the `storageClass` used to provision the volume. Or the default StorageClass will be used (the default). 
Set it to `-` to disable dynamic provisioning | | +| `persistence.persistentVolumeClaim.trivy.subPath` | The sub path used in the volume | | +| `persistence.persistentVolumeClaim.trivy.accessMode` | The access mode of the volume | `ReadWriteOnce` | +| `persistence.persistentVolumeClaim.trivy.size` | The size of the volume | `1Gi` | +| `persistence.persistentVolumeClaim.trivy.annotations` | The annotations of the volume | | +| `persistence.imageChartStorage.disableredirect` | The configuration for managing redirects from content backends. For backends which not supported it (such as using minio for `s3` storage type), please set it to `true` to disable redirects. Refer to the [guide](https://github.com/docker/distribution/blob/master/docs/configuration.md#redirect) for more details | `false` | +| `persistence.imageChartStorage.caBundleSecretName` | Specify the `caBundleSecretName` if the storage service uses a self-signed certificate. The secret must contain keys named `ca.crt` which will be injected into the trust store of registry's and containers. | | +| `persistence.imageChartStorage.type` | The type of storage for images and charts: `filesystem`, `azure`, `gcs`, `s3`, `swift` or `oss`. The type must be `filesystem` if you want to use persistent volumes for registry. Refer to the [guide](https://github.com/docker/distribution/blob/master/docs/configuration.md#storage) for more details | `filesystem` | +| `persistence.imageChartStorage.gcs.existingSecret` | An existing secret containing the gcs service account json key. The key must be gcs-key.json. | `""` | +| `persistence.imageChartStorage.gcs.useWorkloadIdentity` | A boolean to allow the use of workloadidentity in a GKE cluster. To use it, create a kubernetes service account and set the name in the key `serviceAccountName` of each component, then allow automounting the service account. 
| `false` | +| **General** | | | +| `externalURL` | The external URL for Harbor core service | `https://core.harbor.domain` | +| `caBundleSecretName` | The custom CA bundle secret name, the secret must contain key named "ca.crt" which will be injected into the trust store for core, jobservice, registry, trivy components. | | +| `uaaSecretName` | If using external UAA auth which has a self signed cert, you can provide a pre-created secret containing it under the key `ca.crt`. | | +| `imagePullPolicy` | The image pull policy | | +| `imagePullSecrets` | The imagePullSecrets names for all deployments | | +| `updateStrategy.type` | The update strategy for deployments with persistent volumes(jobservice, registry): `RollingUpdate` or `Recreate`. Set it as `Recreate` when `RWM` for volumes isn't supported | `RollingUpdate` | +| `logLevel` | The log level: `debug`, `info`, `warning`, `error` or `fatal` | `info` | +| `harborAdminPassword` | The initial password of Harbor admin. Change it from portal after launching Harbor | `Harbor12345` | +| `existingSecretAdminPassword` | The name of secret where admin password can be found. | | +| `existingSecretAdminPasswordKey` | The name of the key in the secret where to find harbor admin password Harbor | `HARBOR_ADMIN_PASSWORD` | +| `caSecretName` | The name of the secret which contains key named `ca.crt`. Setting this enables the download link on portal to download the CA certificate when the certificate isn't generated automatically | | +| `secretKey` | The key used for encryption. 
Must be a string of 16 chars | `not-a-secure-key` | +| `existingSecretSecretKey` | An existing secret containing the encoding secretKey | `""` | +| `proxy.httpProxy` | The URL of the HTTP proxy server | | +| `proxy.httpsProxy` | The URL of the HTTPS proxy server | | +| `proxy.noProxy` | The URLs that the proxy settings not apply to | 127.0.0.1,localhost,.local,.internal | +| `proxy.components` | The component list that the proxy settings apply to | core, jobservice, trivy | +| `enableMigrateHelmHook` | Run the migration job via helm hook, if it is true, the database migration will be separated from harbor-core, run with a preupgrade job migration-job | `false` | +| **Nginx** (if service exposed via `ingress`, Nginx will not be used) | | | +| `nginx.image.repository` | Image repository | `goharbor/nginx-photon` | +| `nginx.image.tag` | Image tag | `dev` | +| `nginx.replicas` | The replica count | `1` | +| `nginx.revisionHistoryLimit` | The revision history limit | `10` | +| `nginx.resources` | The [resources] to allocate for container | undefined | +| `nginx.automountServiceAccountToken` | Mount serviceAccountToken? 
| `false` | +| `nginx.nodeSelector` | Node labels for pod assignment | `{}` | +| `nginx.tolerations` | Tolerations for pod assignment | `[]` | +| `nginx.affinity` | Node/Pod affinities | `{}` | +| `nginx.topologySpreadConstraints` | Constraints that define how Pods are spread across failure-domains like regions or availability zones | `[]` | +| `nginx.podAnnotations` | Annotations to add to the nginx pod | `{}` | +| `nginx.priorityClassName` | The priority class to run the pod as | | +| **Portal** | | | +| `portal.image.repository` | Repository for portal image | `goharbor/harbor-portal` | +| `portal.image.tag` | Tag for portal image | `dev` | +| `portal.replicas` | The replica count | `1` | +| `portal.revisionHistoryLimit` | The revision history limit | `10` | +| `portal.resources` | The [resources] to allocate for container | undefined | +| `portal.automountServiceAccountToken` | Mount serviceAccountToken? | `false` | +| `portal.nodeSelector` | Node labels for pod assignment | `{}` | +| `portal.tolerations` | Tolerations for pod assignment | `[]` | +| `portal.affinity` | Node/Pod affinities | `{}` | +| `portal.topologySpreadConstraints` | Constraints that define how Pods are spread across failure-domains like regions or availability zones | `[]` | +| `portal.podAnnotations` | Annotations to add to the portal pod | `{}` | +| `portal.serviceAnnotations` | Annotations to add to the portal service | `{}` | +| `portal.priorityClassName` | The priority class to run the pod as | | +| `portal.initContainers` | Init containers to be run before the controller's container starts. 
| `[]` | +| **Core** | | | +| `core.image.repository` | Repository for Harbor core image | `goharbor/harbor-core` | +| `core.image.tag` | Tag for Harbor core image | `dev` | +| `core.replicas` | The replica count | `1` | +| `core.revisionHistoryLimit` | The revision history limit | `10` | +| `core.startupProbe.initialDelaySeconds` | The initial delay in seconds for the startup probe | `10` | +| `core.resources` | The [resources] to allocate for container | undefined | +| `core.automountServiceAccountToken` | Mount serviceAccountToken? | `false` | +| `core.nodeSelector` | Node labels for pod assignment | `{}` | +| `core.tolerations` | Tolerations for pod assignment | `[]` | +| `core.affinity` | Node/Pod affinities | `{}` | +| `core.topologySpreadConstraints` | Constraints that define how Pods are spread across failure-domains like regions or availability zones | `[]` | +| `core.podAnnotations` | Annotations to add to the core pod | `{}` | +| `core.serviceAnnotations` | Annotations to add to the core service | `{}` | +| `core.configureUserSettings` | A JSON string to set in the environment variable `CONFIG_OVERWRITE_JSON` to configure user settings. See the [official docs](https://goharbor.io/docs/latest/install-config/configure-user-settings-cli/#configure-users-settings-using-an-environment-variable). | | +| `core.quotaUpdateProvider` | The provider for updating project quota(usage), there are 2 options, redis or db. By default it is implemented by db but you can configure it to redis which can improve the performance of high concurrent pushing to the same project, and reduce the database connections spike and occupies. Using redis will bring up some delay for quota usage updation for display, so only suggest switch provider to redis if you were ran into the db connections spike around the scenario of high concurrent pushing to same project, no improvment for other scenes. 
| `db` | +| `core.secret` | Secret is used when core server communicates with other components. If a secret key is not specified, Helm will generate one. Must be a string of 16 chars. | | +| `core.secretName` | Fill the name of a kubernetes secret if you want to use your own TLS certificate and private key for token encryption/decryption. The secret must contain keys named: `tls.crt` - the certificate and `tls.key` - the private key. The default key pair will be used if it isn't set | | +| `core.tokenKey` | PEM-formatted RSA private key used to sign service tokens. Only used if `core.secretName` is unset. If set, `core.tokenCert` MUST also be set. | | +| `core.tokenCert` | PEM-formatted certificate signed by `core.tokenKey` used to validate service tokens. Only used if `core.secretName` is unset. If set, `core.tokenKey` MUST also be set. | | +| `core.xsrfKey` | The XSRF key. Will be generated automatically if it isn't specified | | +| `core.priorityClassName` | The priority class to run the pod as | | +| `core.artifactPullAsyncFlushDuration` | The time duration for async update artifact pull_time and repository pull_count | | +| `core.gdpr.deleteUser` | Enable GDPR compliant user delete | `false` | +| `core.gdpr.auditLogsCompliant` | Enable GDPR compliant for audit logs by changing username to its CRC32 value if that user was deleted from the system | `false` | +| `core.initContainers` | Init containers to be run before the controller's container starts. 
| `[]` | +| **Jobservice** | | | +| `jobservice.image.repository` | Repository for jobservice image | `goharbor/harbor-jobservice` | +| `jobservice.image.tag` | Tag for jobservice image | `dev` | +| `jobservice.replicas` | The replica count | `1` | +| `jobservice.revisionHistoryLimit` | The revision history limit | `10` | +| `jobservice.maxJobWorkers` | The max job workers | `10` | +| `jobservice.jobLoggers` | The loggers for jobs: `file`, `database` or `stdout` | `[file]` | +| `jobservice.loggerSweeperDuration` | The jobLogger sweeper duration in days (ignored if `jobLoggers` is set to `stdout`) | `14` | +| `jobservice.notification.webhook_job_max_retry` | The maximum retry of webhook sending notifications | `3` | +| `jobservice.notification.webhook_job_http_client_timeout` | The http client timeout value of webhook sending notifications | `3` | +| `jobservice.reaper.max_update_hours` | the max time to wait for a task to finish, if unfinished after max_update_hours, the task will be mark as error, but the task will continue to run, default value is 24 | `24` | +| `jobservice.reaper.max_dangling_hours` | the max time for execution in running state without new task created | `168` | +| `jobservice.resources` | The [resources] to allocate for container | undefined | +| `jobservice.automountServiceAccountToken` | Mount serviceAccountToken? | `false` | +| `jobservice.nodeSelector` | Node labels for pod assignment | `{}` | +| `jobservice.tolerations` | Tolerations for pod assignment | `[]` | +| `jobservice.affinity` | Node/Pod affinities | `{}` | +| `jobservice.topologySpreadConstraints` | Constraints that define how Pods are spread across failure-domains like regions or availability zones | `[]` | +| `jobservice.podAnnotations` | Annotations to add to the jobservice pod | `{}` | +| `jobservice.priorityClassName` | The priority class to run the pod as | | +| `jobservice.secret` | Secret is used when job service communicates with other components. 
If a secret key is not specified, Helm will generate one. Must be a string of 16 chars. | | +| `jobservice.initContainers` | Init containers to be run before the controller's container starts. | `[]` | +| **Registry** | | | +| `registry.registry.image.repository` | Repository for registry image | `goharbor/registry-photon` | +| `registry.registry.image.tag` | Tag for registry image | `dev` | +| `registry.registry.resources` | The [resources] to allocate for container | undefined | +| `registry.controller.image.repository` | Repository for registry controller image | `goharbor/harbor-registryctl` | +| `registry.controller.image.tag` | Tag for registry controller image | `dev` | +| `registry.controller.resources` | The [resources] to allocate for container | undefined | +| `registry.replicas` | The replica count | `1` | +| `registry.revisionHistoryLimit` | The revision history limit | `10` | +| `registry.nodeSelector` | Node labels for pod assignment | `{}` | +| `registry.automountServiceAccountToken` | Mount serviceAccountToken? | `false` | +| `registry.tolerations` | Tolerations for pod assignment | `[]` | +| `registry.affinity` | Node/Pod affinities | `{}` | +| `registry.topologySpreadConstraints` | Constraints that define how Pods are spread across failure-domains like regions or availability zones | `[]` | +| `registry.middleware` | Middleware is used to add support for a CDN between backend storage and `docker pull` recipient. See [official docs](https://github.com/docker/distribution/blob/master/docs/configuration.md#middleware). | | +| `registry.podAnnotations` | Annotations to add to the registry pod | `{}` | +| `registry.priorityClassName` | The priority class to run the pod as | | +| `registry.secret` | Secret is used to secure the upload state from client and registry storage backend. See [official docs](https://github.com/docker/distribution/blob/master/docs/configuration.md#http). If a secret key is not specified, Helm will generate one. 
Must be a string of 16 chars. | | +| `registry.credentials.username` | The username that harbor core uses internally to access the registry instance. Together with the `registry.credentials.password`, a htpasswd is created. This is an alternative to providing `registry.credentials.htpasswdString`. For more details see [official docs](https://github.com/docker/distribution/blob/master/docs/configuration.md#htpasswd). | `harbor_registry_user` | +| `registry.credentials.password` | The password that harbor core uses internally to access the registry instance. Together with the `registry.credentials.username`, a htpasswd is created. This is an alternative to providing `registry.credentials.htpasswdString`. For more details see [official docs](https://github.com/docker/distribution/blob/master/docs/configuration.md#htpasswd). It is suggested you update this value before installation. | `harbor_registry_password` | +| `registry.credentials.existingSecret` | An existing secret containing the password for accessing the registry instance, which is hosted by htpasswd auth mode. More details see [official docs](https://github.com/docker/distribution/blob/master/docs/configuration.md#htpasswd). The key must be `REGISTRY_PASSWD` | `""` | +| `registry.credentials.htpasswdString` | Login and password in htpasswd string format. Excludes `registry.credentials.username` and `registry.credentials.password`. May come in handy when integrating with tools like argocd or flux. This allows the same line to be generated each time the template is rendered, instead of the `htpasswd` function from helm, which generates different lines each time because of the salt. | undefined | +| `registry.relativeurls` | If true, the registry returns relative URLs in Location headers. The client is responsible for resolving the correct URL. 
Needed if harbor is behind a reverse proxy | `false` | +| `registry.upload_purging.enabled` | If true, enable purge _upload directories | `true` | +| `registry.upload_purging.age` | Remove files in _upload directories which exist for a period of time, default is one week. | `168h` | +| `registry.upload_purging.interval` | The interval of the purge operations | `24h` | +| `registry.upload_purging.dryrun` | If true, enable dryrun for purging _upload, default false | `false` | +| `registry.initContainers` | Init containers to be run before the controller's container starts. | `[]` | +| **[Trivy][trivy]** | | | +| `trivy.enabled` | The flag to enable Trivy scanner | `true` | +| `trivy.image.repository` | Repository for Trivy adapter image | `goharbor/trivy-adapter-photon` | +| `trivy.image.tag` | Tag for Trivy adapter image | `dev` | +| `trivy.resources` | The [resources] to allocate for Trivy adapter container | | +| `trivy.automountServiceAccountToken` | Mount serviceAccountToken? | `false` | +| `trivy.replicas` | The number of Pod replicas | `1` | +| `trivy.debugMode` | The flag to enable Trivy debug mode | `false` | +| `trivy.vulnType` | Comma-separated list of vulnerability types. Possible values `os` and `library`. | `os,library` | +| `trivy.severity` | Comma-separated list of severities to be checked | `UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL` | +| `trivy.ignoreUnfixed` | The flag to display only fixed vulnerabilities | `false` | +| `trivy.insecure` | The flag to skip verifying registry certificate | `false` | +| `trivy.skipUpdate` | The flag to disable [Trivy DB][trivy-db] downloads from GitHub | `false` | +| `trivy.skipJavaDBUpdate` | If the flag is enabled you have to manually download the `trivy-java.db` file [Trivy Java DB][trivy-java-db] and mount it in the `/home/scanner/.cache/trivy/java-db/trivy-java.db` path | `false` | +| `trivy.offlineScan` | The flag prevents Trivy from sending API requests to identify dependencies. 
| `false` | +| `trivy.securityCheck` | Comma-separated list of what security issues to detect. Possible values are `vuln`, `config` and `secret`. | `vuln` | +| `trivy.timeout` | The duration to wait for scan completion | `5m0s` | +| `trivy.gitHubToken` | The GitHub access token to download [Trivy DB][trivy-db] (see [GitHub rate limiting][trivy-rate-limiting]) | | +| `trivy.priorityClassName` | The priority class to run the pod as | | +| `trivy.topologySpreadConstraints` | The priority class to run the pod as | | +| `trivy.initContainers` | Init containers to be run before the controller's container starts. | `[]` | +| **Database** | | | +| `database.type` | If external database is used, set it to `external` | `internal` | +| `database.internal.image.repository` | Repository for database image | `goharbor/harbor-db` | +| `database.internal.image.tag` | Tag for database image | `dev` | +| `database.internal.password` | The password for database | `changeit` | +| `database.internal.shmSizeLimit` | The limit for the size of shared memory for internal PostgreSQL, conventionally it's around 50% of the memory limit of the container | `512Mi` | +| `database.internal.resources` | The [resources] to allocate for container | undefined | +| `database.internal.automountServiceAccountToken` | Mount serviceAccountToken? 
| `false` | +| `database.internal.initContainer.migrator.resources` | The [resources] to allocate for the database migrator initContainer | undefined | +| `database.internal.initContainer.permissions.resources` | The [resources] to allocate for the database permissions initContainer | undefined | +| `database.internal.nodeSelector` | Node labels for pod assignment | `{}` | +| `database.internal.tolerations` | Tolerations for pod assignment | `[]` | +| `database.internal.affinity` | Node/Pod affinities | `{}` | +| `database.internal.priorityClassName` | The priority class to run the pod as | | +| `database.internal.livenessProbe.timeoutSeconds` | The timeout used in liveness probe; 1 to 5 seconds | 1 | +| `database.internal.readinessProbe.timeoutSeconds` | The timeout used in readiness probe; 1 to 5 seconds | 1 | +| `database.internal.extrInitContainers` | Extra init containers to be run before the database's container starts. | `[]` | +| `database.external.host` | The hostname of external database | `192.168.0.1` | +| `database.external.port` | The port of external database | `5432` | +| `database.external.username` | The username of external database | `user` | +| `database.external.password` | The password of external database | `password` | +| `database.external.coreDatabase` | The database used by core service | `registry` | +| `database.external.existingSecret` | An existing password containing the database password. the key must be `password`. | `""` | +| `database.external.sslmode` | Connection method of external database (require, verify-full, verify-ca, disable) | `disable` | +| `database.maxIdleConns` | The maximum number of connections in the idle connection pool. If it <=0, no idle connections are retained. | `50` | +| `database.maxOpenConns` | The maximum number of open connections to the database. If it <= 0, then there is no limit on the number of open connections. 
| `100` | +| `database.podAnnotations` | Annotations to add to the database pod | `{}` | +| **Redis** | | | +| `redis.type` | If external redis is used, set it to `external` | `internal` | +| `redis.internal.image.repository` | Repository for redis image | `goharbor/redis-photon` | +| `redis.internal.image.tag` | Tag for redis image | `dev` | +| `redis.internal.resources` | The [resources] to allocate for container | undefined | +| `redis.internal.automountServiceAccountToken` | Mount serviceAccountToken? | `false` | +| `redis.internal.nodeSelector` | Node labels for pod assignment | `{}` | +| `redis.internal.tolerations` | Tolerations for pod assignment | `[]` | +| `redis.internal.affinity` | Node/Pod affinities | `{}` | +| `redis.internal.priorityClassName` | The priority class to run the pod as | | +| `redis.internal.jobserviceDatabaseIndex` | The database index for jobservice | `1` | +| `redis.internal.registryDatabaseIndex` | The database index for registry | `2` | +| `redis.internal.trivyAdapterIndex` | The database index for trivy adapter | `5` | +| `redis.internal.harborDatabaseIndex` | The database index for harbor miscellaneous business logic | `0` | +| `redis.internal.cacheLayerDatabaseIndex` | The database index for harbor cache layer | `0` | +| `redis.internal.initContainers` | Init containers to be run before the redis's container starts. | `[]` | +| `redis.external.addr` | The addr of external Redis: :. 
When using sentinel, it should be :,:,: | `192.168.0.2:6379` | +| `redis.external.sentinelMasterSet` | The name of the set of Redis instances to monitor | | +| `redis.external.coreDatabaseIndex` | The database index for core | `0` | +| `redis.external.jobserviceDatabaseIndex` | The database index for jobservice | `1` | +| `redis.external.registryDatabaseIndex` | The database index for registry | `2` | +| `redis.external.trivyAdapterIndex` | The database index for trivy adapter | `5` | +| `redis.external.harborDatabaseIndex` | The database index for harbor miscellaneous business logic | `0` | +| `redis.external.cacheLayerDatabaseIndex` | The database index for harbor cache layer | `0` | +| `redis.external.username` | The username of external Redis | | +| `redis.external.password` | The password of external Redis | | +| `redis.external.existingSecret` | Use an existing secret to connect to redis. The key must be `REDIS_PASSWORD`. | `""` | +| `redis.podAnnotations` | Annotations to add to the redis pod | `{}` | +| **Exporter** | | | +| `exporter.replicas` | The replica count | `1` | +| `exporter.revisionHistoryLimit` | The revision history limit | `10` | +| `exporter.podAnnotations` | Annotations to add to the exporter pod | `{}` | +| `exporter.image.repository` | Repository for redis image | `goharbor/harbor-exporter` | +| `exporter.image.tag` | Tag for exporter image | `dev` | +| `exporter.nodeSelector` | Node labels for pod assignment | `{}` | +| `exporter.tolerations` | Tolerations for pod assignment | `[]` | +| `exporter.affinity` | Node/Pod affinities | `{}` | +| `exporter.topologySpreadConstraints` | Constraints that define how Pods are spread across failure-domains like regions or availability zones | `[]` | +| `exporter.automountServiceAccountToken` | Mount serviceAccountToken? 
| `false` | +| `exporter.cacheDuration` | the cache duration for information that exporter collected from Harbor | `30` | +| `exporter.cacheCleanInterval` | cache clean interval for information that exporter collected from Harbor | `14400` | +| `exporter.priorityClassName` | The priority class to run the pod as | | +| **Metrics** | | | +| `metrics.enabled` | if enable harbor metrics | `false` | +| `metrics.core.path` | the url path for core metrics | `/metrics` | +| `metrics.core.port` | the port for core metrics | `8001` | +| `metrics.registry.path` | the url path for registry metrics | `/metrics` | +| `metrics.registry.port` | the port for registry metrics | `8001` | +| `metrics.exporter.path` | the url path for exporter metrics | `/metrics` | +| `metrics.exporter.port` | the port for exporter metrics | `8001` | +| `metrics.serviceMonitor.enabled` | create prometheus serviceMonitor. Requires prometheus CRD's | `false` | +| `metrics.serviceMonitor.additionalLabels` | additional labels to upsert to the manifest | `""` | +| `metrics.serviceMonitor.interval` | scrape period for harbor metrics | `""` | +| `metrics.serviceMonitor.metricRelabelings` | metrics relabel to add/mod/del before ingestion | `[]` | +| `metrics.serviceMonitor.relabelings` | relabels to add/mod/del to sample before scrape | `[]` | +| **Trace** | | | +| `trace.enabled` | Enable tracing or not | `false` | +| `trace.provider` | The tracing provider: `jaeger` or `otel`. 
`jaeger` should be 1.26+ | `jaeger` | +| `trace.sample_rate` | Set `sample_rate` to 1 if you want sampling 100% of trace data; set 0.5 if you want sampling 50% of trace data, and so forth | `1` | +| `trace.namespace` | Namespace used to differentiate different harbor services | | +| `trace.attributes` | `attributes` is a key value dict contains user defined attributes used to initialize trace provider | | +| `trace.jaeger.endpoint` | The endpoint of jaeger | `http://hostname:14268/api/traces` | +| `trace.jaeger.username` | The username of jaeger | | +| `trace.jaeger.password` | The password of jaeger | | +| `trace.jaeger.agent_host` | The agent host of jaeger | | +| `trace.jaeger.agent_port` | The agent port of jaeger | `6831` | +| `trace.otel.endpoint` | The endpoint of otel | `hostname:4318` | +| `trace.otel.url_path` | The URL path of otel | `/v1/traces` | +| `trace.otel.compression` | Whether enable compression or not for otel | `false` | +| `trace.otel.insecure` | Whether establish insecure connection or not for otel | `true` | +| `trace.otel.timeout` | The timeout in seconds of otel | `10` | +| **Cache** | | | +| `cache.enabled` | Enable cache layer or not | `false` | +| `cache.expireHours` | The expire hours of cache layer | `24` | [resources]: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ [trivy]: https://github.com/aquasecurity/trivy diff --git a/charts/harbor/harbor/templates/_helpers.tpl b/charts/harbor/harbor/templates/_helpers.tpl index b3430a1f3..f6249b399 100644 --- a/charts/harbor/harbor/templates/_helpers.tpl +++ b/charts/harbor/harbor/templates/_helpers.tpl 
@@ -25,12 +25,27 @@ If release name contains chart name it will be used as a full name. {{- end }} {{- end }} +{{/* Helm required labels: legacy */}} +{{- define "harbor.legacy.labels" -}} +heritage: {{ .Release.Service }} +release: {{ .Release.Name }} +chart: {{ .Chart.Name }} +app: "{{ template "harbor.name" . }}" +{{- end -}} + {{/* Helm required labels */}} {{- define "harbor.labels" -}} heritage: {{ .Release.Service }} release: {{ .Release.Name }} chart: {{ .Chart.Name }} app: "{{ template "harbor.name" . }}" +app.kubernetes.io/instance: {{ .Release.Name }} +app.kubernetes.io/name: {{ include "harbor.name" . }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +app.kubernetes.io/part-of: {{ include "harbor.name" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} {{- end -}} {{/* matchLabels */}} @@ -563,4 +578,4 @@ app: "{{ template "harbor.name" . }}" {{/* Allow KubeVersion to be overridden. */}} {{- define "harbor.ingress.kubeVersion" -}} {{- default .Capabilities.KubeVersion.Version .Values.expose.ingress.kubeVersionOverride -}} -{{- end -}} \ No newline at end of file +{{- end -}} diff --git a/charts/harbor/harbor/templates/core/core-dpl.yaml b/charts/harbor/harbor/templates/core/core-dpl.yaml index 9a92b45a4..2ee8fd59c 100644 --- a/charts/harbor/harbor/templates/core/core-dpl.yaml +++ b/charts/harbor/harbor/templates/core/core-dpl.yaml @@ -5,6 +5,7 @@ metadata: labels: {{ include "harbor.labels" . | indent 4 }} component: core + app.kubernetes.io/component: core spec: replicas: {{ .Values.core.replicas }} revisionHistoryLimit: {{ .Values.core.revisionHistoryLimit }} @@ -15,8 +16,9 @@ spec: template: metadata: labels: -{{ include "harbor.matchLabels" . | indent 8 }} +{{ include "harbor.labels" . | indent 8 }} component: core + app.kubernetes.io/component: core {{- if .Values.core.podLabels }} {{ toYaml .Values.core.podLabels | indent 8 }} {{- end }} 
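Review bot: The four legacy label lines (`heritage`, `release`, `chart`, `app`) are now copied verbatim into both `harbor.legacy.labels` and `harbor.labels`, so the two definitions can silently drift the next time one is edited. `harbor.labels` could open with `{{ include "harbor.legacy.labels" . }}` and then append only the `app.kubernetes.io/*` keys. A one-line comment on `harbor.legacy.labels` saying where it is meant to be used would also help, since nothing in this hunk distinguishes its purpose from `harbor.labels` — presumably it is for selectors or other immutable fields that must keep the old label set, but its callers are not in this chunk.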
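Review bot: The core pod template now takes its labels from `harbor.labels`, which after this change includes `app.kubernetes.io/version` derived from `.Chart.AppVersion`, so every AppVersion bump rewrites the pod template and rolls the core pods even when nothing else changed; that is acceptable for a Deployment but worth stating in the chart notes. The `spec.selector.matchLabels` block of this Deployment is not in the hunk — it must stay on `harbor.matchLabels`, because a Deployment selector is immutable and an upgrade that switched it to the version-bearing label set would be rejected by the API server. A short comment above the template labels, `# pod labels are the full label set; spec.selector must keep using harbor.matchLabels (immutable)`, would prevent a later "consistency" edit from breaking upgrades.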
@@ -55,6 +57,10 @@ spec: component: core {{- end }} {{- end }} + {{- with .Values.core.initContainers }} + initContainers: + {{- toYaml . | nindent 8 }} + {{- end }} containers: - name: core image: {{ .Values.core.image.repository }}:{{ .Values.core.image.tag }} @@ -144,6 +150,9 @@ spec: {{- with .Values.core.extraEnvVars }} {{- toYaml . | nindent 10 }} {{- end }} + {{- if not (empty .Values.containerSecurityContext) }} + securityContext: {{ .Values.containerSecurityContext | toYaml | nindent 10 }} + {{- end }} ports: - containerPort: {{ template "harbor.core.containerPort" . }} volumeMounts: diff --git a/charts/harbor/harbor/templates/core/core-pre-upgrade-job.yaml b/charts/harbor/harbor/templates/core/core-pre-upgrade-job.yaml index 43c9d3596..ce0b13134 100644 --- a/charts/harbor/harbor/templates/core/core-pre-upgrade-job.yaml +++ b/charts/harbor/harbor/templates/core/core-pre-upgrade-job.yaml @@ -47,6 +47,9 @@ spec: secretKeyRef: name: {{ .Values.database.external.existingSecret }} key: password + {{- end }} + {{- if not (empty .Values.containerSecurityContext) }} + securityContext: {{ .Values.containerSecurityContext | toYaml | nindent 10 }} {{- end }} volumeMounts: - name: config diff --git a/charts/harbor/harbor/templates/database/database-ss.yaml b/charts/harbor/harbor/templates/database/database-ss.yaml index 3b08b07ef..71c5eb1e0 100644 --- a/charts/harbor/harbor/templates/database/database-ss.yaml +++ b/charts/harbor/harbor/templates/database/database-ss.yaml @@ -7,6 +7,7 @@ metadata: labels: {{ include "harbor.labels" . | indent 4 }} component: database + app.kubernetes.io/component: database spec: replicas: 1 serviceName: "{{ template "harbor.database" . }}" @@ -19,6 +20,7 @@ spec: labels: {{ include "harbor.labels" . | indent 8 }} component: database + app.kubernetes.io/component: database {{- if .Values.database.podLabels }} {{ toYaml .Values.database.podLabels | indent 8 }} {{- end }} 
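Review bot: The `initContainers` block added in the `@@ -55,6 +57,10 @@` hunk renders `.Values.core.initContainers` verbatim with `toYaml`, so the shared `containerSecurityContext` that the `@@ -144,6 +150,9 @@` hunk applies to the `core` container does not reach these user-supplied containers; they run with whatever securityContext the user writes, or none. If uniform hardening is the intent, the template should at least say so, e.g. a comment above the block: `{{/* user-supplied init containers are rendered as-is; containerSecurityContext is NOT applied to them */}}`. The same pattern is repeated in the jobservice, portal, redis, registry and trivy templates later in this diff, so one comment per template or a sentence in values.yaml would cover all of them.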
@@ -41,23 +43,6 @@ spec: automountServiceAccountToken: {{ .Values.database.internal.automountServiceAccountToken | default false }} terminationGracePeriodSeconds: 120 initContainers: - # as we change the data directory to a sub folder to support psp, the init container here - # is used to migrate the existing data. See https://github.com/goharbor/harbor-helm/issues/756 - # for more detail. - # we may remove it after several releases - - name: "data-migrator" - image: {{ .Values.database.internal.image.repository }}:{{ .Values.database.internal.image.tag }} - imagePullPolicy: {{ .Values.imagePullPolicy }} - command: ["/bin/sh"] - args: ["-c", "[ -e /var/lib/postgresql/data/postgresql.conf ] && [ ! -d /var/lib/postgresql/data/pgdata ] && mkdir -m 0700 /var/lib/postgresql/data/pgdata && mv /var/lib/postgresql/data/* /var/lib/postgresql/data/pgdata/ || true"] -{{- if .Values.database.internal.initContainer.migrator.resources }} - resources: -{{ toYaml .Values.database.internal.initContainer.migrator.resources | indent 10 }} -{{- end }} - volumeMounts: - - name: database-data - mountPath: /var/lib/postgresql/data - subPath: {{ $database.subPath }} # with "fsGroup" set, each time a volume is mounted, Kubernetes must recursively chown() and chmod() all the files and directories inside the volume # this causes the postgresql reports the "data directory /var/lib/postgresql/data/pgdata has group or world access" issue when using some CSIs e.g. Ceph # use this init container to correct the permission 
@@ -65,6 +50,9 @@ spec: - name: "data-permissions-ensurer" image: {{ .Values.database.internal.image.repository }}:{{ .Values.database.internal.image.tag }} imagePullPolicy: {{ .Values.imagePullPolicy }} + {{- if not (empty .Values.containerSecurityContext) }} + securityContext: {{ .Values.containerSecurityContext | toYaml | nindent 10 }} + {{- end }} command: ["/bin/sh"] args: ["-c", "chmod -R 700 /var/lib/postgresql/data/pgdata || true"] {{- if .Values.database.internal.initContainer.permissions.resources }} @@ -75,10 +63,16 @@ spec: - name: database-data mountPath: /var/lib/postgresql/data subPath: {{ $database.subPath }} + {{- with .Values.database.internal.extrInitContainers }} + {{- toYaml . | nindent 6 }} + {{- end }} containers: - name: database image: {{ .Values.database.internal.image.repository }}:{{ .Values.database.internal.image.tag }} imagePullPolicy: {{ .Values.imagePullPolicy }} + {{- if not (empty .Values.containerSecurityContext) }} + securityContext: {{ .Values.containerSecurityContext | toYaml | nindent 10 }} + {{- end }} livenessProbe: exec: command: @@ -147,7 +141,7 @@ spec: - metadata: name: "database-data" labels: -{{ include "harbor.labels" . | indent 8 }} +{{ include "harbor.legacy.labels" . | indent 8 }} annotations: {{- range $key, $value := $database.annotations }} {{ $key }}: {{ $value | quote }} diff --git a/charts/harbor/harbor/templates/exporter/exporter-dpl.yaml b/charts/harbor/harbor/templates/exporter/exporter-dpl.yaml index 6d2e1f53a..01e9258ea 100644 --- a/charts/harbor/harbor/templates/exporter/exporter-dpl.yaml +++ b/charts/harbor/harbor/templates/exporter/exporter-dpl.yaml @@ -6,6 +6,7 @@ metadata: labels: {{ include "harbor.labels" . | indent 4 }} component: exporter + app.kubernetes.io/component: exporter spec: replicas: {{ .Values.exporter.replicas }} revisionHistoryLimit: {{ .Values.exporter.revisionHistoryLimit }} 
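Review bot: In the `@@ -65,6 +50,9 @@` hunk the shared `containerSecurityContext` is now applied to the `data-permissions-ensurer` init container, whose only job is `chmod -R 700` on the data directory; with the chart's default context added later in this diff (`runAsNonRoot: true`, `capabilities.drop: [ALL]`) a chmod on files owned by a different UID fails without CAP_FOWNER, and the trailing `|| true` hides that failure, so the permission repair described in the comment above the container may silently stop working. Whether this happens depends on the UID the postgres image runs as and on the ownership of pre-existing volumes, neither of which is visible here; it is worth a `helm template` plus an upgrade test on an existing volume. If the init container needs privileges the shared context removes, give it its own `securityContext` instead of the shared one.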
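Review bot: `.Values.database.internal.extrInitContainers` in the `@@ -75,10 +63,16 @@` hunk looks like a typo for `extraInitContainers`, and it also departs from the `initContainers` key every other component in this diff uses (`core.initContainers`, `jobservice.initContainers`, `redis.internal.initContainers`, …); the values.yaml hunks visible here add no `database.internal` key with either spelling, so anything a user sets under the expected name is silently ignored. Suggest `{{- with .Values.database.internal.initContainers }}` plus the matching values.yaml entry. The `nindent 6` here differs from the `nindent 8` used elsewhere, presumably because these items are appended to the existing `initContainers:` list rather than opening one; confirm with `helm template` that they land in the same list as `data-permissions-ensurer`.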
@@ -18,10 +19,13 @@ spec: labels: {{ include "harbor.labels" . | indent 8 }} component: exporter + app.kubernetes.io/component: exporter {{- if .Values.exporter.podLabels }} {{ toYaml .Values.exporter.podLabels | indent 8 }} {{- end }} annotations: + checksum/configmap: {{ include (print $.Template.BasePath "/exporter/exporter-cm-env.yaml") . | sha256sum }} + checksum/secret: {{ include (print $.Template.BasePath "/exporter/exporter-secret.yaml") . | sha256sum }} {{- if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "auto") }} checksum/tls: {{ include (print $.Template.BasePath "/internal/auto-tls.yaml") . | sha256sum }} {{- else if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "manual") }} @@ -97,8 +101,11 @@ spec: env: {{- toYaml . | nindent 10 }} {{- end }} + {{- if not (empty .Values.containerSecurityContext) }} + securityContext: {{ .Values.containerSecurityContext | toYaml | nindent 10 }} + {{- end }} ports: - - containerPort: {{ template "harbor.core.containerPort" . }} + - containerPort: {{ .Values.metrics.exporter.port }} volumeMounts: {{- if .Values.caBundleSecretName }} {{ include "harbor.caBundleVolumeMount" . | indent 8 }} diff --git a/charts/harbor/harbor/templates/ingress/ingress.yaml b/charts/harbor/harbor/templates/ingress/ingress.yaml index e4c06939c..73472c605 100644 --- a/charts/harbor/harbor/templates/ingress/ingress.yaml +++ b/charts/harbor/harbor/templates/ingress/ingress.yaml @@ -37,8 +37,8 @@ metadata: name: "{{ template "harbor.ingress" . }}" labels: {{ include "harbor.labels" . | indent 4 }} -{{- if $ingress.harbor.labels }} -{{ toYaml $ingress.harbor.labels | indent 4 }} +{{- if $ingress.labels }} +{{ toYaml $ingress.labels | indent 4 }} {{- end }} annotations: {{ toYaml $ingress.annotations | indent 4 }} 
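Review bot: The `@@ -37,8 +37,8 @@` ingress hunk replaces `$ingress.harbor.labels` with `$ingress.labels`, and together with the removal of `$ingress.harbor.annotations` in the next hunk and of `expose.ingress.harbor` in the values.yaml hunk `@@ -46,23 +46,22 @@`, it silently drops whatever an existing installation has under `expose.ingress.harbor.*`; Helm ignores unknown values unless a values schema rejects them, and ingress annotations are typically where authentication, source-IP allow-lists and TLS behaviour are configured, so losing them on upgrade is a security-relevant regression, not just a rename. A guard at the top of the template such as `{{- if $ingress.harbor }}{{ fail "expose.ingress.harbor.* was removed; use expose.ingress.labels and expose.ingress.annotations" }}{{- end }}` would turn the silent drop into an upgrade error, or at minimum the chart README should carry an upgrade note.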
@@ -51,9 +51,6 @@ metadata: ncp/http-redirect: "true" {{- end }} {{- end }} -{{- if $ingress.harbor.annotations }} -{{ toYaml $ingress.harbor.annotations | indent 4 }} -{{- end }} spec: {{- if $ingress.className }} ingressClassName: {{ $ingress.className }} diff --git a/charts/harbor/harbor/templates/jobservice/jobservice-dpl.yaml b/charts/harbor/harbor/templates/jobservice/jobservice-dpl.yaml index e39e77e6e..1bb669082 100644 --- a/charts/harbor/harbor/templates/jobservice/jobservice-dpl.yaml +++ b/charts/harbor/harbor/templates/jobservice/jobservice-dpl.yaml @@ -5,6 +5,7 @@ metadata: labels: {{ include "harbor.labels" . | indent 4 }} component: jobservice + app.kubernetes.io/component: jobservice spec: replicas: {{ .Values.jobservice.replicas }} revisionHistoryLimit: {{ .Values.jobservice.revisionHistoryLimit }} @@ -22,6 +23,7 @@ spec: labels: {{ include "harbor.labels" . | indent 8 }} component: jobservice + app.kubernetes.io/component: jobservice {{- if .Values.jobservice.podLabels }} {{ toYaml .Values.jobservice.podLabels | indent 8 }} {{- end }} @@ -61,6 +63,10 @@ spec: component: jobservice {{- end }} {{- end }} + {{- with .Values.jobservice.initContainers }} + initContainers: + {{- toYaml . | nindent 8 }} + {{- end }} containers: - name: jobservice image: {{ .Values.jobservice.image.repository }}:{{ .Values.jobservice.image.tag }} @@ -116,6 +122,9 @@ spec: {{- with .Values.jobservice.extraEnvVars }} {{- toYaml . | nindent 10 }} {{- end }} + {{- if not (empty .Values.containerSecurityContext) }} + securityContext: {{ .Values.containerSecurityContext | toYaml | nindent 10 }} + {{- end }} envFrom: - configMapRef: name: "{{ template "harbor.jobservice" . }}-env" diff --git a/charts/harbor/harbor/templates/jobservice/jobservice-pvc.yaml b/charts/harbor/harbor/templates/jobservice/jobservice-pvc.yaml index a6b8b8bd3..3f7d00b67 100644 --- a/charts/harbor/harbor/templates/jobservice/jobservice-pvc.yaml 
+++ b/charts/harbor/harbor/templates/jobservice/jobservice-pvc.yaml @@ -14,6 +14,7 @@ metadata: labels: {{ include "harbor.labels" . | indent 4 }} component: jobservice + app.kubernetes.io/component: jobservice spec: accessModes: - {{ $jobLog.accessMode }} diff --git a/charts/harbor/harbor/templates/nginx/deployment.yaml b/charts/harbor/harbor/templates/nginx/deployment.yaml index 8290d497b..3abc94198 100644 --- a/charts/harbor/harbor/templates/nginx/deployment.yaml +++ b/charts/harbor/harbor/templates/nginx/deployment.yaml @@ -6,6 +6,7 @@ metadata: labels: {{ include "harbor.labels" . | indent 4 }} component: nginx + app.kubernetes.io/component: nginx spec: replicas: {{ .Values.nginx.replicas }} revisionHistoryLimit: {{ .Values.nginx.revisionHistoryLimit }} @@ -18,6 +19,7 @@ spec: labels: {{ include "harbor.labels" . | indent 8 }} component: nginx + app.kubernetes.io/component: nginx {{- if .Values.nginx.podLabels }} {{ toYaml .Values.nginx.podLabels | indent 8 }} {{- end }} @@ -87,10 +89,14 @@ spec: env: {{- toYaml . | nindent 10 }} {{- end }} + {{- if not (empty .Values.containerSecurityContext) }} + securityContext: {{ .Values.containerSecurityContext | toYaml | nindent 10 }} + {{- end }} ports: - containerPort: 8080 + {{- if .Values.expose.tls.enabled }} - containerPort: 8443 - - containerPort: 4443 + {{- end }} volumeMounts: - name: config mountPath: /etc/nginx/nginx.conf diff --git a/charts/harbor/harbor/templates/nginx/service.yaml b/charts/harbor/harbor/templates/nginx/service.yaml index 205a805ea..691584ce0 100644 --- a/charts/harbor/harbor/templates/nginx/service.yaml +++ b/charts/harbor/harbor/templates/nginx/service.yaml @@ -7,6 +7,9 @@ metadata: name: {{ $clusterIP.name }} labels: {{ include "harbor.labels" . | indent 4 }} +{{- if .Values.expose.clusterIP.labels }} +{{ toYaml $clusterIP.labels | indent 4 }} +{{- end }} {{- with $clusterIP.annotations }} annotations: {{- toYaml . | nindent 4 }} 
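Review bot: The `@@ -7,6 +7,9 @@` hunk in nginx/service.yaml tests `.Values.expose.clusterIP.labels` but renders `$clusterIP.labels`, mixing the values path with the local variable the surrounding template already uses (`{{- with $clusterIP.annotations }}` on the next line); the nodePort and loadBalancer hunks on the following line do the same. If `$clusterIP` is ever bound to something other than `.Values.expose.clusterIP`, the condition and the body disagree. `{{- with $clusterIP.labels }}` / `{{ toYaml . | indent 4 }}` / `{{- end }}` follows the existing annotations idiom and keeps one source of truth.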
@@ -30,6 +33,13 @@ spec: name: {{ $nodePort.name }} labels: {{ include "harbor.labels" . | indent 4 }} +{{- if .Values.expose.nodePort.labels }} +{{ toYaml $nodePort.labels | indent 4 }} +{{- end }} +{{- with $nodePort.annotations }} + annotations: + {{- toYaml . | nindent 4 }} +{{- end }} spec: type: NodePort ports: @@ -52,6 +62,9 @@ spec: name: {{ $loadBalancer.name }} labels: {{ include "harbor.labels" . | indent 4 }} +{{- if .Values.expose.loadBalancer.labels }} +{{ toYaml $loadBalancer.labels | indent 4 }} +{{- end }} {{- with $loadBalancer.annotations }} annotations: {{- toYaml . | nindent 4 }} diff --git a/charts/harbor/harbor/templates/portal/deployment.yaml b/charts/harbor/harbor/templates/portal/deployment.yaml index 959a3fd7b..4dea94438 100644 --- a/charts/harbor/harbor/templates/portal/deployment.yaml +++ b/charts/harbor/harbor/templates/portal/deployment.yaml @@ -5,6 +5,7 @@ metadata: labels: {{ include "harbor.labels" . | indent 4 }} component: portal + app.kubernetes.io/component: portal spec: replicas: {{ .Values.portal.replicas }} revisionHistoryLimit: {{ .Values.portal.revisionHistoryLimit }} @@ -15,8 +16,9 @@ spec: template: metadata: labels: -{{ include "harbor.matchLabels" . | indent 8 }} +{{ include "harbor.labels" . | indent 8 }} component: portal + app.kubernetes.io/component: portal {{- if .Values.portal.podLabels }} {{ toYaml .Values.portal.podLabels | indent 8 }} {{- end }} @@ -52,6 +54,10 @@ spec: component: portal {{- end }} {{- end }} + {{- with .Values.portal.initContainers }} + initContainers: + {{- toYaml . | nindent 8 }} + {{- end }} containers: - name: portal image: {{ .Values.portal.image.repository }}:{{ .Values.portal.image.tag }} @@ -64,6 +70,9 @@ spec: env: {{- toYaml . | nindent 10 }} {{- end }} + {{- if not (empty .Values.containerSecurityContext) }} + securityContext: {{ .Values.containerSecurityContext | toYaml | nindent 10 }} + {{- end }} livenessProbe: httpGet: path: / 
diff --git a/charts/harbor/harbor/templates/redis/statefulset.yaml b/charts/harbor/harbor/templates/redis/statefulset.yaml index 371b0fd5a..1d37fb184 100644 --- a/charts/harbor/harbor/templates/redis/statefulset.yaml +++ b/charts/harbor/harbor/templates/redis/statefulset.yaml @@ -7,6 +7,7 @@ metadata: labels: {{ include "harbor.labels" . | indent 4 }} component: redis + app.kubernetes.io/component: redis spec: replicas: 1 serviceName: {{ template "harbor.redis" . }} @@ -19,6 +20,7 @@ spec: labels: {{ include "harbor.labels" . | indent 8 }} component: redis + app.kubernetes.io/component: redis {{- if .Values.redis.podLabels }} {{ toYaml .Values.redis.podLabels | indent 8 }} {{- end }} @@ -39,10 +41,17 @@ spec: {{- end }} automountServiceAccountToken: {{ .Values.redis.internal.automountServiceAccountToken | default false }} terminationGracePeriodSeconds: 120 + {{- with .Values.redis.internal.initContainers }} + initContainers: + {{- toYaml . | nindent 8 }} + {{- end }} containers: - name: redis image: {{ .Values.redis.internal.image.repository }}:{{ .Values.redis.internal.image.tag }} imagePullPolicy: {{ .Values.imagePullPolicy }} + {{- if not (empty .Values.containerSecurityContext) }} + securityContext: {{ .Values.containerSecurityContext | toYaml | nindent 10 }} + {{- end }} livenessProbe: tcpSocket: port: 6379 @@ -95,7 +104,7 @@ spec: - metadata: name: data labels: -{{ include "harbor.labels" . | indent 8 }} +{{ include "harbor.legacy.labels" . | indent 8 }} annotations: {{- range $key, $value := $redis.annotations }} {{ $key }}: {{ $value | quote }} diff --git a/charts/harbor/harbor/templates/registry/registry-dpl.yaml b/charts/harbor/harbor/templates/registry/registry-dpl.yaml index dc4a83347..0965cf2e2 100644 --- a/charts/harbor/harbor/templates/registry/registry-dpl.yaml +++ b/charts/harbor/harbor/templates/registry/registry-dpl.yaml 
@@ -7,6 +7,7 @@ metadata: labels: {{ include "harbor.labels" . | indent 4 }} component: registry + app.kubernetes.io/component: registry spec: replicas: {{ .Values.registry.replicas }} revisionHistoryLimit: {{ .Values.registry.revisionHistoryLimit }} @@ -24,6 +25,7 @@ spec: labels: {{ include "harbor.labels" . | indent 8 }} component: registry + app.kubernetes.io/component: registry {{- if .Values.registry.podLabels }} {{ toYaml .Values.registry.podLabels | indent 8 }} {{- end }} @@ -64,6 +66,10 @@ spec: component: registry {{- end }} {{- end }} + {{- with .Values.registry.initContainers }} + initContainers: + {{- toYaml . | nindent 8 }} + {{- end }} containers: - name: registry image: {{ .Values.registry.registry.image.repository }}:{{ .Values.registry.registry.image.tag }} @@ -86,6 +92,9 @@ spec: resources: {{ toYaml .Values.registry.registry.resources | indent 10 }} {{- end }} + {{- if not (empty .Values.containerSecurityContext) }} + securityContext: {{ .Values.containerSecurityContext | toYaml | nindent 10 }} + {{- end }} args: ["serve", "/etc/registry/config.yml"] envFrom: - secretRef: @@ -166,7 +175,7 @@ spec: {{- end }} ports: - containerPort: {{ template "harbor.registry.containerPort" . }} - - containerPort: 5001 + - containerPort: {{ ternary .Values.metrics.registry.port 5001 .Values.metrics.enabled }} volumeMounts: - name: registry-data mountPath: {{ .Values.persistence.imageChartStorage.filesystem.rootdirectory }} @@ -222,6 +231,9 @@ spec: resources: {{ toYaml .Values.registry.controller.resources | indent 10 }} {{- end }} + {{- if not (empty .Values.containerSecurityContext) }} + securityContext: {{ .Values.containerSecurityContext | toYaml | nindent 10 }} + {{- end }} envFrom: - configMapRef: name: "{{ template "harbor.registryCtl" . }}" diff --git a/charts/harbor/harbor/templates/registry/registry-pvc.yaml b/charts/harbor/harbor/templates/registry/registry-pvc.yaml index 2112e2287..5d6d4d3dd 100644 
--- a/charts/harbor/harbor/templates/registry/registry-pvc.yaml +++ b/charts/harbor/harbor/templates/registry/registry-pvc.yaml @@ -15,6 +15,7 @@ metadata: labels: {{ include "harbor.labels" . | indent 4 }} component: registry + app.kubernetes.io/component: registry spec: accessModes: - {{ $registry.accessMode }} diff --git a/charts/harbor/harbor/templates/trivy/trivy-sts.yaml b/charts/harbor/harbor/templates/trivy/trivy-sts.yaml index 7ee4e1068..c876ba387 100644 --- a/charts/harbor/harbor/templates/trivy/trivy-sts.yaml +++ b/charts/harbor/harbor/templates/trivy/trivy-sts.yaml @@ -7,6 +7,7 @@ metadata: labels: {{ include "harbor.labels" . | indent 4 }} component: trivy + app.kubernetes.io/component: trivy spec: replicas: {{ .Values.trivy.replicas }} serviceName: {{ template "harbor.trivy" . }} @@ -19,6 +20,7 @@ spec: labels: {{ include "harbor.labels" . | indent 8 }} component: trivy + app.kubernetes.io/component: trivy {{- if .Values.trivy.podLabels }} {{ toYaml .Values.trivy.podLabels | indent 8 }} {{- end }} @@ -54,13 +56,17 @@ spec: component: trivy {{- end }} {{- end }} + {{- with .Values.trivy.initContainers }} + initContainers: + {{- toYaml . | nindent 8 }} + {{- end }} containers: - name: trivy image: {{ .Values.trivy.image.repository }}:{{ .Values.trivy.image.tag }} imagePullPolicy: {{ .Values.imagePullPolicy }} - securityContext: - privileged: false - allowPrivilegeEscalation: false + {{- if not (empty .Values.containerSecurityContext) }} + securityContext: {{ .Values.containerSecurityContext | toYaml | nindent 12 }} + {{- end }} env: {{- if has "trivy" .Values.proxy.components }} - name: HTTP_PROXY @@ -203,7 +209,7 @@ spec: - metadata: name: data labels: -{{ include "harbor.labels" . | indent 8 }} +{{ include "harbor.legacy.labels" . | indent 8 }} annotations: {{- range $key, $value := $trivy.annotations }} {{ $key }}: {{ $value | quote }} diff --git a/charts/harbor/harbor/values.yaml b/charts/harbor/harbor/values.yaml index 688b42c3a..529ec928b 100644 
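Review bot: The `@@ -54,13 +56,17 @@` trivy hunk removes the container's unconditional `securityContext` (`privileged: false`, `allowPrivilegeEscalation: false`) in favour of the shared `containerSecurityContext`, which is rendered only when non-empty; the values.yaml comment added in this diff explicitly invites users to edit that value, and a user who empties it now leaves trivy with no securityContext at all, a hardening floor the container had before this change. Either keep the two original keys unconditionally and merge the shared context on top, or state in values.yaml that an empty `containerSecurityContext` removes every per-container hardening setting, trivy's included. The `nindent 12` here also differs from the `nindent 10` used in every other template in this diff; the file's list indentation is not visible in the collapsed hunk, so confirm with `helm template` that the key renders under the `trivy` container and not one level out.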
--- a/charts/harbor/harbor/values.yaml +++ b/charts/harbor/harbor/values.yaml @@ -46,23 +46,22 @@ expose: ingress.kubernetes.io/proxy-body-size: "0" nginx.ingress.kubernetes.io/ssl-redirect: "true" nginx.ingress.kubernetes.io/proxy-body-size: "0" - harbor: - # harbor ingress-specific annotations - annotations: {} - # harbor ingress-specific labels - labels: {} + # ingress-specific labels + labels: {} clusterIP: # The name of ClusterIP service name: harbor # The ip address of the ClusterIP service (leave empty for acquiring dynamic ip) staticClusterIP: "" - # Annotations on the ClusterIP service - annotations: {} ports: # The service port Harbor listens on when serving HTTP httpPort: 80 # The service port Harbor listens on when serving HTTPS httpsPort: 443 + # Annotations on the ClusterIP service + annotations: {} + # ClusterIP-specific labels + labels: {} nodePort: # The name of NodePort service name: harbor @@ -77,6 +76,10 @@ expose: port: 443 # The node port Harbor listens on when serving HTTPS nodePort: 30003 + # Annotations on the nodePort service + annotations: {} + # nodePort-specific labels + labels: {} loadBalancer: # The name of LoadBalancer service name: harbor @@ -87,7 +90,10 @@ expose: httpPort: 80 # The service port Harbor listens on when serving HTTPS httpsPort: 443 + # Annotations on the loadBalancer service annotations: {} + # loadBalancer-specific labels + labels: {} sourceRanges: [] # The external URL for Harbor core service. It is used to 
@@ -105,69 +111,6 @@ expose: # If Harbor is deployed behind the proxy, set it as the URL of proxy externalURL: https://core.harbor.domain -# The internal TLS used for harbor components secure communicating. In order to enable https -# in each component tls cert files need to provided in advance. -internalTLS: - # If internal TLS enabled - enabled: false - # enable strong ssl ciphers (default: false) - strong_ssl_ciphers: false - # There are three ways to provide tls - # 1) "auto" will generate cert automatically - # 2) "manual" need provide cert file manually in following value - # 3) "secret" internal certificates from secret - certSource: "auto" - # The content of trust ca, only available when `certSource` is "manual" - trustCa: "" - # core related cert configuration - core: - # secret name for core's tls certs - secretName: "" - # Content of core's TLS cert file, only available when `certSource` is "manual" - crt: "" - # Content of core's TLS key file, only available when `certSource` is "manual" - key: "" - # jobservice related cert configuration - jobservice: - # secret name for jobservice's tls certs - secretName: "" - # Content of jobservice's TLS key file, only available when `certSource` is "manual" - crt: "" - # Content of jobservice's TLS key file, only available when `certSource` is "manual" - key: "" - # registry related cert configuration - registry: - # secret name for registry's tls certs - secretName: "" - # Content of registry's TLS key file, only available when `certSource` is "manual" - crt: "" - # Content of registry's TLS key file, only available when `certSource` is "manual" - key: "" - # portal related cert configuration - portal: - # secret name for portal's tls certs - secretName: "" - # Content of portal's TLS key file, only available when `certSource` is "manual" - crt: "" - # Content of portal's TLS key file, only available when `certSource` is "manual" - key: "" - # trivy related cert configuration - trivy: - # secret name for trivy's 
tls certs - secretName: "" - # Content of trivy's TLS key file, only available when `certSource` is "manual" - crt: "" - # Content of trivy's TLS key file, only available when `certSource` is "manual" - key: "" - -ipFamily: - # ipv6Enabled set to true if ipv6 is enabled in cluster, currently it affected the nginx related component - ipv6: - enabled: true - # ipv4Enabled set to true if ipv4 is enabled in cluster, currently it affected the nginx related component - ipv4: - enabled: true - # The persistence is enabled by default and a default StorageClass # is needed in the k8s cluster to provision volumes dynamically. # Specify another StorageClass in the "storageClass" or set "existingClaim" @@ -230,7 +173,7 @@ persistence: annotations: {} # Define which storage backend is used for registry to store # images and charts. Refer to - # https://github.com/distribution/distribution/blob/main/docs/configuration.md#storage + # https://github.com/distribution/distribution/blob/main/docs/content/about/configuration.md#storage # for the detail. imageChartStorage: # Specify whether to disable `redirect` for images and chart storage, for 
@@ -324,6 +267,76 @@ persistence: #chunksize: 10M #rootdirectory: rootdirectory +# The initial password of Harbor admin. Change it from portal after launching Harbor +# or give an existing secret for it +# key in secret is given via (default to HARBOR_ADMIN_PASSWORD) +# existingSecretAdminPassword: +existingSecretAdminPasswordKey: HARBOR_ADMIN_PASSWORD +harborAdminPassword: "Harbor12345" + +# The internal TLS used for harbor components secure communicating. In order to enable https +# in each component tls cert files need to provided in advance. +internalTLS: + # If internal TLS enabled + enabled: false + # enable strong ssl ciphers (default: false) + strong_ssl_ciphers: false + # There are three ways to provide tls + # 1) "auto" will generate cert automatically + # 2) "manual" need provide cert file manually in following value + # 3) "secret" internal certificates from secret + certSource: "auto" + # The content of trust ca, only available when `certSource` is "manual" + trustCa: "" + # core related cert configuration + core: + # secret name for core's tls certs + secretName: "" + # Content of core's TLS cert file, only available when `certSource` is "manual" + crt: "" + # Content of core's TLS key file, only available when `certSource` is "manual" + key: "" + # jobservice related cert configuration + jobservice: + # secret name for jobservice's tls certs + secretName: "" + # Content of jobservice's TLS key file, only available when `certSource` is "manual" + crt: "" + # Content of jobservice's TLS key file, only available when `certSource` is "manual" + key: "" + # registry related cert configuration + registry: + # secret name for registry's tls certs + secretName: "" + # Content of registry's TLS key file, only available when `certSource` is "manual" + crt: "" + # Content of registry's TLS key file, only available when `certSource` is "manual" + key: "" + # portal related cert configuration + portal: + # secret name for portal's tls certs + secretName: "" + # 
Content of portal's TLS key file, only available when `certSource` is "manual" + crt: "" + # Content of portal's TLS key file, only available when `certSource` is "manual" + key: "" + # trivy related cert configuration + trivy: + # secret name for trivy's tls certs + secretName: "" + # Content of trivy's TLS key file, only available when `certSource` is "manual" + crt: "" + # Content of trivy's TLS key file, only available when `certSource` is "manual" + key: "" + +ipFamily: + # ipv6Enabled set to true if ipv6 is enabled in cluster, currently it affected the nginx related component + ipv6: + enabled: true + # ipv4Enabled set to true if ipv4 is enabled in cluster, currently it affected the nginx related component + ipv4: + enabled: true + imagePullPolicy: IfNotPresent # Use this set to assign a list of default pullSecrets @@ -339,13 +352,6 @@ updateStrategy: # debug, info, warning, error or fatal logLevel: info -# The initial password of Harbor admin. Change it from portal after launching Harbor -# or give an existing secret for it -# key in secret is given via (default to HARBOR_ADMIN_PASSWORD) -# existingSecretAdminPassword: -existingSecretAdminPasswordKey: HARBOR_ADMIN_PASSWORD -harborAdminPassword: "Harbor12345" - # The name of the secret which contains key named "ca.crt". Setting this enables the # download link on portal to download the CA certificate when the certificate isn't # generated automatically 
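Review bot: In the relocated `internalTLS` block (hunk `@@ -324,6 +267,76 @@`) the comments on the `crt` keys for jobservice, registry, portal and trivy all read `Content of ...'s TLS key file`, a copy of the `key` comment beneath them; only `core.crt` says `TLS cert file`. Since the diff already moves these lines, it is a cheap moment to change `key file` to `cert file` in those four comments. The same hunk relocates `harborAdminPassword: "Harbor12345"`; the comment above it could say plainly that this is a published default that must be changed, and point to `existingSecretAdminPassword` as the way to keep the password out of values files altogether.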
@@ -381,11 +387,103 @@ enableMigrateHelmHook: false # contains a base64 encoded CA Certificate named `ca.crt`. # uaaSecretName: +metrics: + enabled: false + core: + path: /metrics + port: 8001 + registry: + path: /metrics + port: 8001 + jobservice: + path: /metrics + port: 8001 + exporter: + path: /metrics + port: 8001 + ## Create prometheus serviceMonitor to scrape harbor metrics. + ## This requires the monitoring.coreos.com/v1 CRD. Please see + ## https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/user-guides/getting-started.md + ## + serviceMonitor: + enabled: false + additionalLabels: {} + # Scrape interval. If not set, the Prometheus default scrape interval is used. + interval: "" + # Metric relabel configs to apply to samples before ingestion. + metricRelabelings: + [] + # - action: keep + # regex: 'kube_(daemonset|deployment|pod|namespace|node|statefulset).+' + # sourceLabels: [__name__] + # Relabel configs to apply to samples before ingestion. + relabelings: + [] + # - sourceLabels: [__meta_kubernetes_pod_node_name] + # separator: ; + # regex: ^(.*)$ + # targetLabel: nodename + # replacement: $1 + # action: replace + +trace: + enabled: false + # trace provider: jaeger or otel + # jaeger should be 1.26+ + provider: jaeger + # set sample_rate to 1 if you wanna sampling 100% of trace data; set 0.5 if you wanna sampling 50% of trace data, and so forth + sample_rate: 1 + # namespace used to differentiate different harbor services + # namespace: + # attributes is a key value dict contains user defined attributes used to initialize trace provider + # attributes: + # application: harbor + jaeger: + # jaeger supports two modes: + # collector mode(uncomment endpoint and uncomment username, password if needed) + # agent mode(uncomment agent_host and agent_port) + endpoint: http://hostname:14268/api/traces + # username: + # password: + # agent_host: hostname + # export trace data by jaeger.thrift in compact mode + # agent_port: 6831 + 
otel: + endpoint: hostname:4318 + url_path: /v1/traces + compression: false + insecure: true + # timeout is in seconds + timeout: 10 + +# cache layer configurations +# if this feature enabled, harbor will cache the resource +# `project/project_metadata/repository/artifact/manifest` in the redis +# which help to improve the performance of high concurrent pulling manifest. +cache: + # default is not enabled. + enabled: false + # default keep cache for one day. + expireHours: 24 + +## set Container Security Context to comply with PSP restricted policy if necessary +## each of the conatiner will apply the same security context +## containerSecurityContext:{} is initially an empty yaml that you could edit it on demand, we just filled with a common template for convenience +containerSecurityContext: + privileged: false + allowPrivilegeEscalation: false + seccompProfile: + type: RuntimeDefault + runAsNonRoot: true + capabilities: + drop: + - ALL + # If service exposed via "ingress", the Nginx will not be used nginx: image: repository: goharbor/nginx-photon - tag: v2.10.2 + tag: v2.11.0 # set the service account to be used, default if left empty serviceAccountName: "" # mount the service account token @@ -416,7 +514,7 @@ nginx: portal: image: repository: goharbor/harbor-portal - tag: v2.10.2 + tag: v2.11.0 # set the service account to be used, default if left empty serviceAccountName: "" # mount the service account token @@ -445,11 +543,18 @@ portal: serviceAnnotations: {} ## The priority class to run the pod as priorityClassName: + # containers to be run before the controller's container starts. + initContainers: [] + # Example: + # + # - name: wait + # image: busybox + # command: [ 'sh', '-c', "sleep 20" ] core: image: repository: goharbor/harbor-core - tag: v2.10.2 + tag: v2.11.0 # set the service account to be used, default if left empty serviceAccountName: "" # mount the service account token 
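Review bot: The default `containerSecurityContext` added in the `@@ -381,11 +387,103 @@` hunk sets `runAsNonRoot: true` without a `runAsUser`, so the kubelet will refuse to start any container whose image does not declare a numeric non-root `USER` (CreateContainerConfigError); whether every image this chart ships, including the postgres and redis ones that now receive the same context, satisfies that is not visible here and should be verified before this becomes the default. The comment above it still speaks of the `PSP restricted policy`; PodSecurityPolicy was removed in Kubernetes 1.25, so `## set Container Security Context to comply with the Pod Security Standards "restricted" profile if necessary` would be accurate, and `conatiner` in the next comment line is a typo. A note that the context is not applied to user-supplied `initContainers` would also belong here, since the templates in this diff render those verbatim.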
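Review bot: The `initContainers` example added under `portal` in the `@@ -445,11 +543,18 @@` hunk uses `image: busybox` with no tag or digest, so anyone copying it pulls a floating `latest`; an example in a chart that otherwise pins every image tag should pin too, e.g. `image: busybox:<pinned tag or digest>` (placeholder). The same example is repeated for core, jobservice and registry in the following hunks, so one fix per copy. The comment `containers to be run before the controller's container starts` is also copied unchanged into each component, where `controller` is misleading; `before the portal container starts` (and the matching component name in the other copies) reads correctly.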
@@ -480,6 +585,15 @@ core: podLabels: {} ## Additional service annotations serviceAnnotations: {} + ## The priority class to run the pod as + priorityClassName: + # containers to be run before the controller's container starts. + initContainers: [] + # Example: + # + # - name: wait + # image: busybox + # command: [ 'sh', '-c', "sleep 20" ] ## User settings configuration json string configureUserSettings: # The provider for updating project quota(usage), there are 2 options, redis or db. @@ -516,8 +630,6 @@ core: existingXsrfSecret: "" # If using existingSecret, the key existingXsrfSecretKey: CSRF_KEY - ## The priority class to run the pod as - priorityClassName: # The time duration for async update artifact pull_time and repository # pull_count, the unit is second. Will be 10 seconds if it isn't set. # eg. artifactPullAsyncFlushDuration: 10 @@ -529,30 +641,13 @@ core: jobservice: image: repository: goharbor/harbor-jobservice - tag: v2.10.2 - replicas: 1 - revisionHistoryLimit: 10 + tag: v2.11.0 # set the service account to be used, default if left empty serviceAccountName: "" # mount the service account token automountServiceAccountToken: false - maxJobWorkers: 10 - # The logger for jobs: "file", "database" or "stdout" - jobLoggers: - - file - # - database - # - stdout - # The jobLogger sweeper duration (ignored if `jobLogger` is `stdout`) - loggerSweeperDuration: 14 #days - notification: - webhook_job_max_retry: 3 - webhook_job_http_client_timeout: 3 # in seconds - reaper: - # the max time to wait for a task to finish, if unfinished after max_update_hours, the task will be mark as error, but the task will continue to run, default value is 24 - max_update_hours: 24 - # the max time for execution in running state without new task created - max_dangling_hours: 168 - + replicas: 1 + revisionHistoryLimit: 10 # resources: # requests: # memory: 256Mi 
@@ -571,6 +666,31 @@ jobservice: podAnnotations: {} ## Additional deployment labels podLabels: {} + ## The priority class to run the pod as + priorityClassName: + # containers to be run before the controller's container starts. + initContainers: [] + # Example: + # + # - name: wait + # image: busybox + # command: [ 'sh', '-c', "sleep 20" ] + maxJobWorkers: 10 + # The logger for jobs: "file", "database" or "stdout" + jobLoggers: + - file + # - database + # - stdout + # The jobLogger sweeper duration (ignored if `jobLogger` is `stdout`) + loggerSweeperDuration: 14 #days + notification: + webhook_job_max_retry: 3 + webhook_job_http_client_timeout: 3 # in seconds + reaper: + # the max time to wait for a task to finish, if unfinished after max_update_hours, the task will be mark as error, but the task will continue to run, default value is 24 + max_update_hours: 24 + # the max time for execution in running state without new task created + max_dangling_hours: 168 # Secret is used when job service communicates with other components. # If a secret key is not specified, Helm will generate one. # Must be a string of 16 chars. @@ -579,18 +699,12 @@ jobservice: existingSecret: "" # Key within the existing secret for the job service secret existingSecretKey: JOBSERVICE_SECRET - ## The priority class to run the pod as - priorityClassName: registry: - # set the service account to be used, default if left empty - serviceAccountName: "" - # mount the service account token - automountServiceAccountToken: false registry: image: repository: goharbor/registry-photon - tag: v2.10.2 + tag: v2.11.0 # resources: # requests: # memory: 256Mi 
@@ -599,13 +713,16 @@ registry: controller: image: repository: goharbor/harbor-registryctl - tag: v2.10.2 - + tag: v2.11.0 # resources: # requests: # memory: 256Mi # cpu: 100m extraEnvVars: [] + # set the service account to be used, default if left empty + serviceAccountName: "" + # mount the service account token + automountServiceAccountToken: false replicas: 1 revisionHistoryLimit: 10 nodeSelector: {} @@ -623,6 +740,13 @@ registry: podLabels: {} ## The priority class to run the pod as priorityClassName: + # containers to be run before the controller's container starts. + initContainers: [] + # Example: + # + # - name: wait + # image: busybox + # command: [ 'sh', '-c', "sleep 20" ] # Secret is used to secure the upload state from client # and registry storage backend. # See: https://github.com/distribution/distribution/blob/main/docs/configuration.md#http 
@@ -670,13 +794,43 @@ trivy: # repository the repository for Trivy adapter image repository: goharbor/trivy-adapter-photon # tag the tag for Trivy adapter image - tag: v2.10.2 + tag: v2.11.0 # set the service account to be used, default if left empty serviceAccountName: "" # mount the service account token automountServiceAccountToken: false # replicas the number of Pod replicas replicas: 1 + resources: + requests: + cpu: 200m + memory: 512Mi + limits: + cpu: 1 + memory: 1Gi + extraEnvVars: [] + nodeSelector: {} + tolerations: [] + affinity: {} + # Spread Pods across failure-domains like regions, availability zones or nodes + topologySpreadConstraints: [] + # - maxSkew: 1 + # topologyKey: topology.kubernetes.io/zone + # nodeTaintsPolicy: Honor + # whenUnsatisfiable: DoNotSchedule + ## Additional deployment annotations + podAnnotations: {} + ## Additional deployment labels + podLabels: {} + ## The priority class to run the pod as + priorityClassName: + # containers to be run before the controller's container starts. + initContainers: [] + # Example: + # + # - name: wait + # image: busybox + # command: [ 'sh', '-c', "sleep 20" ] # debugMode the flag to enable Trivy debug mode with more verbose scanning log debugMode: false # vulnType a comma-separated list of vulnerability types. Possible values are `os` and `library`. @@ -712,7 +866,7 @@ trivy: # skipJavaDBUpdate If the flag is enabled you have to manually download the `trivy-java.db` file and mount it in the # `/home/scanner/.cache/trivy/java-db/trivy-java.db` path # - skipJavaDBUpdate: false + skipJavaDBUpdate: false # The offlineScan option prevents Trivy from sending API requests to identify dependencies. # # Scanning JAR files and pom.xml may require Internet access for better detection, but this option tries to avoid it. 
@@ -725,48 +879,19 @@ trivy: securityCheck: "vuln" # The duration to wait for scan completion timeout: 5m0s - resources: - requests: - cpu: 200m - memory: 512Mi - limits: - cpu: 1 - memory: 1Gi - extraEnvVars: [] - nodeSelector: {} - tolerations: [] - affinity: {} - # Spread Pods across failure-domains like regions, availability zones or nodes - topologySpreadConstraints: [] - # - maxSkew: 1 - # topologyKey: topology.kubernetes.io/zone - # nodeTaintsPolicy: Honor - # whenUnsatisfiable: DoNotSchedule - ## Additional deployment annotations - podAnnotations: {} - ## Additional deployment labels - podLabels: {} - ## The priority class to run the pod as - priorityClassName: database: # if external database is used, set "type" to "external" # and fill the connection information in "external" section type: internal internal: + image: + repository: goharbor/harbor-db + tag: v2.11.0 # set the service account to be used, default if left empty serviceAccountName: "" # mount the service account token automountServiceAccountToken: false - image: - repository: goharbor/harbor-db - tag: v2.10.2 - # The initial superuser password for internal database - password: "changeit" - # The size limit for Shared memory, pgSQL use it for shared_buffer - # More details see: - # https://github.com/goharbor/harbor/issues/15034 - shmSizeLimit: 512Mi # resources: # requests: # memory: 256Mi @@ -783,6 +908,19 @@ database: affinity: {} ## The priority class to run the pod as priorityClassName: + # containers to be run before the controller's container starts. + extrInitContainers: [] + # Example: + # + # - name: wait + # image: busybox + # command: [ 'sh', '-c', "sleep 20" ] + # The initial superuser password for internal database + password: "changeit" + # The size limit for Shared memory, pgSQL use it for shared_buffer + # More details see: + # https://github.com/goharbor/harbor/issues/15034 + shmSizeLimit: 512Mi initContainer: migrator: {} # resources: 
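Review bot: The database section introduces `extrInitContainers: []` while every other section in this commit adds `initContainers: []`; if the statefulset template reads `initContainers`, this value is silently ignored, and if it really reads `extrInitContainers`, the comment should say so explicitly, because a user who copies the `initContainers` key from the other sections gets neither an error nor an init container. Either rename it to `initContainers: []` for consistency or document the deviation, e.g. `# NOTE: the database statefulset reads this key as extrInitContainers`. Since the moved `password: "changeit"` now sits directly below, this is also the place to say that the default superuser password is meant to be overridden at install time.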
@@ -815,7 +953,7 @@ database: maxIdleConns: 100 # The maximum number of open connections to the database per pod (core+exporter). # If it <= 0, then there is no limit on the number of open connections. - # Note: the default number of connections is 1024 for postgre of harbor. + # Note: the default number of connections is 1024 for harbor's postgres. maxOpenConns: 900 ## Additional deployment annotations podAnnotations: {} @@ -827,13 +965,13 @@ redis: # and fill the connection information in "external" section type: internal internal: + image: + repository: goharbor/redis-photon + tag: v2.11.0 # set the service account to be used, default if left empty serviceAccountName: "" # mount the service account token automountServiceAccountToken: false - image: - repository: goharbor/redis-photon - tag: v2.10.2 # resources: # requests: # memory: 256Mi @@ -844,6 +982,13 @@ redis: affinity: {} ## The priority class to run the pod as priorityClassName: + # containers to be run before the controller's container starts. + initContainers: [] + # Example: + # + # - name: wait + # image: busybox + # command: [ 'sh', '-c', "sleep 20" ] # # jobserviceDatabaseIndex defaults to "1" # # registryDatabaseIndex defaults to "2" # # trivyAdapterIndex defaults to "5" @@ -882,6 +1027,12 @@ redis: podLabels: {} exporter: + image: + repository: goharbor/harbor-exporter + tag: v2.11.0 + serviceAccountName: "" + # mount the service account token + automountServiceAccountToken: false replicas: 1 revisionHistoryLimit: 10 # resources: 
@@ -892,101 +1043,16 @@ exporter: podAnnotations: {} ## Additional deployment labels podLabels: {} - serviceAccountName: "" - # mount the service account token - automountServiceAccountToken: false - image: - repository: goharbor/harbor-exporter - tag: v2.10.2 nodeSelector: {} tolerations: [] affinity: {} # Spread Pods across failure-domains like regions, availability zones or nodes topologySpreadConstraints: [] + ## The priority class to run the pod as + priorityClassName: # - maxSkew: 1 # topologyKey: topology.kubernetes.io/zone # nodeTaintsPolicy: Honor # whenUnsatisfiable: DoNotSchedule cacheDuration: 23 cacheCleanInterval: 14400 - ## The priority class to run the pod as - priorityClassName: - -metrics: - enabled: false - core: - path: /metrics - port: 8001 - registry: - path: /metrics - port: 8001 - jobservice: - path: /metrics - port: 8001 - exporter: - path: /metrics - port: 8001 - ## Create prometheus serviceMonitor to scrape harbor metrics. - ## This requires the monitoring.coreos.com/v1 CRD. Please see - ## https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/user-guides/getting-started.md - ## - serviceMonitor: - enabled: false - additionalLabels: {} - # Scrape interval. If not set, the Prometheus default scrape interval is used. - interval: "" - # Metric relabel configs to apply to samples before ingestion. - metricRelabelings: - [] - # - action: keep - # regex: 'kube_(daemonset|deployment|pod|namespace|node|statefulset).+' - # sourceLabels: [__name__] - # Relabel configs to apply to samples before ingestion. 
- relabelings: - [] - # - sourceLabels: [__meta_kubernetes_pod_node_name] - # separator: ; - # regex: ^(.*)$ - # targetLabel: nodename - # replacement: $1 - # action: replace - -trace: - enabled: false - # trace provider: jaeger or otel - # jaeger should be 1.26+ - provider: jaeger - # set sample_rate to 1 if you wanna sampling 100% of trace data; set 0.5 if you wanna sampling 50% of trace data, and so forth - sample_rate: 1 - # namespace used to differentiate different harbor services - # namespace: - # attributes is a key value dict contains user defined attributes used to initialize trace provider - # attributes: - # application: harbor - jaeger: - # jaeger supports two modes: - # collector mode(uncomment endpoint and uncomment username, password if needed) - # agent mode(uncomment agent_host and agent_port) - endpoint: http://hostname:14268/api/traces - # username: - # password: - # agent_host: hostname - # export trace data by jaeger.thrift in compact mode - # agent_port: 6831 - otel: - endpoint: hostname:4318 - url_path: /v1/traces - compression: false - insecure: true - # timeout is in seconds - timeout: 10 - -# cache layer configurations -# if this feature enabled, harbor will cache the resource -# `project/project_metadata/repository/artifact/manifest` in the redis -# which help to improve the performance of high concurrent pulling manifest. -cache: - # default is not enabled. - enabled: false - # default keep cache for one day. - expireHours: 24 diff --git a/charts/instana/instana-agent/Chart.yaml b/charts/instana/instana-agent/Chart.yaml index 0d72fa206..acee3cb61 100644 --- a/charts/instana/instana-agent/Chart.yaml +++ b/charts/instana/instana-agent/Chart.yaml 
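Review bot: The moved `priorityClassName:` lines are inserted between `topologySpreadConstraints: []` and its commented example (`# - maxSkew: 1` … `# whenUnsatisfiable: DoNotSchedule`), so the example no longer sits under the key it illustrates and reads as if it documented the priority class. Place `## The priority class to run the pod as` / `priorityClassName:` after the `# whenUnsatisfiable: DoNotSchedule` line instead, which also matches where the same pair sits in the other sections of this file.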
@@ -9,7 +9,7 @@ annotations: catalog.cattle.io/kube-version: '>=1.21-0' catalog.cattle.io/release-name: instana-agent apiVersion: v2 -appVersion: 1.270.0 +appVersion: 1.275.0 description: Instana Agent for Kubernetes home: https://www.instana.com/ icon: https://agents.instana.io/helm/stan-logo-2020.png @@ -23,4 +23,4 @@ maintainers: name: instana-agent sources: - https://github.com/instana/instana-agent-docker -version: 1.2.72 +version: 1.2.73 diff --git a/charts/instana/instana-agent/README.md b/charts/instana/instana-agent/README.md index 708bbdac9..bad3ca77c 100644 --- a/charts/instana/instana-agent/README.md +++ b/charts/instana/instana-agent/README.md @@ -117,6 +117,7 @@ The following table lists the configurable parameters of the Instana chart and t | `agent.pod.requests.memory` | Container memory requests in MiB | `768Mi` | | `agent.pod.tolerations` | Tolerations for pod assignment | `[]` | | `agent.pod.affinity` | Affinity for pod assignment | `{}` | +| `agent.serviceMesh.enabled` | Activate Instana Agent JVM monitoring service mesh support for Istio or OpenShift ServiceMesh | `true` | | `agent.env` | Additional environment variables for the agent | `{}` | | `agent.redactKubernetesSecrets` | Enable additional secrets redaction for selected Kubernetes resources | `nil` See [Kubernetes secrets](https://docs.instana.io/setup_and_manage/host_agent/on/kubernetes/#secrets) for more details. | | `cluster.name` | Display name of the monitored cluster | Value of `zone.name` | 
@@ -366,6 +367,20 @@ zones: ## Changelog +### 1.2.73 + +* Fix label for `io.instana/zone` to reflect the real agent mode +* Change the charts flag from ENABLE_AGENT_SOCKET to serviceMesh.enabled +* Add type: DirectoryOrCreate to DaemonSet definitions to ensure required directories exist + +### 1.2.72 + +* Add minReadySeconds field to agent daemonset yaml + +### 1.2.71 + +* Fix usage of digest for pulling images + ### 1.2.70 * Allow the configuration of `minReadySeconds` for the agent daemonset and deployment diff --git a/charts/instana/instana-agent/templates/_helpers.tpl b/charts/instana/instana-agent/templates/_helpers.tpl index 220bfff07..4d4e0b8e9 100644 --- a/charts/instana/instana-agent/templates/_helpers.tpl +++ b/charts/instana/instana-agent/templates/_helpers.tpl @@ -251,6 +251,10 @@ Composes a container image from a dict containing a "name" field (required), "ta - name: INSTANA_AGENT_HTTP_LISTEN value: {{ .Values.agent.listenAddress | quote }} {{- end }} +{{- if .Values.agent.serviceMesh.enabled }} +- name: ENABLE_AGENT_SOCKET + value: {{ .Values.agent.serviceMesh.enabled | quote }} +{{- end }} {{- if .Values.agent.redactKubernetesSecrets }} - name: INSTANA_KUBERNETES_REDACT_SECRETS value: {{ .Values.agent.redactKubernetesSecrets | quote }} diff --git a/charts/instana/instana-agent/templates/agent-daemonset-with-zones.yaml b/charts/instana/instana-agent/templates/agent-daemonset-with-zones.yaml index 71bd2d973..6e1fe2474 100644 --- a/charts/instana/instana-agent/templates/agent-daemonset-with-zones.yaml +++ b/charts/instana/instana-agent/templates/agent-daemonset-with-zones.yaml 
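Review bot: Inside the new `{{- if .Values.agent.serviceMesh.enabled }}` block, `value: {{ .Values.agent.serviceMesh.enabled | quote }}` can only ever render `"true"`, so a user who sets `serviceMesh.enabled: false` gets no `ENABLE_AGENT_SOCKET` variable at all rather than an explicit `"false"`. If the agent image treats an absent variable as disabled this is harmless, but that assumption belongs in values.yaml; otherwise drop the `if` and emit `- name: ENABLE_AGENT_SOCKET` / `value: {{ .Values.agent.serviceMesh.enabled | quote }}` unconditionally so the rendered spec always states the setting.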
@@ -35,7 +35,7 @@ spec: {{- toYaml $.Values.agent.pod.labels | nindent 8 }} {{- end }} {{- include "instana-agent.commonLabels" $ | nindent 8 }} - instana/agent-mode: {{ $.Values.agent.mode | default "APM" | quote }} + instana/agent-mode: {{ $mode | default "APM" | quote }} annotations: {{- if $.Values.agent.pod.annotations }} {{- toYaml $.Values.agent.pod.annotations | nindent 8 }} diff --git a/charts/instana/instana-agent/templates/agent-daemonset.yaml b/charts/instana/instana-agent/templates/agent-daemonset.yaml index e575c4a37..bbc3c7a0e 100644 --- a/charts/instana/instana-agent/templates/agent-daemonset.yaml +++ b/charts/instana/instana-agent/templates/agent-daemonset.yaml @@ -173,12 +173,15 @@ spec: - name: var-run-kubo hostPath: path: /var/vcap/sys/run/docker + type: DirectoryOrCreate - name: var-run-containerd hostPath: path: /var/vcap/sys/run/containerd + type: DirectoryOrCreate - name: var-containerd-config hostPath: path: /var/vcap/jobs/containerd/config + type: DirectoryOrCreate {{- end }} - name: sys hostPath: @@ -192,6 +195,7 @@ spec: - name: var-data hostPath: path: /var/data + type: DirectoryOrCreate - name: machine-id hostPath: path: /etc/machine-id diff --git a/charts/instana/instana-agent/templates/k8s-sensor-role.yaml b/charts/instana/instana-agent/templates/k8s-sensor-role.yaml index 147f5ad06..7e036482e 100644 --- a/charts/instana/instana-agent/templates/k8s-sensor-role.yaml +++ b/charts/instana/instana-agent/templates/k8s-sensor-role.yaml @@ -85,16 +85,7 @@ rules: - watch - apiGroups: - - autoscaling/v1 - resources: - - horizontalpodautoscalers - verbs: - - get - - list - - watch - - - apiGroups: - - autoscaling/v2 + - autoscaling resources: - horizontalpodautoscalers verbs: diff --git a/charts/instana/instana-agent/values.yaml b/charts/instana/instana-agent/values.yaml index 0fd9bbf8e..1784c88ae 100644 --- a/charts/instana/instana-agent/values.yaml +++ b/charts/instana/instana-agent/values.yaml 
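Review bot: `type: DirectoryOrCreate` makes the kubelet create `/var/vcap/sys/run/docker`, `/var/vcap/sys/run/containerd`, `/var/vcap/jobs/containerd/config` and, in the second hunk of this file, `/var/data` on the node whenever they are missing, so the agent now writes to the host filesystem on every node it schedules to instead of failing on nodes whose runtime layout differs. The changelog presents this as intended, but it deserves a template comment next to each volume, e.g. `# DirectoryOrCreate: kubelet creates the path on the host if absent`. The `{{- end }}` after the first three volumes suggests they sit inside a conditional whose head is outside the hunk; confirm that condition restricts them to the node type that actually has the `/var/vcap` layout.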
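Review bot: Merging `autoscaling/v1` and `autoscaling/v2` into a single `autoscaling` entry is the correct fix, because RBAC `apiGroups` take the bare group name and the two old versioned entries could never match, so the sensor presumably had no access to `horizontalpodautoscalers` before. That makes this hunk a permission change (the role now effectively grants get/list/watch on HPAs) rather than a tidy-up, and it is not mentioned in the 1.2.73 changelog entry; a line there, and a comment on the rule such as `# group name only — versioned forms like autoscaling/v2 never match`, would save the next auditor from reverting it.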
@@ -7,7 +7,7 @@ agent: # agent.key is the secret token which your agent uses to authenticate to Instana's servers. key: null - # agent.downloadKey is key, sometimes known ass "sales key", that allows you to download, + # agent.downloadKey is key, sometimes known as "sales key", that allows you to download, # software from Instana. # downloadKey: null @@ -174,6 +174,10 @@ agent: host: repository: null + # agent.serviceMesh.enabled sets the ENABLE_AGENT_SOCKET environment variable. + serviceMesh: + enabled: true + cluster: # cluster.name represents the name that will be assigned to this cluster in Instana name: null @@ -254,10 +258,10 @@ k8s_sensor: # k8s_sensor.deployment.pod.requests.memory is the requested memory allocation in MiB for the agent pods. memory: 128Mi # k8s_sensor.deployment.pod.requests.cpu are the requested CPU units allocation for the agent pods. - cpu: 10m + cpu: 120m limits: # k8s_sensor.deployment.pod.limits.memory set the memory allocation limits in MiB for the agent pods. - memory: 1536Mi + memory: 2048Mi # k8s_sensor.deployment.pod.limits.cpu sets the CPU units allocation limits for the agent pods. cpu: 500m affinity: diff --git a/charts/jenkins/jenkins/CHANGELOG.md b/charts/jenkins/jenkins/CHANGELOG.md index 65a6c3c32..ec9108110 100644 --- a/charts/jenkins/jenkins/CHANGELOG.md +++ b/charts/jenkins/jenkins/CHANGELOG.md @@ -12,6 +12,18 @@ Use the following links to reference issues, PRs, and commits prior to v2.6.0. The changelog until v1.5.7 was auto-generated based on git commits. Those entries include a reference to the git commit to be able to get more details. +## 5.3.3 + +Update `jenkins/inbound-agent` to version `3256.v88a_f6e922152-1` + +## 5.3.2 + +Update `kubernetes` to version `4248.vfa_9517757b_b_a_` + +## 5.3.1 + +Fix Tiltfile deprecated value reference + ## 5.3.0 Add `controller.topologySpreadConstraints` diff --git a/charts/jenkins/jenkins/Chart.yaml b/charts/jenkins/jenkins/Chart.yaml index f7f018d4b..fabb3fd4b 100644 
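Review bot: The new comment `# agent.serviceMesh.enabled sets the ENABLE_AGENT_SOCKET environment variable.` names only the mechanism, while the README row added in this commit describes the effect ("JVM monitoring service mesh support for Istio or OpenShift ServiceMesh"); mirror that wording here so the values file is self-explanatory. It should also say what `false` does, since per the helper change in this commit the variable is then omitted rather than set to `"false"`, e.g. `# when false the variable is not set at all`.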
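Review bot: The k8s_sensor request/limit change — `cpu: 10m` to `cpu: 120m` and `memory: 1536Mi` to `memory: 2048Mi` — is a twelve-fold CPU request increase that changes the scheduling footprint of every sensor pod, yet it is absent from the 1.2.73 changelog entry in this commit. Add a changelog line and, if the numbers come from measured usage, a short comment above the block stating the basis so future bumps can be judged against it.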
--- a/charts/jenkins/jenkins/Chart.yaml +++ b/charts/jenkins/jenkins/Chart.yaml @@ -1,14 +1,14 @@ annotations: artifacthub.io/category: integration-delivery artifacthub.io/changes: | - - Add `controller.topologySpreadConstraints` + - Update `jenkins/inbound-agent` to version `3256.v88a_f6e922152-1` artifacthub.io/images: | - name: jenkins image: docker.io/jenkins/jenkins:2.452.2-jdk17 - name: k8s-sidecar image: docker.io/kiwigrid/k8s-sidecar:1.27.4 - name: inbound-agent - image: jenkins/inbound-agent:3248.v65ecb_254c298-1 + image: jenkins/inbound-agent:3256.v88a_f6e922152-1 artifacthub.io/license: Apache-2.0 artifacthub.io/links: | - name: Chart Source @@ -50,4 +50,4 @@ sources: - https://github.com/maorfr/kube-tasks - https://github.com/jenkinsci/configuration-as-code-plugin type: application -version: 5.3.0 +version: 5.3.3 diff --git a/charts/jenkins/jenkins/VALUES.md b/charts/jenkins/jenkins/VALUES.md index ee4867c1b..4399dcde2 100644 --- a/charts/jenkins/jenkins/VALUES.md +++ b/charts/jenkins/jenkins/VALUES.md 
@@ -28,7 +28,7 @@ The following tables list the configurable parameters of the Jenkins chart and t | [agent.hostNetworking](./values.yaml#L937) | bool | Enables the agent to use the host network | `false` | | [agent.idleMinutes](./values.yaml#L1072) | int | Allows the Pod to remain active for reuse until the configured number of minutes has passed since the last step was executed on it | `0` | | [agent.image.repository](./values.yaml#L916) | string | Repository to pull the agent jnlp image from | `"jenkins/inbound-agent"` | -| [agent.image.tag](./values.yaml#L918) | string | Tag of the image to pull | `"3248.v65ecb_254c298-1"` | +| [agent.image.tag](./values.yaml#L918) | string | Tag of the image to pull | `"3256.v88a_f6e922152-1"` | | [agent.imagePullSecretName](./values.yaml#L925) | string | Name of the secret to be used to pull the image | `nil` | | [agent.inheritYamlMergeStrategy](./values.yaml#L1092) | bool | Controls whether the defined yaml merge strategy will be inherited if another defined pod template is configured to inherit from the current one | `false` | | [agent.jenkinsTunnel](./values.yaml#L897) | string | Overrides the Kubernetes Jenkins tunnel | `nil` | 
@@ -157,7 +157,7 @@ The following tables list the configurable parameters of the Jenkins chart and t | [controller.initializeOnce](./values.yaml#L414) | bool | Initialize only on first installation. Ensures plugins do not get updated inadvertently. Requires `persistence.enabled` to be set to `true` | `false` | | [controller.installLatestPlugins](./values.yaml#L403) | bool | Download the minimum required version or latest version of all dependencies | `true` | | [controller.installLatestSpecifiedPlugins](./values.yaml#L406) | bool | Set to true to download the latest version of any plugin that is requested to have the latest version | `false` | -| [controller.installPlugins](./values.yaml#L395) | list | List of Jenkins plugins to install. If you don't want to install plugins, set it to `false` | `["kubernetes:4246.v5a_12b_1fe120e","workflow-aggregator:596.v8c21c963d92d","git:5.2.2","configuration-as-code:1810.v9b_c30a_249a_4c"]` | +| [controller.installPlugins](./values.yaml#L395) | list | List of Jenkins plugins to install. If you don't want to install plugins, set it to `false` | `["kubernetes:4248.vfa_9517757b_b_a_","workflow-aggregator:596.v8c21c963d92d","git:5.2.2","configuration-as-code:1810.v9b_c30a_249a_4c"]` | | [controller.javaOpts](./values.yaml#L156) | string | Append to `JAVA_OPTS` env var | `nil` | | [controller.jenkinsAdminEmail](./values.yaml#L96) | string | Email address for the administrator of the Jenkins instance | `nil` | | [controller.jenkinsHome](./values.yaml#L101) | string | Custom Jenkins home path | `"/var/jenkins_home"` | diff --git a/charts/jenkins/jenkins/values.yaml b/charts/jenkins/jenkins/values.yaml index 706795e3c..e0a530de6 100644 --- a/charts/jenkins/jenkins/values.yaml +++ b/charts/jenkins/jenkins/values.yaml 
@@ -393,7 +393,7 @@ controller: # Plugins will be installed during Jenkins controller start # -- List of Jenkins plugins to install. If you don't want to install plugins, set it to `false` installPlugins: - - kubernetes:4246.v5a_12b_1fe120e + - kubernetes:4248.vfa_9517757b_b_a_ - workflow-aggregator:596.v8c21c963d92d - git:5.2.2 - configuration-as-code:1810.v9b_c30a_249a_4c @@ -915,7 +915,7 @@ agent: # -- Repository to pull the agent jnlp image from repository: "jenkins/inbound-agent" # -- Tag of the image to pull - tag: "3248.v65ecb_254c298-1" + tag: "3256.v88a_f6e922152-1" # -- Configure working directory for default agent workingDir: "/home/jenkins/agent" nodeUsageMode: "NORMAL" diff --git a/charts/jfrog/artifactory-ha/CHANGELOG.md b/charts/jfrog/artifactory-ha/CHANGELOG.md index 805eb8eef..03b9e0d9c 100644 --- a/charts/jfrog/artifactory-ha/CHANGELOG.md +++ b/charts/jfrog/artifactory-ha/CHANGELOG.md @@ -1,7 +1,7 @@ # JFrog Artifactory-ha Chart Changelog All changes to this chart will be documented in this file -## [107.84.15] - May 29, 2024 +## [107.84.16] - June 27, 2024 * Added image section for `initContainers` instead of `initContainerImage` * Renamed `router.image.imagePullPolicy` to `router.image.pullPolicy` * Removed loggers.image section @@ -23,6 +23,7 @@ All changes to this chart will be documented in this file * Fixed resource constraints for "setup" initContainer of nginx deployment [GH-962] (https://github.com/jfrog/charts/issues/962) * Added .Values.artifactory.unifiedSecretsPrependReleaseName` for unified secret to prepend release name * Fixed maxCacheSize and cacheProviderDir mix up under azure-blob-storage-v2-direct template in binarystore.xml +* Fixed #adding colon in image registry which breaks deployment [GH-1892](https://github.com/jfrog/charts/pull/1892) ## [107.83.0] - Mar 12, 2024 * Added image section for `metadata` and `observability` 
diff --git a/charts/jfrog/artifactory-ha/Chart.yaml b/charts/jfrog/artifactory-ha/Chart.yaml index 3f815b756..32968a304 100644 --- a/charts/jfrog/artifactory-ha/Chart.yaml +++ b/charts/jfrog/artifactory-ha/Chart.yaml @@ -1,11 +1,11 @@ annotations: - artifactoryServiceVersion: 7.84.18 + artifactoryServiceVersion: 7.84.19 catalog.cattle.io/certified: partner catalog.cattle.io/display-name: JFrog Artifactory HA catalog.cattle.io/kube-version: '>= 1.19.0-0' catalog.cattle.io/release-name: artifactory-ha apiVersion: v2 -appVersion: 7.84.15 +appVersion: 7.84.16 dependencies: - condition: postgresql.enabled name: postgresql @@ -27,4 +27,4 @@ name: artifactory-ha sources: - https://github.com/jfrog/charts type: application -version: 107.84.15 +version: 107.84.16 diff --git a/charts/jfrog/artifactory-ha/templates/_helpers.tpl b/charts/jfrog/artifactory-ha/templates/_helpers.tpl index 1ad5af4de..a0d318ba6 100644 --- a/charts/jfrog/artifactory-ha/templates/_helpers.tpl +++ b/charts/jfrog/artifactory-ha/templates/_helpers.tpl @@ -321,8 +321,7 @@ Return the proper artifactory chart image names Return the proper artifactory app version */}} {{- define "artifactory-ha.app.version" -}} -{{- $image := split ":" ((include "artifactory-ha.getImageInfoByValue" (list . "artifactory")) | toString) -}} -{{- $tag := $image._1 -}} +{{- $tag := (splitList ":" ((include "artifactory-ha.getImageInfoByValue" (list . "artifactory" )))) | last | toString -}} {{- printf "%s" $tag -}} {{- end -}} diff --git a/charts/jfrog/artifactory-ha/templates/artifactory-license-secret.yaml b/charts/jfrog/artifactory-ha/templates/artifactory-license-secret.yaml index 73f900863..0018fa044 100644 --- a/charts/jfrog/artifactory-ha/templates/artifactory-license-secret.yaml +++ b/charts/jfrog/artifactory-ha/templates/artifactory-license-secret.yaml 
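Review bot: `splitList ":" … | last` fixes the registry-with-port case, but it now returns something that is not a tag for two legitimate image forms: a reference with no tag yields the whole repository string, and a digest reference of the form `repo@sha256:<hex>` yields the 64-character hex. The identical change is made to `artifactory.app.version` in the artifactory subchart (L299), where the result is additionally emitted as a `version:` label on the StatefulSet; a label value longer than 63 characters makes that manifest invalid at install time. Either document the assumption with `{{- /* assumes the image reference ends in ":<tag>"; digest references are not supported here */ -}}` or guard the digest case before `last`.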
@@ -1,4 +1,4 @@ -{{ if and (not .Values.artifactory.unifiedSecretInstallation) (not .Values.artifactory.license.secret) (not .Values.artifactory.license.licenseKey) }} +{{ if and (not .Values.artifactory.unifiedSecretInstallation) (not .Values.artifactory.license.secret) }} {{- with .Values.artifactory.license.licenseKey }} apiVersion: v1 kind: Secret diff --git a/charts/jfrog/artifactory-jcr/CHANGELOG.md b/charts/jfrog/artifactory-jcr/CHANGELOG.md index 67cc60efd..86f4200d5 100644 --- a/charts/jfrog/artifactory-jcr/CHANGELOG.md +++ b/charts/jfrog/artifactory-jcr/CHANGELOG.md @@ -1,7 +1,7 @@ # JFrog Container Registry Chart Changelog All changes to this chart will be documented in this file. -## [107.84.15] - Feb 20, 2024 +## [107.84.16] - Feb 20, 2024 * Updated `artifactory.installerInfo` content ## [107.80.0] - Feb 1, 2024 diff --git a/charts/jfrog/artifactory-jcr/Chart.yaml b/charts/jfrog/artifactory-jcr/Chart.yaml index 80c06e89d..71e43201c 100644 --- a/charts/jfrog/artifactory-jcr/Chart.yaml +++ b/charts/jfrog/artifactory-jcr/Chart.yaml @@ -4,11 +4,11 @@ annotations: catalog.cattle.io/kube-version: '>= 1.19.0-0' catalog.cattle.io/release-name: artifactory-jcr apiVersion: v2 -appVersion: 7.84.15 +appVersion: 7.84.16 dependencies: - name: artifactory repository: file://./charts/artifactory - version: 107.84.15 + version: 107.84.16 description: JFrog Container Registry home: https://jfrog.com/container-registry/ icon: https://raw.githubusercontent.com/jfrog/charts/ea5c3112c24a973f64f3ccd99747323db292a369/stable/artifactory-jcr/logo/jcr-logo.png @@ -27,4 +27,4 @@ name: artifactory-jcr sources: - https://github.com/jfrog/charts type: application -version: 107.84.15 +version: 107.84.16 diff --git a/charts/jfrog/artifactory-jcr/charts/artifactory/CHANGELOG.md b/charts/jfrog/artifactory-jcr/charts/artifactory/CHANGELOG.md index 26d470edd..6479311f5 100644 --- a/charts/jfrog/artifactory-jcr/charts/artifactory/CHANGELOG.md 
+++ b/charts/jfrog/artifactory-jcr/charts/artifactory/CHANGELOG.md @@ -1,7 +1,7 @@ # JFrog Artifactory Chart Changelog All changes to this chart will be documented in this file. -## [107.84.15] - May 29, 2024 +## [107.84.16] - June 27, 2024 * Added image section for `initContainers` instead of `initContainerImage` * Renamed `router.image.imagePullPolicy` to `router.image.pullPolicy` * Removed image section for `loggers` @@ -21,6 +21,7 @@ All changes to this chart will be documented in this file. * Fixed resource constraints for "setup" initContainer of nginx deployment [GH-962] (https://github.com/jfrog/charts/issues/962) * Added .Values.artifactory.unifiedSecretPrependReleaseName` for unified secret to prepend release name * Fixed maxCacheSize and cacheProviderDir mix up under azure-blob-storage-v2-direct template in binarystore.xml +* Fixed #adding colon in image registry which breaks deployment [GH-1892](https://github.com/jfrog/charts/pull/1892) ## [107.82.0] - Mar 04, 2024 * Added `disableRouterBypass` flag as experimental feature, to disable the artifactoryPath /artifactory/ and route all traffic through the Router. diff --git a/charts/jfrog/artifactory-jcr/charts/artifactory/Chart.yaml b/charts/jfrog/artifactory-jcr/charts/artifactory/Chart.yaml index 9447a68c0..220bf9c65 100644 --- a/charts/jfrog/artifactory-jcr/charts/artifactory/Chart.yaml +++ b/charts/jfrog/artifactory-jcr/charts/artifactory/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: 7.84.15 +appVersion: 7.84.16 dependencies: - condition: postgresql.enabled name: postgresql @@ -21,4 +21,4 @@ name: artifactory sources: - https://github.com/jfrog/charts type: application -version: 107.84.15 +version: 107.84.16 diff --git a/charts/jfrog/artifactory-jcr/charts/artifactory/templates/_helpers.tpl b/charts/jfrog/artifactory-jcr/charts/artifactory/templates/_helpers.tpl index 1cf6cc365..9aa1940d9 100644 --- a/charts/jfrog/artifactory-jcr/charts/artifactory/templates/_helpers.tpl 
+++ b/charts/jfrog/artifactory-jcr/charts/artifactory/templates/_helpers.tpl @@ -255,8 +255,7 @@ Return the proper artifactory chart image names Return the proper artifactory app version */}} {{- define "artifactory.app.version" -}} -{{- $image := split ":" ((include "artifactory.getImageInfoByValue" (list . "artifactory")) | toString) -}} -{{- $tag := $image._1 -}} +{{- $tag := (splitList ":" ((include "artifactory.getImageInfoByValue" (list . "artifactory" )))) | last | toString -}} {{- printf "%s" $tag -}} {{- end -}} diff --git a/charts/jfrog/artifactory-jcr/charts/artifactory/templates/artifactory-license-secret.yaml b/charts/jfrog/artifactory-jcr/charts/artifactory/templates/artifactory-license-secret.yaml index ba83aaf24..dda734033 100644 --- a/charts/jfrog/artifactory-jcr/charts/artifactory/templates/artifactory-license-secret.yaml +++ b/charts/jfrog/artifactory-jcr/charts/artifactory/templates/artifactory-license-secret.yaml @@ -1,4 +1,4 @@ -{{ if and (not .Values.artifactory.unifiedSecretInstallation) (not .Values.artifactory.license.secret) (not .Values.artifactory.license.licenseKey) }} +{{ if and (not .Values.artifactory.unifiedSecretInstallation) (not .Values.artifactory.license.secret) }} {{- with .Values.artifactory.license.licenseKey }} apiVersion: v1 kind: Secret diff --git a/charts/jfrog/artifactory-jcr/charts/artifactory/templates/artifactory-statefulset.yaml b/charts/jfrog/artifactory-jcr/charts/artifactory/templates/artifactory-statefulset.yaml index 93b2ad50f..73fdb7df7 100644 --- a/charts/jfrog/artifactory-jcr/charts/artifactory/templates/artifactory-statefulset.yaml +++ b/charts/jfrog/artifactory-jcr/charts/artifactory/templates/artifactory-statefulset.yaml @@ -8,6 +8,7 @@ metadata: component: {{ .Values.artifactory.name }} heritage: {{ .Release.Service }} release: {{ .Release.Name }} + version: {{ include "artifactory.app.version" . }} {{- with .Values.artifactory.labels }} {{ toYaml . | indent 4 }} {{- end }} 
diff --git a/charts/kasten/k10/Chart.lock b/charts/kasten/k10/Chart.lock index 6b208c6f1..ac2067d13 100644 --- a/charts/kasten/k10/Chart.lock +++ b/charts/kasten/k10/Chart.lock @@ -6,4 +6,4 @@ dependencies: repository: "" version: 25.18.0 digest: sha256:e35117c8aba9f6bde24ae45b5e05b0342b03029dfb2676236c389572cc502066 -generated: "2024-05-31T17:50:43.005351945Z" +generated: "2024-06-28T20:08:59.490170032Z" diff --git a/charts/kasten/k10/Chart.yaml b/charts/kasten/k10/Chart.yaml index cf4af9345..94ad46efc 100644 --- a/charts/kasten/k10/Chart.yaml +++ b/charts/kasten/k10/Chart.yaml @@ -4,7 +4,7 @@ annotations: catalog.cattle.io/kube-version: '>= 1.17.0-0' catalog.cattle.io/release-name: k10 apiVersion: v2 -appVersion: 7.0.0 +appVersion: 7.0.2 dependencies: - condition: grafana.enabled name: grafana @@ -21,4 +21,4 @@ maintainers: - email: contact@kasten.io name: kastenIO name: k10 -version: 7.0.1 +version: 7.0.201 diff --git a/charts/kasten/k10/README.md b/charts/kasten/k10/README.md index 8bc71bf34..502569fb8 100644 --- a/charts/kasten/k10/README.md +++ b/charts/kasten/k10/README.md @@ -116,6 +116,8 @@ Parameter | Description | Default `secrets.azureResourceMgrEndpoint` | Resource management endpoint for the Azure Stack instance | `None` `secrets.azureADEndpoint` | Azure Active Directory login endpoint | `None` `secrets.azureADResourceID` | Azure Active Directory resource ID to obtain AD tokens | `None` +`secrets.microsoftEntraIDEndpoint` | Microsoft Entra ID login endpoint | `None` +`secrets.microsoftEntraIDResourceID` | Microsoft Entra ID resource ID to obtain AD tokens | `None` `secrets.azureCloudEnvID` | Azure Cloud Environment ID | `None` `secrets.vsphereEndpoint` | vSphere endpoint for login | `None` `secrets.vsphereUsername` | vSphere username for login | `None` 
@@ -285,6 +287,7 @@ Parameter | Description | Default `priorityClassName.` | Overrides the default [priority class](https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/#priorityclass) name for the specified deployment | `{}` `ephemeralPVCOverhead` | Set the percentage increase for the ephemeral Persistent Volume Claim's storage request, e.g. PVC size = (file raw size) * (1 + `ephemeralPVCOverhead`) | `0.1` `datastore.parallelUploads` | Specifies how many files can be uploaded in parallel to the data store | `8` +`datastore.parallelDownloads` | Specifies how many files can be downloaded in parallel from the data store | `8` `kastenDisasterRecovery.quickMode.enabled` | Enables K10 Quick Disaster Recovery | `false` `fips.enabled` | Specifies whether K10 should be run in the FIPS mode of operation | `false` ## Helm tips and tricks diff --git a/charts/kasten/k10/templates/NOTES.txt b/charts/kasten/k10/templates/NOTES.txt index c47a034a5..80ae42f3b 100644 --- a/charts/kasten/k10/templates/NOTES.txt +++ b/charts/kasten/k10/templates/NOTES.txt 
@@ -73,3 +73,16 @@ Removal warning: The helm field `restore.copyImagePullSecrets` has been removed Deprecation warning: The `garbagecollector.importRunActions`, `garbagecollector.backupRunActions`, `garbagecollector.retireActions` blocks within the helm chart values have been replaced with `garbagecollector.actions`. {{- end }} + +{{- if .Values.secrets.azureADEndpoint }} +-------------------- +Deprecation warning: The helm field `secret.azureADEndpoint` is deprecated and will be removed in upcoming release, we recommend you to use correct respective field, i.e., `secrets.microsoftEntraIDEndpoint`. +-------------------- +{{- end }} + + +{{- if .Values.secrets.azureADResourceID }} +-------------------- +Deprecation warning: The helm field `secret.azureADResourceID` is deprecated and will be removed in upcoming release, we recommend you to use correct respective field, i.e., `secrets.microsoftEntraIDResourceID` +-------------------- +{{- end }} \ No newline at end of file diff --git a/charts/kasten/k10/templates/_definitions.tpl b/charts/kasten/k10/templates/_definitions.tpl index a4adcb1c3..2381053d9 100644 --- a/charts/kasten/k10/templates/_definitions.tpl +++ b/charts/kasten/k10/templates/_definitions.tpl @@ -223,3 +223,9 @@ state-svc: {{- define "k10.gatewayRequestHeadersVarName" -}}EXTAUTH_REQUEST_HEADERS{{- end -}} {{- define "k10.gatewayAuthHeadersVarName" -}}EXTAUTH_AUTH_HEADERS{{- end -}} {{- define "k10.gatewayPortVarName" -}}PORT{{- end -}} +{{- define "k10.azureClientIDEnvVar" -}}AZURE_CLIENT_ID{{- end -}} +{{- define "k10.azureTenantIDEnvVar" -}}AZURE_TENANT_ID{{- end -}} +{{- define "k10.azureClientSecretEnvVar" -}}AZURE_CLIENT_SECRET{{- end -}} +{{- define "k10.oidcSecretName" -}}k10-oidc-auth{{- end -}} +{{- define "k10.oidcCustomerSecretName" -}}k10-oidc-auth-creds{{- end -}} +{{- define "k10.secretsDir" -}}/var/run/secrets/kasten.io{{- end -}} 
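Review bot: Both deprecation messages name the wrong values key: they say `secret.azureADEndpoint` and `secret.azureADResourceID`, while the conditions one line above test `.Values.secrets.azureADEndpoint` / `.Values.secrets.azureADResourceID` and values.yaml defines them under `secrets:`. A user searching their values file for the key quoted in the warning will not find it. Change both to `secrets.azureADEndpoint` and `secrets.azureADResourceID`; the second message is also missing the trailing period the first one has.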
diff --git a/charts/kasten/k10/templates/_helpers.tpl b/charts/kasten/k10/templates/_helpers.tpl index 0ca52b49e..9a58728d9 100644 --- a/charts/kasten/k10/templates/_helpers.tpl +++ b/charts/kasten/k10/templates/_helpers.tpl @@ -1326,4 +1326,4 @@ Returns a billing identifier label to be added to workloads for azure marketplac {{- if .Values.global.azMarketPlace }} azure-extensions-usage-release-identifier: {{.Release.Name}} {{- end }} -{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/kasten/k10/templates/_k10_container.tpl b/charts/kasten/k10/templates/_k10_container.tpl index 3efe70b72..aaf23cfbb 100644 --- a/charts/kasten/k10/templates/_k10_container.tpl +++ b/charts/kasten/k10/templates/_k10_container.tpl 
@@ -121,36 +121,36 @@ stating that types are not same for the equality check {{- if list "dashboardbff" "executor" "garbagecollector" "controllermanager" "kanister" | has $service}} {{- if or (eq (include "check.azuresecret" .) "true") (eq (include "check.azurecreds" .) "true" ) }} {{- if eq (include "check.azuresecret" .) "true" }} - - name: AZURE_CLIENT_ID + - name: {{ include "k10.azureClientIDEnvVar" . }} valueFrom: secretKeyRef: name: {{ .Values.secrets.azureClientSecretName }} key: azure_client_id - - name: AZURE_TENANT_ID + - name: {{ include "k10.azureTenantIDEnvVar" . }} valueFrom: secretKeyRef: name: {{ .Values.secrets.azureClientSecretName }} key: azure_tenant_id - - name: AZURE_CLIENT_SECRET + - name: {{ include "k10.azureClientSecretEnvVar" . }} valueFrom: secretKeyRef: name: {{ .Values.secrets.azureClientSecretName }} key: azure_client_secret {{- else }} {{- if or (eq (include "check.azureMSIWithClientID" .) "true") (eq (include "check.azureClientSecretCreds" .) "true") }} - - name: AZURE_CLIENT_ID + - name: {{ include "k10.azureClientIDEnvVar" . }} valueFrom: secretKeyRef: name: azure-creds key: azure_client_id {{- end }} {{- if eq (include "check.azureClientSecretCreds" .) "true" }} - - name: AZURE_TENANT_ID + - name: {{ include "k10.azureTenantIDEnvVar" . }} valueFrom: secretKeyRef: name: azure-creds key: azure_tenant_id - - name: AZURE_CLIENT_SECRET + - name: {{ include "k10.azureClientSecretEnvVar" . }} valueFrom: secretKeyRef: name: azure-creds 
@@ -178,19 +178,19 @@ stating that types are not same for the equality check name: azure-creds key: azure_resource_manager_endpoint {{- end }} -{{- if .Values.secrets.azureADEndpoint }} +{{- if or .Values.secrets.azureADEndpoint .Values.secrets.microsoftEntraIDEndpoint }} - name: AZURE_AD_ENDPOINT valueFrom: secretKeyRef: name: azure-creds - key: azure_ad_endpoint + key: entra_id_endpoint {{- end }} -{{- if .Values.secrets.azureADResourceID }} +{{- if or .Values.secrets.azureADResourceID .Values.secrets.microsoftEntraIDResourceID }} - name: AZURE_AD_RESOURCE valueFrom: secretKeyRef: name: azure-creds - key: azure_ad_resource_id + key: entra_id_resource_id {{- end }} {{- if .Values.secrets.azureCloudEnvID }} - name: AZURE_CLOUD_ENV_ID @@ -414,6 +414,11 @@ There are 3 valid states of the secret provided by customer: configMapKeyRef: name: k10-config key: k10DataStoreParallelUpload + - name: K10_DATA_STORE_PARALLEL_DOWNLOAD + valueFrom: + configMapKeyRef: + name: k10-config + key: k10DataStoreParallelDownload - name: K10_DATA_STORE_GENERAL_CONTENT_CACHE_SIZE_MB valueFrom: configMapKeyRef: 
@@ -830,19 +835,19 @@ There are 3 valid states of the secret provided by customer: readOnly: true {{- end }} {{- if (or .Values.auth.oidcAuth.enabled (eq (include "check.dexAuth" .) "true")) }} - - name: k10-oidc-auth - mountPath: "/var/run/secrets/kasten.io/k10-oidc-auth" + - name: {{ include "k10.oidcSecretName" .}} + mountPath: {{ printf "%s/%s" (include "k10.secretsDir" .) (include "k10.oidcSecretName" .) }} readOnly: true {{- if .Values.auth.oidcAuth.clientSecretName }} - - name: k10-oidc-auth-creds - mountPath: "/var/run/secrets/kasten.io/k10-oidc-auth-creds" + - name: {{ include "k10.oidcCustomerSecretName" .}} + mountPath: {{ printf "%s/%s" (include "k10.secretsDir" .) (include "k10.oidcCustomerSecretName" .) }} readOnly: true {{- end }} {{- end }} {{- end }} {{- if eq (include "check.googleCredsOrSecret" .) "true"}} - name: service-account - mountPath: "/var/run/secrets/kasten.io" + mountPath: {{ include "k10.secretsDir" .}} {{- end }} {{- if and (list "controllermanager" "executor" | has $pod) (eq (include "check.projectSAToken" .) "true")}} - name: bound-sa-token diff --git a/charts/kasten/k10/templates/_k10_image_tag.tpl b/charts/kasten/k10/templates/_k10_image_tag.tpl index 003f7d1f8..03b50ed72 100644 --- a/charts/kasten/k10/templates/_k10_image_tag.tpl +++ b/charts/kasten/k10/templates/_k10_image_tag.tpl @@ -1 +1 @@ -{{- define "k10.imageTag" -}}7.0.0{{- end -}} \ No newline at end of file +{{- define "k10.imageTag" -}}7.0.2{{- end -}} \ No newline at end of file diff --git a/charts/kasten/k10/templates/_k10_metering.tpl b/charts/kasten/k10/templates/_k10_metering.tpl index 3af798b01..ed7255f18 100644 --- a/charts/kasten/k10/templates/_k10_metering.tpl +++ b/charts/kasten/k10/templates/_k10_metering.tpl 
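Review bot: The rewritten `mountPath` lines drop the double quotes the removed literals had, so the rendered value is now an unquoted YAML scalar assembled by `printf`. A leading `/` is safe today, but piping through `quote` keeps the output string-typed regardless of what the helpers are later changed to and matches the previous lines: `mountPath: {{ printf "%s/%s" (include "k10.secretsDir" .) (include "k10.oidcSecretName" .) | quote }}` and `mountPath: {{ include "k10.secretsDir" . | quote }}`. The enclosing volumeMounts list starts and ends outside this hunk.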
@@ -314,6 +314,10 @@ spec: {{- if .Values.metering.licenseConfigSecretName }} - name: awsmp-product-license mountPath: "/var/run/secrets/product-license" +{{- end }} +{{- if .Values.features }} + - name: k10-features + mountPath: "/mnt/k10-features" {{- end }} volumes: - name: meter-config @@ -324,6 +328,11 @@ spec: path: config.yaml - key: prometheusTargets path: prometheusTargets.yaml +{{- if .Values.features }} + - name: k10-features + configMap: + name: k10-features +{{- end }} {{- if $.stateful }} - name: {{ $service }}-persistent-storage persistentVolumeClaim: diff --git a/charts/kasten/k10/templates/_k10_template.tpl b/charts/kasten/k10/templates/_k10_template.tpl index 330c6f2ed..0f1157181 100644 --- a/charts/kasten/k10/templates/_k10_template.tpl +++ b/charts/kasten/k10/templates/_k10_template.tpl 
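Review bot: The new `k10-features` volume references a ConfigMap by name without `optional: true`, and nothing in this hunk shows where that ConfigMap is rendered; if it is not created for every `.Values.features` shape that satisfies the `if`, the metering pod stays in ContainerCreating with a mount error. If it is rendered elsewhere in the chart under the same guard, a one-line template comment naming that file (`{{/* k10-features ConfigMap is rendered in templates/<file> under the same .Values.features condition */}}`) would spare the next reader the search; otherwise add `optional: true` or tighten the condition. Note also that `{{- if .Values.features }}` is true for any non-empty map, so a key with an empty or `false` value still triggers the mount.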
@@ -139,24 +139,24 @@ spec: secretName: {{ default "k10-basic-auth" .Values.auth.basicAuth.secretName }} {{- end }} {{- if .Values.auth.oidcAuth.enabled }} - - name: k10-oidc-auth + - name: {{ include "k10.oidcSecretName" .}} secret: - secretName: {{ default "k10-oidc-auth" .Values.auth.oidcAuth.secretName }} + secretName: {{ default (include "k10.oidcSecretName" .) .Values.auth.oidcAuth.secretName }} {{- if .Values.auth.oidcAuth.clientSecretName }} - - name: k10-oidc-auth-creds + - name: {{ include "k10.oidcCustomerSecretName" . }} secret: secretName: {{ .Values.auth.oidcAuth.clientSecretName }} {{- end }} {{- end }} {{- if .Values.auth.openshift.enabled }} - - name: k10-oidc-auth + - name: {{ include "k10.oidcSecretName" .}} secret: - secretName: {{ default "k10-oidc-auth" .Values.auth.openshift.secretName }} + secretName: {{ default (include "k10.oidcSecretName" .) .Values.auth.openshift.secretName }} {{- end }} {{- if .Values.auth.ldap.enabled }} - - name: k10-oidc-auth + - name: {{ include "k10.oidcSecretName" .}} secret: - secretName: {{ default "k10-oidc-auth" .Values.auth.ldap.secretName }} + secretName: {{ default (include "k10.oidcSecretName" .) .Values.auth.ldap.secretName }} - name: k10-logos-dex configMap: name: k10-logos-dex diff --git a/charts/kasten/k10/templates/k10-config.yaml b/charts/kasten/k10/templates/k10-config.yaml index bc7ede213..f7441d6a9 100644 --- a/charts/kasten/k10/templates/k10-config.yaml +++ b/charts/kasten/k10/templates/k10-config.yaml 
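Review bot: The three branches in this hunk each emit a volume named `k10-oidc-auth` (now via `k10.oidcSecretName`) with different default `secretName`s, so enabling more than one of `auth.oidcAuth`, `auth.openshift` and `auth.ldap` renders duplicate volume names and the pod spec is rejected. This predates the commit, but routing all three through one helper is a natural point to make the exclusivity explicit with a `fail` guard when more than one of the three `enabled` flags is true, unless the chart already enforces that elsewhere. The enclosing volumes list starts and ends outside this hunk.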
@@ -24,6 +24,7 @@ data: concurrentWorkloadSnapshots: {{ include "k10.defaultConcurrentWorkloadSnapshots" . | quote }} k10DataStoreDisableCompression: "false" k10DataStoreParallelUpload: {{ .Values.datastore.parallelUploads | quote }} + k10DataStoreParallelDownload: {{ .Values.datastore.parallelDownloads | quote }} k10DataStoreGeneralContentCacheSizeMB: {{ include "k10.defaultK10DataStoreGeneralContentCacheSizeMB" . | quote }} k10DataStoreGeneralMetadataCacheSizeMB: {{ include "k10.defaultK10DataStoreGeneralMetadataCacheSizeMB" . | quote }} k10DataStoreRestoreContentCacheSizeMB: {{ include "k10.defaultK10DataStoreRestoreContentCacheSizeMB" . | quote }} diff --git a/charts/kasten/k10/templates/secrets.yaml b/charts/kasten/k10/templates/secrets.yaml index b0444c291..16c83b3b6 100644 --- a/charts/kasten/k10/templates/secrets.yaml +++ b/charts/kasten/k10/templates/secrets.yaml @@ -69,8 +69,8 @@ data: azure_resource_group: {{ default "" .Values.secrets.azureResourceGroup | b64enc | quote }} azure_subscription_id: {{ default "" .Values.secrets.azureSubscriptionID | b64enc | quote }} azure_resource_manager_endpoint: {{ default "" .Values.secrets.azureResourceMgrEndpoint | b64enc | quote }} - azure_ad_endpoint: {{ default "" .Values.secrets.azureADEndpoint | b64enc | quote }} - azure_ad_resource_id: {{ default "" .Values.secrets.azureADResourceID | b64enc | quote }} + entra_id_endpoint: {{ default "" (default .Values.secrets.azureADEndpoint .Values.secrets.microsoftEntraIDEndpoint) | b64enc | quote }} + entra_id_resource_id: {{ default "" (default .Values.secrets.azureADResourceID .Values.secrets.microsoftEntraIDResourceID) | b64enc | quote }} azure_cloud_env_id: {{ default "" .Values.secrets.azureCloudEnvID | b64enc | quote }} {{- end }} {{- if and (eq (include "check.vspherecreds" .) "true") (not (eq (include "check.vsphereClientSecret" . ) "true")) }} 
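Review bot: `default .Values.secrets.azureADEndpoint .Values.secrets.microsoftEntraIDEndpoint` makes the new key win silently whenever both are set, and nothing tells the user which one was used; the resource ID line behaves the same way. Since the old keys are only deprecated, an install that sets both to different values would use the new endpoint while the NOTES.txt warning still points at the old key. Either document the precedence in the README and schema descriptions or fail fast: `{{- if and .Values.secrets.azureADEndpoint .Values.secrets.microsoftEntraIDEndpoint }}{{ fail "set only one of secrets.azureADEndpoint and secrets.microsoftEntraIDEndpoint" }}{{- end }}`. Renaming the data keys to `entra_id_*` is consistent with the container template in this commit, but anything outside the chart that read `azure_ad_endpoint` from the `azure-creds` Secret will now get nothing.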
@@ -121,7 +121,7 @@ kind: Secret metadata: labels: {{ include "helm.labels" . | indent 4 }} - name: k10-oidc-auth + name: {{ include "k10.oidcSecretName" .}} namespace: {{ .Release.Namespace }} data: provider-url: {{ required "auth.oidcAuth.providerURL field is required!" .Values.auth.oidcAuth.providerURL | b64enc | quote }} @@ -167,7 +167,7 @@ kind: Secret metadata: labels: {{ include "helm.labels" . | indent 4 }} - name: k10-oidc-auth + name: {{ include "k10.oidcSecretName" .}} namespace: {{ .Release.Namespace }} data: provider-url: {{ required "auth.openshift.dashboardURL field is required!" (printf "%s/dex" (trimSuffix "/" .Values.auth.openshift.dashboardURL)) | b64enc | quote }} @@ -198,7 +198,7 @@ kind: Secret metadata: labels: {{ include "helm.labels" . | indent 4 }} - name: k10-oidc-auth + name: {{ include "k10.oidcSecretName" .}} namespace: {{ .Release.Namespace }} data: provider-url: {{ required "auth.ldap.dashboardURL field is required!" (printf "%s/dex" (trimSuffix "/" .Values.auth.ldap.dashboardURL)) | b64enc | quote }} diff --git a/charts/kasten/k10/values.schema.json b/charts/kasten/k10/values.schema.json index 3651b5489..e93cbbfdf 100644 --- a/charts/kasten/k10/values.schema.json +++ b/charts/kasten/k10/values.schema.json @@ -1104,6 +1104,18 @@ "title": "Azure Active Directory resource ID", "description": "Azure Active Directory resource ID to obtain AD tokens" }, + "microsoftEntraIDEndpoint": { + "type": "string", + "default": "", + "title": "Microsoft Entra ID endpoint", + "description": "Microsoft Entra ID login endpoint" + }, + "microsoftEntraIDResourceID": { + "type": "string", + "default": "", + "title": "Microsoft Entra ID resource ID", + "description": "Microsoft Entra ID resource ID to obtain AD tokens" + }, "azureCloudEnvID": { "type": "string", "default": "", 
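Review bot: The schema entries for the new `microsoftEntraIDEndpoint` and `microsoftEntraIDResourceID` properties do not say that they supersede `azureADEndpoint` and `azureADResourceID`, and the adjacent old entries keep their original descriptions even though NOTES.txt in this commit warns they are deprecated. These descriptions are what tooling shows users, so state it in both places, e.g. `"description": "Microsoft Entra ID login endpoint (replaces secrets.azureADEndpoint, which is deprecated)"` on the new entry and a `Deprecated:` prefix on the old one. A `"deprecated": true` keyword is harmless to add but may be ignored depending on the JSON Schema draft Helm's validator implements.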
@@ -2105,6 +2117,12 @@ "default": 8, "title": "Parallelism for data store uploads", "description": "Specifies how many files can be uploaded in parallel to the data store" + }, + "parallelDownloads": { + "type": "integer", + "default": 8, + "title": "Parallelism for data store downloads", + "description": "Specifies how many files can be downloaded in parallel from the data store" } } }, @@ -2708,8 +2726,8 @@ "description": "Forces Kanister Execution Hooks to run with root privileges" }, "ephemeralPVCOverhead": { - "type": "number", - "default": 0.1, + "type": "string", + "default": "0.1", "title": "Storage overhead for ephemeral PVCs", "description": "Set the percentage increase for the ephemeral Persistent Volume Claim's storage request, e.g. pvc size = (file raw size) * (1 + `ephemeralPVCOverhead`)" }, diff --git a/charts/kasten/k10/values.yaml b/charts/kasten/k10/values.yaml index bfe0d7997..db6b41b61 100644 --- a/charts/kasten/k10/values.yaml +++ b/charts/kasten/k10/values.yaml @@ -219,6 +219,8 @@ secrets: azureResourceMgrEndpoint: '' azureADEndpoint: '' azureADResourceID: '' + microsoftEntraIDEndpoint: '' + microsoftEntraIDResourceID: '' azureCloudEnvID: '' apiTlsCrt: '' apiTlsKey: '' @@ -509,10 +511,11 @@ maxJobWaitDuration: "" forceRootInKanisterHooks: true -ephemeralPVCOverhead: 0.1 +ephemeralPVCOverhead: "0.1" datastore: parallelUploads: 8 + parallelDownloads: 8 kastenDisasterRecovery: quickMode: diff --git a/charts/kubecost/cost-analyzer/Chart.yaml b/charts/kubecost/cost-analyzer/Chart.yaml index 13a503bbf..03328c258 100644 --- a/charts/kubecost/cost-analyzer/Chart.yaml +++ b/charts/kubecost/cost-analyzer/Chart.yaml 
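Review bot: `parallelDownloads` accepts any integer, including 0 and negatives, which reaches the container unchanged via the `K10_DATA_STORE_PARALLEL_DOWNLOAD` env var added in this commit; how the binary treats a non-positive value is not visible here. A `"minimum": 1` on the new property (and arguably on the existing `parallelUploads`) rejects the bad value at `helm install` time instead: `"parallelDownloads": { "type": "integer", "default": 8, "minimum": 1, ... }`.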
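Review bot: Changing `ephemeralPVCOverhead` from `"type": "number"` to `"type": "string"` is a breaking change for anyone with `ephemeralPVCOverhead: 0.1` (a number) in an existing values file: schema validation will now reject it on `helm upgrade`, and the README hunk earlier in this commit still shows the default as an unquoted `0.1`. If the intent is to preserve the literal text when rendering, accept both shapes with `"type": ["number", "string"]` and mention the quoted form in the values.yaml comment. If the string form is deliberately required, the NOTES.txt deprecation block is the place to warn users whose values still carry a number.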
@@ -7,9 +7,8 @@ annotations: catalog.cattle.io/featured: "1" catalog.cattle.io/release-name: cost-analyzer apiVersion: v2 -appVersion: 2.2.5 -description: A Helm chart that sets up Kubecost, Prometheus, and Grafana to monitor - cloud costs. +appVersion: 2.3.1 +description: Kubecost Helm chart - monitor your cloud costs! icon: https://partner-charts.rancher.io/assets/logos/kubecost.png name: cost-analyzer -version: 2.2.5 +version: 2.3.1 diff --git a/charts/kubecost/cost-analyzer/ci/federatedetl-primary-netcosts-values.yaml b/charts/kubecost/cost-analyzer/ci/federatedetl-primary-netcosts-values.yaml index 6742df6f3..78ad05725 100644 --- a/charts/kubecost/cost-analyzer/ci/federatedetl-primary-netcosts-values.yaml +++ b/charts/kubecost/cost-analyzer/ci/federatedetl-primary-netcosts-values.yaml @@ -6,9 +6,6 @@ federatedETL: federatedCluster: true kubecostModel: containerStatsEnabled: true - cloudCost: - enabled: true # Set to true to enable CloudCost view that gives you visibility of your Cloud provider resources cost - etlCloudAsset: false # Set etlCloudAsset to false when cloudCost.enabled=true federatedStorageConfigSecret: federated-store serviceAccount: # this example uses AWS IRSA, which creates a service account with rights to the s3 bucket. If using keys+secrets in the federated-store, set create: true create: true diff --git a/charts/kubecost/cost-analyzer/grafana-templates/README.md b/charts/kubecost/cost-analyzer/grafana-dashboards/README.md similarity index 69% rename from charts/kubecost/cost-analyzer/grafana-templates/README.md rename to charts/kubecost/cost-analyzer/grafana-dashboards/README.md index c6f344209..160316ab6 100644 --- a/charts/kubecost/cost-analyzer/grafana-templates/README.md +++ b/charts/kubecost/cost-analyzer/grafana-dashboards/README.md 
@@ -2,14 +2,15 @@ ## Overview -Kubecost, by default, is bundled with a Grafana instance that already contains the dashboards in this repo. +Kubecost, by default, is bundled with a Grafana instance that already contains the dashboards in this folder. -The dashboards in this repo are templated for those wanting to load the dashboards into an existing Grafana instance. +The dashboards in this repo are imported into Kubecost, unless disabled with + + +The same dashboards have template versions in [grafana-templates/](grafana-templates/) for those wanting to load the dashboards into an existing Grafana instance. ## Caveats -Note that the only method to get accurate costs (reconciled with cloud provider billing) is to use the Kubecost API. Prometheus contains real-time metrics that can only estimate costs using custom pricing or onDemand cloud provider rates. - The primary purpose of the dashboards provided is to allow visibility into the metrics used by Kubecost to create the cost-model. The networkCosts-metrics dashboard requires the optional networkCosts daemonset to be [enabled](https://docs.kubecost.com/install-and-configure/advanced-configuration/network-costs-configuration). @@ -41,4 +42,4 @@ container_fs_usage_bytes ## Additional Information -Kubecost Grafana [Configuration Guide](https://docs.kubecost.com/install-and-configure/install/custom-grafana) \ No newline at end of file +Kubecost Grafana [Configuration Guide](https://docs.kubecost.com/install-and-configure/advanced-configuration/custom-grafana) \ No newline at end of file diff --git a/charts/kubecost/cost-analyzer/attached-disks.json b/charts/kubecost/cost-analyzer/grafana-dashboards/attached-disks.json similarity index 85% rename from charts/kubecost/cost-analyzer/attached-disks.json rename to charts/kubecost/cost-analyzer/grafana-dashboards/attached-disks.json index 4826836ba..49c8d6c1a 100644 --- a/charts/kubecost/cost-analyzer/attached-disks.json 
+++ b/charts/kubecost/cost-analyzer/grafana-dashboards/attached-disks.json @@ -24,15 +24,14 @@ "editable": true, "fiscalYearStartMonth": 0, "graphTooltip": 0, - "id": 15, - "iteration": 1674508602609, + "id": 16, "links": [], "liveNow": false, "panels": [ { "datasource": { "type": "prometheus", - "uid": "${datasource}" + "uid": "PBFA97CFB590B2093" }, "fieldConfig": { "defaults": { @@ -40,6 +39,9 @@ "mode": "palette-classic" }, "custom": { + "axisBorderShow": false, + "axisCenteredZero": false, + "axisColorMode": "text", "axisLabel": "", "axisPlacement": "auto", "barAlignment": 0, @@ -51,6 +53,7 @@ "tooltip": false, "viz": false }, + "insertNulls": false, "lineInterpolation": "linear", "lineWidth": 1, "pointSize": 5, @@ -92,12 +95,12 @@ "y": 0 }, "id": 2, - "links": [], "options": { "legend": { "calcs": [], "displayMode": "list", - "placement": "bottom" + "placement": "bottom", + "showLegend": true }, "tooltip": { "mode": "multi", @@ -109,10 +112,10 @@ { "datasource": { "type": "prometheus", - "uid": "${datasource}" + "uid": "PBFA97CFB590B2093" }, "editorMode": "code", - "expr": "max(container_fs_limit_bytes{instance=~'$disk', device!=\"tmpfs\", id=\"/\", cluster_id=~'$cluster'}) by (cluster_id, instance)", + "expr": "sum(container_fs_limit_bytes{instance=~'$disk', device!=\"tmpfs\", id=\"/\", cluster_id=~'$cluster'}) by (cluster_id, instance)", "format": "time_series", "interval": "", "intervalFactor": 1, @@ -127,7 +130,7 @@ { "datasource": { "type": "prometheus", - "uid": "${datasource}" + "uid": "PBFA97CFB590B2093" }, "fieldConfig": { "defaults": { @@ -135,6 +138,9 @@ "mode": "palette-classic" }, "custom": { + "axisBorderShow": false, + "axisCenteredZero": false, + "axisColorMode": "text", "axisLabel": "", "axisPlacement": "auto", "barAlignment": 0, @@ -146,6 +152,7 @@ "tooltip": false, "viz": false }, + "insertNulls": false, "lineInterpolation": "linear", "lineWidth": 1, "pointSize": 5, 
@@ -189,12 +196,12 @@ "y": 0 }, "id": 4, - "links": [], "options": { "legend": { "calcs": [], "displayMode": "list", - "placement": "bottom" + "placement": "bottom", + "showLegend": true }, "tooltip": { "mode": "multi", @@ -206,10 +213,10 @@ { "datasource": { "type": "prometheus", - "uid": "${datasource}" + "uid": "PBFA97CFB590B2093" }, "editorMode": "code", - "expr": "sum(container_fs_usage_bytes{instance=~'$disk',id=\"/\", cluster_id=~'$cluster'}) by (cluster_id, instance) / max(container_fs_limit_bytes{instance=~'$disk',device!=\"tmpfs\", id=\"/\", cluster_id=~'$cluster'}) by (cluster_id,instance)", + "expr": "sum(container_fs_usage_bytes{instance=~'$disk',id=\"/\", cluster_id=~'$cluster'}) by (cluster_id, instance) / sum(container_fs_limit_bytes{instance=~'$disk',device!=\"tmpfs\", id=\"/\", cluster_id=~'$cluster'}) by (cluster_id,instance)", "format": "time_series", "interval": "", "intervalFactor": 1, @@ -224,7 +231,7 @@ { "datasource": { "type": "prometheus", - "uid": "${datasource}" + "uid": "PBFA97CFB590B2093" }, "fieldConfig": { "defaults": { @@ -232,6 +239,9 @@ "mode": "palette-classic" }, "custom": { + "axisBorderShow": false, + "axisCenteredZero": false, + "axisColorMode": "text", "axisLabel": "", "axisPlacement": "auto", "barAlignment": 0, @@ -243,6 +253,7 @@ "tooltip": false, "viz": false }, + "insertNulls": false, "lineInterpolation": "linear", "lineWidth": 1, "pointSize": 5, @@ -286,12 +297,12 @@ "y": 9 }, "id": 5, - "links": [], "options": { "legend": { "calcs": [], "displayMode": "list", - "placement": "bottom" + "placement": "bottom", + "showLegend": true }, "tooltip": { "mode": "multi", 
@@ -303,7 +314,7 @@ { "datasource": { "type": "prometheus", - "uid": "${datasource}" + "uid": "PBFA97CFB590B2093" }, "editorMode": "code", "expr": "1 - sum(container_fs_inodes_free{instance=~'$disk',id=\"/\", cluster_id=~'$cluster'}) by (cluster_id, instance) / sum(container_fs_inodes_total{instance=~'$disk',id=\"/\", cluster_id=~'$cluster'}) by (cluster_id, instance)", @@ -320,7 +331,7 @@ { "datasource": { "type": "prometheus", - "uid": "${datasource}" + "uid": "PBFA97CFB590B2093" }, "fieldConfig": { "defaults": { @@ -328,6 +339,9 @@ "mode": "palette-classic" }, "custom": { + "axisBorderShow": false, + "axisCenteredZero": false, + "axisColorMode": "text", "axisLabel": "", "axisPlacement": "auto", "barAlignment": 0, @@ -339,6 +353,7 @@ "tooltip": false, "viz": false }, + "insertNulls": false, "lineInterpolation": "linear", "lineWidth": 1, "pointSize": 5, @@ -380,12 +395,12 @@ "y": 9 }, "id": 3, - "links": [], "options": { "legend": { "calcs": [], "displayMode": "list", - "placement": "bottom" + "placement": "bottom", + "showLegend": true }, "tooltip": { "mode": "multi", @@ -397,7 +412,7 @@ { "datasource": { "type": "prometheus", - "uid": "${datasource}" + "uid": "PBFA97CFB590B2093" }, "editorMode": "code", "expr": "sum(container_fs_usage_bytes{instance=~'$disk',id=\"/\", cluster_id=~'$cluster'}) by (cluster_id, instance)", @@ -413,9 +428,9 @@ "type": "timeseries" } ], - "schemaVersion": 36, - "style": "dark", + "schemaVersion": 39, "tags": [ + "kubecost", "cost", "utilization", "metrics" 
@@ -425,12 +440,30 @@ { "current": { "selected": false, + "text": "Prometheus", + "value": "PBFA97CFB590B2093" + }, + "hide": 0, + "includeAll": false, + "multi": false, + "name": "datasource", + "options": [], + "query": "prometheus", + "queryValue": "", + "refresh": 1, + "regex": "", + "skipUrlSync": false, + "type": "datasource" + }, + { + "current": { + "selected": true, "text": "All", "value": "$__all" }, "datasource": { "type": "prometheus", - "uid": "${datasource}" + "uid": "PBFA97CFB590B2093" }, "definition": "label_values(cluster_id)", "hide": 0, @@ -450,13 +483,13 @@ }, { "current": { - "selected": false, - "text": "All", - "value": "$__all" + "selected": true, + "text": "ip-192-168-147-146.us-east-2.compute.internal", + "value": "ip-192-168-147-146.us-east-2.compute.internal" }, "datasource": { "type": "prometheus", - "uid": "${datasource}" + "uid": "PBFA97CFB590B2093" }, "definition": "label_values(container_fs_limit_bytes{cluster_id=~\"$cluster\"}, instance)", "hide": 0, @@ -511,6 +544,6 @@ "timezone": "", "title": "Attached disk metrics", "uid": "nBH7qBgMk", - "version": 4, + "version": 7, "weekStart": "" } \ No newline at end of file diff --git a/charts/kubecost/cost-analyzer/cluster-metrics.json b/charts/kubecost/cost-analyzer/grafana-dashboards/cluster-metrics.json similarity index 99% rename from charts/kubecost/cost-analyzer/cluster-metrics.json rename to charts/kubecost/cost-analyzer/grafana-dashboards/cluster-metrics.json index 2470de262..253556000 100644 --- a/charts/kubecost/cost-analyzer/cluster-metrics.json +++ b/charts/kubecost/cost-analyzer/grafana-dashboards/cluster-metrics.json @@ -21,7 +21,7 @@ "links": [], "panels": [ { - "content": "Note: this dashboard requires Kubecost metrics to be available in your Prometheus deployment. [Learn more](https://github.com/kubecost/cost-model/blob/master/PROMETHEUS.md)", + "content": "Deprecated - It is not expected to match Kubecost UI/API.", "gridPos": { "h": 2, "w": 24, 
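Review bot: The `datasource` template variable added here is never consumed: every panel and variable query in this file now pins `"uid": "PBFA97CFB590B2093"` instead of `${datasource}`, so choosing another datasource in the dropdown changes nothing. If pinning to the bundled Prometheus is deliberate for the dashboards in this folder (the README in this commit points at grafana-templates/ for the portable versions), drop the unused variable; otherwise keep `"uid": "${datasource}"` in the panels and variables. Since the file is JSON there is nowhere for a comment, so the dashboard `description` field is the only place to record the choice.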
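Review bot: The saved selection for the `disk` variable is now `ip-192-168-147-146.us-east-2.compute.internal`, a node name from the author's cluster that was exported along with the dashboard; every user importing it starts with a filter that matches nothing until they reset it. Restore the previous `"selected": false, "text": "All", "value": "$__all"` before shipping. The pinned datasource uid in the same export suggests the dashboard was saved without Grafana's "export for sharing externally" option, which would also have avoided this.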
@@ -1479,6 +1479,7 @@ "schemaVersion": 16, "style": "dark", "tags": [ + "kubecost", "cost", "utilization", "metrics" @@ -1676,7 +1677,7 @@ ] }, "timezone": "", - "title": "Kubecost cluster metrics", + "title": "Deprecated - Kubecost cluster metrics", "uid": "JOUdHGZZz", "version": 20 } diff --git a/charts/kubecost/cost-analyzer/cluster-utilization.json b/charts/kubecost/cost-analyzer/grafana-dashboards/cluster-utilization.json similarity index 99% rename from charts/kubecost/cost-analyzer/cluster-utilization.json rename to charts/kubecost/cost-analyzer/grafana-dashboards/cluster-utilization.json index 45090d9fc..8a17f26c0 100644 --- a/charts/kubecost/cost-analyzer/cluster-utilization.json +++ b/charts/kubecost/cost-analyzer/grafana-dashboards/cluster-utilization.json @@ -38,7 +38,7 @@ "id": 86, "links": [], "options": { - "content": "This dashboard shows monthly cost estimates for the cluster, based on **current** CPU, RAM and storage provisioned.", + "content": "Deprecated - It is not expected to match Kubecost UI/API. This dashboard shows monthly cost estimates for the cluster, based on **current** CPU, RAM and storage provisioned.", "mode": "markdown" }, "pluginVersion": "8.3.2", @@ -3189,7 +3189,7 @@ ] }, "timezone": "browser", - "title": "Cluster cost & utilization metrics", + "title": "Deprecated - Cluster cost & utilization metrics", "uid": "cluster-costs", "version": 1, "weekStart": "" diff --git a/charts/kubecost/cost-analyzer/deployment-utilization.json b/charts/kubecost/cost-analyzer/grafana-dashboards/deployment-utilization.json similarity index 99% rename from charts/kubecost/cost-analyzer/deployment-utilization.json rename to charts/kubecost/cost-analyzer/grafana-dashboards/deployment-utilization.json index ef6359202..1fd2b1d9e 100644 --- a/charts/kubecost/cost-analyzer/deployment-utilization.json +++ b/charts/kubecost/cost-analyzer/grafana-dashboards/deployment-utilization.json 
@@ -1225,7 +1225,7 @@ "schemaVersion": 16, "style": "dark", "tags": [ - "cost", + "kubecost", "utilization", "metrics" ], @@ -1380,7 +1380,7 @@ ] }, "timezone": "browser", - "title": "Deployment/Statefulset/Daemonset utilization metrics", + "title": "Deprecated - Deployment/Statefulset/Daemonset utilization metrics", "uid": "deployment-metrics", - "version": 1 + "version": 2 } diff --git a/charts/kubecost/cost-analyzer/grafana-dashboards/grafana-templates/aggregator-dashboard.json b/charts/kubecost/cost-analyzer/grafana-dashboards/grafana-templates/aggregator-dashboard.json new file mode 100644 index 000000000..e7c5b3691 --- /dev/null +++ b/charts/kubecost/cost-analyzer/grafana-dashboards/grafana-templates/aggregator-dashboard.json 
@@ -0,0 +1,668 @@ +{ + "annotations": { + "list": [ + { + "builtIn": 1, + "datasource": { + "type": "grafana", + "uid": "-- Grafana --" + }, + "enable": true, + "hide": true, + "iconColor": "rgba(0, 211, 255, 1)", + "name": "Annotations & Alerts", + "type": "dashboard" + } + ] + }, + "editable": true, + "fiscalYearStartMonth": 0, + "graphTooltip": 0, + "links": [], + "liveNow": false, + "panels": [ + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisBorderShow": false, + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "insertNulls": false, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "bytes" + }, + "overrides": [] + }, + "gridPos": { + "h": 8, + "w": 12, + "x": 0, + "y": 0 + }, + "id": 7, + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "editorMode": "code", + "expr": "sum(rate(container_fs_writes_bytes_total{pod=~\".+-aggregator-0\",namespace=~\"$namespace\"}[2m])) by (namespace)", + "instant": false, + "legendFormat": "__auto", + "range": true, + "refId": "A" + } + ], + "title": "Storage Write", + "type": 
"timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisBorderShow": false, + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "insertNulls": false, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "bytes" + }, + "overrides": [] + }, + "gridPos": { + "h": 8, + "w": 12, + "x": 12, + "y": 0 + }, + "id": 6, + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "editorMode": "code", + "expr": "sum(rate(container_fs_reads_bytes_total{pod=~\".+-aggregator-0\",namespace=~\"$namespace\"}[2m])) by (namespace)", + "instant": false, + "legendFormat": "__auto", + "range": true, + "refId": "A" + } + ], + "title": "Storage Read", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisBorderShow": false, + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 0, + 
"gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "insertNulls": false, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "decimals": 0, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "bytes" + }, + "overrides": [] + }, + "gridPos": { + "h": 8, + "w": 12, + "x": 0, + "y": 8 + }, + "id": 4, + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "editorMode": "code", + "expr": "sum(container_memory_working_set_bytes{container=\"aggregator\",pod!=\"\",namespace=~\"$namespace\"} ) by (namespace)", + "instant": false, + "legendFormat": "__auto", + "range": true, + "refId": "A" + } + ], + "title": "Memory Usage", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisBorderShow": false, + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "insertNulls": false, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": 
"off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 8, + "w": 12, + "x": 12, + "y": 8 + }, + "id": 5, + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "editorMode": "code", + "expr": "sum(rate(node_namespace_pod_container:container_cpu_usage_seconds_total:sum_irate\r\n{container=\"aggregator\",pod!=\"\",namespace=~\"$namespace\"}[2m])) by (namespace)", + "instant": false, + "legendFormat": "__auto", + "range": true, + "refId": "A" + } + ], + "title": "CPU Usage", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisBorderShow": false, + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "insertNulls": false, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "bytes" + }, + "overrides": [] + }, + "gridPos": { + "h": 8, + "w": 12, + "x": 0, + "y": 16 + }, + "id": 2, + "options": { + "legend": { + "calcs": [], + "displayMode": 
"list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "editorMode": "code", + "expr": "sum(kubelet_volume_stats_available_bytes{persistentvolumeclaim=~\"aggregator.+\",namespace=~\"$namespace\"}) by (namespace)", + "hide": false, + "instant": false, + "legendFormat": "__auto", + "range": true, + "refId": "C" + } + ], + "title": "Storage Available", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisBorderShow": false, + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "insertNulls": false, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "bytes" + }, + "overrides": [] + }, + "gridPos": { + "h": 8, + "w": 12, + "x": 12, + "y": 16 + }, + "id": 3, + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "editorMode": "code", + "expr": "sum(rate(container_network_receive_bytes_total{pod=~\".+aggregator-0\",namespace=~\"$namespace\"}[2m])) by 
(namespace)", + "instant": false, + "legendFormat": "__auto", + "range": true, + "refId": "A" + } + ], + "title": "Network Receive Bytes", + "type": "timeseries" + } + ], + "refresh": "30s", + "schemaVersion": 39, + "tags": [ + "utilization", + "metrics", + "kubecost" + ], + "templating": { + "list": [ + { + "current": { + "selected": true, + "text": "Prometheus", + "value": "prometheus" + }, + "hide": 0, + "includeAll": false, + "multi": false, + "name": "datasource", + "options": [], + "query": "prometheus", + "queryValue": "", + "refresh": 1, + "regex": "", + "skipUrlSync": false, + "type": "datasource" + }, + { + "current": { + "selected": false, + "text": "All", + "value": "$__all" + }, + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "definition": "label_values(container_memory_working_set_bytes{container=\"aggregator\"},namespace)", + "hide": 0, + "includeAll": true, + "multi": false, + "name": "namespace", + "options": [], + "query": { + "qryType": 1, + "query": "label_values(container_memory_working_set_bytes{container=\"aggregator\"},namespace)", + "refId": "PrometheusVariableQueryEditor-VariableQuery" + }, + "refresh": 1, + "regex": "", + "skipUrlSync": false, + "sort": 5, + "type": "query" + } + ] + }, + "time": { + "from": "now-1d", + "to": "now" + }, + "timepicker": {}, + "timezone": "", + "title": "Kubecost Aggregator Metrics", + "uid": "kubecost_aggregator_metrics", + "version": 1, + "weekStart": "" +} \ No newline at end of file diff --git a/charts/kubecost/cost-analyzer/grafana-templates/multi-cluster-container-stats.json b/charts/kubecost/cost-analyzer/grafana-dashboards/grafana-templates/multi-cluster-container-stats.json similarity index 99% rename from charts/kubecost/cost-analyzer/grafana-templates/multi-cluster-container-stats.json rename to charts/kubecost/cost-analyzer/grafana-dashboards/grafana-templates/multi-cluster-container-stats.json index 8a39e09ce..5c592b339 100644 
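Review bot: The CPU Usage panel wraps the recording rule `node_namespace_pod_container:container_cpu_usage_seconds_total:sum_irate` in `rate(...[2m])`; if that rule is, as its name suggests, already a per-second irate, taking rate() of it produces a meaningless number, and it also ties the panel to a kube-prometheus recording rule that a Kubecost-bundled Prometheus may not have. The same `expr` carries a stray literal `\r\n` between the metric name and the selector. Both go away by querying the raw counter: `"expr": "sum(rate(container_cpu_usage_seconds_total{container=\"aggregator\",pod!=\"\",namespace=~\"$namespace\"}[2m])) by (namespace)",`. Separately, the Network Receive Bytes panel matches pods with `.+aggregator-0` while the Storage Write and Storage Read panels use `.+-aggregator-0`; the three selectors should agree so the panels describe the same pod.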
--- a/charts/kubecost/cost-analyzer/grafana-templates/multi-cluster-container-stats.json +++ b/charts/kubecost/cost-analyzer/grafana-dashboards/grafana-templates/multi-cluster-container-stats.json @@ -661,7 +661,11 @@ "refresh": "", "revision": 1, "schemaVersion": 39, - "tags": [], + "tags": [ + "utilization", + "metrics", + "kubecost" +], "templating": { "list": [ { diff --git a/charts/kubecost/cost-analyzer/grafana-templates/multi-cluster-disk-usage.json b/charts/kubecost/cost-analyzer/grafana-dashboards/grafana-templates/multi-cluster-disk-usage.json similarity index 97% rename from charts/kubecost/cost-analyzer/grafana-templates/multi-cluster-disk-usage.json rename to charts/kubecost/cost-analyzer/grafana-dashboards/grafana-templates/multi-cluster-disk-usage.json index 0c2e80000..6dc0b153c 100644 --- a/charts/kubecost/cost-analyzer/grafana-templates/multi-cluster-disk-usage.json +++ b/charts/kubecost/cost-analyzer/grafana-dashboards/grafana-templates/multi-cluster-disk-usage.json @@ -15,7 +15,7 @@ "type": "grafana", "id": "grafana", "name": "Grafana", - "version": "9.3.1" + "version": "10.4.2" }, { "type": "datasource", @@ -70,6 +70,7 @@ "mode": "palette-classic" }, "custom": { + "axisBorderShow": false, "axisCenteredZero": false, "axisColorMode": "text", "axisLabel": "", @@ -83,6 +84,7 @@ "tooltip": false, "viz": false }, + "insertNulls": false, "lineInterpolation": "linear", "lineWidth": 1, "pointSize": 5, @@ -124,7 +126,6 @@ "y": 0 }, "id": 2, - "links": [], "options": { "legend": { "calcs": [], @@ -168,6 +169,7 @@ "mode": "palette-classic" }, "custom": { + "axisBorderShow": false, "axisCenteredZero": false, "axisColorMode": "text", "axisLabel": "", @@ -181,6 +183,7 @@ "tooltip": false, "viz": false }, + "insertNulls": false, "lineInterpolation": "linear", "lineWidth": 1, "pointSize": 5, @@ -224,7 +227,6 @@ "y": 0 }, "id": 4, - "links": [], "options": { "legend": { "calcs": [], 
@@ -268,6 +270,7 @@ "mode": "palette-classic" }, "custom": { + "axisBorderShow": false, "axisCenteredZero": false, "axisColorMode": "text", "axisLabel": "", @@ -281,6 +284,7 @@ "tooltip": false, "viz": false }, + "insertNulls": false, "lineInterpolation": "linear", "lineWidth": 1, "pointSize": 5, @@ -324,7 +328,6 @@ "y": 9 }, "id": 5, - "links": [], "options": { "legend": { "calcs": [], @@ -367,6 +370,7 @@ "mode": "palette-classic" }, "custom": { + "axisBorderShow": false, "axisCenteredZero": false, "axisColorMode": "text", "axisLabel": "", @@ -380,6 +384,7 @@ "tooltip": false, "viz": false }, + "insertNulls": false, "lineInterpolation": "linear", "lineWidth": 1, "pointSize": 5, @@ -421,7 +426,6 @@ "y": 9 }, "id": 3, - "links": [], "options": { "legend": { "calcs": [], @@ -455,10 +459,9 @@ "type": "timeseries" } ], - "schemaVersion": 37, - "style": "dark", + "schemaVersion": 39, "tags": [ - "cost", + "kubecost", "utilization", "metrics" ], @@ -561,8 +564,8 @@ ] }, "timezone": "", - "title": "Attached disk metrics", + "title": "Attached disk metrics (multi-cluster)", "uid": "nBH7qBgMk", - "version": 1, + "version": 2, "weekStart": "" } \ No newline at end of file diff --git a/charts/kubecost/cost-analyzer/grafana-templates/multi-cluster-network-transfer-data.json b/charts/kubecost/cost-analyzer/grafana-dashboards/grafana-templates/multi-cluster-network-transfer-data.json similarity index 77% rename from charts/kubecost/cost-analyzer/grafana-templates/multi-cluster-network-transfer-data.json rename to charts/kubecost/cost-analyzer/grafana-dashboards/grafana-templates/multi-cluster-network-transfer-data.json index a153b053e..40bf4e787 100644 --- a/charts/kubecost/cost-analyzer/grafana-templates/multi-cluster-network-transfer-data.json +++ b/charts/kubecost/cost-analyzer/grafana-dashboards/grafana-templates/multi-cluster-network-transfer-data.json 
@@ -15,7 +15,7 @@ "type": "grafana", "id": "grafana", "name": "Grafana", - "version": "9.3.1" + "version": "10.4.2" }, { "type": "datasource", @@ -84,19 +84,21 @@ "mode": "palette-classic" }, "custom": { + "axisBorderShow": false, "axisCenteredZero": false, "axisColorMode": "text", "axisLabel": "", "axisPlacement": "auto", "barAlignment": 0, - "drawStyle": "line", - "fillOpacity": 0, + "drawStyle": "bars", + "fillOpacity": 100, "gradientMode": "none", "hideFrom": { "legend": false, "tooltip": false, "viz": false }, + "insertNulls": false, "lineInterpolation": "linear", "lineWidth": 1, "pointSize": 5, @@ -113,7 +115,6 @@ "mode": "off" } }, - "decimals": 2, "mappings": [], "thresholds": { "mode": "absolute", @@ -128,7 +129,7 @@ } ] }, - "unit": "decmbytes" + "unit": "bytes" }, "overrides": [] }, @@ -158,8 +159,8 @@ "uid": "${datasource}" }, "editorMode": "code", - "expr": "sum by($aggregation) (increase(kubecost_pod_network_ingress_bytes_total{namespace=~\"$namespace\", cluster_id=~\"$cluster\", pod_name=~\"$pod\"}[60m])) / 1024 / 1024", - "interval": "", + "expr": "sum(increase(kubecost_pod_network_ingress_bytes_total\n {namespace=~\"$namespace\", cluster_id=~\"$cluster\", pod_name=~\"$pod_name\", service=~\"$service\"}\n [1h]\n ))\nby($aggregation) ", + "interval": "1h", "legendFormat": "__auto", "range": true, "refId": "A" @@ -170,8 +171,9 @@ "uid": "${datasource}" }, "editorMode": "code", - "expr": "- sum by($aggregation) (increase(kubecost_pod_network_egress_bytes_total{namespace=~\"$namespace\", cluster_id=~\"$cluster\", pod_name=~\"$pod\"}[60m])) / 1024 / 1024", + "expr": "-sum(increase(kubecost_pod_network_egress_bytes_total\n {namespace=~\"$namespace\", cluster_id=~\"$cluster\", pod_name=~\"$pod_name\", service=~\"$service\"}\n [1h]\n ))\nby($aggregation) ", "hide": false, + "interval": "1h", "legendFormat": "__auto", "range": true, "refId": "B" 
@@ -191,19 +193,21 @@ "mode": "palette-classic" }, "custom": { + "axisBorderShow": false, "axisCenteredZero": false, "axisColorMode": "text", "axisLabel": "", "axisPlacement": "auto", "barAlignment": 0, - "drawStyle": "line", - "fillOpacity": 0, + "drawStyle": "bars", + "fillOpacity": 100, "gradientMode": "none", "hideFrom": { "legend": false, "tooltip": false, "viz": false }, + "insertNulls": false, "lineInterpolation": "linear", "lineWidth": 1, "pointSize": 5, @@ -234,7 +238,7 @@ } ] }, - "unit": "decmbytes" + "unit": "bytes" }, "overrides": [] }, @@ -264,9 +268,9 @@ "uid": "${datasource}" }, "editorMode": "code", - "expr": "sum by($aggregation) (increase(kubecost_pod_network_ingress_bytes_total{internet=\"true\", namespace=~\"$namespace\", cluster_id=~\"$cluster\", pod_name=~\"$pod\"}[60m])) / 1024 / 1024", + "expr": "sum(increase(kubecost_pod_network_ingress_bytes_total\n {internet=\"true\", namespace=~\"$namespace\", cluster_id=~\"$cluster\", pod_name=~\"$pod_name\", service=~\"$service\"}\n [1h]\n))\nby($aggregation) ", "hide": false, - "interval": "", + "interval": "1h", "legendFormat": "__auto", "range": true, "refId": "A" @@ -277,8 +281,9 @@ "uid": "${datasource}" }, "editorMode": "code", - "expr": "- sum by($aggregation) (increase(kubecost_pod_network_egress_bytes_total{internet=\"true\", namespace=~\"$namespace\", cluster_id=~\"$cluster\", pod_name=~\"$pod\"}[60m])) / 1024 / 1024", + "expr": "- sum(increase(kubecost_pod_network_egress_bytes_total\n {internet=\"true\", namespace=~\"$namespace\", cluster_id=~\"$cluster\", pod_name=~\"$pod_name\", service=~\"$service\"}\n [1h]))\nby($aggregation) ", "hide": false, + "interval": "1h", "legendFormat": "__auto", "range": true, "refId": "B" 
@@ -299,19 +304,21 @@ "mode": "palette-classic" }, "custom": { + "axisBorderShow": false, "axisCenteredZero": false, "axisColorMode": "text", "axisLabel": "", "axisPlacement": "auto", "barAlignment": 0, - "drawStyle": "line", - "fillOpacity": 0, + "drawStyle": "bars", + "fillOpacity": 100, "gradientMode": "none", "hideFrom": { "legend": false, "tooltip": false, "viz": false }, + "insertNulls": false, "lineInterpolation": "linear", "lineWidth": 1, "pointSize": 5, @@ -343,7 +350,7 @@ } ] }, - "unit": "decmbytes" + "unit": "bytes" }, "overrides": [] }, @@ -373,8 +380,8 @@ "uid": "${datasource}" }, "editorMode": "code", - "expr": "sum by($aggregation) (increase(kubecost_pod_network_ingress_bytes_total{internet=\"false\", namespace=~\"$namespace\", cluster_id=~\"$cluster\", pod_name=~\"$pod\", sameRegion=\"false\", sameZone=\"false\"}[60m])) / 1024 / 1024", - "interval": "", + "expr": "sum(increase(kubecost_pod_network_ingress_bytes_total\n {internet=\"false\",namespace=~\"$namespace\",cluster_id=~\"$cluster\",pod_name=~\"$pod_name\", sameRegion=\"false\",sameZone=\"false\", service=~\"$service\"}\n [1h]))\nby($aggregation)", + "interval": "1h", "legendFormat": "__auto", "range": true, "refId": "A" @@ -385,8 +392,9 @@ "uid": "${datasource}" }, "editorMode": "code", - "expr": "- sum by($aggregation) (increase(kubecost_pod_network_egress_bytes_total{internet=\"false\", namespace=~\"$namespace\", cluster_id=~\"$cluster\", pod_name=~\"$pod\", sameRegion=\"false\", sameZone=\"false\"}[60m])) / 1024 / 1024", + "expr": "- sum(increase(kubecost_pod_network_egress_bytes_total\n {internet=\"false\", namespace=~\"$namespace\",cluster_id=~\"$cluster\",pod_name=~\"$pod_name\",sameRegion=\"false\", sameZone=\"false\", service=~\"$service\"}\n [1h]))\nby($aggregation) ", "hide": false, + "interval": "1h", "legendFormat": "__auto", "range": true, "refId": "B" 
@@ -407,19 +415,21 @@ "mode": "palette-classic" }, "custom": { + "axisBorderShow": false, "axisCenteredZero": false, "axisColorMode": "text", "axisLabel": "", "axisPlacement": "auto", "barAlignment": 0, - "drawStyle": "line", - "fillOpacity": 0, + "drawStyle": "bars", + "fillOpacity": 100, "gradientMode": "none", "hideFrom": { "legend": false, "tooltip": false, "viz": false }, + "insertNulls": false, "lineInterpolation": "linear", "lineWidth": 1, "pointSize": 5, @@ -451,7 +461,7 @@ } ] }, - "unit": "decmbytes" + "unit": "bytes" }, "overrides": [] }, @@ -481,8 +491,8 @@ "uid": "${datasource}" }, "editorMode": "code", - "expr": "sum by($aggregation) (increase(kubecost_pod_network_ingress_bytes_total{internet=\"false\", namespace=~\"$namespace\", cluster_id=~\"$cluster\", pod_name=~\"$pod\", sameRegion=\"true\", sameZone=\"false\"}[60m])) / 1024 / 1024", - "interval": "", + "expr": "sum(increase(kubecost_pod_network_ingress_bytes_total\n {internet=\"false\", namespace=~\"$namespace\", cluster_id=~\"$cluster\", pod_name=~\"$pod_name\", sameRegion=\"true\", sameZone=\"false\", service=~\"$service\"}\n [1h]))\nby($aggregation)", + "interval": "1h", "legendFormat": "__auto", "range": true, "refId": "A" @@ -493,8 +503,9 @@ "uid": "${datasource}" }, "editorMode": "code", - "expr": "- sum by($aggregation) (increase(kubecost_pod_network_egress_bytes_total{internet=\"false\", namespace=~\"$namespace\", cluster_id=~\"$cluster\", pod_name=~\"$pod\", sameRegion=\"true\", sameZone=\"false\"}[60m])) / 1024 / 1024", + "expr": "- sum(increase(kubecost_pod_network_egress_bytes_total\n {internet=\"false\", namespace=~\"$namespace\", cluster_id=~\"$cluster\", pod_name=~\"$pod_name\", sameRegion=\"true\", sameZone=\"false\", service=~\"$service\"}\n [1h]))\nby($aggregation)", "hide": false, + "interval": "1h", "legendFormat": "__auto", "range": true, "refId": "B" 
@@ -504,9 +515,9 @@ "type": "timeseries" } ], - "refresh": false, - "schemaVersion": 37, - "style": "dark", + "refresh": "", + "revision": 1, + "schemaVersion": 39, "tags": [ "kubecost" ], @@ -528,7 +539,7 @@ }, { "current": { - "selected": true, + "selected": false, "text": "namespace", "value": "namespace" }, @@ -549,11 +560,11 @@ }, { "selected": false, - "text": "pod", - "value": "pod" + "text": "pod_name", + "value": "pod_name" } ], - "query": "cluster_id, namespace, pod", + "query": "cluster_id, namespace, pod_name", "queryValue": "", "skipUrlSync": false, "type": "custom" @@ -612,20 +623,21 @@ "type": "prometheus", "uid": "${datasource}" }, - "definition": "label_values(kube_pod_labels{cluster_id=~\"$cluster\",namespace=~\"$namespace\"}, pod) ", + "definition": "label_values(kubecost_pod_network_egress_bytes_total{cluster_id=~\"$cluster\", namespace=~\"$namespace\"},pod_name)", "hide": 0, "includeAll": true, "multi": false, - "name": "pod", + "name": "pod_name", "options": [], "query": { - "query": "label_values(kube_pod_labels{cluster_id=~\"$cluster\",namespace=~\"$namespace\"}, pod) ", - "refId": "StandardVariableQuery" + "qryType": 1, + "query": "label_values(kubecost_pod_network_egress_bytes_total{cluster_id=~\"$cluster\", namespace=~\"$namespace\"},pod_name)", + "refId": "PrometheusVariableQueryEditor-VariableQuery" }, "refresh": 2, "regex": "", "skipUrlSync": false, - "sort": 0, + "sort": 5, "type": "query" }, { 
@@ -638,6 +650,25 @@ "name": "filter", "skipUrlSync": false, "type": "adhoc" + }, + { + "current": {}, + "definition": "label_values(kubecost_pod_network_egress_bytes_total{namespace=~\"$namespace\"},service)", + "hide": 0, + "includeAll": true, + "multi": false, + "name": "service", + "options": [], + "query": { + "qryType": 1, + "query": "label_values(kubecost_pod_network_egress_bytes_total{namespace=~\"$namespace\"},service)", + "refId": "PrometheusVariableQueryEditor-VariableQuery" + }, + "refresh": 1, + "regex": "", + "skipUrlSync": false, + "sort": 5, + "type": "query" } ] }, @@ -647,8 +678,8 @@ }, "timepicker": {}, "timezone": "", - "title": "Kubecost - networkCosts Metrics", + "title": "Kubecost Network Costs Metrics", "uid": "kubecost-networkCosts-metrics", - "version": 7, + "version": 8, "weekStart": "" } \ No newline at end of file diff --git a/charts/kubecost/cost-analyzer/kubernetes-resource-efficiency.json b/charts/kubecost/cost-analyzer/grafana-dashboards/kubernetes-resource-efficiency.json similarity index 100% rename from charts/kubecost/cost-analyzer/kubernetes-resource-efficiency.json rename to charts/kubecost/cost-analyzer/grafana-dashboards/kubernetes-resource-efficiency.json diff --git a/charts/kubecost/cost-analyzer/label-cost-utilization.json b/charts/kubecost/cost-analyzer/grafana-dashboards/label-cost-utilization.json similarity index 99% rename from charts/kubecost/cost-analyzer/label-cost-utilization.json rename to charts/kubecost/cost-analyzer/grafana-dashboards/label-cost-utilization.json index 4c144df18..dc1963edb 100644 --- a/charts/kubecost/cost-analyzer/label-cost-utilization.json +++ b/charts/kubecost/cost-analyzer/grafana-dashboards/label-cost-utilization.json @@ -918,6 +918,7 @@ "schemaVersion": 34, "style": "dark", "tags": [ + "kubecost", "cost", "utilization", "metrics" 
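Review bot: The new `service` variable (hunk -638) has no `datasource` block and its query is scoped only by `namespace`, whereas the `pod_name` variable rewritten in the preceding hunk is bound to `${datasource}` and filters on `cluster_id=~\"$cluster\"`; on a multi-cluster dashboard this lists services from every cluster, and if Grafana falls back to the default data source for a variable that names none, the dropdown may be populated from a different Prometheus than the panels. Give it the same `datasource` block as `pod_name` and use `label_values(kubecost_pod_network_egress_bytes_total{cluster_id=~\"$cluster\", namespace=~\"$namespace\"},service)` for both `definition` and `query.query`. The missing `datasource` block also applies to the `service` variable added in the new network-cloud-services.json later in this diff.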
diff --git a/charts/kubecost/cost-analyzer/namespace-utilization.json b/charts/kubecost/cost-analyzer/grafana-dashboards/namespace-utilization.json similarity index 100% rename from charts/kubecost/cost-analyzer/namespace-utilization.json rename to charts/kubecost/cost-analyzer/grafana-dashboards/namespace-utilization.json diff --git a/charts/kubecost/cost-analyzer/grafana-dashboards/network-cloud-services.json b/charts/kubecost/cost-analyzer/grafana-dashboards/network-cloud-services.json new file mode 100644 index 000000000..2729b6ca7 --- /dev/null +++ b/charts/kubecost/cost-analyzer/grafana-dashboards/network-cloud-services.json 
@@ -0,0 +1,408 @@ +{ + "annotations": { + "list": [ + { + "builtIn": 1, + "datasource": { + "type": "grafana", + "uid": "-- Grafana --" + }, + "enable": true, + "hide": true, + "iconColor": "rgba(0, 211, 255, 1)", + "name": "Annotations & Alerts", + "type": "dashboard" + } + ] + }, + "description": "Most used metrics when troubleshooting applications", + "editable": true, + "fiscalYearStartMonth": 0, + "graphTooltip": 0, + "id": 14, + "links": [], + "liveNow": false, + "panels": [ + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisBorderShow": false, + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "bars", + "fillOpacity": 80, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "insertNulls": false, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "binBps" + }, + "overrides": [] + }, + "gridPos": { + "h": 10, + "w": 24, + "x": 0, + "y": 0 + }, + "id": 11, + "options": { + "legend": { + "calcs": [], + "displayMode": "table", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "prometheus" + }, + "disableTextWrap": false, + "editorMode": "code", + "expr": "sum(\n rate(kubecost_pod_network_ingress_bytes_total\n {namespace=~\"$namespace\", 
pod_name=~\"$pod\",service!=\"\",service=~\"$service\"}\n [1h]\n )\n) \nby (namespace,service) ", + "fullMetaSearch": false, + "includeNullMetadata": true, + "instant": false, + "interval": "1h", + "legendFormat": "{{namespace}}/{{service}}", + "range": true, + "refId": "A", + "useBackend": false + }, + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "disableTextWrap": false, + "editorMode": "code", + "expr": "- sum(\n rate(kubecost_pod_network_egress_bytes_total\n {namespace=~\"$namespace\", pod_name=~\"$pod\",service!=\"\",service=~\"$service\"}\n [1h]\n )\n) \nby(namespace, service) ", + "fullMetaSearch": false, + "hide": false, + "includeNullMetadata": true, + "instant": false, + "interval": "1h", + "legendFormat": "{{namespace}}/{{service}}", + "range": true, + "refId": "B", + "useBackend": false + } + ], + "title": "Kubecost Network Cloud Service by Namespace (egress is negative)", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisBorderShow": false, + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "bars", + "fillOpacity": 80, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "insertNulls": false, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "binBps" + }, + "overrides": [] + }, + "gridPos": { + "h": 14, + "w": 24, + "x": 0, + "y": 10 + }, + "id": 10, 
+ "options": { + "legend": { + "calcs": [], + "displayMode": "table", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "prometheus" + }, + "disableTextWrap": false, + "editorMode": "code", + "expr": "sum(topk(5,\n rate(kubecost_pod_network_ingress_bytes_total\n {namespace=~\"$namespace\", pod_name=~\"$pod\",service!=\"\",service=~\"$service\"}\n [1h]\n )\n) )\nby(namespace, pod_name,service) ", + "fullMetaSearch": false, + "includeNullMetadata": true, + "instant": false, + "interval": "1h", + "legendFormat": "{{namespace}}/{{pod_name}}/{{service}}", + "range": true, + "refId": "A", + "useBackend": false + }, + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "disableTextWrap": false, + "editorMode": "code", + "expr": "- sum(topk(5,\n rate(kubecost_pod_network_egress_bytes_total\n {namespace=~\"$namespace\", pod_name=~\"$pod\",service!=\"\",service=~\"$service\"}\n [1h]\n )\n) )\nby(namespace, pod_name,service) ", + "fullMetaSearch": false, + "hide": false, + "includeNullMetadata": true, + "instant": false, + "interval": "1h", + "legendFormat": "{{namespace}}/{{pod_name}}/{{service}}", + "range": true, + "refId": "B", + "useBackend": false + } + ], + "title": "Kubecost Network Cloud Service by Pod (egress is negative)", + "type": "timeseries" + } + ], + "refresh": "5s", + "schemaVersion": 39, + "tags": [ + "utilization", + "metrics", + "kubecost" + ], + "templating": { + "list": [ + { + "current": { + "selected": false, + "text": "Prometheus", + "value": "PBFA97CFB590B2093" + }, + "hide": 0, + "includeAll": false, + "multi": false, + "name": "datasource", + "options": [], + "query": "prometheus", + "queryValue": "", + "refresh": 1, + "regex": "", + "skipUrlSync": false, + "type": "datasource" + }, + { + "current": { + "selected": false, + "text": "All", + "value": "$__all" + }, + "datasource": { + "type": 
"prometheus", + "uid": "${datasource}" + }, + "definition": "label_values(kube_namespace_labels,namespace)", + "hide": 0, + "includeAll": true, + "multi": false, + "name": "namespace", + "options": [], + "query": { + "qryType": 1, + "query": "label_values(kube_namespace_labels,namespace)", + "refId": "PrometheusVariableQueryEditor-VariableQuery" + }, + "refresh": 1, + "regex": "", + "skipUrlSync": false, + "sort": 5, + "type": "query" + }, + { + "current": { + "selected": false, + "text": "All", + "value": "$__all" + }, + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "definition": "label_values(kube_pod_owner{namespace=~\"$namespace\"},pod)", + "hide": 0, + "includeAll": true, + "multi": false, + "name": "pod", + "options": [], + "query": { + "qryType": 1, + "query": "label_values(kube_pod_owner{namespace=~\"$namespace\"},pod)", + "refId": "PrometheusVariableQueryEditor-VariableQuery" + }, + "refresh": 1, + "regex": "", + "skipUrlSync": false, + "sort": 5, + "type": "query" + }, + { + "current": { + "selected": false, + "text": "All", + "value": "$__all" + }, + "datasource": { + "type": "prometheus", + "uid": "PBFA97CFB590B2093" + }, + "definition": "label_values(kube_pod_container_status_running{namespace=\"$namespace\"},container)", + "hide": 0, + "includeAll": true, + "multi": false, + "name": "container", + "options": [], + "query": { + "qryType": 1, + "query": "label_values(kube_pod_container_status_running{namespace=\"$namespace\"},container)", + "refId": "PrometheusVariableQueryEditor-VariableQuery" + }, + "refresh": 1, + "regex": "", + "skipUrlSync": false, + "sort": 5, + "type": "query" + }, + { + "current": { + "selected": true, + "text": "All", + "value": "$__all" + }, + "definition": "label_values(kubecost_pod_network_egress_bytes_total{namespace=~\"$namespace\"},service)", + "hide": 0, + "includeAll": true, + "multi": false, + "name": "service", + "options": [], + "query": { + "qryType": 1, + "query": 
"label_values(kubecost_pod_network_egress_bytes_total{namespace=~\"$namespace\"},service)", + "refId": "PrometheusVariableQueryEditor-VariableQuery" + }, + "refresh": 1, + "regex": "", + "skipUrlSync": false, + "sort": 5, + "type": "query" + } + ] + }, + "time": { + "from": "now-2d", + "to": "now" + }, + "timepicker": {}, + "timezone": "", + "title": "Kubecost Network Cloud Service Metrics", + "uid": "kubecost-network-cloud-services", + "version": 1, + "weekStart": "" +} \ No newline at end of file diff --git a/charts/kubecost/cost-analyzer/networkCosts-metrics.json b/charts/kubecost/cost-analyzer/grafana-dashboards/networkCosts-metrics.json similarity index 85% rename from charts/kubecost/cost-analyzer/networkCosts-metrics.json rename to charts/kubecost/cost-analyzer/grafana-dashboards/networkCosts-metrics.json index e09239b06..79e568ccb 100644 --- a/charts/kubecost/cost-analyzer/networkCosts-metrics.json +++ b/charts/kubecost/cost-analyzer/grafana-dashboards/networkCosts-metrics.json @@ -25,7 +25,7 @@ "editable": true, "fiscalYearStartMonth": 0, "graphTooltip": 0, - "id": 24, + "id": 2, "links": [], "liveNow": false, "panels": [ @@ -53,6 +53,7 @@ "mode": "palette-classic" }, "custom": { + "axisBorderShow": false, "axisCenteredZero": false, "axisColorMode": "text", "axisLabel": "", @@ -66,6 +67,7 @@ "tooltip": false, "viz": false }, + "insertNulls": false, "lineInterpolation": "linear", "lineWidth": 1, "pointSize": 5, @@ -126,7 +128,7 @@ "uid": "${datasource}" }, "editorMode": "code", - "expr": "sum(increase(kubecost_pod_network_ingress_bytes_total\n {namespace=~\"$namespace\", cluster_id=~\"$cluster\", pod_name=~\"$pod\"}\n [1h]\n ))\nby($aggregation) ", + "expr": "sum(increase(kubecost_pod_network_ingress_bytes_total\n {namespace=~\"$namespace\", cluster_id=~\"$cluster\", pod_name=~\"$pod_name\", service=~\"$service\"}\n [1h]\n ))\nby($aggregation) ", "interval": "1h", "legendFormat": "__auto", "range": true, 
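Review bot: The `service=~"$service"` selector added to the ingress expr (and to the egress expr and the internet/cross-region/cross-zone exprs in the later hunks of this file) is not a no-op when "All" is selected. The new `service` variable sets `includeAll` without an `allValue`, so Grafana expands `$__all` to a regex alternation of the values `label_values()` returned, and series whose `service` label is empty then fail the `=~` match — inferred from the variable definition, but worth checking against live data since these panels are cost totals. If empty-service series are expected to stay in the totals, give the variable `"allValue": ".*"` or drop the selector from the aggregate panels and keep it only where a per-service breakdown is wanted.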
@@ -138,7 +140,7 @@ "uid": "${datasource}" }, "editorMode": "code", - "expr": "-sum(increase(kubecost_pod_network_egress_bytes_total\n {namespace=~\"$namespace\", cluster_id=~\"$cluster\", pod_name=~\"$pod\"}\n [1h]\n ))\nby($aggregation) ", + "expr": "-sum(increase(kubecost_pod_network_egress_bytes_total\n {namespace=~\"$namespace\", cluster_id=~\"$cluster\", pod_name=~\"$pod_name\", service=~\"$service\"}\n [1h]\n ))\nby($aggregation) ", "hide": false, "interval": "1h", "legendFormat": "__auto", @@ -160,6 +162,7 @@ "mode": "palette-classic" }, "custom": { + "axisBorderShow": false, "axisCenteredZero": false, "axisColorMode": "text", "axisLabel": "", @@ -173,6 +176,7 @@ "tooltip": false, "viz": false }, + "insertNulls": false, "lineInterpolation": "linear", "lineWidth": 1, "pointSize": 5, @@ -233,7 +237,7 @@ "uid": "${datasource}" }, "editorMode": "code", - "expr": "sum(increase(kubecost_pod_network_ingress_bytes_total\n {internet=\"true\", namespace=~\"$namespace\", cluster_id=~\"$cluster\", pod_name=~\"$pod\"}\n [1h]\n))\nby($aggregation) ", + "expr": "sum(increase(kubecost_pod_network_ingress_bytes_total\n {internet=\"true\", namespace=~\"$namespace\", cluster_id=~\"$cluster\", pod_name=~\"$pod_name\", service=~\"$service\"}\n [1h]\n))\nby($aggregation) ", "hide": false, "interval": "1h", "legendFormat": "__auto", @@ -246,7 +250,7 @@ "uid": "${datasource}" }, "editorMode": "code", - "expr": "- sum(increase(kubecost_pod_network_egress_bytes_total\n {internet=\"true\", namespace=~\"$namespace\", cluster_id=~\"$cluster\", pod_name=~\"$pod\"}\n [1h]))\nby($aggregation) ", + "expr": "- sum(increase(kubecost_pod_network_egress_bytes_total\n {internet=\"true\", namespace=~\"$namespace\", cluster_id=~\"$cluster\", pod_name=~\"$pod_name\", service=~\"$service\"}\n [1h]))\nby($aggregation) ", "hide": false, "interval": "1h", "legendFormat": "__auto", 
@@ -269,6 +273,7 @@ "mode": "palette-classic" }, "custom": { + "axisBorderShow": false, "axisCenteredZero": false, "axisColorMode": "text", "axisLabel": "", @@ -282,6 +287,7 @@ "tooltip": false, "viz": false }, + "insertNulls": false, "lineInterpolation": "linear", "lineWidth": 1, "pointSize": 5, @@ -343,7 +349,7 @@ "uid": "${datasource}" }, "editorMode": "code", - "expr": "sum(increase(kubecost_pod_network_ingress_bytes_total\n {internet=\"false\",namespace=~\"$namespace\",cluster_id=~\"$cluster\",pod_name=~\"$pod\", sameRegion=\"false\",sameZone=\"false\"}\n [1h]))\nby($aggregation)", + "expr": "sum(increase(kubecost_pod_network_ingress_bytes_total\n {internet=\"false\",namespace=~\"$namespace\",cluster_id=~\"$cluster\",pod_name=~\"$pod_name\", sameRegion=\"false\",sameZone=\"false\", service=~\"$service\"}\n [1h]))\nby($aggregation)", "interval": "1h", "legendFormat": "__auto", "range": true, @@ -355,7 +361,7 @@ "uid": "${datasource}" }, "editorMode": "code", - "expr": "- sum(increase(kubecost_pod_network_egress_bytes_total\n {internet=\"false\", namespace=~\"$namespace\",cluster_id=~\"$cluster\",pod_name=~\"$pod\",sameRegion=\"false\", sameZone=\"false\"}\n [1h]))\nby($aggregation) ", + "expr": "- sum(increase(kubecost_pod_network_egress_bytes_total\n {internet=\"false\", namespace=~\"$namespace\",cluster_id=~\"$cluster\",pod_name=~\"$pod_name\",sameRegion=\"false\", sameZone=\"false\", service=~\"$service\"}\n [1h]))\nby($aggregation) ", "hide": false, "interval": "1h", "legendFormat": "__auto", @@ -378,6 +384,7 @@ "mode": "palette-classic" }, "custom": { + "axisBorderShow": false, "axisCenteredZero": false, "axisColorMode": "text", "axisLabel": "", @@ -391,6 +398,7 @@ "tooltip": false, "viz": false }, + "insertNulls": false, "lineInterpolation": "linear", "lineWidth": 1, "pointSize": 5, 
@@ -452,7 +460,7 @@ "uid": "${datasource}" }, "editorMode": "code", - "expr": "sum(increase(kubecost_pod_network_ingress_bytes_total\n {internet=\"false\", namespace=~\"$namespace\", cluster_id=~\"$cluster\", pod_name=~\"$pod\", sameRegion=\"true\", sameZone=\"false\"}\n [1h]))\nby($aggregation)", + "expr": "sum(increase(kubecost_pod_network_ingress_bytes_total\n {internet=\"false\", namespace=~\"$namespace\", cluster_id=~\"$cluster\", pod_name=~\"$pod_name\", sameRegion=\"true\", sameZone=\"false\", service=~\"$service\"}\n [1h]))\nby($aggregation)", "interval": "1h", "legendFormat": "__auto", "range": true, @@ -464,7 +472,7 @@ "uid": "${datasource}" }, "editorMode": "code", - "expr": "- sum(increase(kubecost_pod_network_egress_bytes_total\n {internet=\"false\", namespace=~\"$namespace\", cluster_id=~\"$cluster\", pod_name=~\"$pod\", sameRegion=\"true\", sameZone=\"false\"}\n [1h]))\nby($aggregation)", + "expr": "- sum(increase(kubecost_pod_network_egress_bytes_total\n {internet=\"false\", namespace=~\"$namespace\", cluster_id=~\"$cluster\", pod_name=~\"$pod_name\", sameRegion=\"true\", sameZone=\"false\", service=~\"$service\"}\n [1h]))\nby($aggregation)", "hide": false, "interval": "1h", "legendFormat": "__auto", @@ -478,18 +486,19 @@ ], "refresh": "", "revision": 1, - "schemaVersion": 38, - "style": "dark", + "schemaVersion": 39, "tags": [ + "utilization", + "metrics", "kubecost" ], "templating": { "list": [ { "current": { - "selected": true, + "selected": false, "text": "Prometheus", - "value": "Prometheus" + "value": "PBFA97CFB590B2093" }, "hide": 0, "includeAll": false, @@ -505,9 +514,9 @@ }, { "current": { - "selected": true, - "text": "pod", - "value": "pod" + "selected": false, + "text": "namespace", + "value": "namespace" }, "hide": 0, "includeAll": false, 
@@ -520,17 +529,17 @@ "value": "cluster_id" }, { - "selected": false, + "selected": true, "text": "namespace", "value": "namespace" }, { - "selected": true, - "text": "pod", - "value": "pod" + "selected": false, + "text": "pod_name", + "value": "pod_name" } ], - "query": "cluster_id, namespace, pod", + "query": "cluster_id, namespace, pod_name", "queryValue": "", "skipUrlSync": false, "type": "custom" @@ -563,7 +572,7 @@ }, { "current": { - "selected": false, + "selected": true, "text": "kubecost", "value": "kubecost" }, @@ -597,20 +606,21 @@ "type": "prometheus", "uid": "${datasource}" }, - "definition": "label_values(kube_pod_labels{cluster_id=~\"$cluster\",namespace=~\"$namespace\"}, pod) ", + "definition": "label_values(kubecost_pod_network_egress_bytes_total{cluster_id=~\"$cluster\", namespace=~\"$namespace\"},pod_name)", "hide": 0, "includeAll": true, "multi": false, - "name": "pod", + "name": "pod_name", "options": [], "query": { - "query": "label_values(kube_pod_labels{cluster_id=~\"$cluster\",namespace=~\"$namespace\"}, pod) ", - "refId": "StandardVariableQuery" + "qryType": 1, + "query": "label_values(kubecost_pod_network_egress_bytes_total{cluster_id=~\"$cluster\", namespace=~\"$namespace\"},pod_name)", + "refId": "PrometheusVariableQueryEditor-VariableQuery" }, "refresh": 2, "regex": "", "skipUrlSync": false, - "sort": 0, + "sort": 5, "type": "query" }, { 
@@ -623,6 +633,29 @@ "name": "filter", "skipUrlSync": false, "type": "adhoc" + }, + { + "current": { + "selected": false, + "text": "All", + "value": "$__all" + }, + "definition": "label_values(kubecost_pod_network_egress_bytes_total{namespace=~\"$namespace\"},service)", + "hide": 0, + "includeAll": true, + "multi": false, + "name": "service", + "options": [], + "query": { + "qryType": 1, + "query": "label_values(kubecost_pod_network_egress_bytes_total{namespace=~\"$namespace\"},service)", + "refId": "PrometheusVariableQueryEditor-VariableQuery" + }, + "refresh": 1, + "regex": "", + "skipUrlSync": false, + "sort": 5, + "type": "query" } ] }, @@ -632,8 +665,8 @@ }, "timepicker": {}, "timezone": "", - "title": "Kubecost networkCosts Metrics", + "title": "Kubecost Network Costs Metrics", "uid": "kubecost-networkCosts-metrics", - "version": 8, + "version": 2, "weekStart": "" } \ No newline at end of file diff --git a/charts/kubecost/cost-analyzer/node-utilization.json b/charts/kubecost/cost-analyzer/grafana-dashboards/node-utilization.json similarity index 100% rename from charts/kubecost/cost-analyzer/node-utilization.json rename to charts/kubecost/cost-analyzer/grafana-dashboards/node-utilization.json diff --git a/charts/kubecost/cost-analyzer/pod-utilization-multi-cluster.json b/charts/kubecost/cost-analyzer/grafana-dashboards/pod-utilization-multi-cluster.json similarity index 99% rename from charts/kubecost/cost-analyzer/pod-utilization-multi-cluster.json rename to charts/kubecost/cost-analyzer/grafana-dashboards/pod-utilization-multi-cluster.json index 3eb5184bb..74bd79856 100644 --- a/charts/kubecost/cost-analyzer/pod-utilization-multi-cluster.json +++ b/charts/kubecost/cost-analyzer/grafana-dashboards/pod-utilization-multi-cluster.json @@ -630,7 +630,11 @@ "refresh": "", "revision": 1, "schemaVersion": 39, - "tags": [], + "tags": [ + "utilization", + "metrics", + "kubecost" + ], "templating": { "list": [ { 
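Review bot: The new `service` template variable has no `datasource` block, unlike the `pod_name` variable changed in the preceding hunk, so its `label_values()` query runs against Grafana's default datasource instead of `${datasource}` and returns nothing on instances where the default is not this Prometheus. Its filter also omits `cluster_id=~"$cluster"` while the panels and the `pod_name` variable are cluster-scoped, so the service list can include services from other clusters. Add `"datasource": { "type": "prometheus", "uid": "${datasource}" }` to the variable and change both the `definition` and `query` to `label_values(kubecost_pod_network_egress_bytes_total{cluster_id=~\"$cluster\", namespace=~\"$namespace\"},service)`.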
@@ -778,7 +782,7 @@ }, "timezone": "browser", "title": "Pod utilization metrics (multi-cluster)", - "uid": "at-cost-analysis-pod2", + "uid": "at-cost-analysis-pod-utilization-multi-cluster", "version": 2, "weekStart": "" } diff --git a/charts/kubecost/cost-analyzer/pod-utilization.json b/charts/kubecost/cost-analyzer/grafana-dashboards/pod-utilization.json similarity index 99% rename from charts/kubecost/cost-analyzer/pod-utilization.json rename to charts/kubecost/cost-analyzer/grafana-dashboards/pod-utilization.json index 2b11a01d8..f037af45e 100644 --- a/charts/kubecost/cost-analyzer/pod-utilization.json +++ b/charts/kubecost/cost-analyzer/grafana-dashboards/pod-utilization.json @@ -610,7 +610,7 @@ "schemaVersion": 38, "style": "dark", "tags": [ - "cost", + "kubecost", "utilization", "metrics" ], diff --git a/charts/kubecost/cost-analyzer/prom-benchmark.json b/charts/kubecost/cost-analyzer/grafana-dashboards/prom-benchmark.json similarity index 99% rename from charts/kubecost/cost-analyzer/prom-benchmark.json rename to charts/kubecost/cost-analyzer/grafana-dashboards/prom-benchmark.json index 0c5eae7e5..ff054acc2 100644 --- a/charts/kubecost/cost-analyzer/prom-benchmark.json +++ b/charts/kubecost/cost-analyzer/grafana-dashboards/prom-benchmark.json @@ -5578,7 +5578,9 @@ "refresh": false, "schemaVersion": 26, "style": "dark", - "tags": [], + "tags": [ + "kubecost" + ], "templating": { "list": [ { diff --git a/charts/kubecost/cost-analyzer/grafana-dashboards/workload-metrics-aggregator.json b/charts/kubecost/cost-analyzer/grafana-dashboards/workload-metrics-aggregator.json new file mode 100644 index 000000000..660358905 --- /dev/null +++ b/charts/kubecost/cost-analyzer/grafana-dashboards/workload-metrics-aggregator.json 
@@ -0,0 +1,988 @@ +{ + "annotations": { + "list": [ + { + "builtIn": 1, + "datasource": { + "type": "grafana", + "uid": "-- Grafana --" + }, + "enable": true, + "hide": true, + "iconColor": "rgba(0, 211, 255, 1)", + "name": "Annotations & Alerts", + "type": "dashboard" + } + ] + }, + "description": "Most used metrics when troubleshooting applications", + "editable": true, + "fiscalYearStartMonth": 0, + "graphTooltip": 0, + "id": 7, + "links": [], + "liveNow": false, + "panels": [ + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisBorderShow": false, + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "insertNulls": false, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "decimals": 0, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "bytes" + }, + "overrides": [] + }, + "gridPos": { + "h": 8, + "w": 12, + "x": 0, + "y": 0 + }, + "id": 4, + "options": { + "legend": { + "calcs": [], + "displayMode": "table", + "placement": "right", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "editorMode": "code", + "expr": "topk(5,sum(container_memory_working_set_bytes{container=\"aggregator\",namespace=~\"$namespace\"} ) by (namespace,pod,container))", + "instant": false, + 
"legendFormat": "{{namespace}}/{{container}}", + "range": true, + "refId": "A" + } + ], + "title": "Top Memory Usage", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisBorderShow": false, + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "insertNulls": false, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "decimals": 1, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "none" + }, + "overrides": [] + }, + "gridPos": { + "h": 8, + "w": 12, + "x": 12, + "y": 0 + }, + "id": 10, + "options": { + "legend": { + "calcs": [], + "displayMode": "table", + "placement": "right", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "editorMode": "code", + "expr": "topk(5, (\r\n sum(rate(container_cpu_usage_seconds_total{image!=\"\",namespace=~\"$namespace\",container=\"aggregator\"}[$__rate_interval])) by (namespace,pod,container)\r\n )\r\n)", + "instant": false, + "legendFormat": "{{namespace}}/{{container}}", + "range": true, + "refId": "A" + } + ], + "title": "Top CPU Usage", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": 
"palette-classic" + }, + "custom": { + "axisBorderShow": false, + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "insertNulls": false, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "binBps" + }, + "overrides": [] + }, + "gridPos": { + "h": 8, + "w": 12, + "x": 0, + "y": 8 + }, + "id": 9, + "options": { + "legend": { + "calcs": [], + "displayMode": "table", + "placement": "right", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "prometheus" + }, + "disableTextWrap": false, + "editorMode": "code", + "expr": "sum(topk(5,\n rate(kubecost_pod_network_ingress_bytes_total\n {namespace=~\"$namespace\", pod_name=~\"$pod\"}\n [$__rate_interval]\n )\n) )\nby(namespace, pod_name) ", + "fullMetaSearch": false, + "includeNullMetadata": true, + "instant": false, + "legendFormat": "{{namespace}}/{{pod_name}}", + "range": true, + "refId": "A", + "useBackend": false + }, + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "disableTextWrap": false, + "editorMode": "code", + "expr": "- sum(topk(5,\n rate(kubecost_pod_network_egress_bytes_total\n {namespace=~\"$namespace\", pod_name=~\"$pod\"}\n [$__rate_interval]\n )\n) )\nby(namespace, pod_name) ", + "fullMetaSearch": false, + "hide": false, + "includeNullMetadata": true, + "instant": false, + 
"legendFormat": "{{namespace}}/{{pod_name}}", + "range": true, + "refId": "B", + "useBackend": false + } + ], + "title": "Kubecost Top Network (egress is negative)", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "description": "", + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisBorderShow": false, + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "insertNulls": 3600000, + "lineInterpolation": "smooth", + "lineStyle": { + "fill": "solid" + }, + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "binBps" + }, + "overrides": [] + }, + "gridPos": { + "h": 8, + "w": 12, + "x": 12, + "y": 8 + }, + "id": 3, + "options": { + "legend": { + "calcs": [], + "displayMode": "table", + "placement": "right", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "editorMode": "code", + "expr": "sum(topk(5,rate(container_network_receive_bytes_total{namespace=~\"$namespace\"}[$__rate_interval]))) by (namespace,pod) ", + "hide": false, + "instant": false, + "legendFormat": "{{namespace}}/{{pod}}", + "range": true, + "refId": "receive" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "editorMode": "code", + "expr": 
"-sum(topk(5,rate(container_network_transmit_bytes_total{namespace=~\"$namespace\"}[$__rate_interval]))) by (namespace,pod) ", + "hide": false, + "instant": false, + "legendFormat": "{{namespace}}/{{pod}}", + "range": true, + "refId": "transmit" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "editorMode": "code", + "expr": "container_network_transmit_bytes_total{}", + "hide": false, + "instant": false, + "legendFormat": "__auto", + "range": true, + "refId": "A" + } + ], + "title": "Top Network (transmit is negative)", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisBorderShow": false, + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "insertNulls": 3600000, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "decimals": 0, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "binBps" + }, + "overrides": [] + }, + "gridPos": { + "h": 8, + "w": 12, + "x": 0, + "y": 16 + }, + "id": 7, + "options": { + "legend": { + "calcs": [], + "displayMode": "table", + "placement": "right", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "editorMode": "code", + "expr": "\n sum(rate(container_fs_writes_bytes_total\n 
{container=\"aggregator\",namespace=~\"$namespace\",image!=\"\"}\n [$__rate_interval]))\n by (namespace,pod,container)\n>0 ", + "hide": false, + "instant": false, + "legendFormat": "{{namespace}}/{{container}}", + "range": true, + "refId": "storage_write" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "editorMode": "code", + "expr": "-(sum\r\n (rate(container_fs_reads_bytes_total\r\n {container=\"aggregator\",namespace=~\"$namespace\",image!=\"\"}\r\n [$__rate_interval])) \r\nby (namespace,pod,container) \r\n) <0", + "hide": false, + "instant": false, + "legendFormat": "{{namespace}}/{{container}}", + "range": true, + "refId": "storage_read" + } + ], + "title": "Storage (read is negative)", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "description": "This may work depending on the CRI", + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisBorderShow": false, + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "insertNulls": false, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "bytes" + }, + "overrides": [] + }, + "gridPos": { + "h": 8, + "w": 12, + "x": 12, + "y": 16 + }, + "id": 2, + "options": { + "legend": { + "calcs": [], + "displayMode": "table", + "placement": "right", + "showLegend": true + }, + "tooltip": { + 
"mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "editorMode": "code", + "expr": "sum(kubelet_volume_stats_available_bytes{namespace=~\"$namespace\"}) by (namespace,persistentvolumeclaim)", + "hide": false, + "instant": false, + "legendFormat": "{{namespace}}/{{persistentvolumeclaim}}", + "range": true, + "refId": "C" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "editorMode": "code", + "expr": "sum(kube_persistentvolume_capacity_bytes) by (persistentvolume)", + "hide": false, + "instant": false, + "legendFormat": "__auto", + "range": true, + "refId": "A" + } + ], + "title": "Storage ", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "description": "", + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisBorderShow": false, + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "bars", + "fillOpacity": 82, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "insertNulls": false, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "normal" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "decimals": 0, + "mappings": [], + "min": 0, + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 8, + "w": 12, + "x": 0, + "y": 24 + }, + "id": 8, + "options": { + "legend": { + "calcs": [], + "displayMode": "table", + "placement": "right", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, 
+ "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "prometheus" + }, + "editorMode": "code", + "expr": "sum(increase(kube_pod_container_status_restarts_total{namespace=~\"$namespace\",pod=~\".+-aggregator-0\"}[1h])) by (namespace,container)>0", + "instant": false, + "interval": "1h", + "legendFormat": "{{namespace}}/{{container}}", + "range": true, + "refId": "A" + } + ], + "title": "Pod restarts per hour", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisBorderShow": false, + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "insertNulls": false, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "bytes" + }, + "overrides": [] + }, + "gridPos": { + "h": 8, + "w": 12, + "x": 12, + "y": 24 + }, + "id": 11, + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "PBFA97CFB590B2093" + }, + "editorMode": "code", + "expr": "kubecost_read_db_size", + "instant": false, + "legendFormat": "__auto", + "range": true, + "refId": "kubecost_read_db_size" + }, + { + "datasource": { + "type": "prometheus", + "uid": 
"${datasource}" + }, + "editorMode": "code", + "expr": "sum(kubecost_write_db_size)", + "hide": false, + "instant": false, + "legendFormat": "__auto", + "range": true, + "refId": "kubecost_write_db_size" + } + ], + "title": "Aggregator DB Size", + "type": "timeseries" + } + ], + "refresh": "5s", + "schemaVersion": 39, + "tags": [ + "kubecost", + "utilization", + "metrics" + ], + "templating": { + "list": [ + { + "current": { + "selected": false, + "text": "Prometheus", + "value": "PBFA97CFB590B2093" + }, + "hide": 0, + "includeAll": false, + "multi": false, + "name": "datasource", + "options": [], + "query": "prometheus", + "queryValue": "", + "refresh": 1, + "regex": "", + "skipUrlSync": false, + "type": "datasource" + }, + { + "current": { + "selected": true, + "text": "kubecost", + "value": "kubecost" + }, + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "definition": "label_values(kube_namespace_labels,namespace)", + "hide": 0, + "includeAll": true, + "multi": false, + "name": "namespace", + "options": [], + "query": { + "qryType": 1, + "query": "label_values(kube_namespace_labels,namespace)", + "refId": "PrometheusVariableQueryEditor-VariableQuery" + }, + "refresh": 1, + "regex": "", + "skipUrlSync": false, + "sort": 5, + "type": "query" + }, + { + "current": { + "selected": false, + "text": "All", + "value": "$__all" + }, + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "definition": "label_values(kube_pod_owner{namespace=~\"$namespace\"},pod)", + "hide": 0, + "includeAll": true, + "multi": false, + "name": "pod", + "options": [], + "query": { + "qryType": 1, + "query": "label_values(kube_pod_owner{namespace=~\"$namespace\"},pod)", + "refId": "PrometheusVariableQueryEditor-VariableQuery" + }, + "refresh": 1, + "regex": "", + "skipUrlSync": false, + "sort": 5, + "type": "query" + } + ] + }, + "time": { + "from": "now-3h", + "to": "now" + }, + "timepicker": {}, + "timezone": "", + "title": "Workload Metrics - 
Aggregator", + "uid": "kubecost-aggregator-metrics", + "version": 1, + "weekStart": "" +} \ No newline at end of file diff --git a/charts/kubecost/cost-analyzer/grafana-dashboards/workload-metrics.json b/charts/kubecost/cost-analyzer/grafana-dashboards/workload-metrics.json new file mode 100644 index 000000000..248afc134 --- /dev/null +++ b/charts/kubecost/cost-analyzer/grafana-dashboards/workload-metrics.json 
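Review bot: The "Top Network (transmit is negative)" panel ships a third, visible target `container_network_transmit_bytes_total{}` with `"legendFormat": "__auto"` and no namespace filter, which plots every raw counter series in the cluster on top of the two topk rate series and looks like a leftover from query editing; it should be removed, or at least set to `"hide": true`. Separately, three targets bypass the `${datasource}` variable: the Kubecost ingress target in "Kubecost Top Network" and the "Pod restarts per hour" target use `"uid": "prometheus"`, and the `kubecost_read_db_size` target uses `"uid": "PBFA97CFB590B2093"`, so those panels fail on any install whose Prometheus datasource has a different UID; change each to `"uid": "${datasource}"`. Since this file is provisioned from the chart rather than imported by hand, `"id": 7` should also be `null` so Grafana assigns its own.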
@@ -0,0 +1,893 @@ +{ + "annotations": { + "list": [ + { + "builtIn": 1, + "datasource": { + "type": "grafana", + "uid": "-- Grafana --" + }, + "enable": true, + "hide": true, + "iconColor": "rgba(0, 211, 255, 1)", + "name": "Annotations & Alerts", + "type": "dashboard" + } + ] + }, + "description": "Most used metrics when troubleshooting applications", + "editable": true, + "fiscalYearStartMonth": 0, + "graphTooltip": 0, + "id": 2, + "links": [], + "liveNow": false, + "panels": [ + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisBorderShow": false, + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "insertNulls": false, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "decimals": 0, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "bytes" + }, + "overrides": [] + }, + "gridPos": { + "h": 8, + "w": 12, + "x": 0, + "y": 0 + }, + "id": 4, + "options": { + "legend": { + "calcs": [], + "displayMode": "table", + "placement": "right", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "editorMode": "code", + "expr": "topk(5,sum(container_memory_working_set_bytes{container=~\"$container\",pod=~\"$pod\",container!=\"\",namespace=~\"$namespace\"} ) by 
(namespace,pod,container))", + "instant": false, + "legendFormat": "{{namespace}}/{{container}}", + "range": true, + "refId": "A" + } + ], + "title": "Top Memory Usage", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisBorderShow": false, + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "insertNulls": false, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "decimals": 1, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "none" + }, + "overrides": [] + }, + "gridPos": { + "h": 8, + "w": 12, + "x": 12, + "y": 0 + }, + "id": 10, + "options": { + "legend": { + "calcs": [], + "displayMode": "table", + "placement": "right", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "editorMode": "code", + "expr": "topk(5, (\r\n sum(rate(container_cpu_usage_seconds_total{image!=\"\",namespace=~\"$namespace\",pod=~\"$pod\",container=~\"$container\"}[10m])) by (namespace,pod,container)\r\n )\r\n)", + "instant": false, + "legendFormat": "{{namespace}}/{{container}}", + "range": true, + "refId": "A" + } + ], + "title": "Top CPU Usage", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + 
"fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisBorderShow": false, + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "insertNulls": false, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "binBps" + }, + "overrides": [] + }, + "gridPos": { + "h": 8, + "w": 12, + "x": 0, + "y": 8 + }, + "id": 9, + "options": { + "legend": { + "calcs": [], + "displayMode": "table", + "placement": "right", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "prometheus" + }, + "disableTextWrap": false, + "editorMode": "code", + "expr": "sum(topk(5,\n rate(kubecost_pod_network_ingress_bytes_total\n {namespace=~\"$namespace\", pod_name=~\"$pod\"}\n [$__rate_interval]\n )\n) )\nby(namespace, pod_name) ", + "fullMetaSearch": false, + "includeNullMetadata": true, + "instant": false, + "legendFormat": "{{namespace}}/{{pod_name}}", + "range": true, + "refId": "A", + "useBackend": false + }, + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "disableTextWrap": false, + "editorMode": "code", + "expr": "- sum(topk(5,\n rate(kubecost_pod_network_egress_bytes_total\n {namespace=~\"$namespace\", pod_name=~\"$pod\"}\n [$__rate_interval]\n )\n) )\nby(namespace, pod_name) ", + "fullMetaSearch": false, + "hide": false, + 
"includeNullMetadata": true, + "instant": false, + "legendFormat": "{{namespace}}/{{pod_name}}", + "range": true, + "refId": "B", + "useBackend": false + } + ], + "title": "Kubecost Top Network (egress is negative)", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "description": "", + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisBorderShow": false, + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "insertNulls": 3600000, + "lineInterpolation": "smooth", + "lineStyle": { + "fill": "solid" + }, + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "binBps" + }, + "overrides": [] + }, + "gridPos": { + "h": 8, + "w": 12, + "x": 12, + "y": 8 + }, + "id": 3, + "options": { + "legend": { + "calcs": [], + "displayMode": "table", + "placement": "right", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "editorMode": "code", + "expr": "sum(topk(5,rate(container_network_receive_bytes_total{pod=~\"$pod\",namespace=~\"$namespace\"}[$__rate_interval]))) by (namespace,pod) ", + "hide": false, + "instant": false, + "legendFormat": "{{namespace}}/{{pod}}", + "range": true, + "refId": "receive" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + 
"editorMode": "code", + "expr": "-sum(topk(5,rate(container_network_transmit_bytes_total{pod=~\"$pod\",namespace=~\"$namespace\"}[$__rate_interval]))) by (namespace,pod) ", + "hide": false, + "instant": false, + "legendFormat": "{{namespace}}/{{pod}}", + "range": true, + "refId": "transmit" + } + ], + "title": "Top Network (transmit is negative)", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisBorderShow": false, + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "insertNulls": 3600000, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "decimals": 0, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "binBps" + }, + "overrides": [] + }, + "gridPos": { + "h": 8, + "w": 12, + "x": 0, + "y": 16 + }, + "id": 7, + "options": { + "legend": { + "calcs": [], + "displayMode": "table", + "placement": "right", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "editorMode": "code", + "expr": "\n sum(rate(container_fs_writes_bytes_total\n {pod=~\"$pod\",namespace=~\"$namespace\",image!=\"\"}\n [$__rate_interval]))\n by (namespace,pod,container)\n>0 ", + "hide": false, + "instant": false, + "legendFormat": "{{namespace}}/{{container}}", + 
"range": true, + "refId": "storage_write" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "editorMode": "code", + "expr": "-(sum\r\n (rate(container_fs_reads_bytes_total\r\n {pod=~\"$pod\",namespace=~\"$namespace\",image!=\"\"}\r\n [$__rate_interval])) \r\nby (namespace,pod,container) \r\n) <0", + "hide": false, + "instant": false, + "legendFormat": "{{namespace}}/{{container}}", + "range": true, + "refId": "storage_read" + } + ], + "title": "Storage (read is negative)", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "description": "This may work depending on the CRI", + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisBorderShow": false, + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "insertNulls": false, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "bytes" + }, + "overrides": [] + }, + "gridPos": { + "h": 8, + "w": 12, + "x": 12, + "y": 16 + }, + "id": 2, + "options": { + "legend": { + "calcs": [], + "displayMode": "table", + "placement": "right", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "editorMode": "code", + "expr": 
"sum(kubelet_volume_stats_available_bytes{namespace=~\"$namespace\"}) by (namespace,persistentvolumeclaim)", + "hide": false, + "instant": false, + "legendFormat": "__auto", + "range": true, + "refId": "C" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "editorMode": "code", + "expr": "sum(kube_persistentvolume_capacity_bytes) by (persistentvolume)", + "hide": false, + "instant": false, + "legendFormat": "__auto", + "range": true, + "refId": "A" + } + ], + "title": "Storage ", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "description": "", + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisBorderShow": false, + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "bars", + "fillOpacity": 82, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "insertNulls": false, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "normal" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "decimals": 0, + "mappings": [], + "min": 0, + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 8, + "w": 12, + "x": 0, + "y": 24 + }, + "id": 8, + "options": { + "legend": { + "calcs": [], + "displayMode": "table", + "placement": "right", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "prometheus" + }, + "editorMode": "code", + "expr": 
"sum(increase(kube_pod_container_status_restarts_total{namespace=~\"$namespace\",pod=~\"$pod\"}[1h])) by (namespace,container)>0", + "instant": false, + "interval": "1h", + "legendFormat": "{{namespace}}/{{container}}", + "range": true, + "refId": "A" + } + ], + "title": "Pod restarts per hour", + "type": "timeseries" + } + ], + "refresh": "5s", + "schemaVersion": 39, + "tags": [ + "kubecost", + "utilization", + "metrics" + ], + "templating": { + "list": [ + { + "current": { + "selected": false, + "text": "Prometheus", + "value": "PBFA97CFB590B2093" + }, + "hide": 0, + "includeAll": false, + "multi": false, + "name": "datasource", + "options": [], + "query": "prometheus", + "queryValue": "", + "refresh": 1, + "regex": "", + "skipUrlSync": false, + "type": "datasource" + }, + { + "current": { + "selected": true, + "text": "kubecost", + "value": "kubecost" + }, + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "definition": "label_values(kube_namespace_labels,namespace)", + "hide": 0, + "includeAll": true, + "multi": false, + "name": "namespace", + "options": [], + "query": { + "qryType": 1, + "query": "label_values(kube_namespace_labels,namespace)", + "refId": "PrometheusVariableQueryEditor-VariableQuery" + }, + "refresh": 1, + "regex": "", + "skipUrlSync": false, + "sort": 5, + "type": "query" + }, + { + "current": { + "selected": false, + "text": "All", + "value": "$__all" + }, + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "definition": "label_values(kube_pod_owner{namespace=~\"$namespace\"},pod)", + "hide": 0, + "includeAll": true, + "multi": false, + "name": "pod", + "options": [], + "query": { + "qryType": 1, + "query": "label_values(kube_pod_owner{namespace=~\"$namespace\"},pod)", + "refId": "PrometheusVariableQueryEditor-VariableQuery" + }, + "refresh": 1, + "regex": "", + "skipUrlSync": false, + "sort": 5, + "type": "query" + }, + { + "current": { + "selected": false, + "text": "All", + "value": "$__all" + 
}, + "datasource": { + "type": "prometheus", + "uid": "PBFA97CFB590B2093" + }, + "definition": "label_values({namespace=~\"$namespace\", pod=~\"$pod\"},container)", + "hide": 0, + "includeAll": true, + "multi": false, + "name": "container", + "options": [], + "query": { + "qryType": 1, + "query": "label_values({namespace=~\"$namespace\", pod=~\"$pod\"},container)", + "refId": "PrometheusVariableQueryEditor-VariableQuery" + }, + "refresh": 1, + "regex": "", + "skipUrlSync": false, + "sort": 5, + "type": "query" + } + ] + }, + "time": { + "from": "now-6h", + "to": "now" + }, + "timepicker": {}, + "timezone": "", + "title": "Workload Metrics", + "uid": "kubecost-workload-metrics", + "version": 1, + "weekStart": "" +} \ No newline at end of file diff --git a/charts/kubecost/cost-analyzer/templates/NOTES.txt b/charts/kubecost/cost-analyzer/templates/NOTES.txt index 31ff29873..21bd8b1cd 100644 --- a/charts/kubecost/cost-analyzer/templates/NOTES.txt +++ b/charts/kubecost/cost-analyzer/templates/NOTES.txt @@ -7,6 +7,7 @@ {{- include "azureCloudIntegrationCheck" . -}} {{- include "federatedStorageConfigSecretCheck" . -}} {{- include "prometheusRetentionCheck" . -}} +{{- include "clusterIDCheck" . -}} {{- $servicePort := .Values.service.port | default 9090 }} Kubecost {{ .Chart.Version }} has been successfully installed. @@ -22,3 +23,5 @@ Then, navigate to http://localhost:{{ $servicePort }} in a web browser. Please allow 25 minutes for Kubecost to gather metrics. A progress indicator will appear at the top of the UI. Having installation issues? View our Troubleshooting Guide at http://docs.kubecost.com/troubleshoot-install + +{{- include "kubecostV2-3-notices" . -}} diff --git a/charts/kubecost/cost-analyzer/templates/_helpers.tpl b/charts/kubecost/cost-analyzer/templates/_helpers.tpl index 6f1a3c1a4..61071d6e9 100644 --- a/charts/kubecost/cost-analyzer/templates/_helpers.tpl +++ b/charts/kubecost/cost-analyzer/templates/_helpers.tpl 
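Review bot: Three datasource references in the new dashboard bypass the `${datasource}` template variable: the ingress target of the "Kubecost Top Network (egress is negative)" panel and the target of "Pod restarts per hour" carry `"uid": "prometheus"`, and the `container` variable's datasource carries the export-time `"uid": "PBFA97CFB590B2093"`. On any Grafana where the Prometheus datasource has a different uid those two panels and the container dropdown fail to resolve while the rest of the dashboard keeps working, which is hard to diagnose. Change each of them to `"uid": "${datasource}"` like the other targets. The same export-time uid is also the `current.value` of the `datasource` variable; that one should be re-resolved by Grafana at load time, but it is worth confirming on a fresh instance.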
@@ -31,6 +31,15 @@ Set important variables before starting main templates {{- end -}} {{- end -}} +{{/* +Kubecost 2.3 notices +*/}} +{{- define "kubecostV2-3-notices" -}} + {{- if (.Values.kubecostAggregator).env -}} + {{- printf "\n\n\nNotice: Issue in values detected.\nKubecost 2.3 has updated the aggregator's environment variables. Please update your Helm values to use the new key pairs.\nFor more information, see: https://docs.kubecost.com/install-and-configure/install/multi-cluster/federated-etl/aggregator#aggregator-optimizations\nIn Kubecost 2.3, kubecostAggregator.env is no longer used in favor of the new key pairs. This was done to prevent unexpected behavior and to simplify the aggregator's configuration." -}} + {{- end -}} +{{- end -}} + {{/* Kubecost 2.0 preconditions */}} @@ -165,6 +174,20 @@ ERROR: MISSING EBS-CSI DRIVER WHICH IS REQUIRED ON EKS v1.23+ TO MANAGE PERSISTE {{- end -}} {{- end -}} +{{/* +Verify a cluster_id is set in the Prometheus global config +*/}} +{{- define "clusterIDCheck" -}} + {{- if (.Values.kubecostModel).federatedStorageConfigSecret }} + {{- if not .Values.prometheus.server.clusterIDConfigmap }} + {{- if eq .Values.prometheus.server.global.external_labels.cluster_id "cluster-one" }} + {{- fail "\n\nWhen using multi-cluster Kubecost, you must specify a unique `.Values.prometheus.server.global.external_labels.cluster_id` for each cluster.\nNote this must be set even if you are using your own Prometheus or another identifier.\n" -}} + {{- end -}} + {{- end -}} + {{- end -}} +{{- end -}} + + {{/* Verify the cloud integration secret exists with the expected key when cloud integration is enabled. Skip the check if CI/CD is enabled and skipSanityChecks is set. Argo CD, for example, does not 
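Review bot: `kubecostV2-3-notices` only prints a notice when `kubecostAggregator.env` is still set, but the `range` that used to emit those keys is removed in the `@@ -1048` hunk of this file, so leftover values are now silently dropped from the aggregator's environment; NOTES output is easy to miss in CI/GitOps installs. If the intent is to stop users from running a half-migrated configuration, a hard stop consistent with `clusterIDCheck` would be safer, e.g. `{{- fail "kubecostAggregator.env is no longer used as of Kubecost 2.3; migrate to the explicit kubecostAggregator.* keys" -}}`. If the soft notice is deliberate to ease upgrades, a short comment on the define saying so would stop the next reader from "fixing" it.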
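Review bot: `clusterIDCheck` dereferences `.Values.prometheus.server.global.external_labels.cluster_id` directly, so a values file that omits `global` or `external_labels` (plausible in the bring-your-own-Prometheus case the failure message itself mentions) aborts with a nil-pointer template error instead of the intended message; the neighbouring helpers use the `(.Values.x).y` safe-navigation form for exactly this reason. It also only catches the literal `"cluster-one"` default, so an empty or unset cluster_id passes the check. Both can be closed in one line: `{{- if eq ((((.Values.prometheus.server).global).external_labels).cluster_id | default "cluster-one") "cluster-one" }}`. The helper is complete within this hunk.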
@@ -888,7 +911,11 @@ Begin Kubecost 2.0 templates periodSeconds: {{ .Values.kubecostAggregator.readinessProbe.periodSeconds }} failureThreshold: {{ .Values.kubecostAggregator.readinessProbe.failureThreshold }} {{- end }} + {{- if .Values.kubecostAggregator.imagePullPolicy }} + imagePullPolicy: {{ .Values.kubecostAggregator.imagePullPolicy }} + {{- else }} imagePullPolicy: Always + {{- end }} args: ["waterfowl"] ports: - name: tcp-api @@ -933,6 +960,10 @@ Begin Kubecost 2.0 templates - name: productkey-secret mountPath: /var/configs/productkey {{- end }} + {{- if and ((.Values.kubecostProductConfigs).smtp).secretname (eq (include "aggregator.deployMethod" .) "statefulset") }} + - name: smtp-secret + mountPath: /var/configs/smtp + {{- end }} {{- if .Values.saml }} {{- if .Values.saml.enabled }} {{- if .Values.saml.secretName }} @@ -969,6 +1000,12 @@ Begin Kubecost 2.0 templates {{- end }} {{- end }} {{- end }} + {{- if .Values.global.integrations.postgres.enabled }} + - name: postgres-creds + mountPath: /var/configs/integrations/postgres-creds + - name: postgres-queries + mountPath: /var/configs/integrations/postgres-queries + {{- end }} {{- /* Only adds extraVolumeMounts if aggregator is running as its own pod */}} {{- if and .Values.kubecostAggregator.extraVolumeMounts (eq (include "aggregator.deployMethod" .) "statefulset") }} {{- toYaml .Values.kubecostAggregator.extraVolumeMounts | nindent 4 }} 
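Review bot: The `smtp-secret` mount added in the `@@ -933` hunk is gated on the aggregator running as a statefulset, but the only `smtp-secret` volume this chunk defines is in cost-analyzer-deployment-template.yaml (its `@@ -137` hunk), and the aggregator-statefulset.yaml hunk in this diff adds only the postgres volumes; unless the statefulset gains the volume elsewhere in the commit, the aggregator pod will be rejected for mounting an undefined volume whenever `kubecostProductConfigs.smtp.secretname` is set. Please confirm the statefulset side. Separately, the `imagePullPolicy` if/else in the `@@ -888` hunk (repeated in `@@ -1152`) collapses to one line, `imagePullPolicy: {{ .Values.kubecostAggregator.imagePullPolicy | default "Always" }}`, which matches how the rest of the template expresses defaults.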
@@ -989,6 +1026,14 @@ Begin Kubecost 2.0 templates - name: PRODUCT_KEY_MOUNT_PATH value: {{ .Values.kubecostProductConfigs.productKey.mountPath }} {{- end }} + {{- if and ((.Values.kubecostProductConfigs).smtp).mountPath (eq (include "aggregator.deployMethod" .) "statefulset") }} + - name: SMTP_CONFIG_MOUNT_PATH + value: {{ .Values.kubecostProductConfigs.smtp.mountPath }} + {{- end }} + {{- if .Values.smtpConfigmapName }} + - name: SMTP_CONFIGMAP_NAME + value: {{ .Values.smtpConfigmapName }} + {{- end }} {{- if (gt (int .Values.kubecostAggregator.numDBCopyPartitions) 0) }} - name: NUM_DB_COPY_CHUNKS value: {{ .Values.kubecostAggregator.numDBCopyPartitions | quote }} @@ -1003,10 +1048,20 @@ Begin Kubecost 2.0 templates - name: ETL_PATH_PREFIX value: "/var/db" {{- end }} - - name: ETL_ENABLED - value: "false" # this container should never run KC's concept of "ETL" - name: CLOUD_PROVIDER_API_KEY value: "AIzaSyDXQPG_MHUEy9neR7stolq6l0ujXmjJlvk" # The GCP Pricing API key.This GCP api key is expected to be here and is limited to accessing google's billing API.' + {{- if .Values.global.integrations.postgres.enabled }} + - name: AGGREGATOR_ADDRESS + {{- if or .Values.saml.enabled .Values.oidc.enabled }} + value: localhost:9008 + {{- else }} + value: localhost:9004 + {{- end }} + - name: INT_PG_ENABLED + value: "true" + - name: INT_PG_RUN_INTERVAL + value: {{ quote .Values.global.integrations.postgres.runInterval }} + {{- end }} - name: READ_ONLY value: {{ (quote .Values.readonly) | default (quote false) }} {{- if .Values.systemProxy.enabled }} 
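Review bot: The `@@ -1003` hunk removes `ETL_ENABLED: "false"` together with the comment that the aggregator container should never run ETL, and nothing on the new side replaces it, so the container's ETL behaviour now falls back to whatever the image defaults to; if that default is anything but false this is a silent behavioural change, and if the removal is intentional the reason belongs in the commit message or in a comment where the variable used to be. The same applies to `CLOUD_COST_ENABLED: "false"` dropped from the cost-analyzer deployment (`@@ -707` hunk). In the new postgres block, `or .Values.saml.enabled .Values.oidc.enabled` will error on a values file without a `saml` map, which the `{{- if .Values.saml }}` guard in the volume-mount section of the previous line suggests is possible; `or (.Values.saml).enabled (.Values.oidc).enabled` avoids that.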
@@ -1048,10 +1103,26 @@ Begin Kubecost 2.0 templates value: "true" {{- end }} {{- end }} - {{- range $key, $value := .Values.kubecostAggregator.env }} - - name: {{ $key | quote }} - value: {{ $value | quote }} + - name: LOG_LEVEL + value: {{ .Values.kubecostAggregator.logLevel }} + - name: DB_COPY_FULL + value: {{ (quote .Values.kubecostAggregator.dbCopyFull) | default (quote true) }} + - name: DB_READ_THREADS + value: {{ .Values.kubecostAggregator.dbReadThreads | quote }} + - name: DB_WRITE_THREADS + value: {{ .Values.kubecostAggregator.dbWriteThreads | quote }} + - name: DB_CONCURRENT_INGESTION_COUNT + value: {{ .Values.kubecostAggregator.dbConcurrentIngestionCount | quote }} + {{- if ne .Values.kubecostAggregator.dbMemoryLimit "0GB" }} + - name: DB_MEMORY_LIMIT + value: {{ .Values.kubecostAggregator.dbMemoryLimit | quote }} {{- end }} + {{- if ne .Values.kubecostAggregator.dbWriteMemoryLimit "0GB" }} + - name: DB_WRITE_MEMORY_LIMIT + value: {{ .Values.kubecostAggregator.dbWriteMemoryLimit | quote }} + {{- end }} + - name: ETL_DAILY_STORE_DURATION_DAYS + value: {{ .Values.kubecostAggregator.etlDailyStoreDurationDays | quote }} - name: KUBECOST_NAMESPACE value: {{ .Release.Namespace }} {{- if .Values.oidc.enabled }} @@ -1152,7 +1223,11 @@ Begin Kubecost 2.0 templates periodSeconds: {{ .Values.kubecostAggregator.cloudCost.readinessProbe.periodSeconds }} failureThreshold: {{ .Values.kubecostAggregator.cloudCost.readinessProbe.failureThreshold }} {{- end }} + {{- if .Values.kubecostAggregator.imagePullPolicy }} + imagePullPolicy: {{ .Values.kubecostAggregator.imagePullPolicy }} + {{- else }} imagePullPolicy: Always + {{- end }} args: ["cloud-cost"] ports: - name: tcp-api 
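Review bot: `LOG_LEVEL` is rendered as `value: {{ .Values.kubecostAggregator.logLevel }}` while every sibling env var in this hunk goes through `| quote`; an unset or numeric-looking value produces an empty or non-string `value:`, which the API server rejects for env entries. Use `value: {{ .Values.kubecostAggregator.logLevel | quote }}` for consistency. The `ne ... "0GB"` guards on `dbMemoryLimit` and `dbWriteMemoryLimit` assume both keys are always present in values.yaml (not visible here); if a user removes one, comparing nil with a string behaves differently across Helm/Go versions, so a `default "0GB"` ahead of the `ne` would make the guard robust.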
@@ -1208,7 +1283,7 @@ Begin Kubecost 2.0 templates value: "true" {{- end}} - name: ETL_DAILY_STORE_DURATION_DAYS - value: {{ (quote .Values.kubecostModel.etlDailyStoreDurationDays) | default (quote 91) }} + value: {{ (quote .Values.kubecostModel.etlDailyStoreDurationDays) }} - name: CLOUD_COST_REFRESH_RATE_HOURS value: {{ .Values.kubecostAggregator.cloudCost.refreshRateHours | default 6 | quote }} - name: CLOUD_COST_QUERY_WINDOW_DAYS @@ -1217,16 +1292,6 @@ Begin Kubecost 2.0 templates value: {{ .Values.kubecostAggregator.cloudCost.runWindowDays | default 3 | quote }} - name: CUSTOM_COST_ENABLED value: {{ .Values.kubecostModel.plugins.enabled | quote }} - {{- with .Values.kubecostModel.cloudCost }} - {{- with .labelList }} - - name: CLOUD_COST_IS_INCLUDE_LIST - value: {{ (quote .IsIncludeList) | default (quote false) }} - - name: CLOUD_COST_LABEL_LIST - value: {{ (quote .labels) }} - {{- end }} - - name: CLOUD_COST_TOP_N - value: {{ (quote .topNItems) | default (quote 1000) }} - {{- end }} {{- range $key, $value := .Values.kubecostAggregator.cloudCost.env }} - name: {{ $key | quote }} value: {{ $value | quote }} @@ -1371,10 +1436,26 @@ for more information {{- end -}} {{- end -}} -{{- define "pluginsEnabled" }} -{{- if ((.Values.kubecostModel.plugins).install).enabled}} +{{- define "forecastingEnabled" }} +{{- if (.Values.forecasting).enabled }} {{- printf "true" -}} {{- else -}} {{- printf "false" -}} {{- end -}} -{{- end -}} \ No newline at end of file +{{- end -}} + +{{- define "pluginsEnabled" }} +{{- if (.Values.kubecostModel.plugins).enabled }} +{{- printf "true" -}} +{{- else -}} +{{- printf "false" -}} +{{- end -}} +{{- end -}} + +{{- define "carbonEstimatesEnabled" }} +{{- if ((.Values.kubecostProductConfigs).carbonEstimates) }} +{{- printf "true" -}} +{{- else -}} +{{- printf "false" -}} +{{- end -}} +{{- end -}} 
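Review bot: `carbonEstimatesEnabled` tests the truthiness of the `kubecostProductConfigs.carbonEstimates` key itself, whereas the two sibling helpers in the same hunk (`forecastingEnabled`, `pluginsEnabled`) test `.enabled`; if `carbonEstimates` is a map, `carbonEstimates: {enabled: false}` would render "true". If it is a plain bool that is fine, but a one-line comment on the define, `{{/* carbonEstimates is a bool, not a map */}}`, would remove the ambiguity. In the `@@ -1208` hunk the `| default (quote 91)` fallback for `ETL_DAILY_STORE_DURATION_DAYS` is dropped; since `quote` of an unset value yields an empty string, the line renders as an empty `value:` unless values.yaml now always defines `kubecostModel.etlDailyStoreDurationDays`, which this chunk cannot confirm.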
diff --git a/charts/kubecost/cost-analyzer/templates/aggregator-cloud-cost-deployment.yaml b/charts/kubecost/cost-analyzer/templates/aggregator-cloud-cost-deployment.yaml index d9a70821b..b1baf2ff2 100644 --- a/charts/kubecost/cost-analyzer/templates/aggregator-cloud-cost-deployment.yaml +++ b/charts/kubecost/cost-analyzer/templates/aggregator-cloud-cost-deployment.yaml @@ -101,12 +101,22 @@ spec: {{- end }} - name: plugins-dir emptyDir: {} + {{- if and (not .Values.kubecostModel.plugins.existingCustomSecret.enabled) .Values.kubecostModel.plugins.secretName }} - name: plugins-config secret: - secretName: {{ .Values.kubecostModel.plugins.configSecret }} + secretName: {{ .Values.kubecostModel.plugins.secretName }} items: - key: datadog_config.json path: datadog_config.json + {{- end }} + {{- if .Values.kubecostModel.plugins.existingCustomSecret.enabled }} + - name: plugins-config + secret: + secretName: {{ .Values.kubecostModel.plugins.existingCustomSecret.name }} + items: + - key: datadog_config.json + path: datadog_config.json + {{- end }} - name: tmp emptyDir: {} {{- end }} diff --git a/charts/kubecost/cost-analyzer/templates/aggregator-servicemonitor.yaml b/charts/kubecost/cost-analyzer/templates/aggregator-servicemonitor.yaml new file mode 100644 index 000000000..670ae4794 --- /dev/null +++ b/charts/kubecost/cost-analyzer/templates/aggregator-servicemonitor.yaml 
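Review bot: The `plugins-config` volume now keys on `kubecostModel.plugins.secretName`, replacing `configSecret`, with no fallback; a user who still sets `configSecret` and leaves `existingCustomSecret.enabled` false gets no `plugins-config` volume at all, and the container's mount of it (outside this hunk) would then make the pod fail validation. A `default` on the old key, or a `fail` in the preconditions helper, would turn that into an explicit error. The two branches also render identical volume bodies and differ only in the secret name, so computing the name once removes the duplication; the same structure is repeated in cost-analyzer-deployment-template.yaml (`@@ -70` hunk).

```yaml
      - name: plugins-dir
        emptyDir: {}
      {{- $pluginsSecret := ternary .Values.kubecostModel.plugins.existingCustomSecret.name (.Values.kubecostModel.plugins.secretName | default .Values.kubecostModel.plugins.configSecret) .Values.kubecostModel.plugins.existingCustomSecret.enabled }}
      {{- if $pluginsSecret }}
      - name: plugins-config
        secret:
          secretName: {{ $pluginsSecret }}
          items:
            - key: datadog_config.json
              path: datadog_config.json
      {{- end }}
      # … unchanged: tmp emptyDir volume …
```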
@@ -0,0 +1,31 @@
+{{- if .Values.serviceMonitor.aggregatorMetrics.enabled }}
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+ name: {{ include "aggregator.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{ include "aggregator.commonLabels" . | nindent 4 }}
+ {{- if .Values.serviceMonitor.aggregatorMetrics.additionalLabels }}
+ {{ toYaml .Values.serviceMonitor.aggregatorMetrics.additionalLabels | nindent 4 }}
+ {{- end }}
+spec:
+ endpoints:
+ - port: tcp-api
+ interval: {{ .Values.serviceMonitor.aggregatorMetrics.interval }}
+ scrapeTimeout: {{ .Values.serviceMonitor.aggregatorMetrics.scrapeTimeout }}
+ path: /metrics
+ scheme: http
+ {{- with .Values.serviceMonitor.aggregatorMetrics.metricRelabelings }}
+ metricRelabelings: {{ toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.serviceMonitor.aggregatorMetrics.relabelings }}
+ relabelings: {{ toYaml . | nindent 8 }}
+ {{- end }}
+ namespaceSelector:
+ matchNames:
+ - {{ .Release.Namespace }}
+ selector:
+ matchLabels:
+ {{- include "aggregator.commonLabels" . | nindent 6 }}
+{{- end }}
diff --git a/charts/kubecost/cost-analyzer/templates/aggregator-statefulset.yaml b/charts/kubecost/cost-analyzer/templates/aggregator-statefulset.yaml
index 713ff2f56..bea16d077 100644
--- a/charts/kubecost/cost-analyzer/templates/aggregator-statefulset.yaml
+++ b/charts/kubecost/cost-analyzer/templates/aggregator-statefulset.yaml
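Review bot: The ServiceMonitor is gated only on `serviceMonitor.aggregatorMetrics.enabled`, so on a cluster without the Prometheus Operator CRDs an install with the flag set fails at apply time; pairing the guard with `.Capabilities.APIVersions.Has "monitoring.coreos.com/v1"`, or at least documenting the prerequisite next to the values key, is the usual approach. `interval` and `scrapeTimeout` are rendered unconditionally, so either key left unset in values produces an empty field the CRD schema rejects; wrapping each in `{{- with }}` or adding a `default` avoids that. The scrape uses `scheme: http` against the `tcp-api` port with no auth configured, which is only appropriate if the aggregator's `/metrics` path is meant to be readable by anything that can reach the service; a comment stating that assumption would help the next reviewer. The `{{ include "aggregator.commonLabels" . | nindent 4 }}` under `labels:` lacks the leading `{{-` the other includes use and emits an extra blank line.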
@@ -148,6 +148,18 @@ spec:
 {{- end }}
 {{- end }}
 {{- end }}
+ {{- if .Values.global.integrations.postgres.enabled }}
+ - name: postgres-creds
+ secret:
+ {{- if not (eq .Values.global.integrations.postgres.databaseSecretName "") }}
+ secretName: {{ .Values.global.integrations.postgres.databaseSecretName }}
+ {{- else }}
+ secretName: kubecost-integrations-postgres
+ {{- end }}
+ - name: postgres-queries
+ configMap:
+ name: kubecost-integrations-postgres-queries
+ {{- end }}
 {{- if .Values.kubecostAggregator.extraVolumes }}
 {{- toYaml .Values.kubecostAggregator.extraVolumes | nindent 8 }}
 {{- end }}
diff --git a/charts/kubecost/cost-analyzer/templates/awsstore-deployment-template.yaml b/charts/kubecost/cost-analyzer/templates/awsstore-deployment-template.yaml
index ada60fa01..6a1eb5f8e 100644
--- a/charts/kubecost/cost-analyzer/templates/awsstore-deployment-template.yaml
+++ b/charts/kubecost/cost-analyzer/templates/awsstore-deployment-template.yaml
@@ -7,6 +7,9 @@ metadata:
 namespace: {{ .Release.Namespace }}
 labels:
 {{- include "cost-analyzer.commonLabels" . | nindent 4 }}
+ {{- with .Values.global.additionalLabels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
 spec:
 selector:
 matchLabels:
@@ -20,6 +23,9 @@ spec:
 metadata:
 labels:
 app: awsstore
+ {{- with .Values.global.additionalLabels }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
 {{- with .Values.global.podAnnotations}}
 annotations:
 {{- toYaml . | nindent 8 }}
diff --git a/charts/kubecost/cost-analyzer/templates/cost-analyzer-cluster-role-template.yaml b/charts/kubecost/cost-analyzer/templates/cost-analyzer-cluster-role-template.yaml
index ec431857e..a76d2fe55 100644
--- a/charts/kubecost/cost-analyzer/templates/cost-analyzer-cluster-role-template.yaml
+++ b/charts/kubecost/cost-analyzer/templates/cost-analyzer-cluster-role-template.yaml
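Review bot: The `postgres-creds` volume's `if not (eq … "")` / `else` pair can be a single `secretName: {{ .Values.global.integrations.postgres.databaseSecretName | default "kubecost-integrations-postgres" }}`, which also keeps the hardcoded fallback in one place. That fallback secret name and the `kubecost-integrations-postgres-queries` configmap must match whatever creates them, which is not in this chunk. Since the volume carries database credentials, a `defaultMode: 0400` on the secret volume limits the file to the container's user instead of the 0644 default.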
@@ -16,6 +16,15 @@ rules: - get - list - watch +- apiGroups: + - '' + resources: + - configmaps + verbs: + - get + - list + - watch + - update --- {{- end }} apiVersion: rbac.authorization.k8s.io/v1 diff --git a/charts/kubecost/cost-analyzer/templates/cost-analyzer-deployment-template.yaml b/charts/kubecost/cost-analyzer/templates/cost-analyzer-deployment-template.yaml index 9201d1689..7d9d2ee46 100644 --- a/charts/kubecost/cost-analyzer/templates/cost-analyzer-deployment-template.yaml +++ b/charts/kubecost/cost-analyzer/templates/cost-analyzer-deployment-template.yaml @@ -6,6 +6,9 @@ metadata: namespace: {{ .Release.Namespace }} labels: {{- include "cost-analyzer.commonLabels" . | nindent 4 }} + {{- with .Values.global.additionalLabels }} + {{- toYaml . | nindent 4 }} + {{- end }} {{- if and .Values.kubecostDeployment .Values.kubecostDeployment.labels }} {{- toYaml .Values.kubecostDeployment.labels | nindent 4 }} {{- end }} @@ -70,12 +73,22 @@ spec: {{- if .Values.kubecostModel.plugins.enabled }} - name: plugins-dir emptyDir: {} + {{- if and (not .Values.kubecostModel.plugins.existingCustomSecret.enabled) .Values.kubecostModel.plugins.secretName }} - name: plugins-config secret: - secretName: {{ .Values.kubecostModel.plugins.configSecret }} + secretName: {{ .Values.kubecostModel.plugins.secretName }} items: - key: datadog_config.json path: datadog_config.json + {{- end }} + {{- if .Values.kubecostModel.plugins.existingCustomSecret.enabled }} + - name: plugins-config + secret: + secretName: {{ .Values.kubecostModel.plugins.existingCustomSecret.name }} + items: + - key: datadog_config.json + path: datadog_config.json + {{- end }} {{- if .Values.kubecostModel.plugins.install.enabled}} - name: install-script configMap: 
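Review bot: The new rule grants `get`/`list`/`watch`/`update` on every ConfigMap in the cluster, since it sits in the ClusterRole (the enclosing conditional opens outside this hunk); if the only consumer is the `prometheus.server.clusterIDConfigmap` referenced in `_helpers.tpl`, that is broader than needed, and cluster-wide `update` means a compromised cost-analyzer pod could alter other workloads' configuration. A namespaced Role bound in the release namespace, or at minimum a comment on the rule naming the configmap it exists for, keeps the grant explainable. If a cluster-wide read really is required, `update` alone could still move to a namespaced Role.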
@@ -137,6 +150,14 @@ spec: - key: productkey.json path: productkey.json {{- end }} + {{- if ((.Values.kubecostProductConfigs).smtp).secretname }} + - name: smtp-secret + secret: + secretName: {{ .Values.kubecostProductConfigs.smtp.secretname }} + items: + - key: smtp.json + path: smtp.json + {{- end }} {{- if .Values.kubecostProductConfigs }} {{- if .Values.kubecostProductConfigs.gcpSecretName }} - name: gcp-key-secret @@ -512,9 +533,11 @@ spec: - name: tcp-model containerPort: 9003 protocol: TCP + {{- if and .Values.kubecostFrontend.enabled (not .Values.federatedETL.agentOnly) (not (eq (include "frontend.deployMethod" .) "haMode")) }} - name: tcp-frontend containerPort: 9090 protocol: TCP + {{- end }} {{- with .Values.kubecostModel.extraPorts }} {{- toYaml . | nindent 10 }} {{- end }} @@ -580,6 +603,10 @@ spec: - name: productkey-secret mountPath: /var/configs/productkey {{- end }} + {{- if ((.Values.kubecostProductConfigs).smtp).secretname }} + - name: smtp-secret + mountPath: /var/configs/smtp + {{- end }} {{- if .Values.kubecostProductConfigs.gcpSecretName }} - name: gcp-key-secret mountPath: /var/secrets @@ -588,11 +615,6 @@ spec: - name: azure-storage-config mountPath: /var/azure-storage-config {{- end }} - # TODO remove this if-clause when CloudCost has been removed from Opencost Cost-Model - {{- if or (.Values.kubecostProductConfigs).cloudIntegrationSecret (.Values.kubecostProductConfigs).cloudIntegrationJSON ((.Values.kubecostProductConfigs).athenaBucketName) }} - - name: cloud-integration - mountPath: /var/configs/cloud-integration - {{- end }} {{- if or .Values.kubecostProductConfigs.serviceKeySecretName .Values.kubecostProductConfigs.createServiceKeySecret }} - name: service-key-secret mountPath: /var/secrets 
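Review bot: The new `smtp-secret` volumeMount is hard-coded to `/var/configs/smtp`, while the `SMTP_CONFIG_MOUNT_PATH` env var added in the `@@ -732,6 +756,10 @@` hunk of this same file takes `.Values.kubecostProductConfigs.smtp.mountPath`; a user who sets `mountPath` to anything else gets a container that looks for `smtp.json` where nothing is mounted. Use the same source on both sides, e.g. `mountPath: {{ .Values.kubecostProductConfigs.smtp.mountPath | default "/var/configs/smtp" }}`. The values key `smtp.secretname` is also the only lowercase `secretname` in a file that otherwise uses `gcpSecretName` and `serviceKeySecretName`; `secretName` would match the existing convention.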
@@ -668,6 +690,10 @@ spec: - name: PRODUCT_CONFIGMAP_NAME value: {{ .Values.productConfigmapName }} {{- end }} + {{- if .Values.smtpConfigmapName }} + - name: SMTP_CONFIGMAP_NAME + value: {{ .Values.smtpConfigmapName }} + {{- end }} {{- if .Values.appConfigmapName }} - name: APP_CONFIGMAP_NAME value: {{ .Values.appConfigmapName }} @@ -707,8 +733,6 @@ spec: configMapKeyRef: name: {{ template "cost-analyzer.fullname" . }} key: prometheus-server-endpoint - - name: CLOUD_COST_ENABLED - value: "false" - name: CLOUD_PROVIDER_API_KEY value: "AIzaSyDXQPG_MHUEy9neR7stolq6l0ujXmjJlvk" # The GCP Pricing API key.This GCP api key is expected to be here and is limited to accessing google's billing API. {{- if .Values.kubecostProductConfigs }} @@ -732,6 +756,10 @@ spec: - name: PRODUCT_KEY_MOUNT_PATH value: {{ .Values.kubecostProductConfigs.productKey.mountPath }} {{- end }} + {{- if ((.Values.kubecostProductConfigs).smtp).mountPath }} + - name: SMTP_CONFIG_MOUNT_PATH + value: {{ .Values.kubecostProductConfigs.smtp.mountPath }} + {{- end }} {{- if .Values.kubecostProductConfigs.ingestPodUID }} - name: INGEST_POD_UID value: {{ (quote .Values.kubecostProductConfigs.ingestPodUID) }} 
@@ -818,18 +846,10 @@ spec: {{- end }} - name: LEGACY_EXTERNAL_API_DISABLED value: {{ (quote .Values.kubecostModel.legacyOutOfClusterAPIDisabled) | default (quote false) }} - - name: OUT_OF_CLUSTER_PROM_METRICS_ENABLED - value: {{ (quote .Values.kubecostModel.outOfClusterPromMetricsEnabled) | default (quote false) }} - name: CACHE_WARMING_ENABLED value: {{ (quote .Values.kubecostModel.warmCache) | default (quote true) }} - name: SAVINGS_ENABLED value: {{ (quote .Values.kubecostModel.warmSavingsCache) | default (quote true) }} - - name: ETL_ENABLED - value: {{ (quote .Values.kubecostModel.etl) | default (quote true) }} - {{- if .Values.kubecostModel.etlReadOnlyMode }} - - name: ETL_READ_ONLY - value: "true" - {{- end }} {{- if $etlBackupBucketSecret }} - name: ETL_BUCKET_CONFIG value: "/var/configs/etl/object-store.yaml" @@ -840,7 +860,11 @@ spec: {{- end }} {{- if or .Values.federatedETL.federatedCluster .Values.kubecostModel.federatedStorageConfigSecret }} - name: FEDERATED_CLUSTER + {{- if eq .Values.federatedETL.readOnlyPrimary true }} + value: "false" + {{- else }} value: "true" + {{- end }} {{- end }} {{- if .Values.federatedETL.redirectS3Backup }} - name: FEDERATED_REDIRECT_BACKUP @@ -850,18 +874,6 @@ spec: - name: CURRENT_CLUSTER_ID_FILTER_ENABLED value: "true" {{- end }} - - name: ETL_STORE_READ_ONLY - value: {{ (quote .Values.kubecostModel.etlStoreReadOnly) | default (quote false) }} - - name : ETL_CLOUD_USAGE_ENABLED - {{- if kindIs "bool" .Values.kubecostModel.etlCloudUsage }} - value: {{ (quote .Values.kubecostModel.etlCloudUsage) }} - {{- else if kindIs "bool" .Values.kubecostModel.etlCloudAsset }} - value: {{ (quote .Values.kubecostModel.etlCloudAsset) }} - {{- else }} - value: "false" - {{- end }} - - name: CLOUD_ASSETS_EXCLUDE_PROVIDER_ID - value: {{ (quote .Values.kubecostModel.cloudAssetsExcludeProviderID) | default (quote false) }} {{- if .Values.persistentVolume.dbPVEnabled }} - name: ETL_PATH_PREFIX value: "/var/db" 
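Review bot: The new branch tests `{{- if eq .Values.federatedETL.readOnlyPrimary true }}` while the neighbouring switches in the same hunk (`.Values.federatedETL.redirectS3Backup`, `.Values.federatedETL.federatedCluster`) use plain truthiness; `{{- if .Values.federatedETL.readOnlyPrimary }}` is the consistent form and does not depend on how `eq` treats an unset key. A short comment such as `# A read-only primary must not act as the federated writer` would help, since `FEDERATED_CLUSTER: "false"` no longer describes what is being toggled.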
@@ -871,7 +883,7 @@ spec: - name: ETL_MAX_PROMETHEUS_QUERY_DURATION_MINUTES value: {{ (quote .Values.kubecostModel.maxPrometheusQueryDurationMinutes) | default (quote 1440) }} - name: ETL_DAILY_STORE_DURATION_DAYS - value: {{ (quote .Values.kubecostModel.etlDailyStoreDurationDays) | default (quote 91) }} + value: {{ (quote .Values.kubecostModel.etlDailyStoreDurationDays) }} - name: ETL_HOURLY_STORE_DURATION_HOURS value: {{ (quote .Values.kubecostModel.etlHourlyStoreDurationHours) | default (quote 49) }} - name: ETL_WEEKLY_STORE_DURATION_WEEKS @@ -880,8 +892,7 @@ spec: value: {{ (quote .Values.kubecostModel.etlFileStoreEnabled) | default (quote true) }} - name: ETL_ASSET_RECONCILIATION_ENABLED value: {{ (quote .Values.kubecostModel.etlAssetReconciliationEnabled) | default (quote true) }} - - name: ETL_USE_UNBLENDED_COST - value: {{ (quote .Values.kubecostModel.etlUseUnblendedClost) | default (quote false) }} + {{- if .Values.kubecostModel }} {{- if .Values.kubecostModel.allocation }} {{- if .Values.kubecostModel.allocation.nodeLabels }} diff --git a/charts/kubecost/cost-analyzer/templates/cost-analyzer-frontend-config-map-template.yaml b/charts/kubecost/cost-analyzer/templates/cost-analyzer-frontend-config-map-template.yaml index df952b8b1..c356c2998 100644 --- a/charts/kubecost/cost-analyzer/templates/cost-analyzer-frontend-config-map-template.yaml +++ b/charts/kubecost/cost-analyzer/templates/cost-analyzer-frontend-config-map-template.yaml 
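Review bot: `ETL_DAILY_STORE_DURATION_DAYS` loses its `| default (quote 91)` while the sibling `ETL_HOURLY_STORE_DURATION_HOURS` on the very next line keeps `| default (quote 49)`, so a values file that does not set `etlDailyStoreDurationDays` now renders an empty `value:` where it previously rendered `"91"`. If the intent is for values.yaml to own this default, the other duration lines should follow the same pattern; otherwise keep the fallback. The stray added blank line after `ETL_ASSET_RECONCILIATION_ENABLED` in the second hunk looks accidental.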
@@ -816,6 +816,22 @@ data: proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; } + location = /model/smtp { + proxy_read_timeout {{ .Values.kubecostFrontend.timeoutSeconds | default 300 }}; + proxy_pass http://aggregator/smtp; + proxy_redirect off; + proxy_set_header Connection ""; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + } + location = /model/smtp/test { + proxy_read_timeout {{ .Values.kubecostFrontend.timeoutSeconds | default 300 }}; + proxy_pass http://aggregator/smtp/test; + proxy_redirect off; + proxy_set_header Connection ""; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + } location = /model/teams { proxy_read_timeout {{ .Values.kubecostFrontend.timeoutSeconds | default 300 }}; proxy_pass http://aggregator/teams; 
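Review bot: `/model/smtp` and `/model/smtp/test` are proxied to the aggregator with the same open `location =` pattern as read-only endpoints, yet elsewhere in this diff the SMTP configuration is backed by a mounted Secret and a ConfigMap the application can `update`, so these routes are where mail-server configuration is read and written through the frontend. The hunk does nothing to restrict them; confirm the aggregator enforces whatever authentication the deployment relies on for the rest of `/model/*`, and consider a `limit_req` zone on `/model/smtp/test` if each call triggers an outbound message. A one-line comment above the block, `# SMTP settings — same auth boundary as the other /model/ routes; aggregator validates`, would document that assumption.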
@@ -968,6 +984,38 @@ data: proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; } + location = /model/debug/ingestionRecords { + proxy_read_timeout {{ .Values.kubecostFrontend.timeoutSeconds | default 300 }}; + proxy_pass http://aggregator/debug/ingestionRecords; + proxy_redirect off; + proxy_set_header Connection ""; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + } + location = /model/debug/ingestionSummary { + proxy_read_timeout {{ .Values.kubecostFrontend.timeoutSeconds | default 300 }}; + proxy_pass http://aggregator/debug/ingestionSummary; + proxy_redirect off; + proxy_set_header Connection ""; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + } + location = /model/debug/derivationRecords { + proxy_read_timeout {{ .Values.kubecostFrontend.timeoutSeconds | default 300 }}; + proxy_pass http://aggregator/debug/derivationRecords; + proxy_redirect off; + proxy_set_header Connection ""; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + } + location = /model/diagnostic/databaseDirectory { + proxy_read_timeout {{ .Values.kubecostFrontend.timeoutSeconds | default 300 }}; + proxy_pass http://aggregator/diagnostic/databaseDirectory; + proxy_redirect off; + proxy_set_header Connection ""; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + } location = /model/enablements { proxy_read_timeout 300; proxy_pass http://aggregator/enablements; 
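Review bot: The `/model/debug/*` and `/model/diagnostic/databaseDirectory` locations are added unconditionally, so introspection endpoints become reachable through the production frontend for every install. This file already wraps optional routes in `{{- if ... }}` blocks (the `forecastingEnabled` block further down is one), and the same treatment — a values flag defaulting to false around these four locations (placeholder name `debugEndpointsEnabled`) — would make them opt-in. If they are meant to be always on, a comment stating that they return diagnostic data only would let the next reviewer skip this question.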
@@ -1001,6 +1049,63 @@ data: proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; } + location = /model/getProductKey { + proxy_read_timeout 300; + proxy_pass http://aggregator/getProductKey; + proxy_redirect off; + proxy_set_header Connection ""; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + } + location = /model/setProductKey { + proxy_read_timeout 300; + proxy_pass http://aggregator/setProductKey; + proxy_redirect off; + proxy_set_header Connection ""; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + } + location = /model/trialStatus { + proxy_read_timeout 300; + proxy_pass http://aggregator/trialStatus; + proxy_redirect off; + proxy_set_header Connection ""; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + } + location = /model/startProductTrial { + proxy_read_timeout 300; + proxy_pass http://aggregator/startProductTrial; + proxy_redirect off; + proxy_set_header Connection ""; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + } + location = /model/resetProductTrial { + proxy_read_timeout 300; + proxy_pass http://aggregator/resetProductTrial; + proxy_redirect off; + proxy_set_header Connection ""; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + } + location = /model/extendProductTrial { + proxy_read_timeout 300; + proxy_pass http://aggregator/extendProductTrial; + proxy_redirect off; + proxy_set_header Connection ""; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + } + location = /model/expireProductTrial { + proxy_read_timeout 300; + proxy_pass http://aggregator/expireProductTrial; + proxy_redirect off; + proxy_set_header Connection ""; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header 
X-Forwarded-For $proxy_add_x_forwarded_for; + } + #Cloud Cost Endpoints location = /model/cloudCost/status { proxy_read_timeout {{ .Values.kubecostFrontend.timeoutSeconds | default 300 }}; @@ -1181,6 +1286,7 @@ data: return 405 '{"forecastingEnabled": "false"}'; } {{- end }} + location /model/productConfigs { default_type 'application/json'; add_header 'Access-Control-Allow-Origin' '*' always; @@ -1193,10 +1299,14 @@ data: "costEventsAuditEnabled": "{{ template "costEventsAuditEnabled" . }}", "frontendDeployMethod": "{{ template "frontend.deployMethod" . }}", "pluginsEnabled": "{{ template "pluginsEnabled" . }}", - "clusterControllerEnabled": "{{ template "clusterControllerEnabled" . }}" + "carbonEstimatesEnabled": "{{ template "carbonEstimatesEnabled" . }}", + "clusterControllerEnabled": "{{ template "clusterControllerEnabled" . }}", + "forecastingEnabled": "{{ template "forecastingEnabled" . }}", + "chartVersion": "2.3.1" } '; } } + {{- end }} {{- end }} diff --git a/charts/kubecost/cost-analyzer/templates/cost-analyzer-servicemonitor-template.yaml b/charts/kubecost/cost-analyzer/templates/cost-analyzer-servicemonitor-template.yaml index f35fa4c17..fb3379246 100644 --- a/charts/kubecost/cost-analyzer/templates/cost-analyzer-servicemonitor-template.yaml +++ b/charts/kubecost/cost-analyzer/templates/cost-analyzer-servicemonitor-template.yaml @@ -14,8 +14,8 @@ spec: endpoints: - port: tcp-model honorLabels: true - interval: 1m - scrapeTimeout: 10s + interval: {{ .Values.serviceMonitor.interval }} + scrapeTimeout: {{ .Values.serviceMonitor.scrapeTimeout }} path: /metrics scheme: http {{- with .Values.serviceMonitor.metricRelabelings }} diff --git a/charts/kubecost/cost-analyzer/templates/cost-analyzer-smtp-configmap.yaml b/charts/kubecost/cost-analyzer/templates/cost-analyzer-smtp-configmap.yaml new file mode 100644 index 000000000..fd00091ce --- /dev/null +++ b/charts/kubecost/cost-analyzer/templates/cost-analyzer-smtp-configmap.yaml 
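Review bot: `getProductKey`, `setProductKey` and the five trial endpoints are state-bearing or state-changing license routes exposed with the same unrestricted `location =` blocks as the read-only ones, and the hunk applies no method restriction; if the aggregator only expects POST on the set/reset/extend/expire routes, `limit_except POST { deny all; }` inside those locations turns unexpected methods away at the proxy. These blocks also use a fixed `proxy_read_timeout 300;` whereas the routes added earlier in this file use `{{ .Values.kubecostFrontend.timeoutSeconds | default 300 }}`; one convention is easier to maintain. The seven blocks differ only in their path and could be emitted from a single `range` over a list.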
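Review bot: `"chartVersion": "2.3.1"` in `/model/productConfigs` is a hard-coded literal that will go stale on the next release; `"chartVersion": "{{ .Chart.Version }}"` keeps it in sync with `Chart.yaml` without manual edits. The new closing `{{- end }}` pairs with an `if` that is outside this hunk, so whether the whole `productConfigs` location is now conditional cannot be confirmed from here.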
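Review bot: `interval: {{ .Values.serviceMonitor.interval }}` and `scrapeTimeout: {{ .Values.serviceMonitor.scrapeTimeout }}` render as empty fields for anyone whose values file predates these keys, where the replaced lines guaranteed `1m` and `10s`. `interval: {{ .Values.serviceMonitor.interval | default "1m" }}` and `scrapeTimeout: {{ .Values.serviceMonitor.scrapeTimeout | default "10s" }}` preserve the previous behaviour without requiring a values change.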
@@ -0,0 +1,12 @@ + +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ default "smtp-configs" .Values.smtpConfigmapName }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "cost-analyzer.commonLabels" . | nindent 4 }} +{{- if (((.Values.kubecostProductConfigs).smtp).config) }} +data: + config: {{ .Values.kubecostProductConfigs.smtp.config | quote }} +{{- end -}} diff --git a/charts/kubecost/cost-analyzer/templates/diagnostics-deployment.yaml b/charts/kubecost/cost-analyzer/templates/diagnostics-deployment.yaml index 73fe10914..1234fa7bb 100644 --- a/charts/kubecost/cost-analyzer/templates/diagnostics-deployment.yaml +++ b/charts/kubecost/cost-analyzer/templates/diagnostics-deployment.yaml @@ -12,6 +12,9 @@ metadata: namespace: {{ .Release.Namespace }} labels: {{- include "diagnostics.selectorLabels" . | nindent 4 }} + {{- with .Values.global.additionalLabels }} + {{- toYaml . | nindent 4 }} + {{- end }} {{- if .Values.diagnostics.deployment.labels }} {{- toYaml .Values.diagnostics.deployment.labels | nindent 4 }} {{- end }} @@ -24,6 +27,9 @@ spec: metadata: labels: {{- include "diagnostics.selectorLabels" . | nindent 8 }} + {{- with .Values.global.additionalLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} annotations: # Generates a unique annotation upon each `helm upgrade`, forcing a redeployment {{- if not .Values.global.platforms.cicd.enabled }} diff --git a/charts/kubecost/cost-analyzer/templates/etl-utils-deployment.yaml b/charts/kubecost/cost-analyzer/templates/etl-utils-deployment.yaml index fd539c971..78aeb8ed3 100644 --- a/charts/kubecost/cost-analyzer/templates/etl-utils-deployment.yaml +++ b/charts/kubecost/cost-analyzer/templates/etl-utils-deployment.yaml 
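Review bot: The new ConfigMap stores `.Values.kubecostProductConfigs.smtp.config` verbatim, and SMTP configuration commonly carries a username and password; a ConfigMap is readable by anyone with `get configmaps`, and this same diff grants the application cluster-wide `update` on ConfigMaps. If credentials can appear in `smtp.config`, they belong in the `smtp-secret` Secret that the deployment template already mounts, with this ConfigMap limited to non-secret settings; a comment at the top of the file, `# Non-sensitive SMTP settings only; credentials go in kubecostProductConfigs.smtp.secretname`, would document that split. The object is also rendered when `smtp.config` is unset, producing an empty ConfigMap, and the leading blank added line is cosmetic.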
@@ -7,6 +7,9 @@ metadata: namespace: {{ .Release.Namespace }} labels: {{- include "etlUtils.commonLabels" . | nindent 4 }} + {{- with .Values.global.additionalLabels }} + {{- toYaml . | nindent 4 }} + {{- end }} {{- with .Values.global.podAnnotations}} annotations: {{- toYaml . | nindent 4 }} @@ -24,6 +27,9 @@ spec: app.kubernetes.io/name: {{ template "etlUtils.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} app: {{ template "etlUtils.name" . }} + {{- with .Values.global.additionalLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} spec: restartPolicy: Always volumes: diff --git a/charts/kubecost/cost-analyzer/templates/forecasting-deployment.yaml b/charts/kubecost/cost-analyzer/templates/forecasting-deployment.yaml index dec8e6316..acc8a3c7d 100644 --- a/charts/kubecost/cost-analyzer/templates/forecasting-deployment.yaml +++ b/charts/kubecost/cost-analyzer/templates/forecasting-deployment.yaml @@ -22,6 +22,9 @@ spec: app.kubernetes.io/name: forecasting app.kubernetes.io/instance: {{ .Release.Name }} app: forecasting + {{- with .Values.global.additionalLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} {{- with .Values.global.podAnnotations}} annotations: {{- toYaml . | nindent 8 }} @@ -55,7 +58,11 @@ spec: mountPath: /tmp securityContext: {{- toYaml .Values.global.containerSecurityContext | nindent 12 }} + {{- if .Values.forecasting.imagePullPolicy }} + imagePullPolicy: {{ .Values.forecasting.imagePullPolicy }} + {{- else }} imagePullPolicy: Always + {{- end }} ports: - name: tcp-api containerPort: 5000 diff --git a/charts/kubecost/cost-analyzer/templates/frontend-deployment-template.yaml b/charts/kubecost/cost-analyzer/templates/frontend-deployment-template.yaml index 950b22b67..8ba47e87e 100644 --- a/charts/kubecost/cost-analyzer/templates/frontend-deployment-template.yaml +++ b/charts/kubecost/cost-analyzer/templates/frontend-deployment-template.yaml 
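Review bot: The new `imagePullPolicy` if/else in the forecasting container can be a single line, `imagePullPolicy: {{ .Values.forecasting.imagePullPolicy | default "Always" }}`, which is how defaults are expressed elsewhere in these templates and avoids a four-line branch for one value. The surrounding container spec starts and ends outside the hunk.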
@@ -6,6 +6,9 @@ metadata: namespace: {{ .Release.Namespace }} labels: {{- include "cost-analyzer.commonLabels" . | nindent 4 }} + {{- with .Values.global.additionalLabels }} + {{- toYaml . | nindent 4 }} + {{- end }} {{- if and .Values.kubecostDeployment .Values.kubecostDeployment.labels }} {{- toYaml .Values.kubecostDeployment.labels | nindent 4 }} {{- end }} diff --git a/charts/kubecost/cost-analyzer/templates/grafana-attached-disk-metrics-template.yaml b/charts/kubecost/cost-analyzer/templates/grafana-dashboard-attached-disks.yaml similarity index 51% rename from charts/kubecost/cost-analyzer/templates/grafana-attached-disk-metrics-template.yaml rename to charts/kubecost/cost-analyzer/templates/grafana-dashboard-attached-disks.yaml index 2c2dee9b0..380964046 100644 --- a/charts/kubecost/cost-analyzer/templates/grafana-attached-disk-metrics-template.yaml +++ b/charts/kubecost/cost-analyzer/templates/grafana-dashboard-attached-disks.yaml @@ -1,11 +1,8 @@ -{{- if .Values.grafana -}} -{{- if .Values.grafana.sidecar -}} -{{- if .Values.grafana.sidecar.dashboards -}} -{{- if and (.Values.grafana.sidecar.dashboards.enabled ) (eq (include "cost-analyzer.grafanaEnabled" .) "true") -}} +{{- if (((.Values.grafana).sidecar).dashboards).enabled -}} apiVersion: v1 kind: ConfigMap metadata: - name: attached-disk-metrics-dashboard + name: grafana-dashboard-attached-disk-metrics {{- if $.Values.grafana.namespace_dashboards }} namespace: {{ $.Values.grafana.namespace_dashboards }} {{- end }} @@ -17,11 +14,8 @@ metadata: grafana_dashboard: "1" {{- end }} annotations: -{{ toYaml .Values.grafana.sidecar.dashboards.annotations | indent 4 }} +{{- toYaml .Values.grafana.sidecar.dashboards.annotations | nindent 4 }} data: - attached-disks.json: |- -{{ .Files.Get "attached-disks.json" | indent 8 }} -{{- end -}} -{{- end -}} -{{- end -}} -{{- end -}} + attached-disks.json: |- +{{- .Files.Get "grafana-dashboards/attached-disks.json" | nindent 4 }} +{{- end -}} \ No newline at end of file 
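Review bot: The new guard `{{- if (((.Values.grafana).sidecar).dashboards).enabled -}}` drops the `(eq (include "cost-analyzer.grafanaEnabled" .) "true")` half of the old condition, so dashboard ConfigMaps are now rendered whenever the sidecar flag is set even when the `cost-analyzer.grafanaEnabled` helper reports Grafana off; if that is deliberate it deserves a line in the chart notes, otherwise keep `{{- if and (((.Values.grafana).sidecar).dashboards).enabled (eq (include "cost-analyzer.grafanaEnabled" .) "true") -}}`. The same change is repeated in every grafana-dashboard template that follows (cluster-metrics, cluster-utilization, deployment-utilization, kubernetes-resource-efficiency, label-cost-utilization, namespace-utilization, node-utilization, pod-utilization-multi-cluster, pod-utilization, prom-benchmark), and the two new network dashboards use the same guard. Each of these files now ends without a trailing newline, which is worth restoring.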
diff --git a/charts/kubecost/cost-analyzer/templates/grafana-dashboard-cluster-metrics-template.yaml b/charts/kubecost/cost-analyzer/templates/grafana-dashboard-cluster-metrics-template.yaml index 1f6dce16e..729869176 100644 --- a/charts/kubecost/cost-analyzer/templates/grafana-dashboard-cluster-metrics-template.yaml +++ b/charts/kubecost/cost-analyzer/templates/grafana-dashboard-cluster-metrics-template.yaml @@ -1,11 +1,8 @@ -{{- if .Values.grafana -}} -{{- if .Values.grafana.sidecar -}} -{{- if .Values.grafana.sidecar.dashboards -}} -{{- if and (.Values.grafana.sidecar.dashboards.enabled ) (eq (include "cost-analyzer.grafanaEnabled" .) "true") -}} +{{- if (((.Values.grafana).sidecar).dashboards).enabled -}} apiVersion: v1 kind: ConfigMap metadata: - name: cluster-metrics-dashboard + name: grafana-dashboard-cluster-metrics {{- if $.Values.grafana.namespace_dashboards }} namespace: {{ $.Values.grafana.namespace_dashboards }} {{- end }} @@ -17,13 +14,8 @@ metadata: grafana_dashboard: "1" {{- end }} annotations: -{{ toYaml .Values.grafana.sidecar.dashboards.annotations | indent 4 }} +{{- toYaml .Values.grafana.sidecar.dashboards.annotations | nindent 4 }} data: - cluster-metrics.json: |- -{{ .Files.Get "cluster-metrics.json" | indent 8 }} -{{- end -}} -{{- end -}} -{{- end -}} -{{- end -}} - - + cluster-metrics.json: |- +{{- .Files.Get "grafana-dashboards/cluster-metrics.json" | nindent 4 }} +{{- end -}} \ No newline at end of file diff --git a/charts/kubecost/cost-analyzer/templates/grafana-dashboard-cluster-utilization-template.yaml b/charts/kubecost/cost-analyzer/templates/grafana-dashboard-cluster-utilization-template.yaml index c071de7c5..2cdbd394c 100644 --- a/charts/kubecost/cost-analyzer/templates/grafana-dashboard-cluster-utilization-template.yaml +++ b/charts/kubecost/cost-analyzer/templates/grafana-dashboard-cluster-utilization-template.yaml 
@@ -1,11 +1,8 @@ -{{- if .Values.grafana -}} -{{- if .Values.grafana.sidecar -}} -{{- if .Values.grafana.sidecar.dashboards -}} -{{- if and (.Values.grafana.sidecar.dashboards.enabled ) (eq (include "cost-analyzer.grafanaEnabled" .) "true") -}} +{{- if (((.Values.grafana).sidecar).dashboards).enabled -}} apiVersion: v1 kind: ConfigMap metadata: - name: cluster-utilization-dashboard + name: grafana-dashboard-cluster-utilization {{- if $.Values.grafana.namespace_dashboards }} namespace: {{ $.Values.grafana.namespace_dashboards }} {{- end }} @@ -17,11 +14,8 @@ metadata: grafana_dashboard: "1" {{- end }} annotations: -{{ toYaml .Values.grafana.sidecar.dashboards.annotations | indent 4 }} +{{- toYaml .Values.grafana.sidecar.dashboards.annotations | nindent 4 }} data: - cluster-utilization.json: |- -{{ .Files.Get "cluster-utilization.json" | indent 8 }} -{{- end -}} -{{- end -}} -{{- end -}} -{{- end -}} + cluster-utilization.json: |- +{{- .Files.Get "grafana-dashboards/cluster-utilization.json" | nindent 4 }} +{{- end -}} \ No newline at end of file diff --git a/charts/kubecost/cost-analyzer/templates/grafana-dashboard-deployment-utilization-template.yaml b/charts/kubecost/cost-analyzer/templates/grafana-dashboard-deployment-utilization-template.yaml index 7ce9c892a..f12d1095b 100644 --- a/charts/kubecost/cost-analyzer/templates/grafana-dashboard-deployment-utilization-template.yaml +++ b/charts/kubecost/cost-analyzer/templates/grafana-dashboard-deployment-utilization-template.yaml 
@@ -1,11 +1,8 @@ -{{- if .Values.grafana -}} -{{- if .Values.grafana.sidecar -}} -{{- if .Values.grafana.sidecar.dashboards -}} -{{- if and (.Values.grafana.sidecar.dashboards.enabled ) (eq (include "cost-analyzer.grafanaEnabled" .) "true") -}} +{{- if (((.Values.grafana).sidecar).dashboards).enabled -}} apiVersion: v1 kind: ConfigMap metadata: - name: deployment-utilization-dashboard + name: grafana-dashboard-deployment-utilization {{- if $.Values.grafana.namespace_dashboards }} namespace: {{ $.Values.grafana.namespace_dashboards }} {{- end }} @@ -17,11 +14,8 @@ metadata: grafana_dashboard: "1" {{- end }} annotations: -{{ toYaml .Values.grafana.sidecar.dashboards.annotations | indent 4 }} +{{- toYaml .Values.grafana.sidecar.dashboards.annotations | nindent 4 }} data: - deployment-utilization.json: |- -{{ .Files.Get "deployment-utilization.json" | indent 8 }} -{{- end -}} -{{- end -}} -{{- end -}} -{{- end -}} + deployment-utilization.json: |- +{{- .Files.Get "grafana-dashboards/deployment-utilization.json" | nindent 4 }} +{{- end -}} \ No newline at end of file diff --git a/charts/kubecost/cost-analyzer/templates/grafana-dashboard-kubernetes-resource-efficiency-template.yaml b/charts/kubecost/cost-analyzer/templates/grafana-dashboard-kubernetes-resource-efficiency-template.yaml index 2b0c16149..60ad32d43 100644 --- a/charts/kubecost/cost-analyzer/templates/grafana-dashboard-kubernetes-resource-efficiency-template.yaml +++ b/charts/kubecost/cost-analyzer/templates/grafana-dashboard-kubernetes-resource-efficiency-template.yaml @@ -1,7 +1,4 @@ -{{- if .Values.grafana -}} -{{- if .Values.grafana.sidecar -}} -{{- if .Values.grafana.sidecar.dashboards -}} -{{- if and (.Values.grafana.sidecar.dashboards.enabled ) (eq (include "cost-analyzer.grafanaEnabled" .) "true") -}} +{{- if (((.Values.grafana).sidecar).dashboards).enabled -}} apiVersion: v1 kind: ConfigMap metadata: 
@@ -17,11 +14,8 @@ metadata: grafana_dashboard: "1" {{- end }} annotations: -{{ toYaml .Values.grafana.sidecar.dashboards.annotations | indent 4 }} +{{- toYaml .Values.grafana.sidecar.dashboards.annotations | nindent 4 }} data: - kubernetes-resource-efficiency.json: |- -{{ .Files.Get "kubernetes-resource-efficiency.json" | indent 8 }} -{{- end -}} -{{- end -}} -{{- end -}} -{{- end -}} + kubernetes-resource-efficiency.json: |- +{{- .Files.Get "grafana-dashboards/kubernetes-resource-efficiency.json" | nindent 4 }} +{{- end -}} \ No newline at end of file diff --git a/charts/kubecost/cost-analyzer/templates/grafana-dashboard-label-cost-utilization-template.yaml b/charts/kubecost/cost-analyzer/templates/grafana-dashboard-label-cost-utilization-template.yaml index c9c4e79e0..e08092459 100644 --- a/charts/kubecost/cost-analyzer/templates/grafana-dashboard-label-cost-utilization-template.yaml +++ b/charts/kubecost/cost-analyzer/templates/grafana-dashboard-label-cost-utilization-template.yaml @@ -1,11 +1,8 @@ -{{- if .Values.grafana -}} -{{- if .Values.grafana.sidecar -}} -{{- if .Values.grafana.sidecar.dashboards -}} -{{- if and (.Values.grafana.sidecar.dashboards.enabled ) (eq (include "cost-analyzer.grafanaEnabled" .) "true") -}} +{{- if (((.Values.grafana).sidecar).dashboards).enabled -}} apiVersion: v1 kind: ConfigMap metadata: - name: label-cost-dashboard + name: grafana-dashboard-label-cost {{- if $.Values.grafana.namespace_dashboards }} namespace: {{ $.Values.grafana.namespace_dashboards }} {{- end }} 
@@ -17,11 +14,8 @@ metadata: grafana_dashboard: "1" {{- end }} annotations: -{{ toYaml .Values.grafana.sidecar.dashboards.annotations | indent 4 }} +{{- toYaml .Values.grafana.sidecar.dashboards.annotations | nindent 4 }} data: - label-cost-utilization.json: |- -{{ .Files.Get "label-cost-utilization.json" | indent 8 }} -{{- end -}} -{{- end -}} -{{- end -}} -{{- end -}} + label-cost-utilization.json: |- +{{- .Files.Get "grafana-dashboards/label-cost-utilization.json" | nindent 4 }} +{{- end -}} \ No newline at end of file diff --git a/charts/kubecost/cost-analyzer/templates/grafana-dashboard-namespace-utilization-template.yaml b/charts/kubecost/cost-analyzer/templates/grafana-dashboard-namespace-utilization-template.yaml index 76a2a4c89..f6d28686b 100644 --- a/charts/kubecost/cost-analyzer/templates/grafana-dashboard-namespace-utilization-template.yaml +++ b/charts/kubecost/cost-analyzer/templates/grafana-dashboard-namespace-utilization-template.yaml @@ -1,11 +1,8 @@ -{{- if .Values.grafana -}} -{{- if .Values.grafana.sidecar -}} -{{- if .Values.grafana.sidecar.dashboards -}} -{{- if and (.Values.grafana.sidecar.dashboards.enabled ) (eq (include "cost-analyzer.grafanaEnabled" .) "true") -}} +{{- if (((.Values.grafana).sidecar).dashboards).enabled -}} apiVersion: v1 kind: ConfigMap metadata: - name: namespace-utilization-dashboard + name: grafana-dashboard-namespace-utilization {{- if $.Values.grafana.namespace_dashboards }} namespace: {{ $.Values.grafana.namespace_dashboards }} {{- end }} 
@@ -17,11 +14,8 @@ metadata: grafana_dashboard: "1" {{- end }} annotations: -{{ toYaml .Values.grafana.sidecar.dashboards.annotations | indent 4 }} +{{- toYaml .Values.grafana.sidecar.dashboards.annotations | nindent 4 }} data: - namespace-utilization.json: |- -{{ .Files.Get "namespace-utilization.json" | indent 8 }} -{{- end -}} -{{- end -}} -{{- end -}} -{{- end -}} + namespace-utilization.json: |- +{{- .Files.Get "grafana-dashboards/namespace-utilization.json" | nindent 4 }} +{{- end -}} \ No newline at end of file diff --git a/charts/kubecost/cost-analyzer/templates/grafana-dashboard-network-cloud-sevices.yaml b/charts/kubecost/cost-analyzer/templates/grafana-dashboard-network-cloud-sevices.yaml new file mode 100644 index 000000000..af72b6664 --- /dev/null +++ b/charts/kubecost/cost-analyzer/templates/grafana-dashboard-network-cloud-sevices.yaml @@ -0,0 +1,21 @@ +{{- if (((.Values.grafana).sidecar).dashboards).enabled -}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: grafana-dashboard-network-cloud-services + {{- if $.Values.grafana.namespace_dashboards }} + namespace: {{ $.Values.grafana.namespace_dashboards }} + {{- end }} + labels: + {{ include "cost-analyzer.commonLabels" . | nindent 4 }} + {{- if $.Values.grafana.sidecar.dashboards.label }} + {{ $.Values.grafana.sidecar.dashboards.label }}: "{{ $.Values.grafana.sidecar.dashboards.labelValue }}" + {{- else }} + grafana_dashboard: "1" + {{- end }} + annotations: +{{- toYaml .Values.grafana.sidecar.dashboards.annotations | nindent 4 }} +data: + grafana-network-cloud-services.json: |- +{{- .Files.Get "grafana-dashboards/network-cloud-services.json" | nindent 4 }} +{{- end -}} \ No newline at end of file diff --git a/charts/kubecost/cost-analyzer/templates/grafana-dashboard-network-costs.yaml b/charts/kubecost/cost-analyzer/templates/grafana-dashboard-network-costs.yaml new file mode 100644 index 000000000..2e753745d --- /dev/null 
+++ b/charts/kubecost/cost-analyzer/templates/grafana-dashboard-network-costs.yaml @@ -0,0 +1,21 @@ +{{- if (((.Values.grafana).sidecar).dashboards).enabled -}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: grafana-dashboard-network-costs-metrics + {{- if $.Values.grafana.namespace_dashboards }} + namespace: {{ $.Values.grafana.namespace_dashboards }} + {{- end }} + labels: + {{ include "cost-analyzer.commonLabels" . | nindent 4 }} + {{- if $.Values.grafana.sidecar.dashboards.label }} + {{ $.Values.grafana.sidecar.dashboards.label }}: "{{ $.Values.grafana.sidecar.dashboards.labelValue }}" + {{- else }} + grafana_dashboard: "1" + {{- end }} + annotations: +{{- toYaml .Values.grafana.sidecar.dashboards.annotations | nindent 4 }} +data: + networkCosts-metrics.json: |- +{{- .Files.Get "grafana-dashboards/networkCosts-metrics.json" | nindent 4 }} +{{- end -}} \ No newline at end of file diff --git a/charts/kubecost/cost-analyzer/templates/grafana-dashboard-node-utilization-template.yaml b/charts/kubecost/cost-analyzer/templates/grafana-dashboard-node-utilization-template.yaml index b7d94e211..8f2998c25 100644 --- a/charts/kubecost/cost-analyzer/templates/grafana-dashboard-node-utilization-template.yaml +++ b/charts/kubecost/cost-analyzer/templates/grafana-dashboard-node-utilization-template.yaml @@ -1,11 +1,8 @@ -{{- if .Values.grafana -}} -{{- if .Values.grafana.sidecar -}} -{{- if .Values.grafana.sidecar.dashboards -}} -{{- if and (.Values.grafana.sidecar.dashboards.enabled ) (eq (include "cost-analyzer.grafanaEnabled" .) "true") -}} +{{- if (((.Values.grafana).sidecar).dashboards).enabled -}} apiVersion: v1 kind: ConfigMap metadata: - name: node-utilization-dashboard + name: grafana-dashboard-node-utilization {{- if $.Values.grafana.namespace_dashboards }} namespace: {{ $.Values.grafana.namespace_dashboards }} {{- end }} 
@@ -17,11 +14,8 @@ metadata: grafana_dashboard: "1" {{- end }} annotations: -{{ toYaml .Values.grafana.sidecar.dashboards.annotations | indent 4 }} +{{- toYaml .Values.grafana.sidecar.dashboards.annotations | nindent 4 }} data: - node-utilization.json: |- -{{ .Files.Get "node-utilization.json" | indent 8 }} -{{- end -}} -{{- end -}} -{{- end -}} -{{- end -}} + node-utilization.json: |- +{{- .Files.Get "grafana-dashboards/node-utilization.json" | nindent 4 }} +{{- end -}} \ No newline at end of file diff --git a/charts/kubecost/cost-analyzer/templates/grafana-pod-utilization-multi-cluster-template.yaml b/charts/kubecost/cost-analyzer/templates/grafana-dashboard-pod-utilization-multi-cluster.yaml similarity index 54% rename from charts/kubecost/cost-analyzer/templates/grafana-pod-utilization-multi-cluster-template.yaml rename to charts/kubecost/cost-analyzer/templates/grafana-dashboard-pod-utilization-multi-cluster.yaml index e74c75b05..7b8b6ae7a 100644 --- a/charts/kubecost/cost-analyzer/templates/grafana-pod-utilization-multi-cluster-template.yaml +++ b/charts/kubecost/cost-analyzer/templates/grafana-dashboard-pod-utilization-multi-cluster.yaml @@ -1,7 +1,4 @@ -{{- if .Values.grafana -}} -{{- if .Values.grafana.sidecar -}} -{{- if .Values.grafana.sidecar.dashboards -}} -{{- if and (.Values.grafana.sidecar.dashboards.enabled ) (eq (include "cost-analyzer.grafanaEnabled" .) "true") -}} +{{- if (((.Values.grafana).sidecar).dashboards).enabled -}} apiVersion: v1 kind: ConfigMap metadata: 
@@ -17,11 +14,8 @@ metadata: grafana_dashboard: "1" {{- end }} annotations: -{{ toYaml .Values.grafana.sidecar.dashboards.annotations | indent 4 }} +{{- toYaml .Values.grafana.sidecar.dashboards.annotations | nindent 4 }} data: - pod-utilization-multi-cluster.json: |- -{{ .Files.Get "pod-utilization-multi-cluster.json" | indent 8 }} -{{- end -}} -{{- end -}} -{{- end -}} -{{- end -}} + pod-utilization-multi-cluster.json: |- +{{- .Files.Get "grafana-dashboards/pod-utilization-multi-cluster.json" | nindent 4 }} +{{- end -}} \ No newline at end of file diff --git a/charts/kubecost/cost-analyzer/templates/grafana-dashboard-pod-utilization-template.yaml b/charts/kubecost/cost-analyzer/templates/grafana-dashboard-pod-utilization-template.yaml index 8bd3e0d34..04374ff43 100644 --- a/charts/kubecost/cost-analyzer/templates/grafana-dashboard-pod-utilization-template.yaml +++ b/charts/kubecost/cost-analyzer/templates/grafana-dashboard-pod-utilization-template.yaml @@ -1,11 +1,8 @@ -{{- if .Values.grafana -}} -{{- if .Values.grafana.sidecar -}} -{{- if .Values.grafana.sidecar.dashboards -}} -{{- if and (.Values.grafana.sidecar.dashboards.enabled ) (eq (include "cost-analyzer.grafanaEnabled" .) "true") -}} +{{- if (((.Values.grafana).sidecar).dashboards).enabled -}} apiVersion: v1 kind: ConfigMap metadata: - name: pod-utilization-dashboard + name: grafana-dashboard-pod-utilization {{- if $.Values.grafana.namespace_dashboards }} namespace: {{ $.Values.grafana.namespace_dashboards }} {{- end }} 
@@ -17,11 +14,8 @@ metadata: grafana_dashboard: "1" {{- end }} annotations: -{{ toYaml .Values.grafana.sidecar.dashboards.annotations | indent 4 }} +{{- toYaml .Values.grafana.sidecar.dashboards.annotations | nindent 4 }} data: - pod-utilization.json: |- -{{ .Files.Get "pod-utilization.json" | indent 8 }} -{{- end -}} -{{- end -}} -{{- end -}} -{{- end -}} + pod-utilization.json: |- +{{- .Files.Get "grafana-dashboards/pod-utilization.json" | nindent 4 }} +{{- end -}} \ No newline at end of file diff --git a/charts/kubecost/cost-analyzer/templates/grafana-dashboard-prometheus-metrics-template.yaml b/charts/kubecost/cost-analyzer/templates/grafana-dashboard-prometheus-metrics-template.yaml index 876221e43..723767c97 100644 --- a/charts/kubecost/cost-analyzer/templates/grafana-dashboard-prometheus-metrics-template.yaml +++ b/charts/kubecost/cost-analyzer/templates/grafana-dashboard-prometheus-metrics-template.yaml @@ -1,11 +1,8 @@ -{{- if .Values.grafana -}} -{{- if .Values.grafana.sidecar -}} -{{- if .Values.grafana.sidecar.dashboards -}} -{{- if and (.Values.grafana.sidecar.dashboards.enabled ) (eq (include "cost-analyzer.grafanaEnabled" .) "true") -}} +{{- if (((.Values.grafana).sidecar).dashboards).enabled -}} apiVersion: v1 kind: ConfigMap metadata: - name: prom-benchmark-dashboard + name: grafana-dashboard-prom-benchmark {{- if $.Values.grafana.namespace_dashboards }} namespace: {{ $.Values.grafana.namespace_dashboards }} {{- end }} @@ -17,11 +14,8 @@ metadata: grafana_dashboard: "1" {{- end }} annotations: -{{ toYaml .Values.grafana.sidecar.dashboards.annotations | indent 4 }} +{{- toYaml .Values.grafana.sidecar.dashboards.annotations | nindent 4 }} data: - prom-benchmark.json: |- -{{ .Files.Get "prom-benchmark.json" | indent 8 }} -{{- end -}} -{{- end -}} -{{- end -}} -{{- end -}} + prom-benchmark.json: |- +{{- .Files.Get "grafana-dashboards/prom-benchmark.json" | nindent 4 }} +{{- end -}} \ No newline at end of file 
diff --git a/charts/kubecost/cost-analyzer/templates/grafana-dashboard-workload-aggregator.yaml b/charts/kubecost/cost-analyzer/templates/grafana-dashboard-workload-aggregator.yaml new file mode 100644 index 000000000..40dfb558b --- /dev/null +++ b/charts/kubecost/cost-analyzer/templates/grafana-dashboard-workload-aggregator.yaml @@ -0,0 +1,21 @@ +{{- if (((.Values.grafana).sidecar).dashboards).enabled -}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: grafana-dashboard-workload-aggregator + {{- if $.Values.grafana.namespace_dashboards }} + namespace: {{ $.Values.grafana.namespace_dashboards }} + {{- end }} + labels: + {{ include "cost-analyzer.commonLabels" . | nindent 4 }} + {{- if $.Values.grafana.sidecar.dashboards.label }} + {{ $.Values.grafana.sidecar.dashboards.label }}: "{{ $.Values.grafana.sidecar.dashboards.labelValue }}" + {{- else }} + grafana_dashboard: "1" + {{- end }} + annotations: +{{- toYaml .Values.grafana.sidecar.dashboards.annotations | nindent 4 }} +data: + workload-metrics-aggregator.json: |- +{{- .Files.Get "grafana-dashboards/workload-metrics-aggregator.json" | nindent 4 }} +{{- end -}} \ No newline at end of file diff --git a/charts/kubecost/cost-analyzer/templates/grafana-dashboard-workload-metrics.yaml b/charts/kubecost/cost-analyzer/templates/grafana-dashboard-workload-metrics.yaml new file mode 100644 index 000000000..fa027dce7 --- /dev/null +++ b/charts/kubecost/cost-analyzer/templates/grafana-dashboard-workload-metrics.yaml 
@@ -0,0 +1,21 @@ +{{- if (((.Values.grafana).sidecar).dashboards).enabled -}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: grafana-dashboard-workload-metrics + {{- if $.Values.grafana.namespace_dashboards }} + namespace: {{ $.Values.grafana.namespace_dashboards }} + {{- end }} + labels: + {{ include "cost-analyzer.commonLabels" . | nindent 4 }} + {{- if $.Values.grafana.sidecar.dashboards.label }} + {{ $.Values.grafana.sidecar.dashboards.label }}: "{{ $.Values.grafana.sidecar.dashboards.labelValue }}" + {{- else }} + grafana_dashboard: "1" + {{- end }} + annotations: +{{- toYaml .Values.grafana.sidecar.dashboards.annotations | nindent 4 }} +data: + grafana-workload-metrics.json: |- +{{- .Files.Get "grafana-dashboards/workload-metrics.json" | nindent 4 }} +{{- end -}} \ No newline at end of file diff --git a/charts/kubecost/cost-analyzer/templates/grafana-dashboards-json-configmap.yaml b/charts/kubecost/cost-analyzer/templates/grafana-dashboards-json-configmap.yaml index c4ad251ce..b7ccb3cb5 100644 --- a/charts/kubecost/cost-analyzer/templates/grafana-dashboards-json-configmap.yaml +++ b/charts/kubecost/cost-analyzer/templates/grafana-dashboards-json-configmap.yaml @@ -6,7 +6,7 @@ apiVersion: v1 kind: ConfigMap metadata: name: {{ template "grafana.fullname" $ }}-dashboards-{{ $provider }} - namespace: {{ .Release.Namespace }} + namespace: {{ $.Release.Namespace }} labels: app: {{ template "grafana.name" $ }} release: {{ $.Release.Name }} diff --git a/charts/kubecost/cost-analyzer/templates/grafana-deployment.yaml b/charts/kubecost/cost-analyzer/templates/grafana-deployment.yaml index 4f11b6194..63598d6dd 100644 --- a/charts/kubecost/cost-analyzer/templates/grafana-deployment.yaml +++ b/charts/kubecost/cost-analyzer/templates/grafana-deployment.yaml 
@@ -8,6 +8,9 @@ metadata: app: {{ template "grafana.name" . }} release: {{ .Release.Name }} heritage: {{ .Release.Service }} + {{- with .Values.global.additionalLabels }} + {{- toYaml . | nindent 4 }} + {{- end }} {{- with .Values.grafana.annotations }} annotations: {{ toYaml . | indent 4 }} diff --git a/charts/kubecost/cost-analyzer/templates/grafana-networkcosts-metrics-template.yaml b/charts/kubecost/cost-analyzer/templates/grafana-networkcosts-metrics-template.yaml deleted file mode 100644 index 1dd36e393..000000000 --- a/charts/kubecost/cost-analyzer/templates/grafana-networkcosts-metrics-template.yaml +++ /dev/null @@ -1,27 +0,0 @@ -{{- if .Values.grafana -}} -{{- if .Values.grafana.sidecar -}} -{{- if .Values.grafana.sidecar.dashboards -}} -{{- if and (.Values.grafana.sidecar.dashboards.enabled ) (eq (include "cost-analyzer.grafanaEnabled" .) "true") -}} -apiVersion: v1 -kind: ConfigMap -metadata: - name: grafana-dashboard-networkcosts-metrics - {{- if $.Values.grafana.namespace_dashboards }} - namespace: {{ $.Values.grafana.namespace_dashboards }} - {{- end }} - labels: - {{ include "cost-analyzer.commonLabels" . | nindent 4 }} - {{- if $.Values.grafana.sidecar.dashboards.label }} - {{ $.Values.grafana.sidecar.dashboards.label }}: "{{ $.Values.grafana.sidecar.dashboards.labelValue }}" - {{- else }} - grafana_dashboard: "1" - {{- end }} - annotations: -{{ toYaml .Values.grafana.sidecar.dashboards.annotations | indent 4 }} -data: - networkCosts-metrics.json: |- -{{ .Files.Get "networkCosts-metrics.json" | indent 8 }} -{{- end -}} -{{- end -}} -{{- end -}} -{{- end -}} diff --git a/charts/kubecost/cost-analyzer/templates/integrations-postgres-queries-configmap.yaml b/charts/kubecost/cost-analyzer/templates/integrations-postgres-queries-configmap.yaml new file mode 100644 index 000000000..5e0af3e00 --- /dev/null +++ b/charts/kubecost/cost-analyzer/templates/integrations-postgres-queries-configmap.yaml 
@@ -0,0 +1,14 @@ +{{- if .Values.global.integrations.postgres.enabled }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: kubecost-integrations-postgres-queries + namespace: {{ .Release.Namespace }} + labels: + {{ include "cost-analyzer.commonLabels" . | nindent 4 }} +data: + kubecost-queries.json: |- + {{- with .Values.global.integrations.postgres.queryConfigs }} + {{- . | toJson | nindent 6 }} + {{- end }} +{{- end }} diff --git a/charts/kubecost/cost-analyzer/templates/integrations-postgres-secret.yaml b/charts/kubecost/cost-analyzer/templates/integrations-postgres-secret.yaml new file mode 100644 index 000000000..136ab6016 --- /dev/null +++ b/charts/kubecost/cost-analyzer/templates/integrations-postgres-secret.yaml @@ -0,0 +1,19 @@ +{{- if and (.Values.global.integrations.postgres.enabled) (eq .Values.global.integrations.postgres.databaseSecretName "") }} +apiVersion: v1 +kind: Secret +metadata: + name: kubecost-integrations-postgres + namespace: {{ .Release.Namespace }} + labels: + {{ include "cost-analyzer.commonLabels" . | nindent 4 }} +type: Opaque +stringData: + creds.json: |- + { + "host": "{{ .Values.global.integrations.postgres.databaseHost }}", + "port": "{{ .Values.global.integrations.postgres.databasePort }}", + "databaseName": "{{ .Values.global.integrations.postgres.databaseName }}", + "user": "{{ .Values.global.integrations.postgres.databaseUser }}", + "password": "{{ .Values.global.integrations.postgres.databasePassword }}" + } +{{- end }} diff --git a/charts/kubecost/cost-analyzer/templates/kubecost-metrics-deployment-template.yaml b/charts/kubecost/cost-analyzer/templates/kubecost-metrics-deployment-template.yaml index 5b2990d49..e93ae0f0d 100644 --- a/charts/kubecost/cost-analyzer/templates/kubecost-metrics-deployment-template.yaml +++ b/charts/kubecost/cost-analyzer/templates/kubecost-metrics-deployment-template.yaml 
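Review bot: In the new integrations-postgres-secret.yaml, the credential values are interpolated raw inside a hand-written JSON literal, so a `databasePassword` (or user or host) containing `"` or `\` produces malformed `creds.json` that the consumer cannot parse, and passwords with such characters are common. Rendering each field through `toJson` gives correct quoting and escaping, e.g. `"user": {{ .Values.global.integrations.postgres.databaseUser | toJson }},` and `"password": {{ .Values.global.integrations.postgres.databasePassword | toJson }}`, with the same treatment for `host`, `port` and `databaseName`. The queries ConfigMap in the preceding hunk already takes that route with `{{- . | toJson | nindent 6 }}`, so this would make the two templates consistent.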
@@ -9,6 +9,9 @@ metadata: labels: {{ unset (include "cost-analyzer.commonLabels" . | fromYaml) "app" | toYaml | nindent 4 }} app: {{ template "kubecost.kubeMetricsName" . }} + {{- with .Values.global.additionalLabels }} + {{- toYaml . | nindent 4 }} + {{- end }} {{- with .Values.kubecostMetrics.exporter.labels }} {{ toYaml . | indent 4 }} {{- end }} diff --git a/charts/kubecost/cost-analyzer/templates/mimir-proxy-deployment-template.yaml b/charts/kubecost/cost-analyzer/templates/mimir-proxy-deployment-template.yaml index 5319dc9df..cbe8519b4 100644 --- a/charts/kubecost/cost-analyzer/templates/mimir-proxy-deployment-template.yaml +++ b/charts/kubecost/cost-analyzer/templates/mimir-proxy-deployment-template.yaml @@ -7,6 +7,9 @@ metadata: namespace: {{ .Release.Namespace }} labels: app: mimir-proxy + {{- with .Values.global.additionalLabels }} + {{- toYaml . | nindent 4 }} + {{- end }} spec: replicas: 1 selector: @@ -16,6 +19,9 @@ spec: metadata: labels: app: mimir-proxy + {{- with .Values.global.additionalLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} spec: containers: - name: {{ .Values.global.mimirProxy.name }} diff --git a/charts/kubecost/cost-analyzer/templates/network-costs-servicemonitor-template.yaml b/charts/kubecost/cost-analyzer/templates/network-costs-servicemonitor-template.yaml index 3f952bdca..3cef9547d 100644 --- a/charts/kubecost/cost-analyzer/templates/network-costs-servicemonitor-template.yaml +++ b/charts/kubecost/cost-analyzer/templates/network-costs-servicemonitor-template.yaml @@ -13,7 +13,7 @@ spec: endpoints: - port: metrics honorLabels: true - interval: 1m + interval: {{ .Values.serviceMonitor.networkCosts.interval }} scrapeTimeout: {{ .Values.serviceMonitor.networkCosts.scrapeTimeout }} path: /metrics scheme: http diff --git a/charts/kubecost/cost-analyzer/templates/plugins-config.yaml b/charts/kubecost/cost-analyzer/templates/plugins-config.yaml index 5cc312e8a..bd939ac1e 100644 
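Review bot: In the network-costs-servicemonitor-template.yaml hunk, `interval: 1m` becomes `interval: {{ .Values.serviceMonitor.networkCosts.interval }}`, but no hunk in this diff adds `serviceMonitor.networkCosts.interval` to values.yaml, so unless it is defined elsewhere the field renders empty and the ServiceMonitor is rejected on apply. Keeping the previous value as a fallback preserves existing installs: `interval: {{ .Values.serviceMonitor.networkCosts.interval | default "1m" }}`. The neighbouring `scrapeTimeout` already comes from values, so a documented default for `interval` next to it in the serviceMonitor section of values.yaml would round this out.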
--- a/charts/kubecost/cost-analyzer/templates/plugins-config.yaml +++ b/charts/kubecost/cost-analyzer/templates/plugins-config.yaml @@ -1,8 +1,8 @@ -{{- if .Values.kubecostModel.plugins.enabled }} +{{- if and (not .Values.kubecostModel.plugins.existingCustomSecret.enabled) .Values.kubecostModel.plugins.enabled }} apiVersion: v1 kind: Secret metadata: - name: {{ .Values.kubecostModel.plugins.configSecret }} + name: {{ .Values.kubecostModel.plugins.secretName }} labels: {{ include "cost-analyzer.commonLabels" . | nindent 4 }} data: @@ -11,4 +11,3 @@ data: {{ $config | b64enc | indent 4}} {{- end }} {{- end }} - diff --git a/charts/kubecost/cost-analyzer/templates/prometheus-alertmanager-deployment.yaml b/charts/kubecost/cost-analyzer/templates/prometheus-alertmanager-deployment.yaml index 9520cd2df..b3af15532 100644 --- a/charts/kubecost/cost-analyzer/templates/prometheus-alertmanager-deployment.yaml +++ b/charts/kubecost/cost-analyzer/templates/prometheus-alertmanager-deployment.yaml @@ -5,6 +5,9 @@ kind: Deployment metadata: labels: {{- include "prometheus.alertmanager.labels" . | nindent 4 }} + {{- with .Values.global.additionalLabels }} + {{- toYaml . | nindent 4 }} + {{- end }} name: {{ template "prometheus.alertmanager.fullname" . }} namespace: {{ .Release.Namespace }} spec: @@ -24,6 +27,9 @@ spec: {{- end }} labels: {{- include "prometheus.alertmanager.labels" . | nindent 8 }} + {{- with .Values.global.additionalLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} {{- if .Values.prometheus.alertmanager.podLabels}} {{ toYaml .Values.prometheus.alertmanager.podLabels | nindent 8 }} {{- end}} diff --git a/charts/kubecost/cost-analyzer/templates/prometheus-node-exporter-daemonset.yaml b/charts/kubecost/cost-analyzer/templates/prometheus-node-exporter-daemonset.yaml index 14f3f6703..3529d6bdd 100644 --- a/charts/kubecost/cost-analyzer/templates/prometheus-node-exporter-daemonset.yaml 
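Review bot: plugins-config.yaml now reads `.Values.kubecostModel.plugins.secretName` where it previously read `.configSecret`, and the values.yaml hunk that introduces `existingCustomSecret` and `secretName` removes `configSecret` without a fallback, so an existing values file that sets `configSecret: my-secret` will silently render the Secret under the default name `kubecost-plugin-secret` on upgrade. A guard at the top of the template such as `{{- if .Values.kubecostModel.plugins.configSecret }}{{ fail "kubecostModel.plugins.configSecret was renamed to kubecostModel.plugins.secretName" }}{{- end }}` makes the rename visible at upgrade time rather than at runtime. The deployment that mounts this Secret is not in this diff, so I cannot confirm it was switched to the new key as well.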
+++ b/charts/kubecost/cost-analyzer/templates/prometheus-node-exporter-daemonset.yaml @@ -9,6 +9,9 @@ metadata: {{- end }} labels: {{- include "prometheus.nodeExporter.labels" . | nindent 4 }} + {{- with .Values.global.additionalLabels }} + {{- toYaml . | nindent 4 }} + {{- end }} name: {{ template "prometheus.nodeExporter.fullname" . }} namespace: {{ .Release.Namespace }} spec: @@ -27,6 +30,9 @@ spec: {{- end }} labels: {{- include "prometheus.nodeExporter.labels" . | nindent 8 }} + {{- with .Values.global.additionalLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} {{- if .Values.prometheus.nodeExporter.pod.labels }} {{ toYaml .Values.prometheus.nodeExporter.pod.labels | indent 8 }} {{- end }} diff --git a/charts/kubecost/cost-analyzer/templates/prometheus-node-exporter-service.yaml b/charts/kubecost/cost-analyzer/templates/prometheus-node-exporter-service.yaml index 1ef342d0e..9b8167e8d 100644 --- a/charts/kubecost/cost-analyzer/templates/prometheus-node-exporter-service.yaml +++ b/charts/kubecost/cost-analyzer/templates/prometheus-node-exporter-service.yaml @@ -32,7 +32,7 @@ spec: {{- end }} {{- end }} ports: - - name: metrics + - name: tcp-metrics port: {{ .Values.prometheus.nodeExporter.service.servicePort }} protocol: TCP {{- if .Values.prometheus.nodeExporter.hostNetwork }} diff --git a/charts/kubecost/cost-analyzer/templates/prometheus-pushgateway-deployment.yaml b/charts/kubecost/cost-analyzer/templates/prometheus-pushgateway-deployment.yaml index 18c0630a6..072c028d1 100644 --- a/charts/kubecost/cost-analyzer/templates/prometheus-pushgateway-deployment.yaml +++ b/charts/kubecost/cost-analyzer/templates/prometheus-pushgateway-deployment.yaml @@ -5,6 +5,9 @@ kind: Deployment metadata: labels: {{- include "prometheus.pushgateway.labels" . | nindent 4 }} + {{- with .Values.global.additionalLabels }} + {{- toYaml . | nindent 4 }} + {{- end }} name: {{ template "prometheus.pushgateway.fullname" . }} namespace: {{ .Release.Namespace }} spec: 
@@ -27,6 +30,9 @@ spec: {{- end }} labels: {{- include "prometheus.pushgateway.labels" . | nindent 8 }} + {{- with .Values.global.additionalLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} spec: serviceAccountName: {{ template "prometheus.serviceAccountName.pushgateway" . }} {{- if .Values.prometheus.pushgateway.priorityClassName }} diff --git a/charts/kubecost/cost-analyzer/templates/prometheus-server-deployment.yaml b/charts/kubecost/cost-analyzer/templates/prometheus-server-deployment.yaml index 38061f16d..8f2d60d3e 100644 --- a/charts/kubecost/cost-analyzer/templates/prometheus-server-deployment.yaml +++ b/charts/kubecost/cost-analyzer/templates/prometheus-server-deployment.yaml @@ -10,6 +10,9 @@ metadata: {{- end }} labels: {{- include "prometheus.server.labels" . | nindent 4 }} + {{- with .Values.global.additionalLabels }} + {{- toYaml . | nindent 4 }} + {{- end }} name: {{ template "prometheus.server.fullname" . }} namespace: {{ .Release.Namespace }} spec: @@ -35,6 +38,9 @@ spec: helm-rollout-restarter: {{ randAlphaNum 5 | quote }} {{- end }} {{- include "prometheus.server.labels" . | nindent 8 }} + {{- with .Values.global.additionalLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} {{- if .Values.prometheus.server.podLabels}} {{ toYaml .Values.prometheus.server.podLabels | nindent 8 }} {{- end}} diff --git a/charts/kubecost/cost-analyzer/templates/prometheus-server-statefulset.yaml b/charts/kubecost/cost-analyzer/templates/prometheus-server-statefulset.yaml index dc90334c6..aba286811 100644 --- a/charts/kubecost/cost-analyzer/templates/prometheus-server-statefulset.yaml +++ b/charts/kubecost/cost-analyzer/templates/prometheus-server-statefulset.yaml 
@@ -10,6 +10,9 @@ metadata: {{- end }} labels: {{- include "prometheus.server.labels" . | nindent 4 }} + {{- with .Values.global.additionalLabels }} + {{- toYaml . | nindent 4 }} + {{- end }} {{- if .Values.prometheus.server.statefulSet.labels}} {{ toYaml .Values.prometheus.server.statefulSet.labels | nindent 4 }} {{- end}} @@ -30,6 +33,9 @@ spec: {{- end }} labels: {{- include "prometheus.server.labels" . | nindent 8 }} + {{- with .Values.global.additionalLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} {{- if .Values.prometheus.server.statefulSet.labels}} {{ toYaml .Values.prometheus.server.statefulSet.labels | nindent 8 }} {{- end}} diff --git a/charts/kubecost/cost-analyzer/values-eks-cost-monitoring.yaml b/charts/kubecost/cost-analyzer/values-eks-cost-monitoring.yaml index fc128fcde..f8619429a 100644 --- a/charts/kubecost/cost-analyzer/values-eks-cost-monitoring.yaml +++ b/charts/kubecost/cost-analyzer/values-eks-cost-monitoring.yaml 
@@ -1,192 +1,43 @@ +# grafana is disabled by default, but can be enabled by setting the following values. +# or proxy to an existing grafana: https://docs.kubecost.com/install-and-configure/advanced-configuration/custom-grafana global: grafana: enabled: false proxy: false - -pricingCsv: - enabled: false - location: - provider: "AWS" - region: "us-east-1" - URI: s3://kc-csv-test/pricing_schema.csv # a valid file URI - csvAccessCredentials: pricing-schema-access-secret - -nodeSelector: {} - -tolerations: [] -# - key: "key" -# operator: "Equal|Exists" -# value: "value" -# effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)" - -affinity: {} - -# If true, creates a PriorityClass to be used by the cost-analyzer pod -priority: - enabled: false - # value: 1000000 - -# If true, enable creation of NetworkPolicy resources. -networkPolicy: - enabled: false - -# Enable this flag if you need to install with specific image tags -# imageVersion: prod-1.97.0 +# grafana: +# image: +# repository: YOUR_REGISTRY/grafana +# sidecar: +# image: +# repository: YOUR_REGISTRY/k8s-sidecar kubecostFrontend: image: public.ecr.aws/kubecost/frontend - imagePullPolicy: Always - resources: - requests: - cpu: "10m" - memory: "55Mi" - #limits: - # cpu: "100m" - # memory: "256Mi" kubecostModel: image: public.ecr.aws/kubecost/cost-model - imagePullPolicy: Always - warmCache: true - etl: true - # The total number of days the ETL pipelines will build - # Set to 0 to disable daily ETL (not recommended) - etlDailyStoreDurationDays: 120 - maxQueryConcurrency: 5 - # utcOffset represents a timezone in hours and minutes east (+) or west (-) - # of UTC, itself, which is defined as +00:00. 
- # See the tz database of timezones to look up your local UTC offset: - # https://en.wikipedia.org/wiki/List_of_tz_database_time_zones - utcOffset: "+00:00" - resources: - requests: - cpu: "200m" - memory: "55Mi" - #limits: - # cpu: "800m" - # memory: "256Mi" forecasting: - fullImageName: public.ecr.aws/kubecost/kubecost-modeling:v0.1.6 + fullImageName: public.ecr.aws/kubecost/kubecost-modeling:v0.1.12 networkCosts: - enabled: false image: repository: public.ecr.aws/kubecost/kubecost-network-costs - tag: v0.17.3 clusterController: - enabled: false image: repository: public.ecr.aws/kubecost/cluster-controller - tag: v0.15.2 - -serviceAccount: - create: true # Set this to false if you're bringing your own service account. - annotations: {} - # name: kc-test - -# Define persistence volume for cost-analyzer -persistentVolume: - size: 32Gi - dbSize: 32.0Gi - enabled: true # Note that setting this to false means configurations will be wiped out on pod restart. - # storageClass: "-" # - # existingClaim: kubecost-cost-analyzer # a claim in the same namespace as kubecost - -ingress: - enabled: false - # className: nginx - annotations: - kubernetes.io/ingress.class: nginx - # kubernetes.io/tls-acme: "true" - paths: ["/"] # There's no need to route specifically to the pods-- we have an nginx deployed that handles routing - hosts: - - cost-analyzer.local - tls: [] - # - secretName: cost-analyzer-tls - # hosts: - # - cost-analyzer.local - -service: - type: ClusterIP - port: 9090 - targetPort: 9090 - # nodePort: - labels: {} - annotations: {} prometheus: server: - # If clusterIDConfigmap is defined, instead use user-generated configmap with key CLUSTER_ID - # to use as unique cluster ID in kubecost cost-analyzer deployment. - # This overrides the cluster_id set in prometheus.server.global.external_labels. - # NOTE: This does not affect the external_labels set in prometheus config. 
- # clusterIDConfigmap: cluster-id-configmap image: repository: public.ecr.aws/kubecost/prometheus - tag: v2.50.1 - resources: {} - # limits: - # cpu: 500m - # memory: 512Mi - # requests: - # cpu: 500m - # memory: 512Mi - global: - scrape_interval: 1m - scrape_timeout: 60s - evaluation_interval: 1m - external_labels: - cluster_id: cluster-one # Each cluster should have a unique ID - persistentVolume: - size: 32Gi - enabled: true - extraArgs: - query.max-concurrency: 1 - query.max-samples: 100000000 - tolerations: [] - # - key: "key" - # operator: "Equal|Exists" - # value: "value" - # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)" configmapReload: prometheus: - - ## If false, the configmap-reload container will not be deployed - enabled: false - - ## configmap-reload container name - name: configmap-reload - - ## configmap-reload container image image: repository: public.ecr.aws/kubecost/prometheus-config-reloader - tag: v0.71.2 - pullPolicy: IfNotPresent - - ## Additional configmap-reload container arguments - extraArgs: {} - - ## Additional configmap-reload volume directories - extraVolumeDirs: [] - - ## Additional configmap-reload mounts - extraConfigmapMounts: [] - # - name: prometheus-alerts - # mountPath: /etc/alerts.d - # subPath: "" - # configMap: prometheus-alerts - # readOnly: true - ## configmap-reload resource requests and limits - ## Ref: http://kubernetes.io/docs/user-guide/compute-resources/ - ## - resources: {} - - nodeExporter: - enabled: false - reporting: productAnalytics: false + diff --git a/charts/kubecost/cost-analyzer/values.yaml b/charts/kubecost/cost-analyzer/values.yaml index 197f107cf..16a477875 100644 --- a/charts/kubecost/cost-analyzer/values.yaml +++ b/charts/kubecost/cost-analyzer/values.yaml 
@@ -1,7 +1,7 @@ global: # zone: cluster.local (use only if your DNS server doesn't live in the same zone as kubecost) prometheus: - enabled: true # If false, Prometheus will not be installed -- Warning: Before changing this setting, please read to understand this setting https://docs.kubecost.com/install-and-configure/install/custom-prom + enabled: true # Kubecost depends on Prometheus data, it is not optional. When enabled: false, Prometheus will not be installed and you must configure your own Prometheus to scrape kubecost as well as provide the fqdn below. -- Warning: Before changing this setting, please read to understand the risks https://docs.kubecost.com/install-and-configure/install/custom-prom fqdn: http://cost-analyzer-prometheus-server.default.svc # example address of a prometheus to connect to. Include protocol (http:// or https://) Ignored if enabled: true # insecureSkipVerify: false # If true, kubecost will not check the TLS cert of prometheus # queryServiceBasicAuthSecretName: dbsecret # kubectl create secret generic dbsecret -n kubecost --from-file=USERNAME --from-file=PASSWORD @@ -30,7 +30,7 @@ global: gmpProxy: enabled: false image: gke.gcr.io/prometheus-engine/frontend:v0.4.1-gke.0 # GMP Prometheus proxy image that serve as an endpoint to query metrics from GMP - imagePullPolicy: Always + imagePullPolicy: IfNotPresent name: gmp-proxy port: 8085 projectId: YOUR_PROJECT_ID # example GCP project ID 
@@ -141,9 +141,9 @@ global: idle: "separate" rate: "cumulative" accumulate: false # daily resolution - filters: # Ref: https://docs.kubecost.com/apis/apis-overview/filters-api - - key: "cluster" # Ref: https://docs.kubecost.com/apis/apis-overview/filters-api#allocation-apis-request-sizing-v2-api - operator: ":" # Ref: https://docs.kubecost.com/apis/apis-overview/filters-api#filter-operators + filters: # Ref: https://docs.kubecost.com/apis/filters-api + - key: "cluster" # Ref: https://docs.kubecost.com/apis/filters-api#allocation-apis-request-sizing-v2-api + operator: ":" # Ref: https://docs.kubecost.com/apis/filters-api#filter-operators value: "dev" - title: "Example Saved Report 1" window: "month" @@ -152,9 +152,9 @@ global: idle: "share" rate: "monthly" accumulate: false - filters: # Ref: https://docs.kubecost.com/apis/apis-overview/filters-api - - key: "namespace" # Ref: https://docs.kubecost.com/apis/apis-overview/filters-api#allocation-apis-request-sizing-v2-api - operator: "!:" # Ref: https://docs.kubecost.com/apis/apis-overview/filters-api#filter-operators + filters: # Ref: https://docs.kubecost.com/apis/filters-api + - key: "namespace" # Ref: https://docs.kubecost.com/apis/filters-api#allocation-apis-request-sizing-v2-api + operator: "!:" # Ref: https://docs.kubecost.com/apis/filters-api#filter-operators value: "kubecost" - title: "Example Saved Report 2" window: "2020-11-11T00:00:00Z,2020-12-09T23:59:59Z" 
@@ -186,9 +186,9 @@ global: - title: "Example Advanced Report 0" window: "7d" aggregateBy: "namespace" - filters: # same as allocation api filters Ref: https://docs.kubecost.com/apis/apis-overview/filters-api - - key: "cluster" # Ref: https://docs.kubecost.com/apis/apis-overview/filters-api#allocation-apis-request-sizing-v2-api - operator: ":" # Ref: https://docs.kubecost.com/apis/apis-overview/filters-api#filter-operators + filters: # same as allocation api filters Ref: https://docs.kubecost.com/apis/filters-api + - key: "cluster" # Ref: https://docs.kubecost.com/apis/filters-api#allocation-apis-request-sizing-v2-api + operator: ":" # Ref: https://docs.kubecost.com/apis/filters-api#filter-operators value: "dev" cloudBreakdown: "service" cloudJoin: "label:kubernetes_namespace" @@ -208,6 +208,8 @@ global: podAnnotations: {} # iam.amazonaws.com/role: role-arn + + # Applies these labels to all Deployments, StatefulSets, DaemonSets, and their pod templates. additionalLabels: {} securityContext: 
@@ -249,6 +251,48 @@ global: enabled: false # Set to true when using affected CI/CD tools for access to the below configuration options. skipSanityChecks: false # If true, skip all sanity/existence checks for resources like Secrets. + ## Kubecost Integrations + ## Ref: https://docs.kubecost.com/integrations + ## + integrations: + postgres: + enabled: false + runInterval: "12h" # How frequently to run the integration. + databaseHost: "" # REQUIRED. ex: my.postgres.database.azure.com + databasePort: "" # REQUIRED. ex: 5432 + databaseName: "" # REQUIRED. ex: postgres + databaseUser: "" # REQUIRED. ex: myusername + databasePassword: "" # REQUIRED. ex: mypassword + databaseSecretName: "" # OPTIONAL. Specify your own k8s secret containing the above credentials. Must have key "creds.json". + + ## Configure what Postgres table to write to, and what parameters to pass + ## when querying Kubecost's APIs. Ensure all parameters are enclosed in + ## quotes. Ref: https://docs.kubecost.com/apis/apis-overview + queryConfigs: + allocations: [] + # - databaseTable: "kubecost_allocation_data" + # window: "7d" + # aggregate: "namespace" + # idle: "true" + # shareIdle: "true" + # shareNamespaces: "kubecost,kube-system" + # shareLabels: "" + # - databaseTable: "kubecost_allocation_data_by_cluster" + # window: "10d" + # aggregate: "cluster" + # idle: "true" + # shareIdle: "false" + # shareNamespaces: "" + # shareLabels: "" + assets: [] + # - databaseTable: "kubecost_assets_data" + # window: "7d" + # aggregate: "cluster" + cloudCosts: [] + # - databaseTable: "kubecost_cloudcosts_data" + # window: "7d" + # aggregate: "service" + ## Provide a name override for the chart. # nameOverride: "" ## Provide a full name override option for the chart. 
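Review bot: The comments on the new `integrations.postgres` block mark `databaseHost` through `databasePassword` as `REQUIRED`, but the Secret template added in this same change renders them only when `databaseSecretName` is empty, so they are required only in that mode and the `databaseSecretName` comment should say it replaces the five inline fields rather than supplementing them. A `databasePassword` given here is also recorded in the release's stored values (visible via `helm get values`) in addition to the generated Secret, which is worth stating so operators reach for `databaseSecretName` outside evaluation setups. A comment along the lines of `databasePassword: "" # REQUIRED unless databaseSecretName is set. Kept in the release's stored values; prefer databaseSecretName in production.` covers both points.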
@@ -371,7 +415,7 @@ kubecostFrontend: deployMethod: singlepod # haMode or singlepod - haMode is currently only supported with Enterprise tier haReplicas: 2 # only used with haMode image: "gcr.io/kubecost1/frontend" - imagePullPolicy: Always + imagePullPolicy: IfNotPresent # fullImageName overrides the default image construction logic. The exact # image provided (registry, image, tag) will be used for the frontend. # fullImageName: @@ -488,7 +532,7 @@ kubecostMetrics: sigV4Proxy: image: public.ecr.aws/aws-observability/aws-sigv4-proxy:latest - imagePullPolicy: Always + imagePullPolicy: IfNotPresent name: aps port: 8005 region: us-west-2 # The AWS region @@ -504,7 +548,7 @@ sigV4Proxy: kubecostModel: image: "gcr.io/kubecost1/cost-model" - imagePullPolicy: Always + imagePullPolicy: IfNotPresent # fullImageName overrides the default image construction logic. The exact # image provided (registry, image, tag) will be used for cost-model. # fullImageName: @@ -514,9 +558,6 @@ kubecostModel: # value: "some_value" # securityContext: # readOnlyRootFilesystem: true - # Enables the emission of the kubecost_cloud_credit_total and - # kubecost_cloud_expense_total metrics - outOfClusterPromMetricsEnabled: false # Build local cost allocation cache warmCache: false # Run allocation ETL pipelines @@ -570,7 +611,11 @@ kubecostModel: # - datadog # pre-existing secret for plugin configuration - configSecret: kubecost-plugin-secret + existingCustomSecret: + enabled: false + name: "" # name of the secret containing plugin config + + secretName: kubecost-plugin-secret # uncomment this to define plugin configuration via the values file # configs: 
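Review bot: In the `sigV4Proxy` hunk, `imagePullPolicy` moves to `IfNotPresent` while the image stays on the floating tag `public.ecr.aws/aws-observability/aws-sigv4-proxy:latest`, so each node keeps whatever `latest` it cached first and a fleet drifts between nodes with no way to roll forward short of evicting the image. The other `IfNotPresent` switches in this commit sit on pinned tags and are fine; this one should either pin a tag or digest, e.g. `image: public.ecr.aws/aws-observability/aws-sigv4-proxy:<pinned-tag>` (placeholder, I am not asserting a version), or keep `Always` until it is pinned.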
@@ -581,16 +626,6 @@ kubecostModel: # "datadog_app_key": "" # } - ## Feature to view your out-of-cluster costs and their k8s utilization - ## Ref: https://docs.kubecost.com/using-kubecost/navigating-the-kubecost-ui/cloud-costs-explorer - cloudCost: - # enabled: true # this logic is always enabled if cloud billing integration is configured. This option is no longer configurable. - labelList: - IsIncludeList: false - # format labels as comma separated string (ex. "label1,label2,label3") - labels: "" - topNItems: 1000 - allocation: # Enables or disables adding node labels to allocation data (i.e. workloads). # Defaults to "true" and starts with a sensible includeList for basics like @@ -677,10 +712,10 @@ etlUtils: resources: {} env: {} nodeSelector: {} - tolerations: {} + tolerations: [] affinity: {} -# Basic Kubecost ingress, more examples available at https://github.com/kubecost/docs/blob/main/ingress-examples.md +# Basic Kubecost ingress, more examples available at https://docs.kubecost.com/install-and-configure/install/ingress-examples ingress: enabled: false # className: nginx @@ -840,6 +875,20 @@ prometheus: - source_labels: [__meta_kubernetes_pod_label_app_kubernetes_io_name] action: keep regex: network-costs + - job_name: kubecost-aggregator + scrape_interval: 1m + scrape_timeout: 60s + metrics_path: /metrics + scheme: http + dns_sd_configs: + - names: + - {{ template "aggregator.serviceName" . }} + type: 'A' + {{- if or .Values.saml.enabled .Values.oidc.enabled }} + port: 9008 + {{- else }} + port: 9004 + {{- end }} server: # If clusterIDConfigmap is defined, instead use user-generated configmap with key CLUSTER_ID # to use as unique cluster ID in kubecost cost-analyzer deployment. @@ -863,7 +912,7 @@ prometheus: ## image: repository: quay.io/prometheus/prometheus - tag: v2.50.1 + tag: v2.52.0 pullPolicy: IfNotPresent ## prometheus server priorityClassName 
@@ -1560,7 +1609,7 @@ prometheus: ## image: repository: quay.io/prometheus-operator/prometheus-config-reloader - tag: v0.72.0 + tag: v0.74.0 pullPolicy: IfNotPresent ## Additional configmap-reload container arguments @@ -1600,7 +1649,7 @@ prometheus: ## image: repository: quay.io/prometheus-operator/prometheus-config-reloader - tag: v0.72.0 + tag: v0.74.0 pullPolicy: IfNotPresent ## Additional configmap-reload container arguments @@ -1656,7 +1705,7 @@ prometheus: ## image: repository: prom/node-exporter - tag: v1.7.0 + tag: v1.8.0 pullPolicy: IfNotPresent ## node-exporter priorityClassName @@ -1783,7 +1832,7 @@ prometheus: ## image: repository: prom/pushgateway - tag: v1.6.2 + tag: v1.8.0 pullPolicy: IfNotPresent ## pushgateway priorityClassName @@ -2201,17 +2250,18 @@ prometheus: enabled: false -## Module for measuring network costs -## Ref: https://github.com/kubecost/docs/blob/main/network-allocation.md +## Optional daemonset to more accurately attribute network costs to the correct workload +## https://docs.kubecost.com/install-and-configure/advanced-configuration/network-costs-configuration networkCosts: enabled: false image: repository: gcr.io/kubecost1/kubecost-network-costs tag: v0.17.3 - imagePullPolicy: Always + imagePullPolicy: IfNotPresent updateStrategy: type: RollingUpdate - # For existing Prometheus Installs, annotates the Service which generates Endpoints for each of the network-costs pods. + # For existing Prometheus Installs, use the serviceMonitor: or prometheusScrape below. + # the below setting annotates the networkCost service endpoints for each of the network-costs pods. # The Service is annotated with prometheus.io/scrape: "true" to automatically get picked up by the prometheus config. # NOTE: Setting this option to true and leaving the above extraScrapeConfig "job_name: kubecost-networking" configured will cause the # NOTE: pods to be scraped twice. 
@@ -2280,13 +2330,13 @@ networkCosts: services: # google-cloud-services: when set to true, enables labeling traffic metrics with google cloud # service endpoints - google-cloud-services: false + google-cloud-services: true # amazon-web-services: when set to true, enables labeling traffic metrics with amazon web service # endpoints. - amazon-web-services: false + amazon-web-services: true # azure-cloud-services: when set to true, enables labeling traffic metrics with azure cloud service # endpoints - azure-cloud-services: false + azure-cloud-services: true # user defined services provide a way to define custom service endpoints which will label traffic metrics # falling within the defined address range. # services: @@ -2364,7 +2414,8 @@ forecasting: # image provided (registry, image, tag) will be used for the forecasting # container. # Example: fullImageName: gcr.io/kubecost1/forecasting:v0.0.1 - fullImageName: gcr.io/kubecost1/kubecost-modeling:v0.1.6 + fullImageName: gcr.io/kubecost1/kubecost-modeling:v0.1.12 + imagePullPolicy: IfNotPresent # Resource specification block for the forecasting container. resources: @@ -2390,7 +2441,7 @@ forecasting: nodeSelector: {} # Define tolerations for the forecasting Deployment. - tolerations: {} + tolerations: [] # Define Pod affinity for the forecasting Deployment. affinity: {} @@ -2423,6 +2474,7 @@ kubecostAggregator: # fullImageName overrides the default image construction logic. The exact # image provided (registry, image, tag) will be used for aggregator. # fullImageName: + imagePullPolicy: IfNotPresent # For legacy configuration support, `enabled: true` overrides deployMethod # and causes `deployMethod: "statefulset"` 
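Review bot: The three cloud service labeling defaults flip from `false` to `true`, but the comments still read as if the feature is opt-in ("when set to true, enables…"), so a reader gets no hint that behaviour changes on upgrade. Reword each to state the default, e.g. `# google-cloud-services: labels traffic metrics with Google Cloud service endpoints (default: true; set to false to disable)`. Where the endpoint lists come from (bundled with the image or fetched at runtime) is not visible here; if they are fetched, the network-costs daemonset now needs egress to those sources by default, which is worth calling out next to these keys.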
@@ -2448,13 +2500,49 @@ kubecostAggregator: # set to 0 for max partitioning (minimum possible ram usage, but the slowest) # the default of 25 is sufficient for 95%+ of users. This should only be modified # after consulting with Kubecost's support team - numDBCopyPartitions: 25 + numDBCopyPartitions: 1 + logLevel: info - env: - "LOG_LEVEL": "info" - "DB_READ_THREADS": "1" - "DB_WRITE_THREADS": "1" - "DB_CONCURRENT_INGESTION_COUNT": "3" + # env: has been removed to avoid unknown issues that would be caused by + # customizations that were required to run aggregator in previous versions + # extraEnv: can be used to add new environment variables to the aggregator pod + + # the below settings should only be modified with support from Kubecost staff + + # How many threads the read database is configured with (i.e. Kubecost API / + # UI queries). If increasing this value, it is recommended to increase the + # aggregator's memory requests & limits. + # default: 1 + dbReadThreads: 1 + # How many threads the write database is configured with (i.e. ingestion of + # new data from S3). If increasing this value, it is recommended to increase + # the aggregator's memory requests & limits. + # default: 1 + dbWriteThreads: 1 + # How many threads to use when ingesting Asset/Allocation/CloudCost data + # from the federated store bucket. In most cases the default is sufficient, + # but can be increased if trying to backfill historical data. + # default: 1 + dbConcurrentIngestionCount: 1 + # dbCopyFull: "true" can improve the time it takes to copy the write DB, + # at the expense of additional memory usages. + dbCopyFull: false + # Memory limit applied to read database connections. + # default: 0GB is no limit + dbMemoryLimit: 0GB + # Memory limit applied to write database connections. + # default: 0GB is no limit + dbWriteMemoryLimit: 0GB + # How much data to ingest from the federated store bucket, and how much data + # to keep in the DB before rolling the data off. 
+ # + # Note: If increasing this value to backfill historical data, it will take + # time to gradually ingest and process those historical ETL files. Consider + # also increasing the resources available to the aggregator as well as the + # refresh and concurrency env vars. + # + # default: 91 + etlDailyStoreDurationDays: 91 persistentConfigsStorage: storageClass: "" # default storage class @@ -2523,7 +2611,6 @@ kubecostAggregator: # kubecostAggregator.deployMethod: # kA.dM = "singlepod" -> cloudCost is run as container inside cost-analyzer # kA.dM = "statefulset" -> cloudCost is run as single-replica Deployment - enabled: false resources: {} # requests: # cpu: 1000m @@ -2542,7 +2629,7 @@ kubecostAggregator: # nodeSelector: {} ## Tolerations for the aggregator cloud costs - # tolerations: {} + # tolerations: [] ## Affinity for the aggregator cloud costs # affinity: {} @@ -2615,7 +2702,7 @@ diagnostics: securityContext: {} containerSecurityContext: {} nodeSelector: {} - tolerations: {} + tolerations: [] affinity: {} ## Provide a full name override for the diagnostics Deployment. @@ -2626,8 +2713,8 @@ clusterController: enabled: false image: repository: gcr.io/kubecost1/cluster-controller - tag: v0.16.0 - imagePullPolicy: Always + tag: v0.16.2 + imagePullPolicy: IfNotPresent ## PriorityClassName ## Ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass priorityClassName: "" @@ -2705,7 +2792,7 @@ clusterController: # # See the examples below. # - # [1] https://docs.kubecost.com/apis/apis-overview/filters-api + # [1] https://docs.kubecost.com/apis/filters-api # filterConfig: # - filter: | # namespace:"abc"+controllerKind:"deployment" 
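Review bot: `numDBCopyPartitions` drops from 25 to 1 while the comment immediately above still says `the default of 25 is sufficient for 95%+ of users`, so the comment now contradicts the value it documents. Update it in the same change, e.g. `# the default of 1 is sufficient for 95%+ of users` or whatever the new guidance is. Separately, the removed `env:` map is said to be replaced by `extraEnv:`, but `extraEnv` is only mentioned, not declared, in this hunk; if it is defined elsewhere in the file a pointer would help upgraders whose `env:` overrides (`LOG_LEVEL`, `DB_*`) are now silently dropped in favour of the new typed keys.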
@@ -2748,16 +2835,25 @@ reporting: serviceMonitor: # the kubecost included prometheus uses scrapeConfigs and does not support service monitors. The following options assume an existing prometheus that supports serviceMonitors. enabled: false + interval: 1m + scrapeTimeout: 10s additionalLabels: {} metricRelabelings: [] relabelings: [] networkCosts: enabled: false + interval: 1m + scrapeTimeout: 10s + additionalLabels: {} + metricRelabelings: [] + relabelings: [] + aggregatorMetrics: + enabled: false + interval: 1m scrapeTimeout: 10s additionalLabels: {} metricRelabelings: [] relabelings: [] - prometheusRule: enabled: false additionalLabels: {} @@ -2828,7 +2924,7 @@ grafana: ## Container image settings for the Grafana deployment image: repository: grafana/grafana - tag: 10.3.4 + tag: 10.4.3 pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. @@ -3022,7 +3118,7 @@ grafana: sidecar: image: repository: kiwigrid/k8s-sidecar - tag: 1.26.0 + tag: 1.27.2 pullPolicy: IfNotPresent resources: {} dashboards: @@ -3096,6 +3192,12 @@ federatedETL: ## If true, push ETL data to the federated storage bucket federatedCluster: false + ## If true, this cluster will be able to read from the federated-store but will + ## not write to it. This is useful in situations when you want to deploy a + ## primary cluster, but don't want the primary cluster's ETL data to be + ## pushed to the bucket + readOnlyPrimary: false + ## If true, changes the dir of S3 backup to the Federated combined store. ## Commonly used when transitioning from Thanos to Federated ETL architecture. redirectS3Backup: false 
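Review bot: `readOnlyPrimary: true` and `federatedCluster: true` can both be set, and the comments do not say which wins — the first says push ETL data to the bucket, the second says never write to it. Add a line to the `readOnlyPrimary` comment such as `## Takes precedence over federatedCluster when both are true` — or the reverse, whichever the templates implement; I cannot tell from the values file alone.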
@@ -3242,6 +3344,20 @@ costEventsAudit: # key: "" # secretname: productkeysecret # Reference an existing k8s secret created from a file named productkey.json of format { "key": "enterprise-key-here" }. If the secretname is specified, a configmap with the key will not be created. # mountPath: "/some/custom/path/productkey.json" # (use instead of secretname) Declare the path at which the product key file is mounted (eg. by a secrets provisioner). The file must be of format { "key": "enterprise-key-here" }. +# # The following block enables the use of a custom SMTP server which overrides Kubecost's built-in, external SMTP server for alerts and reports +# smtp: +# config: | +# { +# "sender_email": "", +# "host": "", +# "port": 587, +# "authentication": true, +# "username": "", +# "password": "", +# "secure": true +# } +# secretname: smtpconfigsecret # Reference an existing k8s secret created from a file named smtp.json of format specified by config above. If the secretname is specified, a configmap with the key will not be created. +# mountPath: "/some/custom/path/smtp.json" # (use instead of secretname) Declare the path at which the SMTP config file is mounted (eg. by a secrets provisioner). The file must be of format specified by config above. # carbonEstimates: false # Enables Kubecost beta carbon estimation endpoints /assets/carbon and /allocations/carbon ## Specify an existing Kubernetes Secret holding the cloud integration information. This Secret must contain 
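Review bot: The inline `smtp.config` example carries the SMTP `username` and `password`, and per the `secretname` comment ("If the secretname is specified, a configmap with the key will not be created") the inline form is rendered into a ConfigMap, i.e. mail credentials land in a non-Secret object readable by anyone with `get configmaps` in the namespace. Add a warning above `config:`, e.g. `# WARNING: inline config is stored in a ConfigMap; prefer secretname/mountPath so the SMTP password lives in a Secret`, and consider making the `secretname` example the primary one. The meaning of `"secure": true` alongside `"port": 587` (implicit TLS versus STARTTLS) is also left unexplained; one sentence on which TLS mode it selects and whether the server certificate is verified would prevent a silently unencrypted relay.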
@@ -3296,8 +3412,10 @@ costEventsAudit: # ingestPodUID: false # Enables using UIDs to uniquely ID pods. This requires either Kubecost's replicated KSM metrics, or KSM v2.1.0+. This may impact performance, and changes the default cost-model allocation behavior. # regionOverrides: "region1,region2,region3" # list of regions which will override default costmodel provider regions -# Explicit name of the ConfigMap to use for pricing overrides. If not set, a default will apply. +# Explicit names of various ConfigMaps to use. If not set, a default will apply. # pricingConfigmapName: "" +# productConfigmapName: "" +# smtpConfigmapName: "" # -- Array of extra K8s manifests to deploy ## Note: Supports use of custom Helm templates diff --git a/charts/kuma/kuma/Chart.yaml b/charts/kuma/kuma/Chart.yaml index 26514f6b8..da01a019d 100644 --- a/charts/kuma/kuma/Chart.yaml +++ b/charts/kuma/kuma/Chart.yaml @@ -4,7 +4,7 @@ annotations: catalog.cattle.io/namespace: kuma-system catalog.cattle.io/release-name: kuma apiVersion: v2 -appVersion: 2.7.3 +appVersion: 2.8.0 description: A Helm chart for the Kuma Control Plane home: https://github.com/kumahq/kuma icon: https://kuma.io/assets/images/brand/kuma-logo-new.svg @@ -23,4 +23,4 @@ maintainers: url: https://github.com/michaelbeaumont name: kuma type: application -version: 2.7.3 +version: 2.8.0 diff --git a/charts/kuma/kuma/README.md b/charts/kuma/kuma/README.md index 4f3d9228d..3431b6cb1 100644 --- a/charts/kuma/kuma/README.md +++ b/charts/kuma/kuma/README.md 
@@ -2,7 +2,7 @@ A Helm chart for the Kuma Control Plane -![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![Version: 2.7.3](https://img.shields.io/badge/Version-2.7.3-informational?style=flat-square) ![AppVersion: 2.7.3](https://img.shields.io/badge/AppVersion-2.7.3-informational?style=flat-square) +![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![Version: 2.8.0](https://img.shields.io/badge/Version-2.8.0-informational?style=flat-square) ![AppVersion: 2.8.0](https://img.shields.io/badge/AppVersion-2.8.0-informational?style=flat-square) **Homepage:** diff --git a/charts/kuma/kuma/crds/kuma.io_hostnamegenerators.yaml b/charts/kuma/kuma/crds/kuma.io_hostnamegenerators.yaml new file mode 100644 index 000000000..289ba10ce --- /dev/null +++ b/charts/kuma/kuma/crds/kuma.io_hostnamegenerators.yaml 
@@ -0,0 +1,65 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.14.0 + name: hostnamegenerators.kuma.io +spec: + group: kuma.io + names: + categories: + - kuma + kind: HostnameGenerator + listKind: HostnameGeneratorList + plural: hostnamegenerators + singular: hostnamegenerator + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec is the specification of the Kuma HostnameGenerator resource. + properties: + selector: + properties: + meshExternalService: + properties: + matchLabels: + additionalProperties: + type: string + type: object + type: object + meshService: + properties: + matchLabels: + additionalProperties: + type: string + type: object + type: object + type: object + template: + type: string + type: object + type: object + served: true + storage: true diff --git a/charts/kuma/kuma/crds/kuma.io_meshaccesslogs.yaml b/charts/kuma/kuma/crds/kuma.io_meshaccesslogs.yaml index df9919d58..61cb8c28a 100644 --- a/charts/kuma/kuma/crds/kuma.io_meshaccesslogs.yaml +++ b/charts/kuma/kuma/crds/kuma.io_meshaccesslogs.yaml 
@@ -213,9 +213,17 @@ spec: - MeshSubset - MeshGateway - MeshService + - MeshExternalService - MeshServiceSubset - MeshHTTPRoute type: string + labels: + additionalProperties: + type: string + description: |- + Labels are used to select group of MeshServices that match labels. Either Labels or + Name and Namespace can be used. + type: object mesh: description: Mesh is reserved for future use to identify cross mesh resources. @@ -225,6 +233,11 @@ spec: Name of the referenced resource. Can only be used with kinds: `MeshService`, `MeshServiceSubset` and `MeshGatewayRoute` type: string + namespace: + description: |- + Namespace specifies the namespace of target resource. If empty only resources in policy namespace + will be targeted. + type: string proxyTypes: description: |- ProxyTypes specifies the data plane types that are subject to the policy. When not specified, @@ -236,6 +249,11 @@ spec: type: string minItems: 1 type: array + sectionName: + description: |- + SectionName is used to target specific section of resource. + For example, you can target port from MeshService.ports[] by its name. Only traffic to this port will be affected. + type: string tags: additionalProperties: type: string @@ -261,9 +279,17 @@ spec: - MeshSubset - MeshGateway - MeshService + - MeshExternalService - MeshServiceSubset - MeshHTTPRoute type: string + labels: + additionalProperties: + type: string + description: |- + Labels are used to select group of MeshServices that match labels. Either Labels or + Name and Namespace can be used. + type: object mesh: description: Mesh is reserved for future use to identify cross mesh resources. 
@@ -273,6 +299,11 @@ spec: Name of the referenced resource. Can only be used with kinds: `MeshService`, `MeshServiceSubset` and `MeshGatewayRoute` type: string + namespace: + description: |- + Namespace specifies the namespace of target resource. If empty only resources in policy namespace + will be targeted. + type: string proxyTypes: description: |- ProxyTypes specifies the data plane types that are subject to the policy. When not specified, @@ -284,6 +315,11 @@ spec: type: string minItems: 1 type: array + sectionName: + description: |- + SectionName is used to target specific section of resource. + For example, you can target port from MeshService.ports[] by its name. Only traffic to this port will be affected. + type: string tags: additionalProperties: type: string @@ -458,9 +494,17 @@ spec: - MeshSubset - MeshGateway - MeshService + - MeshExternalService - MeshServiceSubset - MeshHTTPRoute type: string + labels: + additionalProperties: + type: string + description: |- + Labels are used to select group of MeshServices that match labels. Either Labels or + Name and Namespace can be used. + type: object mesh: description: Mesh is reserved for future use to identify cross mesh resources. @@ -470,6 +514,11 @@ spec: Name of the referenced resource. Can only be used with kinds: `MeshService`, `MeshServiceSubset` and `MeshGatewayRoute` type: string + namespace: + description: |- + Namespace specifies the namespace of target resource. If empty only resources in policy namespace + will be targeted. + type: string proxyTypes: description: |- ProxyTypes specifies the data plane types that are subject to the policy. When not specified, @@ -481,6 +530,11 @@ spec: type: string minItems: 1 type: array + sectionName: + description: |- + SectionName is used to target specific section of resource. + For example, you can target port from MeshService.ports[] by its name. Only traffic to this port will be affected. + type: string tags: additionalProperties: type: string 
diff --git a/charts/kuma/kuma/crds/kuma.io_meshcircuitbreakers.yaml b/charts/kuma/kuma/crds/kuma.io_meshcircuitbreakers.yaml index 3c6a01d82..b0b848b52 100644 --- a/charts/kuma/kuma/crds/kuma.io_meshcircuitbreakers.yaml +++ b/charts/kuma/kuma/crds/kuma.io_meshcircuitbreakers.yaml @@ -304,9 +304,17 @@ spec: - MeshSubset - MeshGateway - MeshService + - MeshExternalService - MeshServiceSubset - MeshHTTPRoute type: string + labels: + additionalProperties: + type: string + description: |- + Labels are used to select group of MeshServices that match labels. Either Labels or + Name and Namespace can be used. + type: object mesh: description: Mesh is reserved for future use to identify cross mesh resources. @@ -316,6 +324,11 @@ spec: Name of the referenced resource. Can only be used with kinds: `MeshService`, `MeshServiceSubset` and `MeshGatewayRoute` type: string + namespace: + description: |- + Namespace specifies the namespace of target resource. If empty only resources in policy namespace + will be targeted. + type: string proxyTypes: description: |- ProxyTypes specifies the data plane types that are subject to the policy. When not specified, @@ -327,6 +340,11 @@ spec: type: string minItems: 1 type: array + sectionName: + description: |- + SectionName is used to target specific section of resource. + For example, you can target port from MeshService.ports[] by its name. Only traffic to this port will be affected. + type: string tags: additionalProperties: type: string @@ -352,9 +370,17 @@ spec: - MeshSubset - MeshGateway - MeshService + - MeshExternalService - MeshServiceSubset - MeshHTTPRoute type: string + labels: + additionalProperties: + type: string + description: |- + Labels are used to select group of MeshServices that match labels. Either Labels or + Name and Namespace can be used. + type: object mesh: description: Mesh is reserved for future use to identify cross mesh resources. 
@@ -364,6 +390,11 @@ spec: Name of the referenced resource. Can only be used with kinds: `MeshService`, `MeshServiceSubset` and `MeshGatewayRoute` type: string + namespace: + description: |- + Namespace specifies the namespace of target resource. If empty only resources in policy namespace + will be targeted. + type: string proxyTypes: description: |- ProxyTypes specifies the data plane types that are subject to the policy. When not specified, @@ -375,6 +406,11 @@ spec: type: string minItems: 1 type: array + sectionName: + description: |- + SectionName is used to target specific section of resource. + For example, you can target port from MeshService.ports[] by its name. Only traffic to this port will be affected. + type: string tags: additionalProperties: type: string @@ -640,9 +676,17 @@ spec: - MeshSubset - MeshGateway - MeshService + - MeshExternalService - MeshServiceSubset - MeshHTTPRoute type: string + labels: + additionalProperties: + type: string + description: |- + Labels are used to select group of MeshServices that match labels. Either Labels or + Name and Namespace can be used. + type: object mesh: description: Mesh is reserved for future use to identify cross mesh resources. @@ -652,6 +696,11 @@ spec: Name of the referenced resource. Can only be used with kinds: `MeshService`, `MeshServiceSubset` and `MeshGatewayRoute` type: string + namespace: + description: |- + Namespace specifies the namespace of target resource. If empty only resources in policy namespace + will be targeted. + type: string proxyTypes: description: |- ProxyTypes specifies the data plane types that are subject to the policy. When not specified, @@ -663,6 +712,11 @@ spec: type: string minItems: 1 type: array + sectionName: + description: |- + SectionName is used to target specific section of resource. + For example, you can target port from MeshService.ports[] by its name. Only traffic to this port will be affected. + type: string tags: additionalProperties: type: string 
diff --git a/charts/kuma/kuma/crds/kuma.io_meshexternalservices.yaml b/charts/kuma/kuma/crds/kuma.io_meshexternalservices.yaml new file mode 100644 index 000000000..6108163ca --- /dev/null +++ b/charts/kuma/kuma/crds/kuma.io_meshexternalservices.yaml 
@@ -0,0 +1,333 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.14.0 + name: meshexternalservices.kuma.io +spec: + group: kuma.io + names: + categories: + - kuma + kind: MeshExternalService + listKind: MeshExternalServiceList + plural: meshexternalservices + singular: meshexternalservice + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec is the specification of the Kuma MeshExternalService + resource. + properties: + endpoints: + description: Endpoints defines a list of destinations to send traffic + to. + items: + properties: + address: + description: Address defines an address to which a user want + to send a request. Is possible to provide `domain`, `ip` and + `unix` sockets. + example: unix:///tmp/example.sock + minLength: 1 + type: string + port: + description: Port of the endpoint + maximum: 65535 + minimum: 1 + type: integer + required: + - address + type: object + type: array + extension: + description: Extension struct for a plugin configuration, in the presence + of an extension `endpoints` and `tls` are not required anymore - + it's up to the extension to validate them independently. 
+ properties: + config: + description: Config freeform configuration for the extension. + x-kubernetes-preserve-unknown-fields: true + type: + description: Type of the extension. + type: string + required: + - config + - type + type: object + match: + description: Match defines traffic that should be routed through the + sidecar. + properties: + port: + description: Port defines a port to which a user does request. + maximum: 65535 + minimum: 1 + type: integer + protocol: + default: tcp + description: 'Protocol defines a protocol of the communication. + Possible values: `tcp`, `grpc`, `http`, `http2`.' + enum: + - tcp + - grpc + - http + - http2 + type: string + type: + default: HostnameGenerator + description: Type of the match, only `HostnameGenerator` is available + at the moment. + enum: + - HostnameGenerator + type: string + required: + - port + type: object + tls: + description: Tls provides a TLS configuration when proxy is resposible + for a TLS origination + properties: + allowRenegotiation: + default: false + description: |- + AllowRenegotiation defines if TLS sessions will allow renegotiation. + Setting this to true is not recommended for security reasons. + type: boolean + enabled: + default: false + description: Enabled defines if proxy should originate TLS. + type: boolean + verification: + description: Verification section for providing TLS verification + details. + properties: + caCert: + description: CaCert defines a certificate of CA. + properties: + inline: + description: Data source is inline bytes. + format: byte + type: string + inlineString: + description: Data source is inline string` + type: string + secret: + description: Data source is a secret with given Secret + key. + type: string + type: object + clientCert: + description: ClientCert defines a certificate of a client. + properties: + inline: + description: Data source is inline bytes. 
+ format: byte + type: string + inlineString: + description: Data source is inline string` + type: string + secret: + description: Data source is a secret with given Secret + key. + type: string + type: object + clientKey: + description: ClientKey defines a client private key. + properties: + inline: + description: Data source is inline bytes. + format: byte + type: string + inlineString: + description: Data source is inline string` + type: string + secret: + description: Data source is a secret with given Secret + key. + type: string + type: object + mode: + default: Secured + description: Mode defines if proxy should skip verification, + one of `SkipSAN`, `SkipCA`, `Secured`, `SkipAll`. Default + `Secured`. + enum: + - SkipSAN + - SkipCA + - Secured + - SkipAll + type: string + serverName: + description: ServerName overrides the default Server Name + Indicator set by Kuma. + type: string + subjectAltNames: + description: SubjectAltNames list of names to verify in the + certificate. + items: + properties: + type: + default: Exact + description: 'Type specifies matching type, one of `Exact`, + `Prefix`. Default: `Exact`' + enum: + - Exact + - Prefix + type: string + value: + description: Value to match. + type: string + required: + - value + type: object + type: array + type: object + version: + description: Version section for providing version specification. + properties: + max: + default: TLSAuto + description: Max defines maximum supported version. One of + `TLSAuto`, `TLS10`, `TLS11`, `TLS12`, `TLS13`. + enum: + - TLSAuto + - TLS10 + - TLS11 + - TLS12 + - TLS13 + type: string + min: + default: TLSAuto + description: Min defines minimum supported version. One of + `TLSAuto`, `TLS10`, `TLS11`, `TLS12`, `TLS13`. + enum: + - TLSAuto + - TLS10 + - TLS11 + - TLS12 + - TLS13 + type: string + type: object + type: object + required: + - match + type: object + status: + description: Status is the current status of the Kuma MeshExternalService + resource. 
+ properties: + addresses: + description: Addresses section for generated domains + items: + properties: + hostname: + type: string + hostnameGeneratorRef: + properties: + coreName: + type: string + required: + - coreName + type: object + origin: + type: string + type: object + type: array + hostnameGenerators: + items: + properties: + conditions: + description: Conditions is an array of hostname generator conditions. + items: + properties: + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. 
+ The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + hostnameGeneratorRef: + properties: + coreName: + type: string + required: + - coreName + type: object + required: + - hostnameGeneratorRef + type: object + type: array + vip: + description: Vip section for allocated IP + properties: + ip: + description: Value allocated IP for a provided domain with `HostnameGenerator` + type in a match section. + type: string + type: object + type: object + type: object + served: true + storage: true diff --git a/charts/kuma/kuma/crds/kuma.io_meshfaultinjections.yaml b/charts/kuma/kuma/crds/kuma.io_meshfaultinjections.yaml index 4150c0fdd..e3ccb0b24 100644 --- a/charts/kuma/kuma/crds/kuma.io_meshfaultinjections.yaml +++ b/charts/kuma/kuma/crds/kuma.io_meshfaultinjections.yaml @@ -145,9 +145,17 @@ spec: - MeshSubset - MeshGateway - MeshService + - MeshExternalService - MeshServiceSubset - MeshHTTPRoute type: string + labels: + additionalProperties: + type: string + description: |- + Labels are used to select group of MeshServices that match labels. Either Labels or + Name and Namespace can be used. + type: object mesh: description: Mesh is reserved for future use to identify cross mesh resources. @@ -157,6 +165,11 @@ spec: Name of the referenced resource. Can only be used with kinds: `MeshService`, `MeshServiceSubset` and `MeshGatewayRoute` type: string + namespace: + description: |- + Namespace specifies the namespace of target resource. If empty only resources in policy namespace + will be targeted. + type: string proxyTypes: description: |- ProxyTypes specifies the data plane types that are subject to the policy. When not specified, 
@@ -168,6 +181,11 @@ spec: type: string minItems: 1 type: array + sectionName: + description: |- + SectionName is used to target specific section of resource. + For example, you can target port from MeshService.ports[] by its name. Only traffic to this port will be affected. + type: string tags: additionalProperties: type: string @@ -193,9 +211,17 @@ spec: - MeshSubset - MeshGateway - MeshService + - MeshExternalService - MeshServiceSubset - MeshHTTPRoute type: string + labels: + additionalProperties: + type: string + description: |- + Labels are used to select group of MeshServices that match labels. Either Labels or + Name and Namespace can be used. + type: object mesh: description: Mesh is reserved for future use to identify cross mesh resources. @@ -205,6 +231,11 @@ spec: Name of the referenced resource. Can only be used with kinds: `MeshService`, `MeshServiceSubset` and `MeshGatewayRoute` type: string + namespace: + description: |- + Namespace specifies the namespace of target resource. If empty only resources in policy namespace + will be targeted. + type: string proxyTypes: description: |- ProxyTypes specifies the data plane types that are subject to the policy. When not specified, @@ -216,6 +247,11 @@ spec: type: string minItems: 1 type: array + sectionName: + description: |- + SectionName is used to target specific section of resource. + For example, you can target port from MeshService.ports[] by its name. Only traffic to this port will be affected. + type: string tags: additionalProperties: type: string @@ -321,9 +357,17 @@ spec: - MeshSubset - MeshGateway - MeshService + - MeshExternalService - MeshServiceSubset - MeshHTTPRoute type: string + labels: + additionalProperties: + type: string + description: |- + Labels are used to select group of MeshServices that match labels. Either Labels or + Name and Namespace can be used. + type: object mesh: description: Mesh is reserved for future use to identify cross mesh resources. 
@@ -333,6 +377,11 @@ spec: Name of the referenced resource. Can only be used with kinds: `MeshService`, `MeshServiceSubset` and `MeshGatewayRoute` type: string + namespace: + description: |- + Namespace specifies the namespace of target resource. If empty only resources in policy namespace + will be targeted. + type: string proxyTypes: description: |- ProxyTypes specifies the data plane types that are subject to the policy. When not specified, @@ -344,6 +393,11 @@ spec: type: string minItems: 1 type: array + sectionName: + description: |- + SectionName is used to target specific section of resource. + For example, you can target port from MeshService.ports[] by its name. Only traffic to this port will be affected. + type: string tags: additionalProperties: type: string diff --git a/charts/kuma/kuma/crds/kuma.io_meshhealthchecks.yaml b/charts/kuma/kuma/crds/kuma.io_meshhealthchecks.yaml index 20a819786..f941d27e0 100644 --- a/charts/kuma/kuma/crds/kuma.io_meshhealthchecks.yaml +++ b/charts/kuma/kuma/crds/kuma.io_meshhealthchecks.yaml @@ -60,9 +60,17 @@ spec: - MeshSubset - MeshGateway - MeshService + - MeshExternalService - MeshServiceSubset - MeshHTTPRoute type: string + labels: + additionalProperties: + type: string + description: |- + Labels are used to select group of MeshServices that match labels. Either Labels or + Name and Namespace can be used. + type: object mesh: description: Mesh is reserved for future use to identify cross mesh resources. @@ -72,6 +80,11 @@ spec: Name of the referenced resource. Can only be used with kinds: `MeshService`, `MeshServiceSubset` and `MeshGatewayRoute` type: string + namespace: + description: |- + Namespace specifies the namespace of target resource. If empty only resources in policy namespace + will be targeted. + type: string proxyTypes: description: |- ProxyTypes specifies the data plane types that are subject to the policy. When not specified, 
@@ -83,6 +96,11 @@ spec: type: string minItems: 1 type: array + sectionName: + description: |- + SectionName is used to target specific section of resource. + For example, you can target port from MeshService.ports[] by its name. Only traffic to this port will be affected. + type: string tags: additionalProperties: type: string @@ -302,9 +320,17 @@ spec: - MeshSubset - MeshGateway - MeshService + - MeshExternalService - MeshServiceSubset - MeshHTTPRoute type: string + labels: + additionalProperties: + type: string + description: |- + Labels are used to select group of MeshServices that match labels. Either Labels or + Name and Namespace can be used. + type: object mesh: description: Mesh is reserved for future use to identify cross mesh resources. @@ -314,6 +340,11 @@ spec: Name of the referenced resource. Can only be used with kinds: `MeshService`, `MeshServiceSubset` and `MeshGatewayRoute` type: string + namespace: + description: |- + Namespace specifies the namespace of target resource. If empty only resources in policy namespace + will be targeted. + type: string proxyTypes: description: |- ProxyTypes specifies the data plane types that are subject to the policy. When not specified, @@ -325,6 +356,11 @@ spec: type: string minItems: 1 type: array + sectionName: + description: |- + SectionName is used to target specific section of resource. + For example, you can target port from MeshService.ports[] by its name. Only traffic to this port will be affected. + type: string tags: additionalProperties: type: string diff --git a/charts/kuma/kuma/crds/kuma.io_meshhttproutes.yaml b/charts/kuma/kuma/crds/kuma.io_meshhttproutes.yaml index 1be4e6847..f4dc4952b 100644 --- a/charts/kuma/kuma/crds/kuma.io_meshhttproutes.yaml +++ b/charts/kuma/kuma/crds/kuma.io_meshhttproutes.yaml 
@@ -60,9 +60,17 @@ spec: - MeshSubset - MeshGateway - MeshService + - MeshExternalService - MeshServiceSubset - MeshHTTPRoute type: string + labels: + additionalProperties: + type: string + description: |- + Labels are used to select group of MeshServices that match labels. Either Labels or + Name and Namespace can be used. + type: object mesh: description: Mesh is reserved for future use to identify cross mesh resources. @@ -72,6 +80,11 @@ spec: Name of the referenced resource. Can only be used with kinds: `MeshService`, `MeshServiceSubset` and `MeshGatewayRoute` type: string + namespace: + description: |- + Namespace specifies the namespace of target resource. If empty only resources in policy namespace + will be targeted. + type: string proxyTypes: description: |- ProxyTypes specifies the data plane types that are subject to the policy. When not specified, @@ -83,6 +96,11 @@ spec: type: string minItems: 1 type: array + sectionName: + description: |- + SectionName is used to target specific section of resource. + For example, you can target port from MeshService.ports[] by its name. Only traffic to this port will be affected. + type: string tags: additionalProperties: type: string @@ -128,9 +146,17 @@ spec: - MeshSubset - MeshGateway - MeshService + - MeshExternalService - MeshServiceSubset - MeshHTTPRoute type: string + labels: + additionalProperties: + type: string + description: |- + Labels are used to select group of MeshServices that match labels. Either Labels or + Name and Namespace can be used. + type: object mesh: description: Mesh is reserved for future use to identify cross mesh resources. 
@@ -140,6 +166,11 @@ spec: Name of the referenced resource. Can only be used with kinds: `MeshService`, `MeshServiceSubset` and `MeshGatewayRoute` type: string + namespace: + description: |- + Namespace specifies the namespace of target resource. If empty only resources in policy namespace + will be targeted. + type: string port: description: Port is only supported when this ref refers to a real MeshService object @@ -156,6 +187,11 @@ spec: type: string minItems: 1 type: array + sectionName: + description: |- + SectionName is used to target specific section of resource. + For example, you can target port from MeshService.ports[] by its name. Only traffic to this port will be affected. + type: string tags: additionalProperties: type: string @@ -235,9 +271,17 @@ spec: - MeshSubset - MeshGateway - MeshService + - MeshExternalService - MeshServiceSubset - MeshHTTPRoute type: string + labels: + additionalProperties: + type: string + description: |- + Labels are used to select group of MeshServices that match labels. Either Labels or + Name and Namespace can be used. + type: object mesh: description: Mesh is reserved for future use to identify cross mesh resources. @@ -247,6 +291,11 @@ spec: Name of the referenced resource. Can only be used with kinds: `MeshService`, `MeshServiceSubset` and `MeshGatewayRoute` type: string + namespace: + description: |- + Namespace specifies the namespace of target resource. If empty only resources in policy namespace + will be targeted. + type: string port: description: Port is only supported when this ref refers to a real MeshService @@ -264,6 +313,11 @@ spec: type: string minItems: 1 type: array + sectionName: + description: |- + SectionName is used to target specific section of resource. + For example, you can target port from MeshService.ports[] by its name. Only traffic to this port will be affected. + type: string tags: additionalProperties: type: string 
@@ -552,9 +606,17 @@ spec: - MeshSubset - MeshGateway - MeshService + - MeshExternalService - MeshServiceSubset - MeshHTTPRoute type: string + labels: + additionalProperties: + type: string + description: |- + Labels are used to select group of MeshServices that match labels. Either Labels or + Name and Namespace can be used. + type: object mesh: description: Mesh is reserved for future use to identify cross mesh resources. @@ -564,6 +626,11 @@ spec: Name of the referenced resource. Can only be used with kinds: `MeshService`, `MeshServiceSubset` and `MeshGatewayRoute` type: string + namespace: + description: |- + Namespace specifies the namespace of target resource. If empty only resources in policy namespace + will be targeted. + type: string proxyTypes: description: |- ProxyTypes specifies the data plane types that are subject to the policy. When not specified, @@ -575,6 +642,11 @@ spec: type: string minItems: 1 type: array + sectionName: + description: |- + SectionName is used to target specific section of resource. + For example, you can target port from MeshService.ports[] by its name. Only traffic to this port will be affected. + type: string tags: additionalProperties: type: string diff --git a/charts/kuma/kuma/crds/kuma.io_meshloadbalancingstrategies.yaml b/charts/kuma/kuma/crds/kuma.io_meshloadbalancingstrategies.yaml index 023ce1768..38fd712fc 100644 --- a/charts/kuma/kuma/crds/kuma.io_meshloadbalancingstrategies.yaml +++ b/charts/kuma/kuma/crds/kuma.io_meshloadbalancingstrategies.yaml @@ -61,9 +61,17 @@ spec: - MeshSubset - MeshGateway - MeshService + - MeshExternalService - MeshServiceSubset - MeshHTTPRoute type: string + labels: + additionalProperties: + type: string + description: |- + Labels are used to select group of MeshServices that match labels. Either Labels or + Name and Namespace can be used. + type: object mesh: description: Mesh is reserved for future use to identify cross mesh resources. 
@@ -73,6 +81,11 @@ spec: Name of the referenced resource. Can only be used with kinds: `MeshService`, `MeshServiceSubset` and `MeshGatewayRoute` type: string + namespace: + description: |- + Namespace specifies the namespace of target resource. If empty only resources in policy namespace + will be targeted. + type: string proxyTypes: description: |- ProxyTypes specifies the data plane types that are subject to the policy. When not specified, @@ -84,6 +97,11 @@ spec: type: string minItems: 1 type: array + sectionName: + description: |- + SectionName is used to target specific section of resource. + For example, you can target port from MeshService.ports[] by its name. Only traffic to this port will be affected. + type: string tags: additionalProperties: type: string @@ -492,9 +510,17 @@ spec: - MeshSubset - MeshGateway - MeshService + - MeshExternalService - MeshServiceSubset - MeshHTTPRoute type: string + labels: + additionalProperties: + type: string + description: |- + Labels are used to select group of MeshServices that match labels. Either Labels or + Name and Namespace can be used. + type: object mesh: description: Mesh is reserved for future use to identify cross mesh resources. @@ -504,6 +530,11 @@ spec: Name of the referenced resource. Can only be used with kinds: `MeshService`, `MeshServiceSubset` and `MeshGatewayRoute` type: string + namespace: + description: |- + Namespace specifies the namespace of target resource. If empty only resources in policy namespace + will be targeted. + type: string proxyTypes: description: |- ProxyTypes specifies the data plane types that are subject to the policy. When not specified, @@ -515,6 +546,11 @@ spec: type: string minItems: 1 type: array + sectionName: + description: |- + SectionName is used to target specific section of resource. + For example, you can target port from MeshService.ports[] by its name. Only traffic to this port will be affected. + type: string tags: additionalProperties: type: string 
diff --git a/charts/kuma/kuma/crds/kuma.io_meshmetrics.yaml b/charts/kuma/kuma/crds/kuma.io_meshmetrics.yaml index 1b37c6e3c..260f6916e 100644 --- a/charts/kuma/kuma/crds/kuma.io_meshmetrics.yaml +++ b/charts/kuma/kuma/crds/kuma.io_meshmetrics.yaml @@ -235,9 +235,17 @@ spec: - MeshSubset - MeshGateway - MeshService + - MeshExternalService - MeshServiceSubset - MeshHTTPRoute type: string + labels: + additionalProperties: + type: string + description: |- + Labels are used to select group of MeshServices that match labels. Either Labels or + Name and Namespace can be used. + type: object mesh: description: Mesh is reserved for future use to identify cross mesh resources. @@ -247,6 +255,11 @@ spec: Name of the referenced resource. Can only be used with kinds: `MeshService`, `MeshServiceSubset` and `MeshGatewayRoute` type: string + namespace: + description: |- + Namespace specifies the namespace of target resource. If empty only resources in policy namespace + will be targeted. + type: string proxyTypes: description: |- ProxyTypes specifies the data plane types that are subject to the policy. When not specified, @@ -258,6 +271,11 @@ spec: type: string minItems: 1 type: array + sectionName: + description: |- + SectionName is used to target specific section of resource. + For example, you can target port from MeshService.ports[] by its name. Only traffic to this port will be affected. + type: string tags: additionalProperties: type: string diff --git a/charts/kuma/kuma/crds/kuma.io_meshpassthroughs.yaml b/charts/kuma/kuma/crds/kuma.io_meshpassthroughs.yaml new file mode 100644 index 000000000..aaa17e47e --- /dev/null +++ b/charts/kuma/kuma/crds/kuma.io_meshpassthroughs.yaml 
@@ -0,0 +1,167 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.14.0 + name: meshpassthroughs.kuma.io +spec: + group: kuma.io + names: + categories: + - kuma + kind: MeshPassthrough + listKind: MeshPassthroughList + plural: meshpassthroughs + singular: meshpassthrough + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.targetRef.kind + name: TargetRef Kind + type: string + - jsonPath: .spec.targetRef.name + name: TargetRef Name + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec is the specification of the Kuma MeshPassthrough resource. + properties: + default: + description: MeshPassthrough configuration. + properties: + appendMatch: + description: AppendMatch is a list of destinations that should + be allowed through the sidecar. + items: + properties: + port: + description: Port defines the port to which a user makes + a request. + type: integer + protocol: + default: tcp + description: 'Protocol defines the communication protocol. + Possible values: `tcp`, `tls`, `grpc`, `http`, `http2`.' 
+ enum: + - tcp + - tls + - grpc + - http + - http2 + type: string + type: + description: Type of the match, one of `Domain`, `IP` or + `CIDR` is available. + enum: + - Domain + - IP + - CIDR + type: string + value: + description: Value for the specified Type. + type: string + required: + - port + type: object + type: array + passthroughMode: + default: None + description: |- + Defines the passthrough behavior. Possible values: `All`, `None`, `Matched` + When `All` or `None` `appendMatch` has no effect. + enum: + - All + - Matched + - None + type: string + type: object + targetRef: + description: |- + TargetRef is a reference to the resource the policy takes an effect on. + The resource could be either a real store object or virtual resource + defined in-place. + properties: + kind: + description: Kind of the referenced resource + enum: + - Mesh + - MeshSubset + - MeshGateway + - MeshService + - MeshExternalService + - MeshServiceSubset + - MeshHTTPRoute + type: string + labels: + additionalProperties: + type: string + description: |- + Labels are used to select group of MeshServices that match labels. Either Labels or + Name and Namespace can be used. + type: object + mesh: + description: Mesh is reserved for future use to identify cross + mesh resources. + type: string + name: + description: |- + Name of the referenced resource. Can only be used with kinds: `MeshService`, + `MeshServiceSubset` and `MeshGatewayRoute` + type: string + namespace: + description: |- + Namespace specifies the namespace of target resource. If empty only resources in policy namespace + will be targeted. + type: string + proxyTypes: + description: |- + ProxyTypes specifies the data plane types that are subject to the policy. When not specified, + all data plane types are targeted by the policy. + items: + enum: + - Sidecar + - Gateway + type: string + minItems: 1 + type: array + sectionName: + description: |- + SectionName is used to target specific section of resource. 
+ For example, you can target port from MeshService.ports[] by its name. Only traffic to this port will be affected. + type: string + tags: + additionalProperties: + type: string + description: |- + Tags used to select a subset of proxies by tags. Can only be used with kinds + `MeshSubset` and `MeshServiceSubset` + type: object + type: object + required: + - targetRef + type: object + type: object + served: true + storage: true + subresources: {} diff --git a/charts/kuma/kuma/crds/kuma.io_meshproxypatches.yaml b/charts/kuma/kuma/crds/kuma.io_meshproxypatches.yaml index 5d86a0bd6..76daf5a47 100644 --- a/charts/kuma/kuma/crds/kuma.io_meshproxypatches.yaml +++ b/charts/kuma/kuma/crds/kuma.io_meshproxypatches.yaml @@ -501,9 +501,17 @@ spec: - MeshSubset - MeshGateway - MeshService + - MeshExternalService - MeshServiceSubset - MeshHTTPRoute type: string + labels: + additionalProperties: + type: string + description: |- + Labels are used to select group of MeshServices that match labels. Either Labels or + Name and Namespace can be used. + type: object mesh: description: Mesh is reserved for future use to identify cross mesh resources. @@ -513,6 +521,11 @@ spec: Name of the referenced resource. Can only be used with kinds: `MeshService`, `MeshServiceSubset` and `MeshGatewayRoute` type: string + namespace: + description: |- + Namespace specifies the namespace of target resource. If empty only resources in policy namespace + will be targeted. + type: string proxyTypes: description: |- ProxyTypes specifies the data plane types that are subject to the policy. When not specified, @@ -524,6 +537,11 @@ spec: type: string minItems: 1 type: array + sectionName: + description: |- + SectionName is used to target specific section of resource. + For example, you can target port from MeshService.ports[] by its name. Only traffic to this port will be affected. + type: string tags: additionalProperties: type: string 
diff --git a/charts/kuma/kuma/crds/kuma.io_meshratelimits.yaml b/charts/kuma/kuma/crds/kuma.io_meshratelimits.yaml index 1be95be73..844d9c52f 100644 --- a/charts/kuma/kuma/crds/kuma.io_meshratelimits.yaml +++ b/charts/kuma/kuma/crds/kuma.io_meshratelimits.yaml @@ -63,7 +63,7 @@ spec: properties: http: description: |- - LocalHTTP defines confguration of local HTTP rate limiting + LocalHTTP defines configuration of local HTTP rate limiting https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/local_rate_limit_filter properties: disabled: @@ -184,9 +184,17 @@ spec: - MeshSubset - MeshGateway - MeshService + - MeshExternalService - MeshServiceSubset - MeshHTTPRoute type: string + labels: + additionalProperties: + type: string + description: |- + Labels are used to select group of MeshServices that match labels. Either Labels or + Name and Namespace can be used. + type: object mesh: description: Mesh is reserved for future use to identify cross mesh resources. @@ -196,6 +204,11 @@ spec: Name of the referenced resource. Can only be used with kinds: `MeshService`, `MeshServiceSubset` and `MeshGatewayRoute` type: string + namespace: + description: |- + Namespace specifies the namespace of target resource. If empty only resources in policy namespace + will be targeted. + type: string proxyTypes: description: |- ProxyTypes specifies the data plane types that are subject to the policy. When not specified, @@ -207,6 +220,11 @@ spec: type: string minItems: 1 type: array + sectionName: + description: |- + SectionName is used to target specific section of resource. + For example, you can target port from MeshService.ports[] by its name. Only traffic to this port will be affected. + type: string tags: additionalProperties: type: string 
@@ -232,9 +250,17 @@ spec: - MeshSubset - MeshGateway - MeshService + - MeshExternalService - MeshServiceSubset - MeshHTTPRoute type: string + labels: + additionalProperties: + type: string + description: |- + Labels are used to select group of MeshServices that match labels. Either Labels or + Name and Namespace can be used. + type: object mesh: description: Mesh is reserved for future use to identify cross mesh resources. @@ -244,6 +270,11 @@ spec: Name of the referenced resource. Can only be used with kinds: `MeshService`, `MeshServiceSubset` and `MeshGatewayRoute` type: string + namespace: + description: |- + Namespace specifies the namespace of target resource. If empty only resources in policy namespace + will be targeted. + type: string proxyTypes: description: |- ProxyTypes specifies the data plane types that are subject to the policy. When not specified, @@ -255,6 +286,11 @@ spec: type: string minItems: 1 type: array + sectionName: + description: |- + SectionName is used to target specific section of resource. + For example, you can target port from MeshService.ports[] by its name. Only traffic to this port will be affected. + type: string tags: additionalProperties: type: string @@ -279,7 +315,7 @@ spec: properties: http: description: |- - LocalHTTP defines confguration of local HTTP rate limiting + LocalHTTP defines configuration of local HTTP rate limiting https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/local_rate_limit_filter properties: disabled: @@ -400,9 +436,17 @@ spec: - MeshSubset - MeshGateway - MeshService + - MeshExternalService - MeshServiceSubset - MeshHTTPRoute type: string + labels: + additionalProperties: + type: string + description: |- + Labels are used to select group of MeshServices that match labels. Either Labels or + Name and Namespace can be used. + type: object mesh: description: Mesh is reserved for future use to identify cross mesh resources. 
@@ -412,6 +456,11 @@ spec: Name of the referenced resource. Can only be used with kinds: `MeshService`, `MeshServiceSubset` and `MeshGatewayRoute` type: string + namespace: + description: |- + Namespace specifies the namespace of target resource. If empty only resources in policy namespace + will be targeted. + type: string proxyTypes: description: |- ProxyTypes specifies the data plane types that are subject to the policy. When not specified, @@ -423,6 +472,11 @@ spec: type: string minItems: 1 type: array + sectionName: + description: |- + SectionName is used to target specific section of resource. + For example, you can target port from MeshService.ports[] by its name. Only traffic to this port will be affected. + type: string tags: additionalProperties: type: string diff --git a/charts/kuma/kuma/crds/kuma.io_meshretries.yaml b/charts/kuma/kuma/crds/kuma.io_meshretries.yaml index 307a44326..404c0b2e5 100644 --- a/charts/kuma/kuma/crds/kuma.io_meshretries.yaml +++ b/charts/kuma/kuma/crds/kuma.io_meshretries.yaml @@ -60,9 +60,17 @@ spec: - MeshSubset - MeshGateway - MeshService + - MeshExternalService - MeshServiceSubset - MeshHTTPRoute type: string + labels: + additionalProperties: + type: string + description: |- + Labels are used to select group of MeshServices that match labels. Either Labels or + Name and Namespace can be used. + type: object mesh: description: Mesh is reserved for future use to identify cross mesh resources. @@ -72,6 +80,11 @@ spec: Name of the referenced resource. Can only be used with kinds: `MeshService`, `MeshServiceSubset` and `MeshGatewayRoute` type: string + namespace: + description: |- + Namespace specifies the namespace of target resource. If empty only resources in policy namespace + will be targeted. + type: string proxyTypes: description: |- ProxyTypes specifies the data plane types that are subject to the policy. When not specified, 
@@ -83,6 +96,11 @@ spec: type: string minItems: 1 type: array + sectionName: + description: |- + SectionName is used to target specific section of resource. + For example, you can target port from MeshService.ports[] by its name. Only traffic to this port will be affected. + type: string tags: additionalProperties: type: string @@ -427,9 +445,17 @@ spec: - MeshSubset - MeshGateway - MeshService + - MeshExternalService - MeshServiceSubset - MeshHTTPRoute type: string + labels: + additionalProperties: + type: string + description: |- + Labels are used to select group of MeshServices that match labels. Either Labels or + Name and Namespace can be used. + type: object mesh: description: Mesh is reserved for future use to identify cross mesh resources. @@ -439,6 +465,11 @@ spec: Name of the referenced resource. Can only be used with kinds: `MeshService`, `MeshServiceSubset` and `MeshGatewayRoute` type: string + namespace: + description: |- + Namespace specifies the namespace of target resource. If empty only resources in policy namespace + will be targeted. + type: string proxyTypes: description: |- ProxyTypes specifies the data plane types that are subject to the policy. When not specified, @@ -450,6 +481,11 @@ spec: type: string minItems: 1 type: array + sectionName: + description: |- + SectionName is used to target specific section of resource. + For example, you can target port from MeshService.ports[] by its name. Only traffic to this port will be affected. + type: string tags: additionalProperties: type: string diff --git a/charts/kuma/kuma/crds/kuma.io_meshservices.yaml b/charts/kuma/kuma/crds/kuma.io_meshservices.yaml index 8994f0822..c4548da4e 100644 --- a/charts/kuma/kuma/crds/kuma.io_meshservices.yaml +++ b/charts/kuma/kuma/crds/kuma.io_meshservices.yaml 
@@ -40,29 +40,52 @@ spec: spec: description: Spec is the specification of the Kuma MeshService resource. properties: + identities: + items: + properties: + type: + enum: + - ServiceTag + type: string + value: + type: string + required: + - type + - value + type: object + type: array ports: items: properties: - port: - format: int32 - type: integer - protocol: + appProtocol: default: tcp description: Protocol identifies a protocol supported by a service. type: string - targetPort: + name: + type: string + port: format: int32 type: integer + targetPort: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true required: - port type: object type: array x-kubernetes-list-map-keys: - port - - protocol + - appProtocol x-kubernetes-list-type: map selector: properties: + dataplaneRef: + properties: + name: + type: string + type: object dataplaneTags: additionalProperties: type: string 
@@ -77,6 +100,78 @@ spec: properties: hostname: type: string + hostnameGeneratorRef: + properties: + coreName: + type: string + required: + - coreName + type: object + origin: + type: string + type: object + type: array + hostnameGenerators: + items: + properties: + conditions: + description: Conditions is an array of hostname generator conditions. + items: + properties: + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + hostnameGeneratorRef: + properties: + coreName: + type: string + required: + - coreName + type: object + required: + - hostnameGeneratorRef type: object type: array tls: 
diff --git a/charts/kuma/kuma/crds/kuma.io_meshtcproutes.yaml b/charts/kuma/kuma/crds/kuma.io_meshtcproutes.yaml index 259dee322..5ba894de8 100644 --- a/charts/kuma/kuma/crds/kuma.io_meshtcproutes.yaml +++ b/charts/kuma/kuma/crds/kuma.io_meshtcproutes.yaml @@ -60,9 +60,17 @@ spec: - MeshSubset - MeshGateway - MeshService + - MeshExternalService - MeshServiceSubset - MeshHTTPRoute type: string + labels: + additionalProperties: + type: string + description: |- + Labels are used to select group of MeshServices that match labels. Either Labels or + Name and Namespace can be used. + type: object mesh: description: Mesh is reserved for future use to identify cross mesh resources. @@ -72,6 +80,11 @@ spec: Name of the referenced resource. Can only be used with kinds: `MeshService`, `MeshServiceSubset` and `MeshGatewayRoute` type: string + namespace: + description: |- + Namespace specifies the namespace of target resource. If empty only resources in policy namespace + will be targeted. + type: string proxyTypes: description: |- ProxyTypes specifies the data plane types that are subject to the policy. When not specified, @@ -83,6 +96,11 @@ spec: type: string minItems: 1 type: array + sectionName: + description: |- + SectionName is used to target specific section of resource. + For example, you can target port from MeshService.ports[] by its name. Only traffic to this port will be affected. + type: string tags: additionalProperties: type: string @@ -120,9 +138,17 @@ spec: - MeshSubset - MeshGateway - MeshService + - MeshExternalService - MeshServiceSubset - MeshHTTPRoute type: string + labels: + additionalProperties: + type: string + description: |- + Labels are used to select group of MeshServices that match labels. Either Labels or + Name and Namespace can be used. + type: object mesh: description: Mesh is reserved for future use to identify cross mesh resources. 
@@ -132,6 +158,11 @@ spec: Name of the referenced resource. Can only be used with kinds: `MeshService`, `MeshServiceSubset` and `MeshGatewayRoute` type: string + namespace: + description: |- + Namespace specifies the namespace of target resource. If empty only resources in policy namespace + will be targeted. + type: string port: description: Port is only supported when this ref refers to a real MeshService object @@ -148,6 +179,11 @@ spec: type: string minItems: 1 type: array + sectionName: + description: |- + SectionName is used to target specific section of resource. + For example, you can target port from MeshService.ports[] by its name. Only traffic to this port will be affected. + type: string tags: additionalProperties: type: string @@ -182,9 +218,17 @@ spec: - MeshSubset - MeshGateway - MeshService + - MeshExternalService - MeshServiceSubset - MeshHTTPRoute type: string + labels: + additionalProperties: + type: string + description: |- + Labels are used to select group of MeshServices that match labels. Either Labels or + Name and Namespace can be used. + type: object mesh: description: Mesh is reserved for future use to identify cross mesh resources. @@ -194,6 +238,11 @@ spec: Name of the referenced resource. Can only be used with kinds: `MeshService`, `MeshServiceSubset` and `MeshGatewayRoute` type: string + namespace: + description: |- + Namespace specifies the namespace of target resource. If empty only resources in policy namespace + will be targeted. + type: string proxyTypes: description: |- ProxyTypes specifies the data plane types that are subject to the policy. When not specified, @@ -205,6 +254,11 @@ spec: type: string minItems: 1 type: array + sectionName: + description: |- + SectionName is used to target specific section of resource. + For example, you can target port from MeshService.ports[] by its name. Only traffic to this port will be affected. + type: string tags: additionalProperties: type: string 
diff --git a/charts/kuma/kuma/crds/kuma.io_meshtimeouts.yaml b/charts/kuma/kuma/crds/kuma.io_meshtimeouts.yaml index 57f875b39..f8a7205eb 100644 --- a/charts/kuma/kuma/crds/kuma.io_meshtimeouts.yaml +++ b/charts/kuma/kuma/crds/kuma.io_meshtimeouts.yaml @@ -116,9 +116,17 @@ spec: - MeshSubset - MeshGateway - MeshService + - MeshExternalService - MeshServiceSubset - MeshHTTPRoute type: string + labels: + additionalProperties: + type: string + description: |- + Labels are used to select group of MeshServices that match labels. Either Labels or + Name and Namespace can be used. + type: object mesh: description: Mesh is reserved for future use to identify cross mesh resources. @@ -128,6 +136,11 @@ spec: Name of the referenced resource. Can only be used with kinds: `MeshService`, `MeshServiceSubset` and `MeshGatewayRoute` type: string + namespace: + description: |- + Namespace specifies the namespace of target resource. If empty only resources in policy namespace + will be targeted. + type: string proxyTypes: description: |- ProxyTypes specifies the data plane types that are subject to the policy. When not specified, @@ -139,6 +152,11 @@ spec: type: string minItems: 1 type: array + sectionName: + description: |- + SectionName is used to target specific section of resource. + For example, you can target port from MeshService.ports[] by its name. Only traffic to this port will be affected. + type: string tags: additionalProperties: type: string @@ -164,9 +182,17 @@ spec: - MeshSubset - MeshGateway - MeshService + - MeshExternalService - MeshServiceSubset - MeshHTTPRoute type: string + labels: + additionalProperties: + type: string + description: |- + Labels are used to select group of MeshServices that match labels. Either Labels or + Name and Namespace can be used. + type: object mesh: description: Mesh is reserved for future use to identify cross mesh resources. 
@@ -176,6 +202,11 @@ spec: Name of the referenced resource. Can only be used with kinds: `MeshService`, `MeshServiceSubset` and `MeshGatewayRoute` type: string + namespace: + description: |- + Namespace specifies the namespace of target resource. If empty only resources in policy namespace + will be targeted. + type: string proxyTypes: description: |- ProxyTypes specifies the data plane types that are subject to the policy. When not specified, @@ -187,6 +218,11 @@ spec: type: string minItems: 1 type: array + sectionName: + description: |- + SectionName is used to target specific section of resource. + For example, you can target port from MeshService.ports[] by its name. Only traffic to this port will be affected. + type: string tags: additionalProperties: type: string @@ -264,9 +300,17 @@ spec: - MeshSubset - MeshGateway - MeshService + - MeshExternalService - MeshServiceSubset - MeshHTTPRoute type: string + labels: + additionalProperties: + type: string + description: |- + Labels are used to select group of MeshServices that match labels. Either Labels or + Name and Namespace can be used. + type: object mesh: description: Mesh is reserved for future use to identify cross mesh resources. @@ -276,6 +320,11 @@ spec: Name of the referenced resource. Can only be used with kinds: `MeshService`, `MeshServiceSubset` and `MeshGatewayRoute` type: string + namespace: + description: |- + Namespace specifies the namespace of target resource. If empty only resources in policy namespace + will be targeted. + type: string proxyTypes: description: |- ProxyTypes specifies the data plane types that are subject to the policy. When not specified, @@ -287,6 +336,11 @@ spec: type: string minItems: 1 type: array + sectionName: + description: |- + SectionName is used to target specific section of resource. + For example, you can target port from MeshService.ports[] by its name. Only traffic to this port will be affected. + type: string tags: additionalProperties: type: string 
diff --git a/charts/kuma/kuma/crds/kuma.io_meshtraces.yaml b/charts/kuma/kuma/crds/kuma.io_meshtraces.yaml index ad47f508c..2107140d3 100644 --- a/charts/kuma/kuma/crds/kuma.io_meshtraces.yaml +++ b/charts/kuma/kuma/crds/kuma.io_meshtraces.yaml @@ -226,9 +226,17 @@ spec: - MeshSubset - MeshGateway - MeshService + - MeshExternalService - MeshServiceSubset - MeshHTTPRoute type: string + labels: + additionalProperties: + type: string + description: |- + Labels are used to select group of MeshServices that match labels. Either Labels or + Name and Namespace can be used. + type: object mesh: description: Mesh is reserved for future use to identify cross mesh resources. @@ -238,6 +246,11 @@ spec: Name of the referenced resource. Can only be used with kinds: `MeshService`, `MeshServiceSubset` and `MeshGatewayRoute` type: string + namespace: + description: |- + Namespace specifies the namespace of target resource. If empty only resources in policy namespace + will be targeted. + type: string proxyTypes: description: |- ProxyTypes specifies the data plane types that are subject to the policy. When not specified, @@ -249,6 +262,11 @@ spec: type: string minItems: 1 type: array + sectionName: + description: |- + SectionName is used to target specific section of resource. + For example, you can target port from MeshService.ports[] by its name. Only traffic to this port will be affected. + type: string tags: additionalProperties: type: string diff --git a/charts/kuma/kuma/crds/kuma.io_meshtrafficpermissions.yaml b/charts/kuma/kuma/crds/kuma.io_meshtrafficpermissions.yaml index 65474d719..05d433788 100644 --- a/charts/kuma/kuma/crds/kuma.io_meshtrafficpermissions.yaml +++ b/charts/kuma/kuma/crds/kuma.io_meshtrafficpermissions.yaml 
@@ -79,9 +79,17 @@ spec: - MeshSubset - MeshGateway - MeshService + - MeshExternalService - MeshServiceSubset - MeshHTTPRoute type: string + labels: + additionalProperties: + type: string + description: |- + Labels are used to select group of MeshServices that match labels. Either Labels or + Name and Namespace can be used. + type: object mesh: description: Mesh is reserved for future use to identify cross mesh resources. @@ -91,6 +99,11 @@ spec: Name of the referenced resource. Can only be used with kinds: `MeshService`, `MeshServiceSubset` and `MeshGatewayRoute` type: string + namespace: + description: |- + Namespace specifies the namespace of target resource. If empty only resources in policy namespace + will be targeted. + type: string proxyTypes: description: |- ProxyTypes specifies the data plane types that are subject to the policy. When not specified, @@ -102,6 +115,11 @@ spec: type: string minItems: 1 type: array + sectionName: + description: |- + SectionName is used to target specific section of resource. + For example, you can target port from MeshService.ports[] by its name. Only traffic to this port will be affected. + type: string tags: additionalProperties: type: string @@ -127,9 +145,17 @@ spec: - MeshSubset - MeshGateway - MeshService + - MeshExternalService - MeshServiceSubset - MeshHTTPRoute type: string + labels: + additionalProperties: + type: string + description: |- + Labels are used to select group of MeshServices that match labels. Either Labels or + Name and Namespace can be used. + type: object mesh: description: Mesh is reserved for future use to identify cross mesh resources. 
@@ -139,6 +165,11 @@ spec: Name of the referenced resource. Can only be used with kinds: `MeshService`, `MeshServiceSubset` and `MeshGatewayRoute` type: string + namespace: + description: |- + Namespace specifies the namespace of target resource. If empty only resources in policy namespace + will be targeted. + type: string proxyTypes: description: |- ProxyTypes specifies the data plane types that are subject to the policy. When not specified, @@ -150,6 +181,11 @@ spec: type: string minItems: 1 type: array + sectionName: + description: |- + SectionName is used to target specific section of resource. + For example, you can target port from MeshService.ports[] by its name. Only traffic to this port will be affected. + type: string tags: additionalProperties: type: string diff --git a/charts/kuma/kuma/templates/_helpers.tpl b/charts/kuma/kuma/templates/_helpers.tpl index 7715ce2d7..1956ef6ee 100644 --- a/charts/kuma/kuma/templates/_helpers.tpl +++ b/charts/kuma/kuma/templates/_helpers.tpl @@ -263,7 +263,7 @@ env: {{- end }} - name: KUMA_API_SERVER_AUTHN_LOCALHOST_IS_ADMIN value: "false" -- name: KUMA_RUNTIME_KUBERNETES_SERVICE_ACCOUNT_NAME +- name: KUMA_RUNTIME_KUBERNETES_ALLOWED_USERS value: "system:serviceaccount:{{ .Release.Namespace }}:{{ include "kuma.name" . }}-control-plane" {{- if .Values.experimental.sidecarContainers }} - name: KUMA_EXPERIMENTAL_SIDECAR_CONTAINERS diff --git a/charts/kuma/kuma/templates/cp-rbac.yaml b/charts/kuma/kuma/templates/cp-rbac.yaml index 52e246314..2c0145f0c 100644 --- a/charts/kuma/kuma/templates/cp-rbac.yaml +++ b/charts/kuma/kuma/templates/cp-rbac.yaml @@ -43,6 +43,14 @@ rules: verbs: - list - watch + - apiGroups: + - "discovery.k8s.io" + resources: + - endpointslices + verbs: + - get + - list + - watch - apiGroups: - "apps" resources: @@ -120,6 +128,14 @@ rules: - create - update - patch + - apiGroups: + - "discovery.k8s.io" + resources: + - endpointslices + verbs: + - get + - list + - watch - apiGroups: - kuma.io resources: 
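Review bot: The renamed `KUMA_RUNTIME_KUBERNETES_ALLOWED_USERS` entry in `_helpers.tpl` reads as an allow-list of principals, but the template gives no hint of what those principals are permitted to do or whether operators may extend the list, so a later edit adding a second `system:serviceaccount:...` entry would widen the control plane's trust boundary without that being obvious in review. A template comment above the entry would fix that, e.g. `{{/* Principals the control plane trusts as itself; keep this to the chart's own control-plane service account. */}}` — the exact gate should be taken from the control plane's configuration reference, since the chart does not show it. The value is still a single principal while the new name implies a list, so the separator the control plane expects (presumably a comma) is worth stating in the same comment. Anyone who set the old `KUMA_RUNTIME_KUBERNETES_SERVICE_ACCOUNT_NAME` by hand now holds a dead key, which a release note should mention.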
diff --git a/charts/kuma/kuma/templates/cp-webhooks-and-secrets.yaml b/charts/kuma/kuma/templates/cp-webhooks-and-secrets.yaml index e353cb2b3..8d9ba3169 100644 --- a/charts/kuma/kuma/templates/cp-webhooks-and-secrets.yaml +++ b/charts/kuma/kuma/templates/cp-webhooks-and-secrets.yaml @@ -232,7 +232,7 @@ webhooks: - dataplanes - externalservices - faultinjections - - gatewayinstances + - meshgatewayinstances - healthchecks - meshes - meshgateways diff --git a/charts/kuma/kuma/templates/pre-delete-webhooks.yaml b/charts/kuma/kuma/templates/pre-delete-webhooks.yaml index a1a122c57..e6948af2f 100644 --- a/charts/kuma/kuma/templates/pre-delete-webhooks.yaml +++ b/charts/kuma/kuma/templates/pre-delete-webhooks.yaml @@ -95,6 +95,7 @@ spec: - 'kubectl' - 'delete' - 'ValidatingWebhookConfiguration' + - '--ignore-not-found' - {{ include "kuma.name" . }}-validating-webhook-configuration securityContext: {{- toYaml (mergeOverwrite (dict "runAsUser" 65534) .Values.hooks.containerSecurityContext) | trim | nindent 12 }} diff --git a/charts/kuma/kuma/values.yaml b/charts/kuma/kuma/values.yaml index 6fedf821a..bcd67e454 100644 --- a/charts/kuma/kuma/values.yaml +++ b/charts/kuma/kuma/values.yaml @@ -727,6 +727,8 @@ postgres: # @ignored for helm-docs plugins: resources: + hostnamegenerators: true + meshexternalservices: true meshservices: true policies: meshaccesslogs: true @@ -736,6 +738,7 @@ plugins: meshhttproutes: true meshloadbalancingstrategies: true meshmetrics: true + meshpassthroughs: true meshproxypatches: true meshratelimits: true meshretries: true diff --git a/charts/linkerd/linkerd-control-plane/Chart.yaml b/charts/linkerd/linkerd-control-plane/Chart.yaml index a8fa5a0aa..de4c1eb51 100644 --- a/charts/linkerd/linkerd-control-plane/Chart.yaml +++ b/charts/linkerd/linkerd-control-plane/Chart.yaml 
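Review bot: The `gatewayinstances` → `meshgatewayinstances` correction in the webhook resource list implies that, if `gatewayinstances` never matched a served resource (as the rename suggests), MeshGatewayInstance objects were being admitted without passing through this webhook until now. That deserves an explicit line in the chart's release notes so operators know to re-validate existing objects, and a post-upgrade check that a deliberately invalid MeshGatewayInstance is rejected would confirm the webhook now covers them. Whether this entry belongs to the validating or the mutating webhook is outside the hunk.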
@@ -6,7 +6,7 @@ annotations: catalog.cattle.io/kube-version: '>=1.22.0-0' catalog.cattle.io/release-name: linkerd-control-plane apiVersion: v2 -appVersion: edge-24.6.2 +appVersion: edge-24.6.4 dependencies: - name: partials repository: file://./charts/partials @@ -26,4 +26,4 @@ name: linkerd-control-plane sources: - https://github.com/linkerd/linkerd2/ type: application -version: 2024.6.2 +version: 2024.6.4 diff --git a/charts/linkerd/linkerd-control-plane/README.md b/charts/linkerd/linkerd-control-plane/README.md index 719b49fd8..26527216b 100644 --- a/charts/linkerd/linkerd-control-plane/README.md +++ b/charts/linkerd/linkerd-control-plane/README.md @@ -3,7 +3,7 @@ Linkerd gives you observability, reliability, and security for your microservices — with no code change required. -![Version: 2024.6.2](https://img.shields.io/badge/Version-2024.6.2-informational?style=flat-square) +![Version: 2024.6.4](https://img.shields.io/badge/Version-2024.6.4-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: edge-XX.X.X](https://img.shields.io/badge/AppVersion-edge--XX.X.X-informational?style=flat-square) 
@@ -289,12 +289,6 @@ Kubernetes: `>=1.22.0-0` | proxyInit.logFormat | string | plain | Log format (`plain` or `json`) for the proxy-init | | proxyInit.logLevel | string | info | Log level for the proxy-init | | proxyInit.privileged | bool | false | Privileged mode allows the container processes to inherit all security capabilities and bypass any security limitations enforced by the kubelet. When used with 'runAsRoot: true', the container will behave exactly as if it was running as root on the host. May escape cgroup limits and see other processes and devices on the host. | -| proxyInit.resources.cpu.limit | string | `"100m"` | Maximum amount of CPU units that the proxy-init container can use | -| proxyInit.resources.cpu.request | string | `"100m"` | Amount of CPU units that the proxy-init container requests | -| proxyInit.resources.ephemeral-storage.limit | string | `""` | Maximum amount of ephemeral storage that the proxy-init container can use | -| proxyInit.resources.ephemeral-storage.request | string | `""` | Amount of ephemeral storage that the proxy-init container requests | -| proxyInit.resources.memory.limit | string | `"20Mi"` | Maximum amount of memory that the proxy-init container can use | -| proxyInit.resources.memory.request | string | `"20Mi"` | Amount of memory that the proxy-init container requests | | proxyInit.runAsGroup | int | `65534` | This value is used only if runAsRoot is false; otherwise runAsGroup will be 0 | | proxyInit.runAsRoot | bool | `false` | Allow overriding the runAsNonRoot behaviour () | | proxyInit.runAsUser | int | `65534` | This value is used only if runAsRoot is false; otherwise runAsUser will be 0 | diff --git a/charts/linkerd/linkerd-control-plane/charts/partials/templates/_network-validator.tpl b/charts/linkerd/linkerd-control-plane/charts/partials/templates/_network-validator.tpl index e3920a491..e31233311 100644 --- a/charts/linkerd/linkerd-control-plane/charts/partials/templates/_network-validator.tpl 
+++ b/charts/linkerd/linkerd-control-plane/charts/partials/templates/_network-validator.tpl @@ -2,7 +2,7 @@ name: linkerd-network-validator image: {{.Values.proxy.image.name}}:{{.Values.proxy.image.version | default .Values.linkerdVersion }} imagePullPolicy: {{.Values.proxy.image.pullPolicy | default .Values.imagePullPolicy}} -{{ include "partials.resources" .Values.proxyInit.resources }} +{{ include "partials.resources" .Values.proxy.resources }} {{- if or .Values.networkValidator.enableSecurityContext }} securityContext: allowPrivilegeEscalation: false diff --git a/charts/linkerd/linkerd-control-plane/charts/partials/templates/_proxy-init.tpl b/charts/linkerd/linkerd-control-plane/charts/partials/templates/_proxy-init.tpl index 95cd7f2c4..a307b1407 100644 --- a/charts/linkerd/linkerd-control-plane/charts/partials/templates/_proxy-init.tpl +++ b/charts/linkerd/linkerd-control-plane/charts/partials/templates/_proxy-init.tpl @@ -46,7 +46,7 @@ args: image: {{.Values.proxyInit.image.name}}:{{.Values.proxyInit.image.version}} imagePullPolicy: {{.Values.proxyInit.image.pullPolicy | default .Values.imagePullPolicy}} name: linkerd-init -{{ include "partials.resources" .Values.proxyInit.resources }} +{{ include "partials.resources" .Values.proxy.resources }} securityContext: {{- if or .Values.proxyInit.closeWaitTimeoutSecs .Values.proxyInit.privileged }} allowPrivilegeEscalation: true diff --git a/charts/linkerd/linkerd-control-plane/charts/partials/templates/_proxy.tpl b/charts/linkerd/linkerd-control-plane/charts/partials/templates/_proxy.tpl index a6bfdb9a2..282d80163 100644 --- a/charts/linkerd/linkerd-control-plane/charts/partials/templates/_proxy.tpl +++ b/charts/linkerd/linkerd-control-plane/charts/partials/templates/_proxy.tpl 
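Review bot: With `_network-validator.tpl` and `_proxy-init.tpl` now rendering `.Values.proxy.resources`, a `proxyInit.resources` override that an operator still carries in their values is silently ignored — Helm raises no error for a key the chart no longer reads — and both init containers take the proxy's requests and limits instead of the removed `100m`/`20Mi` defaults (values.yaml hunk further down), which can change scheduling on tightly packed nodes. A guard makes the migration visible: `{{- if .Values.proxyInit.resources }}{{ fail "proxyInit.resources was removed; set proxy.resources instead" }}{{- end }}` at the top of `_proxy-init.tpl`, or at minimum a migration line in the README next to the removed table rows. The same two partials are changed again in the linkerd-crds copy of the partials subchart below.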
@@ -2,7 +2,7 @@ {{ if and .Values.proxy.nativeSidecar .Values.proxy.waitBeforeExitSeconds }} {{ fail "proxy.nativeSidecar and waitBeforeExitSeconds cannot be used simultaneously" }} {{- end }} -{{- if not (has .Values.proxy.logHTTPHeaders (list "insecure" "off")) }} +{{- if not (has .Values.proxy.logHTTPHeaders (list "insecure" "off" "")) }} {{- fail "logHTTPHeaders must be one of: insecure | off" }} {{- end }} {{- $trustDomain := (.Values.identityTrustDomain | default .Values.clusterDomain) -}} diff --git a/charts/linkerd/linkerd-control-plane/templates/config-rbac.yaml b/charts/linkerd/linkerd-control-plane/templates/config-rbac.yaml index b55efbd46..5f5c34203 100644 --- a/charts/linkerd/linkerd-control-plane/templates/config-rbac.yaml +++ b/charts/linkerd/linkerd-control-plane/templates/config-rbac.yaml @@ -2,9 +2,9 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: - {{- with .Values.commonLabels }} - labels: {{ toYaml . | trim | nindent 4 }} - {{- end }} + labels: + linkerd.io/control-plane-ns: {{.Release.Namespace}} + {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} annotations: {{ include "partials.annotations.created-by" . }} name: ext-namespace-metadata-linkerd-config diff --git a/charts/linkerd/linkerd-control-plane/templates/destination-rbac.yaml b/charts/linkerd/linkerd-control-plane/templates/destination-rbac.yaml index d05ed0dd3..38488cd04 100644 --- a/charts/linkerd/linkerd-control-plane/templates/destination-rbac.yaml +++ b/charts/linkerd/linkerd-control-plane/templates/destination-rbac.yaml @@ -190,6 +190,7 @@ webhooks: apiVersions: ["*"] resources: - httproutes + - grpcroutes sideEffects: None --- apiVersion: rbac.authorization.k8s.io/v1 @@ -233,6 +234,7 @@ rules: - gateway.networking.k8s.io resources: - httproutes + - grpcroutes verbs: - get - list @@ -247,6 +249,7 @@ rules: - gateway.networking.k8s.io resources: - httproutes/status + - grpcroutes/status verbs: - patch - apiGroups: 
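Review bot: The check on `logHTTPHeaders` now accepts an empty string, but the `fail` message on the next line still says the value "must be one of: insecure | off", so a user who sets an unsupported value gets guidance that omits the third accepted form. Either update the message, `{{- fail "logHTTPHeaders must be one of: insecure | off (or empty for the default)" }}`, or state in values.yaml what empty resolves to — presumably the same as `off`, which matters because `insecure`, as the name suggests, puts request headers into logs. The linkerd-crds copy of `_proxy.tpl` below carries the identical change.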
diff --git a/charts/linkerd/linkerd-control-plane/templates/destination.yaml b/charts/linkerd/linkerd-control-plane/templates/destination.yaml index 4513d315e..847e4570c 100644 --- a/charts/linkerd/linkerd-control-plane/templates/destination.yaml +++ b/charts/linkerd/linkerd-control-plane/templates/destination.yaml @@ -125,6 +125,12 @@ spec: {{ $_ := set $tree.Values.proxy "workloadKind" "deployment" -}} {{ $_ := set $tree.Values.proxy "component" "linkerd-destination" -}} {{ $_ := set $tree.Values.proxy "waitBeforeExitSeconds" 0 -}} +{{- if not (empty .Values.destinationProxyResources) }} +{{- $c := dig "cores" .Values.proxy.cores .Values.destinationProxyResources }} +{{- $_ := set $tree.Values.proxy "cores" $c }} +{{- $r := merge .Values.destinationProxyResources .Values.proxy.resources }} +{{- $_ := set $tree.Values.proxy "resources" $r }} +{{- end }} apiVersion: apps/v1 kind: Deployment metadata: @@ -176,12 +182,6 @@ spec: {{- $_ := set $tree "component" "destination" -}} {{- include "linkerd.affinity" $tree | nindent 6 }} containers: - {{- if not (empty .Values.destinationProxyResources) }} - {{- $c := dig "cores" .Values.proxy.cores .Values.destinationProxyResources }} - {{- $_ := set $tree.Values.proxy "cores" $c }} - {{- $r := merge .Values.destinationProxyResources .Values.proxy.resources }} - {{- $_ := set $tree.Values.proxy "resources" $r }} - {{- end }} {{- $_ := set $tree.Values.proxy "await" $tree.Values.proxy.await }} {{- $_ := set $tree.Values.proxy "loadTrustBundleFromConfigMap" true }} {{- $_ := set $tree.Values.proxy "podInboundPorts" "8086,8090,8443,9443,9990,9996,9997" }} diff --git a/charts/linkerd/linkerd-control-plane/templates/identity.yaml b/charts/linkerd/linkerd-control-plane/templates/identity.yaml index 243b7e87e..bd3bcbe31 100644 --- a/charts/linkerd/linkerd-control-plane/templates/identity.yaml +++ b/charts/linkerd/linkerd-control-plane/templates/identity.yaml 
@@ -100,6 +100,12 @@ spec: {{ $_ := set $tree.Values.proxy "workloadKind" "deployment" -}} {{ $_ := set $tree.Values.proxy "component" "linkerd-identity" -}} {{ $_ := set $tree.Values.proxy "waitBeforeExitSeconds" 0 -}} +{{- if not (empty .Values.identityProxyResources) }} +{{- $c := dig "cores" .Values.proxy.cores .Values.identityProxyResources }} +{{- $_ := set $tree.Values.proxy "cores" $c }} +{{- $r := merge .Values.identityProxyResources .Values.proxy.resources }} +{{- $_ := set $tree.Values.proxy "resources" $r }} +{{- end }} apiVersion: apps/v1 kind: Deployment metadata: @@ -211,12 +217,6 @@ spec: name: identity-issuer - mountPath: /var/run/linkerd/identity/trust-roots/ name: trust-roots - {{- if not (empty .Values.identityProxyResources) }} - {{- $c := dig "cores" .Values.proxy.cores .Values.identityProxyResources }} - {{- $_ := set $tree.Values.proxy "cores" $c }} - {{- $r := merge .Values.identityProxyResources .Values.proxy.resources }} - {{- $_ := set $tree.Values.proxy "resources" $r }} - {{- end }} {{- $_ := set $tree.Values.proxy "await" false }} {{- $_ := set $tree.Values.proxy "loadTrustBundleFromConfigMap" true }} {{- $_ := set $tree.Values.proxy "podInboundPorts" "8080,9990" }} diff --git a/charts/linkerd/linkerd-control-plane/templates/proxy-injector.yaml b/charts/linkerd/linkerd-control-plane/templates/proxy-injector.yaml index f0231dd95..0f6b3bb87 100644 --- a/charts/linkerd/linkerd-control-plane/templates/proxy-injector.yaml +++ b/charts/linkerd/linkerd-control-plane/templates/proxy-injector.yaml 
@@ -6,6 +6,12 @@ {{ $_ := set $tree.Values.proxy "workloadKind" "deployment" -}} {{ $_ := set $tree.Values.proxy "component" "linkerd-proxy-injector" -}} {{ $_ := set $tree.Values.proxy "waitBeforeExitSeconds" 0 -}} +{{- if not (empty .Values.proxyInjectorProxyResources) }} +{{- $c := dig "cores" .Values.proxy.cores .Values.proxyInjectorProxyResources }} +{{- $_ := set $tree.Values.proxy "cores" $c }} +{{- $r := merge .Values.proxyInjectorProxyResources .Values.proxy.resources }} +{{- $_ := set $tree.Values.proxy "resources" $r }} +{{- end }} apiVersion: apps/v1 kind: Deployment metadata: @@ -56,12 +62,6 @@ spec: {{- $_ := set $tree "component" "proxy-injector" -}} {{- include "linkerd.affinity" $tree | nindent 6 }} containers: - {{- if not (empty .Values.proxyInjectorProxyResources) }} - {{- $c := dig "cores" .Values.proxy.cores .Values.proxyInjectorProxyResources }} - {{- $_ := set $tree.Values.proxy "cores" $c }} - {{- $r := merge .Values.proxyInjectorProxyResources .Values.proxy.resources }} - {{- $_ := set $tree.Values.proxy "resources" $r }} - {{- end }} {{- $_ := set $tree.Values.proxy "await" $tree.Values.proxy.await }} {{- $_ := set $tree.Values.proxy "loadTrustBundleFromConfigMap" true }} {{- $_ := set $tree.Values.proxy "podInboundPorts" "8443,9995" }} diff --git a/charts/linkerd/linkerd-control-plane/values.yaml b/charts/linkerd/linkerd-control-plane/values.yaml index 0c4b13a8c..f708977f8 100644 --- a/charts/linkerd/linkerd-control-plane/values.yaml +++ b/charts/linkerd/linkerd-control-plane/values.yaml @@ -24,7 +24,7 @@ controlPlaneTracing: false # -- namespace to send control plane traces to controlPlaneTracingNamespace: linkerd-jaeger # -- control plane version. See Proxy section for proxy version -linkerdVersion: edge-24.6.2 +linkerdVersion: edge-24.6.4 # -- default kubernetes deployment strategy deploymentStrategy: rollingUpdate: 
@@ -295,22 +295,6 @@ proxyInit: pullPolicy: "" # -- Tag for the proxy-init container image version: v2.4.1 - resources: - cpu: - # -- Maximum amount of CPU units that the proxy-init container can use - limit: 100m - # -- Amount of CPU units that the proxy-init container requests - request: 100m - memory: - # -- Maximum amount of memory that the proxy-init container can use - limit: 20Mi - # -- Amount of memory that the proxy-init container requests - request: 20Mi - ephemeral-storage: - # -- Maximum amount of ephemeral storage that the proxy-init container can use - limit: "" - # -- Amount of ephemeral storage that the proxy-init container requests - request: "" closeWaitTimeoutSecs: 0 # -- Privileged mode allows the container processes to inherit all security # capabilities and bypass any security limitations enforced by the kubelet. diff --git a/charts/linkerd/linkerd-crds/Chart.yaml b/charts/linkerd/linkerd-crds/Chart.yaml index f4296fc9b..603611f9f 100644 --- a/charts/linkerd/linkerd-crds/Chart.yaml +++ b/charts/linkerd/linkerd-crds/Chart.yaml @@ -23,4 +23,4 @@ name: linkerd-crds sources: - https://github.com/linkerd/linkerd2/ type: application -version: 2024.6.2 +version: 2024.6.4 diff --git a/charts/linkerd/linkerd-crds/README.md b/charts/linkerd/linkerd-crds/README.md index 4414071aa..d16c20d2f 100644 --- a/charts/linkerd/linkerd-crds/README.md +++ b/charts/linkerd/linkerd-crds/README.md @@ -3,7 +3,7 @@ Linkerd gives you observability, reliability, and security for your microservices — with no code change required. -![Version: 2024.6.2](https://img.shields.io/badge/Version-2024.6.2-informational?style=flat-square) +![Version: 2024.6.4](https://img.shields.io/badge/Version-2024.6.4-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) **Homepage:** 
diff --git a/charts/linkerd/linkerd-crds/charts/partials/templates/_network-validator.tpl b/charts/linkerd/linkerd-crds/charts/partials/templates/_network-validator.tpl index e3920a491..e31233311 100644 --- a/charts/linkerd/linkerd-crds/charts/partials/templates/_network-validator.tpl +++ b/charts/linkerd/linkerd-crds/charts/partials/templates/_network-validator.tpl @@ -2,7 +2,7 @@ name: linkerd-network-validator image: {{.Values.proxy.image.name}}:{{.Values.proxy.image.version | default .Values.linkerdVersion }} imagePullPolicy: {{.Values.proxy.image.pullPolicy | default .Values.imagePullPolicy}} -{{ include "partials.resources" .Values.proxyInit.resources }} +{{ include "partials.resources" .Values.proxy.resources }} {{- if or .Values.networkValidator.enableSecurityContext }} securityContext: allowPrivilegeEscalation: false diff --git a/charts/linkerd/linkerd-crds/charts/partials/templates/_proxy-init.tpl b/charts/linkerd/linkerd-crds/charts/partials/templates/_proxy-init.tpl index 95cd7f2c4..a307b1407 100644 --- a/charts/linkerd/linkerd-crds/charts/partials/templates/_proxy-init.tpl +++ b/charts/linkerd/linkerd-crds/charts/partials/templates/_proxy-init.tpl @@ -46,7 +46,7 @@ args: image: {{.Values.proxyInit.image.name}}:{{.Values.proxyInit.image.version}} imagePullPolicy: {{.Values.proxyInit.image.pullPolicy | default .Values.imagePullPolicy}} name: linkerd-init -{{ include "partials.resources" .Values.proxyInit.resources }} +{{ include "partials.resources" .Values.proxy.resources }} securityContext: {{- if or .Values.proxyInit.closeWaitTimeoutSecs .Values.proxyInit.privileged }} allowPrivilegeEscalation: true diff --git a/charts/linkerd/linkerd-crds/charts/partials/templates/_proxy.tpl b/charts/linkerd/linkerd-crds/charts/partials/templates/_proxy.tpl index a6bfdb9a2..282d80163 100644 --- a/charts/linkerd/linkerd-crds/charts/partials/templates/_proxy.tpl +++ b/charts/linkerd/linkerd-crds/charts/partials/templates/_proxy.tpl 
@@ -2,7 +2,7 @@ {{ if and .Values.proxy.nativeSidecar .Values.proxy.waitBeforeExitSeconds }} {{ fail "proxy.nativeSidecar and waitBeforeExitSeconds cannot be used simultaneously" }} {{- end }} -{{- if not (has .Values.proxy.logHTTPHeaders (list "insecure" "off")) }} +{{- if not (has .Values.proxy.logHTTPHeaders (list "insecure" "off" "")) }} {{- fail "logHTTPHeaders must be one of: insecure | off" }} {{- end }} {{- $trustDomain := (.Values.identityTrustDomain | default .Values.clusterDomain) -}} diff --git a/charts/loft/loft/Chart.yaml b/charts/loft/loft/Chart.yaml index 18b21405b..66d66597d 100644 --- a/charts/loft/loft/Chart.yaml +++ b/charts/loft/loft/Chart.yaml @@ -28,4 +28,4 @@ name: loft sources: - https://github.com/loft-sh/loft type: application -version: 3.4.7 +version: 3.4.8 diff --git a/charts/loft/loft/templates/_helpers.tpl b/charts/loft/loft/templates/_helpers.tpl index e09407dcc..937c407b9 100644 --- a/charts/loft/loft/templates/_helpers.tpl +++ b/charts/loft/loft/templates/_helpers.tpl @@ -54,15 +54,15 @@ Default image name for a given product {{- end -}} {{- define "loft.strategy" -}} - {{- $type := include "loft.strategyType" . -}} - type: {{ $type }} - {{- if eq $type "RollingUpdate" }} - rollingUpdate: - maxSurge: 1 - {{- if (eq (int .Values.replicaCount) 1) }} - maxUnavailable: 0 - {{- else }} - maxUnavailable: 1 - {{- end }} - {{- end -}} +{{- $type := include "loft.strategyType" . -}} +type: {{ $type }} +{{- if eq $type "RollingUpdate" }} +rollingUpdate: + maxSurge: 1 + {{- if (eq (int .Values.replicaCount) 1) }} + maxUnavailable: 0 + {{- else }} + maxUnavailable: 1 + {{- end }} +{{- end -}} {{- end -}} diff --git a/charts/loft/loft/templates/deployment.yaml b/charts/loft/loft/templates/deployment.yaml index 8f096d917..fcf0e5405 100644 --- a/charts/loft/loft/templates/deployment.yaml +++ b/charts/loft/loft/templates/deployment.yaml 
@@ -27,7 +27,7 @@ spec: release: {{ .Release.Name }} replicas: {{ .Values.replicaCount }} strategy: - {{ template "loft.strategy" . }} +{{ include "loft.strategy" . | indent 4}} template: metadata: labels: diff --git a/charts/loft/loft/tests/deployment_test.yaml b/charts/loft/loft/tests/deployment_test.yaml index 918cf7391..34ba2bc9b 100644 --- a/charts/loft/loft/tests/deployment_test.yaml +++ b/charts/loft/loft/tests/deployment_test.yaml @@ -67,3 +67,27 @@ tests: values: - spot + - it: Deployment strategy is applied correctly for Recreate + asserts: + - hasDocuments: + count: 1 + - equal: + path: spec.strategy.type + value: Recreate + + - it: Deployment strategy is applied correctly for RollingUpdate + set: + replicaCount: 2 + asserts: + - hasDocuments: + count: 1 + - equal: + path: spec.strategy.type + value: RollingUpdate + - equal: + path: spec.strategy.rollingUpdate.maxSurge + value: 1 + - equal: + path: spec.strategy.rollingUpdate.maxUnavailable + value: 1 + \ No newline at end of file diff --git a/charts/mongodb/community-operator/Chart.lock b/charts/mongodb/community-operator/Chart.lock index 69cea69c5..76b0df9ce 100644 --- a/charts/mongodb/community-operator/Chart.lock +++ b/charts/mongodb/community-operator/Chart.lock @@ -1,6 +1,6 @@ dependencies: - name: community-operator-crds repository: https://mongodb.github.io/helm-charts - version: 0.9.0 -digest: sha256:02e79baf6cea1dc4d174bd3d0f92be020bcf610ed1bcfdb663ca879846bbd99a -generated: "2023-12-13T12:09:21.529169936Z" + version: 0.10.0 +digest: sha256:46588004c5af7c40347f4506115677cb63b280befed5fab8207a6d4762bb70b8 +generated: "2024-06-27T11:07:51.750950464Z" diff --git a/charts/mongodb/community-operator/Chart.yaml b/charts/mongodb/community-operator/Chart.yaml index 8aa9636fe..a4078bedb 100644 --- a/charts/mongodb/community-operator/Chart.yaml +++ b/charts/mongodb/community-operator/Chart.yaml 
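Review bot: Style only: the new `{{ include "loft.strategy" . | indent 4}}` in deployment.yaml lacks the space before the closing delimiter that the chart's other actions use, `{{ include "loft.strategy" . | indent 4 }}`. Using `indent` rather than `nindent` works only because the define's output now starts at column 0 and the action sits on its own line directly below `strategy:`, which the `_helpers.tpl` hunk above arranges; the added unit tests pin the rendered result, so this is cosmetic.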
@@ -4,12 +4,12 @@ annotations: catalog.cattle.io/kube-version: '>=1.16-0' catalog.cattle.io/release-name: community-operator apiVersion: v2 -appVersion: 0.9.0 +appVersion: 0.10.0 dependencies: - condition: community-operator-crds.enabled name: community-operator-crds repository: file://./charts/community-operator-crds - version: 0.9.0 + version: 0.10.0 description: MongoDB Kubernetes Community Operator home: https://github.com/mongodb/mongodb-kubernetes-operator icon: https://mongodb-images-new.s3.eu-west-1.amazonaws.com/leaf-green-dark.png @@ -23,4 +23,4 @@ maintainers: name: MongoDB name: community-operator type: application -version: 0.9.0 +version: 0.10.0 diff --git a/charts/mongodb/community-operator/charts/community-operator-crds/Chart.yaml b/charts/mongodb/community-operator/charts/community-operator-crds/Chart.yaml index a2befe274..3669caafc 100644 --- a/charts/mongodb/community-operator/charts/community-operator-crds/Chart.yaml +++ b/charts/mongodb/community-operator/charts/community-operator-crds/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: 0.9.0 +appVersion: 0.10.0 description: MongoDB Kubernetes Community Operator - CRDs home: https://github.com/mongodb/mongodb-kubernetes-operator icon: https://mongodb-images-new.s3.eu-west-1.amazonaws.com/leaf-green-dark.png @@ -13,4 +13,4 @@ maintainers: name: MongoDB name: community-operator-crds type: application -version: 0.9.0 +version: 0.10.0 diff --git a/charts/mongodb/community-operator/charts/community-operator-crds/templates/mongodbcommunity.mongodb.com_mongodbcommunity.yaml b/charts/mongodb/community-operator/charts/community-operator-crds/templates/mongodbcommunity.mongodb.com_mongodbcommunity.yaml index f903a1b53..1b1189970 100644 --- a/charts/mongodb/community-operator/charts/community-operator-crds/templates/mongodbcommunity.mongodb.com_mongodbcommunity.yaml +++ b/charts/mongodb/community-operator/charts/community-operator-crds/templates/mongodbcommunity.mongodb.com_mongodbcommunity.yaml 
@@ -3,14 +3,13 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 + controller-gen.kubebuilder.io/version: v0.15.0 service.binding: path={.metadata.name}-{.spec.users[0].db}-{.spec.users[0].name},objectType=Secret service.binding/connectionString: path={.metadata.name}-{.spec.users[0].db}-{.spec.users[0].name},objectType=Secret,sourceKey=connectionString.standardSrv service.binding/password: path={.metadata.name}-{.spec.users[0].db}-{.spec.users[0].name},objectType=Secret,sourceKey=password service.binding/provider: community service.binding/type: mongodb service.binding/username: path={.metadata.name}-{.spec.users[0].db}-{.spec.users[0].name},objectType=Secret,sourceKey=username - creationTimestamp: null name: mongodbcommunity.mongodbcommunity.mongodb.com spec: group: mongodbcommunity.mongodb.com 
@@ -38,14 +37,19 @@ spec: description: MongoDBCommunity is the Schema for the mongodbs API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -59,9 +63,10 @@ spec: type: object x-kubernetes-preserve-unknown-fields: true additionalMongodConfig: - description: 'AdditionalMongodConfig is additional configuration that - can be passed to each data-bearing mongod at runtime. Uses the same - structure as the mongod configuration file: https://www.mongodb.com/docs/manual/reference/configuration-options/' + description: |- + AdditionalMongodConfig is additional configuration that can be passed to + each data-bearing mongod at runtime. Uses the same structure as the mongod + configuration file: https://www.mongodb.com/docs/manual/reference/configuration-options/ nullable: true type: object x-kubernetes-preserve-unknown-fields: true @@ -78,8 +83,9 @@ spec: processes. properties: includeAuditLogsWithMongoDBLogs: - description: set to 'true' to have the Automation Agent rotate - the audit files along with mongodb log files + description: |- + set to 'true' to have the Automation Agent rotate the audit files along + with mongodb log files type: boolean numTotal: description: maximum number of log files to have total @@ -88,14 +94,15 @@ spec: description: maximum number of log files to leave uncompressed type: integer percentOfDiskspace: - description: Maximum percentage of the total disk space these - log files should take up. The string needs to be able to - be converted to float64 + description: |- + Maximum percentage of the total disk space these log files should take up. + The string needs to be able to be converted to float64 type: string sizeThresholdMB: - description: Maximum size for an individual log file before - rotation. The string needs to be able to be converted to - float64. Fractional values of MB are supported. + description: |- + Maximum size for an individual log file before rotation. + The string needs to be able to be converted to float64. + Fractional values of MB are supported. type: string timeThresholdHrs: description: maximum hours for an individual log file before 
@@ -123,14 +130,15 @@ spec: type: object type: object arbiters: - description: 'Arbiters is the number of arbiters to add to the Replica - Set. It is not recommended to have more than one arbiter per Replica - Set. More info: https://www.mongodb.com/docs/manual/tutorial/add-replica-set-arbiter/' + description: |- + Arbiters is the number of arbiters to add to the Replica Set. + It is not recommended to have more than one arbiter per Replica Set. + More info: https://www.mongodb.com/docs/manual/tutorial/add-replica-set-arbiter/ type: integer automationConfig: - description: AutomationConfigOverride is merged on top of the operator - created automation config. Processes are merged by name. Currently - Only the process.disabled field is supported. + description: |- + AutomationConfigOverride is merged on top of the operator created automation config. Processes are merged + by name. Currently Only the process.disabled field is supported. properties: processes: items: @@ -145,8 +153,9 @@ spec: as float64 properties: includeAuditLogsWithMongoDBLogs: - description: set to 'true' to have the Automation Agent - rotate the audit files along with mongodb log files + description: |- + set to 'true' to have the Automation Agent rotate the audit files along + with mongodb log files type: boolean numTotal: description: maximum number of log files to have total 
@@ -155,15 +164,15 @@ spec: description: maximum number of log files to leave uncompressed type: integer percentOfDiskspace: - description: Maximum percentage of the total disk space - these log files should take up. The string needs to - be able to be converted to float64 + description: |- + Maximum percentage of the total disk space these log files should take up. + The string needs to be able to be converted to float64 type: string sizeThresholdMB: - description: Maximum size for an individual log file - before rotation. The string needs to be able to be - converted to float64. Fractional values of MB are - supported. + description: |- + Maximum size for an individual log file before rotation. + The string needs to be able to be converted to float64. + Fractional values of MB are supported. type: string timeThresholdHrs: description: maximum hours for an individual log file @@ -180,13 +189,37 @@ spec: - name type: object type: array - required: - - processes + replicaSet: + properties: + settings: + description: |- + MapWrapper is a wrapper for a map to be used by other structs. + The CRD generator does not support map[string]interface{} + on the top level and hence we need to work around this with + a wrapping struct. + type: object + x-kubernetes-preserve-unknown-fields: true + type: object type: object featureCompatibilityVersion: - description: FeatureCompatibilityVersion configures the feature compatibility - version that will be set for the deployment + description: |- + FeatureCompatibilityVersion configures the feature compatibility version that will + be set for the deployment type: string + memberConfig: + description: MemberConfig + items: + properties: + priority: + type: string + tags: + additionalProperties: + type: string + type: object + votes: + type: integer + type: object + type: array members: description: Members is the number of members in the replica set type: integer 
@@ -216,8 +249,9 @@ spec: to 9216. type: integer tlsSecretKeyRef: - description: Name of a Secret (type kubernetes.io/tls) holding - the certificates to use in the Prometheus endpoint. + description: |- + Name of a Secret (type kubernetes.io/tls) holding the certificates to use in the + Prometheus endpoint. properties: key: description: Key is the key in the secret storing this password. @@ -238,12 +272,13 @@ spec: - username type: object replicaSetHorizons: - description: ReplicaSetHorizons Add this parameter and values if you - need your database to be accessed outside of Kubernetes. This setting - allows you to provide different DNS settings within the Kubernetes - cluster and to the Kubernetes cluster. The Kubernetes Operator uses - split horizon DNS for replica set members. This feature allows communication - both within the Kubernetes cluster and from outside Kubernetes. + description: |- + ReplicaSetHorizons Add this parameter and values if you need your database + to be accessed outside of Kubernetes. This setting allows you to + provide different DNS settings within the Kubernetes cluster and + to the Kubernetes cluster. The Kubernetes Operator uses split horizon + DNS for replica set members. This feature allows communication both + within the Kubernetes cluster and from outside Kubernetes. items: additionalProperties: type: string 
@@ -256,16 +291,18 @@ spec: authentication: properties: agentCertificateSecretRef: - description: 'AgentCertificateSecret is a reference to a Secret - containing the certificate and the key for the automation - agent The secret needs to have available: - certificate - under key: "tls.crt" - private key under key: "tls.key" - If additionally, tls.pem is present, then it needs to be - equal to the concatenation of tls.crt and tls.key' + description: |- + AgentCertificateSecret is a reference to a Secret containing the certificate and the key for the automation agent + The secret needs to have available: + - certificate under key: "tls.crt" + - private key under key: "tls.key" + If additionally, tls.pem is present, then it needs to be equal to the concatenation of tls.crt and tls.key properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic @@ -306,9 +343,9 @@ spec: description: The authentication restrictions the server enforces on the role. items: - description: AuthenticationRestriction specifies a list - of IP addresses and CIDR ranges users are allowed to - connect to or from. + description: |- + AuthenticationRestriction specifies a list of IP addresses and CIDR ranges users + are allowed to connect to or from. properties: clientSource: items: 
@@ -337,9 +374,9 @@ spec: type: string type: array resource: - description: Resource specifies specifies the resources - upon which a privilege permits actions. See https://www.mongodb.com/docs/manual/reference/resource-document - for more. + description: |- + Resource specifies specifies the resources upon which a privilege permits actions. + See https://www.mongodb.com/docs/manual/reference/resource-document for more. properties: anyResource: type: boolean 
@@ -387,45 +424,45 @@ spec: communication properties: caCertificateSecretRef: - description: CaCertificateSecret is a reference to a Secret - containing the certificate for the CA which signed the server - certificates The certificate is expected to be available - under the key "ca.crt" + description: |- + CaCertificateSecret is a reference to a Secret containing the certificate for the CA which signed the server certificates + The certificate is expected to be available under the key "ca.crt" properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic caConfigMapRef: - description: CaConfigMap is a reference to a ConfigMap containing - the certificate for the CA which signed the server certificates - The certificate is expected to be available under the key - "ca.crt" This field is ignored when CaCertificateSecretRef - is configured + description: |- + CaConfigMap is a reference to a ConfigMap containing the certificate for the CA which signed the server certificates + The certificate is expected to be available under the key "ca.crt" + This field is ignored when CaCertificateSecretRef is configured properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? 
type: string type: object x-kubernetes-map-type: atomic certificateKeySecretRef: - description: CertificateKeySecret is a reference to a Secret - containing a private key and certificate to use for TLS. - The key and cert are expected to be PEM encoded and available - at "tls.key" and "tls.crt". This is the same format used - for the standard "kubernetes.io/tls" Secret type, but no - specific type is required. Alternatively, an entry tls.pem, - containing the concatenation of cert and key, can be provided. - If all of tls.pem, tls.crt and tls.key are present, the - tls.pem one needs to be equal to the concatenation of tls.crt - and tls.key + description: |- + CertificateKeySecret is a reference to a Secret containing a private key and certificate to use for TLS. + The key and cert are expected to be PEM encoded and available at "tls.key" and "tls.crt". + This is the same format used for the standard "kubernetes.io/tls" Secret type, but no specific type is required. + Alternatively, an entry tls.pem, containing the concatenation of cert and key, can be provided. + If all of tls.pem, tls.crt and tls.key are present, the tls.pem one needs to be equal to the concatenation of tls.crt and tls.key properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic @@ -440,7 +477,8 @@ spec: type: object type: object statefulSet: - description: StatefulSetConfiguration holds the optional custom StatefulSet + description: |- + StatefulSetConfiguration holds the optional custom StatefulSet that should be merged into the operator created one. properties: metadata: 
@@ -474,17 +512,21 @@ spec: items: properties: additionalConnectionStringConfig: - description: Additional options to be appended to the connection - string. These options apply only to this user and will override - any existing options in the resource. + description: |- + Additional options to be appended to the connection string. + These options apply only to this user and will override any existing options in the resource. nullable: true type: object x-kubernetes-preserve-unknown-fields: true connectionStringSecretName: - description: ConnectionStringSecretName is the name of the secret - object created by the operator which exposes the connection - strings for the user. If provided, this secret must be different - for each user in a deployment. + description: |- + ConnectionStringSecretName is the name of the secret object created by the operator which exposes the connection strings for the user. + If provided, this secret must be different for each user in a deployment. + type: string + connectionStringSecretNamespace: + description: ConnectionStringSecretNamespace is the namespace + of the secret object created by the operator which exposes + the connection strings for the user. type: string db: default: admin @@ -526,10 +568,9 @@ spec: type: object type: array scramCredentialsSecretName: - description: ScramCredentialsSecretName appended by string "scram-credentials" - is the name of the secret object created by the mongoDB operator - for storing SCRAM credentials These secrets names must be - different for each user in a deployment. + description: |- + ScramCredentialsSecretName appended by string "scram-credentials" is the name of the secret object created by the mongoDB operator for storing SCRAM credentials + These secrets names must be different for each user in a deployment. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string required: 
diff --git a/charts/mongodb/community-operator/templates/operator.yaml b/charts/mongodb/community-operator/templates/operator.yaml index 15af40140..55a309868 100644 --- a/charts/mongodb/community-operator/templates/operator.yaml +++ b/charts/mongodb/community-operator/templates/operator.yaml @@ -76,6 +76,9 @@ spec: securityContext: {{- toYaml .Values.operator.securityContext | nindent 12 }} {{- end }} + {{- if .Values.operator.priorityClassName }} + priorityClassName: {{ .Values.operator.priorityClassName }} + {{- end }} {{- if .Values.operator.podSecurityContext }} securityContext: {{- toYaml .Values.operator.podSecurityContext | nindent 8 }} diff --git a/charts/mongodb/community-operator/values.yaml b/charts/mongodb/community-operator/values.yaml index 459361925..2a9d36db6 100644 --- a/charts/mongodb/community-operator/values.yaml +++ b/charts/mongodb/community-operator/values.yaml @@ -15,7 +15,7 @@ operator: deploymentName: mongodb-kubernetes-operator # Version of mongodb-kubernetes-operator - version: 0.9.0 + version: 0.10.0 # Uncomment this line to watch all namespaces # watchNamespace: "*" @@ -29,6 +29,10 @@ operator: cpu: 500m memory: 200Mi + # PriorityClass configuration for operator + # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/#priorityclass + priorityClassName: '' + # replicas deployed for the operator pod. Running 1 is optimal and suggested. replicas: 1 @@ -57,14 +61,14 @@ database: # namespace: mongodb-database agent: - name: mongodb-agent - version: 107.0.0.8465-1 + name: mongodb-agent-ubi + version: 107.0.1.8507-1 versionUpgradeHook: name: mongodb-kubernetes-operator-version-upgrade-post-start-hook version: 1.0.8 readinessProbe: name: mongodb-kubernetes-readinessprobe - version: 1.0.17 + version: 1.0.19 mongodb: name: mongo repo: docker.io diff --git a/charts/new-relic/nri-bundle/Chart.lock b/charts/new-relic/nri-bundle/Chart.lock index ff6c575b2..16d7638aa 100644 --- a/charts/new-relic/nri-bundle/Chart.lock 
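Review bot: `priorityClassName: {{ .Values.operator.priorityClassName }}` on the added line renders the value without quoting; the empty default is skipped by the `if` guard, but any non-empty value is passed through verbatim and will be typed by the YAML parser rather than forced to a string. `priorityClassName: {{ .Values.operator.priorityClassName | quote }}` avoids that, and matches the way the neighbouring `securityContext` blocks already emit typed output via `toYaml`. The indentation of the inserted block relative to the surrounding `securityContext:` keys cannot be confirmed from the collapsed hunk; rendering the template once with the value set would verify it lands at pod-spec level.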
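Review bot: In the third `values.yaml` hunk the agent image `name` changes from `mongodb-agent` to `mongodb-agent-ubi` at the same time as the tag bump, which selects a different image repository rather than just a newer build, and no comment in the hunk records that. A short note above the changed line, such as `# the agent image moved to the UBI-based repository in 0.10.0; update registry mirrors and image allowlists accordingly`, would tell operators with restricted registries why pulls of the old name stop. The agent, hook and readiness-probe images remain referenced by mutable tag only, which is the chart's existing convention and not something this change introduces.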
+++ b/charts/new-relic/nri-bundle/Chart.lock @@ -1,36 +1,39 @@ dependencies: - name: newrelic-infrastructure repository: https://newrelic.github.io/nri-kubernetes - version: 3.33.9 + version: 3.34.0 - name: nri-prometheus repository: https://newrelic.github.io/nri-prometheus version: 2.1.17 - name: newrelic-prometheus-agent repository: https://newrelic.github.io/newrelic-prometheus-configurator - version: 1.13.4 + version: 1.14.0 - name: nri-metadata-injection repository: https://newrelic.github.io/k8s-metadata-injection - version: 4.19.4 + version: 4.20.0 - name: newrelic-k8s-metrics-adapter repository: https://newrelic.github.io/newrelic-k8s-metrics-adapter - version: 1.10.5 + version: 1.11.0 - name: kube-state-metrics repository: https://prometheus-community.github.io/helm-charts version: 5.12.1 - name: nri-kube-events repository: https://newrelic.github.io/nri-kube-events - version: 3.9.10 + version: 3.10.0 - name: newrelic-logging repository: https://newrelic.github.io/helm-charts version: 1.22.1 - name: newrelic-pixie repository: https://newrelic.github.io/helm-charts version: 2.1.4 +- name: k8s-agents-operator + repository: https://newrelic.github.io/k8s-agents-operator + version: 0.9.0 - name: pixie-operator-chart repository: https://pixie-operator-charts.storage.googleapis.com version: 0.1.6 - name: newrelic-infra-operator repository: https://newrelic.github.io/newrelic-infra-operator - version: 2.10.1 -digest: sha256:27f893a5b2028d36ce60d195d5894aff8003dfb248d3649e08757ff33df092e9 -generated: "2024-06-17T12:38:20.103377726Z" + version: 2.11.0 +digest: sha256:ac1a83fa1d5dcd993d7ece1cdec026fd63fe8bc240c2ce76d484f68d8ecd258a +generated: "2024-06-25T19:22:32.732048-07:00" diff --git a/charts/new-relic/nri-bundle/Chart.yaml b/charts/new-relic/nri-bundle/Chart.yaml index e6297c30e..2278924ac 100644 --- a/charts/new-relic/nri-bundle/Chart.yaml +++ b/charts/new-relic/nri-bundle/Chart.yaml 
@@ -7,7 +7,7 @@ dependencies: - condition: infrastructure.enabled,newrelic-infrastructure.enabled name: newrelic-infrastructure repository: file://./charts/newrelic-infrastructure - version: 3.33.9 + version: 3.34.0 - condition: prometheus.enabled,nri-prometheus.enabled name: nri-prometheus repository: file://./charts/nri-prometheus @@ -15,15 +15,15 @@ dependencies: - condition: newrelic-prometheus-agent.enabled name: newrelic-prometheus-agent repository: file://./charts/newrelic-prometheus-agent - version: 1.13.4 + version: 1.14.0 - condition: webhook.enabled,nri-metadata-injection.enabled name: nri-metadata-injection repository: file://./charts/nri-metadata-injection - version: 4.19.4 + version: 4.20.0 - condition: metrics-adapter.enabled,newrelic-k8s-metrics-adapter.enabled name: newrelic-k8s-metrics-adapter repository: file://./charts/newrelic-k8s-metrics-adapter - version: 1.10.5 + version: 1.11.0 - condition: ksm.enabled,kube-state-metrics.enabled name: kube-state-metrics repository: file://./charts/kube-state-metrics @@ -31,7 +31,7 @@ dependencies: - condition: kubeEvents.enabled,nri-kube-events.enabled name: nri-kube-events repository: file://./charts/nri-kube-events - version: 3.9.10 + version: 3.10.0 - condition: logging.enabled,newrelic-logging.enabled name: newrelic-logging repository: file://./charts/newrelic-logging @@ -40,6 +40,10 @@ dependencies: name: newrelic-pixie repository: file://./charts/newrelic-pixie version: 2.1.4 +- condition: k8s-agents-operator.enabled + name: k8s-agents-operator + repository: file://./charts/k8s-agents-operator + version: 0.9.0 - alias: pixie-chart condition: pixie-chart.enabled name: pixie-operator-chart 
@@ -48,7 +52,7 @@ dependencies: - condition: newrelic-infra-operator.enabled name: newrelic-infra-operator repository: file://./charts/newrelic-infra-operator - version: 2.10.1 + version: 2.11.0 description: Groups together the individual charts for the New Relic Kubernetes solution for a more comfortable deployment. home: https://github.com/newrelic/helm-charts @@ -77,4 +81,5 @@ sources: - https://github.com/newrelic/helm-charts/tree/master/charts/newrelic-logging - https://github.com/newrelic/helm-charts/tree/master/charts/newrelic-pixie - https://github.com/newrelic/newrelic-infra-operator/tree/master/charts/newrelic-infra-operator -version: 5.0.82 +- https://github.com/newrelic/k8s-agents-operator/tree/master/charts/k8s-agents-operator +version: 5.0.84 diff --git a/charts/new-relic/nri-bundle/README.md b/charts/new-relic/nri-bundle/README.md index f5f20b0f1..3fcc97d2b 100644 --- a/charts/new-relic/nri-bundle/README.md +++ b/charts/new-relic/nri-bundle/README.md 
@@ -25,6 +25,7 @@ here is a list of components that this chart installs and where you can find mor | [newrelic-prometheus-configurator](https://github.com/newrelic/newrelic-prometheus-configurator/tree/master/charts/newrelic-prometheus-agent) | | Configures instances of Prometheus in Agent mode to send metrics to the New Relic Prometheus endpoint. | | [newrelic-pixie](https://github.com/newrelic/helm-charts/tree/master/charts/newrelic-pixie) | | Connects to the Pixie API and enables the New Relic plugin in Pixie. The plugin allows you to export data from Pixie to New Relic for long-term data retention. | | [Pixie](https://docs.pixielabs.ai/installing-pixie/install-schemes/helm/#3.-deploy) | | Is an open source observability tool for Kubernetes applications that uses eBPF to automatically capture telemetry data without the need for manual instrumentation. | +| [k8s-agents-operator](https://github.com/newrelic/k8s-agents-operator/tree/main/charts/k8s-agents-operator) | | (Preview) Streamlines full-stack observability for Kubernetes environments by automating APM instrumentation alongside Kubernetes agent deployment. | ## Configure components 
@@ -179,6 +180,7 @@ Note, the value table below is automatically generated from `values.yaml` by `he | global.serviceAccount.name | string | `nil` | Change the name of the service account. This is honored if you disable on this chart the creation of the service account so you can use your own | | global.tolerations | list | `[]` | Sets pod's tolerations to node taints | | global.verboseLog | bool | false | Sets the debug logs to this integration or all integrations if it is set globally | +| k8s-agents-operator.enabled | bool | `false` | Install the [`k8s-agents-operator` chart](https://github.com/newrelic/k8s-agents-operator/tree/main/charts/k8s-agents-operator) | | kube-state-metrics.enabled | bool | `false` | Install the [`kube-state-metrics` chart](https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-state-metrics) from the stable helm charts repository. This is mandatory if `infrastructure.enabled` is set to `true` and the user does not provide its own instance of KSM version >=1.8 and <=2.0. Note, kube-state-metrics v2+ disables labels/annotations metrics by default. You can enable the target labels/annotations metrics to be monitored by using the metricLabelsAllowlist/metricAnnotationsAllowList options described [here](https://github.com/prometheus-community/helm-charts/blob/159cd8e4fb89b8b107dcc100287504bb91bf30e0/charts/kube-state-metrics/values.yaml#L274) in your Kubernetes clusters. | | newrelic-infra-operator.enabled | bool | `false` | Install the [`newrelic-infra-operator` chart](https://github.com/newrelic/newrelic-infra-operator/tree/main/charts/newrelic-infra-operator) (Beta) | | newrelic-infrastructure.enabled | bool | `true` | Install the [`newrelic-infrastructure` chart](https://github.com/newrelic/nri-kubernetes/tree/main/charts/newrelic-infrastructure) | diff --git a/charts/new-relic/nri-bundle/README.md.gotmpl b/charts/new-relic/nri-bundle/README.md.gotmpl index 046148d6e..269c4925a 100644 
--- a/charts/new-relic/nri-bundle/README.md.gotmpl +++ b/charts/new-relic/nri-bundle/README.md.gotmpl @@ -26,6 +26,7 @@ here is a list of components that this chart installs and where you can find mor | [newrelic-prometheus-configurator](https://github.com/newrelic/newrelic-prometheus-configurator/tree/master/charts/newrelic-prometheus-agent) | | Configures instances of Prometheus in Agent mode to send metrics to the New Relic Prometheus endpoint. | | [newrelic-pixie](https://github.com/newrelic/helm-charts/tree/master/charts/newrelic-pixie) | | Connects to the Pixie API and enables the New Relic plugin in Pixie. The plugin allows you to export data from Pixie to New Relic for long-term data retention. | | [Pixie](https://docs.pixielabs.ai/installing-pixie/install-schemes/helm/#3.-deploy) | | Is an open source observability tool for Kubernetes applications that uses eBPF to automatically capture telemetry data without the need for manual instrumentation. | +| [k8s-agents-operator](https://github.com/newrelic/k8s-agents-operator/tree/main/charts/k8s-agents-operator) | | (Preview) Streamlines full-stack observability for Kubernetes environments by automating APM instrumentation alongside Kubernetes agent deployment. | ## Configure components diff --git a/charts/new-relic/nri-bundle/charts/k8s-agents-operator/.helmignore b/charts/new-relic/nri-bundle/charts/k8s-agents-operator/.helmignore new file mode 100644 index 000000000..0e8a0eb36 --- /dev/null +++ b/charts/new-relic/nri-bundle/charts/k8s-agents-operator/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ 
diff --git a/charts/new-relic/nri-bundle/charts/k8s-agents-operator/Chart.yaml b/charts/new-relic/nri-bundle/charts/k8s-agents-operator/Chart.yaml
new file mode 100644
index 000000000..1104382b1
--- /dev/null
+++ b/charts/new-relic/nri-bundle/charts/k8s-agents-operator/Chart.yaml
@@ -0,0 +1,16 @@
+apiVersion: v2
+appVersion: 0.9.0
+description: A Helm chart for the Kubernetes Agents Operator
+home: https://github.com/newrelic/k8s-agents-operator/blob/main/charts/k8s-agents-operator/README.md
+maintainers:
+- name: juanjjaramillo
+ url: https://github.com/juanjjaramillo
+- name: csongnr
+ url: https://github.com/csongnr
+- name: dbudziwojskiNR
+ url: https://github.com/dbudziwojskiNR
+name: k8s-agents-operator
+sources:
+- https://github.com/newrelic/k8s-agents-operator
+type: application
+version: 0.9.0
diff --git a/charts/new-relic/nri-bundle/charts/k8s-agents-operator/README.md b/charts/new-relic/nri-bundle/charts/k8s-agents-operator/README.md
new file mode 100644
index 000000000..67d4ee956
--- /dev/null
+++ b/charts/new-relic/nri-bundle/charts/k8s-agents-operator/README.md
@@ -0,0 +1,191 @@ +# k8s-agents-operator + +![Version: 0.9.0](https://img.shields.io/badge/Version-0.9.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.9.0](https://img.shields.io/badge/AppVersion-0.9.0-informational?style=flat-square) + +A Helm chart for the Kubernetes Agents Operator + +**Homepage:** + +## Prerequisites + +[Helm](https://helm.sh) must be installed to use the charts. Please refer to Helm's [documentation](https://helm.sh/docs) to get started. + +## Installation + +### Requirements + +Add the `jetstack` and `k8s-agents-operator` Helm chart repositories: +```shell +helm repo add jetstack https://charts.jetstack.io +helm repo add k8s-agents-operator https://newrelic.github.io/k8s-agents-operator +``` + +Install the [`cert-manager`](https://github.com/cert-manager/cert-manager) Helm chart: +```shell +helm install cert-manager jetstack/cert-manager \ + --namespace cert-manager \ + --create-namespace \ + --set crds.enabled=true +``` + +### Instrumentation + +Install the [`k8s-agents-operator`](https://github.com/newrelic/k8s-agents-operator) Helm chart: +```shell +helm upgrade --install k8s-agents-operator k8s-agents-operator/k8s-agents-operator \ + --namespace k8s-agents-operator \ + --create-namespace \ + --values your-custom-values.yaml +``` + +### Monitored namespaces + +For each namespace you want the operator to be instrumented, create a secret containing a valid New Relic ingest license key: +```shell +kubectl create secret generic newrelic-key-secret \ + --namespace my-monitored-namespace \ + --from-literal=new_relic_license_key= +``` + +Similarly, for each namespace you need to instrument create the `Instrumentation` custom resource, specifying which APM agents you want to instrument. 
All available APM agent docker images and corresponding tags are listed on DockerHub: +* [Java](https://hub.docker.com/repository/docker/newrelic/newrelic-java-init/general) +* [Node](https://hub.docker.com/repository/docker/newrelic/newrelic-node-init/general) +* [Python](https://hub.docker.com/repository/docker/newrelic/newrelic-python-init/general) +* [.NET](https://hub.docker.com/repository/docker/newrelic/newrelic-dotnet-init/general) +* [Ruby](https://hub.docker.com/repository/docker/newrelic/newrelic-ruby-init/general) + +```yaml +apiVersion: newrelic.com/v1alpha1 +kind: Instrumentation +metadata: + labels: + app.kubernetes.io/name: instrumentation + app.kubernetes.io/created-by: k8s-agents-operator + name: newrelic-instrumentation +spec: + java: + image: newrelic/newrelic-java-init:latest + # env: + # Example New Relic agent supported environment variables + # - name: NEW_RELIC_LABELS + # value: "environment:auto-injection" + # Example overriding the appName configuration + # - name: NEW_RELIC_POD_NAME + # valueFrom: + # fieldRef: + # fieldPath: metadata.name + # - name: NEW_RELIC_APP_NAME + # value: "$(NEW_RELIC_LABELS)-$(NEW_RELIC_POD_NAME)" + nodejs: + image: newrelic/newrelic-nodejs-init:latest + python: + image: newrelic/newrelic-python-init:latest + dotnet: + image: newrelic/newrelic-dotnet-init:latest + ruby: + image: newrelic/newrelic-ruby-init:latest +``` +In the example above, we show how you can configure the agent settings globally using environment variables. 
See each agent's configuration documentation for available configuration options: +* [Java](https://docs.newrelic.com/docs/apm/agents/java-agent/configuration/java-agent-configuration-config-file/) +* [Node](https://docs.newrelic.com/docs/apm/agents/nodejs-agent/installation-configuration/nodejs-agent-configuration/) +* [Python](https://docs.newrelic.com/docs/apm/agents/python-agent/configuration/python-agent-configuration/) +* [.NET](https://docs.newrelic.com/docs/apm/agents/net-agent/configuration/net-agent-configuration/) +* [Ruby](https://docs.newrelic.com/docs/apm/agents/ruby-agent/configuration/ruby-agent-configuration/) + +Global agent settings can be overridden in your deployment manifest if a different configuration is required. + +### Annotations + +The `k8s-agents-operator` looks for language-specific annotations when your pods are being scheduled to know which applications you want to monitor. + +Below are the currently supported annotations: +```yaml +instrumentation.newrelic.com/inject-java: "true" +instrumentation.newrelic.com/inject-nodejs: "true" +instrumentation.newrelic.com/inject-python: "true" +instrumentation.newrelic.com/inject-dotnet: "true" +instrumentation.newrelic.com/inject-ruby: "true" +``` + +Example deployment with annotation to instrument the Java agent: +```yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: spring-petclinic +spec: + selector: + matchLabels: + app: spring-petclinic + replicas: 1 + template: + metadata: + labels: + app: spring-petclinic + annotations: + instrumentation.newrelic.com/inject-java: "true" + spec: + containers: + - name: spring-petclinic + image: ghcr.io/pavolloffay/spring-petclinic:latest + ports: + - containerPort: 8080 + env: + - name: NEW_RELIC_APP_NAME + value: spring-petclinic-demo +``` + +## Available Chart Releases + +To see the available charts: +```shell +helm search repo k8s-agents-operator +``` + +If you want to see a list of all available charts and releases, check 
[index.yaml](https://newrelic.github.io/k8s-agents-operator/index.yaml). + +## Source Code + +* + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| admissionWebhooks | object | `{"create":true}` | Admission webhooks make sure only requests with correctly formatted rules will get into the Operator | +| controllerManager.kubeRbacProxy.image.repository | string | `"gcr.io/kubebuilder/kube-rbac-proxy"` | | +| controllerManager.kubeRbacProxy.image.tag | string | `"v0.14.0"` | | +| controllerManager.kubeRbacProxy.resources.limits.cpu | string | `"500m"` | | +| controllerManager.kubeRbacProxy.resources.limits.memory | string | `"128Mi"` | | +| controllerManager.kubeRbacProxy.resources.requests.cpu | string | `"5m"` | | +| controllerManager.kubeRbacProxy.resources.requests.memory | string | `"64Mi"` | | +| controllerManager.manager.image.pullPolicy | string | `nil` | | +| controllerManager.manager.image.repository | string | `"newrelic/k8s-agents-operator"` | | +| controllerManager.manager.image.tag | string | `nil` | | +| controllerManager.manager.leaderElection | object | `{"enabled":true}` | Enable leader election mechanism for protecting against split brain if multiple operator pods/replicas are started | +| controllerManager.manager.resources.requests.cpu | string | `"100m"` | | +| controllerManager.manager.resources.requests.memory | string | `"64Mi"` | | +| controllerManager.manager.serviceAccount.create | bool | `true` | | +| controllerManager.replicas | int | `1` | | +| kubernetesClusterDomain | string | `"cluster.local"` | | +| metricsService.ports[0].name | string | `"https"` | | +| metricsService.ports[0].port | int | `8443` | | +| metricsService.ports[0].protocol | string | `"TCP"` | | +| metricsService.ports[0].targetPort | string | `"https"` | | +| metricsService.type | string | `"ClusterIP"` | | +| securityContext | object | `{"fsGroup":65532,"runAsGroup":65532,"runAsNonRoot":true,"runAsUser":65532}` | 
SecurityContext holds pod-level security attributes and common container settings | +| webhookService.ports[0].port | int | `443` | | +| webhookService.ports[0].protocol | string | `"TCP"` | | +| webhookService.ports[0].targetPort | int | `9443` | | +| webhookService.type | string | `"ClusterIP"` | | + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| juanjjaramillo | | | +| csongnr | | | +| dbudziwojskiNR | | | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.13.1](https://github.com/norwoodj/helm-docs/releases/v1.13.1) diff --git a/charts/new-relic/nri-bundle/charts/k8s-agents-operator/README.md.gotmpl b/charts/new-relic/nri-bundle/charts/k8s-agents-operator/README.md.gotmpl new file mode 100644 index 000000000..135baa293 --- /dev/null +++ b/charts/new-relic/nri-bundle/charts/k8s-agents-operator/README.md.gotmpl 
@@ -0,0 +1,157 @@ +{{ template "chart.header" . }} + +{{ template "chart.deprecationWarning" . }} + +{{ template "chart.badgesSection" . }} + +{{ template "chart.description" . }} + +{{ template "chart.homepageLine" . }} + +## Prerequisites + +[Helm](https://helm.sh) must be installed to use the charts. Please refer to Helm's [documentation](https://helm.sh/docs) to get started. + +## Installation + +### Requirements + +Add the `jetstack` and `k8s-agents-operator` Helm chart repositories: +```shell +helm repo add jetstack https://charts.jetstack.io +helm repo add k8s-agents-operator https://newrelic.github.io/k8s-agents-operator +``` + +Install the [`cert-manager`](https://github.com/cert-manager/cert-manager) Helm chart: +```shell +helm install cert-manager jetstack/cert-manager \ + --namespace cert-manager \ + --create-namespace \ + --set crds.enabled=true +``` + +### Instrumentation + +Install the [`k8s-agents-operator`](https://github.com/newrelic/k8s-agents-operator) Helm chart: +```shell +helm upgrade --install k8s-agents-operator k8s-agents-operator/k8s-agents-operator \ + --namespace k8s-agents-operator \ + --create-namespace \ + --values your-custom-values.yaml +``` + +### Monitored namespaces + +For each namespace you want the operator to be instrumented, create a secret containing a valid New Relic ingest license key: +```shell +kubectl create secret generic newrelic-key-secret \ + --namespace my-monitored-namespace \ + --from-literal=new_relic_license_key= +``` + +Similarly, for each namespace you need to instrument create the `Instrumentation` custom resource, specifying which APM agents you want to instrument. 
All available APM agent docker images and corresponding tags are listed on DockerHub: +* [Java](https://hub.docker.com/repository/docker/newrelic/newrelic-java-init/general) +* [Node](https://hub.docker.com/repository/docker/newrelic/newrelic-node-init/general) +* [Python](https://hub.docker.com/repository/docker/newrelic/newrelic-python-init/general) +* [.NET](https://hub.docker.com/repository/docker/newrelic/newrelic-dotnet-init/general) +* [Ruby](https://hub.docker.com/repository/docker/newrelic/newrelic-ruby-init/general) + +```yaml +apiVersion: newrelic.com/v1alpha1 +kind: Instrumentation +metadata: + labels: + app.kubernetes.io/name: instrumentation + app.kubernetes.io/created-by: k8s-agents-operator + name: newrelic-instrumentation +spec: + java: + image: newrelic/newrelic-java-init:latest + # env: + # Example New Relic agent supported environment variables + # - name: NEW_RELIC_LABELS + # value: "environment:auto-injection" + # Example overriding the appName configuration + # - name: NEW_RELIC_POD_NAME + # valueFrom: + # fieldRef: + # fieldPath: metadata.name + # - name: NEW_RELIC_APP_NAME + # value: "$(NEW_RELIC_LABELS)-$(NEW_RELIC_POD_NAME)" + nodejs: + image: newrelic/newrelic-nodejs-init:latest + python: + image: newrelic/newrelic-python-init:latest + dotnet: + image: newrelic/newrelic-dotnet-init:latest + ruby: + image: newrelic/newrelic-ruby-init:latest +``` +In the example above, we show how you can configure the agent settings globally using environment variables. 
See each agent's configuration documentation for available configuration options: +* [Java](https://docs.newrelic.com/docs/apm/agents/java-agent/configuration/java-agent-configuration-config-file/) +* [Node](https://docs.newrelic.com/docs/apm/agents/nodejs-agent/installation-configuration/nodejs-agent-configuration/) +* [Python](https://docs.newrelic.com/docs/apm/agents/python-agent/configuration/python-agent-configuration/) +* [.NET](https://docs.newrelic.com/docs/apm/agents/net-agent/configuration/net-agent-configuration/) +* [Ruby](https://docs.newrelic.com/docs/apm/agents/ruby-agent/configuration/ruby-agent-configuration/) + +Global agent settings can be overridden in your deployment manifest if a different configuration is required. + +### Annotations + +The `k8s-agents-operator` looks for language-specific annotations when your pods are being scheduled to know which applications you want to monitor. + +Below are the currently supported annotations: +```yaml +instrumentation.newrelic.com/inject-java: "true" +instrumentation.newrelic.com/inject-nodejs: "true" +instrumentation.newrelic.com/inject-python: "true" +instrumentation.newrelic.com/inject-dotnet: "true" +instrumentation.newrelic.com/inject-ruby: "true" +``` + +Example deployment with annotation to instrument the Java agent: +```yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: spring-petclinic +spec: + selector: + matchLabels: + app: spring-petclinic + replicas: 1 + template: + metadata: + labels: + app: spring-petclinic + annotations: + instrumentation.newrelic.com/inject-java: "true" + spec: + containers: + - name: spring-petclinic + image: ghcr.io/pavolloffay/spring-petclinic:latest + ports: + - containerPort: 8080 + env: + - name: NEW_RELIC_APP_NAME + value: spring-petclinic-demo +``` + +## Available Chart Releases + +To see the available charts: +```shell +helm search repo k8s-agents-operator +``` + +If you want to see a list of all available charts and releases, check 
[index.yaml](https://newrelic.github.io/k8s-agents-operator/index.yaml). + +{{ template "chart.sourcesSection" . }} + +{{ template "chart.requirementsSection" . }} + +{{ template "chart.valuesSection" . }} + +{{ template "chart.maintainersSection" . }} + +{{ template "helm-docs.versionFooter" . }} diff --git a/charts/new-relic/nri-bundle/charts/k8s-agents-operator/templates/NOTES.txt b/charts/new-relic/nri-bundle/charts/k8s-agents-operator/templates/NOTES.txt new file mode 100644 index 000000000..e3fb91764 --- /dev/null +++ b/charts/new-relic/nri-bundle/charts/k8s-agents-operator/templates/NOTES.txt 
@@ -0,0 +1,36 @@ +This project is currently in experimental phases and is provided AS-IS WITHOUT WARRANTY OR DEDICATED SUPPORT. +Issues and contributions should be reported to the project's GitHub. +{{- if (include "k8s-agents-operator.areValuesValid" .) }} +===================================== + + ******** + **************** + ********** **********, + &&&**** ****/((( + &&&&&&& (((((( + &&&&&&&&&& (((((( + &&&&&&&& (((((( + &&&&& (((((( + &&&&& (((((((( + &&&&& .(((((((((( + &&&&&(((((((( + &&&(((, + +Your deployment of the New Relic Agent Operator is complete. +You can check on the progress of this by running the following command: + +kubectl get deployments -o wide -w --namespace {{ .Release.Namespace }} {{ template "k8s-agents-operator.fullname" . }} + +WARNING: This deployment will be incomplete until you configure your Instrumentation custom resource definition. +===================================== + +Please visit https://github.com/newrelic/k8s-agents-operator for instructions on how to create & configure the +Instrumentation custom resource definition required by the Operator. +{{- else }} + +############################################################################## +#### ERROR: You did not set a license key. #### +############################################################################## + +This deployment will be incomplete until you get your ingest license key from New Relic. +{{- end -}} diff --git a/charts/new-relic/nri-bundle/charts/k8s-agents-operator/templates/_helpers.tpl b/charts/new-relic/nri-bundle/charts/k8s-agents-operator/templates/_helpers.tpl new file mode 100644 index 000000000..43b57a4d4 --- /dev/null +++ b/charts/new-relic/nri-bundle/charts/k8s-agents-operator/templates/_helpers.tpl 
@@ -0,0 +1,80 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "k8s-agents-operator.name" -}}
+{{- .Chart.Name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "k8s-agents-operator.fullname" -}}
+{{- printf "%s-%s" .Release.Name .Chart.Name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "k8s-agents-operator.chart" -}}
+{{- printf "%s" .Chart.Name | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "k8s-agents-operator.labels" -}}
+helm.sh/chart: {{ include "k8s-agents-operator.chart" . }}
+{{ include "k8s-agents-operator.selectorLabels" . }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "k8s-agents-operator.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "k8s-agents-operator.chart" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "k8s-agents-operator.serviceAccountName" -}}
+{{- if .Values.controllerManager.manager.serviceAccount.create }}
+{{- default (include "k8s-agents-operator.name" .) .Values.controllerManager.manager.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.controllerManager.manager.serviceAccount.name }}
+{{- end }}
+{{- end }}
+
+{{/*
+Return the licenseKey
+*/}}
+{{- define "k8s-agents-operator.licenseKey" -}}
+{{- if .Values.global}}
+ {{- if .Values.global.licenseKey }}
+ {{- .Values.global.licenseKey -}}
+ {{- else -}}
+ {{- .Values.licenseKey | default "" -}}
+ {{- end -}}
+{{- else -}}
+ {{- .Values.licenseKey | default "" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Returns if the template should render, it checks if the required values are set.
+*/}}
+{{- define "k8s-agents-operator.areValuesValid" -}}
+{{- $licenseKey := include "k8s-agents-operator.licenseKey" . -}}
+{{- and (or $licenseKey)}}
+{{- end -}}
+
+{{/*
+Controller manager service certificate's secret.
+*/}}
+{{- define "k8s-agents-operator.certificateSecret" -}}
+{{- printf "%s-controller-manager-service-cert" (include "k8s-agents-operator.fullname" .) | trunc 63 | trimSuffix "-" -}}
+{{- end }}
diff --git a/charts/new-relic/nri-bundle/charts/k8s-agents-operator/templates/certmanager.yaml b/charts/new-relic/nri-bundle/charts/k8s-agents-operator/templates/certmanager.yaml
new file mode 100644
index 000000000..54509f673
--- /dev/null
+++ b/charts/new-relic/nri-bundle/charts/k8s-agents-operator/templates/certmanager.yaml
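Review bot: `k8s-agents-operator.areValuesValid` emits the license key itself rather than a boolean, because `and (or $licenseKey)` with a single operand evaluates to `$licenseKey`, so the helper's rendered output is the secret value. It is only consumed inside an `if` in NOTES.txt today, which is why nothing is printed, but any later `include` of this helper into rendered output (a ConfigMap, an annotation, a NOTES line) would write the key into the release. A helper named "valid" should return a stable truthy/empty string instead, e.g. `{{- if $licenseKey }}true{{- end }}`, and the comment above it should say that it returns "true" or an empty string. As a point of style, `k8s-agents-operator.chart` drops `.Chart.Version` from the `helm.sh/chart` label that the comment promises ("name and version"); either include the version with the usual `printf "%s-%s" .Chart.Name .Chart.Version` or fix the comment.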
@@ -0,0 +1,17 @@ +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: {{ template "k8s-agents-operator.fullname" . }}-serving-cert + labels: + {{- include "k8s-agents-operator.labels" . | nindent 4 }} +spec: + dnsNames: + - '{{ template "k8s-agents-operator.fullname" . }}-webhook-service.{{ .Release.Namespace }}.svc' + - '{{ template "k8s-agents-operator.fullname" . }}-webhook-service.{{ .Release.Namespace }}.svc.{{ .Values.kubernetesClusterDomain }}' + issuerRef: + kind: Issuer + name: '{{ template "k8s-agents-operator.fullname" . }}-selfsigned-issuer' + secretName: {{ template "k8s-agents-operator.certificateSecret" . }} + subject: + organizationalUnits: + - k8s-agents-operator \ No newline at end of file diff --git a/charts/new-relic/nri-bundle/charts/k8s-agents-operator/templates/deployment.yaml b/charts/new-relic/nri-bundle/charts/k8s-agents-operator/templates/deployment.yaml new file mode 100644 index 000000000..bf19d4e16 --- /dev/null +++ b/charts/new-relic/nri-bundle/charts/k8s-agents-operator/templates/deployment.yaml 
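Review bot: The Certificate is rendered unconditionally, while deployment.yaml in this same change only mounts the serving-cert volume when `admissionWebhooks.create` or `admissionWebhooks.secretName` is set, so a user who disables webhook creation or supplies their own secret still gets a cert-manager Certificate writing into the helper-named secret. Wrapping the whole file in `{{- if .Values.admissionWebhooks.create }}` … `{{- end }}` keeps the two templates in agreement. The `issuerRef` points at `<fullname>-selfsigned-issuer`, which is not created anywhere in the hunks visible here; if the Issuer lives in another template that is fine, otherwise the Certificate can never be issued and the webhook pod will sit waiting for its secret. The file also lacks a trailing newline.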
@@ -0,0 +1,91 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "k8s-agents-operator.serviceAccountName" . }} + labels: + {{- include "k8s-agents-operator.labels" . | nindent 4 }} +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "k8s-agents-operator.fullname" . }} + labels: + control-plane: controller-manager + {{- include "k8s-agents-operator.labels" . | nindent 4 }} +spec: + replicas: {{ .Values.controllerManager.replicas }} + selector: + matchLabels: + app.kubernetes.io/name: k8s-agents-operator + control-plane: controller-manager + {{- include "k8s-agents-operator.labels" . | nindent 6 }} + template: + metadata: + labels: + app.kubernetes.io/name: k8s-agents-operator + control-plane: controller-manager + {{- include "k8s-agents-operator.labels" . | nindent 8 }} + spec: + containers: + - args: + - --metrics-addr=127.0.0.1:8080 + {{- if .Values.controllerManager.manager.leaderElection.enabled }} + - --enable-leader-election + {{- end }} + - --zap-log-level=info + - --zap-time-encoding=rfc3339nano + env: + - name: KUBERNETES_CLUSTER_DOMAIN + value: {{ quote .Values.kubernetesClusterDomain }} + - name: ENABLE_WEBHOOKS + value: "true" + image: {{ .Values.controllerManager.manager.image.repository }}:{{ .Values.controllerManager.manager.image.tag | default .Chart.AppVersion }} + imagePullPolicy: {{ .Values.controllerManager.manager.image.pullPolicy | default "Always" }} + livenessProbe: + httpGet: + path: /healthz + port: 8081 + initialDelaySeconds: 15 + periodSeconds: 20 + name: manager + ports: + - containerPort: 9443 + name: webhook-server + protocol: TCP + readinessProbe: + httpGet: + path: /readyz + port: 8081 + initialDelaySeconds: 5 + periodSeconds: 10 + resources: {{- toYaml .Values.controllerManager.manager.resources | nindent 10 }} + volumeMounts: + - mountPath: /tmp/k8s-webhook-server/serving-certs + name: cert + readOnly: true + - args: + - --secure-listen-address=0.0.0.0:8443 + - 
--upstream=http://127.0.0.1:8080/ + - --logtostderr=true + - --v=0 + env: + - name: KUBERNETES_CLUSTER_DOMAIN + value: {{ quote .Values.kubernetesClusterDomain }} + image: {{ .Values.controllerManager.kubeRbacProxy.image.repository }}:{{ .Values.controllerManager.kubeRbacProxy.image.tag | default .Chart.AppVersion }} + name: kube-rbac-proxy + ports: + - containerPort: 8443 + name: https + protocol: TCP + resources: {{- toYaml .Values.controllerManager.kubeRbacProxy.resources | nindent 10 }} + serviceAccountName: {{ template "k8s-agents-operator.serviceAccountName" . }} + terminationGracePeriodSeconds: 10 + {{- if or .Values.admissionWebhooks.create .Values.admissionWebhooks.secretName }} + volumes: + - name: cert + secret: + defaultMode: 420 + secretName: {{ template "k8s-agents-operator.certificateSecret" . }} + {{- end }} + securityContext: +{{ toYaml .Values.securityContext | indent 8 }} diff --git a/charts/new-relic/nri-bundle/charts/k8s-agents-operator/templates/instrumentation-crd.yaml b/charts/new-relic/nri-bundle/charts/k8s-agents-operator/templates/instrumentation-crd.yaml new file mode 100644 index 000000000..ae81414fb --- /dev/null +++ b/charts/new-relic/nri-bundle/charts/k8s-agents-operator/templates/instrumentation-crd.yaml 
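Review bot: The manager container's `volumeMounts` entry for `cert` is unconditional, but the matching `volumes` entry is wrapped in `{{- if or .Values.admissionWebhooks.create .Values.admissionWebhooks.secretName }}`, so rendering with both unset produces a Pod that references a volume that does not exist and is rejected by the API server; the mount needs the same guard. Inside that guard the secret name is always `{{ template "k8s-agents-operator.certificateSecret" . }}`, so `admissionWebhooks.secretName` is tested but never used — `secretName: {{ .Values.admissionWebhooks.secretName | default (include "k8s-agents-operator.certificateSecret" .) }}` would honour it. Neither container sets a container-level `securityContext`; the pod-level one from values sets the non-root UID/GID, but `allowPrivilegeEscalation: false`, `readOnlyRootFilesystem: true` and `capabilities: {drop: [ALL]}` are the usual additions for an operator that also serves an admission webhook. Finally, the kube-rbac-proxy image tag falls back to `.Chart.AppVersion` when unset, which is the operator's version and not a kube-rbac-proxy tag; the fallback should be the proxy's own default rather than the chart's appVersion.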
@@ -0,0 +1,1150 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: instrumentations.newrelic.com + annotations: + controller-gen.kubebuilder.io/version: v0.11.3 + labels: + {{- include "k8s-agents-operator.labels" . | nindent 4 }} +spec: + group: newrelic.com + names: + kind: Instrumentation + listKind: InstrumentationList + plural: instrumentations + shortNames: + - nragent + - nragents + singular: instrumentation + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: Instrumentation is the Schema for the instrumentations API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: InstrumentationSpec defines the desired state of Instrumentation + properties: + dotnet: + description: DotNet defines configuration for dotnet auto-instrumentation. + properties: + env: + description: Env defines DotNet specific env vars. If the former + var had been defined, then the other vars would be ignored. + items: + description: EnvVar represents an environment variable present + in a Container. + properties: + name: + description: Name of the environment variable. Must be a + C_IDENTIFIER. 
+ type: string + value: + description: 'Variable references $(VAR_NAME) are expanded + using the previously defined environment variables in + the container and any service environment variables. If + a variable cannot be resolved, the reference in the input + string will be unchanged. Double $$ are reduced to a single + $, which allows for escaping the $(VAR_NAME) syntax: i.e. + "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". + Escaped references will never be expanded, regardless + of whether the variable exists or not. Defaults to "".' + type: string + valueFrom: + description: Source for the environment variable's value. + Cannot be used if value is not empty. + properties: + configMapKeyRef: + description: Selects a key of a ConfigMap. + properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + optional: + description: Specify whether the ConfigMap or its + key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + fieldRef: + description: 'Selects a field of the pod: supports metadata.name, + metadata.namespace, `metadata.labels['''']`, + `metadata.annotations['''']`, spec.nodeName, + spec.serviceAccountName, status.hostIP, status.podIP, + status.podIPs.' + properties: + apiVersion: + description: Version of the schema the FieldPath + is written in terms of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to select in the + specified API version. 
+ type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + resourceFieldRef: + description: 'Selects a resource of the container: only + resources limits and requests (limits.cpu, limits.memory, + limits.ephemeral-storage, requests.cpu, requests.memory + and requests.ephemeral-storage) are currently supported.' + properties: + containerName: + description: 'Container name: required for volumes, + optional for env vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output format of the + exposed resources, defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + secretKeyRef: + description: Selects a key of a secret in the pod's + namespace + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + optional: + description: Specify whether the Secret or its key + must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + required: + - name + type: object + type: array + image: + description: Image is a container image with DotNet agent and + auto-instrumentation. + type: string + type: object + env: + description: 'Env defines common env vars. There are four layers for + env vars'' definitions and the precedence order is: `original container + env vars` > `language specific env vars` > `common env vars` > `instrument + spec configs'' vars`. 
If the former var had been defined, then the + other vars would be ignored.' + items: + description: EnvVar represents an environment variable present in + a Container. + properties: + name: + description: Name of the environment variable. Must be a C_IDENTIFIER. + type: string + value: + description: 'Variable references $(VAR_NAME) are expanded using + the previously defined environment variables in the container + and any service environment variables. If a variable cannot + be resolved, the reference in the input string will be unchanged. + Double $$ are reduced to a single $, which allows for escaping + the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will produce the + string literal "$(VAR_NAME)". Escaped references will never + be expanded, regardless of whether the variable exists or + not. Defaults to "".' + type: string + valueFrom: + description: Source for the environment variable's value. Cannot + be used if value is not empty. + properties: + configMapKeyRef: + description: Selects a key of a ConfigMap. + properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + optional: + description: Specify whether the ConfigMap or its key + must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + fieldRef: + description: 'Selects a field of the pod: supports metadata.name, + metadata.namespace, `metadata.labels['''']`, `metadata.annotations['''']`, + spec.nodeName, spec.serviceAccountName, status.hostIP, + status.podIP, status.podIPs.' + properties: + apiVersion: + description: Version of the schema the FieldPath is + written in terms of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to select in the specified + API version. 
+ type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + resourceFieldRef: + description: 'Selects a resource of the container: only + resources limits and requests (limits.cpu, limits.memory, + limits.ephemeral-storage, requests.cpu, requests.memory + and requests.ephemeral-storage) are currently supported.' + properties: + containerName: + description: 'Container name: required for volumes, + optional for env vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output format of the exposed + resources, defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + secretKeyRef: + description: Selects a key of a secret in the pod's namespace + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + optional: + description: Specify whether the Secret or its key must + be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + required: + - name + type: object + type: array + exporter: + description: Exporter defines exporter configuration. + properties: + endpoint: + description: Endpoint is address of the collector with OTLP endpoint. + type: string + type: object + go: + description: Go defines configuration for Go auto-instrumentation. 
+ When using Go auto-instrumentation you must provide a value for + the OTEL_GO_AUTO_TARGET_EXE env var via the Instrumentation env + vars or via the instrumentation.opentelemetry.io/otel-go-auto-target-exe + pod annotation. Failure to set this value causes instrumentation + injection to abort, leaving the original pod unchanged. + properties: + env: + description: 'Env defines Go specific env vars. There are four + layers for env vars'' definitions and the precedence order is: + `original container env vars` > `language specific env vars` + > `common env vars` > `instrument spec configs'' vars`. If the + former var had been defined, then the other vars would be ignored.' + items: + description: EnvVar represents an environment variable present + in a Container. + properties: + name: + description: Name of the environment variable. Must be a + C_IDENTIFIER. + type: string + value: + description: 'Variable references $(VAR_NAME) are expanded + using the previously defined environment variables in + the container and any service environment variables. If + a variable cannot be resolved, the reference in the input + string will be unchanged. Double $$ are reduced to a single + $, which allows for escaping the $(VAR_NAME) syntax: i.e. + "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". + Escaped references will never be expanded, regardless + of whether the variable exists or not. Defaults to "".' + type: string + valueFrom: + description: Source for the environment variable's value. + Cannot be used if value is not empty. + properties: + configMapKeyRef: + description: Selects a key of a ConfigMap. + properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' 
+ type: string + optional: + description: Specify whether the ConfigMap or its + key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + fieldRef: + description: 'Selects a field of the pod: supports metadata.name, + metadata.namespace, `metadata.labels['''']`, + `metadata.annotations['''']`, spec.nodeName, + spec.serviceAccountName, status.hostIP, status.podIP, + status.podIPs.' + properties: + apiVersion: + description: Version of the schema the FieldPath + is written in terms of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to select in the + specified API version. + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + resourceFieldRef: + description: 'Selects a resource of the container: only + resources limits and requests (limits.cpu, limits.memory, + limits.ephemeral-storage, requests.cpu, requests.memory + and requests.ephemeral-storage) are currently supported.' + properties: + containerName: + description: 'Container name: required for volumes, + optional for env vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output format of the + exposed resources, defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + secretKeyRef: + description: Selects a key of a secret in the pod's + namespace + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' 
+ type: string + optional: + description: Specify whether the Secret or its key + must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + required: + - name + type: object + type: array + image: + description: Image is a container image with Go SDK and auto-instrumentation. + type: string + resourceRequirements: + description: Resources describes the compute resource requirements. + properties: + claims: + description: "Claims lists the names of resources, defined + in spec.resourceClaims, that are used by this container. + \n This is an alpha field and requires enabling the DynamicResourceAllocation + feature gate. \n This field is immutable. It can only be + set for containers." + items: + description: ResourceClaim references one entry in PodSpec.ResourceClaims. + properties: + name: + description: Name must match the name of one entry in + pod.spec.resourceClaims of the Pod where this field + is used. It makes that resource available inside a + container. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes the maximum amount of compute + resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes the minimum amount of compute + resources required. 
If Requests is omitted for a container, + it defaults to Limits if that is explicitly specified, otherwise + to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + type: object + volumeLimitSize: + anyOf: + - type: integer + - type: string + description: VolumeSizeLimit defines size limit for volume used + for auto-instrumentation. The default size is 200Mi. + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + java: + description: Java defines configuration for java auto-instrumentation. + properties: + env: + description: Env defines java specific env vars. If the former + var had been defined, then the other vars would be ignored. + items: + description: EnvVar represents an environment variable present + in a Container. + properties: + name: + description: Name of the environment variable. Must be a + C_IDENTIFIER. + type: string + value: + description: 'Variable references $(VAR_NAME) are expanded + using the previously defined environment variables in + the container and any service environment variables. If + a variable cannot be resolved, the reference in the input + string will be unchanged. Double $$ are reduced to a single + $, which allows for escaping the $(VAR_NAME) syntax: i.e. + "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". + Escaped references will never be expanded, regardless + of whether the variable exists or not. Defaults to "".' + type: string + valueFrom: + description: Source for the environment variable's value. + Cannot be used if value is not empty. + properties: + configMapKeyRef: + description: Selects a key of a ConfigMap. + properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + optional: + description: Specify whether the ConfigMap or its + key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + fieldRef: + description: 'Selects a field of the pod: supports metadata.name, + metadata.namespace, `metadata.labels['''']`, + `metadata.annotations['''']`, spec.nodeName, + spec.serviceAccountName, status.hostIP, status.podIP, + status.podIPs.' + properties: + apiVersion: + description: Version of the schema the FieldPath + is written in terms of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to select in the + specified API version. + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + resourceFieldRef: + description: 'Selects a resource of the container: only + resources limits and requests (limits.cpu, limits.memory, + limits.ephemeral-storage, requests.cpu, requests.memory + and requests.ephemeral-storage) are currently supported.' + properties: + containerName: + description: 'Container name: required for volumes, + optional for env vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output format of the + exposed resources, defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + secretKeyRef: + description: Selects a key of a secret in the pod's + namespace + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + optional: + description: Specify whether the Secret or its key + must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + required: + - name + type: object + type: array + image: + description: Image is a container image with javaagent auto-instrumentation + JAR. + type: string + type: object + nodejs: + description: NodeJS defines configuration for nodejs auto-instrumentation. + properties: + env: + description: Env defines nodejs specific env vars. If the former + var had been defined, then the other vars would be ignored. + items: + description: EnvVar represents an environment variable present + in a Container. + properties: + name: + description: Name of the environment variable. Must be a + C_IDENTIFIER. + type: string + value: + description: 'Variable references $(VAR_NAME) are expanded + using the previously defined environment variables in + the container and any service environment variables. If + a variable cannot be resolved, the reference in the input + string will be unchanged. Double $$ are reduced to a single + $, which allows for escaping the $(VAR_NAME) syntax: i.e. + "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". + Escaped references will never be expanded, regardless + of whether the variable exists or not. Defaults to "".' + type: string + valueFrom: + description: Source for the environment variable's value. + Cannot be used if value is not empty. + properties: + configMapKeyRef: + description: Selects a key of a ConfigMap. + properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' 
+ type: string + optional: + description: Specify whether the ConfigMap or its + key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + fieldRef: + description: 'Selects a field of the pod: supports metadata.name, + metadata.namespace, `metadata.labels['''']`, + `metadata.annotations['''']`, spec.nodeName, + spec.serviceAccountName, status.hostIP, status.podIP, + status.podIPs.' + properties: + apiVersion: + description: Version of the schema the FieldPath + is written in terms of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to select in the + specified API version. + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + resourceFieldRef: + description: 'Selects a resource of the container: only + resources limits and requests (limits.cpu, limits.memory, + limits.ephemeral-storage, requests.cpu, requests.memory + and requests.ephemeral-storage) are currently supported.' + properties: + containerName: + description: 'Container name: required for volumes, + optional for env vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output format of the + exposed resources, defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + secretKeyRef: + description: Selects a key of a secret in the pod's + namespace + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' 
+ type: string + optional: + description: Specify whether the Secret or its key + must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + required: + - name + type: object + type: array + image: + description: Image is a container image with NodeJS agent and + auto-instrumentation. + type: string + type: object + php: + description: Php defines configuration for php auto-instrumentation. + properties: + env: + description: Env defines Php specific env vars. If the former + var had been defined, then the other vars would be ignored. + items: + description: EnvVar represents an environment variable present + in a Container. + properties: + name: + description: Name of the environment variable. Must be a + C_IDENTIFIER. + type: string + value: + description: 'Variable references $(VAR_NAME) are expanded + using the previously defined environment variables in + the container and any service environment variables. If + a variable cannot be resolved, the reference in the input + string will be unchanged. Double $$ are reduced to a single + $, which allows for escaping the $(VAR_NAME) syntax: i.e. + "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". + Escaped references will never be expanded, regardless + of whether the variable exists or not. Defaults to "".' + type: string + valueFrom: + description: Source for the environment variable's value. + Cannot be used if value is not empty. + properties: + configMapKeyRef: + description: Selects a key of a ConfigMap. + properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' 
+ type: string + optional: + description: Specify whether the ConfigMap or its + key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + fieldRef: + description: 'Selects a field of the pod: supports metadata.name, + metadata.namespace, `metadata.labels['''']`, + `metadata.annotations['''']`, spec.nodeName, + spec.serviceAccountName, status.hostIP, status.podIP, + status.podIPs.' + properties: + apiVersion: + description: Version of the schema the FieldPath + is written in terms of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to select in the + specified API version. + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + resourceFieldRef: + description: 'Selects a resource of the container: only + resources limits and requests (limits.cpu, limits.memory, + limits.ephemeral-storage, requests.cpu, requests.memory + and requests.ephemeral-storage) are currently supported.' + properties: + containerName: + description: 'Container name: required for volumes, + optional for env vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output format of the + exposed resources, defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + secretKeyRef: + description: Selects a key of a secret in the pod's + namespace + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' 
+ type: string + optional: + description: Specify whether the Secret or its key + must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + required: + - name + type: object + type: array + image: + description: Image is a container image with Php agent and auto-instrumentation. + type: string + type: object + propagators: + description: Propagators defines inter-process context propagation + configuration. Values in this list will be set in the OTEL_PROPAGATORS + env var. Enum=tracecontext;none + items: + description: Propagator represents the propagation type. + enum: + - tracecontext + - none + type: string + type: array + python: + description: Python defines configuration for python auto-instrumentation. + properties: + env: + description: Env defines python specific env vars. If the former + var had been defined, then the other vars would be ignored. + items: + description: EnvVar represents an environment variable present + in a Container. + properties: + name: + description: Name of the environment variable. Must be a + C_IDENTIFIER. + type: string + value: + description: 'Variable references $(VAR_NAME) are expanded + using the previously defined environment variables in + the container and any service environment variables. If + a variable cannot be resolved, the reference in the input + string will be unchanged. Double $$ are reduced to a single + $, which allows for escaping the $(VAR_NAME) syntax: i.e. + "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". + Escaped references will never be expanded, regardless + of whether the variable exists or not. Defaults to "".' + type: string + valueFrom: + description: Source for the environment variable's value. + Cannot be used if value is not empty. + properties: + configMapKeyRef: + description: Selects a key of a ConfigMap. + properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + optional: + description: Specify whether the ConfigMap or its + key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + fieldRef: + description: 'Selects a field of the pod: supports metadata.name, + metadata.namespace, `metadata.labels['''']`, + `metadata.annotations['''']`, spec.nodeName, + spec.serviceAccountName, status.hostIP, status.podIP, + status.podIPs.' + properties: + apiVersion: + description: Version of the schema the FieldPath + is written in terms of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to select in the + specified API version. + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + resourceFieldRef: + description: 'Selects a resource of the container: only + resources limits and requests (limits.cpu, limits.memory, + limits.ephemeral-storage, requests.cpu, requests.memory + and requests.ephemeral-storage) are currently supported.' + properties: + containerName: + description: 'Container name: required for volumes, + optional for env vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output format of the + exposed resources, defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + secretKeyRef: + description: Selects a key of a secret in the pod's + namespace + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + optional: + description: Specify whether the Secret or its key + must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + required: + - name + type: object + type: array + image: + description: Image is a container image with Python agent and + auto-instrumentation. + type: string + type: object + ruby: + description: Ruby defines configuration for ruby auto-instrumentation. + properties: + env: + description: Env defines Ruby specific env vars. If the former + var had been defined, then the other vars would be ignored. + items: + description: EnvVar represents an environment variable present + in a Container. + properties: + name: + description: Name of the environment variable. Must be a + C_IDENTIFIER. + type: string + value: + description: 'Variable references $(VAR_NAME) are expanded + using the previously defined environment variables in + the container and any service environment variables. If + a variable cannot be resolved, the reference in the input + string will be unchanged. Double $$ are reduced to a single + $, which allows for escaping the $(VAR_NAME) syntax: i.e. + "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". + Escaped references will never be expanded, regardless + of whether the variable exists or not. Defaults to "".' + type: string + valueFrom: + description: Source for the environment variable's value. + Cannot be used if value is not empty. + properties: + configMapKeyRef: + description: Selects a key of a ConfigMap. + properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' 
+ type: string + optional: + description: Specify whether the ConfigMap or its + key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + fieldRef: + description: 'Selects a field of the pod: supports metadata.name, + metadata.namespace, `metadata.labels['''']`, + `metadata.annotations['''']`, spec.nodeName, + spec.serviceAccountName, status.hostIP, status.podIP, + status.podIPs.' + properties: + apiVersion: + description: Version of the schema the FieldPath + is written in terms of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to select in the + specified API version. + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + resourceFieldRef: + description: 'Selects a resource of the container: only + resources limits and requests (limits.cpu, limits.memory, + limits.ephemeral-storage, requests.cpu, requests.memory + and requests.ephemeral-storage) are currently supported.' + properties: + containerName: + description: 'Container name: required for volumes, + optional for env vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output format of the + exposed resources, defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + secretKeyRef: + description: Selects a key of a secret in the pod's + namespace + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' 
+ type: string + optional: + description: Specify whether the Secret or its key + must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + required: + - name + type: object + type: array + image: + description: Image is a container image with Ruby agent and + auto-instrumentation. + type: string + type: object + resource: + description: Resource defines the configuration for the resource attributes, + as defined by the OpenTelemetry specification. + properties: + addK8sUIDAttributes: + description: AddK8sUIDAttributes defines whether K8s UID attributes + should be collected (e.g. k8s.deployment.uid). + type: boolean + resourceAttributes: + additionalProperties: + type: string + description: 'Attributes defines attributes that are added to + the resource. For example environment: dev' + type: object + type: object + sampler: + description: Sampler defines sampling configuration. + properties: + argument: + description: Argument defines sampler argument. The value depends + on the sampler type. For instance for parentbased_traceidratio + sampler type it is a number in range [0..1] e.g. 0.25. The value + will be set in the OTEL_TRACES_SAMPLER_ARG env var. + type: string + type: + description: Type defines sampler type. The value will be set + in the OTEL_TRACES_SAMPLER env var. The value can be for instance + parentbased_always_on, parentbased_always_off, parentbased_traceidratio... + enum: + - always_on + - always_off + - traceidratio + - parentbased_always_on + - parentbased_always_off + - parentbased_traceidratio + type: string + type: object + type: object + status: + description: InstrumentationStatus defines the observed state of Instrumentation + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null \ No newline at end of file 
diff --git a/charts/new-relic/nri-bundle/charts/k8s-agents-operator/templates/leader-election-rbac.yaml b/charts/new-relic/nri-bundle/charts/k8s-agents-operator/templates/leader-election-rbac.yaml new file mode 100644 index 000000000..57a5be3a3 --- /dev/null +++ b/charts/new-relic/nri-bundle/charts/k8s-agents-operator/templates/leader-election-rbac.yaml @@ -0,0 +1,49 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "k8s-agents-operator.fullname" . }}-leader-election-role + labels: + {{- include "k8s-agents-operator.labels" . | nindent 4 }} +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - configmaps/status + verbs: + - get + - update + - patch +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "k8s-agents-operator.fullname" . }}-leader-election-rolebinding + labels: + {{- include "k8s-agents-operator.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: '{{ template "k8s-agents-operator.fullname" . }}-leader-election-role' +subjects: +- kind: ServiceAccount + name: '{{ template "k8s-agents-operator.serviceAccountName" . }}' + namespace: '{{ .Release.Namespace }}' \ No newline at end of file diff --git a/charts/new-relic/nri-bundle/charts/k8s-agents-operator/templates/manager-rbac.yaml b/charts/new-relic/nri-bundle/charts/k8s-agents-operator/templates/manager-rbac.yaml new file mode 100644 index 000000000..7a1d9d3bf --- /dev/null +++ b/charts/new-relic/nri-bundle/charts/k8s-agents-operator/templates/manager-rbac.yaml 
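Review bot: The first rule of the leader-election Role grants `get`/`list`/`watch`/`create`/`update`/`patch`/`delete` on every ConfigMap in the release namespace, which is far wider than leader election needs and lets the operator's ServiceAccount read all ConfigMaps in that namespace. The ClusterRole in manager-rbac.yaml already grants `coordination.k8s.io/leases`, which suggests Lease-based election; if so the `configmaps` and `configmaps/status` rules are legacy and can be dropped, otherwise they should be pinned with `resourceNames:` to the single election object. The `events` create/patch rule is also duplicated between this Role and the ClusterRole, so one of them is redundant.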
@@ -0,0 +1,76 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "k8s-agents-operator.fullname" . }}-manager-role + labels: + {{- include "k8s-agents-operator.labels" . | nindent 4 }} +rules: +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +- apiGroups: + - "" + resources: + - namespaces + verbs: + - list + - watch +- apiGroups: + - apps + resources: + - replicasets + verbs: + - get + - list + - watch +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create + - get + - list + - update +- apiGroups: + - newrelic.com + resources: + - instrumentations + verbs: + - get + - list + - patch + - update + - watch +- apiGroups: + - route.openshift.io + resources: + - routes + - routes/custom-host + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "k8s-agents-operator.fullname" . }}-manager-rolebinding + labels: + {{- include "k8s-agents-operator.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: '{{ template "k8s-agents-operator.fullname" . }}-manager-role' +subjects: +- kind: ServiceAccount + name: '{{ template "k8s-agents-operator.serviceAccountName" . }}' + namespace: '{{ .Release.Namespace }}' \ No newline at end of file diff --git a/charts/new-relic/nri-bundle/charts/k8s-agents-operator/templates/mutating-webhook-configuration.yaml b/charts/new-relic/nri-bundle/charts/k8s-agents-operator/templates/mutating-webhook-configuration.yaml new file mode 100644 index 000000000..f37ad6a79 --- /dev/null +++ b/charts/new-relic/nri-bundle/charts/k8s-agents-operator/templates/mutating-webhook-configuration.yaml 
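Review bot: The `coordination.k8s.io` / `leases` rule sits in a ClusterRole, so the operator can create and update Leases in every namespace although leader election only needs its own; moving that rule into the namespaced leader-election Role from leader-election-rbac.yaml keeps the cluster-scoped grant to what genuinely needs it (namespaces, replicasets, instrumentations). The `route.openshift.io` rule grants full write on `routes` and on `routes/custom-host`, the subresource OpenShift uses to gate setting arbitrary Route hostnames, and it is installed unconditionally even on clusters without the Route API; consider wrapping that rule in `{{- if .Capabilities.APIVersions.Has "route.openshift.io/v1" }}` … `{{- end }}` so non-OpenShift installs do not carry an unused privilege. A short comment above the rule stating why the operator needs to manage Routes at all would help reviewers of the resulting RBAC.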
@@ -0,0 +1,49 @@ +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + name: {{ template "k8s-agents-operator.fullname" . }}-mutating-webhook-configuration + annotations: + cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ template "k8s-agents-operator.fullname" . }}-serving-cert + labels: + {{- include "k8s-agents-operator.labels" . | nindent 4 }} +webhooks: +- admissionReviewVersions: + - v1 + clientConfig: + service: + name: '{{ template "k8s-agents-operator.fullname" . }}-webhook-service' + namespace: '{{ .Release.Namespace }}' + path: /mutate-newrelic-com-v1alpha1-instrumentation + failurePolicy: Fail + name: instrumentation.kb.io + rules: + - apiGroups: + - newrelic.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - instrumentations + sideEffects: None +- admissionReviewVersions: + - v1 + clientConfig: + service: + name: '{{ template "k8s-agents-operator.fullname" . }}-webhook-service' + namespace: '{{ .Release.Namespace }}' + path: /mutate-v1-pod + failurePolicy: Ignore + name: mpod.kb.io + rules: + - apiGroups: + - "" + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - pods + sideEffects: None \ No newline at end of file diff --git a/charts/new-relic/nri-bundle/charts/k8s-agents-operator/templates/newrelic_license_secret.yaml b/charts/new-relic/nri-bundle/charts/k8s-agents-operator/templates/newrelic_license_secret.yaml new file mode 100644 index 000000000..db2c35f72 --- /dev/null +++ b/charts/new-relic/nri-bundle/charts/k8s-agents-operator/templates/newrelic_license_secret.yaml 
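Review bot: The second webhook (`mpod.kb.io`, path `/mutate-v1-pod`) has no `namespaceSelector` or `objectSelector`, so every pod CREATE/UPDATE in the cluster, including kube-system and the operator's own namespace, is routed through the operator's webhook service. `failurePolicy: Ignore` keeps the API server from blocking on an unavailable operator, but it also means injection silently does not happen, and pods in control-plane namespaces still pay the call and the implicit 10s default timeout. Add a `namespaceSelector` that excludes at least `kube-system` and `{{ .Release.Namespace }}` via the `kubernetes.io/metadata.name` label, and set an explicit `timeoutSeconds` (e.g. `timeoutSeconds: 5`) so the dependency is bounded and visible in the manifest.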
@@ -0,0 +1,14 @@
+{{- $licenseKey := include "k8s-agents-operator.licenseKey" . -}}
+{{- if $licenseKey }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: "newrelic-key-secret"
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: {{ include "k8s-agents-operator.chart" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+type: Opaque
+data:
+ new_relic_license_key: {{ $licenseKey | b64enc }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/new-relic/nri-bundle/charts/k8s-agents-operator/templates/proxy-rbac.yaml b/charts/new-relic/nri-bundle/charts/k8s-agents-operator/templates/proxy-rbac.yaml
new file mode 100644
index 000000000..af583f595
--- /dev/null
+++ b/charts/new-relic/nri-bundle/charts/k8s-agents-operator/templates/proxy-rbac.yaml
@@ -0,0 +1,34 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ template "k8s-agents-operator.fullname" . }}-proxy-role
+ labels:
+ {{- include "k8s-agents-operator.labels" . | nindent 4 }}
+rules:
+- apiGroups:
+ - authentication.k8s.io
+ resources:
+ - tokenreviews
+ verbs:
+ - create
+- apiGroups:
+ - authorization.k8s.io
+ resources:
+ - subjectaccessreviews
+ verbs:
+ - create
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ template "k8s-agents-operator.fullname" . }}-proxy-rolebinding
+ labels:
+ {{- include "k8s-agents-operator.labels" . | nindent 4 }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: '{{ template "k8s-agents-operator.fullname" . }}-proxy-role'
+subjects:
+- kind: ServiceAccount
+ name: '{{ template "k8s-agents-operator.serviceAccountName" . }}'
+ namespace: '{{ .Release.Namespace }}'
\ No newline at end of file
diff --git a/charts/new-relic/nri-bundle/charts/k8s-agents-operator/templates/reader-rbac.yaml b/charts/new-relic/nri-bundle/charts/k8s-agents-operator/templates/reader-rbac.yaml
new file mode 100644
index 000000000..6482ff0db
--- /dev/null
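Review bot: The Secret name is the literal `"newrelic-key-secret"` rather than being derived from `k8s-agents-operator.fullname` like every other resource in this chart, so a second release in the same namespace fails on ownership of that Secret, and there is no way to point the chart at a pre-existing Secret the way the common-library `_customSecretName` helpers added elsewhere in this PR allow. I would render `name: {{ template "k8s-agents-operator.fullname" . }}-license-key` and add a custom-secret-name value that is checked before `$licenseKey`; whatever consumes this Secret (a deployment template not in this diff) has to change in step, which I cannot verify here. The `{{- if $licenseKey }}` guard silently renders nothing when no key is given, unlike the common-library `insightsKey.secret` template in this same diff which calls `fail`; a comment such as `{{- /* Render the Secret only when a licenseKey is set; nothing is created otherwise */ -}}` would make that intentional.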
+++ b/charts/new-relic/nri-bundle/charts/k8s-agents-operator/templates/reader-rbac.yaml
@@ -0,0 +1,11 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ template "k8s-agents-operator.fullname" . }}-metrics-reader
+ labels:
+ {{- include "k8s-agents-operator.labels" . | nindent 4 }}
+rules:
+- nonResourceURLs:
+ - /metrics
+ verbs:
+ - get
\ No newline at end of file
diff --git a/charts/new-relic/nri-bundle/charts/k8s-agents-operator/templates/selfsigned-issuer.yaml b/charts/new-relic/nri-bundle/charts/k8s-agents-operator/templates/selfsigned-issuer.yaml
new file mode 100644
index 000000000..31c0cc79f
--- /dev/null
+++ b/charts/new-relic/nri-bundle/charts/k8s-agents-operator/templates/selfsigned-issuer.yaml
@@ -0,0 +1,8 @@
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+ name: {{ template "k8s-agents-operator.fullname" . }}-selfsigned-issuer
+ labels:
+ {{- include "k8s-agents-operator.labels" . | nindent 4 }}
+spec:
+ selfSigned: {}
\ No newline at end of file
diff --git a/charts/new-relic/nri-bundle/charts/k8s-agents-operator/templates/service.yaml b/charts/new-relic/nri-bundle/charts/k8s-agents-operator/templates/service.yaml
new file mode 100644
index 000000000..892b1b3e8
--- /dev/null
+++ b/charts/new-relic/nri-bundle/charts/k8s-agents-operator/templates/service.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ template "k8s-agents-operator.fullname" . }}
+ labels:
+ control-plane: controller-manager
+ {{- include "k8s-agents-operator.labels" . | nindent 4 }}
+spec:
+ type: {{ .Values.metricsService.type }}
+ selector:
+ app.kubernetes.io/name: {{ include "k8s-agents-operator.chart" . }}
+ control-plane: controller-manager
+ {{- include "k8s-agents-operator.labels" . | nindent 4 }}
+ ports:
+ {{- .Values.metricsService.ports | toYaml | nindent 2 -}}
\ No newline at end of file
diff --git a/charts/new-relic/nri-bundle/charts/k8s-agents-operator/templates/validating-webhook-configuration.yaml b/charts/new-relic/nri-bundle/charts/k8s-agents-operator/templates/validating-webhook-configuration.yaml
new file mode 100644
index 000000000..f98608b7e
--- /dev/null
+++ b/charts/new-relic/nri-bundle/charts/k8s-agents-operator/templates/validating-webhook-configuration.yaml
@@ -0,0 +1,48 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+ name: {{ template "k8s-agents-operator.fullname" . }}-validating-webhook-configuration
+ annotations:
+ cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ template "k8s-agents-operator.fullname" . }}-serving-cert
+ labels:
+ {{- include "k8s-agents-operator.labels" . | nindent 4 }}
+webhooks:
+- admissionReviewVersions:
+ - v1
+ clientConfig:
+ service:
+ name: '{{ template "k8s-agents-operator.fullname" . }}-webhook-service'
+ namespace: '{{ .Release.Namespace }}'
+ path: /validate-newrelic-com-v1alpha1-instrumentation
+ failurePolicy: Fail
+ name: vinstrumentationcreateupdate.kb.io
+ rules:
+ - apiGroups:
+ - newrelic.com
+ apiVersions:
+ - v1alpha1
+ operations:
+ - CREATE
+ - UPDATE
+ resources:
+ - instrumentations
+ sideEffects: None
+- admissionReviewVersions:
+ - v1
+ clientConfig:
+ service:
+ name: '{{ template "k8s-agents-operator.fullname" . }}-webhook-service'
+ namespace: '{{ .Release.Namespace }}'
+ path: /validate-newrelic-com-v1alpha1-instrumentation
+ failurePolicy: Ignore
+ name: vinstrumentationdelete.kb.io
+ rules:
+ - apiGroups:
+ - newrelic.com
+ apiVersions:
+ - v1alpha1
+ operations:
+ - DELETE
+ resources:
+ - instrumentations
+ sideEffects: None
\ No newline at end of file
diff --git a/charts/new-relic/nri-bundle/charts/k8s-agents-operator/templates/webhook-service.yaml b/charts/new-relic/nri-bundle/charts/k8s-agents-operator/templates/webhook-service.yaml
new file mode 100644
index 000000000..d2197c679
--- /dev/null
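Review bot: The two webhooks share the path `/validate-newrelic-com-v1alpha1-instrumentation` but differ in `failurePolicy` (`Fail` for CREATE/UPDATE, `Ignore` for DELETE) with nothing in the file saying why, so a reader cannot tell whether the DELETE check is a deliberately best-effort guard or an oversight. If the intent is that an operator outage must never block deleting an Instrumentation, say so on the second entry, e.g. `# DELETE validation is advisory: Ignore keeps cleanup possible while the operator is down`; if the DELETE validation protects something, it should be `Fail` like the first. The missing `{{- if .Values.admissionWebhooks.create }}` gate is the same issue raised on mutating-webhook-configuration.yaml.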
+++ b/charts/new-relic/nri-bundle/charts/k8s-agents-operator/templates/webhook-service.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ template "k8s-agents-operator.fullname" . }}-webhook-service
+ labels:
+ {{- include "k8s-agents-operator.labels" . | nindent 4 }}
+spec:
+ type: {{ .Values.webhookService.type }}
+ selector:
+ app.kubernetes.io/name: {{ include "k8s-agents-operator.chart" . }}
+ app.kubernetes.io/name: k8s-agents-operator
+ control-plane: controller-manager
+ {{- include "k8s-agents-operator.labels" . | nindent 4 }}
+ ports:
+ {{- .Values.webhookService.ports | toYaml | nindent 2 -}}
\ No newline at end of file
diff --git a/charts/new-relic/nri-bundle/charts/k8s-agents-operator/values.yaml b/charts/new-relic/nri-bundle/charts/k8s-agents-operator/values.yaml
new file mode 100644
index 000000000..7cae82fb8
--- /dev/null
+++ b/charts/new-relic/nri-bundle/charts/k8s-agents-operator/values.yaml
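Review bot: The Service `selector` lists `app.kubernetes.io/name` twice — once as `{{ include "k8s-agents-operator.chart" . }}` and once as the literal `k8s-agents-operator` — which is a duplicate mapping key; strict YAML decoders reject the rendered manifest and lenient ones silently keep only one of the two values, so whether this webhook Service has any endpoints depends on the parser. Drop one of them; the metrics Service in service.yaml uses only `app.kubernetes.io/name: {{ include "k8s-agents-operator.chart" . }}`, so deleting `app.kubernetes.io/name: k8s-agents-operator` makes the two selectors agree. The selector also pulls in `k8s-agents-operator.labels` wholesale; if that helper emits chart-version labels (its definition is not in this diff), the selector will stop matching across an upgrade until the pod template carries the same labels, which is worth confirming against the deployment template.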
@@ -0,0 +1,62 @@
+# -- Ingest license key to use
+# licenseKey:
+
+controllerManager:
+ replicas: 1
+
+ kubeRbacProxy:
+ image:
+ repository: gcr.io/kubebuilder/kube-rbac-proxy
+ tag: v0.14.0
+ resources:
+ limits:
+ cpu: 500m
+ memory: 128Mi
+ requests:
+ cpu: 5m
+ memory: 64Mi
+
+ manager:
+ image:
+ repository: newrelic/k8s-agents-operator
+ tag:
+ pullPolicy:
+ resources:
+ requests:
+ cpu: 100m
+ memory: 64Mi
+ serviceAccount:
+ create: true
+ # -- Source: https://docs.openshift.com/container-platform/4.10/operators/operator_sdk/osdk-leader-election.html
+ # -- Enable leader election mechanism for protecting against split brain if multiple operator pods/replicas are started
+ leaderElection:
+ enabled: true
+
+kubernetesClusterDomain: cluster.local
+
+metricsService:
+ ports:
+ - name: https
+ port: 8443
+ protocol: TCP
+ targetPort: https
+ type: ClusterIP
+
+webhookService:
+ ports:
+ - port: 443
+ protocol: TCP
+ targetPort: 9443
+ type: ClusterIP
+
+# -- Source: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+# -- SecurityContext holds pod-level security attributes and common container settings
+securityContext:
+ runAsGroup: 65532
+ runAsNonRoot: true
+ runAsUser: 65532
+ fsGroup: 65532
+
+# -- Admission webhooks make sure only requests with correctly formatted rules will get into the Operator
+admissionWebhooks:
+ create: true
diff --git a/charts/new-relic/nri-bundle/charts/newrelic-infra-operator/Chart.lock b/charts/new-relic/nri-bundle/charts/newrelic-infra-operator/Chart.lock
index 4ba89500a..ccd9266c2 100644
--- a/charts/new-relic/nri-bundle/charts/newrelic-infra-operator/Chart.lock
+++ b/charts/new-relic/nri-bundle/charts/newrelic-infra-operator/Chart.lock
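Review bot: `securityContext` sets the uid/gid and `runAsNonRoot` but no `seccompProfile`; since the block is documented as pod-level, `seccompProfile:` / `  type: RuntimeDefault` belongs here and is what the restricted Pod Security Standard checks for, so clusters enforcing that profile will otherwise reject the operator pod. `manager.image.tag:` and `pullPolicy:` are left empty with no comment saying what the template substitutes (presumably the chart's appVersion and the Kubernetes default, but the deployment template is not in this diff), so a `# -- Defaults to .Chart.appVersion when empty` style comment, whichever is true, saves the next reader a trip into the templates. `admissionWebhooks.create` is introduced here but no template in this diff reads it; see the note on mutating-webhook-configuration.yaml.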
@@ -1,6 +1,6 @@ dependencies: - name: common-library repository: https://helm-charts.newrelic.com - version: 1.1.1 -digest: sha256:3c9053021f3c22aa3cdfc6781d3498bcbedb0b973af9121b1722469744fb5162 -generated: "2023-03-22T00:04:09.514396222Z" + version: 1.2.0 +digest: sha256:fa87cb007564a39a72739a3e850a91d6b03c0fc27a1115deac042b3ef77b4142 +generated: "2024-06-21T17:38:34.069969308Z" diff --git a/charts/new-relic/nri-bundle/charts/newrelic-infra-operator/Chart.yaml b/charts/new-relic/nri-bundle/charts/newrelic-infra-operator/Chart.yaml index 9a8ce6e24..170415002 100644 --- a/charts/new-relic/nri-bundle/charts/newrelic-infra-operator/Chart.yaml +++ b/charts/new-relic/nri-bundle/charts/newrelic-infra-operator/Chart.yaml @@ -1,9 +1,9 @@ apiVersion: v2 -appVersion: 0.18.1 +appVersion: 0.19.0 dependencies: - name: common-library repository: https://helm-charts.newrelic.com - version: 1.1.1 + version: 1.2.0 description: A Helm chart to deploy the New Relic Infrastructure Kubernetes Operator. home: https://hub.docker.com/r/newrelic/newrelic-infra-operator icon: https://newrelic.com/themes/custom/curio/assets/mediakit/new_relic_logo_vertical.svg @@ -32,4 +32,4 @@ name: newrelic-infra-operator sources: - https://github.com/newrelic/newrelic-infra-operator - https://github.com/newrelic/newrelic-infra-operator/tree/main/charts/newrelic-infra-operator -version: 2.10.1 +version: 2.11.0 diff --git a/charts/new-relic/nri-bundle/charts/newrelic-infra-operator/charts/common-library/Chart.yaml b/charts/new-relic/nri-bundle/charts/newrelic-infra-operator/charts/common-library/Chart.yaml index d01fcb482..b65ac15d4 100644 --- a/charts/new-relic/nri-bundle/charts/newrelic-infra-operator/charts/common-library/Chart.yaml +++ b/charts/new-relic/nri-bundle/charts/newrelic-infra-operator/charts/common-library/Chart.yaml 
@@ -4,24 +4,14 @@ keywords: - newrelic - chart-library maintainers: -- name: nserrino - url: https://github.com/nserrino -- name: philkuz - url: https://github.com/philkuz -- name: htroisi - url: https://github.com/htroisi - name: juanjjaramillo url: https://github.com/juanjjaramillo -- name: svetlanabrennan - url: https://github.com/svetlanabrennan -- name: nrepai - url: https://github.com/nrepai - name: csongnr url: https://github.com/csongnr -- name: vuqtran88 - url: https://github.com/vuqtran88 -- name: xqi-nr - url: https://github.com/xqi-nr +- name: dbudziwojskiNR + url: https://github.com/dbudziwojskiNR +- name: kang-makes + url: https://github.com/kang-makes name: common-library type: library -version: 1.1.1 +version: 1.2.0 diff --git a/charts/new-relic/nri-bundle/charts/newrelic-infra-operator/charts/common-library/DEVELOPERS.md b/charts/new-relic/nri-bundle/charts/newrelic-infra-operator/charts/common-library/DEVELOPERS.md index f19983a67..3ccc108e2 100644 --- a/charts/new-relic/nri-bundle/charts/newrelic-infra-operator/charts/common-library/DEVELOPERS.md +++ b/charts/new-relic/nri-bundle/charts/newrelic-infra-operator/charts/common-library/DEVELOPERS.md 
@@ -462,6 +462,49 @@ You just must have a template with these two lines: +## _insights.tpl +### `newrelic.common.insightsKey.secretName` and ### `newrelic.common.insightsKey.secretKeyName` +Returns the secret and key inside the secret where to read the insights key. + +The common library will take care of using a user-provided custom secret or creating a secret that contains the insights key. + +To create the secret use `newrelic.common.insightsKey.secret`. + +Usage: +```mustache +apiVersion: v1 +kind: Pod +metadata: + name: statsd +spec: + containers: + - name: statsd + env: + - name: "INSIGHTS_KEY" + valueFrom: + secretKeyRef: + name: {{ include "newrelic.common.insightsKey.secretName" . }} + key: {{ include "newrelic.common.insightsKey.secretKeyName" . }} +``` + + + +## _insights_secret.tpl +### `newrelic.common.insightsKey.secret` +This function templates the secret that is used by agents and integrations with the insights key provided by the user. It will +template nothing (empty string) if the user provides a custom pair of secret name and key. + +This template also fails in case the user has not provided any insights key or custom secret so no safety checks have to be done +by chart writers. + +You just must have a template with these two lines: +```mustache +{{- /* Common library will take care of creating the secret or not. */ -}} +{{- include "newrelic.common.insightsKey.secret" . -}} +``` + + + ## _low-data-mode.tpl ### `newrelic.common.lowDataMode` Like almost everything in this library, it reads global and local variables: diff --git a/charts/new-relic/nri-bundle/charts/newrelic-infra-operator/charts/common-library/templates/_insights.tpl b/charts/new-relic/nri-bundle/charts/newrelic-infra-operator/charts/common-library/templates/_insights.tpl new file mode 100644 index 000000000..895c37732 --- /dev/null +++ b/charts/new-relic/nri-bundle/charts/newrelic-infra-operator/charts/common-library/templates/_insights.tpl 
@@ -0,0 +1,56 @@
+{{/*
+Return the name of the secret holding the Insights Key.
+*/}}
+{{- define "newrelic.common.insightsKey.secretName" -}}
+{{- $default := include "newrelic.common.naming.truncateToDNSWithSuffix" ( dict "name" (include "newrelic.common.naming.fullname" .) "suffix" "insightskey" ) -}}
+{{- include "newrelic.common.insightsKey._customSecretName" . | default $default -}}
+{{- end -}}
+
+{{/*
+Return the name key for the Insights Key inside the secret.
+*/}}
+{{- define "newrelic.common.insightsKey.secretKeyName" -}}
+{{- include "newrelic.common.insightsKey._customSecretKey" . | default "insightsKey" -}}
+{{- end -}}
+
+{{/*
+Return local insightsKey if set, global otherwise.
+This helper is for internal use.
+*/}}
+{{- define "newrelic.common.insightsKey._licenseKey" -}}
+{{- if .Values.insightsKey -}}
+ {{- .Values.insightsKey -}}
+{{- else if .Values.global -}}
+ {{- if .Values.global.insightsKey -}}
+ {{- .Values.global.insightsKey -}}
+ {{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return the name of the secret holding the Insights Key.
+This helper is for internal use.
+*/}}
+{{- define "newrelic.common.insightsKey._customSecretName" -}}
+{{- if .Values.customInsightsKeySecretName -}}
+ {{- .Values.customInsightsKeySecretName -}}
+{{- else if .Values.global -}}
+ {{- if .Values.global.customInsightsKeySecretName -}}
+ {{- .Values.global.customInsightsKeySecretName -}}
+ {{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return the name key for the Insights Key inside the secret.
+This helper is for internal use.
+*/}}
+{{- define "newrelic.common.insightsKey._customSecretKey" -}}
+{{- if .Values.customInsightsKeySecretKey -}}
+ {{- .Values.customInsightsKeySecretKey -}}
+{{- else if .Values.global -}}
+ {{- if .Values.global.customInsightsKeySecretKey }}
+ {{- .Values.global.customInsightsKeySecretKey -}}
+ {{- end -}}
+{{- end -}}
+{{- end -}}
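Review bot: `newrelic.common.insightsKey._licenseKey` returns the insights key, not a license key; the name was evidently carried over from `_license.tpl`, and it makes both call sites in `_insights_secret.yaml.tpl` read as if they handled the license key. Renaming it to `newrelic.common.insightsKey._insightsKey` (with the two callers updated) is cheap before charts start depending on it and expensive after. In `_customSecretKey`, `{{- if .Values.global.customInsightsKeySecretKey }}` lacks the trailing `-}}` that every sibling branch has; the following `{{-` trims the whitespace anyway, but the inconsistency invites a copy that does not. The same file is added again for newrelic-k8s-metrics-adapter later in this diff.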
diff --git a/charts/new-relic/nri-bundle/charts/newrelic-infra-operator/charts/common-library/templates/_insights_secret.yaml.tpl b/charts/new-relic/nri-bundle/charts/newrelic-infra-operator/charts/common-library/templates/_insights_secret.yaml.tpl
new file mode 100644
index 000000000..556caa6ca
--- /dev/null
+++ b/charts/new-relic/nri-bundle/charts/newrelic-infra-operator/charts/common-library/templates/_insights_secret.yaml.tpl
@@ -0,0 +1,21 @@
+{{/*
+Renders the insights key secret if user has not specified a custom secret.
+*/}}
+{{- define "newrelic.common.insightsKey.secret" }}
+{{- if not (include "newrelic.common.insightsKey._customSecretName" .) }}
+{{- /* Fail if licenseKey is empty and required: */ -}}
+{{- if not (include "newrelic.common.insightsKey._licenseKey" .) }}
+ {{- fail "You must specify a insightsKey or a customInsightsSecretName containing it" }}
+{{- end }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ include "newrelic.common.insightsKey.secretName" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "newrelic.common.labels" . | nindent 4 }}
+data:
+ {{ include "newrelic.common.insightsKey.secretKeyName" . }}: {{ include "newrelic.common.insightsKey._licenseKey" . | b64enc }}
+{{- end }}
+{{- end }}
diff --git a/charts/new-relic/nri-bundle/charts/newrelic-infra-operator/charts/common-library/templates/_license.tpl b/charts/new-relic/nri-bundle/charts/newrelic-infra-operator/charts/common-library/templates/_license.tpl
index d1ec88e49..647b4ff43 100644
--- a/charts/new-relic/nri-bundle/charts/newrelic-infra-operator/charts/common-library/templates/_license.tpl
+++ b/charts/new-relic/nri-bundle/charts/newrelic-infra-operator/charts/common-library/templates/_license.tpl
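Review bot: The `fail` message names `customInsightsSecretName`, but the value the helper actually reads is `customInsightsKeySecretName`, so a user who follows the error sets a key that is never consulted and hits the same failure again; change it to `{{- fail "You must specify an insightsKey or a customInsightsKeySecretName containing it" }}`. The comment on the line above, `Fail if licenseKey is empty and required`, should also say insightsKey, since that is what `_licenseKey` returns here. The identical file is added again under newrelic-k8s-metrics-adapter later in this diff and needs the same fix.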
@@ -2,14 +2,15 @@ Return the name of the secret holding the License Key. */}} {{- define "newrelic.common.license.secretName" -}} -{{ include "newrelic.common.license._customSecretName" . | default (printf "%s-license" (include "newrelic.common.naming.fullname" . )) }} +{{- $default := include "newrelic.common.naming.truncateToDNSWithSuffix" ( dict "name" (include "newrelic.common.naming.fullname" .) "suffix" "license" ) -}} +{{- include "newrelic.common.license._customSecretName" . | default $default -}} {{- end -}} {{/* Return the name key for the License Key inside the secret. */}} {{- define "newrelic.common.license.secretKeyName" -}} -{{ include "newrelic.common.license._customSecretKey" . | default "licenseKey" }} +{{- include "newrelic.common.license._customSecretKey" . | default "licenseKey" -}} {{- end -}} {{/* diff --git a/charts/new-relic/nri-bundle/charts/newrelic-infrastructure/Chart.yaml b/charts/new-relic/nri-bundle/charts/newrelic-infrastructure/Chart.yaml index bc5a6043e..9cc72d892 100644 --- a/charts/new-relic/nri-bundle/charts/newrelic-infrastructure/Chart.yaml +++ b/charts/new-relic/nri-bundle/charts/newrelic-infrastructure/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: 3.28.9 +appVersion: 3.29.0 dependencies: - name: common-library repository: https://helm-charts.newrelic.com @@ -23,4 +23,4 @@ sources: - https://github.com/newrelic/nri-kubernetes/ - https://github.com/newrelic/nri-kubernetes/tree/main/charts/newrelic-infrastructure - https://github.com/newrelic/infrastructure-agent/ -version: 3.33.9 +version: 3.34.0 diff --git a/charts/new-relic/nri-bundle/charts/newrelic-infrastructure/values.yaml b/charts/new-relic/nri-bundle/charts/newrelic-infrastructure/values.yaml index 17f3e5827..c4d789746 100644 --- a/charts/new-relic/nri-bundle/charts/newrelic-infrastructure/values.yaml +++ b/charts/new-relic/nri-bundle/charts/newrelic-infrastructure/values.yaml 
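Review bot: The default Secret name moves from `printf "%s-license"` to `truncateToDNSWithSuffix`, and if that helper shortens long fullnames (its definition is not in this diff), existing releases with such names get a differently named license Secret on upgrade, with the old one removed by Helm and any workload still referencing the old name via `secretKeyRef` failing to start until its template picks up the new name. That deserves an upgrade note in the chart changelog and a comment on the new `$default` line, e.g. `{{- /* DNS-safe default; differs from the pre-1.2.0 name only when fullname had to be truncated */ -}}`. The same hunk appears for the metrics-adapter copy of `_license.tpl` later in the diff.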
@@ -23,7 +23,7 @@ images: forwarder: registry: "" repository: newrelic/k8s-events-forwarder - tag: 1.52.3 + tag: 1.53.0 pullPolicy: IfNotPresent # -- Image for the New Relic Infrastructure Agent plus integrations. # @default -- See `values.yaml` diff --git a/charts/new-relic/nri-bundle/charts/newrelic-k8s-metrics-adapter/Chart.lock b/charts/new-relic/nri-bundle/charts/newrelic-k8s-metrics-adapter/Chart.lock index a2f8a4d29..fc2918195 100644 --- a/charts/new-relic/nri-bundle/charts/newrelic-k8s-metrics-adapter/Chart.lock +++ b/charts/new-relic/nri-bundle/charts/newrelic-k8s-metrics-adapter/Chart.lock @@ -1,6 +1,6 @@ dependencies: - name: common-library repository: https://helm-charts.newrelic.com - version: 1.1.1 -digest: sha256:3c9053021f3c22aa3cdfc6781d3498bcbedb0b973af9121b1722469744fb5162 -generated: "2023-03-22T00:07:39.997727169Z" + version: 1.2.0 +digest: sha256:fa87cb007564a39a72739a3e850a91d6b03c0fc27a1115deac042b3ef77b4142 +generated: "2024-06-22T03:37:58.957965768Z" diff --git a/charts/new-relic/nri-bundle/charts/newrelic-k8s-metrics-adapter/Chart.yaml b/charts/new-relic/nri-bundle/charts/newrelic-k8s-metrics-adapter/Chart.yaml index d082ed836..2153a342f 100644 --- a/charts/new-relic/nri-bundle/charts/newrelic-k8s-metrics-adapter/Chart.yaml +++ b/charts/new-relic/nri-bundle/charts/newrelic-k8s-metrics-adapter/Chart.yaml @@ -1,9 +1,9 @@ apiVersion: v2 -appVersion: 0.12.5 +appVersion: 0.13.0 dependencies: - name: common-library repository: https://helm-charts.newrelic.com - version: 1.1.1 + version: 1.2.0 description: A Helm chart to deploy the New Relic Kubernetes Metrics Adapter. home: https://hub.docker.com/r/newrelic/newrelic-k8s-metrics-adapter icon: https://newrelic.com/assets/newrelic/source/NewRelic-logo-square.svg 
@@ -22,4 +22,4 @@ name: newrelic-k8s-metrics-adapter sources: - https://github.com/newrelic/newrelic-k8s-metrics-adapter - https://github.com/newrelic/newrelic-k8s-metrics-adapter/tree/main/charts/newrelic-k8s-metrics-adapter -version: 1.10.5 +version: 1.11.0 diff --git a/charts/new-relic/nri-bundle/charts/newrelic-k8s-metrics-adapter/README.md b/charts/new-relic/nri-bundle/charts/newrelic-k8s-metrics-adapter/README.md index e5a1b0996..9f3943ec4 100644 --- a/charts/new-relic/nri-bundle/charts/newrelic-k8s-metrics-adapter/README.md +++ b/charts/new-relic/nri-bundle/charts/newrelic-k8s-metrics-adapter/README.md @@ -15,7 +15,7 @@ A Helm chart to deploy the New Relic Kubernetes Metrics Adapter. | Repository | Name | Version | |------------|------|---------| -| https://helm-charts.newrelic.com | common-library | 1.1.1 | +| https://helm-charts.newrelic.com | common-library | 1.2.0 | ## Values diff --git a/charts/new-relic/nri-bundle/charts/newrelic-k8s-metrics-adapter/charts/common-library/Chart.yaml b/charts/new-relic/nri-bundle/charts/newrelic-k8s-metrics-adapter/charts/common-library/Chart.yaml index d01fcb482..b65ac15d4 100644 --- a/charts/new-relic/nri-bundle/charts/newrelic-k8s-metrics-adapter/charts/common-library/Chart.yaml +++ b/charts/new-relic/nri-bundle/charts/newrelic-k8s-metrics-adapter/charts/common-library/Chart.yaml 
@@ -4,24 +4,14 @@ keywords: - newrelic - chart-library maintainers: -- name: nserrino - url: https://github.com/nserrino -- name: philkuz - url: https://github.com/philkuz -- name: htroisi - url: https://github.com/htroisi - name: juanjjaramillo url: https://github.com/juanjjaramillo -- name: svetlanabrennan - url: https://github.com/svetlanabrennan -- name: nrepai - url: https://github.com/nrepai - name: csongnr url: https://github.com/csongnr -- name: vuqtran88 - url: https://github.com/vuqtran88 -- name: xqi-nr - url: https://github.com/xqi-nr +- name: dbudziwojskiNR + url: https://github.com/dbudziwojskiNR +- name: kang-makes + url: https://github.com/kang-makes name: common-library type: library -version: 1.1.1 +version: 1.2.0 diff --git a/charts/new-relic/nri-bundle/charts/newrelic-k8s-metrics-adapter/charts/common-library/DEVELOPERS.md b/charts/new-relic/nri-bundle/charts/newrelic-k8s-metrics-adapter/charts/common-library/DEVELOPERS.md index f19983a67..3ccc108e2 100644 --- a/charts/new-relic/nri-bundle/charts/newrelic-k8s-metrics-adapter/charts/common-library/DEVELOPERS.md +++ b/charts/new-relic/nri-bundle/charts/newrelic-k8s-metrics-adapter/charts/common-library/DEVELOPERS.md 
@@ -462,6 +462,49 @@ You just must have a template with these two lines: +## _insights.tpl +### `newrelic.common.insightsKey.secretName` and ### `newrelic.common.insightsKey.secretKeyName` +Returns the secret and key inside the secret where to read the insights key. + +The common library will take care of using a user-provided custom secret or creating a secret that contains the insights key. + +To create the secret use `newrelic.common.insightsKey.secret`. + +Usage: +```mustache +apiVersion: v1 +kind: Pod +metadata: + name: statsd +spec: + containers: + - name: statsd + env: + - name: "INSIGHTS_KEY" + valueFrom: + secretKeyRef: + name: {{ include "newrelic.common.insightsKey.secretName" . }} + key: {{ include "newrelic.common.insightsKey.secretKeyName" . }} +``` + + + +## _insights_secret.tpl +### `newrelic.common.insightsKey.secret` +This function templates the secret that is used by agents and integrations with the insights key provided by the user. It will +template nothing (empty string) if the user provides a custom pair of secret name and key. + +This template also fails in case the user has not provided any insights key or custom secret so no safety checks have to be done +by chart writers. + +You just must have a template with these two lines: +```mustache +{{- /* Common library will take care of creating the secret or not. */ -}} +{{- include "newrelic.common.insightsKey.secret" . -}} +``` + + + ## _low-data-mode.tpl ### `newrelic.common.lowDataMode` Like almost everything in this library, it reads global and local variables: diff --git a/charts/new-relic/nri-bundle/charts/newrelic-k8s-metrics-adapter/charts/common-library/templates/_insights.tpl b/charts/new-relic/nri-bundle/charts/newrelic-k8s-metrics-adapter/charts/common-library/templates/_insights.tpl new file mode 100644 index 000000000..895c37732 --- /dev/null +++ b/charts/new-relic/nri-bundle/charts/newrelic-k8s-metrics-adapter/charts/common-library/templates/_insights.tpl 
@@ -0,0 +1,56 @@
+{{/*
+Return the name of the secret holding the Insights Key.
+*/}}
+{{- define "newrelic.common.insightsKey.secretName" -}}
+{{- $default := include "newrelic.common.naming.truncateToDNSWithSuffix" ( dict "name" (include "newrelic.common.naming.fullname" .) "suffix" "insightskey" ) -}}
+{{- include "newrelic.common.insightsKey._customSecretName" . | default $default -}}
+{{- end -}}
+
+{{/*
+Return the name key for the Insights Key inside the secret.
+*/}}
+{{- define "newrelic.common.insightsKey.secretKeyName" -}}
+{{- include "newrelic.common.insightsKey._customSecretKey" . | default "insightsKey" -}}
+{{- end -}}
+
+{{/*
+Return local insightsKey if set, global otherwise.
+This helper is for internal use.
+*/}}
+{{- define "newrelic.common.insightsKey._licenseKey" -}}
+{{- if .Values.insightsKey -}}
+ {{- .Values.insightsKey -}}
+{{- else if .Values.global -}}
+ {{- if .Values.global.insightsKey -}}
+ {{- .Values.global.insightsKey -}}
+ {{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return the name of the secret holding the Insights Key.
+This helper is for internal use.
+*/}}
+{{- define "newrelic.common.insightsKey._customSecretName" -}}
+{{- if .Values.customInsightsKeySecretName -}}
+ {{- .Values.customInsightsKeySecretName -}}
+{{- else if .Values.global -}}
+ {{- if .Values.global.customInsightsKeySecretName -}}
+ {{- .Values.global.customInsightsKeySecretName -}}
+ {{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return the name key for the Insights Key inside the secret.
+This helper is for internal use.
+*/}}
+{{- define "newrelic.common.insightsKey._customSecretKey" -}}
+{{- if .Values.customInsightsKeySecretKey -}}
+ {{- .Values.customInsightsKeySecretKey -}}
+{{- else if .Values.global -}}
+ {{- if .Values.global.customInsightsKeySecretKey }}
+ {{- .Values.global.customInsightsKeySecretKey -}}
+ {{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/new-relic/nri-bundle/charts/newrelic-k8s-metrics-adapter/charts/common-library/templates/_insights_secret.yaml.tpl b/charts/new-relic/nri-bundle/charts/newrelic-k8s-metrics-adapter/charts/common-library/templates/_insights_secret.yaml.tpl
new file mode 100644
index 000000000..556caa6ca
--- /dev/null
+++ b/charts/new-relic/nri-bundle/charts/newrelic-k8s-metrics-adapter/charts/common-library/templates/_insights_secret.yaml.tpl
@@ -0,0 +1,21 @@
+{{/*
+Renders the insights key secret if user has not specified a custom secret.
+*/}}
+{{- define "newrelic.common.insightsKey.secret" }}
+{{- if not (include "newrelic.common.insightsKey._customSecretName" .) }}
+{{- /* Fail if licenseKey is empty and required: */ -}}
+{{- if not (include "newrelic.common.insightsKey._licenseKey" .) }}
+ {{- fail "You must specify a insightsKey or a customInsightsSecretName containing it" }}
+{{- end }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ include "newrelic.common.insightsKey.secretName" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "newrelic.common.labels" . | nindent 4 }}
+data:
+ {{ include "newrelic.common.insightsKey.secretKeyName" . }}: {{ include "newrelic.common.insightsKey._licenseKey" . | b64enc }}
+{{- end }}
+{{- end }}
diff --git a/charts/new-relic/nri-bundle/charts/newrelic-k8s-metrics-adapter/charts/common-library/templates/_license.tpl b/charts/new-relic/nri-bundle/charts/newrelic-k8s-metrics-adapter/charts/common-library/templates/_license.tpl
index d1ec88e49..647b4ff43 100644
--- a/charts/new-relic/nri-bundle/charts/newrelic-k8s-metrics-adapter/charts/common-library/templates/_license.tpl
+++ b/charts/new-relic/nri-bundle/charts/newrelic-k8s-metrics-adapter/charts/common-library/templates/_license.tpl
@@ -2,14 +2,15 @@ Return the name of the secret holding the License Key. */}} {{- define "newrelic.common.license.secretName" -}} -{{ include "newrelic.common.license._customSecretName" . | default (printf "%s-license" (include "newrelic.common.naming.fullname" . )) }} +{{- $default := include "newrelic.common.naming.truncateToDNSWithSuffix" ( dict "name" (include "newrelic.common.naming.fullname" .) "suffix" "license" ) -}} +{{- include "newrelic.common.license._customSecretName" . | default $default -}} {{- end -}} {{/* Return the name key for the License Key inside the secret. */}} {{- define "newrelic.common.license.secretKeyName" -}} -{{ include "newrelic.common.license._customSecretKey" . | default "licenseKey" }} +{{- include "newrelic.common.license._customSecretKey" . | default "licenseKey" -}} {{- end -}} {{/* diff --git a/charts/new-relic/nri-bundle/charts/newrelic-prometheus-agent/Chart.lock b/charts/new-relic/nri-bundle/charts/newrelic-prometheus-agent/Chart.lock index 63a6a1f58..18bbb9ef4 100644 --- a/charts/new-relic/nri-bundle/charts/newrelic-prometheus-agent/Chart.lock +++ b/charts/new-relic/nri-bundle/charts/newrelic-prometheus-agent/Chart.lock @@ -1,6 +1,6 @@ dependencies: - name: common-library repository: https://helm-charts.newrelic.com - version: 1.1.1 -digest: sha256:3c9053021f3c22aa3cdfc6781d3498bcbedb0b973af9121b1722469744fb5162 -generated: "2023-03-17T21:52:16.727868721Z" + version: 1.2.0 +digest: sha256:fa87cb007564a39a72739a3e850a91d6b03c0fc27a1115deac042b3ef77b4142 +generated: "2024-06-21T18:14:01.260095101Z" diff --git a/charts/new-relic/nri-bundle/charts/newrelic-prometheus-agent/Chart.yaml b/charts/new-relic/nri-bundle/charts/newrelic-prometheus-agent/Chart.yaml index ac3955353..7d4e67469 100644 --- a/charts/new-relic/nri-bundle/charts/newrelic-prometheus-agent/Chart.yaml +++ b/charts/new-relic/nri-bundle/charts/newrelic-prometheus-agent/Chart.yaml 
@@ -1,11 +1,11 @@ annotations: - configuratorVersion: 1.16.4 + configuratorVersion: 1.17.0 apiVersion: v2 appVersion: v2.37.8 dependencies: - name: common-library repository: https://helm-charts.newrelic.com - version: 1.1.1 + version: 1.2.0 description: A Helm chart to deploy Prometheus with New Relic Prometheus Configurator. keywords: - newrelic @@ -19,4 +19,4 @@ maintainers: url: https://github.com/dbudziwojskiNR name: newrelic-prometheus-agent type: application -version: 1.13.4 +version: 1.14.0 diff --git a/charts/new-relic/nri-bundle/charts/newrelic-prometheus-agent/charts/common-library/Chart.yaml b/charts/new-relic/nri-bundle/charts/newrelic-prometheus-agent/charts/common-library/Chart.yaml index d01fcb482..b65ac15d4 100644 --- a/charts/new-relic/nri-bundle/charts/newrelic-prometheus-agent/charts/common-library/Chart.yaml +++ b/charts/new-relic/nri-bundle/charts/newrelic-prometheus-agent/charts/common-library/Chart.yaml @@ -4,24 +4,14 @@ keywords: - newrelic - chart-library maintainers: -- name: nserrino - url: https://github.com/nserrino -- name: philkuz - url: https://github.com/philkuz -- name: htroisi - url: https://github.com/htroisi - name: juanjjaramillo url: https://github.com/juanjjaramillo -- name: svetlanabrennan - url: https://github.com/svetlanabrennan -- name: nrepai - url: https://github.com/nrepai - name: csongnr url: https://github.com/csongnr -- name: vuqtran88 - url: https://github.com/vuqtran88 -- name: xqi-nr - url: https://github.com/xqi-nr +- name: dbudziwojskiNR + url: https://github.com/dbudziwojskiNR +- name: kang-makes + url: https://github.com/kang-makes name: common-library type: library -version: 1.1.1 +version: 1.2.0 diff --git a/charts/new-relic/nri-bundle/charts/newrelic-prometheus-agent/charts/common-library/DEVELOPERS.md b/charts/new-relic/nri-bundle/charts/newrelic-prometheus-agent/charts/common-library/DEVELOPERS.md index f19983a67..3ccc108e2 100644 
--- a/charts/new-relic/nri-bundle/charts/newrelic-prometheus-agent/charts/common-library/DEVELOPERS.md +++ b/charts/new-relic/nri-bundle/charts/newrelic-prometheus-agent/charts/common-library/DEVELOPERS.md @@ -462,6 +462,49 @@ You just must have a template with these two lines: +## _insights.tpl +### `newrelic.common.insightsKey.secretName` and ### `newrelic.common.insightsKey.secretKeyName` +Returns the secret and key inside the secret where to read the insights key. + +The common library will take care of using a user-provided custom secret or creating a secret that contains the insights key. + +To create the secret use `newrelic.common.insightsKey.secret`. + +Usage: +```mustache +apiVersion: v1 +kind: Pod +metadata: + name: statsd +spec: + containers: + - name: statsd + env: + - name: "INSIGHTS_KEY" + valueFrom: + secretKeyRef: + name: {{ include "newrelic.common.insightsKey.secretName" . }} + key: {{ include "newrelic.common.insightsKey.secretKeyName" . }} +``` + + + +## _insights_secret.tpl +### `newrelic.common.insightsKey.secret` +This function templates the secret that is used by agents and integrations with the insights key provided by the user. It will +template nothing (empty string) if the user provides a custom pair of secret name and key. + +This template also fails in case the user has not provided any insights key or custom secret so no safety checks have to be done +by chart writers. + +You just must have a template with these two lines: +```mustache +{{- /* Common library will take care of creating the secret or not. */ -}} +{{- include "newrelic.common.insightsKey.secret" . -}} +``` + + + ## _low-data-mode.tpl ### `newrelic.common.lowDataMode` Like almost everything in this library, it reads global and local variables: 
diff --git a/charts/new-relic/nri-bundle/charts/newrelic-prometheus-agent/charts/common-library/templates/_insights.tpl b/charts/new-relic/nri-bundle/charts/newrelic-prometheus-agent/charts/common-library/templates/_insights.tpl new file mode 100644 index 000000000..895c37732 --- /dev/null +++ b/charts/new-relic/nri-bundle/charts/newrelic-prometheus-agent/charts/common-library/templates/_insights.tpl 
@@ -0,0 +1,56 @@
+{{/*
+Return the name of the secret holding the Insights Key.
+*/}}
+{{- define "newrelic.common.insightsKey.secretName" -}}
+{{- $default := include "newrelic.common.naming.truncateToDNSWithSuffix" ( dict "name" (include "newrelic.common.naming.fullname" .) "suffix" "insightskey" ) -}}
+{{- include "newrelic.common.insightsKey._customSecretName" . | default $default -}}
+{{- end -}}
+
+{{/*
+Return the name key for the Insights Key inside the secret.
+*/}}
+{{- define "newrelic.common.insightsKey.secretKeyName" -}}
+{{- include "newrelic.common.insightsKey._customSecretKey" . | default "insightsKey" -}}
+{{- end -}}
+
+{{/*
+Return local insightsKey if set, global otherwise.
+This helper is for internal use.
+*/}}
+{{- define "newrelic.common.insightsKey._licenseKey" -}}
+{{- if .Values.insightsKey -}}
+ {{- .Values.insightsKey -}}
+{{- else if .Values.global -}}
+ {{- if .Values.global.insightsKey -}}
+ {{- .Values.global.insightsKey -}}
+ {{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return the name of the secret holding the Insights Key.
+This helper is for internal use.
+*/}}
+{{- define "newrelic.common.insightsKey._customSecretName" -}}
+{{- if .Values.customInsightsKeySecretName -}}
+ {{- .Values.customInsightsKeySecretName -}}
+{{- else if .Values.global -}}
+ {{- if .Values.global.customInsightsKeySecretName -}}
+ {{- .Values.global.customInsightsKeySecretName -}}
+ {{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return the name key for the Insights Key inside the secret.
+This helper is for internal use.
+*/}}
+{{- define "newrelic.common.insightsKey._customSecretKey" -}}
+{{- if .Values.customInsightsKeySecretKey -}}
+ {{- .Values.customInsightsKeySecretKey -}}
+{{- else if .Values.global -}}
+ {{- if .Values.global.customInsightsKeySecretKey }}
+ {{- .Values.global.customInsightsKeySecretKey -}}
+ {{- end -}}
+{{- end -}}
+{{- end -}}
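Review bot: The helper added as `newrelic.common.insightsKey._licenseKey` returns `.Values.insightsKey` / `.Values.global.insightsKey`, so its name describes the license template it was copied from rather than what it returns; renaming it `newrelic.common.insightsKey._insightsKey` (and its two call sites in `_insights_secret.yaml.tpl`) would stop readers from conflating the two credentials. In `_customSecretKey`, the line `{{- if .Values.global.customInsightsKeySecretKey }}` lacks the trailing `-}}` every sibling branch uses; the following `{{-` swallows the whitespace so output is unaffected, but it reads as an oversight and should be `{{- if .Values.global.customInsightsKeySecretKey -}}`. Identical copies of this file are added for nri-kube-events and nri-metadata-injection in this commit.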
diff --git a/charts/new-relic/nri-bundle/charts/newrelic-prometheus-agent/charts/common-library/templates/_insights_secret.yaml.tpl b/charts/new-relic/nri-bundle/charts/newrelic-prometheus-agent/charts/common-library/templates/_insights_secret.yaml.tpl new file mode 100644 index 000000000..556caa6ca --- /dev/null +++ b/charts/new-relic/nri-bundle/charts/newrelic-prometheus-agent/charts/common-library/templates/_insights_secret.yaml.tpl @@ -0,0 +1,21 @@ +{{/* +Renders the insights key secret if user has not specified a custom secret. +*/}} +{{- define "newrelic.common.insightsKey.secret" }} +{{- if not (include "newrelic.common.insightsKey._customSecretName" .) }} +{{- /* Fail if licenseKey is empty and required: */ -}} +{{- if not (include "newrelic.common.insightsKey._licenseKey" .) }} + {{- fail "You must specify a insightsKey or a customInsightsSecretName containing it" }} +{{- end }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "newrelic.common.insightsKey.secretName" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "newrelic.common.labels" . | nindent 4 }} +data: + {{ include "newrelic.common.insightsKey.secretKeyName" . }}: {{ include "newrelic.common.insightsKey._licenseKey" . | b64enc }} +{{- end }} +{{- end }} diff --git a/charts/new-relic/nri-bundle/charts/newrelic-prometheus-agent/charts/common-library/templates/_license.tpl b/charts/new-relic/nri-bundle/charts/newrelic-prometheus-agent/charts/common-library/templates/_license.tpl index d1ec88e49..647b4ff43 100644 --- a/charts/new-relic/nri-bundle/charts/newrelic-prometheus-agent/charts/common-library/templates/_license.tpl +++ b/charts/new-relic/nri-bundle/charts/newrelic-prometheus-agent/charts/common-library/templates/_license.tpl 
@@ -2,14 +2,15 @@ Return the name of the secret holding the License Key. */}} {{- define "newrelic.common.license.secretName" -}} -{{ include "newrelic.common.license._customSecretName" . | default (printf "%s-license" (include "newrelic.common.naming.fullname" . )) }} +{{- $default := include "newrelic.common.naming.truncateToDNSWithSuffix" ( dict "name" (include "newrelic.common.naming.fullname" .) "suffix" "license" ) -}} +{{- include "newrelic.common.license._customSecretName" . | default $default -}} {{- end -}} {{/* Return the name key for the License Key inside the secret. */}} {{- define "newrelic.common.license.secretKeyName" -}} -{{ include "newrelic.common.license._customSecretKey" . | default "licenseKey" }} +{{- include "newrelic.common.license._customSecretKey" . | default "licenseKey" -}} {{- end -}} {{/* diff --git a/charts/new-relic/nri-bundle/charts/nri-kube-events/Chart.lock b/charts/new-relic/nri-bundle/charts/nri-kube-events/Chart.lock index ee899c0fb..dff6eab20 100644 --- a/charts/new-relic/nri-bundle/charts/nri-kube-events/Chart.lock +++ b/charts/new-relic/nri-bundle/charts/nri-kube-events/Chart.lock @@ -1,6 +1,6 @@ dependencies: - name: common-library repository: https://helm-charts.newrelic.com - version: 1.1.1 -digest: sha256:3c9053021f3c22aa3cdfc6781d3498bcbedb0b973af9121b1722469744fb5162 -generated: "2023-03-14T22:34:43.015395995Z" + version: 1.2.0 +digest: sha256:fa87cb007564a39a72739a3e850a91d6b03c0fc27a1115deac042b3ef77b4142 +generated: "2024-06-21T19:47:28.685291839Z" diff --git a/charts/new-relic/nri-bundle/charts/nri-kube-events/Chart.yaml b/charts/new-relic/nri-bundle/charts/nri-kube-events/Chart.yaml index 0cf7458bc..0f6911a26 100644 --- a/charts/new-relic/nri-bundle/charts/nri-kube-events/Chart.yaml +++ b/charts/new-relic/nri-bundle/charts/nri-kube-events/Chart.yaml 
@@ -1,9 +1,9 @@ apiVersion: v2 -appVersion: 2.9.10 +appVersion: 2.10.0 dependencies: - name: common-library repository: https://helm-charts.newrelic.com - version: 1.1.1 + version: 1.2.0 description: A Helm chart to deploy the New Relic Kube Events router home: https://docs.newrelic.com/docs/integrations/kubernetes-integration/kubernetes-events/install-kubernetes-events-integration icon: https://newrelic.com/themes/custom/curio/assets/mediakit/NR_logo_Horizontal.svg @@ -23,4 +23,4 @@ sources: - https://github.com/newrelic/nri-kube-events/ - https://github.com/newrelic/nri-kube-events/tree/main/charts/nri-kube-events - https://github.com/newrelic/infrastructure-agent/ -version: 3.9.10 +version: 3.10.0 diff --git a/charts/new-relic/nri-bundle/charts/nri-kube-events/README.md b/charts/new-relic/nri-bundle/charts/nri-kube-events/README.md index 32039e3d3..93587461a 100644 --- a/charts/new-relic/nri-bundle/charts/nri-kube-events/README.md +++ b/charts/new-relic/nri-bundle/charts/nri-kube-events/README.md @@ -1,6 +1,6 @@ # nri-kube-events -![Version: 3.9.10](https://img.shields.io/badge/Version-3.9.10-informational?style=flat-square) ![AppVersion: 2.9.10](https://img.shields.io/badge/AppVersion-2.9.10-informational?style=flat-square) +![Version: 3.10.0](https://img.shields.io/badge/Version-3.10.0-informational?style=flat-square) ![AppVersion: 2.10.0](https://img.shields.io/badge/AppVersion-2.10.0-informational?style=flat-square) A Helm chart to deploy the New Relic Kube Events router diff --git a/charts/new-relic/nri-bundle/charts/nri-kube-events/charts/common-library/Chart.yaml b/charts/new-relic/nri-bundle/charts/nri-kube-events/charts/common-library/Chart.yaml index d01fcb482..b65ac15d4 100644 --- a/charts/new-relic/nri-bundle/charts/nri-kube-events/charts/common-library/Chart.yaml +++ b/charts/new-relic/nri-bundle/charts/nri-kube-events/charts/common-library/Chart.yaml 
@@ -4,24 +4,14 @@ keywords: - newrelic - chart-library maintainers: -- name: nserrino - url: https://github.com/nserrino -- name: philkuz - url: https://github.com/philkuz -- name: htroisi - url: https://github.com/htroisi - name: juanjjaramillo url: https://github.com/juanjjaramillo -- name: svetlanabrennan - url: https://github.com/svetlanabrennan -- name: nrepai - url: https://github.com/nrepai - name: csongnr url: https://github.com/csongnr -- name: vuqtran88 - url: https://github.com/vuqtran88 -- name: xqi-nr - url: https://github.com/xqi-nr +- name: dbudziwojskiNR + url: https://github.com/dbudziwojskiNR +- name: kang-makes + url: https://github.com/kang-makes name: common-library type: library -version: 1.1.1 +version: 1.2.0 diff --git a/charts/new-relic/nri-bundle/charts/nri-kube-events/charts/common-library/DEVELOPERS.md b/charts/new-relic/nri-bundle/charts/nri-kube-events/charts/common-library/DEVELOPERS.md index f19983a67..3ccc108e2 100644 --- a/charts/new-relic/nri-bundle/charts/nri-kube-events/charts/common-library/DEVELOPERS.md +++ b/charts/new-relic/nri-bundle/charts/nri-kube-events/charts/common-library/DEVELOPERS.md 
@@ -462,6 +462,49 @@ You just must have a template with these two lines: +## _insights.tpl +### `newrelic.common.insightsKey.secretName` and ### `newrelic.common.insightsKey.secretKeyName` +Returns the secret and key inside the secret where to read the insights key. + +The common library will take care of using a user-provided custom secret or creating a secret that contains the insights key. + +To create the secret use `newrelic.common.insightsKey.secret`. + +Usage: +```mustache +apiVersion: v1 +kind: Pod +metadata: + name: statsd +spec: + containers: + - name: statsd + env: + - name: "INSIGHTS_KEY" + valueFrom: + secretKeyRef: + name: {{ include "newrelic.common.insightsKey.secretName" . }} + key: {{ include "newrelic.common.insightsKey.secretKeyName" . }} +``` + + + +## _insights_secret.tpl +### `newrelic.common.insightsKey.secret` +This function templates the secret that is used by agents and integrations with the insights key provided by the user. It will +template nothing (empty string) if the user provides a custom pair of secret name and key. + +This template also fails in case the user has not provided any insights key or custom secret so no safety checks have to be done +by chart writers. + +You just must have a template with these two lines: +```mustache +{{- /* Common library will take care of creating the secret or not. */ -}} +{{- include "newrelic.common.insightsKey.secret" . -}} +``` + + + ## _low-data-mode.tpl ### `newrelic.common.lowDataMode` Like almost everything in this library, it reads global and local variables: diff --git a/charts/new-relic/nri-bundle/charts/nri-kube-events/charts/common-library/templates/_insights.tpl b/charts/new-relic/nri-bundle/charts/nri-kube-events/charts/common-library/templates/_insights.tpl new file mode 100644 index 000000000..895c37732 --- /dev/null +++ b/charts/new-relic/nri-bundle/charts/nri-kube-events/charts/common-library/templates/_insights.tpl 
@@ -0,0 +1,56 @@ +{{/* +Return the name of the secret holding the Insights Key. +*/}} +{{- define "newrelic.common.insightsKey.secretName" -}} +{{- $default := include "newrelic.common.naming.truncateToDNSWithSuffix" ( dict "name" (include "newrelic.common.naming.fullname" .) "suffix" "insightskey" ) -}} +{{- include "newrelic.common.insightsKey._customSecretName" . | default $default -}} +{{- end -}} + +{{/* +Return the name key for the Insights Key inside the secret. +*/}} +{{- define "newrelic.common.insightsKey.secretKeyName" -}} +{{- include "newrelic.common.insightsKey._customSecretKey" . | default "insightsKey" -}} +{{- end -}} + +{{/* +Return local insightsKey if set, global otherwise. +This helper is for internal use. +*/}} +{{- define "newrelic.common.insightsKey._licenseKey" -}} +{{- if .Values.insightsKey -}} + {{- .Values.insightsKey -}} +{{- else if .Values.global -}} + {{- if .Values.global.insightsKey -}} + {{- .Values.global.insightsKey -}} + {{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Return the name of the secret holding the Insights Key. +This helper is for internal use. +*/}} +{{- define "newrelic.common.insightsKey._customSecretName" -}} +{{- if .Values.customInsightsKeySecretName -}} + {{- .Values.customInsightsKeySecretName -}} +{{- else if .Values.global -}} + {{- if .Values.global.customInsightsKeySecretName -}} + {{- .Values.global.customInsightsKeySecretName -}} + {{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Return the name key for the Insights Key inside the secret. +This helper is for internal use. +*/}} +{{- define "newrelic.common.insightsKey._customSecretKey" -}} +{{- if .Values.customInsightsKeySecretKey -}} + {{- .Values.customInsightsKeySecretKey -}} +{{- else if .Values.global -}} + {{- if .Values.global.customInsightsKeySecretKey }} + {{- .Values.global.customInsightsKeySecretKey -}} + {{- end -}} +{{- end -}} +{{- end -}} 
diff --git a/charts/new-relic/nri-bundle/charts/nri-kube-events/charts/common-library/templates/_insights_secret.yaml.tpl b/charts/new-relic/nri-bundle/charts/nri-kube-events/charts/common-library/templates/_insights_secret.yaml.tpl new file mode 100644 index 000000000..556caa6ca --- /dev/null +++ b/charts/new-relic/nri-bundle/charts/nri-kube-events/charts/common-library/templates/_insights_secret.yaml.tpl @@ -0,0 +1,21 @@ +{{/* +Renders the insights key secret if user has not specified a custom secret. +*/}} +{{- define "newrelic.common.insightsKey.secret" }} +{{- if not (include "newrelic.common.insightsKey._customSecretName" .) }} +{{- /* Fail if licenseKey is empty and required: */ -}} +{{- if not (include "newrelic.common.insightsKey._licenseKey" .) }} + {{- fail "You must specify a insightsKey or a customInsightsSecretName containing it" }} +{{- end }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "newrelic.common.insightsKey.secretName" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "newrelic.common.labels" . | nindent 4 }} +data: + {{ include "newrelic.common.insightsKey.secretKeyName" . }}: {{ include "newrelic.common.insightsKey._licenseKey" . | b64enc }} +{{- end }} +{{- end }} diff --git a/charts/new-relic/nri-bundle/charts/nri-kube-events/charts/common-library/templates/_license.tpl b/charts/new-relic/nri-bundle/charts/nri-kube-events/charts/common-library/templates/_license.tpl index d1ec88e49..647b4ff43 100644 --- a/charts/new-relic/nri-bundle/charts/nri-kube-events/charts/common-library/templates/_license.tpl +++ b/charts/new-relic/nri-bundle/charts/nri-kube-events/charts/common-library/templates/_license.tpl 
@@ -2,14 +2,15 @@ Return the name of the secret holding the License Key. */}} {{- define "newrelic.common.license.secretName" -}} -{{ include "newrelic.common.license._customSecretName" . | default (printf "%s-license" (include "newrelic.common.naming.fullname" . )) }} +{{- $default := include "newrelic.common.naming.truncateToDNSWithSuffix" ( dict "name" (include "newrelic.common.naming.fullname" .) "suffix" "license" ) -}} +{{- include "newrelic.common.license._customSecretName" . | default $default -}} {{- end -}} {{/* Return the name key for the License Key inside the secret. */}} {{- define "newrelic.common.license.secretKeyName" -}} -{{ include "newrelic.common.license._customSecretKey" . | default "licenseKey" }} +{{- include "newrelic.common.license._customSecretKey" . | default "licenseKey" -}} {{- end -}} {{/* diff --git a/charts/new-relic/nri-bundle/charts/nri-kube-events/values.yaml b/charts/new-relic/nri-bundle/charts/nri-kube-events/values.yaml index d469810e1..f0d5fbe20 100644 --- a/charts/new-relic/nri-bundle/charts/nri-kube-events/values.yaml +++ b/charts/new-relic/nri-bundle/charts/nri-kube-events/values.yaml @@ -27,7 +27,7 @@ images: agent: registry: repository: newrelic/k8s-events-forwarder - tag: 1.52.3 + tag: 1.53.0 pullPolicy: IfNotPresent # -- The secrets that are needed to pull images from a custom registry. pullSecrets: [] diff --git a/charts/new-relic/nri-bundle/charts/nri-metadata-injection/Chart.lock b/charts/new-relic/nri-bundle/charts/nri-metadata-injection/Chart.lock index 546738c19..c65e88efd 100644 --- a/charts/new-relic/nri-bundle/charts/nri-metadata-injection/Chart.lock +++ b/charts/new-relic/nri-bundle/charts/nri-metadata-injection/Chart.lock 
@@ -1,6 +1,6 @@ dependencies: - name: common-library repository: https://helm-charts.newrelic.com - version: 1.1.1 -digest: sha256:3c9053021f3c22aa3cdfc6781d3498bcbedb0b973af9121b1722469744fb5162 -generated: "2023-03-21T23:56:18.46795845Z" + version: 1.2.0 +digest: sha256:fa87cb007564a39a72739a3e850a91d6b03c0fc27a1115deac042b3ef77b4142 +generated: "2024-06-21T17:31:31.266100576Z" diff --git a/charts/new-relic/nri-bundle/charts/nri-metadata-injection/Chart.yaml b/charts/new-relic/nri-bundle/charts/nri-metadata-injection/Chart.yaml index 39f6a955d..2a1936952 100644 --- a/charts/new-relic/nri-bundle/charts/nri-metadata-injection/Chart.yaml +++ b/charts/new-relic/nri-bundle/charts/nri-metadata-injection/Chart.yaml @@ -1,9 +1,9 @@ apiVersion: v2 -appVersion: 1.27.4 +appVersion: 1.28.0 dependencies: - name: common-library repository: https://helm-charts.newrelic.com - version: 1.1.1 + version: 1.2.0 description: A Helm chart to deploy the New Relic metadata injection webhook. home: https://hub.docker.com/r/newrelic/k8s-metadata-injection icon: https://newrelic.com/assets/newrelic/source/NewRelic-logo-square.svg @@ -22,4 +22,4 @@ name: nri-metadata-injection sources: - https://github.com/newrelic/k8s-metadata-injection - https://github.com/newrelic/k8s-metadata-injection/tree/master/charts/nri-metadata-injection -version: 4.19.4 +version: 4.20.0 diff --git a/charts/new-relic/nri-bundle/charts/nri-metadata-injection/charts/common-library/Chart.yaml b/charts/new-relic/nri-bundle/charts/nri-metadata-injection/charts/common-library/Chart.yaml index d01fcb482..b65ac15d4 100644 --- a/charts/new-relic/nri-bundle/charts/nri-metadata-injection/charts/common-library/Chart.yaml +++ b/charts/new-relic/nri-bundle/charts/nri-metadata-injection/charts/common-library/Chart.yaml 
@@ -4,24 +4,14 @@ keywords: - newrelic - chart-library maintainers: -- name: nserrino - url: https://github.com/nserrino -- name: philkuz - url: https://github.com/philkuz -- name: htroisi - url: https://github.com/htroisi - name: juanjjaramillo url: https://github.com/juanjjaramillo -- name: svetlanabrennan - url: https://github.com/svetlanabrennan -- name: nrepai - url: https://github.com/nrepai - name: csongnr url: https://github.com/csongnr -- name: vuqtran88 - url: https://github.com/vuqtran88 -- name: xqi-nr - url: https://github.com/xqi-nr +- name: dbudziwojskiNR + url: https://github.com/dbudziwojskiNR +- name: kang-makes + url: https://github.com/kang-makes name: common-library type: library -version: 1.1.1 +version: 1.2.0 diff --git a/charts/new-relic/nri-bundle/charts/nri-metadata-injection/charts/common-library/DEVELOPERS.md b/charts/new-relic/nri-bundle/charts/nri-metadata-injection/charts/common-library/DEVELOPERS.md index f19983a67..3ccc108e2 100644 --- a/charts/new-relic/nri-bundle/charts/nri-metadata-injection/charts/common-library/DEVELOPERS.md +++ b/charts/new-relic/nri-bundle/charts/nri-metadata-injection/charts/common-library/DEVELOPERS.md 
@@ -462,6 +462,49 @@ You just must have a template with these two lines: +## _insights.tpl +### `newrelic.common.insightsKey.secretName` and ### `newrelic.common.insightsKey.secretKeyName` +Returns the secret and key inside the secret where to read the insights key. + +The common library will take care of using a user-provided custom secret or creating a secret that contains the insights key. + +To create the secret use `newrelic.common.insightsKey.secret`. + +Usage: +```mustache +apiVersion: v1 +kind: Pod +metadata: + name: statsd +spec: + containers: + - name: statsd + env: + - name: "INSIGHTS_KEY" + valueFrom: + secretKeyRef: + name: {{ include "newrelic.common.insightsKey.secretName" . }} + key: {{ include "newrelic.common.insightsKey.secretKeyName" . }} +``` + + + +## _insights_secret.tpl +### `newrelic.common.insightsKey.secret` +This function templates the secret that is used by agents and integrations with the insights key provided by the user. It will +template nothing (empty string) if the user provides a custom pair of secret name and key. + +This template also fails in case the user has not provided any insights key or custom secret so no safety checks have to be done +by chart writers. + +You just must have a template with these two lines: +```mustache +{{- /* Common library will take care of creating the secret or not. */ -}} +{{- include "newrelic.common.insightsKey.secret" . -}} +``` + + + ## _low-data-mode.tpl ### `newrelic.common.lowDataMode` Like almost everything in this library, it reads global and local variables: diff --git a/charts/new-relic/nri-bundle/charts/nri-metadata-injection/charts/common-library/templates/_insights.tpl b/charts/new-relic/nri-bundle/charts/nri-metadata-injection/charts/common-library/templates/_insights.tpl new file mode 100644 index 000000000..895c37732 --- /dev/null +++ b/charts/new-relic/nri-bundle/charts/nri-metadata-injection/charts/common-library/templates/_insights.tpl 
@@ -0,0 +1,56 @@ +{{/* +Return the name of the secret holding the Insights Key. +*/}} +{{- define "newrelic.common.insightsKey.secretName" -}} +{{- $default := include "newrelic.common.naming.truncateToDNSWithSuffix" ( dict "name" (include "newrelic.common.naming.fullname" .) "suffix" "insightskey" ) -}} +{{- include "newrelic.common.insightsKey._customSecretName" . | default $default -}} +{{- end -}} + +{{/* +Return the name key for the Insights Key inside the secret. +*/}} +{{- define "newrelic.common.insightsKey.secretKeyName" -}} +{{- include "newrelic.common.insightsKey._customSecretKey" . | default "insightsKey" -}} +{{- end -}} + +{{/* +Return local insightsKey if set, global otherwise. +This helper is for internal use. +*/}} +{{- define "newrelic.common.insightsKey._licenseKey" -}} +{{- if .Values.insightsKey -}} + {{- .Values.insightsKey -}} +{{- else if .Values.global -}} + {{- if .Values.global.insightsKey -}} + {{- .Values.global.insightsKey -}} + {{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Return the name of the secret holding the Insights Key. +This helper is for internal use. +*/}} +{{- define "newrelic.common.insightsKey._customSecretName" -}} +{{- if .Values.customInsightsKeySecretName -}} + {{- .Values.customInsightsKeySecretName -}} +{{- else if .Values.global -}} + {{- if .Values.global.customInsightsKeySecretName -}} + {{- .Values.global.customInsightsKeySecretName -}} + {{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Return the name key for the Insights Key inside the secret. +This helper is for internal use. +*/}} +{{- define "newrelic.common.insightsKey._customSecretKey" -}} +{{- if .Values.customInsightsKeySecretKey -}} + {{- .Values.customInsightsKeySecretKey -}} +{{- else if .Values.global -}} + {{- if .Values.global.customInsightsKeySecretKey }} + {{- .Values.global.customInsightsKeySecretKey -}} + {{- end -}} +{{- end -}} +{{- end -}} 
diff --git a/charts/new-relic/nri-bundle/charts/nri-metadata-injection/charts/common-library/templates/_insights_secret.yaml.tpl b/charts/new-relic/nri-bundle/charts/nri-metadata-injection/charts/common-library/templates/_insights_secret.yaml.tpl new file mode 100644 index 000000000..556caa6ca --- /dev/null +++ b/charts/new-relic/nri-bundle/charts/nri-metadata-injection/charts/common-library/templates/_insights_secret.yaml.tpl @@ -0,0 +1,21 @@ +{{/* +Renders the insights key secret if user has not specified a custom secret. +*/}} +{{- define "newrelic.common.insightsKey.secret" }} +{{- if not (include "newrelic.common.insightsKey._customSecretName" .) }} +{{- /* Fail if licenseKey is empty and required: */ -}} +{{- if not (include "newrelic.common.insightsKey._licenseKey" .) }} + {{- fail "You must specify a insightsKey or a customInsightsSecretName containing it" }} +{{- end }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "newrelic.common.insightsKey.secretName" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "newrelic.common.labels" . | nindent 4 }} +data: + {{ include "newrelic.common.insightsKey.secretKeyName" . }}: {{ include "newrelic.common.insightsKey._licenseKey" . | b64enc }} +{{- end }} +{{- end }} diff --git a/charts/new-relic/nri-bundle/charts/nri-metadata-injection/charts/common-library/templates/_license.tpl b/charts/new-relic/nri-bundle/charts/nri-metadata-injection/charts/common-library/templates/_license.tpl index d1ec88e49..647b4ff43 100644 --- a/charts/new-relic/nri-bundle/charts/nri-metadata-injection/charts/common-library/templates/_license.tpl +++ b/charts/new-relic/nri-bundle/charts/nri-metadata-injection/charts/common-library/templates/_license.tpl 
@@ -2,14 +2,15 @@ Return the name of the secret holding the License Key. */}} {{- define "newrelic.common.license.secretName" -}} -{{ include "newrelic.common.license._customSecretName" . | default (printf "%s-license" (include "newrelic.common.naming.fullname" . )) }} +{{- $default := include "newrelic.common.naming.truncateToDNSWithSuffix" ( dict "name" (include "newrelic.common.naming.fullname" .) "suffix" "license" ) -}} +{{- include "newrelic.common.license._customSecretName" . | default $default -}} {{- end -}} {{/* Return the name key for the License Key inside the secret. */}} {{- define "newrelic.common.license.secretKeyName" -}} -{{ include "newrelic.common.license._customSecretKey" . | default "licenseKey" }} +{{- include "newrelic.common.license._customSecretKey" . | default "licenseKey" -}} {{- end -}} {{/* diff --git a/charts/new-relic/nri-bundle/values.yaml b/charts/new-relic/nri-bundle/values.yaml index 17b166ae6..47c58df8e 100644 --- a/charts/new-relic/nri-bundle/values.yaml +++ b/charts/new-relic/nri-bundle/values.yaml @@ -29,6 +29,10 @@ newrelic-pixie: # newrelic-pixie.enabled -- Install the [`newrelic-pixie`](https://github.com/newrelic/helm-charts/tree/master/charts/newrelic-pixie) enabled: false +k8s-agents-operator: + # k8s-agents-operator.enabled -- Install the [`k8s-agents-operator` chart](https://github.com/newrelic/k8s-agents-operator/tree/main/charts/k8s-agents-operator) + enabled: false + pixie-chart: # pixie-chart.enabled -- Install the [`pixie-chart` chart](https://docs.pixielabs.ai/installing-pixie/install-schemes/helm/#3.-deploy) enabled: false diff --git a/charts/percona/psmdb-db/Chart.yaml b/charts/percona/psmdb-db/Chart.yaml index 26acbf27d..e4836a49c 100644 --- a/charts/percona/psmdb-db/Chart.yaml +++ b/charts/percona/psmdb-db/Chart.yaml 
@@ -4,7 +4,7 @@ annotations: catalog.cattle.io/kube-version: '>=1.21-0' catalog.cattle.io/release-name: psmdb-db apiVersion: v2 -appVersion: 1.16.0 +appVersion: 1.16.1 description: A Helm chart for installing Percona Server MongoDB Cluster Databases using the PSMDB Operator. home: https://www.percona.com/doc/kubernetes-operator-for-psmongodb/index.html @@ -15,4 +15,4 @@ maintainers: - email: natalia.marukovich@percona.com name: nmarukovich name: psmdb-db -version: 1.16.1 +version: 1.16.2 diff --git a/charts/percona/psmdb-db/README.md b/charts/percona/psmdb-db/README.md index bca257632..dd1d29ff1 100644 --- a/charts/percona/psmdb-db/README.md +++ b/charts/percona/psmdb-db/README.md @@ -8,7 +8,7 @@ Useful links: ## Pre-requisites * Percona Operator for MongoDB running in your Kubernetes cluster. See installation details [here](https://github.com/percona/percona-helm-charts/blob/main/charts/psmdb-operator) or in the [Operator Documentation](https://www.percona.com/doc/kubernetes-operator-for-psmongodb/helm.html). -* Kubernetes 1.25+ +* Kubernetes 1.26+ * Helm v3 # Chart Details 
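Review bot: The README hunks in this commit raise the documented minimum to `Kubernetes 1.26+` for psmdb-db (and for psmdb-operator in the next file), but the `catalog.cattle.io/kube-version: '>=1.21-0'` annotation left as context in this Chart.yaml hunk still advertises the chart to 1.21 clusters, so the catalog would offer an install the README calls unsupported. If 1.26 is the real floor, the annotation should become `catalog.cattle.io/kube-version: '>=1.26-0'` in both charts; if the wider range is intentional, the README wording should explain the difference.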
@@ -19,14 +19,14 @@ To install the chart with the `psmdb` release name using a dedicated namespace ( ```sh helm repo add percona https://percona.github.io/percona-helm-charts/ -helm install my-db percona/psmdb-db --version 1.16.0 --namespace my-namespace +helm install my-db percona/psmdb-db --version 1.16.1 --namespace my-namespace ``` The chart can be customized using the following configurable parameters: | Parameter | Description | Default | | ------------------------------- | ------------------------------------------------------------------------------|---------------------------------------| -| `crVersion` | CR Cluster Manifest version | `1.16.0` | +| `crVersion` | CR Cluster Manifest version | `1.16.1` | | `pause` | Stop PSMDB Database safely | `false` | | `unmanaged` | Start cluster and don't manage it (cross cluster replication) | `false` | | `unsafeFlags.tls` | Allows users from configuring a cluster without TLS/SSL certificates | `false` | diff --git a/charts/percona/psmdb-db/values.yaml b/charts/percona/psmdb-db/values.yaml index a46c700f9..608de5ef2 100644 --- a/charts/percona/psmdb-db/values.yaml +++ b/charts/percona/psmdb-db/values.yaml @@ -18,7 +18,7 @@ finalizers: nameOverride: "" fullnameOverride: "" -crVersion: 1.16.0 +crVersion: 1.16.1 pause: false unmanaged: false unsafeFlags: diff --git a/charts/percona/psmdb-operator/Chart.yaml b/charts/percona/psmdb-operator/Chart.yaml index 9fb9e4920..bea12aea1 100644 --- a/charts/percona/psmdb-operator/Chart.yaml +++ b/charts/percona/psmdb-operator/Chart.yaml @@ -4,7 +4,7 @@ annotations: catalog.cattle.io/kube-version: '>=1.21-0' catalog.cattle.io/release-name: psmdb-operator apiVersion: v2 -appVersion: 1.16.0 +appVersion: 1.16.1 description: A Helm chart for deploying the Percona Operator for MongoDB home: https://docs.percona.com/percona-operator-for-mongodb/ icon: https://raw.githubusercontent.com/percona/percona-server-mongodb-operator/main/operator.png 
@@ -16,4 +16,4 @@ maintainers: - email: sergey.pronin@percona.com name: spron-in name: psmdb-operator -version: 1.16.1 +version: 1.16.2 diff --git a/charts/percona/psmdb-operator/README.md b/charts/percona/psmdb-operator/README.md index 0fb153cf9..5ced069c0 100644 --- a/charts/percona/psmdb-operator/README.md +++ b/charts/percona/psmdb-operator/README.md @@ -6,7 +6,7 @@ Useful links: - [Operator Documentation](https://www.percona.com/doc/kubernetes-operator-for-psmongodb/index.html) ## Pre-requisites -* Kubernetes 1.25+ +* Kubernetes 1.26+ * Helm v3 # Installation @@ -19,7 +19,7 @@ To install the chart with the `psmdb` release name using a dedicated namespace ( ```sh helm repo add percona https://percona.github.io/percona-helm-charts/ -helm install my-operator percona/psmdb-operator --version 1.16.0 --namespace my-namespace +helm install my-operator percona/psmdb-operator --version 1.16.1 --namespace my-namespace ``` The chart can be customized using the following configurable parameters: @@ -27,7 +27,7 @@ The chart can be customized using the following configurable parameters: | Parameter | Description | Default | | ------------------------------- | ------------------------------------------------------------------------------| ------------------------------------------| | `image.repository` | PSMDB Operator Container image name | `percona/percona-server-mongodb-operator` | -| `image.tag` | PSMDB Operator Container image tag | `1.16.0` | +| `image.tag` | PSMDB Operator Container image tag | `1.16.1` | | `image.pullPolicy` | PSMDB Operator Container pull policy | `Always` | | `image.pullSecrets` | PSMDB Operator Pod pull secret | `[]` | | `replicaCount` | PSMDB Operator Pod quantity | `1` | diff --git a/charts/percona/psmdb-operator/values.yaml b/charts/percona/psmdb-operator/values.yaml index 936e04680..29d8bba02 100644 --- a/charts/percona/psmdb-operator/values.yaml +++ b/charts/percona/psmdb-operator/values.yaml 
@@ -6,7 +6,7 @@ replicaCount: 1 image: repository: percona/percona-server-mongodb-operator - tag: 1.16.0 + tag: 1.16.1 pullPolicy: IfNotPresent # disableTelemetry: according to diff --git a/charts/percona/pxc-operator/Chart.yaml b/charts/percona/pxc-operator/Chart.yaml index 1ef0eb790..2d77c0cc2 100644 --- a/charts/percona/pxc-operator/Chart.yaml +++ b/charts/percona/pxc-operator/Chart.yaml @@ -18,4 +18,4 @@ maintainers: - email: sergey.pronin@percona.com name: spron-in name: pxc-operator -version: 1.14.1 +version: 1.14.2 diff --git a/charts/percona/pxc-operator/README.md b/charts/percona/pxc-operator/README.md index 291e81a57..671ec3be6 100644 --- a/charts/percona/pxc-operator/README.md +++ b/charts/percona/pxc-operator/README.md @@ -38,6 +38,7 @@ The chart can be customized using the following configurable parameters: | `logStructured` | Force PXC operator to print JSON-wrapped log messages | `false` | | `logLevel` | PXC Operator logging level | `INFO` | | `disableTelemetry` | Disable sending PXC Operator telemetry data to Percona | `false` | +| `watchAllNamespaces` | Watch all namespaces (Install cluster-wide) | `false` | | `watchNamespace` | Comma separated list of namespace(s) to watch when different from release namespace | `""` | | `createNamespace` | Create the watched namespace(s) | `false` | | `rbac.create` | If false RBAC will not be created. RBAC resources will need to be created manually | `true` | diff --git a/charts/redpanda/redpanda/Chart.yaml b/charts/redpanda/redpanda/Chart.yaml index fc8e158d4..cf9fdd88b 100644 --- a/charts/redpanda/redpanda/Chart.yaml +++ b/charts/redpanda/redpanda/Chart.yaml @@ -17,7 +17,7 @@ annotations: catalog.cattle.io/kube-version: '>=1.21-0' catalog.cattle.io/release-name: redpanda apiVersion: v2 -appVersion: v24.1.1 +appVersion: v24.1.8 dependencies: - condition: console.enabled name: console 
@@ -37,4 +37,4 @@ name: redpanda sources: - https://github.com/redpanda-data/helm-charts type: application -version: 5.8.8 +version: 5.8.11 diff --git a/charts/redpanda/redpanda/README.md b/charts/redpanda/redpanda/README.md index 2efd3517c..631cfce7f 100644 --- a/charts/redpanda/redpanda/README.md +++ b/charts/redpanda/redpanda/README.md @@ -3,7 +3,7 @@ description: Find the default values and descriptions of settings in the Redpanda Helm chart. --- -![Version: 5.8.8](https://img.shields.io/badge/Version-5.8.8-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v24.1.1](https://img.shields.io/badge/AppVersion-v24.1.1-informational?style=flat-square) +![Version: 5.8.11](https://img.shields.io/badge/Version-5.8.11-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v24.1.8](https://img.shields.io/badge/AppVersion-v24.1.8-informational?style=flat-square) This page describes the official Redpanda Helm Chart. In particular, this page describes the contents of the chart’s [`values.yaml` file](https://github.com/redpanda-data/helm-charts/blob/main/charts/redpanda/values.yaml). Each of the settings is listed and described on this page, along with any default values. diff --git a/charts/redpanda/redpanda/templates/_configmap.go.tpl b/charts/redpanda/redpanda/templates/_configmap.go.tpl index 63718952c..5bd0f406d 100644 --- a/charts/redpanda/redpanda/templates/_configmap.go.tpl +++ b/charts/redpanda/redpanda/templates/_configmap.go.tpl 
@@ -1,11 +1,415 @@ {{- /* Generated from "configmap.tpl.go" */ -}} +{{- define "redpanda.ConfigMaps" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $cms := (list (get (fromJson (include "redpanda.RedpandaConfigMap" (dict "a" (list $dot true) ))) "r")) -}} +{{- $cms = (concat (default (list ) $cms) (default (list ) (get (fromJson (include "redpanda.RPKProfile" (dict "a" (list $dot) ))) "r"))) -}} +{{- (dict "r" $cms) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.ConfigMapsWithoutSeedServer" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $cms := (list (get (fromJson (include "redpanda.RedpandaConfigMap" (dict "a" (list $dot false) ))) "r")) -}} +{{- $cms = (concat (default (list ) $cms) (default (list ) (get (fromJson (include "redpanda.RPKProfile" (dict "a" (list $dot) ))) "r"))) -}} +{{- (dict "r" $cms) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.RedpandaConfigMap" -}} +{{- $dot := (index .a 0) -}} +{{- $includeSeedServer := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- (dict "r" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) ) (mustMergeOverwrite (dict ) (dict "kind" "ConfigMap" "apiVersion" "v1" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") "namespace" $dot.Release.Namespace "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") )) "data" (dict "bootstrap.yaml" (get (fromJson (include "redpanda.BootstrapFile" (dict "a" (list $dot) ))) "r") "redpanda.yaml" (get (fromJson (include "redpanda.RedpandaConfigFile" (dict "a" (list $dot $includeSeedServer) ))) "r") ) ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.BootstrapFile" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $values := $dot.Values.AsMap -}} +{{- 
$bootstrap := (dict "kafka_enable_authorization" (get (fromJson (include "redpanda.Auth.IsSASLEnabled" (dict "a" (list $values.auth) ))) "r") "enable_sasl" (get (fromJson (include "redpanda.Auth.IsSASLEnabled" (dict "a" (list $values.auth) ))) "r") "enable_rack_awareness" $values.rackAwareness.enabled "storage_min_free_bytes" ((get (fromJson (include "redpanda.Storage.StorageMinFreeBytes" (dict "a" (list $values.storage) ))) "r") | int64) ) -}} +{{- $bootstrap = (merge (dict ) $bootstrap (get (fromJson (include "redpanda.AuditLogging.Translate" (dict "a" (list $values.auditLogging $dot (get (fromJson (include "redpanda.Auth.IsSASLEnabled" (dict "a" (list $values.auth) ))) "r")) ))) "r")) -}} +{{- $bootstrap = (merge (dict ) $bootstrap (get (fromJson (include "redpanda.Logging.Translate" (dict "a" (list $values.logging) ))) "r")) -}} +{{- $bootstrap = (merge (dict ) $bootstrap (get (fromJson (include "redpanda.TunableConfig.Translate" (dict "a" (list $values.config.tunable) ))) "r")) -}} +{{- $bootstrap = (merge (dict ) $bootstrap (get (fromJson (include "redpanda.ClusterConfig.Translate" (dict "a" (list $values.config.cluster ($values.statefulset.replicas | int) false) ))) "r")) -}} +{{- $bootstrap = (merge (dict ) $bootstrap (get (fromJson (include "redpanda.Auth.Translate" (dict "a" (list $values.auth (get (fromJson (include "redpanda.Auth.IsSASLEnabled" (dict "a" (list $values.auth) ))) "r")) ))) "r")) -}} +{{- (dict "r" (toYaml $bootstrap)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.RedpandaConfigFile" -}} +{{- $dot := (index .a 0) -}} +{{- $includeSeedServer := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $values := $dot.Values.AsMap -}} +{{- $redpanda := (dict "kafka_enable_authorization" (get (fromJson (include "redpanda.Auth.IsSASLEnabled" (dict "a" (list $values.auth) ))) "r") "enable_sasl" (get (fromJson (include "redpanda.Auth.IsSASLEnabled" (dict "a" (list $values.auth) ))) "r") "empty_seed_starts_cluster" false 
"storage_min_free_bytes" ((get (fromJson (include "redpanda.Storage.StorageMinFreeBytes" (dict "a" (list $values.storage) ))) "r") | int64) ) -}} +{{- if $includeSeedServer -}} +{{- $_ := (set $redpanda "seed_servers" (get (fromJson (include "redpanda.Listeners.CreateSeedServers" (dict "a" (list $values.listeners ($values.statefulset.replicas | int) (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") (get (fromJson (include "redpanda.InternalDomain" (dict "a" (list $dot) ))) "r")) ))) "r")) -}} +{{- end -}} +{{- $redpanda = (merge (dict ) $redpanda (get (fromJson (include "redpanda.AuditLogging.Translate" (dict "a" (list $values.auditLogging $dot (get (fromJson (include "redpanda.Auth.IsSASLEnabled" (dict "a" (list $values.auth) ))) "r")) ))) "r")) -}} +{{- $redpanda = (merge (dict ) $redpanda (get (fromJson (include "redpanda.Logging.Translate" (dict "a" (list $values.logging) ))) "r")) -}} +{{- $redpanda = (merge (dict ) $redpanda (get (fromJson (include "redpanda.TunableConfig.Translate" (dict "a" (list $values.config.tunable) ))) "r")) -}} +{{- $redpanda = (merge (dict ) $redpanda (get (fromJson (include "redpanda.ClusterConfig.Translate" (dict "a" (list $values.config.cluster ($values.statefulset.replicas | int) true) ))) "r")) -}} +{{- $redpanda = (merge (dict ) $redpanda (get (fromJson (include "redpanda.Auth.Translate" (dict "a" (list $values.auth (get (fromJson (include "redpanda.Auth.IsSASLEnabled" (dict "a" (list $values.auth) ))) "r")) ))) "r")) -}} +{{- $redpanda = (merge (dict ) $redpanda (get (fromJson (include "redpanda.NodeConfig.Translate" (dict "a" (list $values.config.node) ))) "r")) -}} +{{- $_ := (get (fromJson (include "redpanda.configureListeners" (dict "a" (list $redpanda $dot) ))) "r") -}} +{{- $redpandaYaml := (dict "redpanda" $redpanda "schema_registry" (get (fromJson (include "redpanda.schemaRegistry" (dict "a" (list $dot) ))) "r") "schema_registry_client" (get (fromJson (include "redpanda.kafkaClient" (dict "a" 
(list $dot) ))) "r") "pandaproxy" (get (fromJson (include "redpanda.pandaProxyListener" (dict "a" (list $dot) ))) "r") "pandaproxy_client" (get (fromJson (include "redpanda.kafkaClient" (dict "a" (list $dot) ))) "r") "rpk" (get (fromJson (include "redpanda.rpkConfiguration" (dict "a" (list $dot) ))) "r") "config_file" "/etc/redpanda/redpanda.yaml" ) -}} +{{- if (and (and (get (fromJson (include "redpanda.RedpandaAtLeast_23_3_0" (dict "a" (list $dot) ))) "r") $values.auditLogging.enabled) (get (fromJson (include "redpanda.Auth.IsSASLEnabled" (dict "a" (list $values.auth) ))) "r")) -}} +{{- $_ := (set $redpandaYaml "audit_log_client" (get (fromJson (include "redpanda.kafkaClient" (dict "a" (list $dot) ))) "r")) -}} +{{- end -}} +{{- $redpandaYaml = (merge (dict ) $redpandaYaml (get (fromJson (include "redpanda.Storage.Translate" (dict "a" (list $values.storage) ))) "r")) -}} +{{- (dict "r" (toYaml $redpandaYaml)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.RPKProfile" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (not $values.external.enabled) -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- (dict "r" (list (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) ) (mustMergeOverwrite (dict ) (dict "kind" "ConfigMap" "apiVersion" "v1" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (printf "%s-rpk" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) "namespace" $dot.Release.Namespace "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") )) "data" (dict "profile" (toYaml (get (fromJson (include "redpanda.rpkProfile" (dict "a" (list $dot) ))) "r")) ) )))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.rpkProfile" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- 
$values := $dot.Values.AsMap -}} +{{- $brokerList := (list ) -}} +{{- range $_, $i := untilStep ((0 | int)|int) (($values.statefulset.replicas | int)|int) (1|int) -}} +{{- $brokerList = (concat (default (list ) $brokerList) (list (printf "%s:%d" (get (fromJson (include "redpanda.advertisedHost" (dict "a" (list $dot $i) ))) "r") (((get (fromJson (include "redpanda.advertisedKafkaPort" (dict "a" (list $dot $i) ))) "r") | int) | int)))) -}} +{{- end -}} +{{- $adminAdvertisedList := (list ) -}} +{{- range $_, $i := untilStep ((0 | int)|int) (($values.statefulset.replicas | int)|int) (1|int) -}} +{{- $adminAdvertisedList = (concat (default (list ) $adminAdvertisedList) (list (printf "%s:%d" (get (fromJson (include "redpanda.advertisedHost" (dict "a" (list $dot $i) ))) "r") (((get (fromJson (include "redpanda.advertisedAdminPort" (dict "a" (list $dot $i) ))) "r") | int) | int)))) -}} +{{- end -}} +{{- $kafkaTLS := (get (fromJson (include "redpanda.brokersTLSConfiguration" (dict "a" (list $dot) ))) "r") -}} +{{- $tmp_tuple_1 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.dicttest" (dict "a" (list $kafkaTLS "truststore_file" (coalesce nil)) ))) "r")) ))) "r") -}} +{{- $ok_1 := $tmp_tuple_1.T2 -}} +{{- if $ok_1 -}} +{{- $_ := (set $kafkaTLS "ca_file" "ca.crt") -}} +{{- $_ := (unset $kafkaTLS "truststore_file") -}} +{{- end -}} +{{- $adminTLS := (get (fromJson (include "redpanda.adminTLSConfiguration" (dict "a" (list $dot) ))) "r") -}} +{{- $tmp_tuple_2 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.dicttest" (dict "a" (list $adminTLS "truststore_file" (coalesce nil)) ))) "r")) ))) "r") -}} +{{- $ok_2 := $tmp_tuple_2.T2 -}} +{{- if $ok_2 -}} +{{- $_ := (set $adminTLS "ca_file" "ca.crt") -}} +{{- $_ := (unset $adminTLS "truststore_file") -}} +{{- end -}} +{{- $ka := (dict "brokers" $brokerList "tls" (coalesce nil) ) -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list 
$kafkaTLS) ))) "r") | int) (0 | int)) -}} +{{- $_ := (set $ka "tls" $kafkaTLS) -}} +{{- end -}} +{{- $aa := (dict "addresses" $adminAdvertisedList "tls" (coalesce nil) ) -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $adminTLS) ))) "r") | int) (0 | int)) -}} +{{- $_ := (set $aa "tls" $adminTLS) -}} +{{- end -}} +{{- $result := (dict "name" (get (fromJson (include "redpanda.getFirstExternalKafkaListener" (dict "a" (list $dot) ))) "r") "kafka_api" $ka "admin_api" $aa ) -}} +{{- (dict "r" $result) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.advertisedKafkaPort" -}} +{{- $dot := (index .a 0) -}} +{{- $i := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $values := $dot.Values.AsMap -}} +{{- $externalKafkaListenerName := (get (fromJson (include "redpanda.getFirstExternalKafkaListener" (dict "a" (list $dot) ))) "r") -}} +{{- $listener := (index $values.listeners.kafka.external $externalKafkaListenerName) -}} +{{- $port := (($values.listeners.kafka.port | int) | int) -}} +{{- if (gt (($listener.port | int) | int) ((1 | int) | int)) -}} +{{- $port = (($listener.port | int) | int) -}} +{{- end -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $listener.advertisedPorts) ))) "r") | int) (1 | int)) -}} +{{- $port = ((index $listener.advertisedPorts $i) | int) -}} +{{- else -}}{{- if (eq ((get (fromJson (include "_shims.len" (dict "a" (list $listener.advertisedPorts) ))) "r") | int) (1 | int)) -}} +{{- $port = ((index $listener.advertisedPorts (0 | int)) | int) -}} +{{- end -}} +{{- end -}} +{{- (dict "r" $port) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.advertisedAdminPort" -}} +{{- $dot := (index .a 0) -}} +{{- $i := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $values := $dot.Values.AsMap -}} +{{- $keys := (keys $values.listeners.admin.external) -}} +{{- $_ := (sortAlpha $keys) -}} +{{- $externalAdminListenerName := (first $keys) -}} +{{- $listener := 
(index $values.listeners.admin.external (get (fromJson (include "_shims.typeassertion" (dict "a" (list "string" $externalAdminListenerName) ))) "r")) -}} +{{- $port := (($values.listeners.admin.port | int) | int) -}} +{{- if (gt (($listener.port | int) | int) (1 | int)) -}} +{{- $port = (($listener.port | int) | int) -}} +{{- end -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $listener.advertisedPorts) ))) "r") | int) (1 | int)) -}} +{{- $port = ((index $listener.advertisedPorts $i) | int) -}} +{{- else -}}{{- if (eq ((get (fromJson (include "_shims.len" (dict "a" (list $listener.advertisedPorts) ))) "r") | int) (1 | int)) -}} +{{- $port = ((index $listener.advertisedPorts (0 | int)) | int) -}} +{{- end -}} +{{- end -}} +{{- (dict "r" $port) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.advertisedHost" -}} +{{- $dot := (index .a 0) -}} +{{- $i := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $values := $dot.Values.AsMap -}} +{{- $address := (printf "%s-%d" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") ($i | int)) -}} +{{- if (ne (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.external.domain "") ))) "r") "") -}} +{{- $address = (printf "%s.%s" $address (tpl $values.external.domain $dot)) -}} +{{- end -}} +{{- if (le ((get (fromJson (include "_shims.len" (dict "a" (list $values.external.addresses) ))) "r") | int) (0 | int)) -}} +{{- (dict "r" $address) | toJson -}} +{{- break -}} +{{- end -}} +{{- if (eq ((get (fromJson (include "_shims.len" (dict "a" (list $values.external.addresses) ))) "r") | int) (1 | int)) -}} +{{- $address = (index $values.external.addresses (0 | int)) -}} +{{- else -}} +{{- $address = (index $values.external.addresses $i) -}} +{{- end -}} +{{- if (ne (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.external.domain "") ))) "r") "") -}} +{{- $address = (printf "%s.%s" $address $values.external.domain) -}} +{{- end -}} 
+{{- (dict "r" $address) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.getFirstExternalKafkaListener" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $values := $dot.Values.AsMap -}} +{{- $keys := (keys $values.listeners.kafka.external) -}} +{{- $_ := (sortAlpha $keys) -}} +{{- (dict "r" (get (fromJson (include "_shims.typeassertion" (dict "a" (list "string" (first $keys)) ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.rpkConfiguration" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $values := $dot.Values.AsMap -}} +{{- $brokerList := (list ) -}} +{{- $r := ($values.statefulset.replicas | int) -}} +{{- range $_, $i := untilStep ((0 | int)|int) (($values.statefulset.replicas | int)|int) (1|int) -}} +{{- $brokerList = (concat (default (list ) $brokerList) (list (printf "%s-%d.%s:%d" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") $i (get (fromJson (include "redpanda.InternalDomain" (dict "a" (list $dot) ))) "r") (($values.listeners.kafka.port | int) | int)))) -}} +{{- end -}} +{{- $adminTLS := (coalesce nil) -}} +{{- $tls_3 := (get (fromJson (include "redpanda.adminTLSConfiguration" (dict "a" (list $dot) ))) "r") -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $tls_3) ))) "r") | int) (0 | int)) -}} +{{- $adminTLS = $tls_3 -}} +{{- end -}} +{{- $brokerTLS := (coalesce nil) -}} +{{- $tls_4 := (get (fromJson (include "redpanda.brokersTLSConfiguration" (dict "a" (list $dot) ))) "r") -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $tls_4) ))) "r") | int) (0 | int)) -}} +{{- $brokerTLS = $tls_4 -}} +{{- end -}} +{{- $result := (dict "overprovisioned" (get (fromJson (include "redpanda.RedpandaResources.GetOverProvisionValue" (dict "a" (list $values.resources) ))) "r") "enable_memory_locking" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list 
$values.resources.memory.enable_memory_locking false) ))) "r") "additional_start_flags" (get (fromJson (include "redpanda.RedpandaAdditionalStartFlags" (dict "a" (list $dot ((get (fromJson (include "redpanda.RedpandaSMP" (dict "a" (list $dot) ))) "r") | int64)) ))) "r") "kafka_api" (dict "brokers" $brokerList "tls" $brokerTLS ) "admin_api" (dict "addresses" (get (fromJson (include "redpanda.Listeners.AdminList" (dict "a" (list $values.listeners ($values.statefulset.replicas | int) (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") (get (fromJson (include "redpanda.InternalDomain" (dict "a" (list $dot) ))) "r")) ))) "r") "tls" $adminTLS ) ) -}} +{{- $result = (merge (dict ) $result (get (fromJson (include "redpanda.Tuning.Translate" (dict "a" (list $values.tuning) ))) "r")) -}} +{{- $result = (merge (dict ) $result (get (fromJson (include "redpanda.Config.CreateRPKConfiguration" (dict "a" (list $values.config) ))) "r")) -}} +{{- (dict "r" $result) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.brokersTLSConfiguration" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (not (get (fromJson (include "redpanda.InternalTLS.IsEnabled" (dict "a" (list $values.listeners.kafka.tls $values.tls) ))) "r")) -}} +{{- (dict "r" (dict )) | toJson -}} +{{- break -}} +{{- end -}} +{{- $result := (dict ) -}} +{{- $truststore_5 := (get (fromJson (include "redpanda.InternalTLS.TrustStoreFilePath" (dict "a" (list $values.listeners.kafka.tls $values.tls) ))) "r") -}} +{{- if (ne $truststore_5 "/etc/ssl/certs/ca-certificates.crt") -}} +{{- $_ := (set $result "truststore_file" $truststore_5) -}} +{{- end -}} +{{- if $values.listeners.kafka.tls.requireClientAuth -}} +{{- $_ := (set $result "cert_file" (printf "/etc/tls/certs/%s-client/tls.crt" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r"))) -}} +{{- $_ := (set $result "key_file" (printf 
"/etc/tls/certs/%s-client/tls.key" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r"))) -}} +{{- end -}} +{{- (dict "r" $result) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.adminTLSConfiguration" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $values := $dot.Values.AsMap -}} +{{- $result := (dict ) -}} +{{- if (not (get (fromJson (include "redpanda.InternalTLS.IsEnabled" (dict "a" (list $values.listeners.admin.tls $values.tls) ))) "r")) -}} +{{- (dict "r" $result) | toJson -}} +{{- break -}} +{{- end -}} +{{- $truststore_6 := (get (fromJson (include "redpanda.InternalTLS.TrustStoreFilePath" (dict "a" (list $values.listeners.admin.tls $values.tls) ))) "r") -}} +{{- if (ne $truststore_6 "/etc/ssl/certs/ca-certificates.crt") -}} +{{- $_ := (set $result "truststore_file" $truststore_6) -}} +{{- end -}} +{{- if $values.listeners.admin.tls.requireClientAuth -}} +{{- $_ := (set $result "cert_file" (printf "/etc/tls/certs/%s-client/tls.crt" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r"))) -}} +{{- $_ := (set $result "key_file" (printf "/etc/tls/certs/%s-client/tls.key" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r"))) -}} +{{- end -}} +{{- (dict "r" $result) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.kafkaClient" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $values := $dot.Values.AsMap -}} +{{- $brokerList := (list ) -}} +{{- range $_, $i := untilStep ((0 | int)|int) (($values.statefulset.replicas | int)|int) (1|int) -}} +{{- $brokerList = (concat (default (list ) $brokerList) (list (dict "address" (printf "%s-%d.%s" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") $i (get (fromJson (include "redpanda.InternalDomain" (dict "a" (list $dot) ))) "r")) "port" ($values.listeners.kafka.port | int) ))) -}} +{{- end -}} +{{- $kafkaTLS := $values.listeners.kafka.tls 
-}} +{{- $brokerTLS := (coalesce nil) -}} +{{- if (get (fromJson (include "redpanda.InternalTLS.IsEnabled" (dict "a" (list $values.listeners.kafka.tls $values.tls) ))) "r") -}} +{{- $brokerTLS = (dict "enabled" true "cert_file" (printf "/etc/tls/certs/%s/tls.crt" $kafkaTLS.cert) "key_file" (printf "/etc/tls/certs/%s/tls.key" $kafkaTLS.cert) "require_client_auth" $kafkaTLS.requireClientAuth "truststore_file" (get (fromJson (include "redpanda.InternalTLS.TrustStoreFilePath" (dict "a" (list $kafkaTLS $values.tls) ))) "r") ) -}} +{{- end -}} +{{- $cfg := (dict "brokers" $brokerList ) -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $brokerTLS) ))) "r") | int) (0 | int)) -}} +{{- $_ := (set $cfg "broker_tls" $brokerTLS) -}} +{{- end -}} +{{- (dict "r" $cfg) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.configureListeners" -}} +{{- $redpanda := (index .a 0) -}} +{{- $dot := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $values := $dot.Values.AsMap -}} +{{- $_ := (set $redpanda "admin" (get (fromJson (include "redpanda.AdminListeners.Listeners" (dict "a" (list $values.listeners.admin) ))) "r")) -}} +{{- $_ := (set $redpanda "kafka_api" (get (fromJson (include "redpanda.KafkaListeners.Listeners" (dict "a" (list $values.listeners.kafka $values.auth) ))) "r")) -}} +{{- $_ := (set $redpanda "rpc_server" (get (fromJson (include "redpanda.rpcListeners" (dict "a" (list $dot) ))) "r")) -}} +{{- $_ := (set $redpanda "admin_api_tls" (coalesce nil)) -}} +{{- $tls_7 := (get (fromJson (include "redpanda.AdminListeners.ListenersTLS" (dict "a" (list $values.listeners.admin $values.tls) ))) "r") -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $tls_7) ))) "r") | int) (0 | int)) -}} +{{- $_ := (set $redpanda "admin_api_tls" $tls_7) -}} +{{- end -}} +{{- $_ := (set $redpanda "kafka_api_tls" (coalesce nil)) -}} +{{- $tls_8 := (get (fromJson (include "redpanda.KafkaListeners.ListenersTLS" (dict "a" (list 
$values.listeners.kafka $values.tls) ))) "r") -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $tls_8) ))) "r") | int) (0 | int)) -}} +{{- $_ := (set $redpanda "kafka_api_tls" $tls_8) -}} +{{- end -}} +{{- $tls_9 := (get (fromJson (include "redpanda.rpcListenersTLS" (dict "a" (list $dot) ))) "r") -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $tls_9) ))) "r") | int) (0 | int)) -}} +{{- $_ := (set $redpanda "rpc_server_tls" $tls_9) -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.pandaProxyListener" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $values := $dot.Values.AsMap -}} +{{- $pandaProxy := (dict ) -}} +{{- $_ := (set $pandaProxy "pandaproxy_api" (get (fromJson (include "redpanda.HTTPListeners.Listeners" (dict "a" (list $values.listeners.http (get (fromJson (include "redpanda.Auth.IsSASLEnabled" (dict "a" (list $values.auth) ))) "r")) ))) "r")) -}} +{{- $_ := (set $pandaProxy "pandaproxy_api_tls" (coalesce nil)) -}} +{{- $tls_10 := (get (fromJson (include "redpanda.HTTPListeners.ListenersTLS" (dict "a" (list $values.listeners.http $values.tls) ))) "r") -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $tls_10) ))) "r") | int) (0 | int)) -}} +{{- $_ := (set $pandaProxy "pandaproxy_api_tls" $tls_10) -}} +{{- end -}} +{{- (dict "r" $pandaProxy) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.schemaRegistry" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $values := $dot.Values.AsMap -}} +{{- $schemaReg := (dict ) -}} +{{- $_ := (set $schemaReg "schema_registry_api" (get (fromJson (include "redpanda.SchemaRegistryListeners.Listeners" (dict "a" (list $values.listeners.schemaRegistry (get (fromJson (include "redpanda.Auth.IsSASLEnabled" (dict "a" (list $values.auth) ))) "r")) ))) "r")) -}} +{{- $_ := (set $schemaReg "schema_registry_api_tls" (coalesce nil)) -}} +{{- $tls_11 := (get (fromJson (include 
"redpanda.SchemaRegistryListeners.ListenersTLS" (dict "a" (list $values.listeners.schemaRegistry $values.tls) ))) "r") -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $tls_11) ))) "r") | int) (0 | int)) -}} +{{- $_ := (set $schemaReg "schema_registry_api_tls" $tls_11) -}} +{{- end -}} +{{- (dict "r" $schemaReg) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.rpcListenersTLS" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $values := $dot.Values.AsMap -}} +{{- $r := $values.listeners.rpc -}} +{{- if (and (not ((or (or (get (fromJson (include "redpanda.RedpandaAtLeast_22_2_atleast_22_2_10" (dict "a" (list $dot) ))) "r") (get (fromJson (include "redpanda.RedpandaAtLeast_22_3_atleast_22_3_13" (dict "a" (list $dot) ))) "r")) (get (fromJson (include "redpanda.RedpandaAtLeast_23_1_2" (dict "a" (list $dot) ))) "r")))) ((or (and (eq $r.tls.enabled (coalesce nil)) $values.tls.enabled) (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $r.tls.enabled false) ))) "r")))) -}} +{{- $_ := (fail (printf "Redpanda version v%s does not support TLS on the RPC port. Please upgrade. See technical service bulletin 2023-01." 
(trimPrefix "v" (get (fromJson (include "redpanda.Tag" (dict "a" (list $dot) ))) "r")))) -}} +{{- end -}} +{{- if (not (get (fromJson (include "redpanda.InternalTLS.IsEnabled" (dict "a" (list $r.tls $values.tls) ))) "r")) -}} +{{- (dict "r" (dict )) | toJson -}} +{{- break -}} +{{- end -}} +{{- $certName := $r.tls.cert -}} +{{- (dict "r" (dict "enabled" true "cert_file" (printf "/etc/tls/certs/%s/tls.crt" $certName) "key_file" (printf "/etc/tls/certs/%s/tls.key" $certName) "require_client_auth" $r.tls.requireClientAuth "truststore_file" (get (fromJson (include "redpanda.InternalTLS.TrustStoreFilePath" (dict "a" (list $r.tls $values.tls) ))) "r") )) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.rpcListeners" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $values := $dot.Values.AsMap -}} +{{- (dict "r" (dict "address" "0.0.0.0" "port" ($values.listeners.rpc.port | int) )) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.createInternalListenerTLSCfg" -}} +{{- $tls := (index .a 0) -}} +{{- $internal := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- if (not (get (fromJson (include "redpanda.InternalTLS.IsEnabled" (dict "a" (list $internal $tls) ))) "r")) -}} +{{- (dict "r" (dict )) | toJson -}} +{{- break -}} +{{- end -}} +{{- (dict "r" (dict "name" "internal" "enabled" true "cert_file" (printf "/etc/tls/certs/%s/tls.crt" $internal.cert) "key_file" (printf "/etc/tls/certs/%s/tls.key" $internal.cert) "require_client_auth" $internal.requireClientAuth "truststore_file" (get (fromJson (include "redpanda.InternalTLS.TrustStoreFilePath" (dict "a" (list $internal $tls) ))) "r") )) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.createInternalListenerCfg" -}} +{{- $port := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- (dict "r" (dict "name" "internal" "address" "0.0.0.0" "port" $port )) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + {{- define 
"redpanda.RedpandaAdditionalStartFlags" -}} {{- $dot := (index .a 0) -}} {{- $smp := (index .a 1) -}} {{- range $_ := (list 1) -}} {{- $values := $dot.Values.AsMap -}} -{{- $chartFlags := (dict "smp" $smp "memory" (printf "%dM" (int (get (fromJson (include "redpanda.RedpandaMemory" (dict "a" (list $dot) ))) "r"))) "reserve-memory" (printf "%dM" (int (get (fromJson (include "redpanda.RedpandaReserveMemory" (dict "a" (list $dot) ))) "r"))) "default-log-level" $values.logging.logLevel ) -}} +{{- $chartFlags := (dict "smp" (printf "%d" ($smp | int)) "memory" (printf "%dM" (((get (fromJson (include "redpanda.RedpandaMemory" (dict "a" (list $dot) ))) "r") | int64) | int)) "reserve-memory" (printf "%dM" (((get (fromJson (include "redpanda.RedpandaReserveMemory" (dict "a" (list $dot) ))) "r") | int64) | int)) "default-log-level" $values.logging.logLevel ) -}} {{- if (eq (index $values.config.node "developer_mode") true) -}} {{- $_ := (unset $chartFlags "reserve-memory") -}} {{- end -}} @@ -20,9 +424,9 @@ {{- $_ := (sortAlpha $keys) -}} {{- $flags := (list ) -}} {{- range $_, $key := $keys -}} -{{- $flags = (mustAppend $flags (printf "--%s=%s" $key (index $chartFlags $key))) -}} +{{- $flags = (concat (default (list ) $flags) (list (printf "--%s=%s" $key (index $chartFlags $key)))) -}} {{- end -}} -{{- (dict "r" (concat $flags $values.statefulset.additionalRedpandaCmdFlags)) | toJson -}} +{{- (dict "r" (concat (default (list ) $flags) (default (list ) $values.statefulset.additionalRedpandaCmdFlags))) | toJson -}} {{- break -}} {{- end -}} {{- end -}} diff --git a/charts/redpanda/redpanda/templates/_configmap.tpl b/charts/redpanda/redpanda/templates/_configmap.tpl deleted file mode 100644 index e285f4b1c..000000000 --- a/charts/redpanda/redpanda/templates/_configmap.tpl +++ /dev/null 
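Review bot: `redpanda.rpcListenersTLS` keeps only the version check for RPC TLS, while the guard the deleted `_configmap.tpl` carried — a `lookup` of the existing ConfigMap's `redpanda.rpc_server_tls.enabled` that fails on `.Release.IsUpgrade` unless `force` is set — does not reappear anywhere in this diff, so flipping `listeners.rpc.tls.enabled` on a live release now renders without any warning even though the removed comment states a rolling upgrade between non-TLS and TLS RPC is impossible. If the guard was not moved to another template outside this diff, that is a regression that can leave the brokers unable to talk to each other mid-rollout; since this file is generated, the check belongs back in `configmap.tpl.go` and should be transpiled here rather than patched in by hand. A smaller inconsistency in `redpanda.advertisedHost`: the no-addresses branch renders the domain with `(tpl $values.external.domain $dot)` but the addresses branch appends the raw `$values.external.domain`, so a templated domain value yields different hosts depending on whether `external.addresses` is set. Both defines are fully inside the hunk.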
@@ -1,718 +0,0 @@ -{{/* -Licensed to the Apache Software Foundation (ASF) under one or more -contributor license agreements. See the NOTICE file distributed with -this work for additional information regarding copyright ownership. -The ASF licenses this file to You under the Apache License, Version 2.0 -(the "License"); you may not use this file except in compliance with -the License. You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/}} - -{{- define "configmap-content-no-seed" -}} -{{- /* - configmap content without seed list. -*/ -}} -{{- $root := . }} -{{- $values := .Values }} - -{{- /* - It's impossible to do a rolling upgrade from not-tls-enabled rpc to tls-enabled rpc. -*/ -}} -{{- $check := list - (include "redpanda-atleast-23-1-2" .|fromJson).bool - (include "redpanda-22-3-atleast-22-3-13" .|fromJson).bool - (include "redpanda-22-2-atleast-22-2-10" .|fromJson).bool --}} -{{- $wantedRPCTLS := (include "rpc-tls-enabled" . | fromJson).bool -}} -{{- if and (not (mustHas true $check)) $wantedRPCTLS -}} - {{- fail (printf "Redpanda version v%s does not support TLS on the RPC port. Please upgrade. See technical service bulletin 2023-01." (include "redpanda.semver" .)) -}} -{{- end -}} -{{- $cm := lookup "v1" "ConfigMap" .Release.Namespace (include "redpanda.fullname" .) -}} -{{- $redpandaYAML := dig "data" "redpanda.yaml" "" $cm | fromYaml -}} -{{- $currentRPCTLS := dig "redpanda" "rpc_server_tls" "enabled" false $redpandaYAML -}} -{{- /* Lookup will return an empty map when running `helm template` or when `--dry-run` is passed. 
*/ -}} -{{- if (and .Release.IsUpgrade $cm) -}} - {{- if ne $currentRPCTLS $wantedRPCTLS -}} - {{- if eq (get .Values "force" | default false) false -}} - {{- fail (join "\n" (list - (printf "\n\nError: Cannot do a rolling restart to enable or disable tls at the RPC layer: changing listeners.rpc.tls.enabled (redpanda.yaml:repdanda.rpc_server_tls.enabled) from %v to %v" $currentRPCTLS $wantedRPCTLS) - "***WARNING The following instructions will result in a short period of downtime." - "To accept this risk, run the upgrade again adding `--force=true` and do the following:\n" - "While helm is upgrading the release, manually delete ALL the pods:" - (printf " kubectl -n %s delete pod -l app.kubernetes.io/component=redpanda-statefulset" .Release.Namespace) - "\nIf you got here thinking rpc tls was already enabled, see technical service bulletin 2023-01." - )) - -}} - {{- end -}} - {{- end -}} -{{- end -}} - -{{- $users := list -}} -{{- if (include "sasl-enabled" . | fromJson).bool -}} - {{- range $user := .Values.auth.sasl.users -}} - {{- $users = append $users $user.name -}} - {{- end -}} -{{- end -}} - -bootstrap.yaml: | -{{- if .Values.logging.usageStats.enabled }} - {{- with (dig "usageStats" "organization" "" .Values.logging) }} - organization: {{ . }} - {{- end }} - {{- with (dig "usageStats" "clusterId" "" .Values.logging) }} - cluster_id: {{ . }} - {{- end }} -{{- end }} - kafka_enable_authorization: {{ (include "sasl-enabled" . | fromJson).bool }} - enable_sasl: {{ (include "sasl-enabled" . | fromJson).bool }} - enable_rack_awareness: {{ .Values.rackAwareness.enabled }} -{{- with $users }} - superusers: {{ toYaml . | nindent 4 }} -{{- end }} -{{- with (dig "cluster" dict .Values.config) }} - {{- range $key, $element := .}} - {{- if eq $key "default_topic_replications" }} - {{/* "sub (add $i (mod $i 2)) 1" calculates the closest odd number less than or equal to $element: 1=1, 2=1, 3=3, ... 
*/}} - {{- $r := $.Values.statefulset.replicas }} - {{- $element = min $element (sub (add $r (mod $r 2)) 1) }} - {{- end }} - {{- if eq (typeOf $element) "bool" }} - {{- dict $key $element | toYaml | nindent 2 }} - {{- else if eq (typeOf $element) "[]interface {}" }} - {{- if not ( empty $element ) }} - {{ dict $key $element | toYaml | nindent 2 }} - {{- end }} - {{- else if $element }} - {{- dict $key $element | toYaml | nindent 2 }} - {{- end }} - {{- end }} - {{- end }} - {{- include "tunable" . | nindent 2 }} - {{- if and (not (hasKey .Values.config.cluster "storage_min_free_bytes")) ((include "redpanda-atleast-22-2-0" . | fromJson).bool) }} - storage_min_free_bytes: {{ include "storage-min-free-bytes" . }} - {{- end }} -{{/* AUDIT LOGS */}} -{{- if (include "redpanda-atleast-23-3-0" . | fromJson).bool }} - {{- if and ( dig "enabled" "false" .Values.auditLogging ) (include "sasl-enabled" $root | fromJson).bool }} - audit_enabled: true - {{- if not (eq (int .Values.auditLogging.clientMaxBufferSize) 16777216 ) }} - audit_client_max_buffer_size: {{ .Values.auditLogging.clientMaxBufferSize }} - {{- end }} - {{- if not (eq (int .Values.auditLogging.queueDrainIntervalMs) 500) }} - audit_queue_drain_interval_ms: {{ .Values.auditLogging.queueDrainIntervalMs }} - {{- end }} - {{- if not (eq (int .Values.auditLogging.queueMaxBufferSizePerShard) 1048576) }} - audit_queue_max_buffer_size_per_shard: {{ .Values.auditLogging.queueMaxBufferSizePerShard }} - {{- end }} - {{- if not (eq (int .Values.auditLogging.partitions) 12) }} - audit_log_num_partitions: {{ .Values.auditLogging.partitions }} - {{- end }} - {{- if (dig "replicationFactor" "" .Values.auditLogging) }} - audit_log_replication_factor: {{ .Values.auditLogging.replicationFactor }} - {{- end }} - {{- if dig "enabledEventTypes" "" .Values.auditLogging }} - audit_enabled_event_types: - {{- with .Values.auditLogging.enabledEventTypes }} - {{- toYaml . 
| nindent 2 }} - {{- end }} - {{- end }} - {{- if dig "excludedTopics" "" .Values.auditLogging }} - audit_excluded_topics: - {{- with .Values.auditLogging.excludedTopics }} - {{- toYaml . | nindent 2 }} - {{- end }} - {{- end }} - {{- if dig "excludedPrincipals" "" .Values.auditLogging }} - audit_excluded_principals: - {{- with .Values.auditLogging.excludedPrincipals }} - {{- toYaml . | nindent 2 }} - {{- end }} - {{- end }} - {{- else }} - audit_enabled: false - {{- end }} -{{- end }} - -redpanda.yaml: | - config_file: /etc/redpanda/redpanda.yaml - redpanda: -{{- if .Values.logging.usageStats.enabled }} - {{- with (dig "usageStats" "organization" "" .Values.logging) }} - organization: {{ . }} - {{- end }} - {{- with (dig "usageStats" "clusterId" "" .Values.logging) }} - cluster_id: {{ . }} - {{- end }} -{{- end }} -{{- if (include "redpanda-atleast-22-3-0" . | fromJson).bool }} - empty_seed_starts_cluster: false -{{- end }} - kafka_enable_authorization: {{ (include "sasl-enabled" . | fromJson).bool }} - enable_sasl: {{ (include "sasl-enabled" . | fromJson).bool }} -{{- if $users }} - superusers: {{ toJson $users }} -{{- end }} -{{- with (dig "cluster" dict .Values.config) }} - {{- range $key, $element := . }} - {{- if eq (typeOf $element) "bool" }} - {{ $key }}: {{ $element | toYaml }} - {{- else if eq (typeOf $element) "[]interface {}" }} - {{- if not ( empty $element ) }} - {{ $key }}: {{ $element | toYaml | nindent 4 }} - {{- end }} - {{- else if $element }} - {{ $key }}: {{ $element | toYaml }} - {{- end }} - {{- end }} -{{- end }} -{{- with (dig "tunable" dict .Values.config) }} - {{- range $key, $element := .}} - {{- if or (eq (typeOf $element) "bool") $element }} - {{ $key }}: {{ $element | toYaml }} - {{- end }} - {{- end }} -{{- end }} -{{- if not (hasKey .Values.config.cluster "storage_min_free_bytes") }} - storage_min_free_bytes: {{ include "storage-min-free-bytes" . 
}} -{{- end }} -{{- with dig "node" dict .Values.config }} - {{- range $key, $element := .}} - {{- $line := dict $key (toYaml $element) }} - {{- if and (eq $key "crash_loop_limit") (not (include "redpanda-atleast-23-1-1" $root | fromJson).bool) }} - {{- $line = dict }} - {{- end }} - {{- if not (or (eq (typeOf $element) "bool") $element) }} - {{- $line = dict }} - {{- end }} - {{- with $line }} - {{ toYaml . | nindent 4 }} - {{- end }} - {{- end }} -{{- end -}} -{{/* AUDIT LOGS */}} -{{- if (include "redpanda-atleast-23-3-0" . | fromJson).bool }} - {{- if and ( dig "enabled" "false" .Values.auditLogging ) (include "sasl-enabled" $root | fromJson).bool }} - audit_enabled: true - {{- if not (eq (int .Values.auditLogging.clientMaxBufferSize) 16777216) }} - audit_client_max_buffer_size: {{ .Values.auditLogging.clientMaxBufferSize }} - {{- end }} - {{- if not (eq (int .Values.auditLogging.queueDrainIntervalMs) 500) }} - audit_queue_drain_interval_ms: {{ .Values.auditLogging.queueDrainIntervalMs }} - {{- end }} - {{- if not (eq (int .Values.auditLogging.queueMaxBufferSizePerShard) 1048576) }} - audit_queue_max_buffer_size_per_shard: {{ .Values.auditLogging.queueMaxBufferSizePerShard }} - {{- end }} - {{- if not (eq (int .Values.auditLogging.partitions) 12) }} - audit_log_num_partitions: {{ .Values.auditLogging.partitions }} - {{- end }} - {{- if dig "enabledEventTypes" "" .Values.auditLogging }} - audit_enabled_event_types: - {{- with .Values.auditLogging.enabledEventTypes }} - {{- toYaml . | nindent 4 }} - {{- end }} - {{- end }} - {{- if dig "excludedTopics" "" .Values.auditLogging }} - audit_excluded_topics: - {{- with .Values.auditLogging.excludedTopics }} - {{- toYaml . | nindent 4 }} - {{- end }} - {{- end }} - {{- if dig "excludedPrincipals" "" .Values.auditLogging }} - audit_excluded_principals: - {{- with .Values.auditLogging.excludedPrincipals }} - {{- toYaml . 
| nindent 4 }} - {{- end }} - {{- end }} - {{- else }} - audit_enabled: false - {{- end }} -{{- end }} -{{/* LISTENERS */}} -{{/* Admin API */}} -{{- $service := .Values.listeners.admin }} - admin: - - name: internal - address: 0.0.0.0 - port: {{ $service.port }} -{{- range $name, $listener := $service.external }} - {{- if and $listener.port $name (dig "enabled" true $listener) }} - - name: {{ $name }} - address: 0.0.0.0 - port: {{ $listener.port }} - {{- end }} -{{- end }} - admin_api_tls: -{{- if (include "admin-internal-tls-enabled" . | fromJson).bool }} - - name: internal - enabled: true - cert_file: /etc/tls/certs/{{ $service.tls.cert }}/tls.crt - key_file: /etc/tls/certs/{{ $service.tls.cert }}/tls.key - require_client_auth: {{ $service.tls.requireClientAuth }} - {{- $cert := get .Values.tls.certs $service.tls.cert }} - {{- if empty $cert }} - {{- fail (printf "Certificate used but not defined")}} - {{- end }} - {{- if $cert.caEnabled }} - truststore_file: /etc/tls/certs/{{ $service.tls.cert }}/ca.crt - {{- else }} - {{/* This is a required field so we use the default in the redpanda debian container */}} - truststore_file: /etc/ssl/certs/ca-certificates.crt - {{- end }} -{{- end }} -{{- range $name, $listener := $service.external }} - {{- $k := dict "Values" $values "listener" $listener }} - {{- if and (include "admin-external-tls-enabled" $k | fromJson).bool (dig "enabled" true $listener) }} - {{- $mtls := dig "tls" "requireClientAuth" false $listener }} - {{- $mtls = dig "tls" "requireClientAuth" $mtls $k }} - {{- $certName := include "admin-external-tls-cert" $k }} - {{- $certPath := printf "/etc/tls/certs/%s" $certName }} - {{- $cert := get $values.tls.certs $certName }} - {{- if empty $cert }} - {{- fail (printf "Certificate, '%s', used but not defined" $certName)}} - {{- end }} - - name: {{ $name }} - enabled: true - cert_file: {{ $certPath }}/tls.crt - key_file: {{ $certPath }}/tls.key - require_client_auth: {{ $mtls }} - {{- if $cert.caEnabled }} - 
truststore_file: {{ $certPath }}/ca.crt - {{- else }} - {{- /* This is a required field so we use the default in the redpanda debian container */}} - truststore_file: /etc/ssl/certs/ca-certificates.crt - {{- end }} - {{- end }} -{{- end -}} -{{/* Kafka API */}} -{{- $kafkaService := .Values.listeners.kafka }} - kafka_api: - - name: internal - address: 0.0.0.0 - port: {{ $kafkaService.port }} -{{- if or (include "sasl-enabled" $root | fromJson).bool $kafkaService.authenticationMethod }} - authentication_method: {{ default "sasl" $kafkaService.authenticationMethod }} -{{- end }} -{{- range $name, $listener := $kafkaService.external }} - {{- if and $listener.port $name (dig "enabled" true $listener) }} - - name: {{ $name }} - address: 0.0.0.0 - port: {{ $listener.port }} - {{- if or (include "sasl-enabled" $root | fromJson).bool $listener.authenticationMethod }} - authentication_method: {{ default "sasl" $listener.authenticationMethod }} - {{- end }} - {{- end }} -{{- end }} - kafka_api_tls: -{{- if (include "kafka-internal-tls-enabled" . 
| fromJson).bool }} - - name: internal - enabled: true - cert_file: /etc/tls/certs/{{ $kafkaService.tls.cert }}/tls.crt - key_file: /etc/tls/certs/{{ $kafkaService.tls.cert }}/tls.key - require_client_auth: {{ $kafkaService.tls.requireClientAuth }} - {{- $cert := get .Values.tls.certs $kafkaService.tls.cert }} - {{- if empty $cert }} - {{- fail (printf "Certificate used but not defined")}} - {{- end }} - {{- if $cert.caEnabled }} - truststore_file: /etc/tls/certs/{{ $kafkaService.tls.cert }}/ca.crt - {{- else }} - {{/* This is a required field so we use the default in the redpanda debian container */}} - truststore_file: /etc/ssl/certs/ca-certificates.crt - {{- end }} -{{- end }} -{{- range $name, $listener := $kafkaService.external }} - {{- $k := dict "Values" $values "listener" $listener }} - {{- if and (include "kafka-external-tls-enabled" $k | fromJson).bool (dig "enabled" true $listener) }} - {{- $mtls := dig "tls" "requireClientAuth" false $listener }} - {{- $mtls = dig "tls" "requireClientAuth" $mtls $k }} - {{- $certName := include "kafka-external-tls-cert" $k }} - {{- $certPath := printf "/etc/tls/certs/%s" $certName }} - {{- $cert := get $values.tls.certs $certName }} - {{- if empty $cert }} - {{- fail (printf "Certificate, '%s', used but not defined" $certName)}} - {{- end }} - - name: {{ $name }} - enabled: true - cert_file: {{ $certPath }}/tls.crt - key_file: {{ $certPath }}/tls.key - require_client_auth: {{ $mtls }} - {{- if $cert.caEnabled }} - truststore_file: {{ $certPath }}/ca.crt - {{- else }} - {{/* This is a required field so we use the default in the redpanda debian container */}} - truststore_file: /etc/ssl/certs/ca-certificates.crt - {{- end }} - {{- end }} -{{- end -}} -{{/* RPC Server */}} -{{- $service = .Values.listeners.rpc }} - rpc_server: - address: 0.0.0.0 - port: {{ $service.port }} -{{- if (include "rpc-tls-enabled" . 
| fromJson).bool }} - rpc_server_tls: - enabled: true - cert_file: /etc/tls/certs/{{ $service.tls.cert }}/tls.crt - key_file: /etc/tls/certs/{{ $service.tls.cert }}/tls.key - require_client_auth: {{ $service.tls.requireClientAuth }} - {{- $cert := get .Values.tls.certs $service.tls.cert }} - {{- if empty $cert }} - {{- fail (printf "Certificate used but not defined")}} - {{- end }} - {{- if $cert.caEnabled }} - truststore_file: /etc/tls/certs/{{ $service.tls.cert }}/ca.crt - {{- else }} - {{- /* This is a required field so we use the default in the redpanda debian container */}} - truststore_file: /etc/ssl/certs/ca-certificates.crt - {{- end }} -{{- end -}} -{{- with $root.tempConfigMapServerList }} - seed_servers: {{ toYaml . | nindent 6 }} -{{- end }} -{{- if (include "storage-tiered-config" .|fromJson).cloud_storage_enabled }} - {{- $tieredStorageConfig := (include "storage-tiered-config" .|fromJson) }} - {{- if not (include "redpanda-atleast-22-3-0" . | fromJson).bool }} - {{- $tieredStorageConfig = unset $tieredStorageConfig "cloud_storage_credentials_source" }} - {{- end }} - {{- range $key, $element := $tieredStorageConfig }} - {{- if or (eq (typeOf $element) "bool") $element }} - {{- if eq $key "cloud_storage_cache_size" }} - {{- if typeIs "string" $element -}} - {{- dict $key ((get (fromJson (include "redpanda.SIToBytes" (dict "a" (list $element)) )) "r") | int64 | toString) | toYaml | nindent 2 -}} - {{- else }} - {{- dict $key ($element | int64 | toString )| toYaml | nindent 2 -}} - {{- end }} - {{- else }} - {{- dict $key $element | toYaml | nindent 2 -}} - {{- end }} - {{- end }} - {{- end }} -{{- end }} -{{/* Schema Registry API */}} -{{- if and .Values.listeners.schemaRegistry.enabled (include "redpanda-22-2-x-without-sasl" $root | fromJson).bool }} - {{- $schemaRegistryService := .Values.listeners.schemaRegistry }} - schema_registry_client: - brokers: - {{- range $id, $item := $root.tempConfigMapServerList }} - - address: {{ $item.host.address }} - 
port: {{ $kafkaService.port }} - {{- end }} - {{- if (include "kafka-internal-tls-enabled" . | fromJson).bool }} - broker_tls: - enabled: true - require_client_auth: {{ $kafkaService.tls.requireClientAuth }} - cert_file: /etc/tls/certs/{{ $kafkaService.tls.cert }}/tls.crt - key_file: /etc/tls/certs/{{ $kafkaService.tls.cert }}/tls.key - {{- $cert := get .Values.tls.certs $kafkaService.tls.cert }} - {{- if empty $cert }} - {{- fail (printf "Certificate used but not defined")}} - {{- end }} - {{- if $cert.caEnabled }} - truststore_file: /etc/tls/certs/{{ $kafkaService.tls.cert }}/ca.crt - {{- else }} - {{- /* This is a required field so we use the default in the redpanda debian container */}} - truststore_file: /etc/ssl/certs/ca-certificates.crt - {{- end }} - {{- end }} - {{- with .Values.config.schema_registry_client }} - {{- toYaml . | nindent 6 }} - {{- end }} - schema_registry: - schema_registry_api: - - name: internal - address: 0.0.0.0 - port: {{ $schemaRegistryService.port }} - {{- if or (include "sasl-enabled" $root | fromJson).bool $schemaRegistryService.authenticationMethod }} - authentication_method: {{ default "http_basic" $schemaRegistryService.authenticationMethod }} - {{- end }} - {{- range $name, $listener := $schemaRegistryService.external }} - {{- if dig "enabled" true $listener }} - - name: {{ $name }} - address: 0.0.0.0 - {{- /* - when upgrading from an older version that had a missing port, fail if we cannot guess a default - this should work in all cases as the older versions would have failed with multiple listeners anyway - */}} - {{- if and (empty $listener.port) (ne (len $schemaRegistryService.external) 1) }} - {{- fail "missing required port for schemaRegistry listener $listener.name" }} - {{- end }} - port: {{ $listener.port }} - {{- if or (include "sasl-enabled" $root | fromJson).bool $listener.authenticationMethod }} - authentication_method: {{ default "http_basic" $listener.authenticationMethod }} - {{- end }} - {{- end }} - {{- end }} 
- schema_registry_api_tls: - {{- if (include "schemaRegistry-internal-tls-enabled" . | fromJson).bool }} - - name: internal - enabled: true - cert_file: /etc/tls/certs/{{ $schemaRegistryService.tls.cert }}/tls.crt - key_file: /etc/tls/certs/{{ $schemaRegistryService.tls.cert }}/tls.key - require_client_auth: {{ $schemaRegistryService.tls.requireClientAuth }} - {{- $cert := get .Values.tls.certs $schemaRegistryService.tls.cert }} - {{- if empty $cert }} - {{- fail ( printf "Certificate used but not defined" )}} - {{- end }} - {{- if $cert.caEnabled }} - truststore_file: /etc/tls/certs/{{ $schemaRegistryService.tls.cert }}/ca.crt - {{- else }} - {{- /* This is a required field so we use the default in the redpanda debian container */}} - truststore_file: /etc/ssl/certs/ca-certificates.crt - {{- end }} - {{- end }} - {{- range $name, $listener := $schemaRegistryService.external }} - {{- $k := dict "Values" $values "listener" $listener }} - {{- if and (include "schemaRegistry-external-tls-enabled" $k | fromJson).bool (dig "enabled" true $listener) }} - {{- $mtls := dig "tls" "requireClientAuth" false $listener }} - {{- $mtls = dig "tls" "requireClientAuth" $mtls $k }} - {{- $certName := include "schemaRegistry-external-tls-cert" $k }} - {{- $certPath := printf "/etc/tls/certs/%s" $certName }} - {{- $cert := get $values.tls.certs $certName }} - {{- if empty $cert }} - {{- fail ( printf "Certificate, '%s', used but not defined" $certName )}} - {{- end }} - - name: {{ $name }} - enabled: true - cert_file: {{ $certPath }}/tls.crt - key_file: {{ $certPath }}/tls.key - require_client_auth: {{ $mtls }} - {{- if $cert.caEnabled }} - truststore_file: {{ $certPath }}/ca.crt - {{- else }} - {{- /* This is a required field so we use the default in the redpanda debian container */}} - truststore_file: /etc/ssl/certs/ca-certificates.crt - {{- end }} - {{- end }} - {{- end }} -{{- end -}} -{{/* AUDIT LOGS: Client Details */}} -{{- if (include "redpanda-atleast-23-3-0" . 
| fromJson).bool }} - {{- if and ( dig "enabled" "false" .Values.auditLogging ) (include "sasl-enabled" $root | fromJson).bool }} - {{- if not ( empty ( include "kafka-brokers-sasl-enabled" . | fromJson ) ) }} - audit_log_client: - {{- include "kafka-brokers-sasl-enabled" . | nindent 4 -}} - {{- end }} - {{- end }} -{{- end }} -{{/* HTTP Proxy */}} -{{- if and .Values.listeners.http.enabled (include "redpanda-22-2-x-without-sasl" $root | fromJson).bool }} - {{- $HTTPService := .Values.listeners.http }} - pandaproxy_client: - brokers: - {{- range $id, $item := $root.tempConfigMapServerList }} - - address: {{ $item.host.address }} - port: {{ $kafkaService.port }} - {{- end }} - {{- if (include "kafka-internal-tls-enabled" . | fromJson).bool }} - broker_tls: - enabled: true - require_client_auth: {{ $kafkaService.tls.requireClientAuth }} - cert_file: /etc/tls/certs/{{ $kafkaService.tls.cert }}/tls.crt - key_file: /etc/tls/certs/{{ $kafkaService.tls.cert }}/tls.key - {{- $cert := get .Values.tls.certs $kafkaService.tls.cert }} - {{- if empty $cert }} - {{- fail (printf "Certificate used but not defined")}} - {{- end }} - {{- if $cert.caEnabled }} - truststore_file: /etc/tls/certs/{{ $kafkaService.tls.cert }}/ca.crt - {{- else }} - {{- /* This is a required field so we use the default in the redpanda debian container */}} - truststore_file: /etc/ssl/certs/ca-certificates.crt - {{- end }} - {{- with .Values.config.pandaproxy_client }} - {{- toYaml . 
| nindent 6 }} - {{- end }} -{{- end }} - pandaproxy: - pandaproxy_api: - - name: internal - address: 0.0.0.0 - port: {{ $HTTPService.port }} -{{- if or (include "sasl-enabled" $root | fromJson).bool $HTTPService.authenticationMethod }} - authentication_method: {{ default "http_basic" $HTTPService.authenticationMethod }} -{{- end }} -{{- range $name, $listener := $HTTPService.external }} - {{- if and $listener.port $name (dig "enabled" true $listener) }} - - name: {{ $name }} - address: 0.0.0.0 - port: {{ $listener.port }} - {{- if or (include "sasl-enabled" $root | fromJson).bool $listener.authenticationMethod }} - authentication_method: {{ default "http_basic" $listener.authenticationMethod }} - {{- end }} - {{- end }} -{{- end }} - pandaproxy_api_tls: -{{- if (include "http-internal-tls-enabled" . | fromJson).bool }} - - name: internal - enabled: true - cert_file: /etc/tls/certs/{{ $HTTPService.tls.cert }}/tls.crt - key_file: /etc/tls/certs/{{ $HTTPService.tls.cert }}/tls.key - require_client_auth: {{ $HTTPService.tls.requireClientAuth }} - {{- $cert := get .Values.tls.certs $HTTPService.tls.cert }} - {{- if empty $cert }} - {{- fail (printf "Certificate used but not defined")}} - {{- end }} - {{- if $cert.caEnabled }} - truststore_file: /etc/tls/certs/{{ $HTTPService.tls.cert }}/ca.crt - {{- else }} - {{- /* This is a required field so we use the default in the redpanda debian container */}} - truststore_file: /etc/ssl/certs/ca-certificates.crt - {{- end }} - {{- end }} - {{- range $name, $listener := $HTTPService.external }} - {{- $k := dict "Values" $values "listener" $listener }} - {{- if and (include "http-external-tls-enabled" $k | fromJson).bool (dig "enabled" true $listener) }} - {{- $mtls := dig "tls" "requireClientAuth" false $listener }} - {{- $mtls = dig "tls" "requireClientAuth" $mtls $k }} - {{- $certName := include "http-external-tls-cert" $k }} - {{- $certPath := printf "/etc/tls/certs/%s" $certName }} - {{- $cert := get $values.tls.certs 
$certName }} - {{- if empty $cert }} - {{- fail (printf "Certificate, '%s', used but not defined" $certName )}} - {{- end }} - - name: {{ $name }} - enabled: true - cert_file: {{ $certPath }}/tls.crt - key_file: {{ $certPath }}/tls.key - require_client_auth: {{ $mtls }} - {{- if $cert.caEnabled }} - truststore_file: {{ $certPath }}/ca.crt - {{- else }} - {{- /* This is a required field so we use the default in the redpanda debian container */}} - truststore_file: /etc/ssl/certs/ca-certificates.crt - {{- end }} - {{- end }} - {{- end }} -{{- end }} -{{/* END LISTENERS */}} -{{- end -}} - -{{- define "rpk-config-internal" -}} - {{- $brokers := list -}} - {{- $admin := list -}} - {{- range $i := untilStep 0 (.Values.statefulset.replicas|int) 1 -}} - {{- $podName := printf "%s-%d.%s" (include "redpanda.fullname" $) $i (include "redpanda.internal.domain" $) -}} - {{- $brokers = concat $brokers (list (printf "%s:%d" $podName (int $.Values.listeners.kafka.port))) -}} - {{- $admin = concat $admin (list (printf "%s:%d" $podName (int $.Values.listeners.admin.port))) -}} - {{- end -}} -rpk: - # redpanda server configuration - overprovisioned: {{ dig "cpu" "overprovisioned" false .Values.resources }} - enable_memory_locking: {{ dig "memory" "enable_memory_locking" false .Values.resources }} - additional_start_flags: - {{- get ((include "redpanda.RedpandaAdditionalStartFlags" (dict "a" (list . (include "redpanda-smp" .) ))) | fromJson) "r" | toYaml | nindent 4 }} - - {{- with dig "config" "rpk" dict .Values.AsMap }} - # config.rpk entries - {{- toYaml . | nindent 2 }} - {{- end }} - - {{- with dig "tuning" dict .Values.AsMap }} - # rpk tune entries - {{- toYaml . | nindent 2 }} - {{- end }} - - # kafka connection configuration - kafka_api: - brokers: {{ toYaml $brokers | nindent 6 }} - tls: - {{- if (include "kafka-internal-tls-enabled" . 
| fromJson).bool }} - {{- $cert := get .Values.tls.certs .Values.listeners.kafka.tls.cert }} - {{- if $cert.caEnabled }} - truststore_file: {{ printf "/etc/tls/certs/%s/ca.crt" .Values.listeners.kafka.tls.cert }} - {{- end }} - {{- if .Values.listeners.kafka.tls.requireClientAuth }} - cert_file: {{ printf "/etc/tls/certs/%s-client/tls.crt" (include "redpanda.fullname" .) }} - key_file: {{ printf "/etc/tls/certs/%s-client/tls.key" (include "redpanda.fullname" .) }} - {{- end }} - {{- end }} - admin_api: - addresses: {{ toYaml $admin | nindent 6 }} - tls: - {{- if (include "admin-internal-tls-enabled" . | fromJson).bool }} - {{- $cert := get .Values.tls.certs .Values.listeners.admin.tls.cert }} - {{- if $cert.caEnabled }} - truststore_file: {{ printf "/etc/tls/certs/%s/ca.crt" .Values.listeners.admin.tls.cert }} - {{- end }} - {{- if .Values.listeners.admin.tls.requireClientAuth }} - cert_file: {{ printf "/etc/tls/certs/%s-client/tls.crt" (include "redpanda.fullname" .) }} - key_file: {{ printf "/etc/tls/certs/%s-client/tls.key" (include "redpanda.fullname" .) }} - {{- end }} - {{- end }} -{{- end -}} - -{{- define "configmap-server-list" -}} - {{- $serverList := list -}} - {{- range (include "seed-server-list" . | mustFromJson) -}} - {{- $server := dict "host" (dict "address" . "port" $.Values.listeners.rpc.port) -}} - {{- $serverList = append $serverList $server -}} - {{- end -}} - {{- toJson (dict "serverList" $serverList) -}} -{{- end -}} - -{{- define "full-configmap" -}} - {{- $serverList := (fromJson (include "configmap-server-list" .)).serverList -}} - {{- $r := set . 
"tempConfigMapServerList" $serverList -}} - {{ include "configmap-content-no-seed" $r | nindent 0 }} - {{ include "rpk-config-internal" $ | nindent 2 }} -{{- end -}} - -{{- define "rpk-config-external" -}} - {{- $brokers := list -}} - {{- $admin := list -}} - {{- $profile := keys .Values.listeners.kafka.external | sortAlpha | first -}} - {{- $kafkaListener := get .Values.listeners.kafka.external $profile -}} - {{- $adminListener := dict -}} - {{- if .Values.listeners.admin.external -}} - {{- $adminprofile := keys .Values.listeners.admin.external | first -}} - {{- $adminListener = get .Values.listeners.admin.external $adminprofile -}} - {{- end -}} - {{- range $i := until (.Values.statefulset.replicas|int) -}} - {{- $externalAdvertiseAddress := printf "%s-%d" (include "redpanda.fullname" $) $i -}} - {{- if (tpl ($.Values.external.domain | default "") $) -}} - {{- $externalAdvertiseAddress = printf "%s.%s" $externalAdvertiseAddress (tpl $.Values.external.domain $) -}} - {{- end -}} - {{- $tmplVals := dict "listenerVals" $.Values.listeners.kafka "externalVals" $kafkaListener "externalName" $profile "externalAdvertiseAddress" $externalAdvertiseAddress "values" $.Values "replicaIndex" $i -}} - {{- $port := int (include "advertised-port" $tmplVals) -}} - {{- $host := fromJson (include "advertised-host" (mustMerge $tmplVals (dict "port" $port) $)) -}} - {{- $brokers = concat $brokers (list (printf "%s:%d" (get $host "address") (get $host "port" | int))) -}} - {{- $tmplVals = dict "listenerVals" $.Values.listeners.admin "externalVals" $adminListener "externalName" $profile "externalAdvertiseAddress" $externalAdvertiseAddress "values" $.Values "replicaIndex" $i -}} - {{- $port = int (include "advertised-port" $tmplVals) -}} - {{- $host = fromJson (include "advertised-host" (mustMerge $tmplVals (dict "port" $port) $)) -}} - {{- $admin = concat $admin (list (printf "%s:%d" (get $host "address") (get $host "port" | int))) -}} - {{- end -}} -name: {{ $profile }} -kafka_api: - 
brokers: {{ toYaml $brokers | nindent 6 }}
- tls:
- {{- if and (include "kafka-external-tls-enabled" (dict "Values" .Values "listener" $kafkaListener) | fromJson).bool (dig "enabled" true $adminListener) }}
- {{- $cert := get .Values.tls.certs .Values.listeners.kafka.tls.cert }}
- {{- if $cert.caEnabled }}
- ca_file: ca.crt
- {{- end }}
- {{- if .Values.listeners.kafka.tls.requireClientAuth }}
- cert_file: tls.crt
- key_file: tls.key
- {{- end }}
- {{- end }}
-admin_api:
- addresses: {{ toYaml $admin | nindent 6 }}
- tls:
- {{- if and (include "admin-external-tls-enabled" (dict "Values" .Values "listener" $adminListener) | fromJson).bool (dig "enabled" true $adminListener) }}
- {{- $cert := get .Values.tls.certs .Values.listeners.admin.tls.cert }}
- {{- if $cert.caEnabled }}
- ca_file: ca.crt
- {{- end }}
- {{- if .Values.listeners.admin.tls.requireClientAuth }}
- cert_file: tls.crt
- key_file: tls.key
- {{- end }}
- {{- end }}
-{{- end -}}
diff --git a/charts/redpanda/redpanda/templates/_helpers.go.tpl b/charts/redpanda/redpanda/templates/_helpers.go.tpl
index 41e0cd0b6..200b195a6 100644
--- a/charts/redpanda/redpanda/templates/_helpers.go.tpl
+++ b/charts/redpanda/redpanda/templates/_helpers.go.tpl
@@ -33,7 +33,7 @@
 {{- (dict "r" (get (fromJson (include "redpanda.cleanForK8s" (dict "a" (list $override_3) ))) "r")) | toJson -}}
 {{- break -}}
 {{- end -}}
-{{- (dict "r" (get (fromJson (include "redpanda.cleanForK8s" (dict "a" (list (printf "%s" $dot.Release.Name)) ))) "r")) | toJson -}}
+{{- (dict "r" (get (fromJson (include "redpanda.cleanForK8s" (dict "a" (list $dot.Release.Name) ))) "r")) | toJson -}}
 {{- break -}}
 {{- end -}}
 {{- end -}}
@@ -171,7 +171,7 @@
 {{- define "redpanda.DefaultMounts" -}}
 {{- $dot := (index .a 0) -}}
 {{- range $_ := (list 1) -}}
-{{- (dict "r" (concat (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" "config" "mountPath" "/etc/redpanda" ))) (get (fromJson (include "redpanda.CommonMounts" (dict "a" (list $dot) ))) "r"))) | toJson -}}
+{{- (dict "r" (concat (default (list ) (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" "config" "mountPath" "/etc/redpanda" )))) (default (list ) (get (fromJson (include "redpanda.CommonMounts" (dict "a" (list $dot) ))) "r")))) | toJson -}}
 {{- break -}}
 {{- end -}}
 {{- end -}}
@@ -183,16 +183,16 @@
 {{- $mounts := (list ) -}}
 {{- $sasl_5 := $values.auth.sasl -}}
 {{- if (and $sasl_5.enabled (ne $sasl_5.secretRef "")) -}}
-{{- $mounts = (mustAppend $mounts (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" "users" "mountPath" "/etc/secrets/users" "readOnly" true ))) -}}
+{{- $mounts = (concat (default (list ) $mounts) (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" "users" "mountPath" "/etc/secrets/users" "readOnly" true )))) -}}
 {{- end -}}
 {{- if (get (fromJson (include "redpanda.TLSEnabled" (dict "a" (list $dot) ))) "r") -}}
 {{- $certNames := (keys $values.tls.certs) -}}
 {{- $_ := (sortAlpha $certNames) -}}
 {{- range $_, $name := $certNames -}}
-{{- $mounts = (mustAppend $mounts (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" (printf "redpanda-%s-cert" $name) "mountPath" (printf "/etc/tls/certs/%s" $name) ))) -}}
+{{- $mounts = (concat (default (list ) $mounts) (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" (printf "redpanda-%s-cert" $name) "mountPath" (printf "/etc/tls/certs/%s" $name) )))) -}}
 {{- end -}}
 {{- if (get (fromJson (include "redpanda.ClientAuthRequired" (dict "a" (list $dot) ))) "r") -}}
-{{- $mounts = (mustAppend $mounts (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" "mtls-client" "mountPath" (printf "/etc/tls/certs/%s-client" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) ))) -}}
+{{- $mounts = (concat (default (list ) $mounts) (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" "mtls-client" "mountPath" (printf "/etc/tls/certs/%s-client" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) )))) -}}
 {{- end -}}
 {{- end -}}
 {{- (dict "r" $mounts) | toJson -}}
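Review bot: The two Secret-backed mounts rebuilt on the new side of this hunk — the per-certificate `redpanda-%s-cert` mount at `/etc/tls/certs/%s` and the `mtls-client` mount at `/etc/tls/certs/%s-client` — carry no `readOnly` flag, while the `users` mount a few lines above sets `"readOnly" true`; the `@@ -218` hunk shows all three are fed from Secret volumes, so adding `"readOnly" true` to both dicts, e.g. `(dict "name" (printf "redpanda-%s-cert" $name) "mountPath" (printf "/etc/tls/certs/%s" $name) "readOnly" true )`, would make the intent explicit and consistent. Kubernetes mounts Secret volumes read-only on current releases regardless of the flag, so this is a consistency point carried over from the removed `mustAppend` lines rather than a regression introduced here. If this file is generated from Go, the change belongs in the generator's source. The enclosing define (presumably `redpanda.CommonMounts`, given the call in the `@@ -171` hunk) starts outside this hunk.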
@@ -203,7 +203,7 @@ {{- define "redpanda.DefaultVolumes" -}} {{- $dot := (index .a 0) -}} {{- range $_ := (list 1) -}} -{{- (dict "r" (concat (list (mustMergeOverwrite (dict "name" "" ) (mustMergeOverwrite (dict ) (dict "configMap" (mustMergeOverwrite (dict ) (mustMergeOverwrite (dict ) (dict "name" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") )) (dict )) )) (dict "name" "config" ))) (get (fromJson (include "redpanda.CommonVolumes" (dict "a" (list $dot) ))) "r"))) | toJson -}} +{{- (dict "r" (concat (default (list ) (list (mustMergeOverwrite (dict "name" "" ) (mustMergeOverwrite (dict ) (dict "configMap" (mustMergeOverwrite (dict ) (mustMergeOverwrite (dict ) (dict "name" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") )) (dict )) )) (dict "name" "config" )))) (default (list ) (get (fromJson (include "redpanda.CommonVolumes" (dict "a" (list $dot) ))) "r")))) | toJson -}} {{- break -}} {{- end -}} {{- end -}} 
@@ -218,15 +218,15 @@ {{- $_ := (sortAlpha $certNames) -}} {{- range $_, $name := $certNames -}} {{- $cert := (index $values.tls.certs $name) -}} -{{- $volumes = (mustAppend $volumes (mustMergeOverwrite (dict "name" "" ) (mustMergeOverwrite (dict ) (dict "secret" (mustMergeOverwrite (dict ) (dict "secretName" (get (fromJson (include "redpanda.CertSecretName" (dict "a" (list $dot $name $cert) ))) "r") "defaultMode" 0o440 )) )) (dict "name" (printf "redpanda-%s-cert" $name) ))) -}} +{{- $volumes = (concat (default (list ) $volumes) (list (mustMergeOverwrite (dict "name" "" ) (mustMergeOverwrite (dict ) (dict "secret" (mustMergeOverwrite (dict ) (dict "secretName" (get (fromJson (include "redpanda.CertSecretName" (dict "a" (list $dot $name $cert) ))) "r") "defaultMode" (0o440 | int) )) )) (dict "name" (printf "redpanda-%s-cert" $name) )))) -}} {{- end -}} {{- if (get (fromJson (include "redpanda.ClientAuthRequired" (dict "a" (list $dot) ))) "r") -}} -{{- $volumes = (mustAppend $volumes (mustMergeOverwrite (dict "name" "" ) (mustMergeOverwrite (dict ) (dict "secret" (mustMergeOverwrite (dict ) (dict "secretName" (printf "%s-client" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) "defaultMode" 0o440 )) )) (dict "name" "mtls-client" ))) -}} +{{- $volumes = (concat (default (list ) $volumes) (list (mustMergeOverwrite (dict "name" "" ) (mustMergeOverwrite (dict ) (dict "secret" (mustMergeOverwrite (dict ) (dict "secretName" (printf "%s-client" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) "defaultMode" (0o440 | int) )) )) (dict "name" "mtls-client" )))) -}} {{- end -}} {{- end -}} {{- $sasl_6 := $values.auth.sasl -}} {{- if (and $sasl_6.enabled (ne $sasl_6.secretRef "")) -}} -{{- $volumes = (mustAppend $volumes (mustMergeOverwrite (dict "name" "" ) (mustMergeOverwrite (dict ) (dict "secret" (mustMergeOverwrite (dict ) (dict "secretName" $sasl_6.secretRef )) )) (dict "name" "users" ))) -}} +{{- $volumes = (concat 
(default (list ) $volumes) (list (mustMergeOverwrite (dict "name" "" ) (mustMergeOverwrite (dict ) (dict "secret" (mustMergeOverwrite (dict ) (dict "secretName" $sasl_6.secretRef )) )) (dict "name" "users" )))) -}} {{- end -}} {{- (dict "r" $volumes) | toJson -}} {{- break -}} @@ -355,7 +355,21 @@ {{- define "redpanda.cleanForK8s" -}} {{- $in := (index .a 0) -}} {{- range $_ := (list 1) -}} -{{- (dict "r" (trimSuffix "-" (trunc 63 $in))) | toJson -}} +{{- (dict "r" (trimSuffix "-" (trunc (63 | int) $in))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.RedpandaSMP" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $values := $dot.Values.AsMap -}} +{{- $coresInMillies := ((get (fromJson (include "_shims.resource_MilliValue" (dict "a" (list $values.resources.cpu.cores) ))) "r") | int64) -}} +{{- if (lt $coresInMillies (1000 | int64)) -}} +{{- (dict "r" (1 | int64)) | toJson -}} +{{- break -}} +{{- end -}} +{{- (dict "r" ((get (fromJson (include "_shims.resource_Value" (dict "a" (list $values.resources.cpu.cores) ))) "r") | int64)) | toJson -}} {{- break -}} {{- end -}} {{- end -}} diff --git a/charts/redpanda/redpanda/templates/_helpers.tpl b/charts/redpanda/redpanda/templates/_helpers.tpl index 96b560714..07c38d508 100644 --- a/charts/redpanda/redpanda/templates/_helpers.tpl +++ b/charts/redpanda/redpanda/templates/_helpers.tpl 
@@ -145,19 +145,6 @@ Use AppVersion if image.tag is not set
 {{- toJson (dict "bool" (dig "enabled" false .Values.auth.sasl)) -}}
 {{- end -}}
 
-{{- define "external-loadbalancer-enabled" -}}
-{{- $values := .Values -}}
-{{- $enabled := and .Values.external.enabled (eq .Values.external.type "LoadBalancer") -}}
-{{- range $listener := .Values.listeners -}}
- {{- range $external := $listener.external -}}
- {{- if and (dig "enabled" false $external) (eq (dig "type" $values.external.type $external) "LoadBalancer") -}}
- {{- $enabled = true -}}
- {{- end -}}
- {{- end -}}
-{{- end -}}
-{{- toJson (dict "bool" $enabled) -}}
-{{- end -}}
-
 {{/*
 Returns the value of "resources.cpu.cores" in millicores.
 And ensures CPU units are using known suffix (really only "m") or no suffix at all.
@@ -204,16 +191,7 @@ than 1 core.
 {{- end -}}
 
 {{- define "storage-min-free-bytes" -}}
-{{- $fiveGiB := 5368709120 -}}
-{{- if dig "enabled" false .Values.storage.persistentVolume -}}
- {{- if typeIs "string" .Values.storage.persistentVolume.size -}}
- {{- min $fiveGiB (mulf (get ((include "redpanda.SIToBytes" (dict "a" (list .Values.storage.persistentVolume.size))) | fromJson) "r" ) 0.05 | int64) -}}
- {{- else -}}
- {{- min $fiveGiB (mulf .Values.storage.persistentVolume.size 0.05 | int64) -}}
- {{- end -}}
-{{- else -}}
-{{- $fiveGiB -}}
-{{- end -}}
+{{- get ((include "redpanda.Storage.StorageMinFreeBytes" (dict "a" (list .Values.storage))) | fromJson) "r" | int64 -}}
 {{- end -}}
 
 {{- define "tunable" -}}
diff --git a/charts/redpanda/redpanda/templates/_post-install-upgrade-job.go.tpl b/charts/redpanda/redpanda/templates/_post-install-upgrade-job.go.tpl
index 551e75e94..802c7ee5f 100644
--- a/charts/redpanda/redpanda/templates/_post-install-upgrade-job.go.tpl
+++ b/charts/redpanda/redpanda/templates/_post-install-upgrade-job.go.tpl
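Review bot: The one-line replacement body of `storage-min-free-bytes` (second hunk) no longer shows the rule it implements — the removed code made the contract readable at the call site: 5 % of `storage.persistentVolume.size` capped at 5 GiB, 5 GiB when persistence is disabled, with separate handling for a string vs. numeric `size` — and `redpanda.Storage.StorageMinFreeBytes` is not in this diff, so a reader cannot tell whether the numeric-`size` branch survived. Add a comment above the define, e.g. `{{/* Minimum free bytes for the data dir; delegates to redpanda.Storage.StorageMinFreeBytes, which must keep the previous rule: 5 % of storage.persistentVolume.size capped at 5 GiB, 5 GiB when persistence is disabled. */}}`. A chart test rendering with an integer `persistentVolume.size` would pin that the delegated helper still accepts it. The first hunk only deletes `external-loadbalancer-enabled`, so nothing to raise there.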
@@ -8,19 +8,16 @@ {{- $license_1 := (get (fromJson (include "redpanda.GetLicenseLiteral" (dict "a" (list $dot) ))) "r") -}} {{- $secretReference_2 := (get (fromJson (include "redpanda.GetLicenseSecretReference" (dict "a" (list $dot) ))) "r") -}} {{- if (ne $license_1 "") -}} -{{- $envars = (mustAppend $envars (mustMergeOverwrite (dict "name" "" ) (dict "name" "REDPANDA_LICENSE" "value" $license_1 ))) -}} +{{- $envars = (concat (default (list ) $envars) (list (mustMergeOverwrite (dict "name" "" ) (dict "name" "REDPANDA_LICENSE" "value" $license_1 )))) -}} {{- else -}}{{- if (ne $secretReference_2 (coalesce nil)) -}} -{{- $envars = (mustAppend $envars (mustMergeOverwrite (dict "name" "" ) (dict "name" "REDPANDA_LICENSE" "valueFrom" (mustMergeOverwrite (dict ) (dict "secretKeyRef" $secretReference_2 )) ))) -}} +{{- $envars = (concat (default (list ) $envars) (list (mustMergeOverwrite (dict "name" "" ) (dict "name" "REDPANDA_LICENSE" "valueFrom" (mustMergeOverwrite (dict ) (dict "secretKeyRef" $secretReference_2 )) )))) -}} {{- end -}} {{- end -}} -{{- $tieredStorageConfig := $values.storage.tiered.config -}} -{{- if (gt (int (get (fromJson (include "_shims.len" (dict "a" (list $values.storage.tieredConfig) ))) "r")) 0) -}} -{{- $tieredStorageConfig = $values.storage.tieredConfig -}} -{{- end -}} -{{- if (not (get (fromJson (include "redpanda.IsTieredStorageEnabled" (dict "a" (list $tieredStorageConfig) ))) "r")) -}} +{{- if (not (get (fromJson (include "redpanda.Storage.IsTieredStorageEnabled" (dict "a" (list $values.storage) ))) "r")) -}} {{- (dict "r" $envars) | toJson -}} {{- break -}} {{- end -}} +{{- $tieredStorageConfig := (get (fromJson (include "redpanda.Storage.GetTieredStorageConfig" (dict "a" (list $values.storage) ))) "r") -}} {{- $tmp_tuple_1 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.dicttest" (dict "a" (list $tieredStorageConfig "cloud_storage_azure_container" (coalesce nil)) ))) "r")) ))) "r") -}} {{- 
$azureContainerExists := $tmp_tuple_1.T2 -}} {{- $ac := $tmp_tuple_1.T1 -}} @@ -28,11 +25,11 @@ {{- $azureStorageAccountExists := $tmp_tuple_2.T2 -}} {{- $asa := $tmp_tuple_2.T1 -}} {{- if (and (and (and $azureContainerExists (ne $ac (coalesce nil))) $azureStorageAccountExists) (ne $asa (coalesce nil))) -}} -{{- $envars = (concat $envars (get (fromJson (include "redpanda.addAzureSharedKey" (dict "a" (list $tieredStorageConfig $values) ))) "r")) -}} +{{- $envars = (concat (default (list ) $envars) (default (list ) (get (fromJson (include "redpanda.addAzureSharedKey" (dict "a" (list $tieredStorageConfig $values) ))) "r"))) -}} {{- else -}} -{{- $envars = (concat $envars (get (fromJson (include "redpanda.addCloudStorageSecretKey" (dict "a" (list $tieredStorageConfig $values) ))) "r")) -}} +{{- $envars = (concat (default (list ) $envars) (default (list ) (get (fromJson (include "redpanda.addCloudStorageSecretKey" (dict "a" (list $tieredStorageConfig $values) ))) "r"))) -}} {{- end -}} -{{- $envars = (concat $envars (get (fromJson (include "redpanda.addCloudStorageAccessKey" (dict "a" (list $tieredStorageConfig $values) ))) "r")) -}} +{{- $envars = (concat (default (list ) $envars) (default (list ) (get (fromJson (include "redpanda.addCloudStorageAccessKey" (dict "a" (list $tieredStorageConfig $values) ))) "r"))) -}} {{- range $k, $v := $tieredStorageConfig -}} {{- if (or (or (eq $k "cloud_storage_access_key") (eq $k "cloud_storage_secret_key")) (eq $k "cloud_storage_azure_shared_key")) -}} {{- continue -}} 
@@ -40,20 +37,17 @@ {{- if (or (eq $v (coalesce nil)) (empty $v)) -}} {{- continue -}} {{- end -}} -{{- $tmp_tuple_3 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.typetest" (dict "a" (list "string" $v "") ))) "r")) ))) "r") -}} -{{- $isStr_4 := $tmp_tuple_3.T2 -}} -{{- $asStr_3 := $tmp_tuple_3.T1 -}} -{{- if (and (and (eq $k "cloud_storage_cache_size") $isStr_4) (ne $asStr_3 "")) -}} -{{- $envars = (mustAppend $envars (mustMergeOverwrite (dict "name" "" ) (dict "name" (printf "RPK_%s" (upper $k)) "value" (toJson (get (fromJson (include "redpanda.SIToBytes" (dict "a" (list (get (fromJson (include "_shims.typeassertion" (dict "a" (list "string" $v) ))) "r")) ))) "r")) ))) -}} +{{- if (and (eq $k "cloud_storage_cache_size") (ne $v (coalesce nil))) -}} +{{- $envars = (concat (default (list ) $envars) (list (mustMergeOverwrite (dict "name" "" ) (dict "name" (printf "RPK_%s" (upper $k)) "value" (toJson ((get (fromJson (include "_shims.resource_Value" (dict "a" (list $v) ))) "r") | int64)) )))) -}} {{- continue -}} {{- end -}} -{{- $tmp_tuple_4 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.typetest" (dict "a" (list "string" $v "") ))) "r")) ))) "r") -}} -{{- $ok_6 := $tmp_tuple_4.T2 -}} -{{- $str_5 := $tmp_tuple_4.T1 -}} -{{- if $ok_6 -}} -{{- $envars = (mustAppend $envars (mustMergeOverwrite (dict "name" "" ) (dict "name" (printf "RPK_%s" (upper $k)) "value" $str_5 ))) -}} +{{- $tmp_tuple_3 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.typetest" (dict "a" (list "string" $v "") ))) "r")) ))) "r") -}} +{{- $ok_4 := $tmp_tuple_3.T2 -}} +{{- $str_3 := $tmp_tuple_3.T1 -}} +{{- if $ok_4 -}} +{{- $envars = (concat (default (list ) $envars) (list (mustMergeOverwrite (dict "name" "" ) (dict "name" (printf "RPK_%s" (upper $k)) "value" $str_3 )))) -}} {{- else -}} -{{- $envars = (mustAppend $envars (mustMergeOverwrite (dict "name" "" ) (dict 
"name" (printf "RPK_%s" (upper $k)) "value" (mustToJson $v) ))) -}} +{{- $envars = (concat (default (list ) $envars) (list (mustMergeOverwrite (dict "name" "" ) (dict "name" (printf "RPK_%s" (upper $k)) "value" (mustToJson $v) )))) -}} {{- end -}} {{- end -}} {{- (dict "r" $envars) | toJson -}} 
@@ -65,15 +59,15 @@ {{- $tieredStorageConfig := (index .a 0) -}} {{- $values := (index .a 1) -}} {{- range $_ := (list 1) -}} -{{- $tmp_tuple_5 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.dicttest" (dict "a" (list $tieredStorageConfig "cloud_storage_access_key" (coalesce nil)) ))) "r")) ))) "r") -}} -{{- $ok_8 := $tmp_tuple_5.T2 -}} -{{- $v_7 := $tmp_tuple_5.T1 -}} -{{- $ak_9 := $values.storage.tiered.credentialsSecretRef.accessKey -}} -{{- if (and $ok_8 (ne $v_7 "")) -}} -{{- (dict "r" (list (mustMergeOverwrite (dict "name" "" ) (dict "name" "RPK_CLOUD_STORAGE_ACCESS_KEY" "value" (get (fromJson (include "_shims.typeassertion" (dict "a" (list "string" $v_7) ))) "r") )))) | toJson -}} +{{- $tmp_tuple_4 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.dicttest" (dict "a" (list $tieredStorageConfig "cloud_storage_access_key" (coalesce nil)) ))) "r")) ))) "r") -}} +{{- $ok_6 := $tmp_tuple_4.T2 -}} +{{- $v_5 := $tmp_tuple_4.T1 -}} +{{- $ak_7 := $values.storage.tiered.credentialsSecretRef.accessKey -}} +{{- if (and $ok_6 (ne $v_5 "")) -}} +{{- (dict "r" (list (mustMergeOverwrite (dict "name" "" ) (dict "name" "RPK_CLOUD_STORAGE_ACCESS_KEY" "value" (get (fromJson (include "_shims.typeassertion" (dict "a" (list "string" $v_5) ))) "r") )))) | toJson -}} {{- break -}} -{{- else -}}{{- if (and (and (ne $ak_9 (coalesce nil)) (not (empty $ak_9.name))) (not (empty $ak_9.key))) -}} -{{- (dict "r" (list (mustMergeOverwrite (dict "name" "" ) (dict "name" "RPK_CLOUD_STORAGE_ACCESS_KEY" "valueFrom" (mustMergeOverwrite (dict ) (dict "secretKeyRef" (mustMergeOverwrite (dict "key" "" ) (mustMergeOverwrite (dict ) (dict "name" $ak_9.name )) (dict "key" $ak_9.key )) )) )))) | toJson -}} +{{- else -}}{{- if (get (fromJson (include "redpanda.SecretRef.IsValid" (dict "a" (list $ak_7) ))) "r") -}} +{{- (dict "r" (list (mustMergeOverwrite (dict "name" "" ) (dict "name" "RPK_CLOUD_STORAGE_ACCESS_KEY" 
"valueFrom" (mustMergeOverwrite (dict ) (dict "secretKeyRef" (mustMergeOverwrite (dict "key" "" ) (mustMergeOverwrite (dict ) (dict "name" $ak_7.name )) (dict "key" $ak_7.key )) )) )))) | toJson -}} {{- break -}} {{- end -}} {{- end -}} 
@@ -86,15 +80,15 @@ {{- $tieredStorageConfig := (index .a 0) -}} {{- $values := (index .a 1) -}} {{- range $_ := (list 1) -}} -{{- $tmp_tuple_6 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.dicttest" (dict "a" (list $tieredStorageConfig "cloud_storage_secret_key" (coalesce nil)) ))) "r")) ))) "r") -}} -{{- $ok_11 := $tmp_tuple_6.T2 -}} -{{- $v_10 := $tmp_tuple_6.T1 -}} -{{- $sk_12 := $values.storage.tiered.credentialsSecretRef.secretKey -}} -{{- if (and $ok_11 (ne $v_10 "")) -}} -{{- (dict "r" (list (mustMergeOverwrite (dict "name" "" ) (dict "name" "RPK_CLOUD_STORAGE_SECRET_KEY" "value" (get (fromJson (include "_shims.typeassertion" (dict "a" (list "string" $v_10) ))) "r") )))) | toJson -}} +{{- $tmp_tuple_5 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.dicttest" (dict "a" (list $tieredStorageConfig "cloud_storage_secret_key" (coalesce nil)) ))) "r")) ))) "r") -}} +{{- $ok_9 := $tmp_tuple_5.T2 -}} +{{- $v_8 := $tmp_tuple_5.T1 -}} +{{- $sk_10 := $values.storage.tiered.credentialsSecretRef.secretKey -}} +{{- if (and $ok_9 (ne $v_8 "")) -}} +{{- (dict "r" (list (mustMergeOverwrite (dict "name" "" ) (dict "name" "RPK_CLOUD_STORAGE_SECRET_KEY" "value" (get (fromJson (include "_shims.typeassertion" (dict "a" (list "string" $v_8) ))) "r") )))) | toJson -}} {{- break -}} -{{- else -}}{{- if (and (and (ne $sk_12 (coalesce nil)) (not (empty $sk_12.name))) (not (empty $sk_12.key))) -}} -{{- (dict "r" (list (mustMergeOverwrite (dict "name" "" ) (dict "name" "RPK_CLOUD_STORAGE_SECRET_KEY" "valueFrom" (mustMergeOverwrite (dict ) (dict "secretKeyRef" (mustMergeOverwrite (dict "key" "" ) (mustMergeOverwrite (dict ) (dict "name" $sk_12.name )) (dict "key" $sk_12.key )) )) )))) | toJson -}} +{{- else -}}{{- if (get (fromJson (include "redpanda.SecretRef.IsValid" (dict "a" (list $sk_10) ))) "r") -}} +{{- (dict "r" (list (mustMergeOverwrite (dict "name" "" ) (dict "name" 
"RPK_CLOUD_STORAGE_SECRET_KEY" "valueFrom" (mustMergeOverwrite (dict ) (dict "secretKeyRef" (mustMergeOverwrite (dict "key" "" ) (mustMergeOverwrite (dict ) (dict "name" $sk_10.name )) (dict "key" $sk_10.key )) )) )))) | toJson -}} {{- break -}} {{- end -}} {{- end -}} 
@@ -107,15 +101,15 @@ {{- $tieredStorageConfig := (index .a 0) -}} {{- $values := (index .a 1) -}} {{- range $_ := (list 1) -}} -{{- $tmp_tuple_7 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.dicttest" (dict "a" (list $tieredStorageConfig "cloud_storage_azure_shared_key" (coalesce nil)) ))) "r")) ))) "r") -}} -{{- $ok_14 := $tmp_tuple_7.T2 -}} -{{- $v_13 := $tmp_tuple_7.T1 -}} -{{- $sk_15 := $values.storage.tiered.credentialsSecretRef.secretKey -}} -{{- if (and $ok_14 (ne $v_13 "")) -}} -{{- (dict "r" (list (mustMergeOverwrite (dict "name" "" ) (dict "name" "RPK_CLOUD_STORAGE_AZURE_SHARED_KEY" "value" (get (fromJson (include "_shims.typeassertion" (dict "a" (list "string" $v_13) ))) "r") )))) | toJson -}} +{{- $tmp_tuple_6 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.dicttest" (dict "a" (list $tieredStorageConfig "cloud_storage_azure_shared_key" (coalesce nil)) ))) "r")) ))) "r") -}} +{{- $ok_12 := $tmp_tuple_6.T2 -}} +{{- $v_11 := $tmp_tuple_6.T1 -}} +{{- $sk_13 := $values.storage.tiered.credentialsSecretRef.secretKey -}} +{{- if (and $ok_12 (ne $v_11 "")) -}} +{{- (dict "r" (list (mustMergeOverwrite (dict "name" "" ) (dict "name" "RPK_CLOUD_STORAGE_AZURE_SHARED_KEY" "value" (get (fromJson (include "_shims.typeassertion" (dict "a" (list "string" $v_11) ))) "r") )))) | toJson -}} {{- break -}} -{{- else -}}{{- if (and (and (ne $sk_15 (coalesce nil)) (not (empty $sk_15.name))) (not (empty $sk_15.key))) -}} -{{- (dict "r" (list (mustMergeOverwrite (dict "name" "" ) (dict "name" "RPK_CLOUD_STORAGE_AZURE_SHARED_KEY" "valueFrom" (mustMergeOverwrite (dict ) (dict "secretKeyRef" (mustMergeOverwrite (dict "key" "" ) (mustMergeOverwrite (dict ) (dict "name" $sk_15.name )) (dict "key" $sk_15.key )) )) )))) | toJson -}} +{{- else -}}{{- if (get (fromJson (include "redpanda.SecretRef.IsValid" (dict "a" (list $sk_13) ))) "r") -}} +{{- (dict "r" (list (mustMergeOverwrite (dict "name" "" 
) (dict "name" "RPK_CLOUD_STORAGE_AZURE_SHARED_KEY" "valueFrom" (mustMergeOverwrite (dict ) (dict "secretKeyRef" (mustMergeOverwrite (dict "key" "" ) (mustMergeOverwrite (dict ) (dict "name" $sk_13.name )) (dict "key" $sk_13.key )) )) )))) | toJson -}} {{- break -}} {{- end -}} {{- end -}} @@ -154,18 +148,3 @@ {{- end -}} {{- end -}} -{{- define "redpanda.IsTieredStorageEnabled" -}} -{{- $tieredStorageConfig := (index .a 0) -}} -{{- range $_ := (list 1) -}} -{{- $tmp_tuple_8 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.dicttest" (dict "a" (list $tieredStorageConfig "cloud_storage_enabled" (coalesce nil)) ))) "r")) ))) "r") -}} -{{- $ok_17 := $tmp_tuple_8.T2 -}} -{{- $b_16 := $tmp_tuple_8.T1 -}} -{{- if (and $ok_17 (get (fromJson (include "_shims.typeassertion" (dict "a" (list "bool" $b_16) ))) "r")) -}} -{{- (dict "r" true) | toJson -}} -{{- break -}} -{{- end -}} -{{- (dict "r" false) | toJson -}} -{{- break -}} -{{- end -}} -{{- end -}} - diff --git a/charts/redpanda/redpanda/templates/_shims.tpl b/charts/redpanda/redpanda/templates/_shims.tpl index 194bf34a0..e33e45673 100644 --- a/charts/redpanda/redpanda/templates/_shims.tpl +++ b/charts/redpanda/redpanda/templates/_shims.tpl @@ -45,7 +45,7 @@ {{- range $_ := (list 1) -}} {{- $out := (dict ) -}} {{- range $i, $e := $args -}} -{{- $_ := (set $out (printf "T%d" (int (add 1 $i))) $e) -}} +{{- $_ := (set $out (printf "T%d" ((add (1 | int) $i) | int)) $e) -}} {{- end -}} {{- (dict "r" $out) | toJson -}} {{- break -}} @@ -67,7 +67,7 @@ {{- $m := (index .a 0) -}} {{- range $_ := (list 1) -}} {{- if (eq $m (coalesce nil)) -}} -{{- (dict "r" 0) | toJson -}} +{{- (dict "r" (0 | int)) | toJson -}} {{- break -}} {{- end -}} {{- (dict "r" (len $m)) | toJson -}} 
@@ -117,3 +117,111 @@ {{- end -}} {{- end -}} +{{- define "_shims.asnumeric" -}} +{{- $value := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- if (typeIs "float64" $value) -}} +{{- (dict "r" (list $value true)) | toJson -}} +{{- break -}} +{{- end -}} +{{- if (typeIs "int64" $value) -}} +{{- (dict "r" (list $value true)) | toJson -}} +{{- break -}} +{{- end -}} +{{- if (typeIs "int" $value) -}} +{{- (dict "r" (list $value true)) | toJson -}} +{{- break -}} +{{- end -}} +{{- (dict "r" (list (0 | int) false)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.asintegral" -}} +{{- $value := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- if (or (typeIs "int64" $value) (typeIs "int" $value)) -}} +{{- (dict "r" (list $value true)) | toJson -}} +{{- break -}} +{{- end -}} +{{- if (and (typeIs "float64" $value) (eq (floor $value) $value)) -}} +{{- (dict "r" (list $value true)) | toJson -}} +{{- break -}} +{{- end -}} +{{- (dict "r" (list (0 | int) false)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.parseResource" -}} +{{- $repr := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- if (typeIs "float64" $repr) -}} +{{- (dict "r" (list (float64 $repr) 1.0)) | toJson -}} +{{- break -}} +{{- end -}} +{{- if (not (typeIs "string" $repr)) -}} +{{- $_ := (fail (printf "invalid Quantity expected string or float64 got: %T (%v)" $repr $repr)) -}} +{{- end -}} +{{- if (not (regexMatch `^[0-9]+(\.[0-9]{0,6})?(k|m|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$` $repr)) -}} +{{- $_ := (fail (printf "invalid Quantity: %q" $repr)) -}} +{{- end -}} +{{- $reprStr := (toString $repr) -}} +{{- $unit := (regexFind "(k|m|M|G|T|P|Ki|Mi|Gi|Ti|Pi)$" $repr) -}} +{{- $numeric := (float64 (substr (0 | int) ((sub ((get (fromJson (include "_shims.len" (dict "a" (list $reprStr) ))) "r") | int) ((get (fromJson (include "_shims.len" (dict "a" (list $unit) ))) "r") | int)) | int) $reprStr)) -}} +{{- $tmp_tuple_1 := (get (fromJson (include "_shims.compact" (dict 
"a" (list (get (fromJson (include "_shims.dicttest" (dict "a" (list (dict "" 1.0 "m" 0.001 "k" (1000 | int) "M" (1000000 | int) "G" (1000000000 | int) "T" (1000000000000 | int) "P" (1000000000000000 | int) "Ki" (1024 | int) "Mi" (1048576 | int) "Gi" (1073741824 | int) "Ti" (1099511627776 | int) "Pi" (1125899906842624 | int) ) $unit (coalesce nil)) ))) "r")) ))) "r") -}} +{{- $ok := $tmp_tuple_1.T2 -}} +{{- $scale := ($tmp_tuple_1.T1 | float64) -}} +{{- if (not $ok) -}} +{{- $_ := (fail (printf "unknown unit: %q" $unit)) -}} +{{- end -}} +{{- (dict "r" (list $numeric $scale)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.resource_MustParse" -}} +{{- $repr := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $tmp_tuple_2 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.parseResource" (dict "a" (list $repr) ))) "r")) ))) "r") -}} +{{- $scale := ($tmp_tuple_2.T2 | float64) -}} +{{- $numeric := ($tmp_tuple_2.T1 | float64) -}} +{{- $strs := (list "" "m" "k" "M" "G" "T" "P" "Ki" "Mi" "Gi" "Ti" "Pi") -}} +{{- $scales := (list 1.0 0.001 (1000 | int) (1000000 | int) (1000000000 | int) (1000000000000 | int) (1000000000000000 | int) (1024 | int) (1048576 | int) (1073741824 | int) (1099511627776 | int) (1125899906842624 | int)) -}} +{{- $idx := -1 -}} +{{- range $i, $s := $scales -}} +{{- if (eq ($s | float64) ($scale | float64)) -}} +{{- $idx = $i -}} +{{- break -}} +{{- end -}} +{{- end -}} +{{- if (eq $idx -1) -}} +{{- $_ := (fail (printf "unknown scale: %v" $scale)) -}} +{{- end -}} +{{- (dict "r" (printf "%s%s" (toString $numeric) (index $strs $idx))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.resource_Value" -}} +{{- $repr := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $tmp_tuple_3 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.parseResource" (dict "a" (list $repr) ))) "r")) ))) "r") -}} +{{- $scale := 
($tmp_tuple_3.T2 | float64) -}} +{{- $numeric := ($tmp_tuple_3.T1 | float64) -}} +{{- (dict "r" (int64 (ceil ((mulf $numeric $scale) | float64)))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.resource_MilliValue" -}} +{{- $repr := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $tmp_tuple_4 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.parseResource" (dict "a" (list $repr) ))) "r")) ))) "r") -}} +{{- $scale := ($tmp_tuple_4.T2 | float64) -}} +{{- $numeric := ($tmp_tuple_4.T1 | float64) -}} +{{- (dict "r" (int64 (ceil ((mulf ((mulf $numeric 1000.0) | float64) $scale) | float64)))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/templates/_statefulset.go.tpl b/charts/redpanda/redpanda/templates/_statefulset.go.tpl index 4cdf9a95f..957c05300 100644 --- a/charts/redpanda/redpanda/templates/_statefulset.go.tpl +++ b/charts/redpanda/redpanda/templates/_statefulset.go.tpl 
@@ -4,13 +4,13 @@ {{- $dot := (index .a 0) -}} {{- range $_ := (list 1) -}} {{- $values := $dot.Values.AsMap -}} -{{- $userEnv := (list ) -}} +{{- $userEnv := (coalesce nil) -}} {{- range $_, $container := $values.statefulset.podTemplate.spec.containers -}} {{- if (eq $container.name "redpanda") -}} {{- $userEnv = $container.env -}} {{- end -}} {{- end -}} -{{- (dict "r" (concat (list (mustMergeOverwrite (dict "name" "" ) (dict "name" "SERVICE_NAME" "valueFrom" (mustMergeOverwrite (dict ) (dict "fieldRef" (mustMergeOverwrite (dict "fieldPath" "" ) (dict "fieldPath" "metadata.name" )) )) )) (mustMergeOverwrite (dict "name" "" ) (dict "name" "POD_IP" "valueFrom" (mustMergeOverwrite (dict ) (dict "fieldRef" (mustMergeOverwrite (dict "fieldPath" "" ) (dict "fieldPath" "status.podIP" )) )) )) (mustMergeOverwrite (dict "name" "" ) (dict "name" "HOST_IP" "valueFrom" (mustMergeOverwrite (dict ) (dict "fieldRef" (mustMergeOverwrite (dict "fieldPath" "" ) (dict "fieldPath" "status.hostIP" )) )) ))) $userEnv)) | toJson -}} +{{- (dict "r" (concat (default (list ) (list (mustMergeOverwrite (dict "name" "" ) (dict "name" "SERVICE_NAME" "valueFrom" (mustMergeOverwrite (dict ) (dict "fieldRef" (mustMergeOverwrite (dict "fieldPath" "" ) (dict "fieldPath" "metadata.name" )) )) )) (mustMergeOverwrite (dict "name" "" ) (dict "name" "POD_IP" "valueFrom" (mustMergeOverwrite (dict ) (dict "fieldRef" (mustMergeOverwrite (dict "fieldPath" "" ) (dict "fieldPath" "status.podIP" )) )) )) (mustMergeOverwrite (dict "name" "" ) (dict "name" "HOST_IP" "valueFrom" (mustMergeOverwrite (dict ) (dict "fieldRef" (mustMergeOverwrite (dict "fieldPath" "" ) (dict "fieldPath" "status.hostIP" )) )) )))) (default (list ) $userEnv))) | toJson -}} {{- break -}} {{- end -}} {{- end -}} 
@@ -22,7 +22,7 @@ {{- $tmp_tuple_1 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.lookup" (dict "a" (list "apps/v1" "StatefulSet" $dot.Release.Namespace (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) ))) "r")) ))) "r") -}} {{- $ok_2 := $tmp_tuple_1.T2 -}} {{- $existing_1 := $tmp_tuple_1.T1 -}} -{{- if (and $ok_2 (gt (int (get (fromJson (include "_shims.len" (dict "a" (list $existing_1.spec.selector.matchLabels) ))) "r")) 0)) -}} +{{- if (and $ok_2 (gt ((get (fromJson (include "_shims.len" (dict "a" (list $existing_1.spec.selector.matchLabels) ))) "r") | int) (0 | int))) -}} {{- (dict "r" $existing_1.spec.selector.matchLabels) | toJson -}} {{- break -}} {{- end -}} @@ -32,7 +32,7 @@ {{- if (ne $values.statefulset.additionalSelectorLabels (coalesce nil)) -}} {{- $additionalSelectorLabels = $values.statefulset.additionalSelectorLabels -}} {{- end -}} -{{- $component := (printf "%s-statefulset" (trimSuffix "-" (trunc 51 (get (fromJson (include "redpanda.Name" (dict "a" (list $dot) ))) "r")))) -}} +{{- $component := (printf "%s-statefulset" (trimSuffix "-" (trunc (51 | int) (get (fromJson (include "redpanda.Name" (dict "a" (list $dot) ))) "r")))) -}} {{- $defaults := (dict "app.kubernetes.io/component" $component "app.kubernetes.io/instance" $dot.Release.Name "app.kubernetes.io/name" (get (fromJson (include "redpanda.Name" (dict "a" (list $dot) ))) "r") ) -}} {{- (dict "r" (merge (dict ) $additionalSelectorLabels $defaults)) | toJson -}} {{- break -}} 
@@ -46,7 +46,7 @@ {{- $tmp_tuple_2 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.lookup" (dict "a" (list "apps/v1" "StatefulSet" $dot.Release.Namespace (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) ))) "r")) ))) "r") -}} {{- $ok_4 := $tmp_tuple_2.T2 -}} {{- $existing_3 := $tmp_tuple_2.T1 -}} -{{- if (and $ok_4 (gt (int (get (fromJson (include "_shims.len" (dict "a" (list $existing_3.spec.template.metadata.labels) ))) "r")) 0)) -}} +{{- if (and $ok_4 (gt ((get (fromJson (include "_shims.len" (dict "a" (list $existing_3.spec.template.metadata.labels) ))) "r") | int) (0 | int))) -}} {{- (dict "r" $existing_3.spec.template.metadata.labels) | toJson -}} {{- break -}} {{- end -}} 
@@ -77,3 +77,33 @@ {{- end -}} {{- end -}} +{{- define "redpanda.StatefulSetVolumes" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $fullname := (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") -}} +{{- $volumes := (get (fromJson (include "redpanda.CommonVolumes" (dict "a" (list $dot) ))) "r") -}} +{{- $values := $dot.Values.AsMap -}} +{{- $volumes = (concat (default (list ) $volumes) (default (list ) (list (mustMergeOverwrite (dict "name" "" ) (mustMergeOverwrite (dict ) (dict "secret" (mustMergeOverwrite (dict ) (dict "secretName" (printf "%.50s-sts-lifecycle" $fullname) "defaultMode" (0o775 | int) )) )) (dict "name" "lifecycle-scripts" )) (mustMergeOverwrite (dict "name" "" ) (mustMergeOverwrite (dict ) (dict "configMap" (mustMergeOverwrite (dict ) (mustMergeOverwrite (dict ) (dict "name" $fullname )) (dict )) )) (dict "name" $fullname )) (mustMergeOverwrite (dict "name" "" ) (mustMergeOverwrite (dict ) (dict "emptyDir" (mustMergeOverwrite (dict ) (dict )) )) (dict "name" "config" )) (mustMergeOverwrite (dict "name" "" ) (mustMergeOverwrite (dict ) (dict "secret" (mustMergeOverwrite (dict ) (dict "secretName" (printf "%.51s-configurator" $fullname) "defaultMode" (0o775 | int) )) )) (dict "name" (printf "%.51s-configurator" $fullname) )) (mustMergeOverwrite (dict "name" "" ) (mustMergeOverwrite (dict ) (dict "secret" (mustMergeOverwrite (dict ) (dict "secretName" (printf "%s-config-watcher" $fullname) "defaultMode" (0o775 | int) )) )) (dict "name" (printf "%s-config-watcher" $fullname) )) (mustMergeOverwrite (dict "name" "" ) (mustMergeOverwrite (dict ) (dict "secret" (mustMergeOverwrite (dict ) (dict "secretName" (printf "%.49s-fs-validator" $fullname) "defaultMode" (0o775 | int) )) )) (dict "name" (printf "%.49s-fs-validator" $fullname) ))))) -}} +{{- $vol_5 := (get (fromJson (include "redpanda.Listeners.TrustStoreVolume" (dict "a" (list $values.listeners $values.tls) ))) "r") -}} +{{- if (ne $vol_5 (coalesce 
nil)) -}} +{{- $volumes = (concat (default (list ) $volumes) (list $vol_5)) -}} +{{- end -}} +{{- (dict "r" $volumes) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.StatefulSetVolumeMounts" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $mounts := (get (fromJson (include "redpanda.CommonMounts" (dict "a" (list $dot) ))) "r") -}} +{{- $values := $dot.Values.AsMap -}} +{{- $mounts = (concat (default (list ) $mounts) (default (list ) (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" "config" "mountPath" "/etc/redpanda" )) (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") "mountPath" "/tmp/base-config" )) (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" "lifecycle-scripts" "mountPath" "/var/lifecycle" )) (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" "datadir" "mountPath" "/var/lib/redpanda/data" ))))) -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list (get (fromJson (include "redpanda.Listeners.TrustStores" (dict "a" (list $values.listeners $values.tls) ))) "r")) ))) "r") | int) (0 | int)) -}} +{{- $mounts = (concat (default (list ) $mounts) (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" "truststores" "mountPath" "/etc/truststores" "readOnly" true )))) -}} +{{- end -}} +{{- (dict "r" $mounts) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/templates/_statefulset.tpl b/charts/redpanda/redpanda/templates/_statefulset.tpl index d3a32a70b..1feaeeb79 100644 --- a/charts/redpanda/redpanda/templates/_statefulset.tpl +++ b/charts/redpanda/redpanda/templates/_statefulset.tpl 
@@ -110,7 +110,7 @@ to the $dependencies list. */}} {{- define "statefulset-checksum-annotation" -}} {{- $dependencies := list -}} - {{- $dependencies = append $dependencies (include "configmap-content-no-seed" .) -}} + {{- $dependencies = append $dependencies (get ((include "redpanda.ConfigMapsWithoutSeedServer" (dict "a" (list .))) | fromJson) "r") -}} {{- if .Values.external.enabled -}} {{- $dependencies = append $dependencies (dig "domain" "" .Values.external) -}} {{- $dependencies = append $dependencies (dig "addresses" "" .Values.external) -}} diff --git a/charts/redpanda/redpanda/templates/certs.go.tpl b/charts/redpanda/redpanda/templates/certs.go.tpl index 8056e0659..21cd26b93 100644 --- a/charts/redpanda/redpanda/templates/certs.go.tpl +++ b/charts/redpanda/redpanda/templates/certs.go.tpl 
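Review bot: The added line feeds the ConfigMap objects returned by `redpanda.ConfigMapsWithoutSeedServer` into `$dependencies`, whereas the removed `configmap-content-no-seed` include appears to have contributed only rendered content; assuming the annotation is built by hashing `$dependencies` later in this define (outside the hunk), any change to ConfigMap metadata such as labels or annotations would now also roll the StatefulSet. If that is intended, a comment on this line saying so would help; if not, appending only each ConfigMap's `data` restores the previous trigger. The rest of `statefulset-checksum-annotation` is outside the hunk.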
@@ -12,33 +12,33 @@ {{- $service := (get (fromJson (include "redpanda.ServiceName" (dict "a" (list $dot) ))) "r") -}} {{- $ns := $dot.Release.Namespace -}} {{- $domain := (trimSuffix "." $values.clusterDomain) -}} -{{- $certs := (list ) -}} +{{- $certs := (coalesce nil) -}} {{- range $name, $data := $values.tls.certs -}} {{- if (or (not (empty $data.secretRef)) (not (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $data.enabled true) ))) "r"))) -}} {{- continue -}} {{- end -}} -{{- $names := (list ) -}} +{{- $names := (coalesce nil) -}} {{- if (or (eq $data.issuerRef (coalesce nil)) (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $data.applyInternalDNSNames false) ))) "r")) -}} -{{- $names = (mustAppend $names (printf "%s-cluster.%s.%s.svc.%s" $fullname $service $ns $domain)) -}} -{{- $names = (mustAppend $names (printf "%s-cluster.%s.%s.svc" $fullname $service $ns)) -}} -{{- $names = (mustAppend $names (printf "%s-cluster.%s.%s" $fullname $service $ns)) -}} -{{- $names = (mustAppend $names (printf "*.%s-cluster.%s.%s.svc.%s" $fullname $service $ns $domain)) -}} -{{- $names = (mustAppend $names (printf "*.%s-cluster.%s.%s.svc" $fullname $service $ns)) -}} -{{- $names = (mustAppend $names (printf "*.%s-cluster.%s.%s" $fullname $service $ns)) -}} -{{- $names = (mustAppend $names (printf "%s.%s.svc.%s" $service $ns $domain)) -}} -{{- $names = (mustAppend $names (printf "%s.%s.svc" $service $ns)) -}} -{{- $names = (mustAppend $names (printf "%s.%s" $service $ns)) -}} -{{- $names = (mustAppend $names (printf "*.%s.%s.svc.%s" $service $ns $domain)) -}} -{{- $names = (mustAppend $names (printf "*.%s.%s.svc" $service $ns)) -}} -{{- $names = (mustAppend $names (printf "*.%s.%s" $service $ns)) -}} +{{- $names = (concat (default (list ) $names) (list (printf "%s-cluster.%s.%s.svc.%s" $fullname $service $ns $domain))) -}} +{{- $names = (concat (default (list ) $names) (list (printf "%s-cluster.%s.%s.svc" $fullname $service $ns))) -}} +{{- $names = (concat 
(default (list ) $names) (list (printf "%s-cluster.%s.%s" $fullname $service $ns))) -}} +{{- $names = (concat (default (list ) $names) (list (printf "*.%s-cluster.%s.%s.svc.%s" $fullname $service $ns $domain))) -}} +{{- $names = (concat (default (list ) $names) (list (printf "*.%s-cluster.%s.%s.svc" $fullname $service $ns))) -}} +{{- $names = (concat (default (list ) $names) (list (printf "*.%s-cluster.%s.%s" $fullname $service $ns))) -}} +{{- $names = (concat (default (list ) $names) (list (printf "%s.%s.svc.%s" $service $ns $domain))) -}} +{{- $names = (concat (default (list ) $names) (list (printf "%s.%s.svc" $service $ns))) -}} +{{- $names = (concat (default (list ) $names) (list (printf "%s.%s" $service $ns))) -}} +{{- $names = (concat (default (list ) $names) (list (printf "*.%s.%s.svc.%s" $service $ns $domain))) -}} +{{- $names = (concat (default (list ) $names) (list (printf "*.%s.%s.svc" $service $ns))) -}} +{{- $names = (concat (default (list ) $names) (list (printf "*.%s.%s" $service $ns))) -}} {{- end -}} {{- if (ne $values.external.domain (coalesce nil)) -}} -{{- $names = (mustAppend $names (tpl $values.external.domain $dot)) -}} -{{- $names = (mustAppend $names (tpl (printf "*.%s" $values.external.domain) $dot)) -}} +{{- $names = (concat (default (list ) $names) (list (tpl $values.external.domain $dot))) -}} +{{- $names = (concat (default (list ) $names) (list (tpl (printf "*.%s" $values.external.domain) $dot))) -}} {{- end -}} {{- $duration := (default "43800h" $data.duration) -}} {{- $issuerRef := (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $data.issuerRef (mustMergeOverwrite (dict "name" "" ) (dict "kind" "Issuer" "group" "cert-manager.io" "name" (printf "%s-%s-root-issuer" $fullname $name) ))) ))) "r") -}} -{{- $certs = (mustAppend $certs (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "secretName" "" "issuerRef" (dict "name" "" ) ) "status" (dict ) ) (mustMergeOverwrite (dict ) (dict 
"apiVersion" "cert-manager.io/v1" "kind" "Certificate" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (printf "%s-%s-cert" $fullname $name) "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") "namespace" $dot.Release.Namespace )) "spec" (mustMergeOverwrite (dict "secretName" "" "issuerRef" (dict "name" "" ) ) (dict "dnsNames" $names "duration" $duration "isCA" false "issuerRef" $issuerRef "secretName" (printf "%s-%s-cert" $fullname $name) "privateKey" (mustMergeOverwrite (dict ) (dict "algorithm" "ECDSA" "size" 256 )) )) ))) -}} +{{- $certs = (concat (default (list ) $certs) (list (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "secretName" "" "issuerRef" (dict "name" "" ) ) "status" (dict ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "cert-manager.io/v1" "kind" "Certificate" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (printf "%s-%s-cert" $fullname $name) "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") "namespace" $dot.Release.Namespace )) "spec" (mustMergeOverwrite (dict "secretName" "" "issuerRef" (dict "name" "" ) ) (dict "dnsNames" $names "duration" $duration "isCA" false "issuerRef" $issuerRef "secretName" (printf "%s-%s-cert" $fullname $name) "privateKey" (mustMergeOverwrite (dict ) (dict "algorithm" "ECDSA" "size" (256 | int) )) )) )))) -}} {{- end -}} {{- $name := $values.listeners.kafka.tls.cert -}} {{- $tmp_tuple_1 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.dicttest" (dict "a" (list $values.tls.certs $name (coalesce nil)) ))) "r")) ))) "r") -}} 
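Review bot: `$names` now starts as `(coalesce nil)` and is only extended inside the `issuerRef`/`applyInternalDNSNames` branch and the `external.domain` branch, so a cert with a custom `issuerRef`, `applyInternalDNSNames: false` and no `external.domain` is emitted with `dnsNames: null` and no `commonName`, which cert-manager's validation rejects as far as I recall. The old `(list )` initialiser produced the same outcome, so this is a pre-existing gap, but failing the render with a message naming the cert would be clearer than a webhook error later: `{{- if (eq $names (coalesce nil)) -}}{{- $_ := (fail (printf "tls.certs.%s produces no DNS names" $name)) -}}{{- end -}}` before the Certificate is appended. The enclosing define starts before the hunk.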
@@ -57,7 +57,7 @@ {{- $_ := (set $issuerRef "group" "cert-manager.io") -}} {{- end -}} {{- $duration := (default "43800h" $data.duration) -}} -{{- (dict "r" (mustAppend $certs (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "secretName" "" "issuerRef" (dict "name" "" ) ) "status" (dict ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "cert-manager.io/v1" "kind" "Certificate" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (printf "%s-client" $fullname) "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") )) "spec" (mustMergeOverwrite (dict "secretName" "" "issuerRef" (dict "name" "" ) ) (dict "commonName" (printf "%s-client" $fullname) "duration" $duration "isCA" false "secretName" (printf "%s-client" $fullname) "privateKey" (mustMergeOverwrite (dict ) (dict "algorithm" "ECDSA" "size" 256 )) "issuerRef" $issuerRef )) )))) | toJson -}} +{{- (dict "r" (concat (default (list ) $certs) (list (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "secretName" "" "issuerRef" (dict "name" "" ) ) "status" (dict ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "cert-manager.io/v1" "kind" "Certificate" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (printf "%s-client" $fullname) "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") )) "spec" (mustMergeOverwrite (dict "secretName" "" "issuerRef" (dict "name" "" ) ) (dict "commonName" (printf "%s-client" $fullname) "duration" $duration "isCA" false "secretName" (printf "%s-client" $fullname) "privateKey" (mustMergeOverwrite (dict ) (dict "algorithm" "ECDSA" "size" (256 | int) )) "issuerRef" $issuerRef )) ))))) | toJson -}} {{- break -}} {{- end -}} {{- end -}} 
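Review bot: The client Certificate built on the added line sets `name` and `labels` in `metadata` but no `namespace`, while the per-listener Certificates in the previous hunk set `"namespace" $dot.Release.Namespace`; Helm fills in the release namespace at install time, but `helm template` output and any tooling that consumes it will see an un-namespaced object, and the inconsistency was already present in the removed line, so the rewrite did not address it. Adding `"namespace" $dot.Release.Namespace` to the metadata dict keeps the two code paths aligned.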
diff --git a/charts/redpanda/redpanda/templates/configmap.yaml b/charts/redpanda/redpanda/templates/configmap.yaml index 5f5704c9f..6b8c6fc33 100644 --- a/charts/redpanda/redpanda/templates/configmap.yaml +++ b/charts/redpanda/redpanda/templates/configmap.yaml @@ -14,29 +14,8 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. */}} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "redpanda.fullname" . }} - namespace: {{ .Release.Namespace | quote }} - labels: -{{- with include "full.labels" . }} - {{- . | nindent 4 }} -{{- end }} -data: {{ include "full-configmap" . | nindent 2 }} - -{{- if .Values.external.enabled }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "redpanda.fullname" . }}-rpk - namespace: {{ .Release.Namespace | quote }} - labels: -{{- with include "full.labels" . }} - {{- . | nindent 4 }} -{{- end }} -data: - profile: | {{ include "rpk-config-external" . | nindent 4 }} -{{- end }} \ No newline at end of file +{{- $cms := (get ((include "redpanda.ConfigMaps" (dict "a" (list .))) | fromJson) "r") -}} +{{- range $cm := $cms -}} +{{ printf "\n---" }} +{{toYaml $cm}} +{{- end -}} diff --git a/charts/redpanda/redpanda/templates/memory.yaml b/charts/redpanda/redpanda/templates/memory.yaml index cc2960e1a..ab2f557f9 100644 --- a/charts/redpanda/redpanda/templates/memory.yaml +++ b/charts/redpanda/redpanda/templates/memory.yaml 
@@ -6,13 +6,10 @@ {{- $values := $dot.Values.AsMap -}} {{- $rpMem_1 := $values.resources.memory.redpanda -}} {{- if (and (ne $rpMem_1 (coalesce nil)) (ne $rpMem_1.reserveMemory (coalesce nil))) -}} -{{- if (kindIs "string" $rpMem_1.reserveMemory) -}} -{{- (dict "r" (get (fromJson (include "redpanda.RedpandaMemoryToMi" (dict "a" (list $rpMem_1.reserveMemory) ))) "r")) | toJson -}} +{{- (dict "r" ((div ((get (fromJson (include "_shims.resource_Value" (dict "a" (list $rpMem_1.reserveMemory) ))) "r") | int64) ((mul (1024 | int) (1024 | int)))) | int64)) | toJson -}} {{- break -}} {{- end -}} -{{- $_ := (fail (printf "Redpanda.ReserveMemory (%v) is not type of string" $rpMem_1.reserveMemory)) -}} -{{- end -}} -{{- (dict "r" (int (add (int (float64 (mulf (float64 (get (fromJson (include "redpanda.ContainerMemory" (dict "a" (list $dot) ))) "r")) 0.002))) 200))) | toJson -}} +{{- (dict "r" ((add (((mulf (((get (fromJson (include "redpanda.ContainerMemory" (dict "a" (list $dot) ))) "r") | int64) | float64) 0.002) | float64) | int64) (200 | int64)) | int64)) | toJson -}} {{- break -}} {{- end -}} {{- end -}} 
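Review bot: The added line drops the `kindIs "string"` guard and its explicit `fail` for `reserveMemory`, so what happens for a non-string value (for example an unquoted YAML number) now depends entirely on `_shims.resource_Value`, which is not on this page; if the shim does not reject such input with a message naming the key, users lose a clear error at render time. The same applies to `$rpMem_2.memory` and the container `min`/`max` conversions in the next hunk. A one-line comment at the first call site, such as `{{- /* resource_Value is expected to fail on non-quantity input; the string check used to live here */ -}}`, or an explicit check in the Go source, would make the contract visible.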
@@ -21,131 +18,37 @@ {{- $dot := (index .a 0) -}} {{- range $_ := (list 1) -}} {{- $values := $dot.Values.AsMap -}} -{{- $memory := 0 -}} -{{- $containerMemory := (get (fromJson (include "redpanda.ContainerMemory" (dict "a" (list $dot) ))) "r") -}} +{{- $memory := ((0 | int64) | int64) -}} +{{- $containerMemory := ((get (fromJson (include "redpanda.ContainerMemory" (dict "a" (list $dot) ))) "r") | int64) -}} {{- $rpMem_2 := $values.resources.memory.redpanda -}} {{- if (and (ne $rpMem_2 (coalesce nil)) (ne $rpMem_2.memory (coalesce nil))) -}} -{{- if (kindIs "string" $rpMem_2.memory) -}} -{{- $memory = (int (get (fromJson (include "redpanda.RedpandaMemoryToMi" (dict "a" (list $rpMem_2.memory) ))) "r")) -}} +{{- $memory = ((div ((get (fromJson (include "_shims.resource_Value" (dict "a" (list $rpMem_2.memory) ))) "r") | int64) ((mul (1024 | int) (1024 | int)))) | int64) -}} {{- else -}} -{{- $_ := (fail (printf "Redpanda.Memory (%v) is not type of string" $rpMem_2.reserveMemory)) -}} +{{- $memory = (((mulf ($containerMemory | float64) 0.8) | float64) | int64) -}} {{- end -}} -{{- else -}} -{{- $memory = (int (float64 (mulf (float64 $containerMemory) 0.8))) -}} -{{- end -}} -{{- if (eq $memory 0) -}} +{{- if (eq $memory (0 | int64)) -}} {{- $_ := (fail "unable to get memory value redpanda-memory") -}} {{- end -}} -{{- if (lt $memory 256) -}} +{{- if (lt $memory (256 | int64)) -}} {{- $_ := (fail (printf "%d is below the minimum value for Redpanda" $memory)) -}} {{- end -}} -{{- if (gt (int (add $memory (int (get (fromJson (include "redpanda.RedpandaReserveMemory" (dict "a" (list $dot) ))) "r")))) (int $containerMemory)) -}} -{{- $_ := (fail (printf "Not enough container memory for Redpanda memory values where Redpanda: %d, reserve: %d, container: %d" $memory (get (fromJson (include "redpanda.RedpandaReserveMemory" (dict "a" (list $dot) ))) "r") $containerMemory)) -}} +{{- if (gt ((add $memory ((get (fromJson (include "redpanda.RedpandaReserveMemory" (dict "a" (list 
$dot) ))) "r") | int64)) | int64) $containerMemory) -}} +{{- $_ := (fail (printf "Not enough container memory for Redpanda memory values where Redpanda: %d, reserve: %d, container: %d" $memory ((get (fromJson (include "redpanda.RedpandaReserveMemory" (dict "a" (list $dot) ))) "r") | int64) $containerMemory)) -}} {{- end -}} {{- (dict "r" $memory) | toJson -}} {{- break -}} {{- end -}} {{- end -}} -{{- define "redpanda.SIToBytes" -}} -{{- $amount := (index .a 0) -}} -{{- range $_ := (list 1) -}} -{{- $matched := (regexMatch `^[0-9]+(\.[0-9]){0,1}(k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$` $amount) -}} -{{- if (not $matched) -}} -{{- $_ := (fail (printf "amount (%s) does not match regex" $amount)) -}} -{{- end -}} -{{- $unit := (substr (int (sub (int (get (fromJson (include "_shims.len" (dict "a" (list $amount) ))) "r")) 1)) -1 $amount) -}} -{{- $amount = (substr 0 (int (sub (int (get (fromJson (include "_shims.len" (dict "a" (list $amount) ))) "r")) 1)) $amount) -}} -{{- if (eq $unit "i") -}} -{{- $unit = (printf "%s%s" (substr (int (sub (int (get (fromJson (include "_shims.len" (dict "a" (list $amount) ))) "r")) 1)) -1 $amount) $unit) -}} -{{- $amount = (substr 0 (int (sub (int (get (fromJson (include "_shims.len" (dict "a" (list $amount) ))) "r")) 1)) $amount) -}} -{{- else -}}{{- if (regexMatch `\d` $unit) -}} -{{- $amount = (printf "%s%s" $amount $unit) -}} -{{- $unit = "" -}} -{{- end -}} -{{- end -}} -{{- $k := 1000 -}} -{{- $m := (int (mul $k $k)) -}} -{{- $g := (int (mul (int (mul $k $k)) $k)) -}} -{{- $t := (int (mul (int (mul (int (mul $k $k)) $k)) $k)) -}} -{{- $p := (int (mul (int (mul (int (mul (int (mul $k $k)) $k)) $k)) $k)) -}} -{{- $ki := 1024 -}} -{{- $mi := (int (mul $ki $ki)) -}} -{{- $gi := (int (mul (int (mul $ki $ki)) $ki)) -}} -{{- $ti := (int (mul (int (mul (int (mul $ki $ki)) $ki)) $ki)) -}} -{{- $pi := (int (mul (int (mul (int (mul (int (mul $ki $ki)) $ki)) $ki)) $ki)) -}} -{{- $tmp_tuple_1 := (get (fromJson (include "_shims.compact" (dict "a" (list 
(list (float64 $amount) nil)) ))) "r") -}} -{{- $err := $tmp_tuple_1.T2 -}} -{{- $amountFloat := $tmp_tuple_1.T1 -}} -{{- if (ne $err (coalesce nil)) -}} -{{- $_ := (fail (printf "SI to bytes conversion : %v" $err)) -}} -{{- end -}} -{{- if (eq $unit "") -}} -{{- (dict "r" (int $amountFloat)) | toJson -}} -{{- break -}} -{{- else -}}{{- if (eq $unit "k") -}} -{{- (dict "r" (int (float64 (mulf $amountFloat (float64 $k))))) | toJson -}} -{{- break -}} -{{- else -}}{{- if (eq $unit "M") -}} -{{- (dict "r" (int (float64 (mulf $amountFloat (float64 $m))))) | toJson -}} -{{- break -}} -{{- else -}}{{- if (eq $unit "G") -}} -{{- (dict "r" (int (float64 (mulf $amountFloat (float64 $g))))) | toJson -}} -{{- break -}} -{{- else -}}{{- if (eq $unit "T") -}} -{{- (dict "r" (int (float64 (mulf $amountFloat (float64 $t))))) | toJson -}} -{{- break -}} -{{- else -}}{{- if (eq $unit "P") -}} -{{- (dict "r" (int (float64 (mulf $amountFloat (float64 $p))))) | toJson -}} -{{- break -}} -{{- else -}}{{- if (eq $unit "Ki") -}} -{{- (dict "r" (int (float64 (mulf $amountFloat (float64 $ki))))) | toJson -}} -{{- break -}} -{{- else -}}{{- if (eq $unit "Mi") -}} -{{- (dict "r" (int (float64 (mulf $amountFloat (float64 $mi))))) | toJson -}} -{{- break -}} -{{- else -}}{{- if (eq $unit "Gi") -}} -{{- (dict "r" (int (float64 (mulf $amountFloat (float64 $gi))))) | toJson -}} -{{- break -}} -{{- else -}}{{- if (eq $unit "Ti") -}} -{{- (dict "r" (int (float64 (mulf $amountFloat (float64 $ti))))) | toJson -}} -{{- break -}} -{{- else -}}{{- if (eq $unit "Pi") -}} -{{- (dict "r" (int (float64 (mulf $amountFloat (float64 $pi))))) | toJson -}} -{{- break -}} -{{- else -}} -{{- $_ := (fail (printf "unknown unit: %q" $unit)) -}} -{{- end -}} -{{- end -}} -{{- end -}} -{{- end -}} -{{- end -}} -{{- end -}} -{{- end -}} -{{- end -}} -{{- end -}} -{{- end -}} -{{- end -}} -{{- end -}} -{{- end -}} - -{{- define "redpanda.RedpandaMemoryToMi" -}} -{{- $amount := (index .a 0) -}} -{{- range $_ := (list 1) 
-}} -{{- (dict "r" (int (div (get (fromJson (include "redpanda.SIToBytes" (dict "a" (list (toString $amount)) ))) "r") ((mul 1024 1024))))) | toJson -}} -{{- break -}} -{{- end -}} -{{- end -}} - {{- define "redpanda.ContainerMemory" -}} {{- $dot := (index .a 0) -}} {{- range $_ := (list 1) -}} {{- $values := $dot.Values.AsMap -}} {{- if (ne $values.resources.memory.container.min (coalesce nil)) -}} -{{- (dict "r" (get (fromJson (include "redpanda.RedpandaMemoryToMi" (dict "a" (list $values.resources.memory.container.min) ))) "r")) | toJson -}} +{{- (dict "r" ((div ((get (fromJson (include "_shims.resource_Value" (dict "a" (list $values.resources.memory.container.min) ))) "r") | int64) ((mul (1024 | int) (1024 | int)))) | int64)) | toJson -}} {{- break -}} {{- end -}} -{{- (dict "r" (get (fromJson (include "redpanda.RedpandaMemoryToMi" (dict "a" (list $values.resources.memory.container.max) ))) "r")) | toJson -}} +{{- (dict "r" ((div ((get (fromJson (include "_shims.resource_Value" (dict "a" (list $values.resources.memory.container.max) ))) "r") | int64) ((mul (1024 | int) (1024 | int)))) | int64)) | toJson -}} {{- break -}} {{- end -}} {{- end -}} diff --git a/charts/redpanda/redpanda/templates/poddisruptionbudget.go.tpl b/charts/redpanda/redpanda/templates/poddisruptionbudget.go.tpl new file mode 100644 index 000000000..56ff53fdf --- /dev/null +++ b/charts/redpanda/redpanda/templates/poddisruptionbudget.go.tpl 
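Review bot: The hunk deletes the `redpanda.SIToBytes` and `redpanda.RedpandaMemoryToMi` defines while converting only the callers visible here to `_shims.resource_Value`; any other template in the chart that still includes either name would fail at render time, which cannot be verified from this page, so the removal should be paired with a repo-wide search or a test render. The quantity-to-MiB expression `div (… | int64) ((mul (1024 | int) (1024 | int)))` is now repeated four times across this file (reserve, memory, container min, container max); a single helper in the Go source would keep the conversions consistent if the unit handling ever changes.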
@@ -0,0 +1,19 @@ +{{- /* Generated from "poddisruptionbudget.go" */ -}} + +{{- define "redpanda.PodDisruptionBudget" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $values := $dot.Values.AsMap -}} +{{- $budget := ($values.statefulset.budget.maxUnavailable | int) -}} +{{- $minReplicas := ((div ($values.statefulset.replicas | int) (2 | int)) | int) -}} +{{- if (and (gt $budget (1 | int)) (gt $budget $minReplicas)) -}} +{{- $_ := (fail (printf "statefulset.budget.maxUnavailable is set too high to maintain quorum: %d > %d" $budget $minReplicas)) -}} +{{- end -}} +{{- $maxUnavailable := ($budget | int) -}} +{{- $matchLabels := (get (fromJson (include "redpanda.StatefulSetPodLabelsSelector" (dict "a" (list $dot) ))) "r") -}} +{{- $_ := (set $matchLabels "redpanda.com/poddisruptionbudget" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) -}} +{{- (dict "r" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict ) "status" (dict "disruptionsAllowed" 0 "currentHealthy" 0 "desiredHealthy" 0 "expectedPods" 0 ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "policy/v1" "kind" "PodDisruptionBudget" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") "namespace" $dot.Release.Namespace "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") )) "spec" (mustMergeOverwrite (dict ) (dict "selector" (mustMergeOverwrite (dict ) (dict "matchLabels" $matchLabels )) "maxUnavailable" $maxUnavailable )) ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/templates/poddisruptionbudget.yaml b/charts/redpanda/redpanda/templates/poddisruptionbudget.yaml index 62fb6777e..daa92b0c9 100644 --- a/charts/redpanda/redpanda/templates/poddisruptionbudget.yaml +++ b/charts/redpanda/redpanda/templates/poddisruptionbudget.yaml 
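Review bot: The quorum check `(and (gt $budget (1 | int)) (gt $budget $minReplicas))` deliberately permits `maxUnavailable: 1` even when `replicas` is 2 and `$minReplicas` is 1; the removed YAML documented that choice with `to maintain quorum, raft cannot lose more than half its members` and `the lowest we can go is 1 so allow that always`, but this generated template carries no such comment, so the rationale should be restored in `poddisruptionbudget.go` where it will survive regeneration. Separately, the rendered object includes a populated `status` block (`disruptionsAllowed 0` and friends); the API server ignores it on apply, but it clutters `helm template` output and may be worth omitting in the generator.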
@@ -14,25 +14,8 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. */}} -{{- $budget := .Values.statefulset.budget.maxUnavailable -}} -{{- /* to maintain quorum, raft cannot lose more than half its members */ -}} -{{- $minReplicas := divf .Values.statefulset.replicas 2 | floor -}} -{{- /* the lowest we can go is 1 so allow that always */ -}} -{{- if and (gt $budget (float64 1)) (gt $budget $minReplicas) -}} - {{ fail "statefulset.budget.maxUnavailable is set too high to maintain quorum: $budget > $minReplicas" }} +{{- $pdb := (get ((include "redpanda.PodDisruptionBudget" (dict "a" (list .))) | fromJson) "r") }} +{{- if ne $pdb nil -}} +--- +{{toYaml $pdb}} {{- end -}} - -apiVersion: policy/v1 -kind: PodDisruptionBudget -metadata: - name: {{ template "redpanda.fullname" . }} - namespace: {{ .Release.Namespace }} - labels: -{{- with include "full.labels" . }} - {{- . | nindent 4 }} -{{- end }} -spec: - maxUnavailable: {{ $budget | int64 }} - selector: - matchLabels: {{ (include "statefulset-pod-labels-selector" .) | nindent 6 }} - redpanda.com/poddisruptionbudget: {{ template "redpanda.fullname" . }} diff --git a/charts/redpanda/redpanda/templates/post-install-upgrade-job.go.tpl b/charts/redpanda/redpanda/templates/post-install-upgrade-job.go.tpl new file mode 100644 index 000000000..b3dda62f3 --- /dev/null +++ b/charts/redpanda/redpanda/templates/post-install-upgrade-job.go.tpl 
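Review bot: `{{- if ne $pdb nil -}}` guards a value that `redpanda.PodDisruptionBudget`, added in this commit, never returns as nil — every path either calls `fail` or returns the object — so the guard is dead unless a future enable toggle is planned; a short comment saying which case it anticipates would stop the next reader from searching for the nil path. Also `{{- $pdb := … }}` ends without a trailing `-`, leaving a blank line before `---`; harmless for YAML but inconsistent with the `-}}` used on the surrounding lines.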
@@ -0,0 +1,54 @@ +{{- /* Generated from "post_install_upgrade_job.go" */ -}} + +{{- define "redpanda.PostInstallUpgradeJob" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (not $values.post_install_job.enabled) -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $job := (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "template" (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "containers" (coalesce nil) ) ) ) "status" (dict ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "batch/v1" "kind" "Job" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (printf "%s-configuration" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) "namespace" $dot.Release.Namespace "labels" (merge (dict ) (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") (default (dict ) $values.post_install_job.labels)) "annotations" (merge (dict ) (dict "helm.sh/hook" "post-install,post-upgrade" "helm.sh/hook-delete-policy" "before-hook-creation" "helm.sh/hook-weight" "-5" ) (default (dict ) $values.post_install_job.annotations)) )) "spec" (mustMergeOverwrite (dict "template" (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "containers" (coalesce nil) ) ) ) (dict "template" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "containers" (coalesce nil) ) ) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "generateName" (printf "%s-post-" $dot.Release.Name) "labels" (merge (dict ) (dict "app.kubernetes.io/name" (get (fromJson (include "redpanda.Name" (dict "a" (list $dot) ))) "r") "app.kubernetes.io/instance" $dot.Release.Name "app.kubernetes.io/component" (printf "%.50s-post-install" (get (fromJson (include "redpanda.Name" (dict "a" (list $dot) ))) 
"r")) ) (default (dict ) $values.commonLabels)) )) "spec" (mustMergeOverwrite (dict "containers" (coalesce nil) ) (dict "nodeSelector" $values.nodeSelector "affinity" (get (fromJson (include "redpanda.postInstallJobAffinity" (dict "a" (list $dot) ))) "r") "tolerations" (get (fromJson (include "redpanda.tolerations" (dict "a" (list $dot) ))) "r") "restartPolicy" "Never" "securityContext" (get (fromJson (include "redpanda.PodSecurityContext" (dict "a" (list $dot) ))) "r") "imagePullSecrets" (default (coalesce nil) $values.imagePullSecrets) "containers" (list (mustMergeOverwrite (dict "name" "" "resources" (dict ) ) (dict "name" (printf "%s-post-install" (get (fromJson (include "redpanda.Name" (dict "a" (list $dot) ))) "r")) "image" (printf "%s:%s" $values.image.repository (get (fromJson (include "redpanda.Tag" (dict "a" (list $dot) ))) "r")) "env" (get (fromJson (include "redpanda.PostInstallUpgradeEnvironmentVariables" (dict "a" (list $dot) ))) "r") "command" (list "bash" "-c") "args" (list ) "resources" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.post_install_job.resources (mustMergeOverwrite (dict ) (dict ))) ))) "r") "securityContext" (merge (dict ) (default (mustMergeOverwrite (dict ) (dict )) $values.post_install_job.securityContext) (get (fromJson (include "redpanda.ContainerSecurityContext" (dict "a" (list $dot) ))) "r")) "volumeMounts" (get (fromJson (include "redpanda.DefaultMounts" (dict "a" (list $dot) ))) "r") ))) "volumes" (get (fromJson (include "redpanda.DefaultVolumes" (dict "a" (list $dot) ))) "r") "serviceAccountName" (get (fromJson (include "redpanda.ServiceAccountName" (dict "a" (list $dot) ))) "r") )) )) )) )) -}} +{{- $script := (coalesce nil) -}} +{{- $script = (concat (default (list ) $script) (list `set -e`)) -}} +{{- if (get (fromJson (include "redpanda.RedpandaAtLeast_22_2_0" (dict "a" (list $dot) ))) "r") -}} +{{- $script = (concat (default (list ) $script) (list `if [[ -n "$REDPANDA_LICENSE" ]] then` ` rpk cluster 
license set "$REDPANDA_LICENSE"` `fi`)) -}} +{{- end -}} +{{- $script = (concat (default (list ) $script) (list `` `` `` `` `rpk cluster config export -f /tmp/cfg.yml` `` `` `for KEY in "${!RPK_@}"; do` ` config="${KEY#*RPK_}"` ` rpk redpanda config set --config /tmp/cfg.yml "${config,,}" "${!KEY}"` `done` `` `` `rpk cluster config import -f /tmp/cfg.yml` ``)) -}} +{{- $_ := (set (index $job.spec.template.spec.containers (0 | int)) "args" (concat (default (list ) (index $job.spec.template.spec.containers (0 | int)).args) (list (get (fromJson (include "redpanda.unlines" (dict "a" (list $script) ))) "r")))) -}} +{{- (dict "r" $job) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.postInstallJobAffinity" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $values := $dot.Values.AsMap -}} +{{- $affinity := (dict ) -}} +{{- if (not (empty $values.post_install_job.affinity)) -}} +{{- $affinity = (merge (dict ) $values.post_install_job.affinity) -}} +{{- (dict "r" $affinity) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_ := (set $affinity "nodeAffinity" (merge (dict ) (default (dict ) $values.affinity.nodeAffinity))) -}} +{{- $_ := (set $affinity "podAffinity" (merge (dict ) (default (dict ) $values.affinity.podAffinity))) -}} +{{- $_ := (set $affinity "podAntiAffinity" (merge (dict ) (default (dict ) $values.affinity.podAntiAffinity))) -}} +{{- (dict "r" $affinity) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.tolerations" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $values := $dot.Values.AsMap -}} +{{- $result := (coalesce nil) -}} +{{- range $_, $t := $values.tolerations -}} +{{- $result = (concat (default (list ) $result) (list (merge (dict ) $t))) -}} +{{- end -}} +{{- (dict "r" $result) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + 
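Review bot: The script line `if [[ -n "$REDPANDA_LICENSE" ]] then` lacks the `;` (or newline) bash requires between a `[[ … ]]` test and `then`, so whenever `redpanda.RedpandaAtLeast_22_2_0` is true the assembled script appears to fail to parse before any `rpk` command runs; the same text was in the removed YAML, so this is inherited rather than introduced, but the Go source is the place to fix it: `if [[ -n "$REDPANDA_LICENSE" ]]; then`. The container `securityContext` is built as `merge (dict ) (default … $values.post_install_job.securityContext) (… redpanda.ContainerSecurityContext …)`; if I read Sprig's `merge` right the first populated map wins, so user-supplied keys now override whatever the chart's default context sets, whereas the removed YAML merged `$defaultContext $customContext` and gave the defaults precedence. If that flip is intentional it belongs in the values documentation; otherwise swap the two arguments.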
diff --git a/charts/redpanda/redpanda/templates/post-install-upgrade-job.yaml b/charts/redpanda/redpanda/templates/post-install-upgrade-job.yaml
index d3d96ef11..7b7e8b53e 100644
--- a/charts/redpanda/redpanda/templates/post-install-upgrade-job.yaml
+++ b/charts/redpanda/redpanda/templates/post-install-upgrade-job.yaml
@@ -14,122 +14,8 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. */}} -{{- if .Values.post_install_job.enabled }} -{{- $values := .Values }} +{{- $job := (get ((include "redpanda.PostInstallUpgradeJob" (dict "a" (list .))) | fromJson) "r") }} +{{- if ne $job nil -}} --- -apiVersion: batch/v1 -kind: Job -metadata: - name: {{ template "redpanda.fullname" . }}-configuration - namespace: {{ .Release.Namespace | quote }} - labels: -{{- with include "full.labels" . }} - {{- . | nindent 4 }} -{{- end }} -{{- with .Values.post_install_job.labels }} - {{- toYaml . | nindent 4 }} -{{- end }} - annotations: - # This is what defines this resource as a hook. Without this line, the - # job is considered part of the release. - "helm.sh/hook": post-install,post-upgrade - "helm.sh/hook-delete-policy": before-hook-creation - "helm.sh/hook-weight": "-5" -{{- with .Values.post_install_job.annotations }} - {{- toYaml . | nindent 4 }} -{{- end }} -spec: - template: - metadata: - generateName: "{{ .Release.Name }}-post-" - labels: - app.kubernetes.io/name: {{ template "redpanda.name" . }} - app.kubernetes.io/instance: {{ .Release.Name | quote }} - app.kubernetes.io/component: {{ (include "redpanda.name" .) | trunc 50 }}-post-install -{{- with .Values.commonLabels }} - {{- toYaml . | nindent 8 }} -{{- end }} - spec: - {{- with .Values.nodeSelector }} - nodeSelector: {{- toYaml . | nindent 8 }} - {{- end }} - {{- with ( include "post-install-job-affinity" . ) }} - affinity: {{- . | nindent 8 }} - {{- end }} - {{- with .Values.tolerations }} - tolerations: {{- toYaml . | nindent 8 }} - {{- end }} - restartPolicy: Never - securityContext: {{ include "pod-security-context" . | nindent 8 }} - {{- with .Values.imagePullSecrets }} - imagePullSecrets: {{- toYaml . | nindent 8 }} - {{- end }} - containers: - - name: {{ template "redpanda.name" . 
}}-post-install - image: {{ .Values.image.repository }}:{{ template "redpanda.tag" . }} - {{ (dict "env" (get ((include "redpanda.PostInstallUpgradeEnvironmentVariables" (dict "a" (list .))) | fromJson) "r")) | toYaml | nindent 8 }} - command: ["bash","-c"] - args: - - | - set -e - {{- if (include "redpanda-atleast-22-2-0" . | fromJson).bool }} - if [[ -n "$REDPANDA_LICENSE" ]] then - rpk cluster license set "$REDPANDA_LICENSE" - fi - {{- end }} - - {{/* ### Here be dragons ### - This block of bash configures cluster configuration settings by - pulling them from environment variables. - - This allows us to support configurations from secrets or their raw - values. - - WARNING: There is a small race condition here. `rpk cluster config - import` will reset any values that are not specified. To work - around this, we first export the the configuration. If there's a - change to the configuration while we're updating the exported - config on disk, said change will be reverted. - - TODO(chrisseto): Consolidate all cluster configuration setting to - this job. - */}} - - {{/* First: dump the existing cluster configuration. - - We need to use config import to handle conditional configurations - (e.g. cloud_storage_enabled). Maintaining a DAG of configurations - is not an option for the helm chart. */}} - rpk cluster config export -f /tmp/cfg.yml - - {{/* Second: For each environment variable with the prefix RPK - ("${!RPK_@}"), use `rpk redpanda config set` to update the exported - config. - - Lots of Bash Jargon here: - "${KEY#*RPK_}" => Strip the RPK_ prefix from KEY. - "${config,,}" => config.toLower() - "${!KEY}" => Dynamic variable resolution. ie: What is the value of the variable with a name equal to the value of $KEY? 
- */}} - for KEY in "${!RPK_@}"; do - config="${KEY#*RPK_}" - rpk redpanda config set --config /tmp/cfg.yml "${config,,}" "${!KEY}" - done - - {{/* - The updated file is then loaded via `rpk cluster config import` which - ensures that conditional configurations (cloud_storage_enabled) - "see" all their dependent keys. - */}} - rpk cluster config import -f /tmp/cfg.yml - {{- with .Values.post_install_job.resources }} - resources: - {{- toYaml . | nindent 10 }} - {{- end }} - securityContext: {{- $defaultContext := include "container-security-context" . | fromYaml -}} - {{- $customContext := .Values.post_install_job.securityContext -}} - {{- merge $defaultContext $customContext | toYaml | nindent 10 }} - volumeMounts: {{- include "default-mounts" . | nindent 10 }} - volumes: {{ include "default-volumes" . | nindent 8 }} - serviceAccountName: {{ include "redpanda.serviceAccountName" . }} +{{toYaml $job}} {{- end -}} diff --git a/charts/redpanda/redpanda/templates/secrets.go.tpl b/charts/redpanda/redpanda/templates/secrets.go.tpl new file mode 100644 index 000000000..26875eca2 --- /dev/null +++ b/charts/redpanda/redpanda/templates/secrets.go.tpl 
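Review bot: The removed lines carried the "Here be dragons" explanation of why the job exports, patches and re-imports the cluster configuration, including the warning that a configuration change made while the job runs is reverted by `rpk cluster config import`; the new template only includes `redpanda.PostInstallUpgradeJob`, and the generated file in this commit holds the script as bare string literals, so that warning no longer appears in any rendered template. If `post_install_upgrade_job.go` does not already carry it, the export/set/import block there should get the same comment so the race stays documented for operators and future maintainers.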
@@ -0,0 +1,350 @@ +{{- /* Generated from "secrets.go" */ -}} + +{{- define "redpanda.Secrets" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $secrets := (coalesce nil) -}} +{{- $secrets = (concat (default (list ) $secrets) (list (get (fromJson (include "redpanda.SecretSTSLifecycle" (dict "a" (list $dot) ))) "r"))) -}} +{{- $saslUsers_1 := (get (fromJson (include "redpanda.SecretSASLUsers" (dict "a" (list $dot) ))) "r") -}} +{{- if (ne $saslUsers_1 (coalesce nil)) -}} +{{- $secrets = (concat (default (list ) $secrets) (list $saslUsers_1)) -}} +{{- end -}} +{{- $configWatcher_2 := (get (fromJson (include "redpanda.SecretConfigWatcher" (dict "a" (list $dot) ))) "r") -}} +{{- if (ne $configWatcher_2 (coalesce nil)) -}} +{{- $secrets = (concat (default (list ) $secrets) (list $configWatcher_2)) -}} +{{- end -}} +{{- $secrets = (concat (default (list ) $secrets) (list (get (fromJson (include "redpanda.SecretConfigurator" (dict "a" (list $dot) ))) "r"))) -}} +{{- $fsValidator_3 := (get (fromJson (include "redpanda.SecretFSValidator" (dict "a" (list $dot) ))) "r") -}} +{{- if (ne $fsValidator_3 (coalesce nil)) -}} +{{- $secrets = (concat (default (list ) $secrets) (list $fsValidator_3)) -}} +{{- end -}} +{{- (dict "r" $secrets) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.SecretSTSLifecycle" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $values := $dot.Values.AsMap -}} +{{- $secret := (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "v1" "kind" "Secret" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (printf "%s-sts-lifecycle" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) "namespace" $dot.Release.Namespace "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") )) "type" "Opaque" "stringData" (dict ) )) -}} +{{- 
$adminCurlFlags := (get (fromJson (include "redpanda.adminTLSCurlFlags" (dict "a" (list $dot) ))) "r") -}} +{{- $_ := (set $secret.stringData "common.sh" (get (fromJson (include "redpanda.unlines" (dict "a" (list (list `#!/usr/bin/env bash` `` `# the SERVICE_NAME comes from the metadata.name of the pod, essentially the POD_NAME` (printf `CURL_URL="%s"` (get (fromJson (include "redpanda.adminInternalURL" (dict "a" (list $dot) ))) "r")) `` `# commands used throughout` (printf `CURL_NODE_ID_CMD="curl --silent --fail %s ${CURL_URL}/v1/node_config"` $adminCurlFlags) `` `CURL_MAINTENANCE_DELETE_CMD_PREFIX='curl -X DELETE --silent -o /dev/null -w "%{http_code}"'` `CURL_MAINTENANCE_PUT_CMD_PREFIX='curl -X PUT --silent -o /dev/null -w "%{http_code}"'` (printf `CURL_MAINTENANCE_GET_CMD="curl -X GET --silent %s ${CURL_URL}/v1/maintenance"` $adminCurlFlags))) ))) "r")) -}} +{{- $postStartSh := (list `#!/usr/bin/env bash` `# This code should be similar if not exactly the same as that found in the panda-operator, see` `# https://github.com/redpanda-data/redpanda/blob/e51d5b7f2ef76d5160ca01b8c7a8cf07593d29b6/src/go/k8s/pkg/resources/secret.go` `` `# path below should match the path defined on the statefulset` `source /var/lifecycle/common.sh` `` `postStartHook () {` ` set -x` `` ` touch /tmp/postStartHookStarted` `` ` until NODE_ID=$(${CURL_NODE_ID_CMD} | grep -o '\"node_id\":[^,}]*' | grep -o '[^: ]*$'); do` ` sleep 0.5` ` done` `` ` echo "Clearing maintenance mode on node ${NODE_ID}"` (printf ` CURL_MAINTENANCE_DELETE_CMD="${CURL_MAINTENANCE_DELETE_CMD_PREFIX} %s ${CURL_URL}/v1/brokers/${NODE_ID}/maintenance"` $adminCurlFlags) ` # a 400 here would mean not in maintenance mode` ` until [ "${status:-}" = '"200"' ] || [ "${status:-}" = '"400"' ]; do` ` status=$(${CURL_MAINTENANCE_DELETE_CMD})` ` sleep 0.5` ` done`) -}} +{{- if (and $values.auth.sasl.enabled (ne $values.auth.sasl.secretRef "")) -}} +{{- $postStartSh = (concat (default (list ) $postStartSh) (list ` # Setup and 
export SASL bootstrap-user` ` IFS=":" read -r USER_NAME PASSWORD MECHANISM < <(grep "" $(find /etc/secrets/users/* -print))` (printf ` MECHANISM=${MECHANISM:-%s}` (dig "auth" "sasl" "mechanism" "SCRAM-SHA-512" $dot.Values.AsMap)) ` rpk acl user create ${USER_NAME} --password=${PASSWORD} --mechanism ${MECHANISM} || true`)) -}} +{{- end -}} +{{- $postStartSh = (concat (default (list ) $postStartSh) (list `` ` touch /tmp/postStartHookFinished` `}` `` `postStartHook` `true`)) -}} +{{- $_ := (set $secret.stringData "postStart.sh" (get (fromJson (include "redpanda.unlines" (dict "a" (list $postStartSh) ))) "r")) -}} +{{- $preStopSh := (list `#!/usr/bin/env bash` `# This code should be similar if not exactly the same as that found in the panda-operator, see` `# https://github.com/redpanda-data/redpanda/blob/e51d5b7f2ef76d5160ca01b8c7a8cf07593d29b6/src/go/k8s/pkg/resources/secret.go` `` `touch /tmp/preStopHookStarted` `` `# path below should match the path defined on the statefulset` `source /var/lifecycle/common.sh` `` `set -x` `` `preStopHook () {` ` until NODE_ID=$(${CURL_NODE_ID_CMD} | grep -o '\"node_id\":[^,}]*' | grep -o '[^: ]*$'); do` ` sleep 0.5` ` done` `` ` echo "Setting maintenance mode on node ${NODE_ID}"` (printf ` CURL_MAINTENANCE_PUT_CMD="${CURL_MAINTENANCE_PUT_CMD_PREFIX} %s ${CURL_URL}/v1/brokers/${NODE_ID}/maintenance"` $adminCurlFlags) ` until [ "${status:-}" = '"200"' ]; do` ` status=$(${CURL_MAINTENANCE_PUT_CMD})` ` sleep 0.5` ` done` `` ` until [ "${finished:-}" = "true" ] || [ "${draining:-}" = "false" ]; do` ` res=$(${CURL_MAINTENANCE_GET_CMD})` ` finished=$(echo $res | grep -o '\"finished\":[^,}]*' | grep -o '[^: ]*$')` ` draining=$(echo $res | grep -o '\"draining\":[^,}]*' | grep -o '[^: ]*$')` ` sleep 0.5` ` done` `` ` touch /tmp/preStopHookFinished` `}`) -}} +{{- if (and (gt ($values.statefulset.replicas | int) (2 | int)) (not (get (fromJson (include "_shims.typeassertion" (dict "a" (list "bool" (dig "recovery_mode_enabled" false 
$values.config.node)) ))) "r"))) -}} +{{- $preStopSh = (concat (default (list ) $preStopSh) (list `preStopHook`)) -}} +{{- else -}} +{{- $preStopSh = (concat (default (list ) $preStopSh) (list `touch /tmp/preStopHookFinished` `echo "Not enough replicas or in recovery mode, cannot put a broker into maintenance mode."`)) -}} +{{- end -}} +{{- $preStopSh = (concat (default (list ) $preStopSh) (list `true`)) -}} +{{- $_ := (set $secret.stringData "preStop.sh" (get (fromJson (include "redpanda.unlines" (dict "a" (list $preStopSh) ))) "r")) -}} +{{- (dict "r" $secret) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.SecretSASLUsers" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (and (and (ne $values.auth.sasl.secretRef "") $values.auth.sasl.enabled) (gt ((get (fromJson (include "_shims.len" (dict "a" (list $values.auth.sasl.users) ))) "r") | int) (0 | int))) -}} +{{- $secret := (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "v1" "kind" "Secret" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" $values.auth.sasl.secretRef "namespace" $dot.Release.Namespace "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") )) "type" "Opaque" "stringData" (dict ) )) -}} +{{- $usersTxt := (list ) -}} +{{- range $_, $user := $values.auth.sasl.users -}} +{{- if (ne $user.mechanism "") -}} +{{- $usersTxt = (concat (default (list ) $usersTxt) (list (printf "%s:%s:%s" $user.name $user.password $user.mechanism))) -}} +{{- else -}} +{{- $usersTxt = (concat (default (list ) $usersTxt) (list (printf "%s:%s" $user.name $user.password))) -}} +{{- end -}} +{{- end -}} +{{- $_ := (set $secret.stringData "users.txt" (get (fromJson (include "redpanda.unlines" (dict "a" (list $usersTxt) ))) "r")) -}} +{{- (dict "r" $secret) | toJson -}} +{{- break -}} 
+{{- else -}}{{- if (and $values.auth.sasl.enabled (eq $values.auth.sasl.secretRef "")) -}} +{{- $_ := (fail "auth.sasl.secretRef cannot be empty when auth.sasl.enabled=true") -}} +{{- else -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.SecretConfigWatcher" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (not $values.statefulset.sideCars.configWatcher.enabled) -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $sasl := $values.auth.sasl -}} +{{- $secret := (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "v1" "kind" "Secret" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (printf "%s-config-watcher" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) "namespace" $dot.Release.Namespace "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") )) "type" "Opaque" "stringData" (dict ) )) -}} +{{- $saslUserSh := (coalesce nil) -}} +{{- $saslUserSh = (concat (default (list ) $saslUserSh) (list `#!/usr/bin/env bash` `` `trap 'error_handler $? $LINENO' ERR` `` `error_handler() {` ` echo "Error: ($1) occurred at line $2"` `}` `` `set -e` `` `# rpk cluster health can exit non-zero if it's unable to dial brokers. This` `# can happen for many reasons but we never want this script to crash as it` `# would take down yet another broker and make a bad situation worse.` `# Instead, just wait for the command to eventually exit zero.` `echo "Waiting for cluster to be ready"` `until rpk cluster health --watch --exit-when-healthy; do` ` echo "rpk cluster health failed. 
Waiting 5 seconds before trying again..."` ` sleep 5` `done`)) -}} +{{- if (and $sasl.enabled (ne $sasl.secretRef "")) -}} +{{- $saslUserSh = (concat (default (list ) $saslUserSh) (list `while true; do` ` echo "RUNNING: Monitoring and Updating SASL users"` ` USERS_DIR="/etc/secrets/users"` `` ` new_users_list(){` ` LIST=$1` ` NEW_USER=$2` ` if [[ -n "${LIST}" ]]; then` ` LIST="${NEW_USER},${LIST}"` ` else` ` LIST="${NEW_USER}"` ` fi` `` ` echo "${LIST}"` ` }` `` ` process_users() {` ` USERS_DIR=${1-"/etc/secrets/users"}` ` USERS_FILE=$(find ${USERS_DIR}/* -print)` ` USERS_LIST=""` ` READ_LIST_SUCCESS=0` ` # Read line by line, handle a missing EOL at the end of file` ` while read p || [ -n "$p" ] ; do` ` IFS=":" read -r USER_NAME PASSWORD MECHANISM <<< $p` ` # Do not process empty lines` ` if [ -z "$USER_NAME" ]; then` ` continue` ` fi` ` if [[ "${USER_NAME// /}" != "$USER_NAME" ]]; then` ` continue` ` fi` ` echo "Creating user ${USER_NAME}..."` (printf ` MECHANISM=${MECHANISM:-%s}` (dig "auth" "sasl" "mechanism" "SCRAM-SHA-512" $dot.Values.AsMap)) ` creation_result=$(rpk acl user create ${USER_NAME} --password=${PASSWORD} --mechanism ${MECHANISM} 2>&1) && creation_result_exit_code=$? || creation_result_exit_code=$? # On a non-success exit code` ` if [[ $creation_result_exit_code -ne 0 ]]; then` ` # Check if the stderr contains "User already exists"` ` # this error occurs when password has changed` ` if [[ $creation_result == *"User already exists"* ]]; then` ` echo "Update user ${USER_NAME}"` ` # we will try to update by first deleting` ` deletion_result=$(rpk acl user delete ${USER_NAME} 2>&1) && deletion_result_exit_code=$? 
|| deletion_result_exit_code=$?` ` if [[ $deletion_result_exit_code -ne 0 ]]; then` ` echo "deletion of user ${USER_NAME} failed: ${deletion_result}"` ` READ_LIST_SUCCESS=1` ` break` ` fi` ` # Now we update the user` ` update_result=$(rpk acl user create ${USER_NAME} --password=${PASSWORD} --mechanism ${MECHANISM} 2>&1) && update_result_exit_code=$? || update_result_exit_code=$? # On a non-success exit code` ` if [[ $update_result_exit_code -ne 0 ]]; then` ` echo "updating user ${USER_NAME} failed: ${update_result}"` ` READ_LIST_SUCCESS=1` ` break` ` else` ` echo "Updated user ${USER_NAME}..."` ` USERS_LIST=$(new_users_list "${USERS_LIST}" "${USER_NAME}")` ` fi` ` else` ` # Another error occurred, so output the original message and exit code` ` echo "error creating user ${USER_NAME}: ${creation_result}"` ` READ_LIST_SUCCESS=1` ` break` ` fi` ` # On a success, the user was created so output that` ` else` ` echo "Created user ${USER_NAME}..."` ` USERS_LIST=$(new_users_list "${USERS_LIST}" "${USER_NAME}")` ` fi` ` done < $USERS_FILE` `` ` if [[ -n "${USERS_LIST}" && ${READ_LIST_SUCCESS} ]]; then` ` echo "Setting superusers configurations with users [${USERS_LIST}]"` ` superuser_result=$(rpk cluster config set superusers [${USERS_LIST}] 2>&1) && superuser_result_exit_code=$? || superuser_result_exit_code=$?` ` if [[ $superuser_result_exit_code -ne 0 ]]; then` ` echo "Setting superusers configurations failed: ${superuser_result}"` ` else` ` echo "Completed setting superusers configurations"` ` fi` ` fi` ` }` `` ` # first time processing` ` process_users $USERS_DIR` `` ` # subsequent changes detected here` ` # watching delete_self as documented in https://ahmet.im/blog/kubernetes-inotify/` ` USERS_FILE=$(find ${USERS_DIR}/* -print)` ` while RES=$(inotifywait -q -e delete_self ${USERS_FILE}); do` ` process_users $USERS_DIR` ` done` `done`)) -}} +{{- else -}} +{{- $saslUserSh = (concat (default (list ) $saslUserSh) (list `echo "Nothing to do. 
Sleeping..."` `sleep infinity`)) -}} +{{- end -}} +{{- $_ := (set $secret.stringData "sasl-user.sh" (get (fromJson (include "redpanda.unlines" (dict "a" (list $saslUserSh) ))) "r")) -}} +{{- (dict "r" $secret) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.SecretFSValidator" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (not $values.statefulset.initContainers.fsValidator.enabled) -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $secret := (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "v1" "kind" "Secret" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (printf "%s-fs-validator" (substr 0 (49 | int) (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r"))) "namespace" $dot.Release.Namespace "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") )) "type" "Opaque" "stringData" (dict ) )) -}} +{{- $_ := (set $secret.stringData "fsValidator.sh" `set -e +EXPECTED_FS_TYPE=$1 + +DATA_DIR="/var/lib/redpanda/data" +TEST_FILE="testfile" + +echo "checking data directory exist..." +if [ ! -d "${DATA_DIR}" ]; then + echo "data directory does not exists, exiting" + exit 1 +fi + +echo "checking filesystem type..." +FS_TYPE=$(df -T $DATA_DIR | tail -n +2 | awk '{print $2}') + +if [ "${FS_TYPE}" != "${EXPECTED_FS_TYPE}" ]; then + echo "file system found to be ${FS_TYPE} when expected ${EXPECTED_FS_TYPE}" + exit 1 +fi + +echo "checking if able to create a test file..." + +touch ${DATA_DIR}/${TEST_FILE} +result=$(touch ${DATA_DIR}/${TEST_FILE} 2> /dev/null; echo $?) +if [ "${result}" != "0" ]; then + echo "could not write testfile, may not have write permission" + exit 1 +fi + +echo "checking if able to delete a test file..." 
+ +result=$(rm ${DATA_DIR}/${TEST_FILE} 2> /dev/null; echo $?) +if [ "${result}" != "0" ]; then + echo "could not delete testfile" + exit 1 +fi + +echo "passed"`) -}} +{{- (dict "r" $secret) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.SecretConfigurator" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $values := $dot.Values.AsMap -}} +{{- $secret := (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "v1" "kind" "Secret" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (printf "%s-configurator" (substr 0 (51 | int) (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r"))) "namespace" $dot.Release.Namespace "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") )) "type" "Opaque" "stringData" (dict ) )) -}} +{{- $configuratorSh := (list ) -}} +{{- $configuratorSh = (concat (default (list ) $configuratorSh) (list `set -xe` `SERVICE_NAME=$1` `KUBERNETES_NODE_NAME=$2` `POD_ORDINAL=${SERVICE_NAME##*-}` "BROKER_INDEX=`expr $POD_ORDINAL + 1`" `` `CONFIG=/etc/redpanda/redpanda.yaml` `` `# Setup config files` `cp /tmp/base-config/redpanda.yaml "${CONFIG}"` `cp /tmp/base-config/bootstrap.yaml /etc/redpanda/.bootstrap.yaml`)) -}} +{{- if (not (get (fromJson (include "redpanda.RedpandaAtLeast_22_3_0" (dict "a" (list $dot) ))) "r")) -}} +{{- $configuratorSh = (concat (default (list ) $configuratorSh) (list `` `# Configure bootstrap` `## Not used for Redpanda v22.3.0+` `rpk --config "${CONFIG}" redpanda config set redpanda.node_id "${POD_ORDINAL}"` `if [ "${POD_ORDINAL}" = "0" ]; then` ` rpk --config "${CONFIG}" redpanda config set redpanda.seed_servers '[]' --format yaml` `fi`)) -}} +{{- end -}} +{{- $kafkaSnippet := (get (fromJson (include "redpanda.secretConfiguratorKafkaConfig" (dict "a" (list $dot) ))) "r") -}} +{{- $configuratorSh = (concat 
(default (list ) $configuratorSh) (default (list ) $kafkaSnippet)) -}} +{{- $httpSnippet := (get (fromJson (include "redpanda.secretConfiguratorHTTPConfig" (dict "a" (list $dot) ))) "r") -}} +{{- $configuratorSh = (concat (default (list ) $configuratorSh) (default (list ) $httpSnippet)) -}} +{{- if (and (get (fromJson (include "redpanda.RedpandaAtLeast_22_3_0" (dict "a" (list $dot) ))) "r") $values.rackAwareness.enabled) -}} +{{- $configuratorSh = (concat (default (list ) $configuratorSh) (list `` `# Configure Rack Awareness` `set +x` (printf `RACK=$(curl --silent --cacert /run/secrets/kubernetes.io/serviceaccount/ca.crt --fail -H 'Authorization: Bearer '$(cat /run/secrets/kubernetes.io/serviceaccount/token) "https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT_HTTPS}/api/v1/nodes/${KUBERNETES_NODE_NAME}?pretty=true" | grep %s | grep -v '\"key\":' | sed 's/.*": "\([^"]\+\).*/\1/')` (squote (quote $values.rackAwareness.nodeAnnotation))) `set -x` `rpk --config "$CONFIG" redpanda config set redpanda.rack "${RACK}"`)) -}} +{{- end -}} +{{- $_ := (set $secret.stringData "configurator.sh" (get (fromJson (include "redpanda.unlines" (dict "a" (list $configuratorSh) ))) "r")) -}} +{{- (dict "r" $secret) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.secretConfiguratorKafkaConfig" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $values := $dot.Values.AsMap -}} +{{- $internalAdvertiseAddress := (printf "%s.%s" "${SERVICE_NAME}" (get (fromJson (include "redpanda.InternalDomain" (dict "a" (list $dot) ))) "r")) -}} +{{- $snippet := (coalesce nil) -}} +{{- $listenerName := "kafka" -}} +{{- $listenerAdvertisedName := $listenerName -}} +{{- $redpandaConfigPart := "redpanda" -}} +{{- $snippet = (concat (default (list ) $snippet) (list `` (printf `LISTENER=%s` (quote (toJson (dict "name" "internal" "address" $internalAdvertiseAddress "port" ($values.listeners.kafka.port | int) )))) (printf `rpk redpanda config --config 
"$CONFIG" set %s.advertised_%s_api[0] "$LISTENER"` $redpandaConfigPart $listenerAdvertisedName))) -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $values.listeners.kafka.external) ))) "r") | int) (0 | int)) -}} +{{- $externalCounter := (0 | int) -}} +{{- range $externalName, $externalVals := $values.listeners.kafka.external -}} +{{- $externalCounter = ((add $externalCounter (1 | int)) | int) -}} +{{- $snippet = (concat (default (list ) $snippet) (list `` (printf `ADVERTISED_%s_ADDRESSES=()` (upper $listenerName)))) -}} +{{- range $_, $replicaIndex := (until ($values.statefulset.replicas | int)) -}} +{{- $port := ($externalVals.port | int) -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $externalVals.advertisedPorts) ))) "r") | int) (0 | int)) -}} +{{- if (eq ((get (fromJson (include "_shims.len" (dict "a" (list $externalVals.advertisedPorts) ))) "r") | int) (1 | int)) -}} +{{- $port = (index $externalVals.advertisedPorts (0 | int)) -}} +{{- else -}} +{{- $port = (index $externalVals.advertisedPorts $replicaIndex) -}} +{{- end -}} +{{- end -}} +{{- $host := (get (fromJson (include "redpanda.advertisedHostJSON" (dict "a" (list $dot $externalName $port $replicaIndex) ))) "r") -}} +{{- $address := (toJson $host) -}} +{{- $prefixTemplate := (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $externalVals.prefixTemplate "") ))) "r") -}} +{{- if (eq $prefixTemplate "") -}} +{{- $prefixTemplate = (default "" $values.external.prefixTemplate) -}} +{{- end -}} +{{- $snippet = (concat (default (list ) $snippet) (list `` (printf `PREFIX_TEMPLATE=%s` (quote $prefixTemplate)) (printf `ADVERTISED_%s_ADDRESSES+=(%s)` (upper $listenerName) (quote $address)))) -}} +{{- end -}} +{{- $snippet = (concat (default (list ) $snippet) (list `` (printf `rpk redpanda config --config "$CONFIG" set %s.advertised_%s_api[%d] "${ADVERTISED_%s_ADDRESSES[$POD_ORDINAL]}"` $redpandaConfigPart $listenerAdvertisedName $externalCounter (upper 
$listenerName)))) -}} +{{- end -}} +{{- end -}} +{{- (dict "r" $snippet) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.secretConfiguratorHTTPConfig" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $values := $dot.Values.AsMap -}} +{{- $internalAdvertiseAddress := (printf "%s.%s" "${SERVICE_NAME}" (get (fromJson (include "redpanda.InternalDomain" (dict "a" (list $dot) ))) "r")) -}} +{{- $snippet := (coalesce nil) -}} +{{- $listenerName := "http" -}} +{{- $listenerAdvertisedName := "pandaproxy" -}} +{{- $redpandaConfigPart := "pandaproxy" -}} +{{- $snippet = (concat (default (list ) $snippet) (list `` (printf `LISTENER=%s` (quote (toJson (dict "name" "internal" "address" $internalAdvertiseAddress "port" ($values.listeners.http.port | int) )))) (printf `rpk redpanda config --config "$CONFIG" set %s.advertised_%s_api[0] "$LISTENER"` $redpandaConfigPart $listenerAdvertisedName))) -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $values.listeners.http.external) ))) "r") | int) (0 | int)) -}} +{{- $externalCounter := (0 | int) -}} +{{- range $externalName, $externalVals := $values.listeners.http.external -}} +{{- $externalCounter = ((add $externalCounter (1 | int)) | int) -}} +{{- $snippet = (concat (default (list ) $snippet) (list `` (printf `ADVERTISED_%s_ADDRESSES=()` (upper $listenerName)))) -}} +{{- range $_, $replicaIndex := (until ($values.statefulset.replicas | int)) -}} +{{- $port := ($externalVals.port | int) -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $externalVals.advertisedPorts) ))) "r") | int) (0 | int)) -}} +{{- if (eq ((get (fromJson (include "_shims.len" (dict "a" (list $externalVals.advertisedPorts) ))) "r") | int) (1 | int)) -}} +{{- $port = (index $externalVals.advertisedPorts (0 | int)) -}} +{{- else -}} +{{- $port = (index $externalVals.advertisedPorts $replicaIndex) -}} +{{- end -}} +{{- end -}} +{{- $host := (get (fromJson (include 
"redpanda.advertisedHostJSON" (dict "a" (list $dot $externalName $port $replicaIndex) ))) "r") -}} +{{- $address := (toJson $host) -}} +{{- $prefixTemplate := (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $externalVals.prefixTemplate "") ))) "r") -}} +{{- if (eq $prefixTemplate "") -}} +{{- $prefixTemplate = (default "" $values.external.prefixTemplate) -}} +{{- end -}} +{{- $snippet = (concat (default (list ) $snippet) (list `` (printf `PREFIX_TEMPLATE=%s` (quote $prefixTemplate)) (printf `ADVERTISED_%s_ADDRESSES+=(%s)` (upper $listenerName) (quote $address)))) -}} +{{- end -}} +{{- $snippet = (concat (default (list ) $snippet) (list `` (printf `rpk redpanda config --config "$CONFIG" set %s.advertised_%s_api[%d] "${ADVERTISED_%s_ADDRESSES[$POD_ORDINAL]}"` $redpandaConfigPart $listenerAdvertisedName $externalCounter (upper $listenerName)))) -}} +{{- end -}} +{{- end -}} +{{- (dict "r" $snippet) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.adminTLSCurlFlags" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (not (get (fromJson (include "redpanda.InternalTLS.IsEnabled" (dict "a" (list $values.listeners.admin.tls $values.tls) ))) "r")) -}} +{{- (dict "r" "") | toJson -}} +{{- break -}} +{{- end -}} +{{- $path := (printf "/etc/tls/certs/%s" $values.listeners.admin.tls.cert) -}} +{{- if $values.listeners.admin.tls.requireClientAuth -}} +{{- (dict "r" (printf "--cacert %s/ca.crt --cert %s/tls.crt --key %s/tls.key" $path $path $path)) | toJson -}} +{{- break -}} +{{- end -}} +{{- (dict "r" (printf "--cacert %s/ca.crt" $path)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.externalAdvertiseAddress" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $values := $dot.Values.AsMap -}} +{{- $eaa := "${SERVICE_NAME}" -}} +{{- $externalDomainTemplate := (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list 
$values.external.domain "") ))) "r") -}} +{{- $expanded := (tpl $externalDomainTemplate $dot) -}} +{{- if (not (empty $expanded)) -}} +{{- $eaa = (printf "%s.%s" "${SERVICE_NAME}" $expanded) -}} +{{- end -}} +{{- (dict "r" $eaa) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.advertisedHostJSON" -}} +{{- $dot := (index .a 0) -}} +{{- $externalName := (index .a 1) -}} +{{- $port := (index .a 2) -}} +{{- $replicaIndex := (index .a 3) -}} +{{- range $_ := (list 1) -}} +{{- $values := $dot.Values.AsMap -}} +{{- $host := (dict "name" $externalName "address" (get (fromJson (include "redpanda.externalAdvertiseAddress" (dict "a" (list $dot) ))) "r") "port" $port ) -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $values.external.addresses) ))) "r") | int) (0 | int)) -}} +{{- $address := "" -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $values.external.addresses) ))) "r") | int) (1 | int)) -}} +{{- $address = (index $values.external.addresses $replicaIndex) -}} +{{- else -}} +{{- $address = (index $values.external.addresses (0 | int)) -}} +{{- end -}} +{{- $domain_4 := (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.external.domain "") ))) "r") -}} +{{- if (ne $domain_4 "") -}} +{{- $host = (dict "name" $externalName "address" (printf "%s.%s" $address $domain_4) "port" $port ) -}} +{{- else -}} +{{- $host = (dict "name" $externalName "address" $address "port" $port ) -}} +{{- end -}} +{{- end -}} +{{- (dict "r" $host) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.adminInternalHTTPProtocol" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (get (fromJson (include "redpanda.InternalTLS.IsEnabled" (dict "a" (list $values.listeners.admin.tls $values.tls) ))) "r") -}} +{{- (dict "r" "https") | toJson -}} +{{- break -}} +{{- end -}} +{{- (dict "r" "http") | toJson -}} +{{- break -}} +{{- end -}} 
+{{- end -}} + +{{- define "redpanda.adminInternalURL" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $values := $dot.Values.AsMap -}} +{{- (dict "r" (printf "%s://%s.%s.%s.svc.%s:%d" (get (fromJson (include "redpanda.adminInternalHTTPProtocol" (dict "a" (list $dot) ))) "r") `${SERVICE_NAME}` (get (fromJson (include "redpanda.ServiceName" (dict "a" (list $dot) ))) "r") $dot.Release.Namespace (trimSuffix "." $values.clusterDomain) ($values.listeners.admin.port | int))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.unlines" -}} +{{- $lines := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $result := "" -}} +{{- range $_, $line := $lines -}} +{{- $result = (printf "%s\n%s" $result $line) -}} +{{- end -}} +{{- (dict "r" (substr (1 | int) -1 $result)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/templates/secrets.yaml b/charts/redpanda/redpanda/templates/secrets.yaml index 551f5d525..14a172b2e 100644 --- a/charts/redpanda/redpanda/templates/secrets.yaml +++ b/charts/redpanda/redpanda/templates/secrets.yaml @@ -6,7 +6,7 @@ The ASF licenses this file to You under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at -http://www.apache.org/licenses/LICENSE-2.0 + http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, 
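Review bot: In `redpanda.SecretSTSLifecycle` the postStart script turns on `set -x` at the top of `postStartHook` and, in the SASL branch appended to `$postStartSh`, then runs `rpk acl user create ${USER_NAME} --password=${PASSWORD} --mechanism ${MECHANISM} || true` inside that trace scope, so the bootstrap user's password is written to the shell trace wherever hook stderr ends up being captured. The configurator script in the same hunk already brackets its service-account token read with `set +x` … `set -x`; the same bracketing should wrap the `IFS=":" read -r USER_NAME PASSWORD MECHANISM …` and `rpk acl user create …` lines in the postStart SASL branch. Separately, in the sasl-user.sh body of `redpanda.SecretConfigWatcher` the guard `if [[ -n "${USERS_LIST}" && ${READ_LIST_SUCCESS} ]]; then` is true whenever USERS_LIST is non-empty, because `${READ_LIST_SUCCESS}` expands to the non-empty string `0` or `1`, so after a failed create/update (`READ_LIST_SUCCESS=1`, then `break`) the superusers setting is still rewritten with whatever partial list had been built; the intended test is presumably `[[ -n "${USERS_LIST}" && ${READ_LIST_SUCCESS} -eq 0 ]]`. The header marks this file as generated from secrets.go, so both fixes belong in that source and should be regenerated here.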
@@ -14,401 +14,8 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. */}} -{{- $values := .Values -}} -{{- $internalAdvertiseAddress := printf "%s.%s" "${SERVICE_NAME}" (include "redpanda.internal.domain" .) -}} -{{- $externalAdvertiseAddress := printf "${SERVICE_NAME}" -}} -{{- if (tpl ($values.external.domain | default "") $) -}} - {{- $externalAdvertiseAddress = printf "${SERVICE_NAME}.%s" (tpl $values.external.domain $) -}} -{{- end -}} +{{- $secrets := (get ((include "redpanda.Secrets" (dict "a" (list .))) | fromJson) "r") }} +{{- range $_, $secret := $secrets }} --- -apiVersion: v1 -kind: Secret -metadata: - name: {{ template "redpanda.fullname" . }}-sts-lifecycle - namespace: {{ .Release.Namespace | quote }} - labels: -{{- with include "full.labels" . }} - {{- . | nindent 4 }} -{{- end }} -type: Opaque -stringData: - common.sh: |- - #!/usr/bin/env bash - - # the SERVICE_NAME comes from the metadata.name of the pod, essentially the POD_NAME - CURL_URL="{{ include "admin-http-protocol" . }}://${SERVICE_NAME}.{{ template "redpanda.servicename" . }}.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain | trimSuffix "." }}:{{ .Values.listeners.admin.port }}" - - # commands used throughout - CURL_NODE_ID_CMD="curl --silent --fail {{ include "admin-tls-curl-flags" . }} ${CURL_URL}/v1/node_config" - - CURL_MAINTENANCE_DELETE_CMD_PREFIX='curl -X DELETE --silent -o /dev/null -w "%{http_code}"' - CURL_MAINTENANCE_PUT_CMD_PREFIX='curl -X PUT --silent -o /dev/null -w "%{http_code}"' - CURL_MAINTENANCE_GET_CMD="curl -X GET --silent {{ include "admin-tls-curl-flags" . 
}} ${CURL_URL}/v1/maintenance" - - postStart.sh: |- - #!/usr/bin/env bash - # This code should be similar if not exactly the same as that found in the panda-operator, see - # https://github.com/redpanda-data/redpanda/blob/e51d5b7f2ef76d5160ca01b8c7a8cf07593d29b6/src/go/k8s/pkg/resources/secret.go - - # path below should match the path defined on the statefulset - source /var/lifecycle/common.sh - - postStartHook () { - set -x - - touch /tmp/postStartHookStarted - - until NODE_ID=$(${CURL_NODE_ID_CMD} | grep -o '\"node_id\":[^,}]*' | grep -o '[^: ]*$'); do - sleep 0.5 - done - - echo "Clearing maintenance mode on node ${NODE_ID}" - CURL_MAINTENANCE_DELETE_CMD="${CURL_MAINTENANCE_DELETE_CMD_PREFIX} {{ include "admin-tls-curl-flags" . }} ${CURL_URL}/v1/brokers/${NODE_ID}/maintenance" - # a 400 here would mean not in maintenance mode - until [ "${status:-}" = '"200"' ] || [ "${status:-}" = '"400"' ]; do - status=$(${CURL_MAINTENANCE_DELETE_CMD}) - sleep 0.5 - done - -{{- if and .Values.auth.sasl.enabled (not (empty .Values.auth.sasl.secretRef )) }} - # Setup and export SASL bootstrap-user - IFS=":" read -r USER_NAME PASSWORD MECHANISM < <(grep "" $(find /etc/secrets/users/* -print)) - MECHANISM=${MECHANISM:-{{- include "sasl-mechanism" . 
}}} - rpk acl user create ${USER_NAME} --password=${PASSWORD} --mechanism ${MECHANISM} || true -{{- end }} - - touch /tmp/postStartHookFinished - } - - postStartHook - true - - preStop.sh: |- - #!/usr/bin/env bash - # This code should be similar if not exactly the same as that found in the panda-operator, see - # https://github.com/redpanda-data/redpanda/blob/e51d5b7f2ef76d5160ca01b8c7a8cf07593d29b6/src/go/k8s/pkg/resources/secret.go - - touch /tmp/preStopHookStarted - - # path below should match the path defined on the statefulset - source /var/lifecycle/common.sh - - set -x - - preStopHook () { - until NODE_ID=$(${CURL_NODE_ID_CMD} | grep -o '\"node_id\":[^,}]*' | grep -o '[^: ]*$'); do - sleep 0.5 - done - - echo "Setting maintenance mode on node ${NODE_ID}" - CURL_MAINTENANCE_PUT_CMD="${CURL_MAINTENANCE_PUT_CMD_PREFIX} {{ include "admin-tls-curl-flags" . }} ${CURL_URL}/v1/brokers/${NODE_ID}/maintenance" - until [ "${status:-}" = '"200"' ]; do - status=$(${CURL_MAINTENANCE_PUT_CMD}) - sleep 0.5 - done - - until [ "${finished:-}" = "true" ] || [ "${draining:-}" = "false" ]; do - res=$(${CURL_MAINTENANCE_GET_CMD}) - finished=$(echo $res | grep -o '\"finished\":[^,}]*' | grep -o '[^: ]*$') - draining=$(echo $res | grep -o '\"draining\":[^,}]*' | grep -o '[^: ]*$') - sleep 0.5 - done - - touch /tmp/preStopHookFinished - } - -{{- if and ( gt ( .Values.statefulset.replicas | int64 ) 2) ( not ( dig "node" "recovery_mode_enabled" false .Values.config ) ) }} - preStopHook -{{- else }} - touch /tmp/preStopHookFinished - echo "Not enough replicas or in recovery mode, cannot put a broker into maintenance mode." -{{- end }} - true -{{- if and (not (empty .Values.auth.sasl.secretRef)) (and .Values.auth.sasl.enabled .Values.auth.sasl.users) }} ---- -apiVersion: v1 -kind: Secret -metadata: - name: {{ .Values.auth.sasl.secretRef | quote }} - namespace: {{ .Release.Namespace | quote }} - labels: -{{- with include "full.labels" . }} - {{- . 
| nindent 4 }} -{{- end }} -type: Opaque -stringData: - users.txt: |- - {{- range $user := .Values.auth.sasl.users }} - {{- if not (empty $user.mechanism) }} - {{ printf "%s:%s:%s" $user.name $user.password $user.mechanism }} - {{- else }} - {{ printf "%s:%s" $user.name $user.password}} - {{- end }} - {{- end }} -{{- else if and .Values.auth.sasl.enabled ( empty .Values.auth.sasl.secretRef) }} -{{- fail "auth.sasl.secretRef cannot be empty when auth.sasl.enabled=true" }} -{{- end }} -{{- if .Values.statefulset.sideCars.configWatcher.enabled }} - {{- $values := .Values }} - {{- $sasl := .Values.auth.sasl }} ---- -apiVersion: v1 -kind: Secret -metadata: - name: {{ template "redpanda.fullname" . }}-config-watcher - namespace: {{ .Release.Namespace | quote }} - labels: - {{- with include "full.labels" . }} - {{- . | nindent 4 }} - {{- end }} -type: Opaque -stringData: - sasl-user.sh: |- - #!/usr/bin/env bash - - trap 'error_handler $? $LINENO' ERR - - error_handler() { - echo "Error: ($1) occurred at line $2" - } - - set -e - - # rpk cluster health can exit non-zero if it's unable to dial brokers. This - # can happen for many reasons but we never want this script to crash as it - # would take down yet another broker and make a bad situation worse. - # Instead, just wait for the command to eventually exit zero. - echo "Waiting for cluster to be ready" - until rpk cluster health --watch --exit-when-healthy; do - echo "rpk cluster health failed. Waiting 5 seconds before trying again..." 
- sleep 5 - done - - {{- if and $sasl.enabled (not (empty $sasl.secretRef )) }} - while true; do - echo "RUNNING: Monitoring and Updating SASL users" - USERS_DIR="/etc/secrets/users" - - new_users_list(){ - LIST=$1 - NEW_USER=$2 - if [[ -n "${LIST}" ]]; then - LIST="${NEW_USER},${LIST}" - else - LIST="${NEW_USER}" - fi - - echo "${LIST}" - } - - process_users() { - USERS_DIR=${1-"/etc/secrets/users"} - USERS_FILE=$(find ${USERS_DIR}/* -print) - USERS_LIST="" - READ_LIST_SUCCESS=0 - # Read line by line, handle a missing EOL at the end of file - while read p || [ -n "$p" ] ; do - IFS=":" read -r USER_NAME PASSWORD MECHANISM <<< $p - # Do not process empty lines - if [ -z "$USER_NAME" ]; then - continue - fi - if [[ "${USER_NAME// /}" != "$USER_NAME" ]]; then - continue - fi - echo "Creating user ${USER_NAME}..." - MECHANISM=${MECHANISM:-{{- include "sasl-mechanism" . }}} - creation_result=$(rpk acl user create ${USER_NAME} --password=${PASSWORD} --mechanism ${MECHANISM} 2>&1) && creation_result_exit_code=$? || creation_result_exit_code=$? # On a non-success exit code - if [[ $creation_result_exit_code -ne 0 ]]; then - # Check if the stderr contains "User already exists" - # this error occurs when password has changed - if [[ $creation_result == *"User already exists"* ]]; then - echo "Update user ${USER_NAME}" - # we will try to update by first deleting - deletion_result=$(rpk acl user delete ${USER_NAME} 2>&1) && deletion_result_exit_code=$? || deletion_result_exit_code=$? - if [[ $deletion_result_exit_code -ne 0 ]]; then - echo "deletion of user ${USER_NAME} failed: ${deletion_result}" - READ_LIST_SUCCESS=1 - break - fi - # Now we update the user - update_result=$(rpk acl user create ${USER_NAME} --password=${PASSWORD} --mechanism ${MECHANISM} 2>&1) && update_result_exit_code=$? || update_result_exit_code=$? 
# On a non-success exit code - if [[ $update_result_exit_code -ne 0 ]]; then - echo "updating user ${USER_NAME} failed: ${update_result}" - READ_LIST_SUCCESS=1 - break - else - echo "Updated user ${USER_NAME}..." - USERS_LIST=$(new_users_list "${USERS_LIST}" "${USER_NAME}") - fi - else - # Another error occurred, so output the original message and exit code - echo "error creating user ${USER_NAME}: ${creation_result}" - READ_LIST_SUCCESS=1 - break - fi - # On a success, the user was created so output that - else - echo "Created user ${USER_NAME}..." - USERS_LIST=$(new_users_list "${USERS_LIST}" "${USER_NAME}") - fi - done < $USERS_FILE - - if [[ -n "${USERS_LIST}" && ${READ_LIST_SUCCESS} ]]; then - echo "Setting superusers configurations with users [${USERS_LIST}]" - superuser_result=$(rpk cluster config set superusers [${USERS_LIST}] 2>&1) && superuser_result_exit_code=$? || superuser_result_exit_code=$? - if [[ $superuser_result_exit_code -ne 0 ]]; then - echo "Setting superusers configurations failed: ${superuser_result}" - else - echo "Completed setting superusers configurations" - fi - fi - } - - # first time processing - process_users $USERS_DIR - - # subsequent changes detected here - # watching delete_self as documented in https://ahmet.im/blog/kubernetes-inotify/ - USERS_FILE=$(find ${USERS_DIR}/* -print) - while RES=$(inotifywait -q -e delete_self ${USERS_FILE}); do - process_users $USERS_DIR - done - done - {{- else }} - echo "Nothing to do. Sleeping..." - sleep infinity - {{- end }} -{{- end }} ---- -apiVersion: v1 -kind: Secret -metadata: - name: {{ (include "redpanda.fullname" .) | trunc 51 }}-configurator - namespace: {{ .Release.Namespace | quote }} - labels: - {{- with include "full.labels" . }} - {{- . 
| nindent 4 }} - {{- end }} -type: Opaque -stringData: - configurator.sh: |- - set -xe - SERVICE_NAME=$1 - KUBERNETES_NODE_NAME=$2 - POD_ORDINAL=${SERVICE_NAME##*-} - BROKER_INDEX=`expr $POD_ORDINAL + 1` - - CONFIG=/etc/redpanda/redpanda.yaml - - # Setup config files - cp /tmp/base-config/redpanda.yaml "${CONFIG}" - cp /tmp/base-config/bootstrap.yaml /etc/redpanda/.bootstrap.yaml - - {{- if not (include "redpanda-atleast-22-3-0" . | fromJson).bool }} - # Configure bootstrap - ## Not used for Redpanda v22.3.0+ - rpk --config "${CONFIG}" redpanda config set redpanda.node_id "${POD_ORDINAL}" - if [ "${POD_ORDINAL}" = "0" ]; then - rpk --config "${CONFIG}" redpanda config set redpanda.seed_servers '[]' --format yaml - fi - {{- end }} - -{{- range $listenerName := (list "kafka" "http") }} - {{- $listenerAdvertisedName := $listenerName }} - {{- $redpandaConfigPart := "redpanda" }} - {{- if eq $listenerAdvertisedName "http" }} - {{- $listenerAdvertisedName = "pandaproxy" }} - {{- $redpandaConfigPart = "pandaproxy" }} - {{- end }} - {{- $listenerVals := get $values.listeners $listenerName }} - - LISTENER={{ quote (toJson (dict "name" "internal" "address" $internalAdvertiseAddress "port" $listenerVals.port))}} - rpk redpanda config --config "$CONFIG" set {{ $redpandaConfigPart }}.advertised_{{ $listenerAdvertisedName }}_api[0] "$LISTENER" - - {{- if $listenerVals.external }} - {{- $externalCounter := 1 }} - {{- range $externalName, $externalVals := $listenerVals.external }} - - ADVERTISED_{{ upper $listenerName }}_ADDRESSES=() - {{- range $replicaIndex := until ($values.statefulset.replicas | int) }} - - {{- $tmplVals := dict "listenerVals" $listenerVals "externalVals" $externalVals "externalName" $externalName "externalAdvertiseAddress" $externalAdvertiseAddress "values" $values "replicaIndex" $replicaIndex }} - {{- $port := int (include "advertised-port" $tmplVals) }} - {{- $host := tpl (include "advertised-host" (mustMerge $tmplVals (dict "port" $port)) ) $ }} - - 
PREFIX_TEMPLATE={{ (include "advertised-address-template" (dict "externalVals" $values.external "externalListener" $externalVals)) }} - ADVERTISED_{{ upper $listenerName }}_ADDRESSES+=({{ quote ($host) }}) - {{- end }} - - rpk redpanda config --config "$CONFIG" set {{ $redpandaConfigPart }}.advertised_{{ $listenerAdvertisedName }}_api[{{ $externalCounter }}] "${ADVERTISED_{{ upper $listenerName }}_ADDRESSES[$POD_ORDINAL]}" - - {{- $externalCounter = add $externalCounter 1 }} - {{- end }} - {{- end }} -{{- end }} - - {{- if (include "redpanda-atleast-22-3-0" . | fromJson).bool }} - {{- if .Values.rackAwareness.enabled }} - - # Configure Rack Awareness - set +x - RACK=$(curl --silent --cacert /run/secrets/kubernetes.io/serviceaccount/ca.crt --fail -H 'Authorization: Bearer '$(cat /run/secrets/kubernetes.io/serviceaccount/token) "https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT_HTTPS}/api/v1/nodes/${KUBERNETES_NODE_NAME}?pretty=true" | grep {{ .Values.rackAwareness.nodeAnnotation | quote | squote }} | grep -v '\"key\":' | sed 's/.*": "\([^"]\+\).*/\1/') - set -x - rpk --config "$CONFIG" redpanda config set redpanda.rack "${RACK}" - {{- end }} - {{- end }} -{{- if .Values.statefulset.initContainers.fsValidator.enabled}} ---- -apiVersion: v1 -kind: Secret -metadata: - name: {{ (include "redpanda.fullname" .) | trunc 49 }}-fs-validator - namespace: {{ .Release.Namespace | quote }} - labels: - {{- with include "full.labels" . }} - {{- . | nindent 4 }} - {{- end }} -type: Opaque -stringData: - fsValidator.sh: |- - set -e - EXPECTED_FS_TYPE=$1 - - DATA_DIR="/var/lib/redpanda/data" - TEST_FILE="testfile" - - echo "checking data directory exist..." - if [ ! -d "${DATA_DIR}" ]; then - echo "data directory does not exists, exiting" - exit 1 - fi - - echo "checking filesystem type..." 
- FS_TYPE=$(df -T $DATA_DIR | tail -n +2 | awk '{print $2}') - - if [ "${FS_TYPE}" != "${EXPECTED_FS_TYPE}" ]; then - echo "file system found to be ${FS_TYPE} when expected ${EXPECTED_FS_TYPE}" - exit 1 - fi - - echo "checking if able to create a test file..." - - touch ${DATA_DIR}/${TEST_FILE} - result=$(touch ${DATA_DIR}/${TEST_FILE} 2> /dev/null; echo $?) - if [ "${result}" != "0" ]; then - echo "could not write testfile, may not have write permission" - exit 1 - fi - - echo "checking if able to delete a test file..." - - result=$(rm ${DATA_DIR}/${TEST_FILE} 2> /dev/null; echo $?) - if [ "${result}" != "0" ]; then - echo "could not delete testfile" - exit 1 - fi - - echo "passed" - -{{- end }} +{{ toYaml $secret }} +{{- end }} \ No newline at end of file diff --git a/charts/redpanda/redpanda/templates/service.internal.go.tpl b/charts/redpanda/redpanda/templates/service.internal.go.tpl new file mode 100644 index 000000000..8bdf03a58 --- /dev/null +++ b/charts/redpanda/redpanda/templates/service.internal.go.tpl 
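Review bot: The template-time guard `{{- fail "auth.sasl.secretRef cannot be empty when auth.sasl.enabled=true" }}` is removed here with no visible replacement; the three new lines render whatever `redpanda.Secrets` returns, and that helper is not part of this diff, so unless it reproduces the check a chart with `auth.sasl.enabled=true` and an empty `secretRef` now renders instead of failing. A `helm template` case for exactly that combination would settle it. The removed body also served as the inventory of what these secrets hold (lifecycle hook scripts, the SASL `users.txt`, the config-watcher, configurator and fs-validator scripts); a one-line comment above `$secrets`, e.g. `{{- /* Secret documents (sts-lifecycle, SASL users, config-watcher, configurator, fs-validator) are assembled by redpanda.Secrets */ -}}`, keeps that map for readers. The file now also ends without a trailing newline.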
@@ -0,0 +1,34 @@ +{{- /* Generated from "service_internal.go" */ -}} + +{{- define "redpanda.MonitoringEnabledLabel" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $values := $dot.Values.AsMap -}} +{{- (dict "r" (dict "monitoring.redpanda.com/enabled" (printf "%t" $values.monitoring.enabled) )) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.ServiceInternal" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $values := $dot.Values.AsMap -}} +{{- $ports := (list ) -}} +{{- $ports = (concat (default (list ) $ports) (list (mustMergeOverwrite (dict "port" 0 "targetPort" 0 ) (dict "name" "admin" "protocol" "TCP" "port" ($values.listeners.admin.port | int) "targetPort" ($values.listeners.admin.port | int) )))) -}} +{{- if $values.listeners.http.enabled -}} +{{- $ports = (concat (default (list ) $ports) (list (mustMergeOverwrite (dict "port" 0 "targetPort" 0 ) (dict "name" "http" "protocol" "TCP" "port" ($values.listeners.http.port | int) "targetPort" ($values.listeners.http.port | int) )))) -}} +{{- end -}} +{{- $ports = (concat (default (list ) $ports) (list (mustMergeOverwrite (dict "port" 0 "targetPort" 0 ) (dict "name" "kafka" "protocol" "TCP" "port" ($values.listeners.kafka.port | int) "targetPort" ($values.listeners.kafka.port | int) )))) -}} +{{- $ports = (concat (default (list ) $ports) (list (mustMergeOverwrite (dict "port" 0 "targetPort" 0 ) (dict "name" "rpc" "protocol" "TCP" "port" ($values.listeners.rpc.port | int) "targetPort" ($values.listeners.rpc.port | int) )))) -}} +{{- if $values.listeners.schemaRegistry.enabled -}} +{{- $ports = (concat (default (list ) $ports) (list (mustMergeOverwrite (dict "port" 0 "targetPort" 0 ) (dict "name" "schemaregistry" "protocol" "TCP" "port" ($values.listeners.schemaRegistry.port | int) "targetPort" ($values.listeners.schemaRegistry.port | int) )))) -}} +{{- end -}} +{{- $annotations := (dict ) -}} +{{- if (ne $values.service (coalesce nil)) -}} +{{- 
$annotations = $values.service.internal.annotations -}} +{{- end -}} +{{- (dict "r" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict ) "status" (dict "loadBalancer" (dict ) ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "v1" "kind" "Service" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (get (fromJson (include "redpanda.ServiceName" (dict "a" (list $dot) ))) "r") "namespace" $dot.Release.Namespace "labels" (merge (dict ) (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") (get (fromJson (include "redpanda.MonitoringEnabledLabel" (dict "a" (list $dot) ))) "r")) "annotations" $annotations )) "spec" (mustMergeOverwrite (dict ) (dict "type" "ClusterIP" "publishNotReadyAddresses" true "clusterIP" "None" "selector" (get (fromJson (include "redpanda.StatefulSetPodLabelsSelector" (dict "a" (list $dot) ))) "r") "ports" $ports )) ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/templates/service.internal.yaml b/charts/redpanda/redpanda/templates/service.internal.yaml index 32a7cccc5..a3bad5fe0 100644 --- a/charts/redpanda/redpanda/templates/service.internal.yaml +++ b/charts/redpanda/redpanda/templates/service.internal.yaml 
@@ -15,33 +15,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */}}
 ---
-# This service is only used to create the DNS enteries for each pod in
-# the stateful set and allow the serviceMonitor to target the pods.
-# This service should not be used by any client application
-apiVersion: v1
-kind: Service
-metadata:
- name: {{ include "redpanda.servicename" . }}
- namespace: {{ .Release.Namespace | quote }}
- labels:
- monitoring.redpanda.com/enabled: {{ .Values.monitoring.enabled | quote }}
-{{- with include "full.labels" . }}
- {{- . | nindent 4 }}
-{{- end }}
-{{- with dig "service" "internal" "annotations" dict .Values.AsMap }}
- annotations: {{ toYaml . | nindent 4 }}
-{{- end }}
-spec:
- type: ClusterIP
- publishNotReadyAddresses: true
- clusterIP: None
- selector: {{ (include "statefulset-pod-labels-selector" .) | nindent 4 }}
- ports:
- {{- range $name, $listener := .Values.listeners }}
- {{- if dig "enabled" true $listener}}
- - name: {{ lower $name }}
- protocol: TCP
- port: {{ $listener.port }}
- targetPort: {{ $listener.port }}
- {{- end }}
- {{- end }}
+{{- $svc := (get ((include "redpanda.ServiceInternal" (dict "a" (list .))) | fromJson) "r") }}
+{{- if ne $svc nil -}}
+{{toYaml $svc}}
+{{- end -}}
diff --git a/charts/redpanda/redpanda/templates/service.loadbalancer.go.tpl b/charts/redpanda/redpanda/templates/service.loadbalancer.go.tpl
new file mode 100644
index 000000000..31115411c
--- /dev/null
+++ b/charts/redpanda/redpanda/templates/service.loadbalancer.go.tpl
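Review bot: `{{- if ne $svc nil -}}` trims whitespace on both sides and `{{- $svc := … }}` already trimmed the newline after the context `---`, so as far as the trim markers can be traced the document is rendered as `---apiVersion: v1` on a single line; Helm's manifest splitter appears to tolerate this, but the raw `helm template` output is no longer clean YAML. Using `{{- if ne $svc nil }}` (no right trim) keeps `---` on its own line; serviceaccount.yaml in this diff has the same pattern. The removed header comment explaining that this headless Service exists only for per-pod DNS records and ServiceMonitor targeting and is not for client use is not carried over; keep it as `{{- /* Headless Service: per-pod DNS entries and ServiceMonitor target only, not for client applications */ -}}` above the `$svc` line. The old loop ranged over every entry of `.Values.listeners` honouring a per-listener `enabled` flag, whereas the generated helper earlier in this diff emits a fixed set, so a rendered-output comparison with a disabled listener would confirm the port list is unchanged.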
@@ -0,0 +1,76 @@ +{{- /* Generated from "service.loadbalancer.go" */ -}} + +{{- define "redpanda.LoadBalancerServices" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (or (not $values.external.enabled) (not $values.external.service.enabled)) -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- if (ne $values.external.type "LoadBalancer") -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $externalDNS := (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.external.externalDns (mustMergeOverwrite (dict "enabled" false ) (dict ))) ))) "r") -}} +{{- $labels := (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") -}} +{{- $_ := (set $labels "repdanda.com/type" "loadbalancer") -}} +{{- $selector := (get (fromJson (include "redpanda.StatefulSetPodLabelsSelector" (dict "a" (list $dot) ))) "r") -}} +{{- $services := (coalesce nil) -}} +{{- $replicas := ($values.statefulset.replicas | int) -}} +{{- range $_, $i := untilStep ((0 | int)|int) (($values.statefulset.replicas | int)|int) (1|int) -}} +{{- $podname := (printf "%s-%d" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") $i) -}} +{{- $annotations := (dict ) -}} +{{- range $k, $v := $values.external.annotations -}} +{{- $_ := (set $annotations $k $v) -}} +{{- end -}} +{{- if $externalDNS.enabled -}} +{{- $prefix := $podname -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $values.external.addresses) ))) "r") | int) $i) -}} +{{- $prefix = (index $values.external.addresses $i) -}} +{{- end -}} +{{- $address := (printf "%s.%s" $prefix (tpl $values.external.domain $dot)) -}} +{{- $_ := (set $annotations "external-dns.alpha.kubernetes.io/hostname" $address) -}} +{{- end -}} +{{- $podSelector := (dict ) -}} +{{- range $k, $v := $selector -}} +{{- $_ := (set $podSelector $k $v) -}} +{{- end -}} +{{- $_ := (set $podSelector 
"statefulset.kubernetes.io/pod-name" $podname) -}} +{{- $ports := (coalesce nil) -}} +{{- range $name, $listener := $values.listeners.admin.external -}} +{{- if (not (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $listener.enabled $values.external.enabled) ))) "r")) -}} +{{- continue -}} +{{- end -}} +{{- $fallbackPorts := (concat (default (list ) $listener.advertisedPorts) (list ($values.listeners.admin.port | int))) -}} +{{- $ports = (concat (default (list ) $ports) (list (mustMergeOverwrite (dict "port" 0 "targetPort" 0 ) (dict "name" (printf "admin-%s" $name) "protocol" "TCP" "targetPort" ($listener.port | int) "port" ((get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $listener.nodePort (index $fallbackPorts (0 | int))) ))) "r") | int) )))) -}} +{{- end -}} +{{- range $name, $listener := $values.listeners.kafka.external -}} +{{- if (not (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $listener.enabled $values.external.enabled) ))) "r")) -}} +{{- continue -}} +{{- end -}} +{{- $fallbackPorts := (concat (default (list ) $listener.advertisedPorts) (list ($listener.port | int))) -}} +{{- $ports = (concat (default (list ) $ports) (list (mustMergeOverwrite (dict "port" 0 "targetPort" 0 ) (dict "name" (printf "kafka-%s" $name) "protocol" "TCP" "targetPort" ($listener.port | int) "port" ((get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $listener.nodePort (index $fallbackPorts (0 | int))) ))) "r") | int) )))) -}} +{{- end -}} +{{- range $name, $listener := $values.listeners.http.external -}} +{{- if (not (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $listener.enabled $values.external.enabled) ))) "r")) -}} +{{- continue -}} +{{- end -}} +{{- $fallbackPorts := (concat (default (list ) $listener.advertisedPorts) (list ($listener.port | int))) -}} +{{- $ports = (concat (default (list ) $ports) (list (mustMergeOverwrite (dict "port" 0 "targetPort" 0 ) (dict "name" (printf "http-%s" $name) "protocol" "TCP" "targetPort" 
($listener.port | int) "port" ((get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $listener.nodePort (index $fallbackPorts (0 | int))) ))) "r") | int) )))) -}} +{{- end -}} +{{- range $name, $listener := $values.listeners.schemaRegistry.external -}} +{{- if (not (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $listener.enabled $values.external.enabled) ))) "r")) -}} +{{- continue -}} +{{- end -}} +{{- $fallbackPorts := (concat (default (list ) $listener.advertisedPorts) (list ($listener.port | int))) -}} +{{- $ports = (concat (default (list ) $ports) (list (mustMergeOverwrite (dict "port" 0 "targetPort" 0 ) (dict "name" (printf "schema-%s" $name) "protocol" "TCP" "targetPort" ($listener.port | int) "port" ((get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $listener.nodePort (index $fallbackPorts (0 | int))) ))) "r") | int) )))) -}} +{{- end -}} +{{- $svc := (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict ) "status" (dict "loadBalancer" (dict ) ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "v1" "kind" "Service" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (printf "lb-%s" $podname) "namespace" $dot.Release.Namespace "labels" $labels "annotations" $annotations )) "spec" (mustMergeOverwrite (dict ) (dict "externalTrafficPolicy" "Local" "loadBalancerSourceRanges" $values.external.sourceRanges "ports" $ports "publishNotReadyAddresses" true "selector" $podSelector "sessionAffinity" "None" "type" "LoadBalancer" )) )) -}} +{{- $services = (concat (default (list ) $services) (list $svc)) -}} +{{- end -}} +{{- (dict "r" $services) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/templates/service.loadbalancer.yaml b/charts/redpanda/redpanda/templates/service.loadbalancer.yaml index bea1dc35b..134a6275b 100644 --- a/charts/redpanda/redpanda/templates/service.loadbalancer.yaml 
+++ b/charts/redpanda/redpanda/templates/service.loadbalancer.yaml 
@@ -14,83 +14,8 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */}}
-{{- if and (include "external-loadbalancer-enabled" . | fromJson).bool (dig "service" "enabled" true .Values.external)}}
- {{- $values := .Values }}
- {{- $root := . }}
- {{- $addresses := dig "addresses" list $values.external }}
- {{- range $replicaIndex := untilStep 0 ($values.statefulset.replicas|int) 1 }}
- {{- $podName := printf "%s-%d" (include "redpanda.fullname" $root) $replicaIndex }}
+{{- $docs := (get ((include "redpanda.LoadBalancerServices" (dict "a" (list .))) | fromJson) "r") }}
+{{- range $_, $doc := $docs }}
 ---
-apiVersion: v1
-kind: Service
-metadata:
- name: lb-{{ $podName }}
- namespace: {{ $root.Release.Namespace }}
- labels:
- {{- with include "full.labels" $root }}
- {{- . | nindent 4 }}
- {{- end }}
- repdanda.com/type: "loadbalancer"
- {{- if (or $values.external.annotations (dig "externalDns" "enabled" false $values.external) ) }}
- annotations:
- {{- with $values.external.annotations }}
- {{- toYaml . | nindent 4 }}
- {{- end }}
- {{- if (dig "externalDns" "enabled" false $values.external) }}
- {{- $address := printf "%s.%s" $podName (tpl $values.external.domain $) }}
- {{- if ge (len $addresses) (add $replicaIndex 1) }}
- {{- $address = printf "%s.%s" (default $podName (index $addresses $replicaIndex)) (tpl $values.external.domain $) }}
- {{- end }}
- {{- printf "external-dns.alpha.kubernetes.io/hostname: %s" $address | nindent 4}}
- {{- end }}
- {{- end }}
-spec:
- type: LoadBalancer
- publishNotReadyAddresses: true
- {{- with $root.Values.external.sourceRanges }}
- loadBalancerSourceRanges:
- {{- toYaml $values.external.sourceRanges | nindent 4}}
- {{- end }}
- externalTrafficPolicy: Local
- sessionAffinity: None
- ports:
- {{- range $name, $listener := $values.listeners.admin.external }}
- {{- $enabled := dig "enabled" $values.external.enabled $listener }}
- {{- if $enabled }}
- - name: admin-{{ $name }}
- protocol: TCP
- targetPort: {{ $values.listeners.admin.port }}
- port: {{ dig "nodePort" (first (dig "advertisedPorts" (list $values.listeners.admin.port) $listener)) $listener }}
- {{- end }}
- {{- end }}
- {{- range $name, $listener := $values.listeners.kafka.external }}
- {{- $enabled := dig "enabled" $values.external.enabled $listener }}
- {{- if $enabled }}
- - name: kafka-{{ $name }}
- protocol: TCP
- targetPort: {{ $listener.port }}
- port: {{ dig "nodePort" (first (dig "advertisedPorts" (list $listener.port) $listener)) $listener }}
- {{- end }}
- {{- end }}
- {{- range $name, $listener := $values.listeners.http.external }}
- {{- $enabled := dig "enabled" $values.external.enabled $listener }}
- {{- if $enabled }}
- - name: http-{{ $name }}
- protocol: TCP
- targetPort: {{ $listener.port }}
- port: {{ dig "nodePort" (first (dig "advertisedPorts" (list $listener.port) $listener)) $listener }}
- {{- end }}
- {{- end }}
- {{- range $name, $listener := $values.listeners.schemaRegistry.external }}
- {{- $enabled := dig "enabled" $values.external.enabled $listener }}
- {{- if $enabled }}
- - name: schema-{{ $name }}
- protocol: TCP
- targetPort: {{ $listener.port }}
- port: {{ dig "nodePort" (first (dig "advertisedPorts" (list $listener.port) $listener)) $listener }}
- {{- end }}
- {{- end }}
- selector: {{ (include "statefulset-pod-labels-selector" $root ) | nindent 4 }}
- statefulset.kubernetes.io/pod-name: {{ $podName }}
- {{- end }}
+{{ toYaml $doc }}
 {{- end }}
diff --git a/charts/redpanda/redpanda/templates/service.nodeport.go.tpl b/charts/redpanda/redpanda/templates/service.nodeport.go.tpl
index 9e983ea7e..868095b06 100644
--- a/charts/redpanda/redpanda/templates/service.nodeport.go.tpl
+++ b/charts/redpanda/redpanda/templates/service.nodeport.go.tpl
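Review bot: The old body emitted `loadBalancerSourceRanges` only inside `{{- with $root.Values.external.sourceRanges }}`, while the new lines render whatever `redpanda.LoadBalancerServices` returns, and that generated helper (earlier in this diff) assigns `$values.external.sourceRanges` unconditionally, so an unset value may now surface as an explicit null or empty list rather than being omitted. Because source ranges are the only ingress restriction on these per-pod LoadBalancer Services, a rendered-output comparison for both the set and unset cases is worth adding before relying on the generated form. A short comment such as `{{- /* One LoadBalancer Service per broker pod, built by redpanda.LoadBalancerServices; nil when external/service or type=LoadBalancer is off */ -}}` above `$docs` would also document the nil case the `range` silently handles.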
@@ -4,54 +4,54 @@ {{- $dot := (index .a 0) -}} {{- range $_ := (list 1) -}} {{- $values := $dot.Values.AsMap -}} -{{- if (or (not $values.external.enabled) (ne $values.external.type "NodePort")) -}} +{{- if (or (not $values.external.enabled) (not $values.external.service.enabled)) -}} {{- (dict "r" (coalesce nil)) | toJson -}} {{- break -}} {{- end -}} -{{- if (or (eq $values.external.service (coalesce nil)) (not $values.external.service.enabled)) -}} +{{- if (ne $values.external.type "NodePort") -}} {{- (dict "r" (coalesce nil)) | toJson -}} {{- break -}} {{- end -}} -{{- $ports := (list ) -}} +{{- $ports := (coalesce nil) -}} {{- range $name, $listener := $values.listeners.admin.external -}} -{{- if (and (ne $listener.enabled (coalesce nil)) (eq $listener.enabled false)) -}} +{{- if (not (get (fromJson (include "redpanda.AdminExternal.IsEnabled" (dict "a" (list $listener) ))) "r")) -}} {{- continue -}} {{- end -}} -{{- $nodePort := $listener.port -}} -{{- if (gt (int (get (fromJson (include "_shims.len" (dict "a" (list $listener.advertisedPorts) ))) "r")) 0) -}} -{{- $nodePort = (index $listener.advertisedPorts 0) -}} +{{- $nodePort := ($listener.port | int) -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $listener.advertisedPorts) ))) "r") | int) (0 | int)) -}} +{{- $nodePort = (index $listener.advertisedPorts (0 | int)) -}} {{- end -}} -{{- $ports = (mustAppend $ports (mustMergeOverwrite (dict "port" 0 "targetPort" 0 ) (dict "name" (printf "admin-%s" $name) "protocol" "TCP" "port" $listener.port "nodePort" $nodePort ))) -}} +{{- $ports = (concat (default (list ) $ports) (list (mustMergeOverwrite (dict "port" 0 "targetPort" 0 ) (dict "name" (printf "admin-%s" $name) "protocol" "TCP" "port" ($listener.port | int) "nodePort" $nodePort )))) -}} {{- end -}} {{- range $name, $listener := $values.listeners.kafka.external -}} -{{- if (and (ne $listener.enabled (coalesce nil)) (eq $listener.enabled false)) -}} +{{- if (not (get (fromJson (include 
"redpanda.KafkaExternal.IsEnabled" (dict "a" (list $listener) ))) "r")) -}} {{- continue -}} {{- end -}} -{{- $nodePort := $listener.port -}} -{{- if (gt (int (get (fromJson (include "_shims.len" (dict "a" (list $listener.advertisedPorts) ))) "r")) 0) -}} -{{- $nodePort = (index $listener.advertisedPorts 0) -}} +{{- $nodePort := ($listener.port | int) -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $listener.advertisedPorts) ))) "r") | int) (0 | int)) -}} +{{- $nodePort = (index $listener.advertisedPorts (0 | int)) -}} {{- end -}} -{{- $ports = (mustAppend $ports (mustMergeOverwrite (dict "port" 0 "targetPort" 0 ) (dict "name" (printf "kafka-%s" $name) "protocol" "TCP" "port" $listener.port "nodePort" $nodePort ))) -}} +{{- $ports = (concat (default (list ) $ports) (list (mustMergeOverwrite (dict "port" 0 "targetPort" 0 ) (dict "name" (printf "kafka-%s" $name) "protocol" "TCP" "port" ($listener.port | int) "nodePort" $nodePort )))) -}} {{- end -}} {{- range $name, $listener := $values.listeners.http.external -}} -{{- if (and (ne $listener.enabled (coalesce nil)) (eq $listener.enabled false)) -}} +{{- if (not (get (fromJson (include "redpanda.HTTPExternal.IsEnabled" (dict "a" (list $listener) ))) "r")) -}} {{- continue -}} {{- end -}} -{{- $nodePort := $listener.port -}} -{{- if (gt (int (get (fromJson (include "_shims.len" (dict "a" (list $listener.advertisedPorts) ))) "r")) 0) -}} -{{- $nodePort = (index $listener.advertisedPorts 0) -}} +{{- $nodePort := ($listener.port | int) -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $listener.advertisedPorts) ))) "r") | int) (0 | int)) -}} +{{- $nodePort = (index $listener.advertisedPorts (0 | int)) -}} {{- end -}} -{{- $ports = (mustAppend $ports (mustMergeOverwrite (dict "port" 0 "targetPort" 0 ) (dict "name" (printf "http-%s" $name) "protocol" "TCP" "port" $listener.port "nodePort" $nodePort ))) -}} +{{- $ports = (concat (default (list ) $ports) (list (mustMergeOverwrite (dict 
"port" 0 "targetPort" 0 ) (dict "name" (printf "http-%s" $name) "protocol" "TCP" "port" ($listener.port | int) "nodePort" $nodePort )))) -}} {{- end -}} {{- range $name, $listener := $values.listeners.schemaRegistry.external -}} -{{- if (and (ne $listener.enabled (coalesce nil)) (eq $listener.enabled false)) -}} +{{- if (not (get (fromJson (include "redpanda.SchemaRegistryExternal.IsEnabled" (dict "a" (list $listener) ))) "r")) -}} {{- continue -}} {{- end -}} -{{- $nodePort := $listener.port -}} -{{- if (gt (int (get (fromJson (include "_shims.len" (dict "a" (list $listener.advertisedPorts) ))) "r")) 0) -}} -{{- $nodePort = (index $listener.advertisedPorts 0) -}} +{{- $nodePort := ($listener.port | int) -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $listener.advertisedPorts) ))) "r") | int) (0 | int)) -}} +{{- $nodePort = (index $listener.advertisedPorts (0 | int)) -}} {{- end -}} -{{- $ports = (mustAppend $ports (mustMergeOverwrite (dict "port" 0 "targetPort" 0 ) (dict "name" (printf "schema-%s" $name) "protocol" "TCP" "port" $listener.port "nodePort" $nodePort ))) -}} +{{- $ports = (concat (default (list ) $ports) (list (mustMergeOverwrite (dict "port" 0 "targetPort" 0 ) (dict "name" (printf "schema-%s" $name) "protocol" "TCP" "port" ($listener.port | int) "nodePort" $nodePort )))) -}} {{- end -}} {{- $annotations := $values.external.annotations -}} {{- if (eq $annotations (coalesce nil)) -}} diff --git a/charts/redpanda/redpanda/templates/serviceaccount.go.tpl b/charts/redpanda/redpanda/templates/serviceaccount.go.tpl new file mode 100644 index 000000000..b519be039 --- /dev/null +++ b/charts/redpanda/redpanda/templates/serviceaccount.go.tpl 
@@ -0,0 +1,15 @@
+{{- /* Generated from "serviceaccount.go" */ -}}
+
+{{- define "redpanda.ServiceAccount" -}}
+{{- $dot := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $values := $dot.Values.AsMap -}}
+{{- if (not $values.serviceAccount.create) -}}
+{{- (dict "r" (coalesce nil)) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- (dict "r" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "v1" "kind" "ServiceAccount" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (get (fromJson (include "redpanda.ServiceAccountName" (dict "a" (list $dot) ))) "r") "namespace" $dot.Release.Namespace "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") "annotations" $values.serviceAccount.annotations )) ))) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
diff --git a/charts/redpanda/redpanda/templates/serviceaccount.yaml b/charts/redpanda/redpanda/templates/serviceaccount.yaml
index 33959964c..007367e9a 100644
--- a/charts/redpanda/redpanda/templates/serviceaccount.yaml
+++ b/charts/redpanda/redpanda/templates/serviceaccount.yaml
@@ -15,18 +15,8 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */}}
 ---
-{{- if .Values.serviceAccount.create }}
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: {{ include "redpanda.serviceAccountName" . }}
- namespace: {{ .Release.Namespace | quote }}
- labels:
-{{- with include "full.labels" . }}
- {{- . | nindent 4 }}
-{{- end }}
-{{- with .Values.serviceAccount.annotations }}
- annotations:
- {{- toYaml . | nindent 4 }}
-{{- end }}
-{{- end }}
+{{- $sa := (get ((include "redpanda.ServiceAccount" (dict "a" (list .))) | fromJson) "r") }}
+{{- if ne $sa nil -}}
+---
+{{toYaml $sa}}
+{{- end -}}
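Review bot: The added `---` is rendered straight against the unchanged `---` on the context line above it: `{{- $sa := ... }}` trims the newline after that separator, `{{- if ne $sa nil -}}` trims the one it left, and its trailing `-}}` trims the newline before the new `---`, so as far as the trim markers can be traced the document starts as `------` followed by `apiVersion: v1` whenever serviceAccount.create is true (Helm's manifest splitter happens to tolerate that, a plain YAML reader does not). Drop the second separator and let the `if` keep its newline: `{{- if ne $sa nil }}` followed directly by `{{ toYaml $sa }}`, which renders as `---`, newline, object, exactly as the removed template did. Since the helper's null-on-disabled contract is only visible in the generated file, a short comment here such as `{{- /* redpanda.ServiceAccount returns null when serviceAccount.create is false */ -}}` would save readers a lookup.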
diff --git a/charts/redpanda/redpanda/templates/statefulset.yaml b/charts/redpanda/redpanda/templates/statefulset.yaml
index fd9ac5551..2882fefa5 100644
--- a/charts/redpanda/redpanda/templates/statefulset.yaml
+++ b/charts/redpanda/redpanda/templates/statefulset.yaml
@@ -261,18 +261,10 @@ spec:
 {{- end }}
 {{- end }}
 securityContext: {{ include "container-security-context" . | nindent 12 }}
- volumeMounts: {{ include "common-mounts" . | nindent 12 }}
+ volumeMounts: {{ (get ((include "redpanda.StatefulSetVolumeMounts" (dict "a" (list .))) | fromJson) "r") | toYaml | nindent 12 }}
 {{- if dig "extraVolumeMounts" false .Values.statefulset -}}
 {{ tpl .Values.statefulset.extraVolumeMounts . | nindent 12 }}
 {{- end }}
- - name: config
- mountPath: /etc/redpanda
- - name: {{ template "redpanda.fullname" . }}
- mountPath: /tmp/base-config
- - name: lifecycle-scripts
- mountPath: /var/lifecycle
- - name: datadir
- mountPath: /var/lib/redpanda/data
 {{- if and (include "storage-tiered-config" .|fromJson).cloud_storage_enabled (ne (include "storage-tiered-mountType" .) "none") }}
 - name: {{ default "tiered-storage-dir" .Values.storage.persistentVolume.nameOverwrite }}
 mountPath: {{ include "tieredStorage.cacheDirectory" . }}
@@ -330,14 +322,10 @@ spec:
 securityContext: {{- toYaml .Values.statefulset.sideCars.controllers.securityContext | nindent 12 }}
 {{- end }}
 {{- end }}
- volumes: {{ include "common-volumes" . | nindent 8 }}
+ volumes: {{ (get ((include "redpanda.StatefulSetVolumes" (dict "a" (list .))) | fromJson) "r") | toYaml | nindent 8 }}
 {{- if dig "extraVolumes" false .Values.statefulset -}}
 {{ tpl .Values.statefulset.extraVolumes . | nindent 8 }}
 {{- end }}
- - name: lifecycle-scripts
- secret:
- secretName: {{ (include "redpanda.fullname" . | trunc 50 ) }}-sts-lifecycle
- defaultMode: 0o775
 - name: datadir
 {{- if .Values.storage.persistentVolume.enabled }}
 persistentVolumeClaim:
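Review bot: The four fixed mounts removed here (`config` at /etc/redpanda, the base-config ConfigMap at /tmp/base-config, `lifecycle-scripts` at /var/lifecycle, `datadir` at /var/lib/redpanda/data) and, in the `volumes:` hunk at -330 and the one at -361, the secret-backed script volumes are now expected to come out of `redpanda.StatefulSetVolumeMounts` / `redpanda.StatefulSetVolumes`, whose bodies are not part of this diff, so equivalence cannot be checked from these hunks and a rendered-manifest diff for the default values should accompany the change. The dropped secret volumes each carried `defaultMode: 0o775`, so the helper has to reproduce the execute bit the lifecycle, configurator, config-watcher and fs-validator scripts presumably rely on; the kubelet mounts Secret volumes read-only, so the group/other write bits were never effective and `0o555` would state the real requirement if the mode is being re-emitted anyway. A smaller behavioural change is that user `extraVolumeMounts`/`extraVolumes` now follow the chart's own entries instead of preceding the fixed ones, which matters only to anyone relying on list order. A comment on the `volumeMounts:` line, `# fixed mounts (config, base-config, lifecycle-scripts, datadir) are emitted by redpanda.StatefulSetVolumeMounts`, would tell readers where they went.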
@@ -361,23 +349,6 @@ spec:
 {{- end }}
 {{- end }}
 {{- end }}
- - name: {{ template "redpanda.fullname" . }}
- configMap:
- name: {{ template "redpanda.fullname" . }}
- - name: config
- emptyDir: {}
- - name: {{ (include "redpanda.fullname" .) | trunc 51 }}-configurator
- secret:
- secretName: {{ (include "redpanda.fullname" .) | trunc 51 }}-configurator
- defaultMode: 0o775
- - name: {{ template "redpanda.fullname" . }}-config-watcher
- secret:
- secretName: {{ template "redpanda.fullname" . }}-config-watcher
- defaultMode: 0o775
- - name: {{ (include "redpanda.fullname" .) | trunc 49 }}-fs-validator
- secret:
- secretName: {{ (include "redpanda.fullname" .) | trunc 49 }}-fs-validator
- defaultMode: 0o775
 {{- if semverCompare ">=1.16-0" .Capabilities.KubeVersion.GitVersion }}
 topologySpreadConstraints:
 {{- range $v := .Values.statefulset.topologySpreadConstraints }}
diff --git a/charts/redpanda/redpanda/templates/values.go.tpl b/charts/redpanda/redpanda/templates/values.go.tpl
new file mode 100644
index 000000000..c254e267e
--- /dev/null
+++ b/charts/redpanda/redpanda/templates/values.go.tpl
@@ -0,0 +1,802 @@ +{{- /* Generated from "values.go" */ -}} + +{{- define "redpanda.AuditLogging.Translate" -}} +{{- $a := (index .a 0) -}} +{{- $dot := (index .a 1) -}} +{{- $isSASLEnabled := (index .a 2) -}} +{{- range $_ := (list 1) -}} +{{- $result := (dict ) -}} +{{- if (not (get (fromJson (include "redpanda.RedpandaAtLeast_23_3_0" (dict "a" (list $dot) ))) "r")) -}} +{{- (dict "r" $result) | toJson -}} +{{- break -}} +{{- end -}} +{{- $enabled := (and $a.enabled $isSASLEnabled) -}} +{{- $_ := (set $result "audit_enabled" $enabled) -}} +{{- if (not $enabled) -}} +{{- (dict "r" $result) | toJson -}} +{{- break -}} +{{- end -}} +{{- if (ne (($a.clientMaxBufferSize | int) | int) (16777216 | int)) -}} +{{- $_ := (set $result "audit_client_max_buffer_size" ($a.clientMaxBufferSize | int)) -}} +{{- end -}} +{{- if (ne (($a.queueDrainIntervalMs | int) | int) (500 | int)) -}} +{{- $_ := (set $result "audit_queue_drain_interval_ms" ($a.queueDrainIntervalMs | int)) -}} +{{- end -}} +{{- if (ne (($a.queueMaxBufferSizePerShard | int) | int) (1048576 | int)) -}} +{{- $_ := (set $result "audit_queue_max_buffer_size_per_shard" ($a.queueMaxBufferSizePerShard | int)) -}} +{{- end -}} +{{- if (ne (($a.partitions | int) | int) (12 | int)) -}} +{{- $_ := (set $result "audit_log_num_partitions" ($a.partitions | int)) -}} +{{- end -}} +{{- if (ne ($a.replicationFactor | int) (0 | int)) -}} +{{- $_ := (set $result "audit_log_replication_factor" ($a.replicationFactor | int)) -}} +{{- end -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $a.enabledEventTypes) ))) "r") | int) (0 | int)) -}} +{{- $_ := (set $result "audit_enabled_event_types" $a.enabledEventTypes) -}} +{{- end -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $a.excludedTopics) ))) "r") | int) (0 | int)) -}} +{{- $_ := (set $result "audit_excluded_topics" $a.excludedTopics) -}} +{{- end -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $a.excludedPrincipals) ))) 
"r") | int) (0 | int)) -}} +{{- $_ := (set $result "audit_excluded_principals" $a.excludedPrincipals) -}} +{{- end -}} +{{- (dict "r" $result) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.Auth.IsSASLEnabled" -}} +{{- $a := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- if (eq $a.sasl (coalesce nil)) -}} +{{- (dict "r" false) | toJson -}} +{{- break -}} +{{- end -}} +{{- (dict "r" $a.sasl.enabled) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.Auth.Translate" -}} +{{- $a := (index .a 0) -}} +{{- $isSASLEnabled := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- if (not $isSASLEnabled) -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- if (eq ((get (fromJson (include "_shims.len" (dict "a" (list $a.sasl.users) ))) "r") | int) (0 | int)) -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $users := (list ) -}} +{{- range $_, $u := $a.sasl.users -}} +{{- $users = (concat (default (list ) $users) (list $u.name)) -}} +{{- end -}} +{{- (dict "r" (dict "superusers" $users )) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.Logging.Translate" -}} +{{- $l := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $result := (dict ) -}} +{{- $clusterID_1 := (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $l.usageStats.clusterId "") ))) "r") -}} +{{- if (ne $clusterID_1 "") -}} +{{- $_ := (set $result "cluster_id" $clusterID_1) -}} +{{- end -}} +{{- (dict "r" $result) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.RedpandaResources.GetOverProvisionValue" -}} +{{- $rr := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- if (lt ((get (fromJson (include "_shims.resource_MilliValue" (dict "a" (list $rr.cpu.cores) ))) "r") | int64) (1000 | int64)) -}} +{{- (dict "r" true) | toJson -}} +{{- break -}} +{{- end -}} +{{- (dict "r" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list 
$rr.cpu.overprovisioned false) ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.Storage.IsTieredStorageEnabled" -}} +{{- $s := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $conf := (get (fromJson (include "redpanda.Storage.GetTieredStorageConfig" (dict "a" (list $s) ))) "r") -}} +{{- $tmp_tuple_3 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.dicttest" (dict "a" (list $conf "cloud_storage_enabled" (coalesce nil)) ))) "r")) ))) "r") -}} +{{- $ok := $tmp_tuple_3.T2 -}} +{{- $b := $tmp_tuple_3.T1 -}} +{{- (dict "r" (and $ok (get (fromJson (include "_shims.typeassertion" (dict "a" (list "bool" $b) ))) "r"))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.Storage.GetTieredStorageConfig" -}} +{{- $s := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $s.tieredConfig) ))) "r") | int) (0 | int)) -}} +{{- (dict "r" $s.tieredConfig) | toJson -}} +{{- break -}} +{{- end -}} +{{- (dict "r" $s.tiered.config) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.Storage.Translate" -}} +{{- $s := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $result := (dict ) -}} +{{- if (not (get (fromJson (include "redpanda.Storage.IsTieredStorageEnabled" (dict "a" (list $s) ))) "r")) -}} +{{- (dict "r" $result) | toJson -}} +{{- break -}} +{{- end -}} +{{- $tieredStorageConfig := (get (fromJson (include "redpanda.Storage.GetTieredStorageConfig" (dict "a" (list $s) ))) "r") -}} +{{- range $k, $v := $tieredStorageConfig -}} +{{- if (or (eq $v (coalesce nil)) (empty $v)) -}} +{{- continue -}} +{{- end -}} +{{- if (and (eq $k "cloud_storage_cache_size") (ne $v (coalesce nil))) -}} +{{- $_ := (set $result $k (printf "%d" ((get (fromJson (include "_shims.resource_Value" (dict "a" (list $v) ))) "r") | int64))) -}} +{{- continue -}} +{{- end -}} +{{- $tmp_tuple_5 := (get (fromJson 
(include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.typetest" (dict "a" (list "string" $v "") ))) "r")) ))) "r") -}} +{{- $ok_3 := $tmp_tuple_5.T2 -}} +{{- $str_2 := $tmp_tuple_5.T1 -}} +{{- $tmp_tuple_6 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.typetest" (dict "a" (list "bool" $v false) ))) "r")) ))) "r") -}} +{{- $ok_5 := $tmp_tuple_6.T2 -}} +{{- $b_4 := $tmp_tuple_6.T1 -}} +{{- $tmp_tuple_7 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.asnumeric" (dict "a" (list $v) ))) "r")) ))) "r") -}} +{{- $isFloat_7 := $tmp_tuple_7.T2 -}} +{{- $f_6 := ($tmp_tuple_7.T1 | float64) -}} +{{- if $ok_3 -}} +{{- $_ := (set $result $k $str_2) -}} +{{- else -}}{{- if $ok_5 -}} +{{- $_ := (set $result $k $b_4) -}} +{{- else -}}{{- if $isFloat_7 -}} +{{- $_ := (set $result $k ($f_6 | int)) -}} +{{- else -}} +{{- $_ := (set $result $k (mustToJson $v)) -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{- (dict "r" $result) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.Storage.StorageMinFreeBytes" -}} +{{- $s := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- if (and (ne $s.persistentVolume (coalesce nil)) (not $s.persistentVolume.enabled)) -}} +{{- (dict "r" (5368709120 | int)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $minimumFreeBytes := ((mulf (((get (fromJson (include "_shims.resource_Value" (dict "a" (list $s.persistentVolume.size) ))) "r") | int64) | float64) 0.05) | float64) -}} +{{- (dict "r" (min (5368709120 | int) ($minimumFreeBytes | int64))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.Tuning.Translate" -}} +{{- $t := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $result := (dict ) -}} +{{- $s := (toJson $t) -}} +{{- $tune := (fromJson $s) -}} +{{- $tmp_tuple_8 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.typetest" (dict "a" 
(list (printf "map[%s]%s" "string" "interface {}") $tune (coalesce nil)) ))) "r")) ))) "r") -}} +{{- $ok := $tmp_tuple_8.T2 -}} +{{- $m := $tmp_tuple_8.T1 -}} +{{- if (not $ok) -}} +{{- (dict "r" (dict )) | toJson -}} +{{- break -}} +{{- end -}} +{{- range $k, $v := $m -}} +{{- $_ := (set $result $k $v) -}} +{{- end -}} +{{- (dict "r" $result) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.Listeners.CreateSeedServers" -}} +{{- $l := (index .a 0) -}} +{{- $replicas := (index .a 1) -}} +{{- $fullname := (index .a 2) -}} +{{- $internalDomain := (index .a 3) -}} +{{- range $_ := (list 1) -}} +{{- $result := (coalesce nil) -}} +{{- range $_, $i := untilStep ((0 | int)|int) ($replicas|int) (1|int) -}} +{{- $result = (concat (default (list ) $result) (list (dict "host" (dict "address" (printf "%s-%d.%s" $fullname $i $internalDomain) "port" ($l.rpc.port | int) ) ))) -}} +{{- end -}} +{{- (dict "r" $result) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.Listeners.AdminList" -}} +{{- $l := (index .a 0) -}} +{{- $replicas := (index .a 1) -}} +{{- $fullname := (index .a 2) -}} +{{- $internalDomain := (index .a 3) -}} +{{- range $_ := (list 1) -}} +{{- $result := (coalesce nil) -}} +{{- range $_, $i := untilStep ((0 | int)|int) ($replicas|int) (1|int) -}} +{{- $result = (concat (default (list ) $result) (list (printf "%s-%d.%s:%d" $fullname $i $internalDomain (($l.admin.port | int) | int)))) -}} +{{- end -}} +{{- (dict "r" $result) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.Listeners.TrustStoreVolume" -}} +{{- $l := (index .a 0) -}} +{{- $tls := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $sources := (coalesce nil) -}} +{{- range $_, $ts := (get (fromJson (include "redpanda.Listeners.TrustStores" (dict "a" (list $l $tls) ))) "r") -}} +{{- $sources = (concat (default (list ) $sources) (list (get (fromJson (include "redpanda.TrustStore.VolumeProjection" (dict "a" (list $ts) 
))) "r"))) -}} +{{- end -}} +{{- if (lt ((get (fromJson (include "_shims.len" (dict "a" (list $sources) ))) "r") | int) (1 | int)) -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- (dict "r" (mustMergeOverwrite (dict "name" "" ) (mustMergeOverwrite (dict ) (dict "projected" (mustMergeOverwrite (dict "sources" (coalesce nil) ) (dict "sources" $sources )) )) (dict "name" "truststores" ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.Listeners.TrustStores" -}} +{{- $l := (index .a 0) -}} +{{- $tls := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $tss := (get (fromJson (include "redpanda.KafkaListeners.TrustStores" (dict "a" (list $l.kafka $tls) ))) "r") -}} +{{- $tss = (concat (default (list ) $tss) (default (list ) (get (fromJson (include "redpanda.AdminListeners.TrustStores" (dict "a" (list $l.admin $tls) ))) "r"))) -}} +{{- $tss = (concat (default (list ) $tss) (default (list ) (get (fromJson (include "redpanda.HTTPListeners.TrustStores" (dict "a" (list $l.http $tls) ))) "r"))) -}} +{{- $tss = (concat (default (list ) $tss) (default (list ) (get (fromJson (include "redpanda.SchemaRegistryListeners.TrustStores" (dict "a" (list $l.schemaRegistry $tls) ))) "r"))) -}} +{{- (dict "r" $tss) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.Config.CreateRPKConfiguration" -}} +{{- $c := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $result := (dict ) -}} +{{- range $k, $v := $c.rpk -}} +{{- $_ := (set $result $k $v) -}} +{{- end -}} +{{- (dict "r" $result) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.TLSCertMap.MustGet" -}} +{{- $m := (index .a 0) -}} +{{- $name := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $tmp_tuple_11 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.dicttest" (dict "a" (list $m $name (coalesce nil)) ))) "r")) ))) "r") -}} +{{- $ok := $tmp_tuple_11.T2 -}} +{{- $cert := 
$tmp_tuple_11.T1 -}} +{{- if (not $ok) -}} +{{- $_ := (fail (printf "Certificate %q referenced, but not found in the tls.certs map" $name)) -}} +{{- end -}} +{{- (dict "r" $cert) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.TrustStore.TrustStoreFilePath" -}} +{{- $t := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- (dict "r" (printf "%s/%s" "/etc/truststores" (get (fromJson (include "redpanda.TrustStore.RelativePath" (dict "a" (list $t) ))) "r"))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.TrustStore.RelativePath" -}} +{{- $t := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- if (ne $t.configMapKeyRef (coalesce nil)) -}} +{{- (dict "r" (printf "configmaps/%s-%s" $t.configMapKeyRef.name $t.configMapKeyRef.key)) | toJson -}} +{{- break -}} +{{- end -}} +{{- (dict "r" (printf "secrets/%s-%s" $t.secretKeyRef.name $t.secretKeyRef.key)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.TrustStore.VolumeProjection" -}} +{{- $t := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- if (ne $t.configMapKeyRef (coalesce nil)) -}} +{{- (dict "r" (mustMergeOverwrite (dict ) (dict "configMap" (mustMergeOverwrite (dict ) (mustMergeOverwrite (dict ) (dict "name" $t.configMapKeyRef.name )) (dict "items" (list (mustMergeOverwrite (dict "key" "" "path" "" ) (dict "key" $t.configMapKeyRef.key "path" (get (fromJson (include "redpanda.TrustStore.RelativePath" (dict "a" (list $t) ))) "r") ))) )) ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- (dict "r" (mustMergeOverwrite (dict ) (dict "secret" (mustMergeOverwrite (dict ) (mustMergeOverwrite (dict ) (dict "name" $t.secretKeyRef.name )) (dict "items" (list (mustMergeOverwrite (dict "key" "" "path" "" ) (dict "key" $t.secretKeyRef.key "path" (get (fromJson (include "redpanda.TrustStore.RelativePath" (dict "a" (list $t) ))) "r") ))) )) ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define 
"redpanda.InternalTLS.IsEnabled" -}} +{{- $t := (index .a 0) -}} +{{- $tls := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- (dict "r" (and (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $t.enabled $tls.enabled) ))) "r") (ne $t.cert ""))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.InternalTLS.TrustStoreFilePath" -}} +{{- $t := (index .a 0) -}} +{{- $tls := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- if (ne $t.trustStore (coalesce nil)) -}} +{{- (dict "r" (get (fromJson (include "redpanda.TrustStore.TrustStoreFilePath" (dict "a" (list $t.trustStore) ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- if (get (fromJson (include "redpanda.TLSCertMap.MustGet" (dict "a" (list (deepCopy $tls.certs) $t.cert) ))) "r").caEnabled -}} +{{- (dict "r" (printf "/etc/tls/certs/%s/ca.crt" $t.cert)) | toJson -}} +{{- break -}} +{{- end -}} +{{- (dict "r" "/etc/ssl/certs/ca-certificates.crt") | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.ExternalTLS.GetCert" -}} +{{- $t := (index .a 0) -}} +{{- $i := (index .a 1) -}} +{{- $tls := (index .a 2) -}} +{{- range $_ := (list 1) -}} +{{- (dict "r" (get (fromJson (include "redpanda.TLSCertMap.MustGet" (dict "a" (list (deepCopy $tls.certs) (get (fromJson (include "redpanda.ExternalTLS.GetCertName" (dict "a" (list $t $i) ))) "r")) ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.ExternalTLS.GetCertName" -}} +{{- $t := (index .a 0) -}} +{{- $i := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- (dict "r" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $t.cert $i.cert) ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.ExternalTLS.TrustStoreFilePath" -}} +{{- $t := (index .a 0) -}} +{{- $i := (index .a 1) -}} +{{- $tls := (index .a 2) -}} +{{- range $_ := (list 1) -}} +{{- if (ne $t.trustStore (coalesce nil)) -}} +{{- (dict "r" (get (fromJson (include 
"redpanda.TrustStore.TrustStoreFilePath" (dict "a" (list $t.trustStore) ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- if (get (fromJson (include "redpanda.ExternalTLS.GetCert" (dict "a" (list $t $i $tls) ))) "r").caEnabled -}} +{{- (dict "r" (printf "/etc/tls/certs/%s/ca.crt" (get (fromJson (include "redpanda.ExternalTLS.GetCertName" (dict "a" (list $t $i) ))) "r"))) | toJson -}} +{{- break -}} +{{- end -}} +{{- (dict "r" "/etc/ssl/certs/ca-certificates.crt") | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.ExternalTLS.IsEnabled" -}} +{{- $t := (index .a 0) -}} +{{- $i := (index .a 1) -}} +{{- $tls := (index .a 2) -}} +{{- range $_ := (list 1) -}} +{{- if (eq $t (coalesce nil)) -}} +{{- (dict "r" false) | toJson -}} +{{- break -}} +{{- end -}} +{{- (dict "r" (and (ne (get (fromJson (include "redpanda.ExternalTLS.GetCertName" (dict "a" (list $t $i) ))) "r") "") (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $t.enabled (get (fromJson (include "redpanda.InternalTLS.IsEnabled" (dict "a" (list $i $tls) ))) "r")) ))) "r"))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.AdminListeners.Listeners" -}} +{{- $l := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $admin := (list (get (fromJson (include "redpanda.createInternalListenerCfg" (dict "a" (list ($l.port | int)) ))) "r")) -}} +{{- range $k, $lis := $l.external -}} +{{- if (not (get (fromJson (include "redpanda.AdminExternal.IsEnabled" (dict "a" (list $lis) ))) "r")) -}} +{{- continue -}} +{{- end -}} +{{- $admin = (concat (default (list ) $admin) (list (dict "name" $k "port" ($lis.port | int) "address" "0.0.0.0" ))) -}} +{{- end -}} +{{- (dict "r" $admin) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.AdminListeners.ListenersTLS" -}} +{{- $l := (index .a 0) -}} +{{- $tls := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $admin := (list ) -}} +{{- $internal := (get (fromJson (include 
"redpanda.createInternalListenerTLSCfg" (dict "a" (list $tls $l.tls) ))) "r") -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $internal) ))) "r") | int) (0 | int)) -}} +{{- $admin = (concat (default (list ) $admin) (list $internal)) -}} +{{- end -}} +{{- range $k, $lis := $l.external -}} +{{- if (or (not (get (fromJson (include "redpanda.AdminExternal.IsEnabled" (dict "a" (list $lis) ))) "r")) (not (get (fromJson (include "redpanda.ExternalTLS.IsEnabled" (dict "a" (list $lis.tls $l.tls $tls) ))) "r"))) -}} +{{- continue -}} +{{- end -}} +{{- $certName := (get (fromJson (include "redpanda.ExternalTLS.GetCertName" (dict "a" (list $lis.tls $l.tls) ))) "r") -}} +{{- $admin = (concat (default (list ) $admin) (list (dict "name" $k "enabled" true "cert_file" (printf "/etc/tls/certs/%s/tls.crt" $certName) "key_file" (printf "/etc/tls/certs/%s/tls.key" $certName) "require_client_auth" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $lis.tls.requireClientAuth false) ))) "r") "truststore_file" (get (fromJson (include "redpanda.ExternalTLS.TrustStoreFilePath" (dict "a" (list $lis.tls $l.tls $tls) ))) "r") ))) -}} +{{- end -}} +{{- (dict "r" $admin) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.AdminListeners.TrustStores" -}} +{{- $l := (index .a 0) -}} +{{- $tls := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $tss := (list ) -}} +{{- if (and (get (fromJson (include "redpanda.InternalTLS.IsEnabled" (dict "a" (list $l.tls $tls) ))) "r") (ne $l.tls.trustStore (coalesce nil))) -}} +{{- $tss = (concat (default (list ) $tss) (list $l.tls.trustStore)) -}} +{{- end -}} +{{- range $_, $lis := $l.external -}} +{{- if (or (or (not (get (fromJson (include "redpanda.AdminExternal.IsEnabled" (dict "a" (list $lis) ))) "r")) (not (get (fromJson (include "redpanda.ExternalTLS.IsEnabled" (dict "a" (list $lis.tls $l.tls $tls) ))) "r"))) (eq $lis.tls.trustStore (coalesce nil))) -}} +{{- continue -}} +{{- end -}} +{{- $tss = 
(concat (default (list ) $tss) (list $lis.tls.trustStore)) -}} +{{- end -}} +{{- (dict "r" $tss) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.AdminExternal.IsEnabled" -}} +{{- $l := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- (dict "r" (and (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $l.enabled true) ))) "r") (gt ($l.port | int) (0 | int)))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.HTTPListeners.Listeners" -}} +{{- $l := (index .a 0) -}} +{{- $saslEnabled := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $internal := (get (fromJson (include "redpanda.createInternalListenerCfg" (dict "a" (list ($l.port | int)) ))) "r") -}} +{{- if $saslEnabled -}} +{{- $_ := (set $internal "authentication_method" "http_basic") -}} +{{- end -}} +{{- $am_8 := (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $l.authenticationMethod "") ))) "r") -}} +{{- if (ne $am_8 "") -}} +{{- $_ := (set $internal "authentication_method" $am_8) -}} +{{- end -}} +{{- $result := (list $internal) -}} +{{- range $k, $l := $l.external -}} +{{- if (not (get (fromJson (include "redpanda.HTTPExternal.IsEnabled" (dict "a" (list $l) ))) "r")) -}} +{{- continue -}} +{{- end -}} +{{- $listener := (dict "name" $k "port" ($l.port | int) "address" "0.0.0.0" ) -}} +{{- if $saslEnabled -}} +{{- $_ := (set $listener "authentication_method" "http_basic") -}} +{{- end -}} +{{- $am_9 := (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $l.authenticationMethod "") ))) "r") -}} +{{- if (ne $am_9 "") -}} +{{- $_ := (set $listener "authentication_method" $am_9) -}} +{{- end -}} +{{- $result = (concat (default (list ) $result) (list $listener)) -}} +{{- end -}} +{{- (dict "r" $result) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.HTTPListeners.ListenersTLS" -}} +{{- $l := (index .a 0) -}} +{{- $tls := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $pp := (list ) -}} +{{- 
$internal := (get (fromJson (include "redpanda.createInternalListenerTLSCfg" (dict "a" (list $tls $l.tls) ))) "r") -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $internal) ))) "r") | int) (0 | int)) -}} +{{- $pp = (concat (default (list ) $pp) (list $internal)) -}} +{{- end -}} +{{- range $k, $lis := $l.external -}} +{{- if (or (not (get (fromJson (include "redpanda.HTTPExternal.IsEnabled" (dict "a" (list $lis) ))) "r")) (not (get (fromJson (include "redpanda.ExternalTLS.IsEnabled" (dict "a" (list $lis.tls $l.tls $tls) ))) "r"))) -}} +{{- continue -}} +{{- end -}} +{{- $certName := (get (fromJson (include "redpanda.ExternalTLS.GetCertName" (dict "a" (list $lis.tls $l.tls) ))) "r") -}} +{{- $pp = (concat (default (list ) $pp) (list (dict "name" $k "enabled" true "cert_file" (printf "/etc/tls/certs/%s/tls.crt" $certName) "key_file" (printf "/etc/tls/certs/%s/tls.key" $certName) "require_client_auth" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $lis.tls.requireClientAuth false) ))) "r") "truststore_file" (get (fromJson (include "redpanda.ExternalTLS.TrustStoreFilePath" (dict "a" (list $lis.tls $l.tls $tls) ))) "r") ))) -}} +{{- end -}} +{{- (dict "r" $pp) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.HTTPListeners.TrustStores" -}} +{{- $l := (index .a 0) -}} +{{- $tls := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $tss := (coalesce nil) -}} +{{- if (and (get (fromJson (include "redpanda.InternalTLS.IsEnabled" (dict "a" (list $l.tls $tls) ))) "r") (ne $l.tls.trustStore (coalesce nil))) -}} +{{- $tss = (concat (default (list ) $tss) (list $l.tls.trustStore)) -}} +{{- end -}} +{{- range $_, $lis := $l.external -}} +{{- if (or (or (not (get (fromJson (include "redpanda.HTTPExternal.IsEnabled" (dict "a" (list $lis) ))) "r")) (not (get (fromJson (include "redpanda.ExternalTLS.IsEnabled" (dict "a" (list $lis.tls $l.tls $tls) ))) "r"))) (eq $lis.tls.trustStore (coalesce nil))) -}} +{{- continue -}} 
+{{- end -}} +{{- $tss = (concat (default (list ) $tss) (list $lis.tls.trustStore)) -}} +{{- end -}} +{{- (dict "r" $tss) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.HTTPExternal.IsEnabled" -}} +{{- $l := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- (dict "r" (and (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $l.enabled true) ))) "r") (gt ($l.port | int) (0 | int)))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.KafkaListeners.Listeners" -}} +{{- $l := (index .a 0) -}} +{{- $auth := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $internal := (get (fromJson (include "redpanda.createInternalListenerCfg" (dict "a" (list ($l.port | int)) ))) "r") -}} +{{- if (get (fromJson (include "redpanda.Auth.IsSASLEnabled" (dict "a" (list $auth) ))) "r") -}} +{{- $_ := (set $internal "authentication_method" "sasl") -}} +{{- end -}} +{{- $am_10 := (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $l.authenticationMethod "") ))) "r") -}} +{{- if (ne $am_10 "") -}} +{{- $_ := (set $internal "authentication_method" $am_10) -}} +{{- end -}} +{{- $kafka := (list $internal) -}} +{{- range $k, $l := $l.external -}} +{{- if (not (get (fromJson (include "redpanda.KafkaExternal.IsEnabled" (dict "a" (list $l) ))) "r")) -}} +{{- continue -}} +{{- end -}} +{{- $listener := (dict "name" $k "port" ($l.port | int) "address" "0.0.0.0" ) -}} +{{- if (get (fromJson (include "redpanda.Auth.IsSASLEnabled" (dict "a" (list $auth) ))) "r") -}} +{{- $_ := (set $listener "authentication_method" "sasl") -}} +{{- end -}} +{{- $am_11 := (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $l.authenticationMethod "") ))) "r") -}} +{{- if (ne $am_11 "") -}} +{{- $_ := (set $listener "authentication_method" $am_11) -}} +{{- end -}} +{{- $kafka = (concat (default (list ) $kafka) (list $listener)) -}} +{{- end -}} +{{- (dict "r" $kafka) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define 
"redpanda.KafkaListeners.ListenersTLS" -}} +{{- $l := (index .a 0) -}} +{{- $tls := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $kafka := (list ) -}} +{{- $internal := (get (fromJson (include "redpanda.createInternalListenerTLSCfg" (dict "a" (list $tls $l.tls) ))) "r") -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $internal) ))) "r") | int) (0 | int)) -}} +{{- $kafka = (concat (default (list ) $kafka) (list $internal)) -}} +{{- end -}} +{{- range $k, $lis := $l.external -}} +{{- if (or (not (get (fromJson (include "redpanda.KafkaExternal.IsEnabled" (dict "a" (list $lis) ))) "r")) (not (get (fromJson (include "redpanda.ExternalTLS.IsEnabled" (dict "a" (list $lis.tls $l.tls $tls) ))) "r"))) -}} +{{- continue -}} +{{- end -}} +{{- $certName := (get (fromJson (include "redpanda.ExternalTLS.GetCertName" (dict "a" (list $lis.tls $l.tls) ))) "r") -}} +{{- $kafka = (concat (default (list ) $kafka) (list (dict "name" $k "enabled" true "cert_file" (printf "/etc/tls/certs/%s/tls.crt" $certName) "key_file" (printf "/etc/tls/certs/%s/tls.key" $certName) "require_client_auth" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $lis.tls.requireClientAuth false) ))) "r") "truststore_file" (get (fromJson (include "redpanda.ExternalTLS.TrustStoreFilePath" (dict "a" (list $lis.tls $l.tls $tls) ))) "r") ))) -}} +{{- end -}} +{{- (dict "r" $kafka) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.KafkaListeners.TrustStores" -}} +{{- $l := (index .a 0) -}} +{{- $tls := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $tss := (coalesce nil) -}} +{{- if (and (get (fromJson (include "redpanda.InternalTLS.IsEnabled" (dict "a" (list $l.tls $tls) ))) "r") (ne $l.tls.trustStore (coalesce nil))) -}} +{{- $tss = (concat (default (list ) $tss) (list $l.tls.trustStore)) -}} +{{- end -}} +{{- range $_, $lis := $l.external -}} +{{- if (or (or (not (get (fromJson (include "redpanda.KafkaExternal.IsEnabled" (dict "a" (list $lis) ))) 
"r")) (not (get (fromJson (include "redpanda.ExternalTLS.IsEnabled" (dict "a" (list $lis.tls $l.tls $tls) ))) "r"))) (eq $lis.tls.trustStore (coalesce nil))) -}} +{{- continue -}} +{{- end -}} +{{- $tss = (concat (default (list ) $tss) (list $lis.tls.trustStore)) -}} +{{- end -}} +{{- (dict "r" $tss) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.KafkaExternal.IsEnabled" -}} +{{- $l := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- (dict "r" (and (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $l.enabled true) ))) "r") (gt ($l.port | int) (0 | int)))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.SchemaRegistryListeners.Listeners" -}} +{{- $sr := (index .a 0) -}} +{{- $saslEnabled := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $internal := (get (fromJson (include "redpanda.createInternalListenerCfg" (dict "a" (list ($sr.port | int)) ))) "r") -}} +{{- if $saslEnabled -}} +{{- $_ := (set $internal "authentication_method" "http_basic") -}} +{{- end -}} +{{- $am_12 := (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $sr.authenticationMethod "") ))) "r") -}} +{{- if (ne $am_12 "") -}} +{{- $_ := (set $internal "authentication_method" $am_12) -}} +{{- end -}} +{{- $result := (list $internal) -}} +{{- range $k, $l := $sr.external -}} +{{- if (not (get (fromJson (include "redpanda.SchemaRegistryExternal.IsEnabled" (dict "a" (list $l) ))) "r")) -}} +{{- continue -}} +{{- end -}} +{{- $listener := (dict "name" $k "port" ($l.port | int) "address" "0.0.0.0" ) -}} +{{- if $saslEnabled -}} +{{- $_ := (set $listener "authentication_method" "http_basic") -}} +{{- end -}} +{{- $am_13 := (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $l.authenticationMethod "") ))) "r") -}} +{{- if (ne $am_13 "") -}} +{{- $_ := (set $listener "authentication_method" $am_13) -}} +{{- end -}} +{{- $result = (concat (default (list ) $result) (list $listener)) -}} +{{- end -}} +{{- (dict "r" 
$result) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.SchemaRegistryListeners.ListenersTLS" -}} +{{- $l := (index .a 0) -}} +{{- $tls := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $listeners := (list ) -}} +{{- $internal := (get (fromJson (include "redpanda.createInternalListenerTLSCfg" (dict "a" (list $tls $l.tls) ))) "r") -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $internal) ))) "r") | int) (0 | int)) -}} +{{- $listeners = (concat (default (list ) $listeners) (list $internal)) -}} +{{- end -}} +{{- range $k, $lis := $l.external -}} +{{- if (or (not (get (fromJson (include "redpanda.SchemaRegistryExternal.IsEnabled" (dict "a" (list $lis) ))) "r")) (not (get (fromJson (include "redpanda.ExternalTLS.IsEnabled" (dict "a" (list $lis.tls $l.tls $tls) ))) "r"))) -}} +{{- continue -}} +{{- end -}} +{{- $certName := (get (fromJson (include "redpanda.ExternalTLS.GetCertName" (dict "a" (list $lis.tls $l.tls) ))) "r") -}} +{{- $listeners = (concat (default (list ) $listeners) (list (dict "name" $k "enabled" true "cert_file" (printf "/etc/tls/certs/%s/tls.crt" $certName) "key_file" (printf "/etc/tls/certs/%s/tls.key" $certName) "require_client_auth" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $lis.tls.requireClientAuth false) ))) "r") "truststore_file" (get (fromJson (include "redpanda.ExternalTLS.TrustStoreFilePath" (dict "a" (list $lis.tls $l.tls $tls) ))) "r") ))) -}} +{{- end -}} +{{- (dict "r" $listeners) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.SchemaRegistryListeners.TrustStores" -}} +{{- $l := (index .a 0) -}} +{{- $tls := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $tss := (coalesce nil) -}} +{{- if (and (get (fromJson (include "redpanda.InternalTLS.IsEnabled" (dict "a" (list $l.tls $tls) ))) "r") (ne $l.tls.trustStore (coalesce nil))) -}} +{{- $tss = (concat (default (list ) $tss) (list $l.tls.trustStore)) -}} +{{- end -}} +{{- range $_, 
$lis := $l.external -}} +{{- if (or (or (not (get (fromJson (include "redpanda.SchemaRegistryExternal.IsEnabled" (dict "a" (list $lis) ))) "r")) (not (get (fromJson (include "redpanda.ExternalTLS.IsEnabled" (dict "a" (list $lis.tls $l.tls $tls) ))) "r"))) (eq $lis.tls.trustStore (coalesce nil))) -}} +{{- continue -}} +{{- end -}} +{{- $tss = (concat (default (list ) $tss) (list $lis.tls.trustStore)) -}} +{{- end -}} +{{- (dict "r" $tss) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.SchemaRegistryExternal.IsEnabled" -}} +{{- $l := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- (dict "r" (and (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $l.enabled true) ))) "r") (gt ($l.port | int) (0 | int)))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.TunableConfig.Translate" -}} +{{- $c := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- if (eq $c (coalesce nil)) -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $result := (dict ) -}} +{{- range $k, $v := $c -}} +{{- if (not (empty $v)) -}} +{{- $_ := (set $result $k $v) -}} +{{- end -}} +{{- end -}} +{{- (dict "r" $result) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.NodeConfig.Translate" -}} +{{- $c := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $result := (dict ) -}} +{{- range $k, $v := $c -}} +{{- if (not (empty $v)) -}} +{{- $_ := (set $result $k (toYaml $v)) -}} +{{- end -}} +{{- end -}} +{{- (dict "r" $result) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.ClusterConfig.Translate" -}} +{{- $c := (index .a 0) -}} +{{- $replicas := (index .a 1) -}} +{{- $skipDefaultTopic := (index .a 2) -}} +{{- range $_ := (list 1) -}} +{{- $result := (dict ) -}} +{{- range $k, $v := $c -}} +{{- if (and (eq $k "default_topic_replications") (not $skipDefaultTopic)) -}} +{{- $r := ($replicas | int) -}} +{{- $input := ($r | int) -}} +{{- $tmp_tuple_14 := 
(get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.asintegral" (dict "a" (list $v) ))) "r")) ))) "r") -}} +{{- $ok_15 := $tmp_tuple_14.T2 -}} +{{- $num_14 := ($tmp_tuple_14.T1 | int) -}} +{{- if $ok_15 -}} +{{- $input = $num_14 -}} +{{- end -}} +{{- $tmp_tuple_15 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.asnumeric" (dict "a" (list $v) ))) "r")) ))) "r") -}} +{{- $ok_17 := $tmp_tuple_15.T2 -}} +{{- $f_16 := ($tmp_tuple_15.T1 | float64) -}} +{{- if $ok_17 -}} +{{- $input = ($f_16 | int) -}} +{{- end -}} +{{- $_ := (set $result $k (min ($input | int64) (((sub ((add $r (((mod $r (2 | int)) | int))) | int) (1 | int)) | int) | int64))) -}} +{{- continue -}} +{{- end -}} +{{- $tmp_tuple_16 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.typetest" (dict "a" (list "bool" $v false) ))) "r")) ))) "r") -}} +{{- $ok_19 := $tmp_tuple_16.T2 -}} +{{- $b_18 := $tmp_tuple_16.T1 -}} +{{- if $ok_19 -}} +{{- $_ := (set $result $k $b_18) -}} +{{- continue -}} +{{- end -}} +{{- if (not (empty $v)) -}} +{{- $_ := (set $result $k $v) -}} +{{- end -}} +{{- end -}} +{{- (dict "r" $result) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.SecretRef.IsValid" -}} +{{- $sr := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- (dict "r" (and (and (ne $sr (coalesce nil)) (not (empty $sr.key))) (not (empty $sr.name)))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.TieredStorageCredentials.IsAccessKeyReferenceValid" -}} +{{- $tsc := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- (dict "r" (and (and (ne $tsc.accessKey (coalesce nil)) (ne $tsc.accessKey.name "")) (ne $tsc.accessKey.key ""))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.TieredStorageCredentials.IsSecretKeyReferenceValid" -}} +{{- $tsc := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- (dict "r" (and (and 
(ne $tsc.secretKey (coalesce nil)) (ne $tsc.secretKey.name "")) (ne $tsc.secretKey.key ""))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/values.schema.json b/charts/redpanda/redpanda/values.schema.json index b1e8405a2..6991cc9af 100644 --- a/charts/redpanda/redpanda/values.schema.json +++ b/charts/redpanda/redpanda/values.schema.json @@ -301,6 +301,9 @@ "type": "boolean" } }, + "required": [ + "enabled" + ], "type": "object" }, "sourceRanges": { @@ -348,6 +351,17 @@ ], "type": "object" }, + "imagePullSecrets": { + "items": { + "properties": { + "name": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, "license_key": { "deprecated": true, "pattern": "^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?\\.(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$|^$", @@ -384,8 +398,58 @@ "enabled": { "type": "boolean" }, + "nodePort": { + "type": "integer" + }, "port": { "type": "integer" + }, + "tls": { + "properties": { + "cert": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "requireClientAuth": { + "type": "boolean" + }, + "trustStore": { + "properties": { + "configMapKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + }, + "secretKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" } }, "required": [ 
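Review bot: The new `trustStore` object in the `@@ -384,8 +398,58 @@` hunk declares `configMapKeyRef` and `secretKeyRef` as sibling optional properties with nothing that requires exactly one of them, so a values file that sets both, or sets `trustStore: {}` with neither, passes schema validation and the choice of CA source is left to whatever the template does, which this diff does not show. Adding `"oneOf": [{"required": ["configMapKeyRef"]}, {"required": ["secretKeyRef"]}]` to each `trustStore` object would reject an ambiguous or empty CA reference at validation time instead of resolving it silently. The same shape is repeated in the `trustStore` hunks at `@@ -409`, `@@ -488`, `@@ -518`, `@@ -598`, `@@ -624`, `@@ -654`, `@@ -730` and `@@ -757`. If this file is generated from the chart's Go types, the constraint presumably belongs in the type's schema annotations rather than here.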
@@ -409,6 +473,39 @@ }, "requireClientAuth": { "type": "boolean" + }, + "trustStore": { + "properties": { + "configMapKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + }, + "secretKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + } + }, + "type": "object" } }, "required": [ @@ -472,6 +569,9 @@ "enabled": { "type": "boolean" }, + "nodePort": { + "type": "integer" + }, "port": { "type": "integer" }, @@ -488,6 +588,39 @@ }, "requireClientAuth": { "type": "boolean" + }, + "trustStore": { + "properties": { + "configMapKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + }, + "secretKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + } + }, + "type": "object" } }, "type": "object" @@ -518,6 +651,39 @@ }, "requireClientAuth": { "type": "boolean" + }, + "trustStore": { + "properties": { + "configMapKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + }, + "secretKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + } + }, + "type": "object" } }, "required": [ @@ -582,6 +748,9 @@ "enabled": { "type": "boolean" }, + "nodePort": { + "type": "integer" + }, "port": { "type": "integer" }, 
@@ -598,6 +767,39 @@ }, "requireClientAuth": { "type": "boolean" + }, + "trustStore": { + "properties": { + "configMapKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + }, + "secretKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + } + }, + "type": "object" } }, "type": "object" @@ -624,6 +826,39 @@ }, "requireClientAuth": { "type": "boolean" + }, + "trustStore": { + "properties": { + "configMapKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + }, + "secretKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + } + }, + "type": "object" } }, "required": [ @@ -654,6 +889,39 @@ }, "requireClientAuth": { "type": "boolean" + }, + "trustStore": { + "properties": { + "configMapKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + }, + "secretKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + } + }, + "type": "object" } }, "required": [ @@ -717,6 +985,9 @@ "enabled": { "type": "boolean" }, + "nodePort": { + "type": "integer" + }, "port": { "type": "integer" }, 
@@ -730,6 +1001,39 @@ }, "requireClientAuth": { "type": "boolean" + }, + "trustStore": { + "properties": { + "configMapKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + }, + "secretKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + } + }, + "type": "object" } }, "type": "object" @@ -757,6 +1061,39 @@ }, "requireClientAuth": { "type": "boolean" + }, + "trustStore": { + "properties": { + "configMapKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + }, + "secretKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + } + }, + "type": "object" } }, "required": [ @@ -792,6 +1129,9 @@ }, "usageStats": { "properties": { + "clusterId": { + "type": "string" + }, "enabled": { "type": "boolean" } 
@@ -946,41 +1286,145 @@ "affinity": { "type": "object" }, + "annotations": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "enabled": { + "type": "boolean" + }, + "labels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, "resources": { "properties": { - "limits": { - "properties": { - "cpu": { - "oneOf": [ - { - "type": "integer" - }, - { - "type": "string" - } - ] + "claims": { + "items": { + "properties": { + "name": { + "type": "string" + } }, - "memory": { - "pattern": "^[0-9]+(\\.[0-9]){0,1}(k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "object" + }, + "type": "array" + }, + "limits": { + "additionalProperties": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + }, + "type": "object" + }, + "requests": { + "additionalProperties": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + }, + "type": "object" + } + }, + "type": "object" + }, + "securityContext": { + "properties": { + "allowPrivilegeEscalation": { + "type": "boolean" + }, + "capabilities": { + "properties": { + "add": { + "items": { + "type": "string" + }, + "type": "array" + }, + "drop": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "privileged": { + "type": "boolean" + }, + "procMount": { + "type": "string" + }, + "readOnlyRootFilesystem": { + "type": "boolean" + }, + "runAsGroup": { + "type": "integer" + }, + "runAsNonRoot": { + "type": "boolean" + }, + "runAsUser": { + "type": "integer" + }, + "seLinuxOptions": { + "properties": { + "level": { + "type": "string" + }, + "role": { + "type": "string" + }, + "type": { + "type": "string" + }, + "user": { "type": "string" } }, "type": "object" }, - "requests": { + "seccompProfile": { "properties": { - "cpu": { - "oneOf": [ - { - "type": "integer" - }, - { - "type": 
"string" - } - ] + "localhostProfile": { + "type": "string" }, - "memory": { - "pattern": "^[0-9]+(\\.[0-9]){0,1}(k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": { + "type": "string" + } + }, + "type": "object" + }, + "windowsOptions": { + "properties": { + "gmsaCredentialSpec": { + "type": "string" + }, + "gmsaCredentialSpecName": { + "type": "string" + }, + "hostProcess": { + "type": "boolean" + }, + "runAsUserName": { "type": "string" } }, @@ -1019,41 +1463,42 @@ }, "resources": { "properties": { - "limits": { - "properties": { - "cpu": { - "oneOf": [ - { - "type": "integer" - }, - { - "type": "string" - } - ] + "claims": { + "items": { + "properties": { + "name": { + "type": "string" + } }, - "memory": { - "pattern": "^[0-9]+(\\.[0-9]){0,1}(k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", - "type": "string" - } + "type": "object" + }, + "type": "array" + }, + "limits": { + "additionalProperties": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] }, "type": "object" }, "requests": { - "properties": { - "cpu": { - "oneOf": [ - { - "type": "integer" - }, - { - "type": "string" - } - ] - }, - "memory": { - "pattern": "^[0-9]+(\\.[0-9]){0,1}(k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", - "type": "string" - } + "additionalProperties": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] }, "type": "object" } @@ -1106,6 +1551,7 @@ "type": "integer" }, { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", "type": "string" } ] 
@@ -1124,12 +1570,26 @@ "container": { "properties": { "max": { - "pattern": "^[0-9]+(\\.[0-9]){0,1}(k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", - "type": "string" + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] }, "min": { - "pattern": "^[0-9]+(\\.[0-9]){0,1}(k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", - "type": "string" + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] } }, "required": [ @@ -1148,10 +1608,10 @@ "type": "integer" }, { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", "type": "string" } - ], - "pattern": "^[0-9]+(\\.[0-9]){0,1}(k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$" + ] }, "reserveMemory": { "oneOf": [ @@ -1159,10 +1619,10 @@ "type": "integer" }, { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", "type": "string" } - ], - "pattern": "^[0-9]+(\\.[0-9]){0,1}(k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$" + ] } }, "type": "object" @@ -1473,12 +1933,15 @@ "type": "string" }, "divisor": { - "properties": { - "Format": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", "type": "string" } - }, - "type": "object" + ] }, "resource": { "type": "string" @@ -1913,8 +2376,15 @@ "type": "object" }, "size": { - "pattern": "^[0-9]+(\\.[0-9]){0,1}(k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", - "type": "string" + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] }, "storageClass": { "type": "string" @@ -1963,6 +2433,7 @@ "type": "integer" }, { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", "type": "string" } ] @@ -2161,6 +2632,7 @@ "type": "integer" }, { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", "type": "string" } ] 
diff --git a/charts/speedscale/speedscale-operator/Chart.yaml b/charts/speedscale/speedscale-operator/Chart.yaml index 6f8400bef..d750774ea 100644 --- a/charts/speedscale/speedscale-operator/Chart.yaml +++ b/charts/speedscale/speedscale-operator/Chart.yaml @@ -4,7 +4,7 @@ annotations: catalog.cattle.io/kube-version: '>= 1.17.0-0' catalog.cattle.io/release-name: speedscale-operator apiVersion: v1 -appVersion: 2.2.29 +appVersion: 2.2.74 description: Stress test your APIs with real world scenarios. Collect and replay traffic without scripting. home: https://speedscale.com @@ -24,4 +24,4 @@ maintainers: - email: support@speedscale.com name: Speedscale Support name: speedscale-operator -version: 2.2.29 +version: 2.2.74 diff --git a/charts/speedscale/speedscale-operator/values.yaml b/charts/speedscale/speedscale-operator/values.yaml index 307813c56..3b9be2cd3 100644 --- a/charts/speedscale/speedscale-operator/values.yaml +++ b/charts/speedscale/speedscale-operator/values.yaml @@ -20,7 +20,7 @@ clusterName: "my-cluster" # Speedscale components image settings. image: registry: gcr.io/speedscale - tag: v2.2.29 + tag: v2.2.74 pullPolicy: Always # Log level for Speedscale components. diff --git a/charts/stackstate/stackstate-k8s-agent/Chart.yaml b/charts/stackstate/stackstate-k8s-agent/Chart.yaml index 4d57569a6..faac5d09a 100644 --- a/charts/stackstate/stackstate-k8s-agent/Chart.yaml +++ b/charts/stackstate/stackstate-k8s-agent/Chart.yaml @@ -21,4 +21,4 @@ maintainers: - email: ops@stackstate.com name: Stackstate name: stackstate-k8s-agent -version: 1.0.87 +version: 1.0.88 diff --git a/charts/stackstate/stackstate-k8s-agent/README.md b/charts/stackstate/stackstate-k8s-agent/README.md index a508d8c47..9baccc001 100644 --- a/charts/stackstate/stackstate-k8s-agent/README.md +++ b/charts/stackstate/stackstate-k8s-agent/README.md @@ -2,7 +2,7 @@ Helm chart for the StackState Agent. -Current chart version is `1.0.87` +Current chart version is `1.0.88` **Homepage:** 
@@ -61,7 +61,7 @@ stackstate/stackstate-k8s-agent | checksAgent.enabled | bool | `true` | Enable / disable runnning cluster checks in a separately deployed pod | | checksAgent.image.pullPolicy | string | `"IfNotPresent"` | Default container image pull policy. | | checksAgent.image.repository | string | `"stackstate/stackstate-k8s-agent"` | Base container image repository. | -| checksAgent.image.tag | string | `"4f42573a"` | Default container image tag. | +| checksAgent.image.tag | string | `"6e5ef78f"` | Default container image tag. | | checksAgent.livenessProbe.enabled | bool | `true` | Enable use of livenessProbe check. | | checksAgent.livenessProbe.failureThreshold | int | `3` | `failureThreshold` for the liveness probe. | | checksAgent.livenessProbe.initialDelaySeconds | int | `15` | `initialDelaySeconds` for the liveness probe. | @@ -126,7 +126,7 @@ stackstate/stackstate-k8s-agent | clusterAgent.enabled | bool | `true` | Enable / disable the cluster agent. | | clusterAgent.image.pullPolicy | string | `"IfNotPresent"` | Default container image pull policy. | | clusterAgent.image.repository | string | `"stackstate/stackstate-k8s-cluster-agent"` | Base container image repository. | -| clusterAgent.image.tag | string | `"4f42573a"` | Default container image tag. | +| clusterAgent.image.tag | string | `"6e5ef78f"` | Default container image tag. | | clusterAgent.livenessProbe.enabled | bool | `true` | Enable use of livenessProbe check. | | clusterAgent.livenessProbe.failureThreshold | int | `3` | `failureThreshold` for the liveness probe. | | clusterAgent.livenessProbe.initialDelaySeconds | int | `15` | `initialDelaySeconds` for the liveness probe. | 
@@ -190,7 +190,7 @@ stackstate/stackstate-k8s-agent | nodeAgent.containers.agent.env | object | `{}` | Additional environment variables for the agent container | | nodeAgent.containers.agent.image.pullPolicy | string | `"IfNotPresent"` | Default container image pull policy. | | nodeAgent.containers.agent.image.repository | string | `"stackstate/stackstate-k8s-agent"` | Base container image repository. | -| nodeAgent.containers.agent.image.tag | string | `"4f42573a"` | Default container image tag. | +| nodeAgent.containers.agent.image.tag | string | `"6e5ef78f"` | Default container image tag. | | nodeAgent.containers.agent.livenessProbe.enabled | bool | `true` | Enable use of livenessProbe check. | | nodeAgent.containers.agent.livenessProbe.failureThreshold | int | `3` | `failureThreshold` for the liveness probe. | | nodeAgent.containers.agent.livenessProbe.initialDelaySeconds | int | `15` | `initialDelaySeconds` for the liveness probe. | 
@@ -214,7 +214,7 @@ stackstate/stackstate-k8s-agent | nodeAgent.containers.processAgent.image.pullPolicy | string | `"IfNotPresent"` | Process-agent container image pull policy. | | nodeAgent.containers.processAgent.image.registry | string | `nil` | | | nodeAgent.containers.processAgent.image.repository | string | `"stackstate/stackstate-k8s-process-agent"` | Process-agent container image repository. | -| nodeAgent.containers.processAgent.image.tag | string | `"ae5d42d2"` | Default process-agent container image tag. | +| nodeAgent.containers.processAgent.image.tag | string | `"22891642"` | Default process-agent container image tag. | | nodeAgent.containers.processAgent.logLevel | string | `nil` | Set logging verbosity, valid log levels are: trace, debug, info, warn, error, critical, and off # If not set, fall back to the value of agent.logLevel. | | nodeAgent.containers.processAgent.procVolumeReadOnly | bool | `true` | Configure whether /host/proc is read only for the process agent container | | nodeAgent.containers.processAgent.resources.limits.cpu | string | `"125m"` | Memory resource limits. | diff --git a/charts/stackstate/stackstate-k8s-agent/values.yaml b/charts/stackstate/stackstate-k8s-agent/values.yaml index d5cde44e5..f71ba2e33 100644 --- a/charts/stackstate/stackstate-k8s-agent/values.yaml +++ b/charts/stackstate/stackstate-k8s-agent/values.yaml @@ -109,7 +109,7 @@ nodeAgent: # nodeAgent.containers.agent.image.repository -- Base container image repository. repository: stackstate/stackstate-k8s-agent # nodeAgent.containers.agent.image.tag -- Default container image tag. - tag: "4f42573a" + tag: "6e5ef78f" # nodeAgent.containers.agent.image.pullPolicy -- Default container image pull policy. pullPolicy: IfNotPresent processAgent: 
@@ -168,7 +168,7 @@ nodeAgent: # nodeAgent.containers.processAgent.image.repository -- Process-agent container image repository. repository: stackstate/stackstate-k8s-process-agent # nodeAgent.containers.processAgent.image.tag -- Default process-agent container image tag. - tag: "ae5d42d2" + tag: "22891642" # nodeAgent.containers.processAgent.image.pullPolicy -- Process-agent container image pull policy. pullPolicy: IfNotPresent # nodeAgent.containers.processAgent.env -- Additional environment variables for the process-agent container @@ -357,7 +357,7 @@ clusterAgent: # clusterAgent.image.repository -- Base container image repository. repository: stackstate/stackstate-k8s-cluster-agent # clusterAgent.image.tag -- Default container image tag. - tag: "4f42573a" + tag: "6e5ef78f" # clusterAgent.image.pullPolicy -- Default container image pull policy. pullPolicy: IfNotPresent @@ -512,7 +512,7 @@ checksAgent: # checksAgent.image.repository -- Base container image repository. repository: stackstate/stackstate-k8s-agent # checksAgent.image.tag -- Default container image tag. - tag: "4f42573a" + tag: "6e5ef78f" # checksAgent.image.pullPolicy -- Default container image pull policy. pullPolicy: IfNotPresent diff --git a/charts/weka/csi-wekafsplugin/CHANGELOG.md b/charts/weka/csi-wekafsplugin/CHANGELOG.md index 99002c8d8..55e557fe9 100644 --- a/charts/weka/csi-wekafsplugin/CHANGELOG.md +++ b/charts/weka/csi-wekafsplugin/CHANGELOG.md 
@@ -1,4 +1,30 @@ - - - - + + +## What's Changed +### New Features +* feat(CSI-211): support new API paths nodes->processes as per cluster version by @sergeyberezansky in https://github.com/weka/csi-wekafs/pull/269 +* feat(CSI-215): improve lookup for frontend containers to include protocols by @sergeyberezansky in https://github.com/weka/csi-wekafs/pull/269 +* feat(CSI-209): automatically update API endpoints on re-login by @sergeyberezansky in https://github.com/weka/csi-wekafs/pull/269 +* feat(CSI-221): support configurable fsGroupPolicy by @sergeyberezansky in https://github.com/weka/csi-wekafs/pull/269 +* feat(CSI-219): add securityContextConstraints for CSI on OCP by @sergeyberezansky in https://github.com/weka/csi-wekafs/pull/269 +* feat(CSI-220): automatically determine selinux for OCP nodes by @sergeyberezansky in https://github.com/weka/csi-wekafs/pull/269 + +### Bug Fixes +* fix(CSI-217): Containers are filtered by status but not by state by @sergeyberezansky in https://github.com/weka/csi-wekafs/pull/269 +* fix(CSI-223): mount still attempted when local container name is missing by @sergeyberezansky in https://github.com/weka/csi-wekafs/pull/269 + +### Miscellaneous +* chore(deps): update azure/setup-helm action to v4 by @renovate in https://github.com/weka/csi-wekafs/pull/243 +* chore(deps): update helm/kind-action action to v1.10.0 by @renovate in https://github.com/weka/csi-wekafs/pull/240 +* chore(deps): update actions/checkout digest to 692973e by @renovate in https://github.com/weka/csi-wekafs/pull/256 +* fix(deps): update module github.com/google/uuid to v1.6.0 by @renovate in https://github.com/weka/csi-wekafs/pull/221 +* fix(deps): update golang.org/x/exp digest to 7f521ea by @renovate in https://github.com/weka/csi-wekafs/pull/257 +* fix(deps): update module google.golang.org/grpc to v1.64.0 by @renovate in https://github.com/weka/csi-wekafs/pull/224 +* fix(deps): update module github.com/rs/zerolog to v1.33.0 by @renovate in 
https://github.com/weka/csi-wekafs/pull/235 +* chore(deps): update docker/build-push-action action to v6 by @renovate in https://github.com/weka/csi-wekafs/pull/264 +* fix(deps): update module google.golang.org/protobuf to v1.34.2 by @renovate in https://github.com/weka/csi-wekafs/pull/263 +* chore(deps): update softprops/action-gh-release action to v2 by @renovate in https://github.com/weka/csi-wekafs/pull/265 +* fix(deps): update module github.com/hashicorp/go-version to v1.7.0 by @renovate in https://github.com/weka/csi-wekafs/pull/260 +* chore(deps): update dependency go to v1.22.4 by @renovate in https://github.com/weka/csi-wekafs/pull/259 + + diff --git a/charts/weka/csi-wekafsplugin/Chart.yaml b/charts/weka/csi-wekafsplugin/Chart.yaml index 98c2c9981..d370cd414 100644 --- a/charts/weka/csi-wekafsplugin/Chart.yaml +++ b/charts/weka/csi-wekafsplugin/Chart.yaml @@ -10,7 +10,7 @@ annotations: catalog.cattle.io/display-name: WekaFS CSI Driver catalog.cattle.io/release-name: csi-wekafsplugin apiVersion: v2 -appVersion: v2.3.4 +appVersion: v2.4.0 description: Helm chart for Deployment of WekaIO Container Storage Interface (CSI) plugin for WekaFS - the world fastest filesystem home: https://github.com/weka/csi-wekafs @@ -25,6 +25,6 @@ maintainers: url: https://weka.io name: csi-wekafsplugin sources: -- https://github.com/weka/csi-wekafs/tree/v2.3.4 +- https://github.com/weka/csi-wekafs/tree/v2.4.0 type: application -version: 2.3.4 +version: 2.4.0 diff --git a/charts/weka/csi-wekafsplugin/README.md b/charts/weka/csi-wekafsplugin/README.md index e73ee2ec3..c679ad494 100644 --- a/charts/weka/csi-wekafsplugin/README.md +++ b/charts/weka/csi-wekafsplugin/README.md 
@@ -3,7 +3,7 @@ Helm chart for Deployment of WekaIO Container Storage Interface (CSI) plugin for [![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0) [![Artifact HUB](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/csi-wekafs)](https://artifacthub.io/packages/search?repo=csi-wekafs) -![Version: 2.3.4](https://img.shields.io/badge/Version-2.3.4-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v2.3.4](https://img.shields.io/badge/AppVersion-v2.3.4-informational?style=flat-square) +![Version: 2.4.0](https://img.shields.io/badge/Version-2.4.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v2.4.0](https://img.shields.io/badge/AppVersion-v2.4.0-informational?style=flat-square) ## Homepage https://github.com/weka/csi-wekafs 
@@ -52,19 +52,21 @@ helm install csi-wekafsplugin csi-wekafs/csi-wekafsplugin --namespace csi-wekafs |-----|------|---------|-------------| | dynamicProvisionPath | string | `"csi-volumes"` | Directory in root of file system where dynamic volumes are provisioned | | csiDriverName | string | `"csi.weka.io"` | Name of the driver (and provisioner) | -| csiDriverVersion | string | `"2.3.4"` | CSI driver version | +| csiDriverVersion | string | `"2.4.0"` | CSI driver version | | images.livenessprobesidecar | string | `"registry.k8s.io/sig-storage/livenessprobe:v2.12.0"` | CSI liveness probe sidecar image URL | | images.attachersidecar | string | `"registry.k8s.io/sig-storage/csi-attacher:v4.5.0"` | CSI attacher sidecar image URL | | images.provisionersidecar | string | `"registry.k8s.io/sig-storage/csi-provisioner:v4.0.0"` | CSI provisioner sidecar image URL | | images.registrarsidecar | string | `"registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.10.0"` | CSI registrar sidercar | | images.resizersidecar | string | `"registry.k8s.io/sig-storage/csi-resizer:v1.9.3"` | CSI resizer sidecar image URL | | images.snapshottersidecar | string | `"registry.k8s.io/sig-storage/csi-snapshotter:v6.3.3"` | CSI snapshotter sidecar image URL | +| images.nodeinfo | string | `"quay.io/weka.io/kubectl-sidecar:v1.29.2-1"` | CSI nodeinfo sidecar image URL, used for reading node metadata | | images.csidriver | string | `"quay.io/weka.io/csi-wekafs"` | CSI driver main image URL | -| images.csidriverTag | string | `"2.3.4"` | CSI driver tag | +| images.csidriverTag | string | `"2.4.0"` | CSI driver tag | | globalPluginTolerations | list | `[{"effect":"NoSchedule","key":"node-role.kubernetes.io/master","operator":"Exists"}]` | Tolerations for all CSI driver components | | controllerPluginTolerations | list | `[{"effect":"NoSchedule","key":"node-role.kubernetes.io/master","operator":"Exists"}]` | Tolerations for CSI controller component only (by default same as global) | | 
nodePluginTolerations | list | `[{"effect":"NoSchedule","key":"node-role.kubernetes.io/master","operator":"Exists"}]` | Tolerations for CSI node component only (by default same as global) | | nodeSelector | object | `{}` | Optional nodeSelector for CSI plugin deployment on certain Kubernetes nodes only | +| machineConfigLabels | list | `["worker","master"]` | Optional setting for OCP platform only, which machineconfig pools to apply the Weka SELinux policy on NOTE: by default, the policy will be installed both on workers and control plane nodes | | controller.replicas | int | `2` | Controller number of replicas | | controller.maxConcurrentRequests | int | `5` | Maximum concurrent requests from sidecars (global) | | controller.concurrency | object | `{"createSnapshot":5,"createVolume":5,"deleteSnapshot":5,"deleteVolume":1,"expandVolume":5}` | maximum concurrent operations per operation type | 
@@ -79,7 +81,7 @@ helm install csi-wekafsplugin csi-wekafs/csi-wekafsplugin --namespace csi-wekafs | useJsonLogging | bool | `false` | Use JSON structured logging instead of human-readable logging format (for exporting logs to structured log parser) | | legacyVolumeSecretName | string | `""` | for migration of pre-CSI 0.7.0 volumes only, default API secret. Must reside in same namespace as the plugin | | priorityClassName | string | `""` | Optional CSI Plugin priorityClassName | -| selinuxSupport | string | `"off"` | Support SELinux labeling for Persistent Volumes, may be either `off`, `mixed`, `enforced` (default off) In `enforced` mode, CSI node components will only start on nodes having a label `selinuxNodeLabel` below In `mixed` mode, separate CSI node components will be installed on SELinux-enabled and regular hosts In `off` mode, only non-SELinux-enabled node components will be run on hosts without label. WARNING: if SELinux is not enabled, volume provisioning and publishing might fail! | +| selinuxSupport | string | `"off"` | Support SELinux labeling for Persistent Volumes, may be either `off`, `mixed`, `enforced` (default off) In `enforced` mode, CSI node components will only start on nodes having a label `selinuxNodeLabel` below In `mixed` mode, separate CSI node components will be installed on SELinux-enabled and regular hosts In `off` mode, only non-SELinux-enabled node components will be run on hosts without label. WARNING: if SELinux is not enabled, volume provisioning and publishing might fail! 
NOTE: SELinux support is enabled automatically on clusters recognized as RedHat OpenShift Container Platform | | selinuxNodeLabel | string | `"csi.weka.io/selinux_enabled"` | This label must be set to `"true"` on SELinux-enabled Kubernetes nodes, e.g., to run the node server in secure mode on SELinux-enabled node, the node must have label `csi.weka.io/selinux_enabled="true"` | | kubeletPath | string | `"/var/lib/kubelet"` | kubelet path, in cases Kubernetes is installed not in default folder | | metrics.enabled | bool | `true` | Enable Prometheus Metrics | @@ -87,6 +89,7 @@ helm install csi-wekafsplugin csi-wekafs/csi-wekafsplugin --namespace csi-wekafs | metrics.provisionerPort | int | `9091` | Provisioner metrics port | | metrics.resizerPort | int | `9092` | Resizer metrics port | | metrics.snapshotterPort | int | `9093` | Snapshotter metrics port | +| pluginConfig.fsGroupPolicy | string | `"File"` | WARNING: Changing this value might require uninstall and re-install of the plugin | | pluginConfig.allowInsecureHttps | bool | `false` | Allow insecure HTTPS (skip TLS certificate verification) | | pluginConfig.objectNaming.volumePrefix | string | `"csivol-"` | Prefix that will be added to names of Weka cluster filesystems / snapshots assocciated with CSI volume, must not exceed 7 symbols. | | pluginConfig.objectNaming.snapshotPrefix | string | `"csisnp-"` | Prefix that will be added to names of Weka cluster snapshots assocciated with CSI snapshot, must not exceed 7 symbols. | @@ -98,4 +101,4 @@ helm install csi-wekafsplugin csi-wekafs/csi-wekafsplugin --namespace csi-wekafs | pluginConfig.mutuallyExclusiveMountOptions[0] | string | `"readcache,writecache,coherent,forcedirect"` | | ---------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.12.0](https://github.com/norwoodj/helm-docs/releases/v1.12.0) +Autogenerated from chart metadata using [helm-docs v1.13.1](https://github.com/norwoodj/helm-docs/releases/v1.13.1) 
diff --git a/charts/weka/csi-wekafsplugin/templates/controllerserver-security-context-constraint.yaml b/charts/weka/csi-wekafsplugin/templates/controllerserver-security-context-constraint.yaml
new file mode 100644
index 000000000..3c9592056
--- /dev/null
+++ b/charts/weka/csi-wekafsplugin/templates/controllerserver-security-context-constraint.yaml
@@ -0,0 +1,24 @@
+{{- if .Capabilities.APIVersions.Has "security.openshift.io/v1/SecurityContextConstraints" }}
+kind: SecurityContextConstraints
+apiVersion: security.openshift.io/v1
+metadata:
+ name: {{ .Release.Name }}-controller-scc
+
+allowPrivilegedContainer: true
+allowHostDirVolumePlugin: true
+allowedVolumeTypes:
+ - hostPath
+ - secret
+readOnlyRootFilesystem: false
+
+runAsUser:
+ type: RunAsAny
+seLinuxContext:
+ type: RunAsAny
+fsGroup:
+ type: RunAsAny
+supplementalGroups:
+ type: RunAsAny
+users:
+ - system:serviceaccount:{{ .Release.Namespace }}:{{ .Release.Name }}-controller
+{{- end }}
diff --git a/charts/weka/csi-wekafsplugin/templates/driver.yaml b/charts/weka/csi-wekafsplugin/templates/driver.yaml
index e245b0bb3..08e75b85a 100644
--- a/charts/weka/csi-wekafsplugin/templates/driver.yaml
+++ b/charts/weka/csi-wekafsplugin/templates/driver.yaml
@@ -12,5 +12,5 @@ spec:
 volumeLifecycleModes:
 - Persistent
 {{- if semverCompare ">=1.19.0" .Capabilities.KubeVersion.Version }}
- fsGroupPolicy: File
+ fsGroupPolicy: {{ .Values.pluginConfig.fsGroupPolicy | default "File" }}
 {{- end }}
diff --git a/charts/weka/csi-wekafsplugin/templates/nodeserver-daemonset-selinux.yaml b/charts/weka/csi-wekafsplugin/templates/nodeserver-daemonset-selinux.yaml
deleted file mode 100644
index 955cab38b..000000000
--- a/charts/weka/csi-wekafsplugin/templates/nodeserver-daemonset-selinux.yaml
+++ /dev/null
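Review bot: `allowedVolumeTypes` is not a field I recognise on `security.openshift.io/v1` `SecurityContextConstraints` — as far as I know the allowed volume plugins are listed under `volumes:` — so the hostPath/secret restriction this new SCC intends is likely ignored or, under strict field validation, rejected; the nodeserver SCC added later in this diff uses the same key. Worth checking against the API schema; if `volumes:` is the right key, the node SCC also needs `emptyDir` listed, because the node DaemonSet now mounts a `nodeinfo` emptyDir. Both SCCs also grant `allowPrivilegedContainer: true` together with `RunAsAny` for user, SELinux context, fsGroup and supplemental groups; the controller Deployment is not part of this diff, so whether the controller actually runs privileged cannot be confirmed here, and a comment naming the container that needs it (e.g. `# privileged: required by <container> for <reason>`) would help the next reviewer.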
@@ -1,215 +0,0 @@ -{{- if or (eq (.Values.selinuxSupport | default "off") "enforced") (eq (.Values.selinuxSupport | toString) "mixed") }} -kind: DaemonSet -apiVersion: apps/v1 -metadata: - name: {{ .Release.Name }}-node-selinux - namespace: {{ .Release.Namespace }} -spec: - selector: - matchLabels: - app: {{ .Release.Name }}-node - template: - metadata: - labels: - app: {{ .Release.Name }}-node - component: {{ .Release.Name }}-node-selinux - release: {{ .Release.Name }} - {{- if .Values.metrics.enabled }} - annotations: - prometheus.io/scrape: 'true' - prometheus.io/path: '/metrics' - prometheus.io/port: '{{ .Values.metrics.port | default 9090 }}' - {{- end }} - spec: - affinity: - nodeAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: {{ .Values.selinuxNodeLabel }} - operator: In - values: - - "true" - {{- if .Values.nodeSelector }} - nodeSelector: - {{- toYaml .Values.nodeSelector | nindent 8}} - {{- end }} - serviceAccountName: {{ .Release.Name }}-node - {{- if .Values.priorityClassName }} - priorityClassName: {{ .Values.priorityClassName }} - {{- end }} - hostNetwork: true - containers: - - name: wekafs - securityContext: - privileged: true - image: {{ .Values.images.csidriver }}:v{{ .Values.images.csidriverTag }} - imagePullPolicy: Always - args: - - "--v={{ .Values.logLevel | default 5 }}" - - "--drivername=$(CSI_DRIVER_NAME)" - - "--endpoint=$(CSI_ENDPOINT)" - - "--nodeid=$(KUBE_NODE_NAME)" - - "--dynamic-path=$(CSI_DYNAMIC_PATH)" - - "--csimode=$(X_CSI_MODE)" - - "--newvolumeprefix={{ .Values.pluginConfig.objectNaming.volumePrefix | default "csivol-" | trunc 7 }}" - - "--newsnapshotprefix={{ .Values.pluginConfig.objectNaming.snapshotPrefix | default "csisnp-" | trunc 7 }}" - - "--seedsnapshotprefix={{ .Values.pluginConfig.objectNaming.seedSnapshotPrefix | default "csisnp-seed-" | trunc 12 }}" - - "--selinux-support" - {{- if .Values.tracingUrl }} - - "--tracingurl={{ .Values.tracingUrl }}" - {{- 
end }} - {{- if .Values.metrics.enabled }} - - "--enablemetrics" - - "--metricsport={{ .Values.metrics.port | default 9090 }}" - {{- end }} - {{- if .Values.pluginConfig.allowInsecureHttps }} - - "--allowinsecurehttps" - {{- end }} - {{- if .Values.useJsonLogging }} - - "--usejsonlogging" - {{- end }} - {{- if .Values.pluginConfig.mutuallyExclusiveMountOptions }} - {{- range .Values.pluginConfig.mutuallyExclusiveMountOptions }} - - "--mutuallyexclusivemountoptions={{ . }}" - {{- end }} - {{- end }} - {{- if .Values.node.grpcRequestTimeoutSeconds }} - - "--grpcrequesttimeoutseconds={{ .Values.node.grpcRequestTimeoutSeconds | default "5" }}" - {{- end }} - {{- if .Values.node.concurrency }} - - "--concurrency.nodePublishVolume={{ .Values.node.concurrency.nodePublishVolume | default "1" }}" - - "--concurrency.nodeUnpublishVolume={{ .Values.node.concurrency.nodeUnpublishVolume | default "1" }}" - {{- end }} - ports: - - containerPort: 9898 - name: healthz - protocol: TCP - {{- if .Values.metrics.enabled }} - - containerPort: {{ .Values.metrics.port }} - name: metrics - protocol: TCP - {{- end }} - livenessProbe: - failureThreshold: 5 - httpGet: - path: /healthz - port: healthz - initialDelaySeconds: 10 - timeoutSeconds: 3 - periodSeconds: 2 - env: - - name: CSI_DRIVER_NAME - value: {{ required "Provide CSI Driver Name" .Values.csiDriverName }} - - name: CSI_ENDPOINT - value: unix:///csi/csi.sock - - name: KUBE_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: CSI_DYNAMIC_PATH - value: {{ required "Provide CSI Driver Dynamic Volume Creation Path" .Values.dynamicProvisionPath }} - - name: X_CSI_MODE - value: node - volumeMounts: - - mountPath: /csi - name: socket-dir - - mountPath: {{ .Values.kubeletPath | default "/var/lib/kubelet" }}/pods - mountPropagation: Bidirectional - name: mountpoint-dir - - mountPath: {{ .Values.kubeletPath | default "/var/lib/kubelet" }}/plugins - mountPropagation: Bidirectional - name: plugins-dir - - mountPath: 
/var/lib/csi-wekafs-data - name: csi-data-dir - - mountPath: /dev - name: dev-dir -{{- if .Values.legacyVolumeSecretName }} - - mountPath: /legacy-volume-access - name: legacy-volume-access - readOnly: true -{{- end }} - - name: liveness-probe - volumeMounts: - - mountPath: /csi - name: socket-dir - image: {{ required "Provide Liveness Probe image." .Values.images.livenessprobesidecar }} - args: - - "--v={{ .Values.logLevel | default 5 }}" - - "--csi-address=$(ADDRESS)" - - "--health-port=$(HEALTH_PORT)" - env: - - name: ADDRESS - value: unix:///csi/csi.sock - - name: HEALTH_PORT - value: "9898" - - - name: csi-registrar - image: {{ required "Provide the csi node registrar sidecar container image." .Values.images.registrarsidecar }} - args: - - "--v={{ .Values.logLevel | default 5 }}" - - "--csi-address=$(ADDRESS)" - - "--kubelet-registration-path=$(KUBELET_REGISTRATION_PATH)" - - "--timeout=60s" - - "--health-port=9809" - ports: - - containerPort: 9809 - name: healthz - livenessProbe: - httpGet: - port: healthz - path: /healthz - initialDelaySeconds: 5 - timeoutSeconds: 5 - securityContext: - privileged: true - env: - - name: ADDRESS - value: unix:///csi/csi.sock - - name: KUBELET_REGISTRATION_PATH - value: "{{ (.Values.kubeletPath | default "/var/lib/kubelet") | toString }}/plugins/csi-wekafs-node/csi.sock" - - volumeMounts: - - mountPath: /csi - name: socket-dir - - mountPath: /registration - name: registration-dir - - mountPath: /var/lib/csi-wekafs-data - name: csi-data-dir - {{- with .Values.nodePluginTolerations }} - tolerations: - {{- toYaml . 
| nindent 8 }} - {{- end }} - volumes: - - hostPath: - path: {{ .Values.kubeletPath | default "/var/lib/kubelet" }}/pods - type: DirectoryOrCreate - name: mountpoint-dir - - hostPath: - path: {{ .Values.kubeletPath | default "/var/lib/kubelet" }}/plugins_registry - type: Directory - name: registration-dir - - hostPath: - path: {{ .Values.kubeletPath | default "/var/lib/kubelet" }}/plugins - type: Directory - name: plugins-dir - - hostPath: - path: {{ .Values.kubeletPath | default "/var/lib/kubelet" }}/plugins/csi-wekafs-node - type: DirectoryOrCreate - name: socket-dir - - hostPath: - # 'path' is where PV data is persisted on host. - # using /tmp is also possible while the PVs will not available after plugin container recreation or host reboot - path: /var/lib/csi-wekafs-data/ - type: DirectoryOrCreate - name: csi-data-dir - - hostPath: - path: /dev - type: Directory - name: dev-dir -{{- if .Values.legacyVolumeSecretName }} - - name: legacy-volume-access - secret: - secretName: {{ .Values.legacyVolumeSecretName }} -{{- end }} -{{- end }} diff --git a/charts/weka/csi-wekafsplugin/templates/nodeserver-daemonset.yaml b/charts/weka/csi-wekafsplugin/templates/nodeserver-daemonset.yaml index b3e701f2d..81599a595 100644 --- a/charts/weka/csi-wekafsplugin/templates/nodeserver-daemonset.yaml +++ b/charts/weka/csi-wekafsplugin/templates/nodeserver-daemonset.yaml @@ -1,4 +1,3 @@ -{{- if or (eq (.Values.selinuxSupport | default "off") "off") (eq (.Values.selinuxSupport | toString) "mixed") }} kind: DaemonSet apiVersion: apps/v1 metadata: 
@@ -21,23 +20,45 @@ spec: prometheus.io/port: '{{ .Values.metrics.port | default 9090 }}' {{- end }} spec: + {{- if (eq .Values.selinuxSupport "mixed")}} affinity: nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: nodeSelectorTerms: - matchExpressions: - - key: {{ .Values.selinuxNodeLabel }} - operator: NotIn + - key: {{ .Values.selinuxNodeLabel |default "csi.weka.io/selinux_enabled" }} + operator: In values: - "true" + {{- end }} {{- if .Values.nodeSelector }} - nodeSelector: {{ toYaml .Values.nodeSelector | nindent 8}} + nodeSelector: + {{- toYaml .Values.nodeSelector | nindent 8}} {{- end }} serviceAccountName: {{ .Release.Name }}-node {{- if .Values.priorityClassName }} priorityClassName: {{ .Values.priorityClassName }} {{- end }} - hostNetwork: true + initContainers: + - name: init + volumeMounts: + - mountPath: /etc/nodeinfo + name: nodeinfo + image: {{ .Values.images.nodeinfo }} + imagePullPolicy: IfNotPresent + securityContext: + # This doesn't need to run as root. + runAsUser: 9376 + runAsGroup: 9376 + env: + - name: NODENAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + args: + - bash + - -c + - kubectl get node $NODENAME -o json | jq '.metadata' > /etc/nodeinfo/metadata containers: - name: wekafs securityContext: @@ -54,6 +75,9 @@ spec: - "--newvolumeprefix={{ .Values.pluginConfig.objectNaming.volumePrefix | default "csivol-" | trunc 7 }}" - "--newsnapshotprefix={{ .Values.pluginConfig.objectNaming.snapshotPrefix | default "csisnp-" | trunc 7 }}" - "--seedsnapshotprefix={{ .Values.pluginConfig.objectNaming.seedSnapshotPrefix | default "csisnp-seed-" | trunc 12 }}" + {{- if eq .Values.selinuxSupport "enforced" }} + - "--selinux-support" + {{- end }} {{- if .Values.tracingUrl }} - "--tracingurl={{ .Values.tracingUrl }}" {{- end }} 
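Review bot: The new `init` container renders `image: {{ .Values.images.nodeinfo }}` without the `required` guard every other sidecar image in this template uses, so an empty value yields an invalid DaemonSet instead of a clear render error; `image: {{ required "Provide the nodeinfo sidecar image." .Values.images.nodeinfo }}` would match the existing style. Inside the `bash -c` script `$NODENAME` is unquoted; writing `kubectl get node "$NODENAME" -o json | jq '.metadata' > /etc/nodeinfo/metadata` avoids word-splitting. The init container also depends on the `{{ .Release.Name }}-node` service account being allowed to `get` nodes, which no hunk in this diff grants — worth confirming the existing ClusterRole covers it. In the second hunk on this line `--selinux-support` is passed only for `enforced`, while the affinity block above now pins `mixed` mode to SELinux-labelled nodes; whether those nodes should receive the flag too looks worth confirming against the deleted selinux DaemonSet, which always passed it.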
@@ -68,7 +92,7 @@ spec: - "--usejsonlogging" {{- end }} {{- if .Values.pluginConfig.mutuallyExclusiveMountOptions }} - {{- range .Values.pluginConfig.mutuallyExclusiveMountOptions }} + {{- range .Values.pluginConfig.mutuallyExclusiveMountOptions }} - "--mutuallyexclusivemountoptions={{ . }}" {{- end }} {{- end }} @@ -112,21 +136,28 @@ spec: volumeMounts: - mountPath: /csi name: socket-dir - - mountPath: {{ .Values.kubeletPath | default "/var/lib/kubelet" }}/pods + - mountPath: {{ .Values.kubeletPath | default "/var/lib/kubelet" }}/pods mountPropagation: Bidirectional name: mountpoint-dir - - mountPath: {{ .Values.kubeletPath | default "/var/lib/kubelet" }}/plugins + - mountPath: {{ .Values.kubeletPath | default "/var/lib/kubelet" }}/plugins mountPropagation: Bidirectional name: plugins-dir - mountPath: /var/lib/csi-wekafs-data name: csi-data-dir - mountPath: /dev name: dev-dir + - mountPath: /etc/nodeinfo + name: nodeinfo + readOnly: true {{- if .Values.legacyVolumeSecretName }} - mountPath: /legacy-volume-access name: legacy-volume-access readOnly: true {{- end }} + {{- if or (.Capabilities.APIVersions.Has "security.openshift.io/v1/SecurityContextConstraints") (eq .Values.selinuxSupport "enforced") }} + - mountPath: /etc/selinux/config + name: selinux-config + {{- end }} - name: liveness-probe volumeMounts: - mountPath: /csi @@ -166,6 +197,7 @@ spec: value: unix:///csi/csi.sock - name: KUBELET_REGISTRATION_PATH value: "{{ (.Values.kubeletPath | default "/var/lib/kubelet") | toString }}/plugins/csi-wekafs-node/csi.sock" + volumeMounts: - mountPath: /csi name: socket-dir 
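Review bot: The `/etc/selinux/config` hostPath mount added in `@@ -112,21 +136,28 @@` is not marked read-only, while the neighbouring `/legacy-volume-access` mount is and nothing in the diff shows the driver writing that file; adding `readOnly: true` under `name: selinux-config` keeps a host configuration file from being modified from the container even though it runs privileged. If the driver does need to write it, a one-line comment saying so would make the omission deliberate. The condition on this mount (`or` SCC API present / `enforced`) matches the volume definition in the later hunk, which is good.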
@@ -204,9 +236,17 @@ spec: path: /dev type: Directory name: dev-dir + # if enforced selinux or automatically detected OpenShift Container Platform, pass selinux-config + {{- if or (eq .Values.selinuxSupport "enforced") (.Capabilities.APIVersions.Has "security.openshift.io/v1/SecurityContextConstraints") }} + - hostPath: + path: /etc/selinux/config + type: File + name: selinux-config + {{- end }} + - name: nodeinfo + emptyDir: {} {{- if .Values.legacyVolumeSecretName }} - name: legacy-volume-access secret: secretName: {{ .Values.legacyVolumeSecretName }} {{- end }} -{{- end }} diff --git a/charts/weka/csi-wekafsplugin/templates/nodeserver-security-context-constraint.yaml b/charts/weka/csi-wekafsplugin/templates/nodeserver-security-context-constraint.yaml new file mode 100644 index 000000000..b0b2007dc --- /dev/null +++ b/charts/weka/csi-wekafsplugin/templates/nodeserver-security-context-constraint.yaml @@ -0,0 +1,24 @@ +{{- if .Capabilities.APIVersions.Has "security.openshift.io/v1/SecurityContextConstraints" }} +kind: SecurityContextConstraints +apiVersion: security.openshift.io/v1 +metadata: + name: {{ .Release.Name }}-node-scc + +allowPrivilegedContainer: true +allowHostDirVolumePlugin: true +allowedVolumeTypes: + - hostPath + - secret +readOnlyRootFilesystem: false +allowHostPorts: true +runAsUser: + type: RunAsAny +seLinuxContext: + type: RunAsAny +fsGroup: + type: RunAsAny +supplementalGroups: + type: RunAsAny +users: + - system:serviceaccount:{{ .Release.Namespace }}:{{ .Release.Name }}-node +{{- end }} diff --git a/charts/weka/csi-wekafsplugin/templates/selinux-policy-machineconfig.yaml b/charts/weka/csi-wekafsplugin/templates/selinux-policy-machineconfig.yaml new file mode 100644 index 000000000..958b8569b --- /dev/null +++ b/charts/weka/csi-wekafsplugin/templates/selinux-policy-machineconfig.yaml 
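Review bot: The new nodeserver SCC sets `allowHostPorts: true`, but `hostNetwork: true` was removed from the DaemonSet earlier in this diff and the containers only declare `containerPort`s with no `hostPort`, so this grant looks unnecessary and could be dropped unless the driver binds host ports somewhere not shown here. The `/etc/selinux/config` hostPath in `@@ -204,9 +236,17 @@` uses `type: File`, which makes the pod fail to start on any node where the file is absent; on the OpenShift path that is probably always present, but for `selinuxSupport: enforced` on non-RHCOS nodes it is worth a comment, e.g. `# type: File — pod will not schedule on nodes lacking /etc/selinux/config`.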
@@ -0,0 +1,38 @@ +{{- if .Capabilities.APIVersions.Has "security.openshift.io/v1/SecurityContextConstraints" }} +{{ range .Values.machineConfigLabels }} +kind: MachineConfig +apiVersion: machineconfiguration.openshift.io/v1 +metadata: + name: 50-csi-wekafs-selinux-policy-{{ . }} + labels: + machineconfiguration.openshift.io/role: {{ . }} +spec: + osImageURL: '' + config: + ignition: + version: 3.2.0 + storage: + files: + - filesystem: root + path: "/etc/selinux/csi-wekafs-selinux.cil" + contents: + source: data:text/plain;charset=utf-8;base64,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 + verification: {} + mode: 0755 + systemd: + units: + - contents: | + [Unit] + Requires=systemd-udevd.target + After=NetworkManager.service + Before=sshd.service + DefaultDependencies=no + [Service] + Type=oneshot + ExecStart=/usr/sbin/semodule -i /etc/selinux/csi-wekafs-selinux.cil + [Install] + WantedBy=multi-user.target + name: csi-wekafs-selinux-policy.service + enabled: true +{{- end }} +{{- end }} diff --git a/charts/weka/csi-wekafsplugin/values.schema.json b/charts/weka/csi-wekafsplugin/values.schema.json index 80632174b..82b89fad2 100644 --- a/charts/weka/csi-wekafsplugin/values.schema.json +++ b/charts/weka/csi-wekafsplugin/values.schema.json @@ -103,6 +103,9 @@ "livenessprobesidecar": { "type": "string" }, + "nodeinfo": { + "type": "string" + }, "provisionersidecar": { "type": "string" }, @@ -126,6 +129,12 @@ "logLevel": { "type": "integer" }, + "machineConfigLabels": { + "type": "array", + "items": { + "type": "string" + } + }, "metrics": { "type": "object", "properties": { @@ -211,6 +220,9 @@ } } }, + "fsGroupPolicy": { + "type": "string" + }, "mutuallyExclusiveMountOptions": { "type": "array", "items": { diff --git a/charts/weka/csi-wekafsplugin/values.yaml b/charts/weka/csi-wekafsplugin/values.yaml index d5181b592..d8937e054 100644 --- a/charts/weka/csi-wekafsplugin/values.yaml +++ b/charts/weka/csi-wekafsplugin/values.yaml 
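Review bot: `{{ range .Values.machineConfigLabels }}` emits one `kind: MachineConfig` document per label, but no `---` separator precedes each iteration, so with the default `["worker","master"]` the rendered file contains two documents run together, which Helm's YAML parser will most likely reject as duplicate keys rather than create two MachineConfigs; a `---` line directly after the `range` line fixes it. The policy file is only read by `semodule -i`, so `mode: 0644` is sufficient in place of `0755`. The base64 policy contents are not visible here, so the CIL itself cannot be reviewed. In the `values.schema.json` hunk on the same line, `fsGroupPolicy` is typed only as a string; if `File` and `None` are the only intended values, as the values.yaml comment states, `"enum": ["File", "None"]` would catch typos at install time.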
@@ -5,7 +5,7 @@ dynamicProvisionPath: "csi-volumes" # -- Name of the driver (and provisioner) csiDriverName: "csi.weka.io" # -- CSI driver version -csiDriverVersion: &csiDriverVersion 2.3.4 +csiDriverVersion: &csiDriverVersion 2.4.0 images: # -- CSI liveness probe sidecar image URL livenessprobesidecar: registry.k8s.io/sig-storage/livenessprobe:v2.12.0 @@ -19,6 +19,8 @@ images: resizersidecar: registry.k8s.io/sig-storage/csi-resizer:v1.9.3 # -- CSI snapshotter sidecar image URL snapshottersidecar: registry.k8s.io/sig-storage/csi-snapshotter:v6.3.3 + # -- CSI nodeinfo sidecar image URL, used for reading node metadata + nodeinfo: quay.io/weka.io/kubectl-sidecar:v1.29.2-1 # -- CSI driver main image URL csidriver: quay.io/weka.io/csi-wekafs # -- CSI driver tag @@ -34,6 +36,11 @@ controllerPluginTolerations: *globalPluginTolerations nodePluginTolerations: *globalPluginTolerations # -- Optional nodeSelector for CSI plugin deployment on certain Kubernetes nodes only nodeSelector: {} +# -- Optional setting for OCP platform only, which machineconfig pools to apply the Weka SELinux policy on +# NOTE: by default, the policy will be installed both on workers and control plane nodes +machineConfigLabels: + - "worker" + - "master" # Controller-specific parameters, please do not change unless explicitly guided controller: # -- Controller number of replicas @@ -78,6 +85,7 @@ priorityClassName: "" # In `mixed` mode, separate CSI node components will be installed on SELinux-enabled and regular hosts # In `off` mode, only non-SELinux-enabled node components will be run on hosts without label. # WARNING: if SELinux is not enabled, volume provisioning and publishing might fail! +# NOTE: SELinux support is enabled automatically on clusters recognized as RedHat OpenShift Container Platform selinuxSupport: "off" # -- This label must be set to `"true"` on SELinux-enabled Kubernetes nodes, # e.g., to run the node server in secure mode on SELinux-enabled node, the node must have label 
@@ -100,6 +108,9 @@ metrics: # @ignore tracingUrl: "" pluginConfig: + # -- CSI Driver support for fsGroupPolicy, may be either "File" or "None". Default is "File" + # -- WARNING: Changing this value might require uninstall and re-install of the plugin + fsGroupPolicy: "File" # -- Allow insecure HTTPS (skip TLS certificate verification) allowInsecureHttps: false objectNaming: diff --git a/charts/yugabyte/yugabyte/.helmignore b/charts/yugabyte/yugabyte/.helmignore new file mode 100644 index 000000000..3598c3003 --- /dev/null +++ b/charts/yugabyte/yugabyte/.helmignore @@ -0,0 +1 @@ +tests \ No newline at end of file diff --git a/charts/yugabyte/yugabyte/Chart.yaml b/charts/yugabyte/yugabyte/Chart.yaml index 2eabb7c8e..1d3220d9f 100644 --- a/charts/yugabyte/yugabyte/Chart.yaml +++ b/charts/yugabyte/yugabyte/Chart.yaml @@ -3,18 +3,20 @@ annotations: catalog.cattle.io/display-name: YugabyteDB catalog.cattle.io/kube-version: '>=1.18-0' catalog.cattle.io/release-name: yugabyte -apiVersion: v1 -appVersion: 2.14.17.0-b6 + charts.openshift.io/name: yugabyte +apiVersion: v2 +appVersion: 2.18.8.0-b42 description: YugabyteDB is the high-performance distributed SQL database for building global, internet-scale apps. home: https://www.yugabyte.com icon: https://avatars0.githubusercontent.com/u/17074854?s=200&v=4 +kubeVersion: '>=1.18-0' maintainers: -- email: ram@yugabyte.com - name: Ram Sri -- email: arnav@yugabyte.com - name: Arnav Agarwal +- email: sanketh@yugabyte.com + name: Sanketh Indarapu +- email: gjalla@yugabyte.com + name: Govardhan Reddy Jalla name: yugabyte sources: - https://github.com/yugabyte/yugabyte-db -version: 2.14.17 +version: 2.18.8 diff --git a/charts/yugabyte/yugabyte/app-readme.md b/charts/yugabyte/yugabyte/app-readme.md index 29540be6c..8878036d6 100644 --- a/charts/yugabyte/yugabyte/app-readme.md +++ b/charts/yugabyte/yugabyte/app-readme.md 
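Review bot: The two consecutive `# --` lines above `fsGroupPolicy` are each treated by helm-docs as the start of a description, so the generated README hunk earlier in this diff shows only the WARNING sentence and drops the statement of the allowed values. Making the second line a plain continuation, `# WARNING: Changing this value might require uninstall and re-install of the plugin`, keeps both sentences in the table.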
@@ -1 +1 @@ -This chart bootstraps an RF3 Yugabyte DB version 2.14.17.0-b6 cluster using the Helm Package Manager. +This chart bootstraps an RF3 YugabyteDB version 2.18.8.0-b42 cluster using the Helm Package Manager. diff --git a/charts/yugabyte/yugabyte/generate_kubeconfig.py b/charts/yugabyte/yugabyte/generate_kubeconfig.py index b974c0f2d..f4c2d14ab 100644 --- a/charts/yugabyte/yugabyte/generate_kubeconfig.py +++ b/charts/yugabyte/yugabyte/generate_kubeconfig.py 
@@ -11,84 +11,209 @@ from sys import exit import json import base64 import tempfile +import time +import os.path -def run_command(command_args, namespace=None, as_json=True): - command = ['kubectl'] +def run_command(command_args, namespace=None, as_json=True, log_command=True): + command = ["kubectl"] if namespace: - command.extend(['--namespace', namespace]) + command.extend(["--namespace", namespace]) command.extend(command_args) if as_json: - command.extend(['-o', 'json']) - return json.loads(check_output(command)) + command.extend(["-o", "json"]) + if log_command: + print("Running command: {}".format(" ".join(command))) + output = check_output(command) + if as_json: + return json.loads(output) else: - return check_output(command).decode('utf8') + return output.decode("utf8") -parser = argparse.ArgumentParser(description='Generate KubeConfig with Token') -parser.add_argument('-s', '--service_account', help='Service Account name', required=True) -parser.add_argument('-n', '--namespace', help='Kubernetes namespace', default='kube-system') -parser.add_argument('-c', '--context', help='kubectl context') +def create_sa_token_secret(directory, sa_name, namespace): + """Creates a service account token secret for sa_name in + namespace. Returns the name of the secret created. 
+ + Ref: + https://k8s.io/docs/concepts/configuration/secret/#service-account-token-secrets + + """ + token_secret = { + "apiVersion": "v1", + "data": { + "do-not-delete-used-for-yugabyte-anywhere": "MQ==", + }, + "kind": "Secret", + "metadata": { + "annotations": { + "kubernetes.io/service-account.name": sa_name, + }, + "name": sa_name, + }, + "type": "kubernetes.io/service-account-token", + } + token_secret_file_name = os.path.join(directory, "token_secret.yaml") + with open(token_secret_file_name, "w") as token_secret_file: + json.dump(token_secret, token_secret_file) + run_command(["apply", "-f", token_secret_file_name], namespace) + return sa_name + + +def get_secret_data(secret, namespace): + """Returns the secret in JSON format if it has ca.crt and token in + it, else returns None. It retries 3 times with 1 second timeout + for the secret to be populated with this data. + + """ + secret_data = None + num_retries = 5 + timeout = 2 + while True: + secret_json = run_command(["get", "secret", secret], namespace) + if "ca.crt" in secret_json["data"] and "token" in secret_json["data"]: + secret_data = secret_json + break + + num_retries -= 1 + if num_retries == 0: + break + print( + "Secret '{}' is not populated. Sleep {}s, ({} retries left)".format( + secret, timeout, num_retries + ) + ) + time.sleep(timeout) + return secret_data + + +def get_secrets_for_sa(sa_name, namespace): + """Returns a list of all service account token secrets associated + with the given sa_name in the namespace. 
+ + """ + secrets = run_command( + [ + "get", + "secret", + "--field-selector", + "type=kubernetes.io/service-account-token", + "-o", + 'jsonpath="{.items[?(@.metadata.annotations.kubernetes\.io/service-account\.name == "' + + sa_name + + '")].metadata.name}"', + ], + as_json=False, + ) + return secrets.strip('"').split() + + +parser = argparse.ArgumentParser(description="Generate KubeConfig with Token") +parser.add_argument("-s", "--service_account", help="Service Account name", required=True) +parser.add_argument("-n", "--namespace", help="Kubernetes namespace", default="kube-system") +parser.add_argument("-c", "--context", help="kubectl context") +parser.add_argument("-o", "--output_file", help="output file path") args = vars(parser.parse_args()) # if the context is not provided we use the current-context -context = args['context'] +context = args["context"] if context is None: - context = run_command(['config', 'current-context'], - args['namespace'], as_json=False) + context = run_command(["config", "current-context"], args["namespace"], as_json=False) -cluster_attrs = run_command(['config', 'get-contexts', context.strip(), - '--no-headers'], args['namespace'], as_json=False) +cluster_attrs = run_command( + ["config", "get-contexts", context.strip(), "--no-headers"], args["namespace"], as_json=False +) cluster_name = cluster_attrs.strip().split()[2] -endpoint = run_command(['config', 'view', '-o', - 'jsonpath="{.clusters[?(@.name =="' + - cluster_name + '")].cluster.server}"'], - args['namespace'], as_json=False) -service_account_info = run_command(['get', 'sa', args['service_account']], - args['namespace']) +endpoint = run_command( + [ + "config", + "view", + "-o", + 'jsonpath="{.clusters[?(@.name =="' + cluster_name + '")].cluster.server}"', + ], + args["namespace"], + as_json=False, +) +service_account_info = run_command(["get", "sa", args["service_account"]], args["namespace"]) + +tmpdir = tempfile.TemporaryDirectory() + +# Get the token and ca.crt from 
service account secret. +sa_secrets = list() + +# Get secrets specified in the service account, there can be multiple +# of them, and not all are service account token secrets. +if "secrets" in service_account_info: + sa_secrets = [secret["name"] for secret in service_account_info["secrets"]] + +# Find the existing additional service account token secrets +sa_secrets.extend(get_secrets_for_sa(args["service_account"], args["namespace"])) -# some ServiceAccounts have multiple secrets, and not all them have a -# ca.crt and a token. -sa_secrets = [secret['name'] for secret in service_account_info['secrets']] secret_data = None for secret in sa_secrets: - secret_json = run_command(['get', 'secret', secret], args['namespace']) - if 'ca.crt' not in secret_json['data'] and 'token' not in secret_json['data']: - continue - secret_data = secret_json + secret_data = get_secret_data(secret, args["namespace"]) + if secret_data is not None: + break + +# Kubernetes 1.22+ doesn't create the service account token secret by +# default, we have to create one. 
if secret_data is None: - exit("No usable secret found for '{}'.".format(args['service_account'])) + print("No usable secret found for '{}', creating one.".format(args["service_account"])) + token_secret = create_sa_token_secret(tmpdir.name, args["service_account"], args["namespace"]) + secret_data = get_secret_data(token_secret, args["namespace"]) + if secret_data is None: + exit( + "Failed to generate kubeconfig: No usable credentials found for '{}'.".format( + args["service_account"] + ) + ) -context_name = '{}-{}'.format(args['service_account'], cluster_name) -kube_config = '/tmp/{}.conf'.format(args['service_account']) -with tempfile.NamedTemporaryFile() as ca_crt_file: - ca_crt = base64.b64decode(secret_data['data']['ca.crt']) - ca_crt_file.write(ca_crt) - ca_crt_file.flush() - # create kubeconfig entry - set_cluster_cmd = ['config', 'set-cluster', cluster_name, - '--kubeconfig={}'.format(kube_config), - '--server={}'.format(endpoint.strip('"')), - '--embed-certs=true', - '--certificate-authority={}'.format(ca_crt_file.name)] - run_command(set_cluster_cmd, as_json=False) +context_name = "{}-{}".format(args["service_account"], cluster_name) +kube_config = args["output_file"] +if not kube_config: + kube_config = "/tmp/{}.conf".format(args["service_account"]) -user_token = base64.b64decode(secret_data['data']['token']).decode('utf-8') -set_credentials_cmd = ['config', 'set-credentials', context_name, - '--token={}'.format(user_token), - '--kubeconfig={}'.format(kube_config)] -run_command(set_credentials_cmd, as_json=False) -set_context_cmd = ['config', 'set-context', context_name, - '--cluster={}'.format(cluster_name), - '--user={}'.format(context_name), - '--kubeconfig={}'.format(kube_config)] +ca_crt_file_name = os.path.join(tmpdir.name, "ca.crt") +ca_crt_file = open(ca_crt_file_name, "wb") +ca_crt_file.write(base64.b64decode(secret_data["data"]["ca.crt"])) +ca_crt_file.close() + +# create kubeconfig entry +set_cluster_cmd = [ + "config", + "set-cluster", + 
cluster_name, + "--kubeconfig={}".format(kube_config), + "--server={}".format(endpoint.strip('"')), + "--embed-certs=true", + "--certificate-authority={}".format(ca_crt_file_name), +] +run_command(set_cluster_cmd, as_json=False) + +user_token = base64.b64decode(secret_data["data"]["token"]).decode("utf-8") +set_credentials_cmd = [ + "config", + "set-credentials", + context_name, + "--token={}".format(user_token), + "--kubeconfig={}".format(kube_config), +] +run_command(set_credentials_cmd, as_json=False, log_command=False) + +set_context_cmd = [ + "config", + "set-context", + context_name, + "--cluster={}".format(cluster_name), + "--user={}".format(context_name), + "--kubeconfig={}".format(kube_config), +] run_command(set_context_cmd, as_json=False) -use_context_cmd = ['config', 'use-context', context_name, - '--kubeconfig={}'.format(kube_config)] +use_context_cmd = ["config", "use-context", context_name, "--kubeconfig={}".format(kube_config)] run_command(use_context_cmd, as_json=False) print("Generated the kubeconfig file: {}".format(kube_config)) diff --git a/charts/yugabyte/yugabyte/openshift.values.yaml b/charts/yugabyte/yugabyte/openshift.values.yaml new file mode 100644 index 000000000..d2784b23e --- /dev/null +++ b/charts/yugabyte/yugabyte/openshift.values.yaml @@ -0,0 +1,4 @@ +# OCP compatible values for yugabyte + +Image: + repository: "quay.io/yugabyte/yugabyte-ubi" diff --git a/charts/yugabyte/yugabyte/questions.yaml b/charts/yugabyte/yugabyte/questions.yaml index c88fd43c0..6befa49e1 100644 --- a/charts/yugabyte/yugabyte/questions.yaml +++ b/charts/yugabyte/yugabyte/questions.yaml @@ -16,7 +16,7 @@ questions: label: YugabyteDB image repository description: "YugabyteDB image repository" - variable: Image.tag - default: "2.14.1.0-b36" + default: "2.5.1.0-b153" required: true type: string label: YugabyteDB image tag 
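Review bot: The default for `Image.tag` in questions.yaml moves from `2.14.1.0-b36` back to `2.5.1.0-b153`, which reads as an accidental downgrade rather than a version bump; if the Rancher questions file is deliberately pinning an older image, a comment saying why belongs next to it, otherwise the default should match the image tag the rest of this chart targets. A one-line fix would be `default: "<current chart image tag>"` (placeholder; the intended tag is not visible in this diff).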
diff --git a/charts/yugabyte/yugabyte/templates/_helpers.tpl b/charts/yugabyte/yugabyte/templates/_helpers.tpl index 27697d799..7d80ece43 100644 --- a/charts/yugabyte/yugabyte/templates/_helpers.tpl +++ b/charts/yugabyte/yugabyte/templates/_helpers.tpl @@ -26,7 +26,7 @@ Generate common labels. {{- define "yugabyte.labels" }} heritage: {{ .Values.helm2Legacy | ternary "Tiller" (.Release.Service | quote) }} release: {{ .Release.Name | quote }} -chart: {{ .Values.oldNamingStyle | ternary .Chart.Name (include "yugabyte.chart" .) | quote }} +chart: {{ .Chart.Name | quote }} component: {{ .Values.Component | quote }} {{- if .Values.commonLabels}} {{ toYaml .Values.commonLabels }} 
@@ -56,6 +56,89 @@ release: {{ .root.Release.Name | quote }} {{- end }} {{- end }} +{{/* +Create secrets in DBNamespace from other namespaces by iterating over envSecrets. +*/}} +{{- define "yugabyte.envsecrets" -}} +{{- range $v := .secretenv }} +{{- if $v.valueFrom.secretKeyRef.namespace }} +{{- $secretObj := (lookup +"v1" +"Secret" +$v.valueFrom.secretKeyRef.namespace +$v.valueFrom.secretKeyRef.name) +| default dict }} +{{- $secretData := (get $secretObj "data") | default dict }} +{{- $secretValue := (get $secretData $v.valueFrom.secretKeyRef.key) | default "" }} +{{- if (and (not $secretValue) (not $v.valueFrom.secretKeyRef.optional)) }} +{{- required (printf "Secret or key missing for %s/%s in namespace: %s" +$v.valueFrom.secretKeyRef.name +$v.valueFrom.secretKeyRef.key +$v.valueFrom.secretKeyRef.namespace) +nil }} +{{- end }} +{{- if $secretValue }} +apiVersion: v1 +kind: Secret +metadata: + {{- $secretfullname := printf "%s-%s-%s-%s" + $.root.Release.Name + $v.valueFrom.secretKeyRef.namespace + $v.valueFrom.secretKeyRef.name + $v.valueFrom.secretKeyRef.key + }} + name: {{ printf "%s-%s-%s-%s-%s-%s" + $.root.Release.Name + ($v.valueFrom.secretKeyRef.namespace | substr 0 5) + ($v.valueFrom.secretKeyRef.name | substr 0 5) + ( $v.valueFrom.secretKeyRef.key | substr 0 5) + (sha256sum $secretfullname | substr 0 4) + ($.suffix) + | lower | replace "." "" | replace "_" "" + }} + namespace: "{{ $.root.Release.Namespace }}" + labels: + {{- include "yugabyte.labels" $.root | indent 4 }} +type: Opaque # should it be an Opaque secret? +data: + {{ $v.valueFrom.secretKeyRef.key }}: {{ $secretValue | quote }} +{{- end }} +{{- end }} +--- +{{- end }} +{{- end }} + +{{/* +Add env secrets to DB statefulset. 
+*/}} +{{- define "yugabyte.addenvsecrets" -}} +{{- range $v := .secretenv }} +- name: {{ $v.name }} + valueFrom: + secretKeyRef: + {{- if $v.valueFrom.secretKeyRef.namespace }} + {{- $secretfullname := printf "%s-%s-%s-%s" + $.root.Release.Name + $v.valueFrom.secretKeyRef.namespace + $v.valueFrom.secretKeyRef.name + $v.valueFrom.secretKeyRef.key + }} + name: {{ printf "%s-%s-%s-%s-%s-%s" + $.root.Release.Name + ($v.valueFrom.secretKeyRef.namespace | substr 0 5) + ($v.valueFrom.secretKeyRef.name | substr 0 5) + ($v.valueFrom.secretKeyRef.key | substr 0 5) + (sha256sum $secretfullname | substr 0 4) + ($.suffix) + | lower | replace "." "" | replace "_" "" + }} + {{- else }} + name: {{ $v.valueFrom.secretKeyRef.name }} + {{- end }} + key: {{ $v.valueFrom.secretKeyRef.key }} + optional: {{ $v.valueFrom.secretKeyRef.optional | default "false" }} +{{- end }} +{{- end }} {{/* Create Volume name. */}} @@ -84,18 +167,21 @@ Generate a preflight check script invocation. */}} {{- define "yugabyte.preflight_check" -}} {{- if not .Values.preflight.skipAll -}} +{{- $port := .Preflight.Port -}} +{{- range $addr := split "," .Preflight.Addr -}} if [ -f /home/yugabyte/tools/k8s_preflight.py ]; then PYTHONUNBUFFERED="true" /home/yugabyte/tools/k8s_preflight.py \ dnscheck \ - --addr="{{ .Preflight.Addr }}" \ -{{- if not .Values.preflight.skipBind }} - --port="{{ .Preflight.Port }}" + --addr="{{ $addr }}" \ +{{- if not $.Values.preflight.skipBind }} + --port="{{ $port }}" {{- else }} --skip_bind {{- end }} fi && \ -{{- end -}} -{{- end -}} +{{ end }} +{{- end }} +{{- end }} {{/* Get YugaByte fs data directories. 
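Review bot: `yugabyte.envsecrets` copies Secret values from other namespaces into the release namespace via `lookup`, so every copied value is also persisted in the Helm release record and becomes readable to anyone with Secret read access in the release namespace; this trust-boundary change is not stated in the template comment. `lookup` also returns an empty dict under `helm template` and `--dry-run`, so every non-`optional` entry then fails with the `required` error, which should be documented as well. The `type: Opaque # should it be an Opaque secret?` question should be resolved before merge — the copied data is an arbitrary key/value pair, so `Opaque` is correct and the comment can go. Suggested header comment: `Copies the referenced key into a Secret in the release namespace. The value is stored in the Helm release history and is NOT re-synced when the source Secret changes. Unavailable under helm template / --dry-run (lookup returns nothing), where non-optional entries fail.`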
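Review bot: `split "," .Preflight.Addr` treats each entry as a bare address, but the comma-separated value this was presumably added for is the new `$(POD_IP):<port>,127.0.0.1:<port>` form returned by `yugabyte.rpc_bind_address`, so `--addr="{{ $addr }}"` can receive an `addr:port` string while `--port` is passed separately (how `$rpcDict` is built is outside this hunk). Either strip the port before the loop or state in the define's comment that `Preflight.Addr` entries must be address-only. The closing `{{ end }}` without trim markers keeps the newline after `fi && \`, which appears intentional to separate iterations; a short comment such as `{{/* no trim: keep the newline so each iteration ends its own line */}}` would stop it being "fixed" later.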
@@ -130,12 +216,20 @@ echo "disk check at: $(date)" \ Generate server FQDN. */}} {{- define "yugabyte.server_fqdn" -}} - {{- if (and .Values.istioCompatibility.enabled .Values.multicluster.createServicePerPod) -}} + {{- if .Values.multicluster.createServicePerPod -}} {{- printf "$(HOSTNAME).$(NAMESPACE).svc.%s" .Values.domainName -}} + {{- else if (and .Values.oldNamingStyle .Values.multicluster.createServiceExports) -}} + {{ $membershipName := required "A valid membership name is required! Please set multicluster.kubernetesClusterId" .Values.multicluster.kubernetesClusterId }} + {{- printf "$(HOSTNAME).%s.%s.$(NAMESPACE).svc.clusterset.local" $membershipName .Service.name -}} {{- else if .Values.oldNamingStyle -}} {{- printf "$(HOSTNAME).%s.$(NAMESPACE).svc.%s" .Service.name .Values.domainName -}} {{- else -}} - {{- printf "$(HOSTNAME).%s-%s.$(NAMESPACE).svc.%s" (include "yugabyte.fullname" .) .Service.name .Values.domainName -}} + {{- if .Values.multicluster.createServiceExports -}} + {{ $membershipName := required "A valid membership name is required! Please set multicluster.kubernetesClusterId" .Values.multicluster.kubernetesClusterId }} + {{- printf "$(HOSTNAME).%s.%s-%s.$(NAMESPACE).svc.clusterset.local" $membershipName (include "yugabyte.fullname" .) .Service.name -}} + {{- else -}} + {{- printf "$(HOSTNAME).%s-%s.$(NAMESPACE).svc.%s" (include "yugabyte.fullname" .) .Service.name .Values.domainName -}} + {{- end -}} {{- end -}} {{- end -}} 
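Review bot: The two new `{{ $membershipName := required ... }}` actions in `yugabyte.server_fqdn` use `{{ }}` without trim markers while every sibling action in the define uses `{{- -}}`, so the surrounding indentation and newline are emitted into the output and become leading whitespace in the FQDN handed to callers (unless every caller trims it). Change both to `{{- $membershipName := required "A valid membership name is required! Please set multicluster.kubernetesClusterId" .Values.multicluster.kubernetesClusterId -}}`. It would also help to note in the define's comment that the `clusterset.local` names only resolve when `multicluster.kubernetesClusterId` equals the cluster's membership name as registered with the MCS controller.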
@@ -148,10 +242,25 @@ Generate server broadcast address. {{/* Generate server RPC bind address. + +In case of multi-cluster services (MCS), we set it to $(POD_IP) to +ensure YCQL uses a resolvable address. +See https://github.com/yugabyte/yugabyte-db/issues/16155 + +We use a workaround for above in case of Istio by setting it to +$(POD_IP) and localhost. Master doesn't support that combination, so +we stick to 0.0.0.0, which works for master. */}} {{- define "yugabyte.rpc_bind_address" -}} + {{- $port := index .Service.ports "tcp-rpc-port" -}} {{- if .Values.istioCompatibility.enabled -}} - 0.0.0.0:{{ index .Service.ports "tcp-rpc-port" -}} + {{- if (eq .Service.name "yb-masters") -}} + 0.0.0.0:{{ $port }} + {{- else -}} + $(POD_IP):{{ $port }},127.0.0.1:{{ $port }} + {{- end -}} + {{- else if (or .Values.multicluster.createServiceExports .Values.multicluster.createServicePerPod) -}} + $(POD_IP):{{ $port }} {{- else -}} {{- include "yugabyte.server_fqdn" . -}} {{- end -}} @@ -168,7 +277,7 @@ Generate server web interface. Generate server CQL proxy bind address. */}} {{- define "yugabyte.cql_proxy_bind_address" -}} - {{- if .Values.istioCompatibility.enabled -}} + {{- if or .Values.istioCompatibility.enabled .Values.multicluster.createServiceExports .Values.multicluster.createServicePerPod -}} 0.0.0.0:{{ index .Service.ports "tcp-yql-port" -}} {{- else -}} {{- include "yugabyte.server_fqdn" . -}} 
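Review bot: `yugabyte.cql_proxy_bind_address` now binds YCQL on `0.0.0.0` whenever either multicluster option is set, not only under Istio, but unlike the `rpc_bind_address` hunk above it carries no comment explaining why; with an all-interfaces bind, client-to-server TLS (`tls.clientToServer`) and NetworkPolicy are the only access controls left on the YCQL port, which is worth stating. Suggested comment above the define: `Bind on all interfaces for Istio and multi-cluster services, where the pod/service FQDN is not a resolvable bind address (see rpc_bind_address); access to the YCQL port then relies on TLS and NetworkPolicy.`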
@@ -213,10 +322,10 @@ Compute the maximum number of unavailable pods based on the number of master rep Set consistent issuer name. */}} {{- define "yugabyte.tls_cm_issuer" -}} - {{- if .Values.tls.certManager.useClusterIssuer -}} - {{ .Values.tls.certManager.clusterIssuer }} - {{- else -}} + {{- if .Values.tls.certManager.bootstrapSelfsigned -}} {{ .Values.oldNamingStyle | ternary "yugabyte-selfsigned" (printf "%s-selfsigned" (include "yugabyte.fullname" .)) }} + {{- else -}} + {{ .Values.tls.certManager.useClusterIssuer | ternary .Values.tls.certManager.clusterIssuer .Values.tls.certManager.issuer}} {{- end -}} {{- end -}} @@ -256,3 +365,51 @@ Set consistent issuer name. {{- end -}} {{- end -}} {{- end -}} + +{{/* + Default nodeAffinity for multi-az deployments +*/}} +{{- define "yugabyte.multiAZNodeAffinity" -}} +requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: failure-domain.beta.kubernetes.io/zone + operator: In + values: + - {{ quote .Values.AZ }} + - matchExpressions: + - key: topology.kubernetes.io/zone + operator: In + values: + - {{ quote .Values.AZ }} +{{- end -}} + +{{/* + Default podAntiAffinity for master and tserver + + This requires "appLabelArgs" to be passed in - defined in service.yaml + we have a .root and a .label in appLabelArgs +*/}} +{{- define "yugabyte.podAntiAffinity" -}} +preferredDuringSchedulingIgnoredDuringExecution: +- weight: 100 + podAffinityTerm: + labelSelector: + matchExpressions: + {{- if .root.Values.oldNamingStyle }} + - key: app + operator: In + values: + - "{{ .label }}" + {{- else }} + - key: app.kubernetes.io/name + operator: In + values: + - "{{ .label }}" + - key: release + operator: In + values: + - {{ .root.Release.Name | quote }} + {{- end }} + topologyKey: kubernetes.io/hostname +{{- end -}} diff --git a/charts/yugabyte/yugabyte/templates/certificates.yaml b/charts/yugabyte/yugabyte/templates/certificates.yaml index f8dd4acb5..07fc2e5f5 100644 
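Review bot: In `yugabyte.tls_cm_issuer` the new else branch renders `.Values.tls.certManager.issuer` when `useClusterIssuer` is false, but nothing checks that `issuer` is set, so `bootstrapSelfsigned: false` with no issuer silently produces Certificate resources with an empty issuer name instead of failing at render time; note that `required` cannot simply be wrapped around the `ternary` argument because `ternary` evaluates both branches, so the define needs an explicit `if`/`else if` chain (below, also adding the missing space before `}}`). This is also a behaviour change for existing users — `useClusterIssuer: false` used to mean self-signed and now means a named Issuer — and should be called out in the chart's upgrade notes.

```helm
{{- define "yugabyte.tls_cm_issuer" -}}
  {{- if .Values.tls.certManager.bootstrapSelfsigned -}}
  {{ .Values.oldNamingStyle | ternary "yugabyte-selfsigned" (printf "%s-selfsigned" (include "yugabyte.fullname" .)) }}
  {{- else if .Values.tls.certManager.useClusterIssuer -}}
  {{ required "tls.certManager.clusterIssuer must be set when useClusterIssuer is true" .Values.tls.certManager.clusterIssuer }}
  {{- else -}}
  {{ required "tls.certManager.issuer must be set when bootstrapSelfsigned and useClusterIssuer are both false" .Values.tls.certManager.issuer }}
  {{- end -}}
{{- end -}}
```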
--- a/charts/yugabyte/yugabyte/templates/certificates.yaml +++ b/charts/yugabyte/yugabyte/templates/certificates.yaml @@ -1,7 +1,7 @@ {{- $root := . -}} --- {{- if $root.Values.tls.certManager.enabled }} -{{- if not $root.Values.tls.certManager.useClusterIssuer }} +{{- if $root.Values.tls.certManager.bootstrapSelfsigned }} --- apiVersion: cert-manager.io/v1 kind: Issuer @@ -37,13 +37,38 @@ spec: ca: secretName: {{ $root.Values.oldNamingStyle | ternary "yugabyte-ca" (printf "%s-ca" (include "yugabyte.fullname" $root)) }} --- +{{- else }} +{{/* when bootstrapSelfsigned = false, ie. when using an external CA. +Create a Secret with just the rootCA.cert value and mount into master/tserver pods. +This will be used as a fall back in case the Secret generated by cert-manager does not +have a root ca.crt. This can happen for certain certificate issuers like LetsEncrypt. +*/}} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ printf "%s-root-ca" (include "yugabyte.fullname" $root) }} + namespace: "{{ $root.Release.Namespace }}" + labels: + {{- include "yugabyte.labels" $root | indent 4 }} +type: Opaque +data: + ca.crt: {{ $root.Values.tls.rootCA.cert }} +--- {{- end }} +{{/* +The below Certificate resource will trigger cert-manager to issue crt/key into Secrets. +These secrets are mounted into master/tserver pods. +*/}} {{- range .Values.Services }} {{- $service := . -}} {{- $appLabelArgs := dict "label" .label "root" $root -}} {{- $serviceValues := (dict "Service" $service "Values" $root.Values "Chart" $root.Chart "Release" $root.Release) -}} +{{- $replicas := (eq .name "yb-masters") | ternary $root.Values.replicas.master $root.Values.replicas.tserver -}} + +{{- if (gt (int $replicas) 0) }} --- apiVersion: cert-manager.io/v1 kind: Certificate 
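Review bot: The fallback root-CA Secret renders `ca.crt: {{ $root.Values.tls.rootCA.cert }}` unconditionally when `bootstrapSelfsigned` is false, so a values file that relies purely on cert-manager and leaves `tls.rootCA.cert` empty produces a Secret with a null `ca.crt`, and one that supplies PEM instead of base64 produces an invalid Secret; service.yaml's existing `{{- if $root.Values.tls.rootCA.key }}` shows the chart already treats these values as optional. Guard it with `ca.crt: {{ required "tls.rootCA.cert (base64-encoded) is required when tls.certManager.bootstrapSelfsigned is false" $root.Values.tls.rootCA.cert }}` or wrap the whole resource in `{{- if $root.Values.tls.rootCA.cert }}`, and say in the template comment that the value must be base64-encoded because it lands under `data:` rather than `stringData:`.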
@@ -65,28 +90,29 @@ spec: secretName: {{ $root.Values.oldNamingStyle | ternary (printf "%s-yugabyte-tls-cert" $service.label) (printf "%s-%s-tls-cert" (include "yugabyte.fullname" $root) $service.label) }} duration: {{ $root.Values.tls.certManager.certificates.duration | quote }} renewBefore: {{ $root.Values.tls.certManager.certificates.renewBefore | quote }} - commonName: yugabyte-{{ .name }} isCA: false privateKey: algorithm: {{ $root.Values.tls.certManager.certificates.algorithm | quote }} encoding: PKCS8 size: {{ $root.Values.tls.certManager.certificates.keySize }} + rotationPolicy: Always usages: - server auth - client auth # At least one of a DNS Name, URI, or IP address is required. dnsNames: - {{- $replicas := (eq .name "yb-masters") | ternary $root.Values.replicas.master $root.Values.replicas.tserver -}} {{- range $index := until ( int ( $replicas ) ) }} {{- $nodeOldStyle := printf "%s-%d.%s.%s.svc.%s" $service.label $index $service.name $root.Release.Namespace $root.Values.domainName }} {{- $nodeNewStyle := printf "%s-%s-%d.%s-%s.%s.svc.%s" (include "yugabyte.fullname" $root) $service.label $index (include "yugabyte.fullname" $root) $service.name $root.Release.Namespace $root.Values.domainName }} {{- $node := $root.Values.oldNamingStyle | ternary $nodeOldStyle $nodeNewStyle }} - {{$node}} {{- end }} + - {{ printf "%s-%s.%s.svc.%s" (include "yugabyte.fullname" $root) $service.name $root.Release.Namespace $root.Values.domainName }} uris: [] ipAddresses: [] --- {{- end }} +{{- end }} --- apiVersion: cert-manager.io/v1 @@ -114,6 +140,7 @@ spec: algorithm: {{ $root.Values.tls.certManager.certificates.algorithm | quote }} encoding: PKCS8 size: {{ $root.Values.tls.certManager.certificates.keySize }} + rotationPolicy: Always usages: - client auth dnsNames: [] diff --git a/charts/yugabyte/yugabyte/templates/debug_config_map.yaml b/charts/yugabyte/yugabyte/templates/debug_config_map.yaml new file mode 100644 index 000000000..a15c4fc9a --- /dev/null 
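Review bot: The new headless-service SAN `{{ printf "%s-%s.%s.svc.%s" (include "yugabyte.fullname" $root) $service.name ... }}` always uses the fullname-prefixed service name, while the per-node SANs two lines above honour `$root.Values.oldNamingStyle` (where the service is just `$service.name`), so under oldNamingStyle the certificate carries a SAN for a service that does not exist and lacks the one that does. Mirror the existing ternary: `- {{ $root.Values.oldNamingStyle | ternary (printf "%s.%s.svc.%s" $service.name $root.Release.Namespace $root.Values.domainName) (printf "%s-%s.%s.svc.%s" (include "yugabyte.fullname" $root) $service.name $root.Release.Namespace $root.Values.domainName) }}`. Dropping `commonName` is fine for SAN-based verifiers, but clients that still match on CN will stop matching, so it belongs in the changelog.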
+++ b/charts/yugabyte/yugabyte/templates/debug_config_map.yaml
@@ -0,0 +1,23 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ include "yugabyte.fullname" . }}-master-hooks
+ namespace: "{{ .Release.Namespace }}"
+data:
+{{- range $index := until ( int ( .Values.replicas.master ) ) }}
+ yb-master-{{.}}-pre_debug_hook.sh: "echo 'hello-from-pre' "
+ yb-master-{{.}}-post_debug_hook.sh: "echo 'hello-from-post' "
+{{- end }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ include "yugabyte.fullname" . }}-tserver-hooks
+ namespace: "{{ .Release.Namespace }}"
+data:
+{{- range $index := until ( int ( .Values.replicas.tserver) ) }}
+ yb-tserver-{{.}}-pre_debug_hook.sh: "echo 'hello-from-pre' "
+ yb-tserver-{{.}}-post_debug_hook.sh: "echo 'hello-from-post' "
+{{- end }}
+---
diff --git a/charts/yugabyte/yugabyte/templates/multicluster-common-tserver-service.yaml b/charts/yugabyte/yugabyte/templates/multicluster/common-tserver-service.yaml
similarity index 100%
rename from charts/yugabyte/yugabyte/templates/multicluster-common-tserver-service.yaml
rename to charts/yugabyte/yugabyte/templates/multicluster/common-tserver-service.yaml
diff --git a/charts/yugabyte/yugabyte/templates/multicluster/mcs-service-export.yaml b/charts/yugabyte/yugabyte/templates/multicluster/mcs-service-export.yaml
new file mode 100644
index 000000000..eeafcb1bb
--- /dev/null
+++ b/charts/yugabyte/yugabyte/templates/multicluster/mcs-service-export.yaml
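Review bot: The new ConfigMap ships placeholder `pre_debug_hook.sh`/`post_debug_hook.sh` entries that the service.yaml volumeMounts hunk mounts into every master and tserver container at `/opt/debug_hooks_config`, and the key names suggest the database start-up path executes them; if so, anyone with write access to ConfigMaps in the release namespace can run commands inside the database pods, which is a much larger privilege than ConfigMap edit normally implies. The template has no comment and no values toggle; it should document what consumes these keys and, since they look like a debugging aid, be gated behind a value so production installs do not mount an executable-script ConfigMap by default, e.g. `{{- if .Values.debugHooks.enabled }}` (`debugHooks.enabled` is a placeholder name). Whether and how the scripts are executed is not visible in this diff.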
@@ -0,0 +1,21 @@
+{{- /*
+ Ref - https://cloud.google.com/kubernetes-engine/docs/how-to/multi-cluster-services#registering_a_service_for_export
+ https://github.com/kubernetes/enhancements/tree/master/keps/sig-multicluster/1645-multi-cluster-services-api#exporting-services
+*/}}
+{{- if .Values.multicluster.createServiceExports }}
+apiVersion: {{ .Values.multicluster.mcsApiVersion }}
+kind: ServiceExport
+metadata:
+ name: {{ .Values.oldNamingStyle | ternary "yb-masters" (printf "%s-%s" (include "yugabyte.fullname" .) "yb-masters") | quote }}
+ namespace: "{{ .Release.Namespace }}"
+ labels:
+ {{- include "yugabyte.labels" . | indent 4 }}
+---
+apiVersion: {{ .Values.multicluster.mcsApiVersion }}
+kind: ServiceExport
+metadata:
+ name: {{ .Values.oldNamingStyle | ternary "yb-tservers" (printf "%s-%s" (include "yugabyte.fullname" .) "yb-tservers") | quote }}
+ namespace: "{{ .Release.Namespace }}"
+ labels:
+ {{- include "yugabyte.labels" . | indent 4 }}
+{{ end -}}
diff --git a/charts/yugabyte/yugabyte/templates/multicluster-multiple-services.yaml b/charts/yugabyte/yugabyte/templates/multicluster/service-per-pod.yaml
similarity index 82%
rename from charts/yugabyte/yugabyte/templates/multicluster-multiple-services.yaml
rename to charts/yugabyte/yugabyte/templates/multicluster/service-per-pod.yaml
index a26b39018..15e09dce8 100644
--- a/charts/yugabyte/yugabyte/templates/multicluster-multiple-services.yaml
+++ b/charts/yugabyte/yugabyte/templates/multicluster/service-per-pod.yaml
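Review bot: Exporting the master and tserver services makes their RPC and proxy ports resolvable and reachable from every member cluster of the ClusterSet, a wider exposure than the in-cluster headless services, and the header comment only links the MCS docs. Add a sentence to it such as `ServiceExport makes these services reachable from all member clusters; enable tls.enabled and tls.clientToServer and restrict access with NetworkPolicy when exporting.` The closing `{{ end -}}` also differs from the `{{- end }}` form used throughout the rest of this chart.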
@@ -11,11 +11,19 @@ metadata: labels: {{- include "yugabyte.applabel" ($appLabelArgs) | indent 4 }} {{- include "yugabyte.labels" $ | indent 4 }} + service-type: "non-endpoint" spec: ports: {{- range $label, $port := $server.ports }} + {{- if (eq $label "grpc-ybc-port") }} + {{- if $.Values.ybc.enabled }} - name: {{ $label | quote }} port: {{ $port }} + {{- end }} + {{- else }} + - name: {{ $label | quote }} + port: {{ $port }} + {{- end }} {{- end}} selector: statefulset.kubernetes.io/pod-name: {{ $podName | quote }} diff --git a/charts/yugabyte/yugabyte/templates/secrets.yaml b/charts/yugabyte/yugabyte/templates/secrets.yaml new file mode 100644 index 000000000..0bd903457 --- /dev/null +++ b/charts/yugabyte/yugabyte/templates/secrets.yaml @@ -0,0 +1,7 @@ +{{- $root := . -}} +--- # Create secrets from other namespaces for masters. +{{- $data := dict "secretenv" $.Values.master.secretEnv "root" . "suffix" "master"}} +{{- include "yugabyte.envsecrets" $data }} +--- # Create secrets from other namespaces for tservers. +{{- $data := dict "secretenv" $.Values.tserver.secretEnv "root" . "suffix" "tserver" }} +{{- include "yugabyte.envsecrets" $data }} \ No newline at end of file diff --git a/charts/yugabyte/yugabyte/templates/service.yaml b/charts/yugabyte/yugabyte/templates/service.yaml index f44ece98d..f3fc56a83 100644 --- a/charts/yugabyte/yugabyte/templates/service.yaml +++ b/charts/yugabyte/yugabyte/templates/service.yaml @@ -24,7 +24,7 @@ data: {{- end }} --- {{- end }} - +--- {{- range .Values.Services }} {{- $service := . -}} {{- $appLabelArgs := dict "label" .label "root" $root -}} 
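Review bot: The `grpc-ybc-port` handling duplicates the `- name`/`port` pair in both branches of a nested `if`, and the same shape is repeated in service.yaml's `@@ -75,13 +92,20 @@` hunk, so the two copies can drift. A single condition reads better: `{{- if or (ne $label "grpc-ybc-port") $.Values.ybc.enabled }}` followed by the original two lines and one `{{- end }}`; in service.yaml the root is `$root` instead of `$`.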
@@ -46,12 +46,29 @@ data: {{- range $index := until ( int ( $replicas ) ) }} {{- $nodeOldStyle := printf "%s-%d.%s.%s.svc.%s" $service.label $index $service.name $root.Release.Namespace $root.Values.domainName }} {{- $nodeNewStyle := printf "%s-%s-%d.%s-%s.%s.svc.%s" (include "yugabyte.fullname" $root) $service.label $index (include "yugabyte.fullname" $root) $service.name $root.Release.Namespace $root.Values.domainName }} + +{{- if $root.Values.multicluster.createServiceExports -}} + {{- $nodeOldStyle = printf "%s-%d.%s.%s.%s.svc.clusterset.local" $service.label $index $root.Values.multicluster.kubernetesClusterId $service.name $root.Release.Namespace }} + {{- $nodeNewStyle = printf "%s-%s-%d.%s.%s-%s.%s.svc.clusterset.local" (include "yugabyte.fullname" $root) $service.label $index $root.Values.multicluster.kubernetesClusterId (include "yugabyte.fullname" $root) $service.name $root.Release.Namespace }} +{{- end -}} + +{{- if $root.Values.multicluster.createServicePerPod -}} + {{- $nodeOldStyle = printf "%s-%d.%s.svc.%s" $service.label $index $root.Release.Namespace $root.Values.domainName }} + {{- $nodeNewStyle = printf "%s-%s-%d.%s.svc.%s" (include "yugabyte.fullname" $root) $service.label $index $root.Release.Namespace $root.Values.domainName }} +{{- end -}} + {{- $node := $root.Values.oldNamingStyle | ternary $nodeOldStyle $nodeNewStyle }} {{- if $root.Values.tls.rootCA.key }} -{{- $dns1 := printf "*.*.%s" $root.Release.Namespace }} +{{- $dns1 := printf "*.%s-%s.%s" (include "yugabyte.fullname" $root) $service.name $root.Release.Namespace }} {{- $dns2 := printf "%s.svc.%s" $dns1 $root.Values.domainName }} +{{- if $root.Values.multicluster.createServiceExports -}} + {{- $dns1 = printf "*.%s.%s-%s.%s.svc.clusterset.local" $root.Values.multicluster.kubernetesClusterId (include "yugabyte.fullname" $root) $service.name $root.Release.Namespace }} +{{- end -}} +{{- if $root.Values.multicluster.createServicePerPod -}} + {{- $dns1 = printf "*.%s.svc.%s" 
$root.Release.Namespace $root.Values.domainName }} +{{- end -}} {{- $rootCA := buildCustomCert $root.Values.tls.rootCA.cert $root.Values.tls.rootCA.key -}} -{{- $server := genSignedCert $node ( default nil ) (list $dns1 $dns2 ) 3650 $rootCA }} +{{- $server := genSignedCert $node ( default nil ) (list $node $dns1 $dns2 ) 3650 $rootCA }} node.{{$node}}.crt: {{ $server.Cert | b64enc }} node.{{$node}}.key: {{ $server.Key | b64enc }} {{- else }} @@ -75,13 +92,20 @@ spec: clusterIP: None ports: {{- range $label, $port := .ports }} + {{- if (eq $label "grpc-ybc-port") }} + {{- if $root.Values.ybc.enabled }} - name: {{ $label | quote }} port: {{ $port }} + {{- end }} + {{- else }} + - name: {{ $label | quote }} + port: {{ $port }} + {{- end }} {{- end}} selector: {{- include "yugabyte.appselector" ($appLabelArgs) | indent 4 }} -{{ if $root.Values.enableLoadBalancer }} +{{- if $root.Values.enableLoadBalancer }} {{- range $endpoint := $root.Values.serviceEndpoints }} {{- if eq $service.label $endpoint.app }} --- @@ -94,11 +118,12 @@ metadata: labels: {{- include "yugabyte.applabel" ($appLabelArgs) | indent 4 }} {{- include "yugabyte.labels" $root | indent 4 }} + service-type: "endpoint" spec: - {{ if eq $root.Release.Service "Tiller" }} + {{- if eq $root.Release.Service "Tiller" }} clusterIP: - {{ else }} - {{ if $endpoint.clusterIP }} + {{- else }} + {{- if $endpoint.clusterIP }} clusterIP: {{ $endpoint.clusterIP }} {{- end }} {{- end }} @@ -116,7 +141,7 @@ spec: {{- end }} {{- end}} {{- end}} -{{ end }} +{{- end}} --- apiVersion: apps/v1 @@ -197,6 +222,9 @@ spec: labels: {{- include "yugabyte.applabel" ($appLabelArgs) | indent 8 }} {{- include "yugabyte.labels" $root | indent 8 }} + {{- if $root.Values.istioCompatibility.enabled }} + sidecar.istio.io/inject: "true" + {{- end }} {{- if eq .name "yb-masters" }} {{- with $root.Values.master.podLabels }}{{ toYaml . | nindent 8 }}{{ end }} {{- else }} 
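Review bot: Under `createServicePerPod` the wildcard SAN `$dns1` becomes `*.<namespace>.svc.<domain>`, so every node certificate signed here is valid for any Service name in the namespace, not only the per-pod YugabyteDB services — narrower than the old `*.*.<namespace>` but still broad for a key that lives on the data disk; since `$node` (the `<label>-<index>.<namespace>.svc.<domain>` name) is now in the SAN list itself, the wildcard appears unnecessary for that mode and could be dropped. Adding `$node` to the SAN list is the right fix in any case, as modern verifiers ignore the CN, and it also covers `oldNamingStyle` where the default `*.<fullname>-<service>.<namespace>` wildcard would not match the `<label>-<index>.<service>.<namespace>` node names. The 3650-day lifetime is pre-existing, but a comment next to `genSignedCert` noting that rotation on this path is manual would help operators.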
@@ -214,62 +242,95 @@ spec: nodeSelector: {{ toYaml $root.Values.nodeSelector | indent 8 }} {{- end }} - terminationGracePeriodSeconds: 300 {{- if eq .name "yb-masters" }} # yb-masters + {{- with $root.Values.master.serviceAccount }} + serviceAccountName: {{ . }} + {{- end }} {{- if $root.Values.master.tolerations }} tolerations: {{- with $root.Values.master.tolerations }}{{ toYaml . | nindent 8 }}{{ end }} {{- end }} {{- else }} # yb-tservers + {{- with $root.Values.tserver.serviceAccount }} + serviceAccountName: {{ . }} + {{- end }} {{- if $root.Values.tserver.tolerations }} tolerations: {{- with $root.Values.tserver.tolerations }}{{ toYaml . | nindent 8 }}{{ end }} {{- end }} {{- end }} + terminationGracePeriodSeconds: 300 affinity: - # Set the anti-affinity selector scope to YB masters. + # Set the anti-affinity selector scope to YB masters and tservers. + {{- $nodeAffinityData := dict}} + {{- if eq .name "yb-masters" -}} + {{- $nodeAffinityData = get $root.Values.master.affinity "nodeAffinity" | default (dict) -}} + {{- else -}} + {{- $nodeAffinityData = get $root.Values.tserver.affinity "nodeAffinity" | default (dict) -}} + {{- end -}} {{ if $root.Values.AZ }} - nodeAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: failure-domain.beta.kubernetes.io/zone - operator: In - values: - - {{ $root.Values.AZ }} - - matchExpressions: - - key: topology.kubernetes.io/zone - operator: In - values: - - {{ $root.Values.AZ }} + {{- $userSelectorTerms := dig "requiredDuringSchedulingIgnoredDuringExecution" "nodeSelectorTerms" "" $nodeAffinityData | default (list) -}} + {{- $baseAffinity := include "yugabyte.multiAZNodeAffinity" $root | fromYaml -}} + {{- $requiredSchedule := (list) -}} + {{- if $userSelectorTerms -}} + {{- range $userSelectorTerms -}} + {{- $userTerm := . 
-}} + {{- range $baseAffinity.requiredDuringSchedulingIgnoredDuringExecution.nodeSelectorTerms -}} + {{- $matchExpr := concat .matchExpressions $userTerm.matchExpressions | dict "matchExpressions" -}} + {{- $requiredSchedule = mustMerge $matchExpr $userTerm | append $requiredSchedule -}} + {{- end -}} + {{- end -}} + {{- else -}} + {{- $requiredSchedule = $baseAffinity.requiredDuringSchedulingIgnoredDuringExecution.nodeSelectorTerms -}} + {{- end -}} + + {{- with $baseAffinity.requiredDuringSchedulingIgnoredDuringExecution -}} + {{- $_ := set . "nodeSelectorTerms" $requiredSchedule -}} + {{- end -}} + {{- $nodeAffinityData = mustMerge $baseAffinity $nodeAffinityData -}} + {{- end -}} + + {{- $podAntiAffinityData := dict -}} + {{- $basePodAntiAffinity := include "yugabyte.podAntiAffinity" ($appLabelArgs) | fromYaml -}} + {{- if eq .name "yb-masters" -}} + {{- with $root.Values.master.affinity -}} + {{- $userPodAntiAffinity := get . "podAntiAffinity" | default (dict) -}} + {{- if $userPodAntiAffinity -}} + {{- $preferredList := dig "preferredDuringSchedulingIgnoredDuringExecution" "" $userPodAntiAffinity | default (list) | concat $basePodAntiAffinity.preferredDuringSchedulingIgnoredDuringExecution}} + {{- $_ := set $basePodAntiAffinity "preferredDuringSchedulingIgnoredDuringExecution" $preferredList -}} + {{- end -}} + {{- $podAntiAffinityData = mustMerge $basePodAntiAffinity $userPodAntiAffinity -}} + {{- end -}} + {{- else -}} + {{- with $root.Values.tserver.affinity -}} + {{- $userPodAntiAffinity := get . 
"podAntiAffinity" | default (dict) -}} + {{- if $userPodAntiAffinity -}} + {{- $preferredList := dig "preferredDuringSchedulingIgnoredDuringExecution" "" $userPodAntiAffinity | default (list) | concat $basePodAntiAffinity.preferredDuringSchedulingIgnoredDuringExecution}} + {{- $_ := set $basePodAntiAffinity "preferredDuringSchedulingIgnoredDuringExecution" $preferredList -}} + {{- end -}} + {{- $podAntiAffinityData = mustMerge $basePodAntiAffinity $userPodAntiAffinity -}} + {{- end -}} + {{- end -}} + + {{- if eq .name "yb-masters" -}} + {{- if $nodeAffinityData -}} + {{- $_ := set $root.Values.master.affinity "nodeAffinity" $nodeAffinityData -}} + {{- end -}} + {{- $_ := set $root.Values.master.affinity "podAntiAffinity" $podAntiAffinityData -}} + {{ toYaml $root.Values.master.affinity | nindent 8 }} + {{- else -}} + {{- if $nodeAffinityData -}} + {{- $_ := set $root.Values.tserver.affinity "nodeAffinity" $nodeAffinityData -}} + {{- end -}} + {{- $_ := set $root.Values.tserver.affinity "podAntiAffinity" $podAntiAffinityData -}} + {{ toYaml $root.Values.tserver.affinity | nindent 8 }} {{ end }} - podAntiAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - weight: 100 - podAffinityTerm: - labelSelector: - matchExpressions: - {{- if $root.Values.oldNamingStyle }} - - key: app - operator: In - values: - - "{{ .label }}" - {{- else }} - - key: app.kubernetes.io/name - operator: In - values: - - "{{ .label }}" - - key: release - operator: In - values: - - {{ $root.Release.Name | quote }} - {{- end }} - topologyKey: kubernetes.io/hostname - {{- if eq .name "yb-masters" }} - {{- with $root.Values.master.affinity }}{{ toYaml . | nindent 8 }}{{ end }} - {{- else }} - {{- with $root.Values.tserver.affinity }}{{ toYaml . | nindent 8 }}{{ end }} - {{- end }} + {{- with $root.Values.dnsConfig }} + dnsConfig: {{- toYaml . | nindent 8 }} + {{- end }} + {{- with $root.Values.dnsPolicy }} + dnsPolicy: {{ . 
| quote }} + {{- end }} containers: - name: "{{ .label }}" image: "{{ $root.Values.Image.repository }}:{{ $root.Values.Image.tag }}" @@ -321,18 +382,20 @@ spec: - name: YBDEVOPS_CORECOPY_DIR value: "/mnt/disk0/cores" {{- if eq .name "yb-masters" }} - {{- with $root.Values.master.extraEnv }}{{ toYaml . | nindent 8 }}{{ end }} - {{- with $root.Values.master.secretEnv }}{{ toYaml . | nindent 8 }}{{ end }} + {{- with $root.Values.master.extraEnv }}{{ toYaml . | nindent 8 }}{{- end }} + {{- $data := dict "secretenv" $root.Values.master.secretEnv "root" $root "suffix" "master"}} + {{- include "yugabyte.addenvsecrets" $data | nindent 8 }} {{- else }} - {{- with $root.Values.tserver.extraEnv }}{{ toYaml . | nindent 8 }}{{ end }} - {{- with $root.Values.tserver.secretEnv }}{{ toYaml . | nindent 8 }}{{ end }} + {{- with $root.Values.tserver.extraEnv }}{{ toYaml . | nindent 8 }}{{- end }} + {{- $data := dict "secretenv" $root.Values.tserver.secretEnv "root" $root "suffix" "tserver" }} + {{- include "yugabyte.addenvsecrets" $data | nindent 8 }} {{- end }} {{- if and $root.Values.tls.enabled $root.Values.tls.clientToServer (ne .name "yb-masters") }} - name: SSL_CERTFILE value: /root/.yugabytedb/root.crt {{- end }} resources: - {{ if eq .name "yb-masters" }} + {{- if eq .name "yb-masters" }} {{ toYaml $root.Values.resource.master | indent 10 }} {{ else }} {{ toYaml $root.Values.resource.tserver | indent 10 }} 
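Review bot: `get $root.Values.master.affinity "nodeAffinity"` and the later `set $root.Values.master.affinity ...` (likewise for tserver) assume `master.affinity`/`tserver.affinity` are maps; if values.yaml does not default them to `{}` (not visible here) or a user sets `affinity: null`, rendering fails with a type error on `get`. More importantly, `set` mutates `$root.Values.*.affinity` in place, so the merged node/pod affinity is written back into the shared values object while this runs inside `range .Values.Services`, and any later template that reads `.Values.master.affinity` sees the merged result rather than the user's input. Work on a copy instead, e.g. `{{- $masterAffinity := deepCopy ($root.Values.master.affinity | default dict) -}}` and `set`/`toYaml` that copy. The enclosing `spec` block starts outside the hunk.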
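Review bot: Replacing `toYaml` of `master.secretEnv`/`tserver.secretEnv` with `yugabyte.addenvsecrets` means any entry that is not of the `valueFrom.secretKeyRef` shape (for example a plain `value:` entry, which the old `toYaml` passed through) now fails on the `$v.valueFrom.secretKeyRef.namespace` access inside the helper; if that shape was previously accepted, this is a breaking change that needs a values.yaml comment or a `{{- if $v.valueFrom }}` guard in the helper. The helper itself is in the `_helpers.tpl` hunk above.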
@@ -363,10 +426,13 @@ spec: {{- $rpcPreflight := include "yugabyte.preflight_check" (set $serviceValues "Preflight" $rpcDict) -}} {{- if $rpcPreflight -}}{{ $rpcPreflight | nindent 12 }}{{ end -}} {{- $broadcastAddr := include "yugabyte.server_broadcast_address" $serviceValues -}} - {{- $broadcastPort := index $service.ports "tcp-rpc-port" -}} - {{- $broadcastDict := dict "Addr" $broadcastAddr "Port" $broadcastPort -}} - {{- $broadcastPreflight := include "yugabyte.preflight_check" (set $serviceValues "Preflight" $broadcastDict) -}} - {{- if $broadcastPreflight -}}{{ $broadcastPreflight | nindent 12 }}{{ end -}} + {{/* skip bind check for servicePerPod multi-cluster, we cannot/don't bind to service IP */}} + {{- if not $root.Values.multicluster.createServicePerPod }} + {{- $broadcastPort := index $service.ports "tcp-rpc-port" -}} + {{- $broadcastDict := dict "Addr" $broadcastAddr "Port" $broadcastPort -}} + {{- $broadcastPreflight := include "yugabyte.preflight_check" (set $serviceValues "Preflight" $broadcastDict) -}} + {{- if $broadcastPreflight -}}{{ $broadcastPreflight | nindent 12 }}{{ end -}} + {{- end }} {{- $webserverAddr := include "yugabyte.webserver_interface" $serviceValues -}} {{- $webserverPort := index $service.ports "http-ui" -}} {{- $webserverDict := dict "Addr" $webserverAddr "Port" $webserverPort -}} 
@@ -377,6 +443,25 @@ spec: else k8s_parent="" fi && \ + {{- if and $root.Values.tls.enabled $root.Values.tls.certManager.enabled }} + echo "Creating ephemeral /opt/certs/yugabyte/ as symlink to persisted /mnt/disk0/certs/" && \ + mkdir -p /mnt/disk0/certs && \ + mkdir -p /opt/certs && \ + ln -s /mnt/disk0/certs /opt/certs/yugabyte && \ + if [[ ! -f /opt/certs/yugabyte/ca.crt ]]; then + echo "Fresh install of /opt/certs/yugabyte/ca.crt" + cp /home/yugabyte/cert-manager/ca.crt /opt/certs/yugabyte/ca.crt; + fi && \ + cmp -s /home/yugabyte/cert-manager/ca.crt /opt/certs/yugabyte/ca.crt;sameRootCA=$? && \ + if [[ $sameRootCA -eq 0 ]]; then + echo "Refreshing tls certs at /opt/certs/yugabyte/"; + cp /home/yugabyte/cert-manager/tls.crt /opt/certs/yugabyte/node.{{$rpcAddr}}.crt; + cp /home/yugabyte/cert-manager/tls.key /opt/certs/yugabyte/node.{{$rpcAddr}}.key; + chmod 600 /opt/certs/yugabyte/* + else + echo "WARNING: Not refreshing certificates as the root ca.crt has changed" + fi && \ + {{- end }} {{- if eq .name "yb-masters" }} exec ${k8s_parent} /home/yugabyte/bin/yb-master \ {{- if not $root.Values.storage.ephemeral }} @@ -480,10 +565,18 @@ spec: {{- end }} ports: {{- range $label, $port := .ports }} + {{- if not (eq $label "grpc-ybc-port") }} - containerPort: {{ $port }} name: {{ $label | quote }} + {{- end }} {{- end}} volumeMounts: + {{- if (eq .name "yb-tservers") }} + - name: tserver-tmp + mountPath: /tmp + {{- end }} + - name: debug-hooks-volume + mountPath: /opt/debug_hooks_config {{ if not $root.Values.storage.ephemeral }} {{- range $index := until (int ($storageInfo.count)) }} - name: {{ $root.Values.oldNamingStyle | ternary (printf "datadir%d" $index) (printf "%s%d" (include "yugabyte.volume_name" $root) $index) }} 
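Review bot: The cert-manager bootstrap copies `tls.key` from the read-only Secret mount onto the persisted data volume at `/mnt/disk0/certs`, so the node private key now lives on the PV and in any snapshot or backup of it, and `chmod 600` runs only in the refresh branch while the fresh-install path copies `ca.crt` with no mode change; moving `chmod 600 /opt/certs/yugabyte/*` out of the `if` so it runs after both `cp` pairs, plus a comment that the key is persisted on disk, would make both explicit. `ln -s /mnt/disk0/certs /opt/certs/yugabyte` has no `-f`/`-n`, whereas the yb-controller postStart in the later hunk uses `ln -sf`; if `/opt/certs/yugabyte` already exists the `&&` chain fails and `exec` is never reached, so `ln -sfn` is restart-safe and matches the sibling. When `cmp` detects a changed root CA the script only logs a warning and keeps serving the old node cert, which is reasonable but deserves a comment that a CA rotation therefore needs manual intervention. The enclosing command string starts before this hunk.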
@@ -492,7 +585,7 @@ spec: {{- end }} {{- if $root.Values.tls.enabled }} - name: {{ $root.Values.oldNamingStyle | ternary (printf "%s-yugabyte-tls-cert" .label) (printf "%s-%s-tls-cert" (include "yugabyte.fullname" $root) .label) }} - mountPath: /opt/certs/yugabyte + mountPath: {{ $root.Values.tls.certManager.enabled | ternary "/home/yugabyte/cert-manager" "/opt/certs/yugabyte" }} readOnly: true - name: {{ $root.Values.oldNamingStyle | ternary "yugabyte-tls-client-cert" (printf "%s-client-tls" (include "yugabyte.fullname" $root)) }} mountPath: /root/.yugabytedb/ 
@@ -531,9 +624,86 @@ spec: - name: {{ $root.Values.oldNamingStyle | ternary "datadir0" (printf "%s0" (include "yugabyte.volume_name" $root)) }} mountPath: /var/yugabyte/cores subPath: cores + {{- if $root.Values.ybCleanup.resources }} + resources: {{ toYaml $root.Values.ybCleanup.resources | nindent 10 }} + {{- end }} {{- end }} + {{- if and (eq .name "yb-tservers") ($root.Values.ybc.enabled) }} + - name: yb-controller + image: "{{ $root.Values.Image.repository }}:{{ $root.Values.Image.tag }}" + imagePullPolicy: {{ $root.Values.Image.pullPolicy }} + lifecycle: + postStart: + exec: + command: + - "bash" + - "-c" + - > + mkdir -p /mnt/disk0/yw-data/controller/tmp; + mkdir -p /mnt/disk0/yw-data/controller/conf; + mkdir -p /mnt/disk0/ybc-data/controller/logs; + mkdir -p /tmp/yugabyte/controller; + ln -sf /mnt/disk0/ybc-data/controller/logs /tmp/yugabyte/controller; + ln -sf /mnt/disk0/yw-data/controller/bin /tmp/yugabyte/controller; + rm -f /tmp/yugabyte/controller/yb-controller.pid; + {{- if and $root.Values.tls.enabled $root.Values.tls.certManager.enabled }} + mkdir -p /opt/certs; + ln -sf /mnt/disk0/certs /opt/certs/yugabyte; + {{- end }} + command: + - "/sbin/tini" + - "--" + args: + - "/bin/bash" + - "-c" + - > + while true; do + sleep 60; + /home/yugabyte/tools/k8s_ybc_parent.py status || /home/yugabyte/tools/k8s_ybc_parent.py start; + done + {{- with index $service.ports "grpc-ybc-port" }} + ports: + - containerPort: {{ . 
}} + name: "grpc-ybc-port" + {{- end }} + volumeMounts: + - name: tserver-tmp + mountPath: /tmp + {{- if not $root.Values.storage.ephemeral }} + {{- range $index := until (int ($storageInfo.count)) }} + - name: {{ $root.Values.oldNamingStyle | ternary (printf "datadir%d" $index) (printf "%s%d" (include "yugabyte.volume_name" $root) $index) }} + mountPath: /mnt/disk{{ $index }} + {{- end }} + {{- end }} + {{- if $root.Values.tls.enabled }} + - name: {{ $root.Values.oldNamingStyle | ternary (printf "%s-yugabyte-tls-cert" .label) (printf "%s-%s-tls-cert" (include "yugabyte.fullname" $root) .label) }} + mountPath: {{ $root.Values.tls.certManager.enabled | ternary "/home/yugabyte/cert-manager" "/opt/certs/yugabyte" }} + readOnly: true + {{- end }} + {{- if ($root.Values.tserver.extraVolumeMounts) -}} + {{- include "yugabyte.isExtraVolumesMappingExists" $root.Values.tserver -}} + {{- $root.Values.tserver.extraVolumeMounts | toYaml | nindent 10 -}} + {{- end -}} + {{- if $root.Values.ybc.resources }} + resources: {{ toYaml $root.Values.ybc.resources | nindent 10 }} + {{- end }} + {{- end}} + volumes: + {{- if (eq .name "yb-masters") }} + - name: debug-hooks-volume + configMap: + name: {{ include "yugabyte.fullname" $root }}-master-hooks + defaultMode: 0755 + {{- else if (eq .name "yb-tservers") }} + - name: debug-hooks-volume + configMap: + name: {{ include "yugabyte.fullname" $root }}-tserver-hooks + defaultMode: 0755 + - name: tserver-tmp + emptyDir: {} + {{- end }} {{ if not $root.Values.storage.ephemeral }} {{- range $index := until (int ($storageInfo.count)) }} - name: {{ $root.Values.oldNamingStyle | ternary (printf "datadir%d" $index) (printf "%s%d" (include "yugabyte.volume_name" $root) $index) }} 
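Review bot: The `debug-hooks-volume` ConfigMaps are mounted with `defaultMode: 0755` into every master and tserver pod, which makes whatever those ConfigMaps contain executable inside the database containers; how the hooks are invoked is not in this hunk, but a comment stating that write access to the `-master-hooks`/`-tserver-hooks` ConfigMaps is equivalent to code execution in the DB pods would help whoever sets RBAC on them. The yb-controller supervision loop `while true; do sleep 60; ... status || ... start; done` waits a full minute before the first `start`, so the controller is never up before then; if that is intended say so (`# first start is delayed by one sleep interval`), otherwise run the status/start once before entering the loop. `tserver-tmp` is shared as `/tmp` between the tserver and the controller, which keeps the controller's pid file and symlinks visible to both; a one-line comment on the `emptyDir` stating that intent would explain why `/tmp` is not left per-container.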
@@ -542,25 +712,24 @@ spec: {{- end }} {{- end }} {{- if $root.Values.tls.enabled }} + {{- if $root.Values.tls.certManager.enabled }} + {{- /* certManager enabled */}} + - name: {{ $root.Values.oldNamingStyle | ternary (printf "%s-yugabyte-tls-cert" .label) (printf "%s-%s-tls-cert" (include "yugabyte.fullname" $root) .label) }} + projected: + sources: + {{- if not $root.Values.tls.certManager.bootstrapSelfsigned }} + - secret: + name: {{ printf "%s-root-ca" (include "yugabyte.fullname" $root) }} + {{- end }} + - secret: + name: {{ $root.Values.oldNamingStyle | ternary (printf "%s-yugabyte-tls-cert" .label) (printf "%s-%s-tls-cert" (include "yugabyte.fullname" $root) .label) }} + {{- else }} + {{/* certManager disabled */}} - name: {{ $root.Values.oldNamingStyle | ternary (printf "%s-yugabyte-tls-cert" .label) (printf "%s-%s-tls-cert" (include "yugabyte.fullname" $root) .label) }} secret: secretName: {{ $root.Values.oldNamingStyle | ternary (printf "%s-yugabyte-tls-cert" .label) (printf "%s-%s-tls-cert" (include "yugabyte.fullname" $root) .label) }} - {{- if $root.Values.tls.certManager.enabled }} - items: - {{- $replicas := (eq .name "yb-masters") | ternary $root.Values.replicas.master $root.Values.replicas.tserver -}} - {{- range $index := until ( int ( $replicas ) ) }} - {{- $nodeOldStyle := printf "%s-%d.%s.%s.svc.%s" $service.label $index $service.name $root.Release.Namespace $root.Values.domainName }} - {{- $nodeNewStyle := printf "%s-%s-%d.%s-%s.%s.svc.%s" (include "yugabyte.fullname" $root) $service.label $index (include "yugabyte.fullname" $root) $service.name $root.Release.Namespace $root.Values.domainName }} - {{- $node := $root.Values.oldNamingStyle | ternary $nodeOldStyle $nodeNewStyle }} - - key: tls.crt - path: node.{{$node}}.crt - - key: tls.key - path: node.{{$node}}.key - {{- end }} - - key: ca.crt - path: ca.crt - {{- end }} defaultMode: 256 + {{- end }} - name: {{ $root.Values.oldNamingStyle | ternary "yugabyte-tls-client-cert" (printf 
"%s-client-tls" (include "yugabyte.fullname" $root)) }} secret: secretName: {{ $root.Values.oldNamingStyle | ternary "yugabyte-tls-client-cert" (printf "%s-client-tls" (include "yugabyte.fullname" $root)) }} diff --git a/charts/yugabyte/yugabyte/values.yaml b/charts/yugabyte/yugabyte/values.yaml index c0c74e346..65d895c95 100644 --- a/charts/yugabyte/yugabyte/values.yaml +++ b/charts/yugabyte/yugabyte/values.yaml @@ -2,10 +2,15 @@ # This is a YAML-formatted file. # Declare variables to be passed into your templates. Component: "yugabytedb" + +fullnameOverride: "" +nameOverride: "" + Image: repository: "yugabytedb/yugabyte" - tag: 2.14.17.0-b6 + tag: 2.18.8.0-b42 pullPolicy: IfNotPresent + pullSecretName: "" storage: ephemeral: false # will not allocate PVs when true @@ -21,27 +26,38 @@ storage: resource: master: requests: - cpu: 2 + cpu: "2" memory: 2Gi limits: - cpu: 2 + cpu: "2" memory: 2Gi tserver: requests: - cpu: 2 + cpu: "2" memory: 4Gi limits: - cpu: 2 + cpu: "2" memory: 4Gi replicas: master: 3 tserver: 3 + ## Used to set replication factor when isMultiAz is set to true + totalMasters: 3 partition: master: 0 tserver: 0 +# Used in Multi-AZ setup +masterAddresses: "" + +isMultiAz: false +AZ: "" + +# Disable the YSQL +disableYsql: false + tls: # Set to true to enable the TLS. enabled: false 
@@ -52,25 +68,33 @@ tls: # Set enabled to true to use cert-manager instead of providing your own rootCA certManager: enabled: false - # Will create own ca certificate and issuer when set to false + # Will create own ca certificate and issuer when set to true + bootstrapSelfsigned: true + # Use ClusterIssuer when set to true, otherwise use Issuer useClusterIssuer: false - # ignored when useClusterIssuer is false + # Name of ClusterIssuer to use when useClusterIssuer is true clusterIssuer: cluster-ca + # Name of Issuer to use when useClusterIssuer is false + issuer: yugabyte-ca certificates: # The lifetime before cert-manager will issue a new certificate. # The re-issued certificates will not be automatically reloaded by the service. # It is necessary to provide some external means of restarting the pods. duration: 2160h # 90d renewBefore: 360h # 15d - algorithm: ECDSA # ECDSA or RSA - # Can be 2046, 4096 or 8192 for RSA + algorithm: RSA # ECDSA or RSA + # Can be 2048, 4096 or 8192 for RSA # Or 256, 384 or 521 for ECDSA - keySize: 521 + keySize: 2048 - # Will be ignored when certManager.enabled=true + ## When certManager.enabled=false, rootCA.cert and rootCA.key are used to generate TLS certs. + ## When certManager.enabled=true and boostrapSelfsigned=true, rootCA is ignored. + ## When certManager.enabled=true and bootstrapSelfsigned=false, only rootCA.cert is used + ## to verify TLS certs generated and signed by the external provider. 
rootCA: cert: "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUM2VENDQWRHZ0F3SUJBZ0lCQVRBTkJna3Foa2lHOXcwQkFRc0ZBREFXTVJRd0VnWURWUVFERXd0WmRXZGgKWW5sMFpTQkVRakFlRncweE9UQXlNRGd3TURRd01qSmFGdzB5T1RBeU1EVXdNRFF3TWpKYU1CWXhGREFTQmdOVgpCQU1UQzFsMVoyRmllWFJsSUVSQ01JSUJJakFOQmdrcWhraUc5dzBCQVFFRkFBT0NBUThBTUlJQkNnS0NBUUVBCnVOMWF1aWc4b2pVMHM0OXF3QXhrT2FCaHkwcTlyaVg2akVyZWJyTHJOWDJOeHdWQmNVcWJkUlhVc3VZNS96RUQKUC9CZTNkcTFuMm9EQ2ZGVEwweGkyNFdNZExRcnJBMndCdzFtNHM1WmQzcEJ1U04yWHJkVVhkeUx6dUxlczJNbgovckJxcWRscXp6LzAyTk9TOE9SVFZCUVRTQTBSOFNMQ1RjSGxMQmRkMmdxZ1ZmemVXRlVObXhWQ2EwcHA5UENuCmpUamJJRzhJWkh5dnBkTyt3aURQM1Y1a1ZEaTkvbEtUaGUzcTFOeDg5VUNFcnRJa1pjSkYvWEs3aE90MU1sOXMKWDYzb2lVMTE1Q2svbGFGRjR6dWgrZk9VenpOVXRXeTc2RE92cm5pVGlaU0tQZDBBODNNa2l2N2VHaDVkV3owWgpsKzJ2a3dkZHJaRzVlaHhvbGhGS3pRSURBUUFCbzBJd1FEQU9CZ05WSFE4QkFmOEVCQU1DQXFRd0hRWURWUjBsCkJCWXdGQVlJS3dZQkJRVUhBd0VHQ0NzR0FRVUZCd01DTUE4R0ExVWRFd0VCL3dRRk1BTUJBZjh3RFFZSktvWkkKaHZjTkFRRUxCUUFEZ2dFQkFEQjVRbmlYd1ptdk52eG5VbS9sTTVFbms3VmhTUzRUZldIMHY4Q0srZWZMSVBTbwpVTkdLNXU5UzNEUWlvaU9SN1Vmc2YrRnk1QXljMmNUY1M2UXBxTCt0V1QrU1VITXNJNk9oQ05pQ1gvQjNKWERPCkd2R0RIQzBVOHo3aWJTcW5zQ2Rid05kajAyM0lwMHVqNE9DVHJ3azZjd0RBeXlwVWkwN2tkd28xYWJIWExqTnAKamVQMkwrY0hkc2dKM1N4WWpkK1kvei9IdmFrZG1RZDJTL1l2V0R3aU1SRDkrYmZXWkJVRHo3Y0QyQkxEVmU0aAp1bkFaK3NyelR2Sjd5dkVodzlHSDFyajd4Qm9VNjB5SUUrYSszK2xWSEs4WnBSV0NXMnh2eWNrYXJSKytPS2NKClFsL04wWExqNWJRUDVoUzdhOTdhQktTamNqY3E5VzNGcnhJa2tKST0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=" key: 
"LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFcEFJQkFBS0NBUUVBdU4xYXVpZzhvalUwczQ5cXdBeGtPYUJoeTBxOXJpWDZqRXJlYnJMck5YMk54d1ZCCmNVcWJkUlhVc3VZNS96RURQL0JlM2RxMW4yb0RDZkZUTDB4aTI0V01kTFFyckEyd0J3MW00czVaZDNwQnVTTjIKWHJkVVhkeUx6dUxlczJNbi9yQnFxZGxxenovMDJOT1M4T1JUVkJRVFNBMFI4U0xDVGNIbExCZGQyZ3FnVmZ6ZQpXRlVObXhWQ2EwcHA5UENualRqYklHOElaSHl2cGRPK3dpRFAzVjVrVkRpOS9sS1RoZTNxMU54ODlVQ0VydElrClpjSkYvWEs3aE90MU1sOXNYNjNvaVUxMTVDay9sYUZGNHp1aCtmT1V6ek5VdFd5NzZET3ZybmlUaVpTS1BkMEEKODNNa2l2N2VHaDVkV3owWmwrMnZrd2RkclpHNWVoeG9saEZLelFJREFRQUJBb0lCQUJsdW1tU3gxR1djWER1Mwpwei8wZEhWWkV4c2NsU3U0SGRmZkZPcTF3cFlCUjlmeGFTZGsxQzR2YXF1UjhMaWl6WWVtVWViRGgraitkSnlSCmpwZ2JNaDV4S1BtRkw5empwU3ZUTkN4UHB3OUF5bm5sM3dyNHZhcU1CTS9aZGpuSGttRC9kQzBadEEvL0JIZ3YKNHk4d3VpWCsvUWdVaER0Z1JNcmR1ZUZ1OVlKaFo5UE9jYXkzSkkzMFhEYjdJSS9vNFNhYnhTcFI3bTg5WjY0NwpUb3hsOEhTSzl0SUQxbkl1bHVpTmx1dHI1RzdDdE93WTBSc2N5dmZ2elg4a1d2akpLZVJVbmhMSCtXVFZOaExICjdZc0tMNmlLa1NkckMzeWVPWnV4R0pEbVdrZVgxTzNPRUVGYkc4TjVEaGNqL0lXbDh1dGt3LzYwTEthNHBCS2cKTXhtNEx3RUNnWUVBNnlPRkhNY2pncHYxLzlHZC8yb3c2YmZKcTFjM1dqQkV2cnM2ZXNyMzgrU3UvdVFneXJNcAo5V01oZElpb2dYZjVlNjV5ZlIzYVBXcjJJdWMxZ0RUNlYycDZFR2h0NysyQkF1YkIzczloZisycVNRY1lkS3pmCnJOTDdKalE4ZEVGZWdYd041cHhKOTRTTVFZNEI4Qm9hOHNJWTd3TzU4dHpVMjZoclVnanFXQ1VDZ1lFQXlVUUIKNzViWlh6MGJ5cEc5NjNwYVp0bGlJY0cvUk1XMnVPOE9rVFNYSGdDSjBob25uRm5IMGZOc1pGTHdFWEtnTTRORworU3ZNbWtUekE5eVVSMHpIMFJ4UW44L1YzVWZLT2k5RktFeWx6NzNiRkV6ZW1QSEppQm12NWQ4ZTlOenZmU0E0CkdpRTYrYnFyV3VVWWRoRWlYTnY1SFNPZ3I4bUx1TzJDbGlmNTg0a0NnWUFlZzlDTmlJWmlOODAzOHNNWFYzZWIKalI5ZDNnYXY3SjJ2UnVyeTdvNDVGNDlpUXNiQ3AzZWxnY1RnczY5eWhkaFpwYXp6OGNEVndhREpyTW16cHF4cQpWY1liaFFIblppSWM5MGRubS9BaVF2eWJWNUZqNnQ5b05VVWtreGpaV1haalJXOGtZMW55QmtDUmJWVnhER0k4CjZOV0ZoeTFGaUVVVGNJcms3WVZFQlFLQmdRREpHTVIrYWRFamtlRlUwNjVadkZUYmN0VFVPY3dzb1Foalc2akkKZVMyTThxakNYeE80NnhQMnVTeFNTWFJKV3FpckQ3NDRkUVRvRjRCaEdXS21veGI3M3pqSGxWaHcwcXhDMnJ4VQorZENxODE0VXVJR3BlOTBMdWU3QTFlRU9kRHB1WVdUczVzc1FmdTE3MG5CUWQrcEhzaHNFZkhhdmJjZkhyTGpQCjQzMmhVUUtCZ1FDZ3hMZG5Pd2JMaHZLVkhhdTdPVXQxbGpUT24
0SnB5bHpnb3hFRXpzaDhDK0ZKUUQ1bkFxZXEKZUpWSkNCd2VkallBSDR6MUV3cHJjWnJIN3IyUTBqT2ZFallwU1dkZGxXaWh4OTNYODZ0aG83UzJuUlYrN1hNcQpPVW9ZcVZ1WGlGMWdMM1NGeHZqMHhxV3l0d0NPTW5DZGFCb0M0Tkw3enJtL0lZOEUwSkw2MkE9PQotLS0tLUVORCBSU0EgUFJJVkFURSBLRVktLS0tLQo=" + ## When tls.certManager.enabled=false ## nodeCert and clientCert will be used only when rootCA.key is empty. ## Will be ignored and genSignedCert will be used to generate ## node and client certs if rootCA.key is provided. @@ -85,33 +109,58 @@ tls: gflags: master: default_memory_limit_to_ram_ratio: 0.85 -# tserver: + tserver: {} # use_cassandra_authentication: false PodManagementPolicy: Parallel enableLoadBalancer: true -isMultiAz: false +ybc: + enabled: false + ## https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#resource-requests-and-limits-of-pod-and-container + ## Use the above link to learn more about Kubernetes resources configuration. + # resources: + # requests: + # cpu: "1" + # memory: 1Gi + # limits: + # cpu: "1" + # memory: 1Gi + +ybCleanup: {} + ## https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#resource-requests-and-limits-of-pod-and-container + ## Use the above link to learn more about Kubernetes resources configuration. + # resources: + # requests: + # cpu: "1" + # memory: 1Gi + # limits: + # cpu: "1" + # memory: 1Gi domainName: "cluster.local" serviceEndpoints: - name: "yb-master-ui" type: LoadBalancer + annotations: {} + clusterIP: "" ## Sets the Service's externalTrafficPolicy - # externalTrafficPolicy: "" + externalTrafficPolicy: "" app: "yb-master" - # loadBalancerIP: "" + loadBalancerIP: "" ports: http-ui: "7000" - name: "yb-tserver-service" type: LoadBalancer + annotations: {} + clusterIP: "" ## Sets the Service's externalTrafficPolicy - # externalTrafficPolicy: "" + externalTrafficPolicy: "" app: "yb-tserver" - # loadBalancerIP: "" + loadBalancerIP: "" ports: tcp-yql-port: "9042" tcp-yedis-port: "6379" 
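Review bot: The new comment block above `rootCA` says that with `certManager.enabled=false` the `rootCA.cert` and `rootCA.key` values are used to generate the TLS certificates, but the values shipped in this file are a published key pair present in every copy of the chart, so any deployment that leaves them in place has a CA whose private key is public; the comment should say that plainly, e.g. `## The rootCA below is a placeholder committed to the chart; override both cert and key for any real deployment.`. The same block misspells the option as `boostrapSelfsigned` in `When certManager.enabled=true and boostrapSelfsigned=true, rootCA is ignored`, which is confusing next to the new `bootstrapSelfsigned: true` key a few lines up. The switch to `algorithm: RSA` / `keySize: 2048` is fine, but the note under `certificates` that re-issued certificates are not reloaded is now also relevant to the node-cert refresh done at pod start in the statefulset template, and could point there.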
@@ -138,8 +187,11 @@ Services: http-ycql-met: "12000" http-yedis-met: "11000" http-ysql-met: "13000" + grpc-ybc-port: "18018" -## Should be set to true only if Istio is being used. + +## Should be set to true only if Istio is being used. This also adds +## the Istio sidecar injection labels to the pods. ## TODO: remove this once ## https://github.com/yugabyte/yugabyte-db/issues/5641 is fixed. ## @@ -156,6 +208,22 @@ multicluster: ## failover. Useful when using new naming style. createCommonTserverService: false + ## Enable it to deploy YugabyteDB in a multi-cluster services enabled + ## Kubernetes cluster (KEP-1645). This will create ServiceExport. + ## GKE Ref - https://cloud.google.com/kubernetes-engine/docs/how-to/multi-cluster-services#registering_a_service_for_export + ## You can use this gist for the reference to deploy the YugabyteDB in a multi-cluster scenario. + ## Gist - https://gist.github.com/baba230896/78cc9bb6f4ba0b3d0e611cd49ed201bf + createServiceExports: false + + ## Mandatory variable when createServiceExports is set to true. + ## Use: In case of GKE, you need to pass GKE Hub Membership Name. + ## GKE Ref - https://cloud.google.com/kubernetes-engine/docs/how-to/multi-cluster-services#enabling + kubernetesClusterId: "" + + ## mcsApiVersion is used for the MCS resources created by the + ## chart. Set to net.gke.io/v1 when using GKE MCS. + mcsApiVersion: "multicluster.x-k8s.io/v1alpha1" + serviceMonitor: ## If true, two ServiceMonitor CRs are created. One for yb-master ## and one for yb-tserver 
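Review bot: `createServiceExports` publishes the yb services to every member cluster of the MCS fleet, while `tls.enabled` defaults to false earlier in this file, so inter-cluster traffic is plaintext unless TLS is also turned on; the comment should state that, e.g. `## Traffic from other clusters is not encrypted unless tls.enabled is also set.`. `grpc-ybc-port: "18018"` is added to the `Services:` port list with no note on which service exposes it or why a disabled-by-default component has a port here; the service templates are outside this diff, so a one-line comment (`# yb-controller gRPC, only used when ybc.enabled`) would help. The gist link under `createServiceExports` is a personal reference that can disappear; pointing at the docs or an `examples/` file in the chart, as the affinity comments elsewhere in this file do, is more durable.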
@@ -231,9 +299,37 @@ affinity: {} statefulSetAnnotations: {} +networkAnnotation: {} + +commonLabels: {} + +## @param dnsPolicy DNS Policy for pod +## ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/ +## E.g. +## dnsPolicy: ClusterFirst +dnsPolicy: "" +## @param dnsConfig DNS Configuration pod +## ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/ +## E.g. +## dnsConfig: +## options: +## - name: ndots +## value: "4" +dnsConfig: {} + + master: ## Ref: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.22/#affinity-v1-core ## This might override the default affinity from service.yaml + # To successfully merge, we need to follow rules for merging nodeSelectorTerms that kubernentes + # has. Each new node selector term is ORed together, and each match expression or match field in + # a single selector is ANDed together. + # This means, if a pod needs to be scheduled on a label 'custom_label_1' with a value + # 'custom_value_1', we need to add this 'subterm' to each of our pre-defined node affinity + # terms. + # + # Pod anti affinity is a simpler merge. Each term is applied separately, and the weight is tracked. + # The pod that achieves the highest weight is selected. ## Example. # affinity: # podAntiAffinity: @@ -245,6 +341,8 @@ master: # values: # - "yb-master" # topologyKey: kubernetes.io/hostname + # + # For further examples, see examples/yugabyte/affinity_overrides.yaml affinity: {} ## Extra environment variables passed to the Master pods. 
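Review bot: The new affinity merge comment misspells `kubernentes` (`rules for merging nodeSelectorTerms that kubernentes has`), and the same paragraph is pasted again under `tserver:` in the next hunk with the same typo, so both copies need the fix. `networkAnnotation: {}` and `commonLabels: {}` are introduced with no description, unlike the neighbouring `dnsPolicy`/`dnsConfig` entries that carry `## @param` lines; a one-line `##` comment each, stating which resources receive them, would match the file's style. The long merge explanation could live once in the `examples/yugabyte/affinity_overrides.yaml` the comment already references instead of twice in values.yaml.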
@@ -301,10 +399,23 @@ master: # mountPath: /home/yugabyte/nfs-backup extraVolumeMounts: [] + ## Set service account for master DB pods. The service account + ## should exist in the namespace where the master DB pods are brought up. + serviceAccount: "" + tserver: ## Ref: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.22/#affinity-v1-core ## This might override the default affinity from service.yaml + # To successfully merge, we need to follow rules for merging nodeSelectorTerms that kubernentes + # has. Each new node selector term is ORed together, and each match expression or match field in + # a single selector is ANDed together. + # This means, if a pod needs to be scheduled on a label 'custom_label_1' with a value + # 'custom_value_1', we need to add this 'subterm' to each of our pre-defined node affinity + # terms. + # + # Pod anti affinity is a simpler merge. Each term is applied separately, and the weight is tracked. + # The pod that achieves the highest weight is selected. ## Example. # affinity: # podAntiAffinity: @@ -316,6 +427,7 @@ tserver: # values: # - "yb-tserver" # topologyKey: kubernetes.io/hostname + # For further examples, see examples/yugabyte/affinity_overrides.yaml affinity: {} ## Extra environment variables passed to the TServer pods. @@ -328,13 +440,16 @@ tserver: # fieldPath: status.hostIP extraEnv: [] - # secretEnv variables are used to expose secrets data as env variables in the tserver pods. - # TODO Add namespace also to support copying secrets from other namespace. + ## secretEnv variables are used to expose secrets data as env variables in the tserver pods. + ## If namespace field is not specified we assume that user already + ## created the secret in the same namespace as DB pods. + ## Example # secretEnv: # - name: MYSQL_LDAP_PASSWORD # valueFrom: # secretKeyRef: # name: secretName + # namespace: my-other-namespace-with-ldap-secret # key: password secretEnv: [] 
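Review bot: The new `secretEnv` comment says that without a `namespace` field the Secret is assumed to exist in the DB pods' namespace, but does not say what happens when `namespace` is given; a pod cannot reference a Secret in another namespace through `secretKeyRef`, so presumably the chart copies it into the release namespace, and the comment should state that, including that the copy is then readable by anyone with `get secrets` in the release namespace. `serviceAccount: ""` could note the consequence of leaving it empty (the pods run under the namespace's `default` service account, whose token is mounted unless that account disables automount), e.g. `## Empty means the namespace default service account is used.`.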
@@ -377,6 +492,10 @@ tserver: # path: /home/yugabyte/nfs-backup extraVolumeMounts: [] + ## Set service account for tserver DB pods. The service account + ## should exist in the namespace where the tserver DB pods are brought up. + serviceAccount: "" + helm2Legacy: false ip_version_support: "v4_only" # v4_only, v6_only are the only supported values at the moment diff --git a/charts/yugabyte/yugaware/Chart.yaml b/charts/yugabyte/yugaware/Chart.yaml index e899e2fbf..36d356fed 100644 --- a/charts/yugabyte/yugaware/Chart.yaml +++ b/charts/yugabyte/yugaware/Chart.yaml @@ -3,15 +3,20 @@ annotations: catalog.cattle.io/display-name: YugabyteDB Anywhere catalog.cattle.io/kube-version: '>=1.18-0' catalog.cattle.io/release-name: yugaware -apiVersion: v1 -appVersion: 2.14.17.0-b6 -description: YugaWare is YugaByte Database's Orchestration and Management console. + charts.openshift.io/name: yugaware +apiVersion: v2 +appVersion: 2.18.8.0-b42 +description: YugabyteDB Anywhere provides deployment, orchestration, and monitoring + for managing YugabyteDB clusters. YugabyteDB Anywhere can create a YugabyteDB cluster + with multiple pods provided by Kubernetes or OpenShift and logically grouped together + to form one logical distributed database. home: https://www.yugabyte.com icon: https://avatars0.githubusercontent.com/u/17074854?s=200&v=4 +kubeVersion: '>=1.18-0' maintainers: -- email: ram@yugabyte.com - name: Ram Sri -- email: arnav@yugabyte.com - name: Arnav Agarwal +- email: sanketh@yugabyte.com + name: Sanketh Indarapu +- email: gjalla@yugabyte.com + name: Govardhan Reddy Jalla name: yugaware -version: 2.14.17 +version: 2.18.8 diff --git a/charts/yugabyte/yugaware/README.md b/charts/yugabyte/yugaware/README.md index fa27ce3e0..0d190c0be 100644 --- a/charts/yugabyte/yugaware/README.md +++ b/charts/yugabyte/yugaware/README.md 
@@ -1,5 +1,7 @@ YugabyteDB Anywhere gives you the simplicity and support to deliver a private database-as-a-service (DBaaS) at scale. Use YugabyteDB Anywhere to deploy YugabyteDB across any cloud anywhere in the world with a few clicks, simplify day 2 operations through automation, and get the services needed to realize business outcomes with the database. -YugabyteDB Anywhere can be deployed using this helm chart. Detailed documentation is available at +YugabyteDB Anywhere can be deployed using this Helm chart. Detailed documentation is available at: +- [Install YugabyteDB Anywhere software - Kubernetes](https://docs.yugabyte.com/preview/yugabyte-platform/install-yugabyte-platform/install-software/kubernetes/) +- [Install YugabyteDB Anywhere software - OpenShift (Helm based)](https://docs.yugabyte.com/preview/yugabyte-platform/install-yugabyte-platform/install-software/openshift/#helm-based-installation) [![Artifact HUB](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/yugabyte)](https://artifacthub.io/packages/search?repo=yugabyte) diff --git a/charts/yugabyte/yugaware/openshift.values.yaml b/charts/yugabyte/yugaware/openshift.values.yaml new file mode 100644 index 000000000..6e797bfe8 --- /dev/null +++ b/charts/yugabyte/yugaware/openshift.values.yaml @@ -0,0 +1,24 @@ +# OCP compatible values for yugaware + +image: + + repository: quay.io/yugabyte/yugaware-ubi + + postgres: + registry: registry.redhat.io + tag: 1-88.1661531722 + name: rhscl/postgresql-13-rhel7 + + prometheus: + registry: registry.redhat.io + tag: v4.11.0 + name: openshift4/ose-prometheus + +rbac: + create: false + +ocpCompatibility: + enabled: true + +securityContext: + enabled: false diff --git a/charts/yugabyte/yugaware/questions.yaml b/charts/yugabyte/yugaware/questions.yaml index 11378b60c..446d616e1 100644 --- a/charts/yugabyte/yugaware/questions.yaml +++ b/charts/yugabyte/yugaware/questions.yaml 
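Review bot: `rbac.create: false` and `securityContext.enabled: false` are set in the new OCP overlay without a word on why both are turned off, and the postgres and prometheus images are pinned to fixed tags (`1-88.1661531722`, `v4.11.0`) with no note on who refreshes them; the reasons are not visible in this diff, but a comment per key such as `# OCP assigns the UID/fsGroup through SCCs; chart-level securityContext is left off` and `# RBAC objects are expected to be created by the cluster admin` would record the intent, if that is what it is. The blank line between `image:` and `repository:` is inconsistent with the rest of the block.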
@@ -15,7 +15,7 @@ questions: label: Yugabyte Platform image repository description: "Yugabyte Platform image repository" - variable: image.tag - default: "2.14.1.0-b36" + default: "2.5.1.0-b153" required: false type: string label: Yugabyte Platform image tag diff --git a/charts/yugabyte/yugaware/templates/_default_values.tpl b/charts/yugabyte/yugaware/templates/_default_values.tpl new file mode 100644 index 000000000..b55e7ba81 --- /dev/null +++ b/charts/yugabyte/yugaware/templates/_default_values.tpl @@ -0,0 +1,14 @@ +{{/* + The usage of helm upgrade [RELEASE] [CHART] --reuse-values --set [variable]:[value] throws an + error in the event that new entries are inserted to the values chart. + + This is because reuse-values flag uses the values from the last release. If --set (/--set-file/ + --set-string/--values/-f) is applied with the reuse-values flag, the values from the last + release are overridden for those variables alone, and newer changes to the chart are + unacknowledged. + + https://medium.com/@kcatstack/understand-helm-upgrade-flags-reset-values-reuse-values-6e58ac8f127e + + To prevent errors while applying upgrade with --reuse-values and --set flags after introducing + new variables, default values can be specified in this file. +*/}} diff --git a/charts/yugabyte/yugaware/templates/_helpers.tpl b/charts/yugabyte/yugaware/templates/_helpers.tpl index 329dba6ce..2ce99a3dc 100644 --- a/charts/yugabyte/yugaware/templates/_helpers.tpl +++ b/charts/yugabyte/yugaware/templates/_helpers.tpl 
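Review bot: `default: "2.5.1.0-b153"` moves the Rancher questions default for `image.tag` backwards from `2.14.1.0-b36`, while Chart.yaml in this same diff sets `appVersion: 2.18.8.0-b42`; unless the questions default is deliberately an old pinned build, this looks like a regression and should read `default: "2.18.8.0-b42"` to match the chart. The new `_default_values.tpl` carries only a comment and defines nothing; a trailing `{{/* No defaults defined yet. */}}` would make clear the file is intentionally empty rather than truncated.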
@@ -169,6 +169,57 @@ server.pem: {{ $serverPemContent }} {{- end -}} {{- end -}} +{{/* +Check export of nss_wrapper environment variables required +*/}} +{{- define "checkNssWrapperExportRequired" -}} + {{- if .Values.securityContext.enabled -}} + {{- if and (ne (int .Values.securityContext.runAsUser) 0) (ne (int .Values.securityContext.runAsUser) 10001) -}} + {{- printf "true" -}} + {{- end -}} + {{- else -}} + {{- printf "false" -}} + {{- end -}} +{{- end -}} + + +{{/* + Verify the extraVolumes and extraVolumeMounts mappings. + Every extraVolumes should have extraVolumeMounts +*/}} +{{- define "yugaware.isExtraVolumesMappingExists" -}} + {{- $lenExtraVolumes := len .extraVolumes -}} + {{- $lenExtraVolumeMounts := len .extraVolumeMounts -}} + + {{- if and (eq $lenExtraVolumeMounts 0) (gt $lenExtraVolumes 0) -}} + {{- fail "You have not provided the extraVolumeMounts for extraVolumes." -}} + {{- else if and (eq $lenExtraVolumes 0) (gt $lenExtraVolumeMounts 0) -}} + {{- fail "You have not provided the extraVolumes for extraVolumeMounts." -}} + {{- else if and (gt $lenExtraVolumes 0) (gt $lenExtraVolumeMounts 0) -}} + {{- $volumeMountsList := list -}} + {{- range .extraVolumeMounts -}} + {{- $volumeMountsList = append $volumeMountsList .name -}} + {{- end -}} + + {{- $volumesList := list -}} + {{- range .extraVolumes -}} + {{- $volumesList = append $volumesList .name -}} + {{- end -}} + + {{- range $volumesList -}} + {{- if not (has . $volumeMountsList) -}} + {{- fail (printf "You have not provided the extraVolumeMounts for extraVolume %s" .) -}} + {{- end -}} + {{- end -}} + + {{- range $volumeMountsList -}} + {{- if not (has . $volumesList) -}} + {{- fail (printf "You have not provided the extraVolumes for extraVolumeMounts %s" .) -}} + {{- end -}} + {{- end -}} + {{- end -}} +{{- end -}} + {{/* Make list of custom http headers */}} @@ -183,4 +234,4 @@ Make list of custom http headers {{- end -}} {{- end -}} ] -{{- end -}} +{{- end -}} \ No newline at end of file 
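Review bot: `checkNssWrapperExportRequired` prints `"true"` only when `securityContext.enabled` and `runAsUser` is neither 0 nor 10001, prints `"false"` when the securityContext is disabled, and prints nothing at all in the enabled-but-0/10001 case, so a caller comparing the include result against `"false"` gets an empty string instead; adding `{{- else -}}{{- printf "false" -}}` to the inner `if` makes the output two-valued. `yugaware.isExtraVolumesMappingExists` calls `len .extraVolumes` and `len .extraVolumeMounts` unguarded, which errors at render time if either key is absent rather than an empty list; `{{- $lenExtraVolumes := len (default list .extraVolumes) -}}` (and the same for mounts) keeps the check total. A doc comment on `checkNssWrapperExportRequired` saying why 10001 is special (presumably the image's built-in UID) would help the next reader.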
diff --git a/charts/yugabyte/yugaware/templates/certificates.yaml b/charts/yugabyte/yugaware/templates/certificates.yaml
new file mode 100644
index 000000000..ff4b7021a
--- /dev/null
+++ b/charts/yugabyte/yugaware/templates/certificates.yaml
@@ -0,0 +1,99 @@ +# Copyright (c) YugaByte, Inc. + +{{- $root := . }} +{{- $tls := $root.Values.tls }} +{{- if and $tls.enabled $tls.certManager.enabled }} +{{- if $tls.certManager.genSelfsigned }} +{{- if $tls.certManager.useClusterIssuer }} +--- +apiVersion: cert-manager.io/v1 +kind: ClusterIssuer +metadata: + name: {{ $root.Release.Name }}-yugaware-cluster-issuer +spec: + selfSigned: {} +{{- else }} # useClusterIssuer=false +--- +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + name: {{ $root.Release.Name }}-yugaware-issuer + namespace: {{ $root.Release.Namespace }} +spec: + selfSigned: {} +--- +{{- end }} # useClusterIssuer +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: {{ $root.Release.Name }}-yugaware-ui-root-ca + namespace: {{ $root.Release.Namespace }} +spec: + isCA: true + commonName: Yugaware self signed CA + secretName: {{ .Release.Name }}-yugaware-root-ca + secretTemplate: + labels: + app: "{{ template "yugaware.name" . }}" + chart: "{{ template "yugaware.chart" . 
}}" + release: {{ .Release.Name | quote }} + heritage: {{ .Release.Service | quote }} + duration: {{ $tls.certManager.configuration.duration | quote }} + renewBefore: {{ $tls.certManager.configuration.renewBefore | quote }} + privateKey: + algorithm: {{ $tls.certManager.configuration.algorithm | quote }} + encoding: PKCS8 + size: {{ $tls.certManager.configuration.keySize }} + rotationPolicy: Always + issuerRef: + {{- if $tls.certManager.useClusterIssuer }} + name: {{ $root.Release.Name }}-yugaware-cluster-issuer + kind: ClusterIssuer + {{- else }} + name: {{ $root.Release.Name }}-yugaware-issuer + kind: Issuer + {{- end }} +--- +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + name: {{ $root.Release.Name }}-yugaware-ca-issuer + namespace: {{ $root.Release.Namespace }} +spec: + ca: + secretName: {{ .Release.Name }}-yugaware-root-ca +--- +{{- end }} # genSelfsigned +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: {{ $root.Release.Name }}-yugaware-ui-tls + namespace: {{ $root.Release.Namespace }} +spec: + isCA: false + commonName: {{ $tls.hostname }} + secretName: {{ .Release.Name }}-yugaware-tls-cert + secretTemplate: + labels: + app: "{{ template "yugaware.name" . }}" + chart: "{{ template "yugaware.chart" . 
}}" + release: {{ .Release.Name | quote }} + heritage: {{ .Release.Service | quote }} + duration: {{ $tls.certManager.configuration.duration | quote }} + renewBefore: {{ $tls.certManager.configuration.renewBefore | quote }} + privateKey: + algorithm: {{ $tls.certManager.configuration.algorithm | quote }} + encoding: PKCS8 + size: {{ $tls.certManager.configuration.keySize }} + rotationPolicy: Always + issuerRef: + name: {{ $tls.certManager.genSelfsigned | ternary (printf "%s%s" $root.Release.Name "-yugaware-ca-issuer") ($tls.certManager.useClusterIssuer | ternary $tls.certManager.clusterIssuer $tls.certManager.issuer) }} + {{- if $tls.certManager.useClusterIssuer }} + kind: ClusterIssuer + {{- else }} + kind: Issuer + {{- end }} +--- +{{- end }} diff --git a/charts/yugabyte/yugaware/templates/configs.yaml b/charts/yugabyte/yugaware/templates/configs.yaml index 932effddd..aa2f3d7c2 100644 --- a/charts/yugabyte/yugaware/templates/configs.yaml +++ b/charts/yugabyte/yugaware/templates/configs.yaml 
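Review bot: The leaf `Certificate` `{{ $root.Release.Name }}-yugaware-ui-tls` sets `commonName: {{ $tls.hostname }}` but no `dnsNames`, and cert-manager does not copy the CN into the SAN list, so the issued certificate has no subjectAltName and TLS clients that ignore the CN will reject it; add `dnsNames:` with `- {{ $tls.hostname | quote }}` under `spec:`. The self-signed root CA uses the same `configuration.duration` and `renewBefore` as the leaf, so the CA can expire at the same time as, or before, the certificate it signed; a longer CA lifetime, or a separate CA duration value, avoids that. Inline YAML comments after template actions (`{{- else }} # useClusterIssuer=false`, `{{- end }} # useClusterIssuer`, `{{- end }} # genSelfsigned`) are emitted into the rendered manifest, and the stacked `---` separators produce empty documents; `{{/* ... */}}` comments keep them out of the output. `$root.Release.Name` and `.Release.Name` are mixed inside the same resources; pick one.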
@@ -31,27 +31,31 @@ data: log.override.path = "/opt/yugabyte/yugaware/data/logs" db { + default.dbname=${POSTGRES_DB} {{ if .Values.postgres.external.host }} default.host="{{ .Values.postgres.external.host }}" default.port={{ .Values.postgres.external.port }} - default.url="jdbc:postgresql://"${db.default.host}":"${db.default.port}"/"${POSTGRES_DB}${db.default.params} {{ else if eq .Values.ip_version_support "v6_only" }} - default.host="::1" - default.url="jdbc:postgresql://[::1]:"${db.default.port}"/"${POSTGRES_DB}${db.default.params} + default.host="[::1]" {{ else }} default.host="127.0.0.1" - default.url="jdbc:postgresql://127.0.0.1:"${db.default.port}"/"${POSTGRES_DB}${db.default.params} {{ end }} + default.url="jdbc:postgresql://"${db.default.host}":"${db.default.port}"/"${db.default.dbname}${db.default.params} default.params="{{ .Values.jdbcParams }}" - default.driver=org.postgresql.Driver default.username=${POSTGRES_USER} default.password=${POSTGRES_PASSWORD} - default.logStatements=true - default.migration.initOnMigrate=true - default.migration.auto=true - } - ebean { - default = ["com.yugabyte.yw.models.*"] + {{ if .Values.yugaware.cloud.enabled }} + perf_advisor.driver="org.hsqldb.jdbc.JDBCDriver" + perf_advisor.url="jdbc:hsqldb:mem:perf-advisor" + perf_advisor.createDatabaseIfMissing=false + perf_advisor.username="sa" + perf_advisor.password="sa" + perf_advisor.migration.auto=false + perf_advisor.migration.disabled=true + {{ else }} + perf_advisor.url="jdbc:postgresql://"${db.default.host}":"${db.default.port}"/"${db.perf_advisor.dbname}${db.default.params} + perf_advisor.createDatabaseUrl="jdbc:postgresql://"${db.default.host}":"${db.default.port}"/"${db.default.dbname}${db.default.params} + {{ end }} } {{- if .Values.tls.enabled }} 
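Review bot: The cloud branch hard-codes `perf_advisor.username="sa"` / `perf_advisor.password="sa"` for the `jdbc:hsqldb:mem:perf-advisor` store; the database is in-process and never listens on the network, but a comment saying so (`# in-memory HSQLDB, process-local; not a real credential`) stops it reading like a secret that needs rotating. `perf_advisor.createDatabaseUrl` connects to `db.default.dbname` to create the perf-advisor database, which only works if `POSTGRES_USER` has CREATEDB on an external instance; the `postgres.external` values should mention that requirement. `default.host="[::1]"` now carries the brackets in the host value itself, so any other consumer of `db.default.host` expecting a bare address would see them; only this file is in view, so that is a check rather than a claim.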
@@ -140,7 +144,7 @@ data: {{- range $key, $value := .Values.additionalAppConf.nonStringConf }} {{ $key }} = {{ $value }} {{- end }} -{{- if .Values.tls.enabled }} +{{- if and .Values.tls.enabled (not .Values.tls.certManager.enabled) }} --- apiVersion: v1 kind: Secret @@ -155,8 +159,8 @@ type: Opaque data: {{- include "getOrCreateServerPem" (dict "Namespace" .Release.Namespace "Root" . "Name" (printf "%s%s" .Release.Name "-yugaware-tls-pem")) | nindent 2 }} {{- end }} - --- +{{- if not (and (.Values.ocpCompatibility.enabled) (eq .Values.image.postgres.registry "registry.redhat.io")) }} apiVersion: v1 kind: ConfigMap metadata: @@ -182,6 +186,25 @@ data: docker-upgrade pg_upgrade | tee -a /pg_upgrade_logs/pg_upgrade_11_to_14.log; echo "host all all all scram-sha-256" >> "${PGDATANEW}/pg_hba.conf"; fi +{{- end }} +{{- if .Values.securityContext.enabled }} +--- +apiVersion: "v1" +kind: ConfigMap +metadata: + name: {{ .Release.Name }}-yugaware-pg-prerun + labels: + app: {{ template "yugaware.name" . }} + chart: {{ template "yugaware.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Values.helm2Legacy | ternary "Tiller" (.Release.Service | quote) }} +data: + pg-prerun.sh: | + #!/bin/bash + set -x -o errexit + + mkdir -p $PGDATA && chown -R $PG_UID:$PG_GID $PGDATA; +{{- end }} {{- if .Values.prometheus.remoteWrite.tls.enabled }} --- @@ -252,7 +275,11 @@ data: - 'container_cpu_usage_seconds_total{pod=~"(.*)yb-(.*)"}' - 'container_memory_working_set_bytes{pod=~"(.*)yb-(.*)"}' # kube-state-metrics - - 'kube_pod_container_resource_requests_cpu_cores{pod=~"(.*)yb-(.*)"}' + # Supports >= OCP v4.4 + # OCP v4.4 has upgraded the KSM from 1.8.0 to 1.9.5. + # https://docs.openshift.com/container-platform/4.4/release_notes/ocp-4-4-release-notes.html#ocp-4-4-cluster-monitoring-version-updates + # - 'kube_pod_container_resource_requests_cpu_cores{pod=~"(.*)yb-(.*)"}' + - 'kube_pod_container_resource_requests{pod=~"(.*)yb-(.*)", unit="core"}' static_configs: - targets: 
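Review bot: In the new `-yugaware-pg-prerun` ConfigMap (hunk @@ -182), `pg-prerun.sh` expands `$PGDATA`, `$PG_UID` and `$PG_GID` unquoted and without `nounset`, so an empty `PG_UID` makes `chown -R :$PG_GID` change only the group and an empty `PG_GID` leaves the group at the user's login group, in both cases without an error. I'd use `set -x -o errexit -o nounset` and `mkdir -p "${PGDATA}" && chown -R "${PG_UID}:${PG_GID}" "${PGDATA}"`. The init container that runs this script is in a statefulset.yaml hunk, so the privilege the recursive chown needs is documented (or not) there rather than here.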
@@ -272,8 +299,15 @@ data: regex: "(.*)" target_label: "container_name" replacement: "$1" + # rename new name of the CPU metric to the old name and label + # ref: https://github.com/kubernetes/kube-state-metrics/blob/master/CHANGELOG.md#v200-alpha--2020-09-16 + - source_labels: ["__name__", "unit"] + regex: "kube_pod_container_resource_requests;core" + target_label: "__name__" + replacement: "kube_pod_container_resource_requests_cpu_cores" {{- else }} + {{- if .Values.prometheus.scrapeKubernetesNodes }} - job_name: 'kubernetes-nodes' @@ -322,8 +356,8 @@ data: - targets: ['kube-state-metrics.kube-system.svc.{{.Values.domainName}}:8080'] metric_relabel_configs: # Only keep the metrics which we care about - - source_labels: ["__name__"] - regex: "kube_pod_container_resource_requests_cpu_cores" + - source_labels: ["__name__", "unit"] + regex: "kube_pod_container_resource_requests;core" action: keep # Save the name of the metric so we can group_by since we cannot by __name__ directly... - source_labels: ["__name__"] @@ -342,6 +376,16 @@ data: - source_labels: ["pod_name"] regex: "(.*)yb-(.*)" action: keep + # rename new name of the CPU metric to the old name and label + # ref: https://github.com/kubernetes/kube-state-metrics/blob/master/CHANGELOG.md#v200-alpha--2020-09-16 + - source_labels: ["__name__", "unit"] + regex: "kube_pod_container_resource_requests;core" + target_label: "__name__" + replacement: "kube_pod_container_resource_requests_cpu_cores" + # Keep metrics for CPU, discard duplicate metrics + - source_labels: ["__name__"] + regex: "kube_pod_container_resource_requests_cpu_cores" + action: keep - job_name: 'kubernetes-cadvisor' 
@@ -387,6 +431,21 @@ data: action: keep {{- end }} + {{- end }} + + {{- if .Values.tls.enabled }} + + - job_name: 'platform' + metrics_path: "/api/v1/prometheus_metrics" + scheme: https + tls_config: + insecure_skip_verify: true + static_configs: + - targets: [ + '{{ eq .Values.ip_version_support "v6_only" | ternary "[::1]" "127.0.0.1" }}:9443' + ] + + {{- else }} - job_name: 'platform' metrics_path: "/api/v1/prometheus_metrics" @@ -395,6 +454,14 @@ data: '{{ eq .Values.ip_version_support "v6_only" | ternary "[::1]" "127.0.0.1" }}:9000' ] + {{- end }} + + - job_name: 'node-agent' + metrics_path: "/metrics" + file_sd_configs: + - files: + - '/opt/yugabyte/prometheus/targets/node-agent.*.json' + - job_name: "node" file_sd_configs: - files: @@ -480,6 +547,8 @@ data: replacement: "$1" - job_name: "yugabyte" + tls_config: + insecure_skip_verify: true metrics_path: "/prometheus-metrics" file_sd_configs: - files: diff --git a/charts/yugabyte/yugaware/templates/global-config.yaml b/charts/yugabyte/yugaware/templates/global-config.yaml index 925e1bbb7..4d7f54f45 100644 --- a/charts/yugabyte/yugaware/templates/global-config.yaml +++ b/charts/yugabyte/yugaware/templates/global-config.yaml @@ -16,8 +16,8 @@ data: postgres_user: {{ .Values.postgres.external.user | b64enc | quote }} postgres_password: {{ .Values.postgres.external.pass | b64enc | quote }} {{- else }} - postgres_db: {{ "yugaware" | b64enc | quote }} - postgres_user: {{ "postgres" | b64enc | quote }} + postgres_db: {{ .Values.postgres.dbname | b64enc | quote }} + postgres_user: {{ .Values.postgres.user | b64enc | quote }} postgres_password: {{ include "getOrGeneratePasswordConfigMapToSecret" (dict "Namespace" .Release.Namespace "Name" (printf "%s%s" .Release.Name "-yugaware-global-config") "Key" "postgres_password") | quote }} {{- end }} app_secret: {{ randAlphaNum 64 | b64enc | b64enc | quote }} 
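Review bot: The new TLS `platform` scrape job sets `insecure_skip_verify: true` with no explanation, and the rendered config gives a reader no way to tell it apart from the same setting on a remote target. Here the target is the pod's own loopback address (`[::1]` or `127.0.0.1:9443`), so a one-line comment on the `tls_config` is enough: `# loopback target inside the pod; certificate verification is not meaningful here`. The `{{- end }}` that closes the new `scrapeKubernetesNodes` block at the top of this hunk belongs to an `{{- if }}` opened in an earlier hunk (@@ -272).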
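Review bot: Adding `tls_config: insecure_skip_verify: true` to the `yugabyte` job (hunk @@ -480) disables certificate verification for targets that come from `file_sd_configs`, i.e. remote database nodes rather than loopback, so an on-path host could present any certificate and feed Prometheus metrics that drive alerting and the platform's health views. Unless Prometheus genuinely cannot trust the node certificates, prefer a `ca_file` pointing at the universe CA, or at least gate the setting on a value (for example a proposed `prometheus.scrapeTlsInsecure` key defaulting to the current behaviour) so an operator can tighten it without editing the template. The enclosing `data:` block and the job list continue outside the hunk.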
diff --git a/charts/yugabyte/yugaware/templates/rbac.yaml b/charts/yugabyte/yugaware/templates/rbac.yaml index 907f9e1ce..c1e2e057a 100644 --- a/charts/yugabyte/yugaware/templates/rbac.yaml +++ b/charts/yugabyte/yugaware/templates/rbac.yaml @@ -1,3 +1,4 @@ +{{ if not .Values.yugaware.serviceAccount }} apiVersion: v1 kind: ServiceAccount metadata: @@ -10,6 +11,7 @@ metadata: annotations: {{ toYaml .Values.yugaware.serviceAccountAnnotations | indent 4 }} {{- end }} +{{ end }} {{- if .Values.rbac.create }} {{- if .Values.ocpCompatibility.enabled }} --- @@ -21,7 +23,7 @@ metadata: app: yugaware subjects: - kind: ServiceAccount - name: {{ .Release.Name }} + name: {{ .Values.yugaware.serviceAccount | default .Release.Name }} namespace: {{ .Release.Namespace }} roleRef: kind: ClusterRole 
@@ -29,43 +31,172 @@ roleRef: apiGroup: rbac.authorization.k8s.io {{- else }} --- -kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole metadata: name: {{ .Release.Name }} - labels: - k8s-app: yugaware - kubernetes.io/cluster-service: "true" - addonmanager.kubernetes.io/mode: Reconcile rules: -- apiGroups: [""] - resources: - - nodes - - nodes/proxy - - services - - endpoints - - pods - - pods/exec - verbs: ["get", "list", "watch", "create"] +# Set of permissions required for operator - apiGroups: - - extensions + - operator.yugabyte.io resources: - - ingresses - verbs: ["get", "list", "watch"] -- nonResourceURLs: ["/metrics"] - verbs: ["get"] -- apiGroups: [""] + - "*" + verbs: + - "get" + - "create" + - "delete" + - "patch" + - "list" + - "watch" + - "update" +# Set of permissions required to install, upgrade, delete the yugabyte chart +- apiGroups: + - "policy" resources: - - namespaces - - secrets - - pods/portforward - verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] -- apiGroups: ["", "extensions"] + - "poddisruptionbudgets" + verbs: + - "get" + - "create" + - "delete" + - "patch" +- apiGroups: + - "" resources: - - deployments - - services - verbs: ["create", "get", "list", "watch", "update", "delete"] - + - "services" + verbs: + - "get" + - "delete" + - "create" + - "patch" +- apiGroups: + - "apps" + resources: + - "statefulsets" + verbs: + - "get" + - "list" + - "delete" + - "create" + - "patch" +- apiGroups: + - "" + resources: + - "secrets" + verbs: + - "create" + - "list" + - "get" + - "delete" + - "update" + - "patch" +- apiGroups: + - "cert-manager.io" + resources: + - "certificates" + verbs: + - "create" + - "delete" + - "get" + - "patch" +- apiGroups: + - "" + resources: + - "configmaps" + verbs: + - "get" + - "create" + - "patch" + - "delete" +# Set of permissions required by YBA to manage YB DB universes +- apiGroups: + - "" + resources: + - "namespaces" + verbs: + - "delete" + - "create" + - "patch" 
+ - "get" + - "list" +- apiGroups: + - "" + resources: + - "pods" + verbs: + - "get" + - "list" + - "delete" +- apiGroups: + - "" + resources: + - "services" + verbs: + - "get" + - "list" +- apiGroups: + - "" + resources: + - "persistentvolumeclaims" + verbs: + - "get" + - "patch" + - "list" + - "delete" +- apiGroups: + - "" + resources: + - "pods/exec" + verbs: + - "create" +- apiGroups: + - "apps" + resources: + - "statefulsets/scale" + verbs: + - "patch" +- apiGroups: + - "" + resources: + - "events" + verbs: + - "list" +# required to scrape resource metrics like CPU, memory, etc. +- apiGroups: + - "" + resources: + - "nodes" + verbs: + - "list" + - "get" + - "watch" +# required to scrape resource metrics like CPU, memory, etc. +- apiGroups: + - "" + resources: + - "nodes/proxy" + verbs: + - "get" +# Ref: https://github.com/yugabyte/charts/commit/4a5319972385666487a7bc2cd0c35052f2cfa4c5 +- apiGroups: + - "" + resources: + - "events" + verbs: + - "get" + - "list" + - "watch" + - "create" + - "update" + - "patch" + - "delete" +- apiGroups: + - "" + resources: + - "configmaps" + verbs: + - "list" + - "watch" + - "update" --- kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 @@ -77,7 +208,7 @@ metadata: addonmanager.kubernetes.io/mode: Reconcile subjects: - kind: ServiceAccount - name: {{ .Release.Name }} + name: {{ .Values.yugaware.serviceAccount | default .Release.Name }} namespace: {{ .Release.Namespace }} roleRef: kind: ClusterRole diff --git a/charts/yugabyte/yugaware/templates/service.yaml b/charts/yugabyte/yugaware/templates/service.yaml index 49fd54051..e02bb3d83 100644 --- a/charts/yugabyte/yugaware/templates/service.yaml +++ b/charts/yugabyte/yugaware/templates/service.yaml 
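Review bot: The rewritten ClusterRole grants cluster-wide `list`/`get`/`update`/`delete` on `secrets`, `create` on `pods/exec`, `delete` on `namespaces` and `*` with every verb on `operator.yugabyte.io`, and it is bound through a ClusterRoleBinding, so the YBA service account can read every Secret in the cluster and exec into any pod; the old role already allowed some of this, but the new one widens it and the three `#` group comments explain what the rules are for, not why cluster scope is required. If universes live in namespaces YBA creates itself, a comment saying why namespace-scoped Roles are not an option would help the next reviewer, and `list` on `secrets` in particular deserves a note on which call needs it, since `get` by name covers reading a known Secret. Separately, `configmaps`, `events` and `services` each appear in two rules with split verb sets; merging them into one rule per resource makes the effective permissions easier to audit.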
@@ -40,6 +40,10 @@ spec: {{- if and (eq .Values.yugaware.service.type "LoadBalancer") (.Values.yugaware.service.ip) }} loadBalancerIP: "{{ .Values.yugaware.service.ip }}" {{- end }} + {{- if .Values.yugaware.service.loadBalancerSourceRanges }} + loadBalancerSourceRanges: + {{- toYaml .Values.yugaware.service.loadBalancerSourceRanges | nindent 4 }} + {{- end }} {{- end }} {{- if .Values.yugaware.serviceMonitor.enabled }} --- diff --git a/charts/yugabyte/yugaware/templates/statefulset.yaml b/charts/yugabyte/yugaware/templates/statefulset.yaml index c6a216c1d..f529ebbe6 100644 --- a/charts/yugabyte/yugaware/templates/statefulset.yaml +++ b/charts/yugabyte/yugaware/templates/statefulset.yaml @@ -25,8 +25,11 @@ spec: {{- end }} labels: app: {{ .Release.Name }}-yugaware +{{- if .Values.yugaware.pod.labels }} +{{ toYaml .Values.yugaware.pod.labels | indent 8 }} +{{- end }} spec: - serviceAccountName: {{ .Release.Name }} + serviceAccountName: {{ .Values.yugaware.serviceAccount | default .Release.Name }} imagePullSecrets: - name: {{ .Values.image.pullSecret }} {{- if .Values.securityContext.enabled }} @@ -36,6 +39,30 @@ spec: fsGroupChangePolicy: {{ .Values.securityContext.fsGroupChangePolicy }} {{- end }} {{- end }} + {{- if .Values.nodeSelector }} + nodeSelector: +{{ toYaml .Values.nodeSelector | indent 8}} + {{- end }} + {{- if .Values.tolerations }} + tolerations: + {{- with .Values.tolerations }}{{ toYaml . | nindent 8 }}{{ end }} + {{- end }} + {{- if .Values.zoneAffinity }} + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: failure-domain.beta.kubernetes.io/zone + operator: In + values: +{{ toYaml .Values.zoneAffinity | indent 18 }} + - matchExpressions: + - key: topology.kubernetes.io/zone + operator: In + values: +{{ toYaml .Values.zoneAffinity | indent 18 }} + {{- end }} volumes: - name: yugaware-storage persistentVolumeClaim: 
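Review bot: The `zoneAffinity` block in the statefulset hunk @@ -36 matches on both `failure-domain.beta.kubernetes.io/zone` and `topology.kubernetes.io/zone` without saying why; the beta label is the deprecated pre-1.17 name, and the two `matchExpressions` entries are OR-ed by `nodeSelectorTerms`, which is presumably the intent but is not obvious from the YAML. A comment above the first term, `# deprecated beta label and its GA replacement are both matched (OR) so older nodes still qualify`, would make that explicit. `{{ toYaml .Values.nodeSelector | indent 8}}` is missing the space before `}}` that the rest of the template uses.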
@@ -84,15 +111,36 @@ spec: secret: secretName: {{ .Release.Name }}-yugaware-prometheus-remote-write-tls {{- end }} + {{- if not (and (.Values.ocpCompatibility.enabled) (eq .Values.image.postgres.registry "registry.redhat.io")) }} - name: pg-upgrade-11-to-14 configMap: name: {{ .Release.Name }}-yugaware-pg-upgrade items: - key: pg-upgrade-11-to-14.sh path: pg-upgrade-11-to-14.sh + {{- end }} + - name: pg-init + configMap: + name: {{ .Release.Name }}-yugaware-pg-prerun + items: + - key: pg-prerun.sh + path: pg-prerun.sh + {{- if .Values.postgres.extraVolumes -}} + {{- include "yugaware.isExtraVolumesMappingExists" .Values.postgres -}} + {{- .Values.postgres.extraVolumes | toYaml | nindent 8 -}} + {{ end }} + {{- with .Values.dnsConfig }} + dnsConfig: {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.dnsPolicy }} + dnsPolicy: {{ . | quote }} + {{- end }} initContainers: - image: {{ include "full_yugaware_image" . }} imagePullPolicy: {{ .Values.image.pullPolicy }} + {{- if .Values.initContainers.prometheusConfiguration.resources }} + resources: {{- toYaml .Values.initContainers.prometheusConfiguration.resources | nindent 12 }} + {{ end -}} name: prometheus-configuration {{- if .Values.securityContext.enabled }} command: @@ -120,9 +168,13 @@ spec: - name: init-container-script mountPath: /init-container {{- end }} + {{- if not (and (.Values.ocpCompatibility.enabled) (eq .Values.image.postgres.registry "registry.redhat.io")) }} - image: {{ include "full_image" (dict "containerName" "postgres-upgrade" "root" .) }} imagePullPolicy: {{ .Values.image.pullPolicy }} name: postgres-upgrade + {{- if .Values.initContainers.postgresUpgrade.resources }} + resources: {{- toYaml .Values.initContainers.postgresUpgrade.resources | nindent 12 }} + {{ end -}} command: - 'bash' - '-c' 
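Review bot: The new `pg-init` volume is added unconditionally, but the ConfigMap it references, `{{ .Release.Name }}-yugaware-pg-prerun`, is only rendered when `.Values.securityContext.enabled` is true (configs.yaml hunk @@ -182), so a release with `securityContext.enabled: false` gets a pod that points at a missing ConfigMap and stays in ContainerCreating. Wrap the `- name: pg-init` entry in `{{- if .Values.securityContext.enabled }}` … `{{- end }}`, the same guard the `postgres-init` init container uses in the next hunk. The `{{- if .Values.postgres.extraVolumes -}}` block trims whitespace on both sides of every action and then closes with an untrimmed `{{ end }}`; I'd render it once with a non-empty list to confirm the indentation of the following `dnsConfig` lines survives.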
@@ -152,12 +204,46 @@ spec: - name: yugaware-storage mountPath: /pg_upgrade_logs subPath: postgres_data_14 + {{- end }} + {{- if .Values.securityContext.enabled }} + - image: {{ include "full_image" (dict "containerName" "postgres" "root" .) }} + name: postgres-init + {{- if .Values.initContainers.postgresInit.resources }} + resources: {{- toYaml .Values.initContainers.postgresInit.resources | nindent 12 }} + {{ end -}} + imagePullPolicy: {{ .Values.image.pullPolicy }} + command: ["/bin/bash", "/pg_prerun/pg-prerun.sh"] + env: + - name: PGDATA + value: /var/lib/postgresql/data/pgdata + - name: PG_UID + value: {{ .Values.securityContext.runAsUser | quote }} + - name: PG_GID + value: {{ .Values.securityContext.runAsGroup | quote }} + volumeMounts: + - name: yugaware-storage + mountPath: /var/lib/postgresql/data + subPath: postgres_data_14 + - name: pg-init + mountPath: /pg_prerun + {{- end }} containers: {{ if not .Values.postgres.external.host }} - name: postgres image: {{ include "full_image" (dict "containerName" "postgres" "root" .) }} imagePullPolicy: {{ .Values.image.pullPolicy }} - args: ["-c", "huge_pages=off"] + args: + {{- if and (.Values.ocpCompatibility.enabled) (eq .Values.image.postgres.registry "registry.redhat.io") }} + - "run-postgresql" + {{- end }} + - "-c" + - "huge_pages=off" + {{- if .Values.securityContext.enabled }} + securityContext: + runAsUser: {{ required "runAsUser cannot be empty" .Values.securityContext.runAsUser }} + runAsGroup: {{ .Values.securityContext.runAsGroup | default 0 }} + runAsNonRoot: {{ .Values.securityContext.runAsNonRoot }} + {{- end }} env: - name: POSTGRES_USER valueFrom: 
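Review bot: `PG_GID` for the `postgres-init` init container is rendered from `.Values.securityContext.runAsGroup | quote` with no default, while the `postgres` container in the same hunk uses `runAsGroup: {{ .Values.securityContext.runAsGroup | default 0 }}`, so with `runAsGroup` unset the data directory is chowned with an empty group (`chown -R 10001: …`) but PostgreSQL runs with GID 0. Use the same expression in both places: `value: {{ .Values.securityContext.runAsGroup | default 0 | quote }}`. The init container has no `securityContext` of its own, so it runs as the image default, which the recursive chown presumably relies on; a comment saying that is deliberate would stop someone tightening it later and breaking the chown.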
@@ -174,8 +260,37 @@ spec: secretKeyRef: name: {{ .Release.Name }}-yugaware-global-config key: postgres_db + {{- if and (.Values.ocpCompatibility.enabled) (eq .Values.image.postgres.registry "registry.redhat.io") }} + # Hardcoded the POSTGRESQL_USER because it's mandatory env var in RH PG image + # It doesn't have access to create the DB, so YBA fails to create the perf_advisor DB. + # Need to use admin user of RH PG image (postgres) + # Changing the user name won't be possible moving forward for OpenShift certified chart + - name: POSTGRESQL_USER + value: pg-yba + # valueFrom: + # secretKeyRef: + # name: {{ .Release.Name }}-yugaware-global-config + # key: postgres_user + - name: POSTGRESQL_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Release.Name }}-yugaware-global-config + key: postgres_password + - name: POSTGRESQL_ADMIN_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Release.Name }}-yugaware-global-config + key: postgres_password + - name: POSTGRESQL_DATABASE + valueFrom: + secretKeyRef: + name: {{ .Release.Name }}-yugaware-global-config + key: postgres_db + {{- else }} + # The RH Postgres image doesn't allow this directory to be changed. - name: PGDATA value: /var/lib/postgresql/data/pgdata + {{- end }} ports: - containerPort: 5432 name: postgres @@ -187,8 +302,17 @@ spec: volumeMounts: - name: yugaware-storage + {{- if and (.Values.ocpCompatibility.enabled) (eq .Values.image.postgres.registry "registry.redhat.io") }} + mountPath: /var/lib/pgsql/data + subPath: postgres_data_13 + {{- else }} mountPath: /var/lib/postgresql/data subPath: postgres_data_14 + {{- end }} + {{- if .Values.postgres.extraVolumeMounts -}} + {{- include "yugaware.isExtraVolumesMappingExists" .Values.postgres -}} + {{- .Values.postgres.extraVolumeMounts | toYaml | nindent 12 -}} + {{- end -}} {{ end }} - name: prometheus image: {{ include "full_image" (dict "containerName" "prometheus" "root" .) }} 
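Review bot: In the OCP branch the same `postgres_password` secret key feeds both `POSTGRESQL_PASSWORD` (the `pg-yba` user) and `POSTGRESQL_ADMIN_PASSWORD` (the `postgres` superuser), so the application credential and the superuser credential are identical; the comment above explains why the admin user is needed but not that sharing the password is intentional. Add `# intentionally the same secret key: YBA has to connect as the admin user (see above)` or introduce a separate key for the admin password. The commented-out `valueFrom` block under `POSTGRESQL_USER` is dead text in the template; the prose comment already records the decision, so the block can go.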
@@ -214,6 +338,9 @@ spec: subPath: prometheus.yml - name: yugaware-storage mountPath: /prometheus/ + - mountPath: /opt/yugabyte/yugaware/data/keys/ + name: yugaware-storage + subPath: data/keys {{- if .Values.prometheus.scrapeNodes }} - name: yugaware-storage mountPath: /opt/yugabyte/prometheus/targets @@ -235,6 +362,9 @@ spec: - --web.enable-admin-api - --web.enable-lifecycle - --storage.tsdb.retention.time={{ .Values.prometheus.retentionTime }} + - --query.max-concurrency={{ .Values.prometheus.queryConcurrency }} + - --query.max-samples={{ .Values.prometheus.queryMaxSamples }} + - --query.timeout={{ .Values.prometheus.queryTimeout }} ports: - containerPort: 9090 - name: yugaware @@ -251,12 +381,18 @@ spec: resources: {{ toYaml .Values.yugaware.resources | indent 12 }} {{- end }} - - command: [ "/sbin/tini", "--"] - args: - - "bin/yugaware" - - "-Dconfig.file=/data/application.docker.conf" + args: ["bin/yugaware","-Dconfig.file=/data/application.docker.conf"] env: + # Conditionally set these env variables, if runAsUser is not 0(root) + # or 10001(yugabyte). + {{- if eq (include "checkNssWrapperExportRequired" .) "true" }} + - name: NSS_WRAPPER_GROUP + value: "/tmp/group.template" + - name: NSS_WRAPPER_PASSWD + value: "/tmp/passwd.template" + - name: LD_PRELOAD + value: "/usr/lib64/libnss_wrapper.so" + {{- end }} - name: POSTGRES_USER valueFrom: secretKeyRef: @@ -277,6 +413,7 @@ spec: secretKeyRef: name: {{ .Release.Name }}-yugaware-global-config key: app_secret + {{- with .Values.yugaware.extraEnv }}{{ toYaml . | nindent 12 }}{{ end }} ports: - containerPort: 9000 name: yugaware @@ -293,6 +430,9 @@ spec: - name: yugaware-storage mountPath: /opt/yugabyte/releases/ subPath: releases + - name: yugaware-storage + mountPath: /opt/yugabyte/ybc/releases/ + subPath: ybc_releases # old path for backward compatibility - name: yugaware-storage mountPath: /opt/releases/ 
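Review bot: The new mount of `yugaware-storage` subPath `data/keys` at `/opt/yugabyte/yugaware/data/keys/` in the `prometheus` container has no `readOnly: true`, so Prometheus gets write access to YBA's key directory; if the mount exists so Prometheus can read TLS material for the `node-agent` and `yugabyte` scrape jobs (which the configs.yaml hunks suggest), read access is all it needs. Add `readOnly: true` to the mount and a comment naming what is read from there. Dropping `/sbin/tini --` as the entrypoint in hunk @@ -251 makes `bin/yugaware` PID 1; a line in the commit message on how signal forwarding and zombie reaping are handled now would help reviewers.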
diff --git a/charts/yugabyte/yugaware/templates/tests/test.yaml b/charts/yugabyte/yugaware/templates/tests/test.yaml new file mode 100644 index 000000000..89d02035c --- /dev/null +++ b/charts/yugabyte/yugaware/templates/tests/test.yaml @@ -0,0 +1,37 @@ +apiVersion: v1 +kind: Pod +metadata: + name: {{ .Release.Name }}-yugaware-test + labels: + app: {{ .Release.Name }}-yugaware-test + chart: {{ template "yugaware.chart" . }} + release: {{ .Release.Name }} + annotations: + "helm.sh/hook": test +spec: + imagePullSecrets: + - name: {{ .Values.image.pullSecret }} + containers: + - name: yugaware-test + image: {{ include "full_yugaware_image" . }} + command: + - '/bin/bash' + - '-ec' + - > + sleep 60s; + {{- if .Values.tls.enabled }} + - > + curl --head -k https://{{ .Release.Name }}-yugaware-ui + {{- else }} + - > + curl --head http://{{ .Release.Name }}-yugaware-ui + {{- end }} + # Hard coded resources to the test pod. + resources: + limits: + cpu: "1" + memory: "512Mi" + requests: + cpu: "0.5" + memory: "256Mi" + restartPolicy: Never diff --git a/charts/yugabyte/yugaware/tests/test_resources.yaml b/charts/yugabyte/yugaware/tests/test_resources.yaml new file mode 100644 index 000000000..cc793a585 --- /dev/null +++ b/charts/yugabyte/yugaware/tests/test_resources.yaml 
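Review bot: The test pod's `command` passes the `sleep` and the `curl` as two separate list items after `-ec`, and bash `-c` executes only the first non-option argument (the next one becomes `$0`), so the rendered hook runs `sleep 60s;` and exits 0 without ever sending the request. Fold both into one scalar per branch: `- >` followed by `sleep 60s; curl --fail --head -k https://{{ .Release.Name }}-yugaware-ui` (and the http equivalent); `--fail` is needed as well because `--head` alone returns success on a 5xx. `-k` is understandable when the UI certificate is self-signed, but a comment saying so would keep it from being copied into non-test manifests.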
@@ -0,0 +1,40 @@ +suite: Resources verification +templates: +- statefulset.yaml +- configs.yaml +tests: +- it: YBA container + template: statefulset.yaml + asserts: + - isNotEmpty: + path: spec.template.spec.containers[?(@.name == "yugaware")].resources.requests + +- it: Postgres container + template: statefulset.yaml + asserts: + - isNotEmpty: + path: spec.template.spec.containers[?(@.name == "postgres")].resources.requests + +- it: Prometheus container + template: statefulset.yaml + asserts: + - isNotEmpty: + path: spec.template.spec.containers[?(@.name == "prometheus")].resources.requests + +- it: Postgres-init initContainer + template: statefulset.yaml + asserts: + - isNotEmpty: + path: spec.template.spec.initContainers[?(@.name == "postgres-init")].resources.requests + +- it: Prometheus-configuration initContainer + template: statefulset.yaml + asserts: + - isNotEmpty: + path: spec.template.spec.initContainers[?(@.name == "prometheus-configuration")].resources.requests + +- it: Postgres-upgrade initContainer + template: statefulset.yaml + asserts: + - isNotEmpty: + path: spec.template.spec.initContainers[?(@.name == "postgres-upgrade")].resources.requests diff --git a/charts/yugabyte/yugaware/values.yaml b/charts/yugabyte/yugaware/values.yaml index b7a32b670..861540fec 100644 --- a/charts/yugabyte/yugaware/values.yaml +++ b/charts/yugabyte/yugaware/values.yaml 
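Review bot: The `Postgres-init initContainer` and `Postgres-upgrade initContainer` cases only pass under the default values, because those init containers are rendered conditionally in statefulset.yaml (`securityContext.enabled`, and the `ocpCompatibility`/`registry.redhat.io` check); pinning the assumption with `set:` (e.g. `set: {securityContext.enabled: true}`) makes each test self-describing and stops it breaking silently when a default changes. `configs.yaml` is listed under `templates:` but no test references it, so it can be dropped.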
@@ -2,20 +2,22 @@ # This is a YAML-formatted file. # Declare variables to be passed into your templates. +fullnameOverride: "" +nameOverride: "" + image: commonRegistry: "" # Setting commonRegistry to say, quay.io overrides the registry settings for all images # including the yugaware image repository: quay.io/yugabyte/yugaware - tag: 2.14.17.0-b6 + tag: 2.18.8.0-b42 pullPolicy: IfNotPresent pullSecret: yugabyte-k8s-pull-secret ## Docker config JSON File name ## If set, this file content will be used to automatically create secret named as above - # pullSecretFile: - - + pullSecretFile: "" + postgres: registry: "" tag: '14.9' @@ -31,36 +33,46 @@ image: tag: v2.47.1 name: prom/prometheus + yugaware: replicas: 1 storage: 100Gi storageClass: "" storageAnnotations: {} multiTenant: false - serviceAccount: yugaware + ## Name of existing ServiceAccount. When provided, the chart won't create a ServiceAccount. + ## It will attach the required RBAC roles to it. + ## Helpful in Yugabyte Platform GKE App. + serviceAccount: '' serviceMonitor: enabled: false annotations: {} serviceAccountAnnotations: {} service: annotations: {} + clusterIP: "" enabled: true ip: "" type: "LoadBalancer" + ## whitelist source CIDRs + #loadBalancerSourceRanges: + #- 0.0.0.0/0 + #- 192.168.100.0/24 pod: annotations: {} + labels: {} health: username: "" password: "" email: "" resources: requests: - cpu: 2 + cpu: "2" memory: 4Gi enableProxyMetricsAuth: true ## List of additional alowed CORS origins in case of complex rev-proxy additionAllowedCorsOrigins: [] - proxyEndpointTimeoutMs: 1 minute + proxyEndpointTimeoutMs: 3 minute ## Enables features specific for cloud deployments cloud: enabled: false 
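Review bot: The commented example for `loadBalancerSourceRanges` starts with `0.0.0.0/0`, which is the "allow everything" range and the line most likely to be copied verbatim; since the knob exists to restrict the LoadBalancer, show only a private range (`#- 192.168.100.0/24`) and say `## Restrict LoadBalancer ingress to these CIDRs; leaving it unset allows all sources`. The new `serviceAccount` comment says the chart attaches the RBAC roles to an existing account, which matches rbac.yaml; adding that the account must already exist in the release namespace would save a failed install.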
@@ -71,6 +83,10 @@ yugaware: # Note that the default of 0 doesn't really make sense since a StatefulSet isn't allowed to schedule extra replicas. However it is maintained as the default while we do additional testing. This value will likely change in the future. maxUnavailable: 0 + universe_boot_script: "" + + extraEnv: [] + # In case client wants to enable the additional headers to the YBA's http response # Previously, it was possible via nginx, but given that we no longer have it, we can # expose the same as application config/runtime config. @@ -79,6 +95,10 @@ yugaware: ## Configure PostgreSQL part of the application postgres: + # DO NOT CHANGE if using OCP Certified helm chart + user: postgres + dbname: yugaware + service: ## Expose internal Postgres as a Service enabled: false @@ -91,12 +111,12 @@ postgres: resources: requests: - cpu: 0.5 + cpu: "0.5" memory: 1Gi # If external.host is set then we will connect to an external postgres database server instead of starting our own. external: - host: null + host: "" port: 5432 pass: "" dbname: postgres 
@@ -105,22 +125,65 @@ postgres: ## JDBC connection parameters including the leading `?`. jdbcParams: "" + + ## Extra volumes + ## extraVolumesMounts are mandatory for each extraVolumes. + ## Ref: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.22/#volume-v1-core + ## Example: + # extraVolumes: + # - name: custom-nfs-vol + # persistentVolumeClaim: + # claimName: some-nfs-claim + extraVolumes: [] + + ## Extra volume mounts + ## Ref: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.22/#volumemount-v1-core + ## Example: + # extraVolumeMounts: + # - name: custom-nfs-vol + # mountPath: /home/yugabyte/nfs-backup + extraVolumeMounts: [] + tls: enabled: false hostname: "localhost" - certificate: "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" - key: "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" + ## Expects base 64 encoded values for certificate and key. + certificate: "" + key: "" sslProtocols: "" # if set, override default Nginx SSL protocols setting + ## cert-manager values + ## If cert-manager is enabled: + ## If genSelfsigned: true: + ## Create a self-signed issuer/clusterIssuer + ## Generate a rootCA using the above issuer. 
+ ## Generate a tls certificate with secret name as: {{ .Release.Name }}-yugaware-tls-cert + ## Else if genSelfsigned: false: + ## Expect a clusterIssuer/issuer to be provided by user + ## Generate a tls cert based on above issuer with secret name as: {{ .Release.Name }}-yugaware-tls-cert + certManager: + enabled: false + genSelfsigned: true + useClusterIssuer: false + clusterIssuer: cluster-ca + issuer: yugaware-ca + ## Configuration for the TLS certificate requested from Issuer/ClusterIssuer + configuration: + duration: 8760h # 90d + renewBefore: 240h # 15d + algorithm: RSA # ECDSA or RSA + # Can be 2048, 4096 or 8192 for RSA + # Or 256, 384 or 521 for ECDSA + keySize: 2048 ## yugaware pod Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ securityContext: - enabled: false + enabled: true ## fsGroup related values are set at the pod level. fsGroup: 10001 fsGroupChangePolicy: "OnRootMismatch" - ## The following values are set for yugaware and prometheus containers. - ## Setting runAsUser other than 10001 will fail the VM universe deployment flow. + ## Expected to have runAsUser values != 0 when + ## runAsNonRoot is set to true, otherwise container creation fails. runAsUser: 10001 runAsGroup: 10001 runAsNonRoot: true 
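Review bot: The cert-manager `configuration` comments disagree with the values: `duration: 8760h # 90d` is 365 days and `renewBefore: 240h # 15d` is 10 days. Fix the comments (`# 365d`, `# 10d`) or the values, whichever was intended. Replacing the previously embedded default `certificate`/`key` with empty strings is the right call; it would help to state in the comment what happens when `tls.enabled` is true and both are left empty, which appears to be the `getOrCreateServerPem` path in configs.yaml.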
@@ -150,15 +213,66 @@ ocpCompatibility: # Extra containers to add to the pod. sidecars: [] +## Following two controls for placement of pod - nodeSelector and AZ affinity. +## Note: Remember to also provide a yugaware.StorageClass that has a olumeBindingMode of +## WaitForFirstConsumer so that the PVC is created in the right topology visible to this pod. +## See https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector +## eg. +## nodeSelector: +## topology.kubernetes.io/region: us-west1 +nodeSelector: {} + +## Affinity to a particular zone for the pod. +## See https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity +## eg. +## nodeAffinity: +## requiredDuringSchedulingIgnoredDuringExecution: +## nodeSelectorTerms: +## - matchExpressions: +## - key: failure-domain.beta.kubernetes.io/zone +## operator: In +## values: +## - us-west1-a +## - us-west1-b +zoneAffinity: {} + +## The tolerations that the pod should have. +## See https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ +tolerations: [] + +## @param dnsPolicy DNS Policy for pod +## ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/ +## E.g. +## dnsPolicy: ClusterFirst +dnsPolicy: "" +## @param dnsConfig DNS Configuration pod +## ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/ +## E.g. +## dnsConfig: +## options: +## - name: ndots +## value: "4" +dnsConfig: {} + ## Don't want prometheus to scrape nodes and evaluate alert rules in some cases (for example - cloud). prometheus: + ## Setting this to false will disable scraping of TServer and Master + ## nodes (could be pods or VMs) scrapeNodes: true evaluateAlertRules: true retentionTime: 15d + queryConcurrency: 20 + queryMaxSamples: 5000000 + queryTimeout: 30s + ## Set this to false to disable scraping of Kubernetes worker + ## nodes. 
Setting this to false will results in blank graphs of + ## resource utilization for Kubernetes universes. Useful for + ## scenarios where only VM based universes are being created. + scrapeKubernetesNodes: true resources: requests: - cpu: 2 + cpu: "2" memory: 4Gi ## Prometheus remote write config, as described here: @@ -179,8 +293,10 @@ prometheus: # Arbitrary key=value config entries for application.docker.conf additionalAppConf: - stringConf: - nonStringConf: + stringConf: {} + nonStringConf: {} + +jdbcParams: "" ## Override the APIVersion used by policy group for ## PodDisruptionBudget resources. The chart selects the correct @@ -188,3 +304,25 @@ additionalAppConf: ## to modify this unless you are using helm template command i.e. GKE ## app's deployer image against a Kubernetes cluster >= 1.21. # pdbPolicyVersionOverride: "v1beta1" +pdbPolicyVersionOverride: "" + +initContainers: + prometheusConfiguration: + resources: + ## https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#resource-requests-and-limits-of-pod-and-container + ## Use the above link to learn more about Kubernetes resources configuration. + requests: + cpu: "0.25" + memory: 500Mi + + postgresUpgrade: + resources: + requests: + cpu: "0.5" + memory: 500Mi + + postgresInit: + resources: + requests: + cpu: "0.25" + memory: 500Mi diff --git a/index.yaml b/index.yaml index 7b1b2e34e..d2e454d6e 100644 --- a/index.yaml +++ b/index.yaml 
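Review bot: The `zoneAffinity` comment shows a full `nodeAffinity` structure as the example, but statefulset.yaml consumes the value as a plain list of zone names spliced under `values:` via `toYaml .Values.zoneAffinity | indent 18`, so a user copying the example produces an invalid affinity. Replace the example with `## zoneAffinity:` / `##   - us-west1-a` / `##   - us-west1-b`, and mention that the `{}` default only works because the template tests truthiness. Also `olumeBindingMode` in the `nodeSelector` comment is missing its leading `v`, and "will results in blank graphs" under `scrapeKubernetesNodes` should read "will result".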
@@ -241,6 +241,40 @@ entries: - assets/amd/amd-gpu-0.9.0.tgz version: 0.9.0 artifactory-ha: + - annotations: + artifactoryServiceVersion: 7.84.19 + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: JFrog Artifactory HA + catalog.cattle.io/kube-version: '>= 1.19.0-0' + catalog.cattle.io/release-name: artifactory-ha + apiVersion: v2 + appVersion: 7.84.16 + created: "2024-07-02T21:23:48.2461829Z" + dependencies: + - condition: postgresql.enabled + name: postgresql + repository: file://./charts/postgresql + version: 10.3.18 + description: Universal Repository Manager supporting all major packaging formats, + build tools and CI servers. + digest: 2e6b399a51948e51ac531eca48c877314043ce663b7e2c6bf9c6bc9e758fad05 + home: https://www.jfrog.com/artifactory/ + icon: https://raw.githubusercontent.com/jfrog/charts/ea5c3112c24a973f64f3ccd99747323db292a369/stable/artifactory-ha/logo/artifactory-logo.png + keywords: + - artifactory + - jfrog + - devops + kubeVersion: '>= 1.19.0-0' + maintainers: + - email: installers@jfrog.com + name: Chart Maintainers at JFrog + name: artifactory-ha + sources: + - https://github.com/jfrog/charts + type: application + urls: + - assets/jfrog/artifactory-ha-107.84.16.tgz + version: 107.84.16 - annotations: artifactoryServiceVersion: 7.84.18 catalog.cattle.io/certified: partner 
@@ -1336,6 +1370,40 @@ entries: - assets/jfrog/artifactory-ha-107.55.14.tgz version: 107.55.14 artifactory-jcr: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: JFrog Container Registry + catalog.cattle.io/kube-version: '>= 1.19.0-0' + catalog.cattle.io/release-name: artifactory-jcr + apiVersion: v2 + appVersion: 7.84.16 + created: "2024-07-02T21:23:48.509256617Z" + dependencies: + - name: artifactory + repository: file://./charts/artifactory + version: 107.84.16 + description: JFrog Container Registry + digest: 28c0e05d28e67e54ca99468aa1cb9e91fa9c43d74bbe90dc8d921b0178365b23 + home: https://jfrog.com/container-registry/ + icon: https://raw.githubusercontent.com/jfrog/charts/ea5c3112c24a973f64f3ccd99747323db292a369/stable/artifactory-jcr/logo/jcr-logo.png + keywords: + - artifactory + - jfrog + - container + - registry + - devops + - jfrog-container-registry + kubeVersion: '>= 1.19.0-0' + maintainers: + - email: helm@jfrog.com + name: Chart Maintainers at JFrog + name: artifactory-jcr + sources: + - https://github.com/jfrog/charts + type: application + urls: + - assets/jfrog/artifactory-jcr-107.84.16.tgz + version: 107.84.16 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: JFrog Container Registry 
@@ -4812,6 +4880,36 @@ entries: - assets/cockroach-labs/cockroachdb-11.0.1.tgz version: 11.0.1 community-operator: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: MongoDB Community Operator + catalog.cattle.io/kube-version: '>=1.16-0' + catalog.cattle.io/release-name: community-operator + apiVersion: v2 + appVersion: 0.10.0 + created: "2024-07-02T21:24:06.286400561Z" + dependencies: + - condition: community-operator-crds.enabled + name: community-operator-crds + repository: file://./charts/community-operator-crds + version: 0.10.0 + description: MongoDB Kubernetes Community Operator + digest: 63598ae4fd13e67472ccb21336407904add5827253ee51ad08eee93b7ece222e + home: https://github.com/mongodb/mongodb-kubernetes-operator + icon: https://mongodb-images-new.s3.eu-west-1.amazonaws.com/leaf-green-dark.png + keywords: + - mongodb + - database + - nosql + kubeVersion: '>=1.16-0' + maintainers: + - email: support@mongodb.com + name: MongoDB + name: community-operator + type: application + urls: + - assets/mongodb/community-operator-0.10.0.tgz + version: 0.10.0 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: MongoDB Community Operator 
@@ -5802,12 +5900,29 @@ entries: catalog.cattle.io/featured: "1" catalog.cattle.io/release-name: cost-analyzer apiVersion: v2 + appVersion: 2.3.1 + created: "2024-07-02T21:23:54.985726016Z" + description: Kubecost Helm chart - monitor your cloud costs! + digest: 5443d474c780fd3872a2ed44bd49ac80642dd038d4a0bf4841f5b5c734f81974 + icon: https://partner-charts.rancher.io/assets/logos/kubecost.png + name: cost-analyzer + urls: + - assets/kubecost/cost-analyzer-2.3.1.tgz + version: 2.3.1 + - annotations: + artifacthub.io/links: | + - name: Homepage + url: https://www.kubecost.com + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Kubecost + catalog.cattle.io/release-name: cost-analyzer + apiVersion: v2 appVersion: 2.2.5 - created: "2024-05-22T00:54:39.805032631Z" + created: "2024-07-02T21:23:49.238927032Z" description: A Helm chart that sets up Kubecost, Prometheus, and Grafana to monitor cloud costs. - digest: 8d9f0e49c5c0d31775452d11b5780e33974f13e4b6e16d95c6861500cb60c4d6 - icon: file://assets/icons/cost-analyzer.png + digest: 32590e4d0932a9e432d05f5ff967d8a9aae78e18936f49c8cf909ac27931b725 + icon: https://partner-charts.rancher.io/assets/logos/kubecost.png name: cost-analyzer urls: - assets/kubecost/cost-analyzer-2.2.5.tgz 
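Review bot: The already-published `cost-analyzer` entry is re-issued under the same `version: 2.2.5` with a new `digest` (`8d9f0e49…` → `32590e4d…`) and a new `created` timestamp, which breaks the immutability consumers assume of a chart repository: a client that cached the earlier tarball or pinned its digest will now either fail verification or silently receive different content depending on cache state. A released version should stay byte-for-byte as published; if the icon change must ship, give the re-packaged chart a distinct catalog version (the index already does this for repackaged charts, e.g. k10 `version: 7.0.201` for `appVersion: 7.0.2`) and leave the original 2.2.5 entry untouched. Since the only visible metadata difference is `icon: file://assets/icons/cost-analyzer.png` → `https://partner-charts.rancher.io/assets/logos/kubecost.png`, it is worth confirming the new tarball differs from the old one only in that respect, so the changed digest is not masking unrelated content changes.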
@@ -7559,6 +7674,40 @@ entries: - assets/dell/csi-vxflexos-2.7.0.tgz version: 2.7.0 csi-wekafsplugin: + - annotations: + artifacthub.io/category: storage + artifacthub.io/containsSecurityUpdates: "true" + artifacthub.io/license: Apache-2.0 + artifacthub.io/prerelease: "false" + artifacthub.io/signKey: | + fingerprint: BA9F2D31BE9193E01FA17450BCE0A5CF67AC0C59 + url: https://weka.github.io/csi-wekafs/csi-public.gpg + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: WekaFS CSI Driver + catalog.cattle.io/release-name: csi-wekafsplugin + apiVersion: v2 + appVersion: v2.4.0 + created: "2024-07-02T21:24:07.732131759Z" + description: Helm chart for Deployment of WekaIO Container Storage Interface (CSI) + plugin for WekaFS - the world fastest filesystem + digest: 03f4506ccb4b5bb84f115103737057ba16cfd4cb3745a45f23f9597cc13abc93 + home: https://github.com/weka/csi-wekafs + icon: https://weka.github.io/csi-wekafs/logo.png + keywords: + - storage + - filesystem + - HPC + maintainers: + - email: csi@weka.io + name: WekaIO, Inc. + url: https://weka.io + name: csi-wekafsplugin + sources: + - https://github.com/weka/csi-wekafs/tree/v2.4.0 + type: application + urls: + - assets/weka/csi-wekafsplugin-2.4.0.tgz + version: 2.4.0 - annotations: artifacthub.io/category: storage artifacthub.io/containsSecurityUpdates: "true" 
@@ -8106,6 +8255,33 @@ entries: - assets/dh2i/dxoperator-1.0.1.tgz version: 1.0.1 dynatrace-operator: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Dynatrace Operator + catalog.cattle.io/kube-version: '>=1.19.0-0' + catalog.cattle.io/release-name: dynatrace-operator + apiVersion: v2 + appVersion: 1.2.0 + created: "2024-07-02T21:23:47.369607112Z" + description: The Dynatrace Operator Helm chart for Kubernetes and OpenShift + digest: d5d6ff8a0b5745c863846475623e0188de64a6ec567fb6df5f5c026fc0acd3ad + home: https://www.dynatrace.com/ + icon: https://assets.dynatrace.com/global/resources/Signet_Logo_RGB_CP_512x512px.png + kubeVersion: '>=1.19.0-0' + maintainers: + - email: marcell.sevcsik@dynatrace.com + name: 0sewa0 + - email: christoph.muellner@dynatrace.com + name: chrismuellner + - email: lukas.hinterreiter@dynatrace.com + name: luhi-DT + name: dynatrace-operator + sources: + - https://github.com/Dynatrace/dynatrace-operator + type: application + urls: + - assets/dynatrace/dynatrace-operator-1.2.0.tgz + version: 1.2.0 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Dynatrace Operator 
@@ -11386,6 +11562,34 @@ entries: - assets/gopaddle/gopaddle-4.2.7.tgz version: 4.2.7 haproxy: + - annotations: + artifacthub.io/changes: | + - Use Ingress Controller 3.0.0 version for base image + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: HAProxy Kubernetes Ingress Controller + catalog.cattle.io/kube-version: '>=1.23.0-0' + catalog.cattle.io/release-name: haproxy + apiVersion: v2 + appVersion: 3.0.0 + created: "2024-07-02T21:23:47.65365991Z" + description: A Helm chart for HAProxy Kubernetes Ingress Controller + digest: 2a2caab03a6386176cc5e41343cc162bd0d5b9b695298b8d4c9fe6100db6d4ac + home: https://github.com/haproxytech/helm-charts/tree/main/kubernetes-ingress + icon: https://raw.githubusercontent.com/haproxytech/helm-charts/main/kubernetes-ingress/chart-icon.png + keywords: + - ingress + - haproxy + kubeVersion: '>=1.23.0-0' + maintainers: + - email: dkorunic@haproxy.com + name: Dinko Korunic + name: haproxy + sources: + - https://github.com/haproxytech/kubernetes-ingress + type: application + urls: + - assets/haproxy/haproxy-1.40.0.tgz + version: 1.40.0 - annotations: artifacthub.io/changes: | - Replace tpl with default for Ingress Controller image tag (#244) 
@@ -12070,6 +12274,39 @@ entries: - assets/haproxy/haproxy-1.30.6.tgz version: 1.30.6 harbor: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Harbor + catalog.cattle.io/kube-version: '>=1.20-0' + catalog.cattle.io/release-name: harbor + apiVersion: v1 + appVersion: 2.11.0 + created: "2024-07-02T21:23:47.67606149Z" + description: An open source trusted cloud native registry that stores, signs, + and scans content + digest: 7ca26fd1032b714c5c8d7536118773a7ff54c6a697c26558f59fbf601745485c + home: https://goharbor.io + icon: https://raw.githubusercontent.com/goharbor/website/main/static/img/logos/harbor-icon-color.png + keywords: + - docker + - registry + - harbor + maintainers: + - email: yan-yw.wang@broadcom.com + name: Yan Wang + - email: wenkai.yin@broadcom.com + name: Wenkai Yin + - email: miner.yang@broadcom.com + name: Miner Yang + - email: shengwen.yu@broadcom.com + name: Shengwen Yu + name: harbor + sources: + - https://github.com/goharbor/harbor + - https://github.com/goharbor/harbor-helm + urls: + - assets/harbor/harbor-1.15.0.tgz + version: 1.15.0 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Harbor 
@@ -12488,6 +12725,36 @@ entries: - assets/hpe/hpe-csi-info-metrics-1.0.2.tgz version: 1.0.2 instana-agent: + - annotations: + artifacthub.io/links: | + - name: Instana website + url: https://www.ibm.com/products/instana + - name: Instana Helm charts + url: https://github.com/instana/helm-charts + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Instana Agent + catalog.cattle.io/kube-version: '>=1.21-0' + catalog.cattle.io/release-name: instana-agent + apiVersion: v2 + appVersion: 1.275.0 + created: "2024-07-02T21:23:47.825996372Z" + description: Instana Agent for Kubernetes + digest: 4fbd0cd2b5c085cb5197c84e01c0ba1ee97e73cc34427ec32ad1915aa577cc45 + home: https://www.instana.com/ + icon: https://agents.instana.io/helm/stan-logo-2020.png + maintainers: + - email: felix.marx@ibm.com + name: FelixMarxIBM + - email: henning.treu@ibm.com + name: htreu + - email: torsten.kohn@ibm.com + name: tkohn + name: instana-agent + sources: + - https://github.com/instana/instana-agent-docker + urls: + - assets/instana/instana-agent-1.2.73.tgz + version: 1.2.73 - annotations: artifacthub.io/links: | - name: Instana website 
@@ -13080,6 +13347,63 @@ entries: - assets/intel/intel-device-plugins-sgx-0.26.1.tgz version: 0.26.1 jenkins: + - annotations: + artifacthub.io/category: integration-delivery + artifacthub.io/changes: | + - Update `jenkins/inbound-agent` to version `3256.v88a_f6e922152-1` + artifacthub.io/images: | + - name: jenkins + image: docker.io/jenkins/jenkins:2.452.2-jdk17 + - name: k8s-sidecar + image: docker.io/kiwigrid/k8s-sidecar:1.27.4 + - name: inbound-agent + image: jenkins/inbound-agent:3256.v88a_f6e922152-1 + artifacthub.io/license: Apache-2.0 + artifacthub.io/links: | + - name: Chart Source + url: https://github.com/jenkinsci/helm-charts/tree/main/charts/jenkins + - name: Jenkins + url: https://www.jenkins.io/ + - name: support + url: https://github.com/jenkinsci/helm-charts/issues + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Jenkins + catalog.cattle.io/kube-version: '>=1.14-0' + catalog.cattle.io/release-name: jenkins + apiVersion: v2 + appVersion: 2.452.2 + created: "2024-07-02T21:23:47.988743756Z" + description: 'Jenkins - Build great things at any scale! As the leading open source + automation server, Jenkins provides over 1800 plugins to support building, deploying + and automating any project. 
' + digest: 784458877bab61f87703d0fa4700c4197782710f207ed9d2e5900d57525f113e + home: https://www.jenkins.io/ + icon: https://get.jenkins.io/art/jenkins-logo/logo.svg + keywords: + - jenkins + - ci + - devops + maintainers: + - email: maor.friedman@redhat.com + name: maorfr + - email: mail@torstenwalter.de + name: torstenwalter + - email: garridomota@gmail.com + name: mogaal + - email: wmcdona89@gmail.com + name: wmcdona89 + - email: timjacomb1@gmail.com + name: timja + name: jenkins + sources: + - https://github.com/jenkinsci/jenkins + - https://github.com/jenkinsci/docker-inbound-agent + - https://github.com/maorfr/kube-tasks + - https://github.com/jenkinsci/configuration-as-code-plugin + type: application + urls: + - assets/jenkins/jenkins-5.3.3.tgz + version: 5.3.3 - annotations: artifacthub.io/category: integration-delivery artifacthub.io/changes: | 
@@ -16001,6 +16325,62 @@ entries: - assets/trilio/k8s-triliovault-operator-3.1.1.tgz version: 3.1.1 k10: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: K10 + catalog.cattle.io/kube-version: '>= 1.17.0-0' + catalog.cattle.io/release-name: k10 + apiVersion: v2 + appVersion: 7.0.3 + created: "2024-07-02T21:23:48.831624651Z" + dependencies: + - condition: grafana.enabled + name: grafana + repository: file://./charts/grafana + version: 7.3.2 + - condition: prometheus.server.enabled + name: prometheus + repository: file://./charts/prometheus + version: 25.18.0 + description: Kasten’s K10 Data Management Platform + digest: e12135d6c502047cc53da9a0b989e93f0c2486fc624597aabb5a9fdeedac96b6 + home: https://kasten.io/ + icon: https://docs.kasten.io/_static/logo-kasten-k10-blue-white.png + maintainers: + - email: contact@kasten.io + name: kastenIO + name: k10 + urls: + - assets/kasten/k10-7.0.301.tgz + version: 7.0.301 + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: K10 + catalog.cattle.io/kube-version: '>= 1.17.0-0' + catalog.cattle.io/release-name: k10 + apiVersion: v2 + appVersion: 7.0.2 + created: "2024-07-02T21:23:48.820049961Z" + dependencies: + - condition: grafana.enabled + name: grafana + repository: file://./charts/grafana + version: 7.3.2 + - condition: prometheus.server.enabled + name: prometheus + repository: file://./charts/prometheus + version: 25.18.0 + description: Kasten’s K10 Data Management Platform + digest: 816f3d01848a5912ed60461a96b9a7dd0a21e3ea2c94294d9c6f09cfda31aef5 + home: https://kasten.io/ + icon: https://docs.kasten.io/_static/logo-kasten-k10-blue-white.png + maintainers: + - email: contact@kasten.io + name: kastenIO + name: k10 + urls: + - assets/kasten/k10-7.0.201.tgz + version: 7.0.201 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: K10 
@@ -16682,6 +17062,35 @@ entries: - assets/kasten/k10-6.0.1.tgz version: 6.0.1 kamaji: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Kamaji + catalog.cattle.io/kube-version: '>=1.21.0-0' + catalog.cattle.io/release-name: kamaji + apiVersion: v2 + appVersion: v1.0.0 + created: "2024-07-02T21:23:47.162980408Z" + description: Kamaji is the Hosted Control Plane Manager for Kubernetes. + digest: 8027fffeff8624b40ba9e03895e8a7965f603873b21934de6c44e0f764538f9b + home: https://github.com/clastix/kamaji + icon: https://github.com/clastix/kamaji/raw/master/assets/logo-colored.png + kubeVersion: '>=1.21.0-0' + maintainers: + - email: dario@tranchitella.eu + name: Dario Tranchitella + url: https://clastix.io + - email: me@maxgio.it + name: Massimiliano Giovagnoli + - email: me@bsctl.io + name: Adriano Pezzuto + url: https://clastix.io + name: kamaji + sources: + - https://github.com/clastix/kamaji + type: application + urls: + - assets/clastix/kamaji-1.0.0.tgz + version: 1.0.0 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Kamaji 
@@ -18225,6 +18634,36 @@ entries: - assets/avesha/kubeslice-worker-1.1.1.tgz version: 1.1.1 kuma: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Kuma + catalog.cattle.io/namespace: kuma-system + catalog.cattle.io/release-name: kuma + apiVersion: v2 + appVersion: 2.8.0 + created: "2024-07-02T21:23:55.051626278Z" + description: A Helm chart for the Kuma Control Plane + digest: 8fa0d1c20acb4b8593952190ea1917de4e64b53ab6eac13152d51398c1ce6460 + home: https://github.com/kumahq/kuma + icon: https://kuma.io/assets/images/brand/kuma-logo-new.svg + keywords: + - service mesh + - control plane + maintainers: + - email: jakub.dyszkiewicz@konghq.com + name: Jakub Dyszkiewicz + url: https://github.com/jakubdyszkiewicz + - email: charly.molter@konghq.com + name: Charly Molter + url: https://github.com/lahabana + - email: michael.beaumont@konghq.com + name: Mike Beaumont + url: https://github.com/michaelbeaumont + name: kuma + type: application + urls: + - assets/kuma/kuma-2.8.0.tgz + version: 2.8.0 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Kuma 
@@ -18786,17 +19225,49 @@ entries: catalog.cattle.io/kube-version: '>=1.22.0-0' catalog.cattle.io/release-name: linkerd-control-plane apiVersion: v2 - appVersion: edge-24.6.2 - created: "2024-06-15T00:56:05.147072815Z" + appVersion: edge-24.6.4 + created: "2024-07-02T21:24:06.179282377Z" dependencies: - name: partials repository: file://./charts/partials version: 0.1.0 description: 'Linkerd gives you observability, reliability, and security for your microservices — with no code change required. ' - digest: dbcb658e1581a8143eea6036e25dddab949155dd6f55469939ab69e9e54876e6 + digest: 41cc3c4e19ff46cf4aa1bd31c4709df5e7d926b473deeed79e5eb77c9823b9be home: https://linkerd.io - icon: file://assets/icons/linkerd-control-plane.png + icon: https://linkerd.io/images/logo-only-200h.png + keywords: + - service-mesh + kubeVersion: '>=1.22.0-0' + maintainers: + - email: cncf-linkerd-dev@lists.cncf.io + name: Linkerd authors + url: https://linkerd.io/ + name: linkerd-control-plane + sources: + - https://github.com/linkerd/linkerd2/ + type: application + urls: + - assets/linkerd/linkerd-control-plane-2024.6.4.tgz + version: 2024.6.4 + - annotations: + catalog.cattle.io/auto-install: linkerd-crds + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Linkerd Control Plane + catalog.cattle.io/kube-version: '>=1.22.0-0' + catalog.cattle.io/release-name: linkerd-control-plane + apiVersion: v2 + appVersion: edge-24.6.2 + created: "2024-07-02T21:23:55.098365906Z" + dependencies: + - name: partials + repository: file://./charts/partials + version: 0.1.0 + description: 'Linkerd gives you observability, reliability, and security for your + microservices — with no code change required. ' + digest: 97f03087ef45aca0c342b7a183b8b8bf1343f63eb85f334b15f4c4ca7124cb3b + home: https://linkerd.io + icon: https://linkerd.io/images/logo-only-200h.png keywords: - service-mesh kubeVersion: '>=1.22.0-0' 
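Review bot: The `linkerd-control-plane` 2024.6.2 entry is re-published with a new `digest` (`dbcb658e…` → `97f03087…`) and `created` timestamp while keeping `version: 2024.6.2`, so anyone who already fetched or pinned that release will see a digest mismatch or a different package for the same version. Chart versions in a repository index should be immutable; the repackaged chart should either keep the original digest (i.e. not be rebuilt) or be given a new catalog version, as the index does elsewhere with suffixed versions such as k10 `7.0.201`. The hunk also switches `icon` from a repository-local `file://assets/icons/linkerd-control-plane.png` to `https://linkerd.io/images/logo-only-200h.png`, which means the catalog UI now depends on an external host at render time; that is presumably intentional but is the kind of change that deserves a line in the commit message so the digest churn is explained.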
@@ -19601,6 +20072,36 @@ entries: - assets/linkerd/linkerd-control-plane-1.12.5.tgz version: 1.12.5 linkerd-crds: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Linkerd CRDs + catalog.cattle.io/kube-version: '>=1.22.0-0' + catalog.cattle.io/release-name: linkerd-crds + apiVersion: v2 + created: "2024-07-02T21:24:06.230690351Z" + dependencies: + - name: partials + repository: file://./charts/partials + version: 0.1.0 + description: 'Linkerd gives you observability, reliability, and security for your + microservices — with no code change required. ' + digest: 6e0d37cec47970dbe1982da1401d832fc705dbcf69a05ffe7bbe232f1a6c81f4 + home: https://linkerd.io + icon: https://linkerd.io/images/logo-only-200h.png + keywords: + - service-mesh + kubeVersion: '>=1.22.0-0' + maintainers: + - email: cncf-linkerd-dev@lists.cncf.io + name: Linkerd authors + url: https://linkerd.io/ + name: linkerd-crds + sources: + - https://github.com/linkerd/linkerd2/ + type: application + urls: + - assets/linkerd/linkerd-crds-2024.6.4.tgz + version: 2024.6.4 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Linkerd CRDs 
@@ -20052,6 +20553,41 @@ entries: - assets/linkerd/linkerd-crds-2024.3.3.tgz version: 2024.3.3 loft: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Loft + catalog.cattle.io/kube-version: '>=1.22-0' + catalog.cattle.io/release-name: loft + apiVersion: v2 + created: "2024-07-02T21:24:06.273204334Z" + description: Secure Cluster Sharing, Self-Service Namespace Provisioning and Virtual + Clusters + digest: a2c5c21c3085f70b834ee0b6e4bf67f2cd6f77af1e99111ce0799f65c234e8e1 + home: https://loft.sh + icon: https://static.loft.sh/loft/logo/loft-logo.svg + keywords: + - developer + - development + - sharing + - share + - multi-tenancy + - tenancy + - cluster + - space + - namespace + - vcluster + - vclusters + maintainers: + - email: info@loft.sh + name: Loft Labs, Inc. + url: https://twitter.com/loft_sh + name: loft + sources: + - https://github.com/loft-sh/loft + type: application + urls: + - assets/loft/loft-3.4.8.tgz + version: 3.4.8 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Loft 
@@ -21435,6 +21971,32 @@ entries: - assets/nats/nats-0.19.15.tgz version: 0.19.15 nginx-ingress: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: NGINX Ingress Controller + catalog.cattle.io/kube-version: '>= 1.23.0-0' + catalog.cattle.io/release-name: nginx-ingress + apiVersion: v2 + appVersion: 3.6.0 + created: "2024-07-02T21:23:47.480233932Z" + description: NGINX Ingress Controller + digest: 74ae20e77b3616a35f4870339057b94d0377cd6f3c27552494e26df5adb4d39a + home: https://github.com/nginxinc/kubernetes-ingress + icon: https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.6.0/charts/nginx-ingress/chart-icon.png + keywords: + - ingress + - nginx + kubeVersion: '>= 1.23.0-0' + maintainers: + - email: kubernetes@nginx.com + name: nginxinc + name: nginx-ingress + sources: + - https://github.com/nginxinc/kubernetes-ingress/tree/v3.6.0/charts/nginx-ingress + type: application + urls: + - assets/f5/nginx-ingress-1.3.0.tgz + version: 1.3.0 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: NGINX Ingress Controller 
@@ -21618,6 +22180,95 @@ entries: - assets/f5/nginx-ingress-1.0.2.tgz version: 1.0.2 nri-bundle: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: New Relic + catalog.cattle.io/release-name: nri-bundle + apiVersion: v2 + created: "2024-07-02T21:24:06.82616295Z" + dependencies: + - condition: infrastructure.enabled,newrelic-infrastructure.enabled + name: newrelic-infrastructure + repository: file://./charts/newrelic-infrastructure + version: 3.34.0 + - condition: prometheus.enabled,nri-prometheus.enabled + name: nri-prometheus + repository: file://./charts/nri-prometheus + version: 2.1.17 + - condition: newrelic-prometheus-agent.enabled + name: newrelic-prometheus-agent + repository: file://./charts/newrelic-prometheus-agent + version: 1.14.0 + - condition: webhook.enabled,nri-metadata-injection.enabled + name: nri-metadata-injection + repository: file://./charts/nri-metadata-injection + version: 4.20.0 + - condition: metrics-adapter.enabled,newrelic-k8s-metrics-adapter.enabled + name: newrelic-k8s-metrics-adapter + repository: file://./charts/newrelic-k8s-metrics-adapter + version: 1.11.0 + - condition: ksm.enabled,kube-state-metrics.enabled + name: kube-state-metrics + repository: file://./charts/kube-state-metrics + version: 5.12.1 + - condition: kubeEvents.enabled,nri-kube-events.enabled + name: nri-kube-events + repository: file://./charts/nri-kube-events + version: 3.10.0 + - condition: logging.enabled,newrelic-logging.enabled + name: newrelic-logging + repository: file://./charts/newrelic-logging + version: 1.22.1 + - condition: newrelic-pixie.enabled + name: newrelic-pixie + repository: file://./charts/newrelic-pixie + version: 2.1.4 + - condition: k8s-agents-operator.enabled + name: k8s-agents-operator + repository: file://./charts/k8s-agents-operator + version: 0.9.0 + - alias: pixie-chart + condition: pixie-chart.enabled + name: pixie-operator-chart + repository: file://./charts/pixie-operator-chart + version: 0.1.6 
+ - condition: newrelic-infra-operator.enabled + name: newrelic-infra-operator + repository: file://./charts/newrelic-infra-operator + version: 2.11.0 + description: Groups together the individual charts for the New Relic Kubernetes + solution for a more comfortable deployment. + digest: d5d2cc8503f2fded4b97bfb0071d42ec1d2dd8fe9a66ae7fb87314b10ba20dda + home: https://github.com/newrelic/helm-charts + icon: https://newrelic.com/themes/custom/erno/assets/mediakit/new_relic_logo_vertical.svg + keywords: + - infrastructure + - newrelic + - monitoring + maintainers: + - name: juanjjaramillo + url: https://github.com/juanjjaramillo + - name: csongnr + url: https://github.com/csongnr + - name: dbudziwojskiNR + url: https://github.com/dbudziwojskiNR + name: nri-bundle + sources: + - https://github.com/newrelic/nri-bundle/ + - https://github.com/newrelic/nri-bundle/tree/master/charts/nri-bundle + - https://github.com/newrelic/nri-kubernetes/tree/master/charts/newrelic-infrastructure + - https://github.com/newrelic/nri-prometheus/tree/master/charts/nri-prometheus + - https://github.com/newrelic/newrelic-prometheus-configurator/tree/master/charts/newrelic-prometheus-agent + - https://github.com/newrelic/k8s-metadata-injection/tree/master/charts/nri-metadata-injection + - https://github.com/newrelic/newrelic-k8s-metrics-adapter/tree/master/charts/newrelic-k8s-metrics-adapter + - https://github.com/newrelic/nri-kube-events/tree/master/charts/nri-kube-events + - https://github.com/newrelic/helm-charts/tree/master/charts/newrelic-logging + - https://github.com/newrelic/helm-charts/tree/master/charts/newrelic-pixie + - https://github.com/newrelic/newrelic-infra-operator/tree/master/charts/newrelic-infra-operator + - https://github.com/newrelic/k8s-agents-operator/tree/master/charts/k8s-agents-operator + urls: + - assets/new-relic/nri-bundle-5.0.84.tgz + version: 5.0.84 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: New Relic 
@@ -25195,6 +25846,28 @@ entries: - assets/portshift-operator/portshift-operator-0.1.000.tgz version: 0.1.000 psmdb-db: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Percona Server for MongoDB + catalog.cattle.io/kube-version: '>=1.21-0' + catalog.cattle.io/release-name: psmdb-db + apiVersion: v2 + appVersion: 1.16.1 + created: "2024-07-02T21:24:06.936925538Z" + description: A Helm chart for installing Percona Server MongoDB Cluster Databases + using the PSMDB Operator. + digest: 05470e4ea5e322ffeaa0ba31ecbe8228464762d8d7844ceb7118b4d546406c6a + home: https://www.percona.com/doc/kubernetes-operator-for-psmongodb/index.html + icon: https://raw.githubusercontent.com/percona/percona-server-mongodb-operator/main/operator.png + maintainers: + - email: tomislav.plavcic@percona.com + name: tplavcic + - email: natalia.marukovich@percona.com + name: nmarukovich + name: psmdb-db + urls: + - assets/percona/psmdb-db-1.16.2.tgz + version: 1.16.2 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Percona Server for MongoDB 
@@ -25328,6 +26001,29 @@ entries: - assets/percona/psmdb-db-1.14.4.tgz version: 1.14.4 psmdb-operator: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Percona Operator for MongoDB + catalog.cattle.io/kube-version: '>=1.21-0' + catalog.cattle.io/release-name: psmdb-operator + apiVersion: v2 + appVersion: 1.16.1 + created: "2024-07-02T21:24:06.953295045Z" + description: A Helm chart for deploying the Percona Operator for MongoDB + digest: 5d9ce440a7ac920f0665988c7b907d0197e3210f5cae4b87fb528a721810968d + home: https://docs.percona.com/percona-operator-for-mongodb/ + icon: https://raw.githubusercontent.com/percona/percona-server-mongodb-operator/main/operator.png + maintainers: + - email: tomislav.plavcic@percona.com + name: tplavcic + - email: natalia.marukovich@percona.com + name: nmarukovich + - email: sergey.pronin@percona.com + name: spron-in + name: psmdb-operator + urls: + - assets/percona/psmdb-operator-1.16.2.tgz + version: 1.16.2 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Percona Operator for MongoDB 
@@ -25755,6 +26451,31 @@ entries: - assets/percona/pxc-db-1.12.3.tgz version: 1.12.3 pxc-operator: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Percona Operator For MySQL based on Percona + XtraDB Cluster + catalog.cattle.io/kube-version: '>=1.21-0' + catalog.cattle.io/release-name: pxc-operator + apiVersion: v2 + appVersion: 1.14.0 + created: "2024-07-02T21:24:06.976219777Z" + description: A Helm chart for deploying the Percona Operator for MySQL (based + on Percona XtraDB Cluster) + digest: 706504d6abb7e2baaa247edcbbd4461556cec3d2e25d86e4be8b1420fe200913 + home: https://docs.percona.com/percona-operator-for-mysql/pxc/ + icon: https://raw.githubusercontent.com/percona/percona-xtradb-cluster-operator/main/operator.png + maintainers: + - email: tomislav.plavcic@percona.com + name: tplavcic + - email: natalia.marukovich@percona.com + name: nmarukovich + - email: sergey.pronin@percona.com + name: spron-in + name: pxc-operator + urls: + - assets/percona/pxc-operator-1.14.2.tgz + version: 1.14.2 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Percona Operator For MySQL based on Percona 
@@ -26001,6 +26722,50 @@ entries: - assets/quobyte/quobyte-cluster-0.1.8.tgz version: 0.1.8 redpanda: + - annotations: + artifacthub.io/images: | + - name: redpanda + image: docker.redpanda.com/redpandadata/redpanda:v24.1.1 + - name: busybox + image: busybox:latest + - name: mintel/docker-alpine-bash-curl-jq + image: mintel/docker-alpine-bash-curl-jq:latest + artifacthub.io/license: Apache-2.0 + artifacthub.io/links: | + - name: Documentation + url: https://docs.redpanda.com + - name: "Helm (>= 3.10.0)" + url: https://helm.sh/docs/intro/install/ + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Redpanda + catalog.cattle.io/kube-version: '>=1.21-0' + catalog.cattle.io/release-name: redpanda + apiVersion: v2 + appVersion: v24.1.8 + created: "2024-07-02T21:24:07.26827615Z" + dependencies: + - condition: console.enabled + name: console + repository: file://./charts/console + version: '>=0.5 <1.0' + - condition: connectors.enabled + name: connectors + repository: file://./charts/connectors + version: '>=0.1.2 <1.0' + description: Redpanda is the real-time engine for modern apps. + digest: 786b7e998b90ca13796896a72a27fa37a823b59cc3b340958dc44a4b8e37e6e2 + icon: https://images.ctfassets.net/paqvtpyf8rwu/3cYHw5UzhXCbKuR24GDFGO/73fb682e6157d11c10d5b2b5da1d5af0/skate-stand-panda.svg + kubeVersion: '>=1.21-0' + maintainers: + - name: redpanda-data + url: https://github.com/orgs/redpanda-data/people + name: redpanda + sources: + - https://github.com/redpanda-data/helm-charts + type: application + urls: + - assets/redpanda/redpanda-5.8.11.tgz + version: 5.8.11 - annotations: artifacthub.io/images: | - name: redpanda 
@@ -29223,6 +29988,37 @@ entries: - assets/shipa/shipa-1.4.0.tgz version: 1.4.0 speedscale-operator: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Speedscale Operator + catalog.cattle.io/kube-version: '>= 1.17.0-0' + catalog.cattle.io/release-name: speedscale-operator + apiVersion: v1 + appVersion: 2.2.74 + created: "2024-07-02T21:24:07.381306512Z" + description: Stress test your APIs with real world scenarios. Collect and replay + traffic without scripting. + digest: f482bfef030aa8d025e74c1d7001f3df9b10f205142df98f3e1ac793d4bdf03c + home: https://speedscale.com + icon: https://raw.githubusercontent.com/speedscale/assets/main/logo/gold_logo_only.png + keywords: + - speedscale + - test + - testing + - regression + - reliability + - load + - replay + - network + - traffic + kubeVersion: '>= 1.17.0-0' + maintainers: + - email: support@speedscale.com + name: Speedscale Support + name: speedscale-operator + urls: + - assets/speedscale/speedscale-operator-2.2.74.tgz + version: 2.2.74 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Speedscale Operator 
@@ -31177,6 +31973,34 @@ entries: - assets/speedscale/speedscale-operator-1.3.10.tgz version: 1.3.10 stackstate-k8s-agent: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: StackState Agent + catalog.cattle.io/kube-version: '>=1.19.0-0' + catalog.cattle.io/release-name: stackstate-k8s-agent + apiVersion: v2 + appVersion: 3.0.0 + created: "2024-07-02T21:24:07.421269659Z" + dependencies: + - alias: httpHeaderInjectorWebhook + name: http-header-injector + repository: file://./charts/http-header-injector + version: 0.0.11 + description: Helm chart for the StackState Agent. + digest: cc74a12ca7cb3c4f9d4c306a5477d55257de9fd6c0ee77c24c2312e2af691975 + home: https://github.com/StackVista/stackstate-agent + icon: https://raw.githubusercontent.com/StackVista/helm-charts/master/stable/stackstate-k8s-agent/logo.svg + keywords: + - monitoring + - observability + - stackstate + maintainers: + - email: ops@stackstate.com + name: Stackstate + name: stackstate-k8s-agent + urls: + - assets/stackstate/stackstate-k8s-agent-1.0.88.tgz + version: 1.0.88 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: StackState Agent 
@@ -33335,6 +34159,32 @@ entries: - assets/hashicorp/vault-0.25.0.tgz version: 0.25.0 yugabyte: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: YugabyteDB + catalog.cattle.io/kube-version: '>=1.18-0' + catalog.cattle.io/release-name: yugabyte + charts.openshift.io/name: yugabyte + apiVersion: v2 + appVersion: 2.18.8.0-b42 + created: "2024-07-02T21:24:07.763422445Z" + description: YugabyteDB is the high-performance distributed SQL database for building + global, internet-scale apps. + digest: b7fa9299093ae687a0b5b3dd252543388830bf78e69c91fa0a6be9580f636db6 + home: https://www.yugabyte.com + icon: https://avatars0.githubusercontent.com/u/17074854?s=200&v=4 + kubeVersion: '>=1.18-0' + maintainers: + - email: sanketh@yugabyte.com + name: Sanketh Indarapu + - email: gjalla@yugabyte.com + name: Govardhan Reddy Jalla + name: yugabyte + sources: + - https://github.com/yugabyte/yugabyte-db + urls: + - assets/yugabyte/yugabyte-2.18.8.tgz + version: 2.18.8 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: YugabyteDB 
@@ -33790,6 +34640,32 @@ entries: - assets/yugabyte/yugabyte-2.14.11.tgz version: 2.14.11 yugaware: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: YugabyteDB Anywhere + catalog.cattle.io/kube-version: '>=1.18-0' + catalog.cattle.io/release-name: yugaware + charts.openshift.io/name: yugaware + apiVersion: v2 + appVersion: 2.18.8.0-b42 + created: "2024-07-02T21:24:07.787544287Z" + description: YugabyteDB Anywhere provides deployment, orchestration, and monitoring + for managing YugabyteDB clusters. YugabyteDB Anywhere can create a YugabyteDB + cluster with multiple pods provided by Kubernetes or OpenShift and logically + grouped together to form one logical distributed database. + digest: d0cee98f97cbdb6ceda6be11f937e63a11c823907e3c81dff863b3ae130f559b + home: https://www.yugabyte.com + icon: https://avatars0.githubusercontent.com/u/17074854?s=200&v=4 + kubeVersion: '>=1.18-0' + maintainers: + - email: sanketh@yugabyte.com + name: Sanketh Indarapu + - email: gjalla@yugabyte.com + name: Govardhan Reddy Jalla + name: yugaware + urls: + - assets/yugabyte/yugaware-2.18.8.tgz + version: 2.18.8 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: YugabyteDB Anywhere