Charts CI

```
Updated:
  bitnami/cassandra:
    - 10.6.5
  bitnami/redis:
    - 18.4.0
  bitnami/spark:
    - 8.1.5
  datadog/datadog:
    - 3.49.0
  haproxy/haproxy:
    - 1.35.0
  hashicorp/vault:
    - 0.27.0
  jenkins/jenkins:
    - 4.8.3
  kong/kong:
    - 2.32.0
  kubecost/cost-analyzer:
    - 1.107.1
  kuma/kuma:
    - 2.5.0
  linkerd/linkerd-control-plane:
    - 1.16.5
  minio/minio-operator:
    - 5.0.11
  redpanda/redpanda:
    - 5.6.48
  speedscale/speedscale-operator:
    - 1.4.5
  sysdig/sysdig:
    - 1.16.21
```
pull/950/head
github-actions[bot] 2023-11-17 13:50:55 +00:00
parent 391ea56d71
commit a89ec7bc4e
146 changed files with 2470 additions and 2642 deletions

assets/kong/kong-2.32.0.tgz Normal file

assets/kuma/kuma-2.5.0.tgz Normal file


@ -6,11 +6,11 @@ annotations:
category: Database
images: |
- name: cassandra-exporter
image: docker.io/bitnami/cassandra-exporter:2.3.8-debian-11-r429
image: docker.io/bitnami/cassandra-exporter:2.3.8-debian-11-r430
- name: cassandra
image: docker.io/bitnami/cassandra:4.1.3-debian-11-r73
image: docker.io/bitnami/cassandra:4.1.3-debian-11-r75
- name: os-shell
image: docker.io/bitnami/os-shell:11-debian-11-r90
image: docker.io/bitnami/os-shell:11-debian-11-r91
licenses: Apache-2.0
apiVersion: v2
appVersion: 4.1.3
@ -35,4 +35,4 @@ maintainers:
name: cassandra
sources:
- https://github.com/bitnami/charts/tree/main/bitnami/cassandra
version: 10.6.2
version: 10.6.5


@ -76,7 +76,7 @@ diagnosticMode:
image:
registry: docker.io
repository: bitnami/cassandra
tag: 4.1.3-debian-11-r73
tag: 4.1.3-debian-11-r75
digest: ""
## Specify a imagePullPolicy
## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
@ -628,7 +628,7 @@ volumePermissions:
image:
registry: docker.io
repository: bitnami/os-shell
tag: 11-debian-11-r90
tag: 11-debian-11-r91
digest: ""
pullPolicy: IfNotPresent
## Optionally specify an array of imagePullSecrets.
@ -696,7 +696,7 @@ metrics:
image:
registry: docker.io
repository: bitnami/cassandra-exporter
tag: 2.3.8-debian-11-r429
tag: 2.3.8-debian-11-r430
digest: ""
pullPolicy: IfNotPresent
## Optionally specify an array of imagePullSecrets.


@ -37,4 +37,4 @@ maintainers:
name: redis
sources:
- https://github.com/bitnami/charts/tree/main/bitnami/redis
version: 18.3.3
version: 18.4.0


@ -172,7 +172,7 @@ The command removes all the Kubernetes components associated with the chart and
| `master.containerSecurityContext.allowPrivilegeEscalation` | Is it possible to escalate Redis® pod(s) privileges | `false` |
| `master.containerSecurityContext.seccompProfile.type` | Set Redis® master containers' Security Context seccompProfile | `RuntimeDefault` |
| `master.containerSecurityContext.capabilities.drop` | Set Redis® master containers' Security Context capabilities to drop | `["ALL"]` |
| `master.kind` | Use either Deployment or StatefulSet (default) | `StatefulSet` |
| `master.kind` | Use either Deployment, StatefulSet (default) or DaemonSet | `StatefulSet` |
| `master.schedulerName` | Alternate scheduler for Redis® master pods | `""` |
| `master.updateStrategy.type` | Redis® master statefulset strategy type | `RollingUpdate` |
| `master.minReadySeconds` | How many seconds a pod needs to be ready before killing the next, during update | `0` |


@ -16,7 +16,9 @@ metadata:
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
{{- if not (eq .Values.master.kind "DaemonSet") }}
replicas: {{ .Values.master.count }}
{{- end }}
{{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.master.podLabels .Values.commonLabels ) "context" . ) }}
selector:
matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }}
@ -472,7 +474,7 @@ spec:
{{- if .Values.metrics.extraVolumes }}
{{- include "common.tplvalues.render" ( dict "value" .Values.metrics.extraVolumes "context" $ ) | nindent 8 }}
{{- end }}
{{- if not .Values.master.persistence.enabled }}
{{- if or (not .Values.master.persistence.enabled) (eq .Values.master.kind "DaemonSet") }}
- name: redis-data
{{- if or .Values.master.persistence.medium .Values.master.persistence.sizeLimit }}
emptyDir:
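Review bot: With `master.kind: DaemonSet` the new volume condition on the second hunk (`or (not .Values.master.persistence.enabled) (eq .Values.master.kind "DaemonSet")`) routes the `redis-data` volume to `emptyDir` even when `master.persistence.enabled` is true, so a user who turned persistence on loses it silently on every pod restart. Nothing in this commit (the values comment, the schema enum or NOTES) tells the user that persistence is not honoured for the DaemonSet kind. I would either add a rendering-time guard, `{{- if and (eq .Values.master.kind "DaemonSet") .Values.master.persistence.enabled }}{{- fail "master.persistence is not supported when master.kind is DaemonSet" }}{{- end }}`, or at least document it next to `master.kind` with `## Note: persistence is ignored when kind is DaemonSet; data lives in an emptyDir`. The enclosing template starts and ends outside both hunks, so the `spec:` context after the dropped `replicas` line is not visible here.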


@ -135,7 +135,7 @@ spec:
- name: REDIS_MASTER_HOST
{{- if .Values.replica.externalMaster.enabled }}
value: {{ .Values.replica.externalMaster.host | quote }}
{{- else if and (eq (int64 .Values.master.count) 1) (ne .Values.master.kind "Deployment") }}
{{- else if and (eq (int64 .Values.master.count) 1) (eq .Values.master.kind "StatefulSet") }}
value: {{ template "common.names.fullname" . }}-master-0.{{ template "common.names.fullname" . }}-headless.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}
{{- else }}
value: {{ template "common.names.fullname" . }}-master.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}


@ -40,8 +40,8 @@
"type": "string",
"title": "Workload Kind",
"form": true,
"description": "Allowed values: `Deployment` or `StatefulSet`",
"enum": ["Deployment", "StatefulSet"]
"description": "Allowed values: `Deployment`, `StatefulSet` or `DaemonSet`",
"enum": ["Deployment", "StatefulSet", "DaemonSet"]
},
"persistence": {
"type": "object",


@ -299,7 +299,7 @@ master:
capabilities:
drop:
- ALL
## @param master.kind Use either Deployment or StatefulSet (default)
## @param master.kind Use either Deployment, StatefulSet (default) or DaemonSet
## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/
##
kind: StatefulSet
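Review bot: The `@param` line now advertises `DaemonSet`, but the `## ref:` link on the next line still points only at the StatefulSet controller docs, so the new option has no reference. I would add a second line, `## ref: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/`, and, since the template in this commit drops persistence for that kind, a one-line caveat such as `## Note: master.persistence is not honoured when kind is DaemonSet`.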


@ -6,7 +6,7 @@ annotations:
category: Infrastructure
images: |
- name: spark
image: docker.io/bitnami/spark:3.5.0-debian-11-r12
image: docker.io/bitnami/spark:3.5.0-debian-11-r15
licenses: Apache-2.0
apiVersion: v2
appVersion: 3.5.0
@ -30,4 +30,4 @@ maintainers:
name: spark
sources:
- https://github.com/bitnami/charts/tree/main/bitnami/spark
version: 8.1.1
version: 8.1.5


@ -11,10 +11,10 @@ Trademarks: This software listing is packaged by Bitnami. The respective tradema
## TL;DR
```console
helm install my-release oci://REGISTRY_NAME/REPOSITORY_NAME/spark
helm install my-release oci://registry-1.docker.io/bitnamicharts/spark
```
> Note: You need to substitute the placeholders `REGISTRY_NAME` and `REPOSITORY_NAME` with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to use `REGISTRY_NAME=registry-1.docker.io` and `REPOSITORY_NAME=bitnamicharts`.
Looking to use Apache Spark in production? Try [VMware Tanzu Application Catalog](https://bitnami.com/enterprise), the enterprise edition of Bitnami Application Catalog.
## Introduction
@ -24,8 +24,6 @@ Apache Spark includes APIs for Java, Python, Scala and R.
Bitnami charts can be used with [Kubeapps](https://kubeapps.dev/) for deployment and management of Helm Charts in clusters.
Looking to use Apache Spark in production? Try [VMware Tanzu Application Catalog](https://bitnami.com/enterprise), the enterprise edition of Bitnami Application Catalog.
## Prerequisites
- Kubernetes 1.23+
@ -354,7 +352,7 @@ helm install my-release -f values.yaml oci://REGISTRY_NAME/REPOSITORY_NAME/spark
```
> Note: You need to substitute the placeholders `REGISTRY_NAME` and `REPOSITORY_NAME` with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to use `REGISTRY_NAME=registry-1.docker.io` and `REPOSITORY_NAME=bitnamicharts`.
> **Tip**: You can use the default [values.yaml](values.yaml)
> **Tip**: You can use the default [values.yaml](https://github.com/bitnami/charts/tree/main/bitnami/spark/values.yaml)
## Configuration and installation details


@ -95,7 +95,7 @@ diagnosticMode:
image:
registry: docker.io
repository: bitnami/spark
tag: 3.5.0-debian-11-r12
tag: 3.5.0-debian-11-r15
digest: ""
## Specify a imagePullPolicy
## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'


@ -1,5 +1,29 @@
# Datadog changelog
## 3.49.0
* Beta: Add `datadog.apm.instrumentation` section to configure APM Single Step Instrumentation
## 3.48.0
* Set default `Agent` and `Cluster-Agent` version to `7.49.1`.
## 3.47.2
* Fix CI following enabling container image collection by default.
## 3.47.1
* Fix `registry` being ignored even if set.
## 3.47.0
* `registry` is now set automatically adapted based on `datadog.site` value. Still default to `gcr.io/datadoghq` if not set.
## 3.46.0
* Enable container image collection by default.
## 3.45.0
* Separate values for `DD_CONTAINER_INCLUDE` and `DD_CONTAINER_EXCLUDE` in `Agent` and `Cluster-Agent`


@ -19,4 +19,4 @@ name: datadog
sources:
- https://app.datadoghq.com/account/settings#agent/kubernetes
- https://github.com/DataDog/datadog-agent
version: 3.45.0
version: 3.49.0


@ -1,6 +1,6 @@
# Datadog
![Version: 3.45.0](https://img.shields.io/badge/Version-3.45.0-informational?style=flat-square) ![AppVersion: 7](https://img.shields.io/badge/AppVersion-7-informational?style=flat-square)
![Version: 3.49.0](https://img.shields.io/badge/Version-3.49.0-informational?style=flat-square) ![AppVersion: 7](https://img.shields.io/badge/AppVersion-7-informational?style=flat-square)
[Datadog](https://www.datadoghq.com/) is a hosted infrastructure monitoring platform. This chart adds the Datadog Agent to all nodes in your cluster via a DaemonSet. It also optionally depends on the [kube-state-metrics chart](https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-state-metrics). For more information about monitoring Kubernetes with Datadog, please refer to the [Datadog documentation website](https://docs.datadoghq.com/agent/basic_agent_usage/kubernetes/).
@ -228,6 +228,64 @@ datadog:
socketEnabled: false
```
### Enabling APM Single Step Instrumentation (beta)
APM tracing libraries and configurations can be automatically injected in your application pods in the whole cluster or specific namespaces using Single Step Instrumentation.
Update your `datadog-values.yaml` file with the following configration to enable Single Step Instrumentation in the whole cluster:
```yaml
datadog:
# (...)
apm:
instrumentation:
enabled: true
```
Single Step Instrumentation can be disabled in specific namespaces using configuration option `disabledNamespaces`:
```yaml
datadog:
# (...)
apm:
instrumentation:
enabled: true
disabledNamespaces:
- namespaceA
- namespaceB
```
Single Step Instrumentation can be enabled in specific namespaces using configuration option `enabledNamespaces`:
```yaml
datadog:
# (...)
apm:
instrumentation:
enabled: false
enabledNamespaces:
- namespaceC
```
To confiure the version of Tracing library that Single Step Instrumentation will instrument applications with, set the configuration `libVersions`:
```yaml
datadog:
# (...)
apm:
instrumentation:
enabled: false
libVersions:
java: v1.18.0
python: v1.20.0
```
then upgrade your Datadog Helm chart:
```bash
helm upgrade -f datadog-values.yaml <RELEASE_NAME> datadog/datadog
```
### Enabling Log Collection
Update your `datadog-values.yaml` file with the following log collection configuration:
@ -450,7 +508,7 @@ helm install <RELEASE_NAME> \
| agents.image.pullPolicy | string | `"IfNotPresent"` | Datadog Agent image pull policy |
| agents.image.pullSecrets | list | `[]` | Datadog Agent repository pullSecret (ex: specify docker registry credentials) |
| agents.image.repository | string | `nil` | Override default registry + image.name for Agent |
| agents.image.tag | string | `"7.49.0"` | Define the Agent version to use |
| agents.image.tag | string | `"7.49.1"` | Define the Agent version to use |
| agents.image.tagSuffix | string | `""` | Suffix to append to Agent tag |
| agents.localService.forceLocalServiceEnabled | bool | `false` | Force the creation of the internal traffic policy service to target the agent running on the local node. By default, the internal traffic service is created only on Kubernetes 1.22+ where the feature became beta and enabled by default. This option allows to force the creation of the internal traffic service on kubernetes 1.21 where the feature was alpha and required a feature gate to be explicitly enabled. |
| agents.localService.overrideName | string | `""` | Name of the internal traffic service to target the agent running on the local node |
@ -516,7 +574,7 @@ helm install <RELEASE_NAME> \
| clusterAgent.image.pullPolicy | string | `"IfNotPresent"` | Cluster Agent image pullPolicy |
| clusterAgent.image.pullSecrets | list | `[]` | Cluster Agent repository pullSecret (ex: specify docker registry credentials) |
| clusterAgent.image.repository | string | `nil` | Override default registry + image.name for Cluster Agent |
| clusterAgent.image.tag | string | `"7.49.0"` | Cluster Agent image tag to use |
| clusterAgent.image.tag | string | `"7.49.1"` | Cluster Agent image tag to use |
| clusterAgent.livenessProbe | object | Every 15s / 6 KO / 1 OK | Override default Cluster Agent liveness probe settings |
| clusterAgent.metricsProvider.aggregator | string | `"avg"` | Define the aggregator the cluster agent will use to process the metrics. The options are (avg, min, max, sum) |
| clusterAgent.metricsProvider.createReaderRbac | bool | `true` | Create `external-metrics-reader` RBAC automatically (to allow HPA to read data from Cluster Agent) |
@ -567,7 +625,7 @@ helm install <RELEASE_NAME> \
| clusterChecksRunner.image.pullPolicy | string | `"IfNotPresent"` | Datadog Agent image pull policy |
| clusterChecksRunner.image.pullSecrets | list | `[]` | Datadog Agent repository pullSecret (ex: specify docker registry credentials) |
| clusterChecksRunner.image.repository | string | `nil` | Override default registry + image.name for Cluster Check Runners |
| clusterChecksRunner.image.tag | string | `"7.49.0"` | Define the Agent version to use |
| clusterChecksRunner.image.tag | string | `"7.49.1"` | Define the Agent version to use |
| clusterChecksRunner.image.tagSuffix | string | `""` | Suffix to append to Agent tag |
| clusterChecksRunner.livenessProbe | object | Every 15s / 6 KO / 1 OK | Override default agent liveness probe settings |
| clusterChecksRunner.networkPolicy.create | bool | `false` | If true, create a NetworkPolicy for the cluster checks runners. DEPRECATED. Use datadog.networkPolicy.create instead |
@ -596,6 +654,10 @@ helm install <RELEASE_NAME> \
| datadog.apiKeyExistingSecret | string | `nil` | Use existing Secret which stores API key instead of creating a new one. The value should be set with the `api-key` key inside the secret. |
| datadog.apm.enabled | bool | `false` | Enable this to enable APM and tracing, on port 8126 DEPRECATED. Use datadog.apm.portEnabled instead |
| datadog.apm.hostSocketPath | string | `"/var/run/datadog/"` | Host path to the trace-agent socket |
| datadog.apm.instrumentation.disabledNamespaces | list | `[]` | Disable injecting the Datadog APM libraries into pods in specific namespaces (beta). |
| datadog.apm.instrumentation.enabled | bool | `false` | Enable injecting the Datadog APM libraries into all pods in the cluster (beta). |
| datadog.apm.instrumentation.enabledNamespaces | list | `[]` | Enable injecting the Datadog APM libraries into pods in specific namespaces (beta). |
| datadog.apm.instrumentation.libVersions | object | `{}` | Inject specific version of tracing libraries with Single Step Instrumentation (beta). |
| datadog.apm.port | int | `8126` | Override the trace Agent port |
| datadog.apm.portEnabled | bool | `false` | Enable APM over TCP communication (hostPort 8126 by default) |
| datadog.apm.socketEnabled | bool | `true` | Enable APM over Socket (Unix Socket or windows named pipe) |
@ -614,7 +676,7 @@ helm install <RELEASE_NAME> \
| datadog.containerExclude | string | `nil` | Exclude containers from Agent Autodiscovery, as a space-separated list |
| datadog.containerExcludeLogs | string | `nil` | Exclude logs from Agent Autodiscovery, as a space-separated list |
| datadog.containerExcludeMetrics | string | `nil` | Exclude metrics from Agent Autodiscovery, as a space-separated list |
| datadog.containerImageCollection.enabled | bool | `false` | Enable collection of container image metadata |
| datadog.containerImageCollection.enabled | bool | `true` | Enable collection of container image metadata |
| datadog.containerInclude | string | `nil` | Include containers in Agent Autodiscovery, as a space-separated list. If a container matches an include rule, its always included in Autodiscovery |
| datadog.containerIncludeLogs | string | `nil` | Include logs in Agent Autodiscovery, as a space-separated list |
| datadog.containerIncludeMetrics | string | `nil` | Include metrics in Agent Autodiscovery, as a space-separated list |
@ -772,7 +834,7 @@ helm install <RELEASE_NAME> \
| providers.eks.ec2.useHostnameFromFile | bool | `false` | Use hostname from EC2 filesystem instead of fetching from metadata endpoint. |
| providers.gke.autopilot | bool | `false` | Enables Datadog Agent deployment on GKE Autopilot |
| providers.gke.cos | bool | `false` | Enables Datadog Agent deployment on GKE with Container-Optimized OS (COS) |
| registry | string | `"gcr.io/datadoghq"` | Registry to use for all Agent images (default gcr.io) |
| registry | string | `nil` | Registry to use for all Agent images (default to [gcr.io | eu.gcr.io | asia.gcr.io | public.ecr.aws/datadog] depending on datadog.site value) |
| remoteConfiguration.enabled | bool | `true` | Set to true to enable remote configuration on the Cluster Agent (if set) and the node agent. Can be overridden if `datadog.remoteConfiguration.enabled` or `clusterAgent.admissionController.remoteInstrumentation.enabled` is set to `false`. Preferred way to enable Remote Configuration. |
| targetSystem | string | `"linux"` | Target OS for this deployment (possible values: linux, windows) |


@ -224,6 +224,64 @@ datadog:
socketEnabled: false
```
### Enabling APM Single Step Instrumentation (beta)
APM tracing libraries and configurations can be automatically injected in your application pods in the whole cluster or specific namespaces using Single Step Instrumentation.
Update your `datadog-values.yaml` file with the following configration to enable Single Step Instrumentation in the whole cluster:
```yaml
datadog:
# (...)
apm:
instrumentation:
enabled: true
```
Single Step Instrumentation can be disabled in specific namespaces using configuration option `disabledNamespaces`:
```yaml
datadog:
# (...)
apm:
instrumentation:
enabled: true
disabledNamespaces:
- namespaceA
- namespaceB
```
Single Step Instrumentation can be enabled in specific namespaces using configuration option `enabledNamespaces`:
```yaml
datadog:
# (...)
apm:
instrumentation:
enabled: false
enabledNamespaces:
- namespaceC
```
To confiure the version of Tracing library that Single Step Instrumentation will instrument applications with, set the configuration `libVersions`:
```yaml
datadog:
# (...)
apm:
instrumentation:
enabled: false
libVersions:
java: v1.18.0
python: v1.20.0
```
then upgrade your Datadog Helm chart:
```bash
helm upgrade -f datadog-values.yaml <RELEASE_NAME> datadog/datadog
```
### Enabling Log Collection
Update your `datadog-values.yaml` file with the following log collection configuration:


@ -0,0 +1,10 @@
datadog:
apiKey: "00000000000000000000000000000000"
appKey: "0000000000000000000000000000000000000000"
apm:
instrumentation:
enabled: true
clusterAgent:
enabled: true
admissionController:
enabled: true


@ -13,7 +13,7 @@ datadog:
enabled: true
containerRuntimeSupport:
enabled: false
enabled: true
providers:
gke:


@ -125,6 +125,68 @@ Trace Agent liveness probe port ({{ $liveness.port }}) is different from the con
The Datadog Agent is listening on port {{ $apmPort }} for APM service.
{{- end }}
{{- if and .Values.datadog.apm.instrumentation.enabled_namespaces .Values.datadog.apm.instrumentation.disabled_namespaces }}
###################################################################################
#### ERROR: APM Single Step Instrumentation misconfiguration ####
###################################################################################
{{- fail "The options `datadog.apm.instrumentation.enabled_namespaces` and `datadog.apm.instrumentation.disabled_namespaces` cannot be set together." }}
{{- end }}
{{- if and .Values.datadog.apm.instrumentation.enabled (eq (include "cluster-agent-enabled" .) "false")}}
#################################################################
#### WARNING: Configuration notice ####
#################################################################
{{- fail "You are using datadog.apm.instrumentation.enabled but you disabled the cluster agent. This configuration is unsupported and Kubernetes resource monitoring has been turned off. To enable it please set clusterAgent.enabled to 'true'." }}
{{- end }}
{{- if and .Values.datadog.apm.instrumentation.enabled (not .Values.clusterAgent.admissionController.enabled)}}
#################################################################
#### WARNING: Configuration notice ####
#################################################################
{{- fail "You are using datadog.apm.instrumentation.enabled but you disabled the admission controller. This configuration is unsupported. To enable it please set clusterAgent.admissionController.enabled to 'true'." }}
{{- end }}
{{- if and .Values.datadog.apm.instrumentation.enabled_namespaces (eq (include "cluster-agent-enabled" .) "false")}}
#################################################################
#### WARNING: Configuration notice ####
#################################################################
You are using datadog.apm.instrumentation.enabled_namespaces but you disabled the cluster agent. This configuration is unsupported and Kubernetes resource monitoring has been turned off.
To enable it please set clusterAgent.enabled to 'true'.
{{- end }}
{{- if and .Values.datadog.apm.instrumentation.enabled .Values.datadog.apm.instrumentation.enabled_namespaces }}
#################################################################
#### WARNING: Configuration notice ####
#################################################################
The options `datadog.apm.instrumentation.enabled` and `datadog.apm.instrumentation.enabled_namespaces` are set together.
APM Single Step Instrumentation will be enabled in the whole cluster.
{{- end }}
{{- if and .Values.datadog.apm.instrumentation.disabled_namespaces (eq .Values.datadog.apm.instrumentation.enabled "false") }}
#################################################################
#### WARNING: Configuration notice ####
#################################################################
The option `datadog.apm.instrumentation.enabled_namespaces` is set while `datadog.apm.instrumentation.enabled` is disabled.
APM Single Step Instrumentation will be disabled in the whole cluster.
{{- end }}
{{- if .Values.datadog.apm.enabled }}
#################################################################
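Review bot: The new NOTES checks read `.Values.datadog.apm.instrumentation.enabled_namespaces` and `disabled_namespaces` (snake_case), while the values file, the cluster-agent deployment template and the README in this same commit define `enabledNamespaces` and `disabledNamespaces` (camelCase), so every one of these conditions sees a missing key and the `fail` meant to reject setting both lists together can never fire; the deployment will happily emit both `DD_APM_INSTRUMENTATION_ENABLED_NAMESPACES` and `DD_APM_INSTRUMENTATION_DISABLED_NAMESPACES`. The first condition should read `{{- if and .Values.datadog.apm.instrumentation.enabledNamespaces .Values.datadog.apm.instrumentation.disabledNamespaces }}`, with the same rename applied to the three later conditions and to the key names quoted in the messages. The last warning also compares a boolean to a string, `(eq .Values.datadog.apm.instrumentation.enabled "false")`, which is never true for the `enabled: false` default; `{{- if and .Values.datadog.apm.instrumentation.disabledNamespaces (not .Values.datadog.apm.instrumentation.enabled) }}` is the intended test, and its message names `enabled_namespaces` where `disabledNamespaces` is what it checks. A headline of `WARNING` above a `{{- fail }}` is misleading as well; the two cluster-agent and admission-controller blocks abort rendering, so `ERROR` fits them.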


@ -261,6 +261,23 @@ Accepts a map with `port` (default port) and `settings` (probe settings).
{{- end -}}
{{- end -}}
{{/*
Return the proper registry based on datadog.site (requires .Values to be passed as .)
*/}}
{{- define "registry" -}}
{{- if .registry -}}
{{- .registry -}}
{{- else if eq .datadog.site "datadoghq.eu" -}}
eu.gcr.io/datadoghq
{{- else if eq .datadog.site "ddog-gov.com" -}}
public.ecr.aws/datadog
{{- else if eq .datadog.site "ap1.datadoghq.com" -}}
asia.gcr.io/datadoghq
{{- else -}}
gcr.io/datadoghq
{{- end -}}
{{- end -}}
{{/*
Return a remote image path based on `.Values` (passed as root) and `.` (any `.image` from `.Values` passed as parameter)
*/}}
@ -269,7 +286,7 @@ Return a remote image path based on `.Values` (passed as root) and `.` (any `.im
{{- if .image.repository -}}
{{- .image.repository -}}@{{ .image.digest }}
{{- else -}}
{{ .root.registry }}/{{ .image.name }}@{{ .image.digest }}
{{ include "registry" .root }}/{{ .image.name }}@{{ .image.digest }}
{{- end -}}
{{- else -}}
{{- $tagSuffix := "" -}}
@ -279,10 +296,11 @@ Return a remote image path based on `.Values` (passed as root) and `.` (any `.im
{{- if .image.repository -}}
{{- .image.repository -}}:{{ .image.tag }}{{ $tagSuffix }}
{{- else -}}
{{ .root.registry }}/{{ .image.name }}:{{ .image.tag }}{{ $tagSuffix }}
{{ include "registry" .root }}/{{ .image.name }}:{{ .image.tag }}{{ $tagSuffix }}
{{- end -}}
{{- end -}}
{{- end -}}
{{/*
Return true if a system-probe feature is enabled.
*/}}
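Review bot: The new `registry` helper compares `.datadog.site` to string literals without a default, and the values file in this commit leaves `registry:` empty, so when `datadog.site` is also unset (its default is not in view here) the `eq` calls run against a nil value; recent Go releases return false for a nil-versus-string `eq`, but older template engines raised a comparison error, so `{{- else if eq (.datadog.site | default "") "datadoghq.eu" -}}` (and likewise for the other two branches) would keep the helper safe on every supported Helm build. Because the image source now changes with the site value rather than being a fixed default, I would also add to the helper's header comment a sentence saying that `registry` should be set explicitly when image pulls are restricted to an allow-listed registry, since the values-level `registry` still takes precedence on the first branch.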


@ -236,6 +236,22 @@ spec:
{{- end }}
- name: DD_REMOTE_CONFIGURATION_ENABLED
value: {{ include "clusterAgent-remoteConfiguration-enabled" . | quote }}
{{- if .Values.datadog.apm.instrumentation.enabled }}
- name: DD_APM_INSTRUMENTATION_ENABLED
value: "true"
{{- end }}
{{- if .Values.datadog.apm.instrumentation.enabledNamespaces }}
- name: DD_APM_INSTRUMENTATION_ENABLED_NAMESPACES
value: {{ .Values.datadog.apm.instrumentation.enabledNamespaces | toJson | quote }}
{{- end }}
{{- if .Values.datadog.apm.instrumentation.disabledNamespaces }}
- name: DD_APM_INSTRUMENTATION_DISABLED_NAMESPACES
value: {{ .Values.datadog.apm.instrumentation.disabledNamespaces | toJson | quote }}
{{- end }}
{{- if .Values.datadog.apm.instrumentation.libVersions }}
- name: DD_APM_INSTRUMENTATION_LIB_VERSIONS
value: {{ .Values.datadog.apm.instrumentation.libVersions | toJson | quote }}
{{- end }}
{{- if .Values.datadog.clusterChecks.enabled }}
- name: DD_CLUSTER_CHECKS_ENABLED
value: {{ .Values.datadog.clusterChecks.enabled | quote }}


@ -18,13 +18,15 @@ targetSystem: "linux"
commonLabels: {}
# team_name: dev
# registry -- Registry to use for all Agent images (default gcr.io)
# registry -- Registry to use for all Agent images (default to [gcr.io | eu.gcr.io | asia.gcr.io | public.ecr.aws/datadog] depending on datadog.site value)
## Currently we offer Datadog Agent images on:
## GCR - use gcr.io/datadoghq (default)
## DockerHub - use docker.io/datadog
## GCR US - use gcr.io/datadoghq
## GCR Europe - use eu.gcr.io/datadoghq
## GCR Asia - use asia.gcr.io/datadoghq
## AWS - use public.ecr.aws/datadog
registry: gcr.io/datadoghq
## DockerHub - use docker.io/datadog
registry: # gcr.io/datadoghq
datadog:
# datadog.apiKey -- Your Datadog API key
@ -463,6 +465,20 @@ datadog:
# datadog.apm.hostSocketPath -- Host path to the trace-agent socket
hostSocketPath: /var/run/datadog/
# APM Single Step Instrumentation
# This feature is in beta. It requires Cluster Agent 7.49+.
instrumentation:
# datadog.apm.instrumentation.enabled -- Enable injecting the Datadog APM libraries into all pods in the cluster (beta).
enabled: false
# datadog.apm.instrumentation.enabledNamespaces -- Enable injecting the Datadog APM libraries into pods in specific namespaces (beta).
enabledNamespaces: []
# datadog.apm.instrumentation.disabledNamespaces -- Disable injecting the Datadog APM libraries into pods in specific namespaces (beta).
disabledNamespaces: []
# datadog.apm.instrumentation.libVersions -- Inject specific version of tracing libraries with Single Step Instrumentation (beta).
libVersions: {}
## OTLP ingest related configuration
otlp:
receiver:
@ -634,7 +650,9 @@ datadog:
containerImageCollection:
# datadog.containerImageCollection.enabled -- Enable collection of container image metadata
enabled: false
# This parameter requires Agent version 7.46+
enabled: true
orchestratorExplorer:
# datadog.orchestratorExplorer.enabled -- Set this to false to disable the orchestrator explorer
@ -856,7 +874,7 @@ clusterAgent:
name: cluster-agent
# clusterAgent.image.tag -- Cluster Agent image tag to use
tag: 7.49.0
tag: 7.49.1
# clusterAgent.image.digest -- Cluster Agent image digest to use, takes precedence over tag if specified
digest: ""
@ -1284,7 +1302,7 @@ agents:
name: agent
# agents.image.tag -- Define the Agent version to use
tag: 7.49.0
tag: 7.49.1
# agents.image.digest -- Define Agent image digest to use, takes precedence over tag if specified
digest: ""
@ -1752,7 +1770,7 @@ clusterChecksRunner:
name: agent
# clusterChecksRunner.image.tag -- Define the Agent version to use
tag: 7.49.0
tag: 7.49.1
# clusterChecksRunner.image.digest -- Define Agent image digest to use, takes precedence over tag if specified
digest: ""


@ -1,13 +1,14 @@
annotations:
artifacthub.io/changes: |
- Fixes for .Capabilities.APIVersions issues (issues #202 and #211)
- semverCompare fixes for appProtocol
- Use Ingress Controller 1.10.10 version for base image
- Add CRD install/upgrade job for automated CRD management
- Remove default CRDs provided by Chart
catalog.cattle.io/certified: partner
catalog.cattle.io/display-name: HAProxy Kubernetes Ingress Controller
catalog.cattle.io/kube-version: '>=1.22.0-0'
catalog.cattle.io/release-name: haproxy
apiVersion: v2
appVersion: 1.10.9
appVersion: 1.10.10
description: A Helm chart for HAProxy Kubernetes Ingress Controller
home: https://github.com/haproxytech/helm-charts/tree/main/kubernetes-ingress
icon: https://raw.githubusercontent.com/haproxytech/helm-charts/main/kubernetes-ingress/chart-icon.png
@ -22,4 +23,4 @@ name: haproxy
sources:
- https://github.com/haproxytech/kubernetes-ingress
type: application
version: 1.34.1
version: 1.35.0


@ -262,6 +262,9 @@ kubectl apply -f https://raw.githubusercontent.com/haproxytech/helm-charts/main/
kubectl apply -f https://raw.githubusercontent.com/haproxytech/helm-charts/main/kubernetes-ingress/crds/core.haproxy.org_backends.yaml
```
Note: from Helm Chart 1.35.0, Helm Chart contains CRD install/upgrade job that will take care of both installing and
upgrading CRDs accordingly.
## Uninstalling the chart
To uninstall/delete the _my-release_ deployment:


@ -1,903 +0,0 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: backends.core.haproxy.org
spec:
group: core.haproxy.org
names:
kind: Backend
plural: backends
scope: Namespaced
versions:
- name: v1alpha2
served: true
storage: true
schema:
openAPIV3Schema:
type: object
properties:
spec:
type: object
properties:
config:
title: Backend
description: HAProxy backend configuration
type: object
properties:
abortonclose:
type: string
enum:
- enabled
- disabled
accept_invalid_http_response:
type: string
enum:
- enabled
- disabled
adv_check:
type: string
enum:
- ssl-hello-chk
- smtpchk
- ldap-check
- mysql-check
- pgsql-check
- tcp-check
- redis-check
- httpchk
allbackups:
type: string
enum:
- enabled
- disabled
balance:
type: object
required:
- algorithm
properties:
algorithm:
type: string
enum:
- roundrobin
- static-rr
- leastconn
- first
- source
- uri
- url_param
- hdr
- random
- rdp-cookie
hdr_name:
type: string
hdr_use_domain_only:
type: boolean
random_draws:
type: integer
rdp_cookie_name:
type: string
pattern: ^[^\s]+$
uri_depth:
type: integer
uri_len:
type: integer
uri_path_only:
type: boolean
uri_whole:
type: boolean
url_param:
type: string
pattern: ^[^\s]+$
url_param_check_post:
type: integer
url_param_max_wait:
type: integer
bind_process:
type: string
pattern: ^[^\s]+$
check_timeout:
type: integer
nullable: true
compression:
type: object
properties:
algorithms:
type: array
items:
type: string
enum:
- identity
- gzip
- deflate
- raw-deflate
offload:
type: boolean
types:
type: array
items:
type: string
connect_timeout:
type: integer
nullable: true
cookie:
type: object
required:
- name
properties:
domain:
type: array
items:
type: object
properties:
value:
type: string
pattern: ^[^\s]+$
dynamic:
type: boolean
httponly:
type: boolean
indirect:
type: boolean
maxidle:
type: integer
maxlife:
type: integer
name:
type: string
pattern: ^[^\s]+$
nocache:
type: boolean
postonly:
type: boolean
preserve:
type: boolean
secure:
type: boolean
type:
type: string
enum:
- rewrite
- insert
- prefix
default_server:
type: object
title: Default Server
properties:
address:
type: string
pattern: ^[^\s]+$
agent-addr:
type: string
pattern: ^[^\s]+$
agent-check:
type: string
enum:
- enabled
- disabled
agent-inter:
type: integer
nullable: true
agent-port:
type: integer
maximum: 65535
minimum: 1
nullable: true
agent-send:
type: string
allow_0rtt:
type: boolean
alpn:
type: string
pattern: ^[^\s]+$
backup:
type: string
enum:
- enabled
- disabled
ca_file:
type: string
check:
type: string
enum:
- enabled
- disabled
check-send-proxy:
type: string
enum:
- enabled
- disabled
check-sni:
type: string
pattern: ^[^\s]+$
check-ssl:
type: string
enum:
- enabled
- disabled
check_alpn:
type: string
pattern: ^[^\s]+$
check_proto:
type: string
pattern: ^[^\s]+$
check_via_socks4:
type: string
enum:
- enabled
- disabled
ciphers:
type: string
ciphersuites:
type: string
cookie:
type: string
pattern: ^[^\s]+$
crl_file:
type: string
disabled:
type: string
enum:
- enabled
- disabled
downinter:
type: integer
nullable: true
enabled:
type: string
enum:
- enabled
- disabled
error_limit:
type: integer
fall:
type: integer
nullable: true
fastinter:
type: integer
nullable: true
force_sslv3:
type: string
enum:
- enabled
- disabled
force_tlsv10:
type: string
enum:
- enabled
- disabled
force_tlsv11:
type: string
enum:
- enabled
- disabled
force_tlsv12:
type: string
enum:
- enabled
- disabled
force_tlsv13:
type: string
enum:
- enabled
- disabled
health_check_port:
type: integer
maximum: 65535
minimum: 1
nullable: true
init-addr:
type: string
pattern: ^[^\s]+$
inter:
type: integer
nullable: true
log_proto:
type: string
enum:
- legacy
- octet-count
max_reuse:
type: integer
nullable: true
maxconn:
type: integer
nullable: true
maxqueue:
type: integer
nullable: true
minconn:
type: integer
nullable: true
name:
type: string
pattern: ^[^\s]+$
namespace:
type: string
no_sslv3:
type: string
enum:
- enabled
- disabled
no_tlsv10:
type: string
enum:
- enabled
- disabled
no_tlsv11:
type: string
enum:
- enabled
- disabled
no_tlsv12:
type: string
enum:
- enabled
- disabled
no_tlsv13:
type: string
enum:
- enabled
- disabled
no_verifyhost:
type: string
enum:
- enabled
- disabled
npn:
type: string
observe:
type: string
enum:
- layer4
- layer7
on-error:
type: string
enum:
- fastinter
- fail-check
- sudden-death
- mark-down
on-marked-down:
type: string
enum:
- shutdown-sessions
on-marked-up:
type: string
enum:
- shutdown-backup-sessions
pool_low_conn:
type: integer
nullable: true
pool_max_conn:
type: integer
nullable: true
pool_purge_delay:
type: integer
nullable: true
port:
type: integer
maximum: 65535
minimum: 1
nullable: true
proto:
type: string
pattern: ^[^\s]+$
proxy-v2-options:
type: array
items:
type: string
enum:
- ssl
- cert-cn
- ssl-cipher
- cert-sig
- cert-key
- authority
- crc32c
- unique-id
redir:
type: string
resolve-net:
type: string
pattern: ^[^\s]+$
resolve-prefer:
type: string
pattern: ^[^\s]+$
enum:
- ipv4
- ipv6
resolve_opts:
type: string
pattern: ^[^,\s][^\,]*[^,\s]*$
resolvers:
type: string
pattern: ^[^\s]+$
rise:
type: integer
nullable: true
send-proxy:
type: string
enum:
- enabled
- disabled
send-proxy-v2:
type: string
enum:
- enabled
- disabled
send_proxy_v2_ssl:
type: string
enum:
- enabled
- disabled
send_proxy_v2_ssl_cn:
type: string
enum:
- enabled
- disabled
slowstart:
type: integer
nullable: true
sni:
type: string
pattern: ^[^\s]+$
socks4:
type: string
pattern: ^[^\s]+$
source:
type: string
ssl:
type: string
enum:
- enabled
- disabled
ssl_certificate:
type: string
pattern: ^[^\s]+$
ssl_max_ver:
type: string
enum:
- SSLv3
- TLSv1.0
- TLSv1.1
- TLSv1.2
- TLSv1.3
ssl_min_ver:
type: string
enum:
- SSLv3
- TLSv1.0
- TLSv1.1
- TLSv1.2
- TLSv1.3
ssl_reuse:
type: string
enum:
- enabled
- disabled
stick:
type: string
enum:
- enabled
- disabled
tcp_ut:
type: integer
tfo:
type: string
enum:
- enabled
- disabled
tls_tickets:
type: string
enum:
- enabled
- disabled
track:
type: string
verify:
type: string
enum:
- none
- required
verifyhost:
type: string
weight:
type: integer
nullable: true
dynamic_cookie_key:
type: string
pattern: ^[^\s]+$
external_check:
type: string
enum:
- enabled
- disabled
external_check_command:
type: string
pattern: ^[^\s]+$
external_check_path:
type: string
pattern: ^[^\s]+$
forwardfor:
type: object
required:
- enabled
properties:
enabled:
type: string
enum:
- enabled
except:
type: string
pattern: ^[^\s]+$
header:
type: string
pattern: ^[^\s]+$
ifnone:
type: boolean
h1_case_adjust_bogus_server:
type: string
enum:
- enabled
- disabled
hash_type:
type: object
properties:
function:
type: string
enum:
- sdbm
- djb2
- wt6
- crc32
method:
type: string
enum:
- map-based
- consistent
modifier:
type: string
enum:
- avalanche
http-buffer-request:
type: string
enum:
- enabled
- disabled
http-check:
type: object
title: HTTP Check
required:
- index
- type
properties:
addr:
type: string
pattern: ^[^\s]+$
alpn:
type: string
pattern: ^[^\s]+$
body:
type: string
body_log_format:
type: string
check_comment:
type: string
default:
type: boolean
error_status:
type: string
enum:
- L7OKC
- L7RSP
- L7STS
- L6RSP
- L4CON
exclamation_mark:
type: boolean
headers:
type: array
items:
type: object
required:
- name
- fmt
properties:
fmt:
type: string
name:
type: string
index:
type: integer
nullable: true
linger:
type: boolean
match:
type: string
pattern: ^[^\s]+$
enum:
- status
- rstatus
- hdr
- fhdr
- string
- rstring
method:
type: string
min_recv:
type: integer
nullable: true
ok_status:
type: string
enum:
- L7OK
- L7OKC
- L6OK
- L4OK
on_error:
type: string
on_success:
type: string
pattern:
type: string
port:
type: integer
maximum: 65535
minimum: 1
nullable: true
port_string:
type: string
proto:
type: string
send_proxy:
type: boolean
sni:
type: string
ssl:
type: boolean
status-code:
type: string
tout_status:
type: string
enum:
- L7TOUT
- L6TOUT
- L4TOUT
type:
type: string
enum:
- comment
- connect
- disable-on-404
- expect
- send
- send-state
- set-var
- set-var-fmt
- unset-var
uri:
type: string
uri_log_format:
type: string
var_expr:
type: string
var_format:
type: string
var_name:
type: string
pattern: ^[^\s]+$
var_scope:
type: string
pattern: ^[^\s]+$
version:
type: string
via_socks4:
type: boolean
http-keep-alive:
type: string
enum:
- enabled
- disabled
http-no-delay:
type: string
enum:
- enabled
- disabled
http-server-close:
type: string
enum:
- enabled
- disabled
http-use-htx:
type: string
pattern: ^[^\s]+$
enum:
- enabled
- disabled
http_connection_mode:
type: string
enum:
- httpclose
- http-server-close
- http-keep-alive
http_keep_alive_timeout:
type: integer
nullable: true
http_pretend_keepalive:
type: string
enum:
- enabled
- disabled
http_proxy:
type: string
enum:
- enabled
- disabled
http_request_timeout:
type: integer
nullable: true
http_reuse:
type: string
enum:
- aggressive
- always
- never
- safe
httpchk_params:
type: object
properties:
method:
type: string
enum:
- HEAD
- PUT
- POST
- GET
- TRACE
- PATCH
uri:
type: string
pattern: ^[^ ]*$
version:
type: string
httpclose:
type: string
enum:
- enabled
- disabled
log_health_checks:
type: string
enum:
- enabled
- disabled
log_tag:
type: string
pattern: ^[^\s]+$
mode:
type: string
enum:
- http
- tcp
mysql_check_params:
type: object
properties:
client_version:
type: string
enum:
- pre-41
- post-41
username:
type: string
name:
type: string
pattern: ^[A-Za-z0-9-_.:]+$
pgsql_check_params:
type: object
properties:
username:
type: string
queue_timeout:
type: integer
nullable: true
redispatch:
type: object
required:
- enabled
properties:
enabled:
type: string
enum:
- enabled
- disabled
interval:
type: integer
retries:
type: integer
nullable: true
server_timeout:
type: integer
nullable: true
smtpchk_params:
type: object
properties:
domain:
type: string
hello:
type: string
srvtcpka:
type: string
enum:
- enabled
- disabled
stats_options:
type: object
properties:
stats_admin:
type: boolean
stats_admin_cond:
type: string
enum:
- if
- unless
stats_admin_cond_test:
type: string
stats_enable:
type: boolean
stats_hide_version:
type: boolean
stats_maxconn:
type: integer
minimum: 1
stats_refresh_delay:
type: integer
nullable: true
stats_show_desc:
type: string
nullable: true
stats_show_legends:
type: boolean
stats_show_node_name:
type: string
pattern: ^[^\s]+$
nullable: true
stats_uri_prefix:
type: string
pattern: ^[^\s]+$
stick_table:
type: object
properties:
expire:
type: integer
nullable: true
keylen:
type: integer
nullable: true
nopurge:
type: boolean
peers:
type: string
pattern: ^[^\s]+$
size:
type: integer
nullable: true
store:
type: string
pattern: ^[^\s]+$
type:
type: string
enum:
- ip
- ipv6
- integer
- string
- binary
tcpka:
type: string
enum:
- enabled
- disabled
tunnel_timeout:
type: integer
nullable: true


@ -1,929 +0,0 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: defaults.core.haproxy.org
spec:
group: core.haproxy.org
names:
kind: Defaults
plural: defaults
scope: Namespaced
versions:
- name: v1alpha2
served: true
storage: true
schema:
openAPIV3Schema:
type: object
properties:
spec:
type: object
required:
- config
properties:
config:
title: Defaults
description: HAProxy defaults configuration
type: object
properties:
abortonclose:
type: string
enum:
- enabled
- disabled
accept_invalid_http_request:
type: string
enum:
- enabled
- disabled
accept_invalid_http_response:
type: string
enum:
- enabled
- disabled
adv_check:
type: string
enum:
- ssl-hello-chk
- smtpchk
- ldap-check
- mysql-check
- pgsql-check
- tcp-check
- redis-check
- httpchk
allbackups:
type: string
enum:
- enabled
- disabled
backlog:
type: integer
nullable: true
balance:
type: object
required:
- algorithm
properties:
algorithm:
type: string
enum:
- roundrobin
- static-rr
- leastconn
- first
- source
- uri
- url_param
- hdr
- random
- rdp-cookie
hdr_name:
type: string
hdr_use_domain_only:
type: boolean
random_draws:
type: integer
rdp_cookie_name:
type: string
pattern: ^[^\s]+$
uri_depth:
type: integer
uri_len:
type: integer
uri_path_only:
type: boolean
uri_whole:
type: boolean
url_param:
type: string
pattern: ^[^\s]+$
url_param_check_post:
type: integer
url_param_max_wait:
type: integer
bind_process:
type: string
pattern: ^[^\s]+$
check_timeout:
type: integer
nullable: true
clflog:
type: boolean
client_fin_timeout:
type: integer
nullable: true
client_timeout:
type: integer
nullable: true
clitcpka:
type: string
enum:
- enabled
- disabled
compression:
type: object
properties:
algorithms:
type: array
items:
type: string
enum:
- identity
- gzip
- deflate
- raw-deflate
offload:
type: boolean
types:
type: array
items:
type: string
connect_timeout:
type: integer
nullable: true
contstats:
type: string
enum:
- enabled
cookie:
type: object
required:
- name
properties:
domain:
type: array
items:
type: object
properties:
value:
type: string
pattern: ^[^\s]+$
dynamic:
type: boolean
httponly:
type: boolean
indirect:
type: boolean
maxidle:
type: integer
maxlife:
type: integer
name:
type: string
pattern: ^[^\s]+$
nocache:
type: boolean
postonly:
type: boolean
preserve:
type: boolean
secure:
type: boolean
type:
type: string
enum:
- rewrite
- insert
- prefix
default_backend:
type: string
pattern: ^[A-Za-z0-9-_.:]+$
default_server:
type: object
title: Default Server
properties:
address:
type: string
pattern: ^[^\s]+$
agent-addr:
type: string
pattern: ^[^\s]+$
agent-check:
type: string
enum:
- enabled
- disabled
agent-inter:
type: integer
nullable: true
agent-port:
type: integer
maximum: 65535
minimum: 1
nullable: true
agent-send:
type: string
allow_0rtt:
type: boolean
alpn:
type: string
pattern: ^[^\s]+$
backup:
type: string
enum:
- enabled
- disabled
ca_file:
type: string
check:
type: string
enum:
- enabled
- disabled
check-send-proxy:
type: string
enum:
- enabled
- disabled
check-sni:
type: string
pattern: ^[^\s]+$
check-ssl:
type: string
enum:
- enabled
- disabled
check_alpn:
type: string
pattern: ^[^\s]+$
check_proto:
type: string
pattern: ^[^\s]+$
check_via_socks4:
type: string
enum:
- enabled
- disabled
ciphers:
type: string
ciphersuites:
type: string
cookie:
type: string
pattern: ^[^\s]+$
crl_file:
type: string
disabled:
type: string
enum:
- enabled
- disabled
downinter:
type: integer
nullable: true
enabled:
type: string
enum:
- enabled
- disabled
error_limit:
type: integer
fall:
type: integer
nullable: true
fastinter:
type: integer
nullable: true
force_sslv3:
type: string
enum:
- enabled
- disabled
force_tlsv10:
type: string
enum:
- enabled
- disabled
force_tlsv11:
type: string
enum:
- enabled
- disabled
force_tlsv12:
type: string
enum:
- enabled
- disabled
force_tlsv13:
type: string
enum:
- enabled
- disabled
health_check_port:
type: integer
maximum: 65535
minimum: 1
nullable: true
init-addr:
type: string
pattern: ^[^\s]+$
inter:
type: integer
nullable: true
log_proto:
type: string
enum:
- legacy
- octet-count
max_reuse:
type: integer
nullable: true
maxconn:
type: integer
nullable: true
maxqueue:
type: integer
nullable: true
minconn:
type: integer
nullable: true
name:
type: string
pattern: ^[^\s]+$
namespace:
type: string
no_sslv3:
type: string
enum:
- enabled
- disabled
no_tlsv10:
type: string
enum:
- enabled
- disabled
no_tlsv11:
type: string
enum:
- enabled
- disabled
no_tlsv12:
type: string
enum:
- enabled
- disabled
no_tlsv13:
type: string
enum:
- enabled
- disabled
no_verifyhost:
type: string
enum:
- enabled
- disabled
npn:
type: string
observe:
type: string
enum:
- layer4
- layer7
on-error:
type: string
enum:
- fastinter
- fail-check
- sudden-death
- mark-down
on-marked-down:
type: string
enum:
- shutdown-sessions
on-marked-up:
type: string
enum:
- shutdown-backup-sessions
pool_low_conn:
type: integer
nullable: true
pool_max_conn:
type: integer
nullable: true
pool_purge_delay:
type: integer
nullable: true
port:
type: integer
maximum: 65535
minimum: 1
nullable: true
proto:
type: string
pattern: ^[^\s]+$
proxy-v2-options:
type: array
items:
type: string
enum:
- ssl
- cert-cn
- ssl-cipher
- cert-sig
- cert-key
- authority
- crc32c
- unique-id
redir:
type: string
resolve-net:
type: string
pattern: ^[^\s]+$
resolve-prefer:
type: string
pattern: ^[^\s]+$
enum:
- ipv4
- ipv6
resolve_opts:
type: string
pattern: ^[^,\s][^\,]*[^,\s]*$
resolvers:
type: string
pattern: ^[^\s]+$
rise:
type: integer
nullable: true
send-proxy:
type: string
enum:
- enabled
- disabled
send-proxy-v2:
type: string
enum:
- enabled
- disabled
send_proxy_v2_ssl:
type: string
enum:
- enabled
- disabled
send_proxy_v2_ssl_cn:
type: string
enum:
- enabled
- disabled
slowstart:
type: integer
nullable: true
sni:
type: string
pattern: ^[^\s]+$
socks4:
type: string
pattern: ^[^\s]+$
source:
type: string
ssl:
type: string
enum:
- enabled
- disabled
ssl_certificate:
type: string
pattern: ^[^\s]+$
ssl_max_ver:
type: string
enum:
- SSLv3
- TLSv1.0
- TLSv1.1
- TLSv1.2
- TLSv1.3
ssl_min_ver:
type: string
enum:
- SSLv3
- TLSv1.0
- TLSv1.1
- TLSv1.2
- TLSv1.3
ssl_reuse:
type: string
enum:
- enabled
- disabled
stick:
type: string
enum:
- enabled
- disabled
tcp_ut:
type: integer
tfo:
type: string
enum:
- enabled
- disabled
tls_tickets:
type: string
enum:
- enabled
- disabled
track:
type: string
verify:
type: string
enum:
- none
- required
verifyhost:
type: string
weight:
type: integer
nullable: true
disable_h2_upgrade:
type: string
enum:
- enabled
- disabled
dontlognull:
type: string
enum:
- enabled
- disabled
dynamic_cookie_key:
type: string
pattern: ^[^\s]+$
error_files:
type: array
items:
type: object
properties:
code:
type: integer
enum:
- 200
- 400
- 403
- 405
- 408
- 425
- 429
- 500
- 502
- 503
- 504
file:
type: string
external_check:
type: string
enum:
- enabled
- disabled
external_check_command:
type: string
pattern: ^[^\s]+$
external_check_path:
type: string
pattern: ^[^\s]+$
forwardfor:
type: object
required:
- enabled
properties:
enabled:
type: string
enum:
- enabled
except:
type: string
pattern: ^[^\s]+$
header:
type: string
pattern: ^[^\s]+$
ifnone:
type: boolean
h1_case_adjust_bogus_client:
type: string
enum:
- enabled
- disabled
h1_case_adjust_bogus_server:
type: string
enum:
- enabled
- disabled
http-buffer-request:
type: string
enum:
- enabled
- disabled
http-check:
type: object
title: HTTP Check
required:
- index
- type
properties:
addr:
type: string
pattern: ^[^\s]+$
alpn:
type: string
pattern: ^[^\s]+$
body:
type: string
body_log_format:
type: string
check_comment:
type: string
default:
type: boolean
error_status:
type: string
enum:
- L7OKC
- L7RSP
- L7STS
- L6RSP
- L4CON
exclamation_mark:
type: boolean
headers:
type: array
items:
type: object
required:
- name
- fmt
properties:
fmt:
type: string
name:
type: string
index:
type: integer
nullable: true
linger:
type: boolean
match:
type: string
pattern: ^[^\s]+$
enum:
- status
- rstatus
- hdr
- fhdr
- string
- rstring
method:
type: string
min_recv:
type: integer
nullable: true
ok_status:
type: string
enum:
- L7OK
- L7OKC
- L6OK
- L4OK
on_error:
type: string
on_success:
type: string
pattern:
type: string
port:
type: integer
maximum: 65535
minimum: 1
nullable: true
port_string:
type: string
proto:
type: string
send_proxy:
type: boolean
sni:
type: string
ssl:
type: boolean
status-code:
type: string
tout_status:
type: string
enum:
- L7TOUT
- L6TOUT
- L4TOUT
type:
type: string
enum:
- comment
- connect
- disable-on-404
- expect
- send
- send-state
- set-var
- set-var-fmt
- unset-var
uri:
type: string
uri_log_format:
type: string
var_expr:
type: string
var_format:
type: string
var_name:
type: string
pattern: ^[^\s]+$
var_scope:
type: string
pattern: ^[^\s]+$
version:
type: string
via_socks4:
type: boolean
http-use-htx:
type: string
enum:
- enabled
- disabled
http_connection_mode:
type: string
enum:
- httpclose
- http-server-close
- http-keep-alive
http_keep_alive_timeout:
type: integer
nullable: true
http_pretend_keepalive:
type: string
enum:
- enabled
- disabled
http_request_timeout:
type: integer
nullable: true
http_reuse:
type: string
enum:
- aggressive
- always
- never
- safe
httpchk_params:
type: object
properties:
method:
type: string
enum:
- HEAD
- PUT
- POST
- GET
- TRACE
- PATCH
uri:
type: string
pattern: ^[^ ]*$
version:
type: string
httplog:
type: boolean
load_server_state_from_file:
type: string
enum:
- global
- local
- none
log_format:
type: string
log_format_sd:
type: string
log_health_checks:
type: string
enum:
- enabled
- disabled
log_separate_errors:
type: string
enum:
- enabled
- disabled
log_tag:
type: string
pattern: ^[^\s]+$
logasap:
type: string
enum:
- enabled
- disabled
maxconn:
type: integer
nullable: true
mode:
type: string
enum:
- tcp
- http
monitor_uri:
type: string
mysql_check_params:
type: object
properties:
client_version:
type: string
enum:
- pre-41
- post-41
username:
type: string
pgsql_check_params:
type: object
properties:
username:
type: string
queue_timeout:
type: integer
nullable: true
redispatch:
type: object
required:
- enabled
properties:
enabled:
type: string
enum:
- enabled
- disabled
interval:
type: integer
retries:
type: integer
nullable: true
server_fin_timeout:
type: integer
nullable: true
server_timeout:
type: integer
nullable: true
smtpchk_params:
type: object
properties:
domain:
type: string
hello:
type: string
srvtcpka:
type: string
enum:
- enabled
- disabled
stats_options:
type: object
properties:
stats_admin:
type: boolean
stats_admin_cond:
type: string
enum:
- if
- unless
stats_admin_cond_test:
type: string
stats_enable:
type: boolean
stats_hide_version:
type: boolean
stats_maxconn:
type: integer
minimum: 1
stats_refresh_delay:
type: integer
nullable: true
stats_show_desc:
type: string
nullable: true
stats_show_legends:
type: boolean
stats_show_node_name:
type: string
pattern: ^[^\s]+$
nullable: true
stats_uri_prefix:
type: string
pattern: ^[^\s]+$
tcpka:
type: string
enum:
- enabled
- disabled
tcplog:
type: boolean
tunnel_timeout:
type: integer
nullable: true
unique_id_format:
type: string
unique_id_header:
type: string


@ -1,438 +0,0 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: globals.core.haproxy.org
spec:
group: core.haproxy.org
names:
kind: Global
plural: globals
scope: Namespaced
versions:
- name: v1alpha2
served: true
storage: true
schema:
openAPIV3Schema:
type: object
properties:
spec:
type: object
properties:
config:
description: HAProxy global configuration
type: object
title: Global
properties:
busy_polling:
type: boolean
ca_base:
type: string
chroot:
type: string
pattern: ^[^\s]+$
cpu_maps:
type: array
items:
type: object
required:
- process
- cpu_set
properties:
cpu_set:
type: string
process:
type: string
crt_base:
type: string
daemon:
type: string
enum:
- enabled
- disabled
external_check:
type: boolean
gid:
type: integer
group:
type: string
pattern: ^[^\s]+$
h1_case_adjust:
type: array
items:
type: object
required:
- from
- to
properties:
from:
type: string
to:
type: string
h1_case_adjust_file:
type: string
hard_stop_after:
type: integer
nullable: true
localpeer:
type: string
pattern: ^[^\s]+$
log_send_hostname:
type: object
required:
- enabled
properties:
enabled:
type: string
enum:
- enabled
- disabled
param:
type: string
pattern: ^[^\s]+$
lua_loads:
type: array
items:
type: object
required:
- file
properties:
file:
type: string
pattern: ^[^\s]+$
lua_prepend_path:
type: array
items:
type: object
required:
- path
properties:
path:
type: string
pattern: ^[^\s]+$
type:
type: string
enum:
- path
- cpath
master-worker:
type: boolean
max_spread_checks:
type: integer
maxcompcpuusage:
type: integer
maxcomprate:
type: integer
maxconn:
type: integer
maxconnrate:
type: integer
maxpipes:
type: integer
maxsessrate:
type: integer
maxsslconn:
type: integer
maxsslrate:
type: integer
maxzlibmem:
type: integer
nbproc:
type: integer
nbthread:
type: integer
noepoll:
type: boolean
noevports:
type: boolean
nogetaddrinfo:
type: boolean
nokqueue:
type: boolean
nopoll:
type: boolean
noreuseport:
type: boolean
nosplice:
type: boolean
pidfile:
type: string
profiling_tasks:
type: string
enum:
- auto
- on
- off
runtime_apis:
type: array
items:
type: object
required:
- address
properties:
address:
type: string
pattern: '^[^\s]+$'
mode:
type: string
pattern: '^[^\s]+$'
level:
type: string
enum: [user, operator, admin]
process:
type: string
pattern: '^[^\s]+$'
exposeFdListeners:
type: boolean
server_state_base:
type: string
pattern: ^[^\s]+$
server_state_file:
type: string
pattern: ^[^\s]+$
spread_checks:
type: integer
ssl_default_bind_ciphers:
type: string
ssl_default_bind_ciphersuites:
type: string
ssl_default_bind_options:
type: string
ssl_default_server_ciphers:
type: string
ssl_default_server_ciphersuites:
type: string
ssl_default_server_options:
type: string
ssl_mode_async:
type: string
enum:
- enabled
- disabled
stats_timeout:
type: integer
nullable: true
tune_options:
type: object
properties:
buffers_limit:
type: integer
nullable: true
buffers_reserve:
type: integer
minimum: 2
bufsize:
type: integer
comp_maxlevel:
type: integer
fail_alloc:
type: boolean
h2_header_table_size:
type: integer
maximum: 65535
h2_initial_window_size:
type: integer
nullable: true
h2_max_concurrent_streams:
type: integer
h2_max_frame_size:
type: integer
http_cookielen:
type: integer
http_logurilen:
type: integer
http_maxhdr:
type: integer
maximum: 32767
minimum: 1
idle_pool_shared:
type: string
enum:
- enabled
- disabled
idletimer:
type: integer
maximum: 65535
minimum: 0
nullable: true
listener_multi_queue:
type: string
enum:
- enabled
- disabled
lua_forced_yield:
type: integer
lua_maxmem:
type: boolean
lua_service_timeout:
type: integer
nullable: true
lua_session_timeout:
type: integer
nullable: true
lua_task_timeout:
type: integer
nullable: true
maxaccept:
type: integer
maxpollevents:
type: integer
maxrewrite:
type: integer
pattern_cache_size:
type: integer
nullable: true
pipesize:
type: integer
pool_high_fd_ratio:
type: integer
pool_low_fd_ratio:
type: integer
rcvbuf_client:
type: integer
nullable: true
rcvbuf_server:
type: integer
nullable: true
recv_enough:
type: integer
runqueue_depth:
type: integer
sched_low_latency:
type: string
enum:
- enabled
- disabled
sndbuf_client:
type: integer
nullable: true
sndbuf_server:
type: integer
nullable: true
ssl_cachesize:
type: integer
nullable: true
ssl_capture_buffer_size:
type: integer
nullable: true
ssl_ctx_cache_size:
type: integer
ssl_default_dh_param:
type: integer
ssl_force_private_cache:
type: boolean
ssl_keylog:
type: string
enum:
- enabled
- disabled
ssl_lifetime:
type: integer
nullable: true
ssl_maxrecord:
type: integer
nullable: true
vars_global_max_size:
type: integer
nullable: true
vars_proc_max_size:
type: integer
nullable: true
vars_reqres_max_size:
type: integer
nullable: true
vars_sess_max_size:
type: integer
nullable: true
vars_txn_max_size:
type: integer
nullable: true
zlib_memlevel:
type: integer
maximum: 9
minimum: 1
zlib_windowsize:
type: integer
maximum: 15
minimum: 8
tune_ssl_default_dh_param:
type: integer
uid:
type: integer
user:
type: string
pattern: ^[^\s]+$
log_targets:
type: array
items:
type: object
required:
- address
- facility
properties:
index:
type: integer
nullable: true
address:
type: string
pattern: ^[^\s]+$
length:
type: integer
format:
type: string
enum:
- rfc3164
- rfc5424
- short
- raw
facility:
type: string
enum:
- kern
- user
- mail
- daemon
- auth
- syslog
- lpr
- news
- uucp
- cron
- auth2
- ftp
- ntp
- audit
- alert
- cron2
- local0
- local1
- local2
- local3
- local4
- local5
- local6
- local7
level:
type: string
enum:
- emerg
- alert
- crit
- err
- warning
- notice
- info
- debug
minlevel:
type: string
enum:
- emerg
- alert
- crit
- err
- warning
- notice
- info
- debug


@ -152,4 +152,11 @@ Create a FQDN for the Service metrics.
{{- printf "%s-%s" (include "kubernetes-ingress.fullname" . | trunc 56 | trimSuffix "-") "metrics" }}
{{- end -}}
{{/*
Create a default fully qualified default CRD job name.
*/}}
{{- define "kubernetes-ingress.crdjob.fullname" -}}
{{- printf "%s-%s" (include "kubernetes-ingress.fullname" .) "crdjob" | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/* vim: set filetype=mustache: */}}


@ -95,7 +95,10 @@ rules:
- get
- list
- watch
- create
- update
- patch
- delete
{{- if .Values.controller.kubernetesGateway.enabled }}
- apiGroups:
- "gateway.networking.k8s.io"
@ -117,4 +120,15 @@ rules:
verbs:
- update
{{- end }}
{{- if .Values.controller.techdump.enabled }}
- apiGroups:
- "apps"
resources:
- replicasets
- deployments
- daemonsets
verbs:
- get
- list
{{- end }}
{{- end -}}
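Review bot: The `create`/`update`/`patch`/`delete` verbs added in the first hunk are bound to the controller's ServiceAccount, and the new CRD job reuses that same account (`serviceAccountName` in the job template), so whatever resource these verbs attach to — the resource line is above the hunk, presumably `customresourcedefinitions` — becomes writable by the long-running ingress controller pods, not only by the one-shot job. A dedicated ServiceAccount plus Role bound only to the job would keep the controller's runtime permissions where they were, and `delete` is not needed for installing or upgrading CRDs, so it is worth dropping unless the job really removes them. The `techdump` hunk is read-only and correctly gated by `controller.techdump.enabled`, so no concern there. The enclosing `rules:` list starts before the hunk.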


@ -0,0 +1,51 @@
{{/*
Copyright 2023 HAProxy Technologies LLC
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
apiVersion: batch/v1
kind: Job
metadata:
name: {{ include "kubernetes-ingress.crdjob.fullname" . }}
namespace: {{ include "kubernetes-ingress.namespace" . }}
labels:
app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }}
helm.sh/chart: {{ include "kubernetes-ingress.chart" . }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
spec:
template:
metadata:
labels:
app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- if .Values.controller.podLabels }}
{{ toYaml .Values.controller.podLabels | indent 8 }}
{{- end }}
{{- if .Values.controller.podAnnotations }}
annotations:
{{ toYaml .Values.controller.podAnnotations | indent 8 }}
{{- end }}
spec:
serviceAccountName: {{ include "kubernetes-ingress.serviceAccountName" . }}
containers:
- name: {{ include "kubernetes-ingress.name" . }}-{{ .Values.controller.name }}
image: "{{ .Values.controller.image.repository }}:{{ tpl .Values.controller.image.tag . }}"
imagePullPolicy: {{ .Values.controller.image.pullPolicy }}
command:
- /haproxy-ingress-controller
- --job-check-crd
restartPolicy: Never
backoffLimit: 0
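Review bot: The Job carries no `helm.sh/hook` annotations, so Helm manages it as an ordinary release resource and will try to patch it on the next `helm upgrade`; because a Job's `spec.template` is immutable, that upgrade fails as soon as `controller.image.tag` or the copied pod labels/annotations change, which is precisely when a CRD upgrade is needed. Adding `helm.sh/hook: pre-install,pre-upgrade` and `helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded` under `metadata.annotations` avoids this, with the caveat that the ServiceAccount and RBAC it depends on must then also be hooks or pre-exist; a revision-suffixed name would sidestep immutability at the cost of leftover Jobs. The pod template also sets no `securityContext`, `resources` or `imagePullSecrets`, so the job will not inherit whatever hardening or private-registry settings the controller workload applies — if the chart exposes those under `.Values.controller`, they should be reused here. With `backoffLimit: 0` and `restartPolicy: Never` a single transient failure such as an image pull error leaves a failed Job behind with no retry, which is acceptable for fail-fast but worth stating in the README note about the CRD job.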


@ -533,3 +533,8 @@ controller:
path: /metrics
scheme: http
interval: 30s
## Techdump
## Toggle to add the RBAC permissions needed for the techdump tool.
techdump:
enabled: false


@ -1,5 +1,21 @@
## Unreleased
## 0.27.0 (November 16, 2023)
Changes:
* Default `vault` version updated to 1.15.2
Features:
* server: Support setting `persistentVolumeClaimRetentionPolicy` on the StatefulSet [GH-965](https://github.com/hashicorp/vault-helm/pull/965)
* server: Support setting labels on PVCs [GH-969](https://github.com/hashicorp/vault-helm/pull/969)
* server: Support setting ingress rules for networkPolicy [GH-877](https://github.com/hashicorp/vault-helm/pull/877)
Improvements:
* Support exec in the server liveness probe [GH-971](https://github.com/hashicorp/vault-helm/pull/971)
## 0.26.1 (October 30, 2023)
Bugs:


@ -6,7 +6,7 @@ annotations:
catalog.cattle.io/release-name: vault
charts.openshift.io/name: HashiCorp Vault
apiVersion: v2
appVersion: 1.15.1
appVersion: 1.15.2
description: Official HashiCorp Vault Chart
home: https://www.vaultproject.io
icon: https://github.com/hashicorp/vault/raw/f22d202cde2018f9455dec755118a9b84586e082/Vault_PrimaryLogo_Black.png
@ -25,4 +25,4 @@ sources:
- https://github.com/hashicorp/vault-helm
- https://github.com/hashicorp/vault-k8s
- https://github.com/hashicorp/vault-csi-provider
version: 0.26.1
version: 0.27.0


@ -289,6 +289,7 @@ storage might be desired by the user.
- metadata:
name: data
{{- include "vault.dataVolumeClaim.annotations" . | nindent 6 }}
{{- include "vault.dataVolumeClaim.labels" . | nindent 6 }}
spec:
accessModes:
- {{ .Values.server.dataStorage.accessMode | default "ReadWriteOnce" }}
@ -303,6 +304,7 @@ storage might be desired by the user.
- metadata:
name: audit
{{- include "vault.auditVolumeClaim.annotations" . | nindent 6 }}
{{- include "vault.auditVolumeClaim.labels" . | nindent 6 }}
spec:
accessModes:
- {{ .Values.server.auditStorage.accessMode | default "ReadWriteOnce" }}
@ -782,6 +784,21 @@ Sets VolumeClaim annotations for data volume
{{- end }}
{{- end -}}
{{/*
Sets VolumeClaim labels for data volume
*/}}
{{- define "vault.dataVolumeClaim.labels" -}}
{{- if and (ne .mode "dev") (.Values.server.dataStorage.enabled) (.Values.server.dataStorage.labels) }}
labels:
{{- $tp := typeOf .Values.server.dataStorage.labels }}
{{- if eq $tp "string" }}
{{- tpl .Values.server.dataStorage.labels . | nindent 4 }}
{{- else }}
{{- toYaml .Values.server.dataStorage.labels | nindent 4 }}
{{- end }}
{{- end }}
{{- end -}}
{{/*
Sets VolumeClaim annotations for audit volume
*/}}
@ -797,6 +814,21 @@ Sets VolumeClaim annotations for audit volume
{{- end }}
{{- end -}}
{{/*
Sets VolumeClaim labels for audit volume
*/}}
{{- define "vault.auditVolumeClaim.labels" -}}
{{- if and (ne .mode "dev") (.Values.server.auditStorage.enabled) (.Values.server.auditStorage.labels) }}
labels:
{{- $tp := typeOf .Values.server.auditStorage.labels }}
{{- if eq $tp "string" }}
{{- tpl .Values.server.auditStorage.labels . | nindent 4 }}
{{- else }}
{{- toYaml .Values.server.auditStorage.labels | nindent 4 }}
{{- end }}
{{- end }}
{{- end -}}
{{/*
Set's the container resources if the user has set any.
*/}}
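Review bot: `vault.dataVolumeClaim.labels` and `vault.auditVolumeClaim.labels` are line-for-line copies that differ only in the values path, which invites the two drifting apart; a single helper taking the storage settings as its argument would serve both, though since it mirrors the existing annotations helpers the duplication may be deliberate. Separately, the string branch renders the value through `tpl`, so a string `labels` value is executed as a template with the full chart context, which the header comment should state, e.g. `Sets VolumeClaim labels for data volume (a string value is rendered with tpl, a map is emitted with toYaml)`.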


@ -16,14 +16,7 @@ spec:
matchLabels:
app.kubernetes.io/name: {{ template "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
ingress:
- from:
- namespaceSelector: {}
ports:
- port: 8200
protocol: TCP
- port: 8201
protocol: TCP
ingress: {{- toYaml .Values.server.networkPolicy.ingress | nindent 4 }}
{{- if .Values.server.networkPolicy.egress }}
egress:
{{- toYaml .Values.server.networkPolicy.egress | nindent 4 }}
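Review bot: The new `ingress:` line renders unconditionally while `egress` keeps its `if` guard, so a user who sets `server.networkPolicy.ingress` to an empty list or null gets `ingress: []` or `ingress: null`, which in a NetworkPolicy denies all inbound traffic to the Vault pods rather than restoring the previous rule. That is fail-closed, the right outcome for a secrets store, but it is a silent change from the old hard-coded behavior and should be documented next to the default in values.yaml. The removed rule allowed 8200/8201 from every namespace (`namespaceSelector: {}`); now that it is a value, operators can scope it to the namespaces that actually need Vault, which is worth a sentence in the changelog.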


@ -24,6 +24,9 @@ spec:
replicas: {{ template "vault.replicas" . }}
updateStrategy:
type: {{ .Values.server.updateStrategyType }}
{{- if and (semverCompare ">= 1.23-0" .Capabilities.KubeVersion.Version) (.Values.server.persistentVolumeClaimRetentionPolicy) }}
persistentVolumeClaimRetentionPolicy: {{ toYaml .Values.server.persistentVolumeClaimRetentionPolicy | nindent 4 }}
{{- end }}
selector:
matchLabels:
app.kubernetes.io/name: {{ template "vault.name" . }}
@ -179,10 +182,18 @@ spec:
{{- end }}
{{- if .Values.server.livenessProbe.enabled }}
livenessProbe:
{{- if .Values.server.livenessProbe.execCommand }}
exec:
command:
{{- range (.Values.server.livenessProbe.execCommand) }}
- {{ . | quote }}
{{- end }}
{{- else }}
httpGet:
path: {{ .Values.server.livenessProbe.path | quote }}
port: {{ .Values.server.livenessProbe.port }}
scheme: {{ include "vault.scheme" . | upper }}
{{- end }}
failureThreshold: {{ .Values.server.livenessProbe.failureThreshold }}
initialDelaySeconds: {{ .Values.server.livenessProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.server.livenessProbe.periodSeconds }}
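Review bot: `persistentVolumeClaimRetentionPolicy` is emitted for any cluster at or above 1.23, but the field is behind the StatefulSetAutoDeletePVC feature gate, alpha and off by default until it went beta in 1.27, so on 1.23–1.26 clusters without the gate the API server silently drops it and the configured policy has no effect. A short template comment above the `semverCompare` would spare operators a confusing no-op, e.g. `{{/* Needs the StatefulSetAutoDeletePVC feature gate (alpha 1.23, on by default from 1.27); silently ignored otherwise */}}`. The exec/httpGet liveness branch looks fine; note that `execCommand` entries are rendered one by one with `quote`, so each must be a plain string rather than a nested list.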


@ -13,12 +13,12 @@ injector:
agentImage:
repository: "registry.connect.redhat.com/hashicorp/vault"
tag: "1.15.1-ubi"
tag: "1.15.2-ubi"
server:
image:
repository: "registry.connect.redhat.com/hashicorp/vault"
tag: "1.15.1-ubi"
tag: "1.15.2-ubi"
readinessProbe:
path: "/v1/sys/health?uninitcode=204"


@ -559,6 +559,12 @@
"string"
]
},
"labels": {
"type": [
"object",
"string"
]
},
"enabled": {
"type": [
"boolean",
@ -599,6 +605,12 @@
"string"
]
},
"labels": {
"type": [
"object",
"string"
]
},
"enabled": {
"type": [
"boolean",
@ -619,6 +631,17 @@
}
}
},
"persistentVolumeClaimRetentionPolicy": {
"type": "object",
"properties": {
"whenDeleted": {
"type": "string"
},
"whenScaled": {
"type": "string"
}
}
},
"dev": {
"type": "object",
"properties": {
@ -818,6 +841,12 @@
"path": {
"type": "string"
},
"port": {
"type": "integer"
},
"execCommand": {
"type": "array"
},
"periodSeconds": {
"type": "integer"
},
@ -843,6 +872,9 @@
},
"enabled": {
"type": "boolean"
},
"ingress": {
"type": "array"
}
}
},
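Review bot: The new `whenDeleted`/`whenScaled` entries are typed as bare strings although the API only accepts `Retain` or `Delete`, so a typo such as `retain` passes schema validation and is only rejected by the API server at apply time; an enum catches it at `helm install`: `"whenDeleted": { "type": "string", "enum": ["Retain", "Delete"] }` and likewise for `whenScaled`. The `execCommand` and `ingress` arrays carry no `items` constraint; `"items": { "type": "string" }` for `execCommand` would reject the nested-list case the template cannot render.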


@ -76,7 +76,7 @@ injector:
# required.
agentImage:
repository: "hashicorp/vault"
tag: "1.15.1"
tag: "1.15.2"
# The default values for the injected Vault Agent containers.
agentDefaults:
@ -377,7 +377,7 @@ server:
image:
repository: "hashicorp/vault"
tag: "1.15.1"
tag: "1.15.2"
# Overrides the default Image Pull Policy
pullPolicy: IfNotPresent
@ -531,8 +531,14 @@ server:
# Used to enable a livenessProbe for the pods
livenessProbe:
enabled: false
# Used to define a liveness exec command. If provided, exec is preferred to httpGet (path) as the livenessProbe handler.
execCommand: []
# - /bin/sh
# - -c
# - /vault/userconfig/mylivenessscript/run.sh
# Path for the livenessProbe to use httpGet as the livenessProbe handler
path: "/v1/sys/health?standbyok=true"
# Port number on which livenessProbe will be checked.
# Port number on which livenessProbe will be checked if httpGet is used as the livenessProbe handler
port: 8200
# When a probe fails, Kubernetes will try failureThreshold times before giving up
failureThreshold: 2
@ -641,6 +647,14 @@ server:
# ports:
# - protocol: TCP
# port: 443
ingress:
- from:
- namespaceSelector: {}
ports:
- port: 8200
protocol: TCP
- port: 8201
protocol: TCP
# Priority class for server pods
priorityClassName: ""
@ -755,6 +769,16 @@ server:
accessMode: ReadWriteOnce
# Annotations to apply to the PVC
annotations: {}
# Labels to apply to the PVC
labels: {}
# Persistent Volume Claim (PVC) retention policy
# ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#persistentvolumeclaim-retention
# Example:
# persistentVolumeClaimRetentionPolicy:
# whenDeleted: Retain
# whenScaled: Retain
persistentVolumeClaimRetentionPolicy: {}
# This configures the Vault Statefulset to create a PVC for audit
# logs. Once Vault is deployed, initialized, and unsealed, Vault must
@ -774,6 +798,8 @@ server:
accessMode: ReadWriteOnce
# Annotations to apply to the PVC
annotations: {}
# Labels to apply to the PVC
labels: {}
# Run Vault in "dev" mode. This requires no further setup, no state management,
# and no initialization. This is useful for experimenting with Vault without
@ -1139,7 +1165,7 @@ csi:
image:
repository: "hashicorp/vault"
tag: "1.15.1"
tag: "1.15.2"
pullPolicy: IfNotPresent
logFormat: standard
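Review bot: The `persistentVolumeClaimRetentionPolicy` comment shows a `Retain`/`Retain` example but does not say what the other value does: `whenDeleted: Delete` makes Kubernetes remove the data and audit PVCs when the StatefulSet is deleted, which for a secrets store with no external backup is unrecoverable. Suggest adding `# WARNING: whenDeleted: Delete removes the PVCs backing Vault's storage and audit log when the StatefulSet is deleted` above the key. The new `networkPolicy.ingress` default also deserves a line saying that emptying the list blocks all inbound traffic to the Vault pods, since the template now renders whatever is set instead of the previous fixed rule.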


@ -12,6 +12,11 @@ Use the following links to reference issues, PRs, and commits prior to v2.6.0.
The changelog until v1.5.7 was auto-generated based on git commits.
Those entries include a reference to the git commit to be able to get more details.
## 4.8.3
Update Jenkins image and appVersion to jenkins lts release version 2.426.1
## 4.8.2
Add the ability to modify `retentionTimeout` and `waitForPodSec` default value in JCasC


@ -2,7 +2,7 @@ annotations:
artifacthub.io/category: integration-delivery
artifacthub.io/images: |
- name: jenkins
image: jenkins/jenkins:2.414.3-jdk11
image: jenkins/jenkins:2.426.1-jdk11
- name: k8s-sidecar
image: kiwigrid/k8s-sidecar:1.24.4
- name: inbound-agent
@ -22,7 +22,7 @@ annotations:
catalog.cattle.io/kube-version: '>=1.14-0'
catalog.cattle.io/release-name: jenkins
apiVersion: v2
appVersion: 2.414.3
appVersion: 2.426.1
description: Jenkins - Build great things at any scale! The leading open source automation
server, Jenkins provides over 1800 plugins to support building, deploying and automating
any project.
@ -49,4 +49,4 @@ sources:
- https://github.com/jenkinsci/docker-inbound-agent
- https://github.com/maorfr/kube-tasks
- https://github.com/jenkinsci/configuration-as-code-plugin
version: 4.8.2
version: 4.8.3


@ -22,7 +22,7 @@ controller:
# Used for label app.kubernetes.io/component
componentName: "jenkins-controller"
image: "jenkins/jenkins"
# tag: "2.414.3-jdk11"
# tag: "2.426.1-jdk11"
tagLabel: jdk11
imagePullPolicy: "Always"
imagePullSecretName:


@ -1,5 +1,17 @@
# Changelog
## Unreleased
Nothing yet.
## 2.32.0
### Improvements
* Add new `deployment.hostname` value to make identifying instances in
controlplane/dataplane configurations easier.
[#943](https://github.com/Kong/charts/pull/943)
## 2.31.0
### Improvements


@ -18,4 +18,4 @@ maintainers:
name: kong
sources:
- https://github.com/Kong/charts/tree/main/charts/kong
version: 2.31.0
version: 2.32.0


@ -451,6 +451,11 @@ documentation on Service
DNS](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/)
for more detail.
If you use multiple Helm releases to manage different data plane configurations
attached to the same control plane, setting the `deployment.hostname` field
will help you keep track of which is which in the `/clustering/data-plane`
endpoint.
### Cert Manager Integration
By default, Kong will create self-signed certificates on start for its TLS
@ -508,9 +513,9 @@ event you need to recover from unintended CRD deletion.
### InitContainers
The chart is able to deploy initcontainers along with Kong. This can be very
The chart is able to deploy initContainers along with Kong. This can be very
useful when there's a requirement for custom initialization. The
`deployment.initcontainers` field in values.yaml takes an array of objects that
`deployment.initContainers` field in values.yaml takes an array of objects that
get appended as-is to the existing `spec.template.initContainers` array in the
kong deployment resource.
@ -853,6 +858,7 @@ On the Gateway release side, set either `admin.tls.client.secretName` to the nam
| deployment.minReadySeconds | Minimum number of seconds for which newly created pods should be ready without any of its container crashing, for it to be considered available. | |
| deployment.initContainers | Create initContainers. Please go to Kubernetes doc for the spec of the initContainers | |
| deployment.daemonset | Use a DaemonSet instead of a Deployment | `false` |
| deployment.hostname | Set the Deployment's `.spec.template.hostname`. Kong reports this as its hostname. | |
| deployment.hostNetwork | Enable hostNetwork, which binds to the ports to the host | `false` |
| deployment.userDefinedVolumes | Create volumes. Please go to Kubernetes doc for the spec of the volumes | |
| deployment.userDefinedVolumeMounts | Create volumeMounts. Please go to Kubernetes doc for the spec of the volumeMounts | |


@ -63,6 +63,9 @@ spec:
{{ include "kong.renderTpl" (dict "value" .Values.podLabels "context" $) | nindent 8 }}
{{- end }}
spec:
{{- if .Values.deployment.hostname }}
hostname: {{ .Values.deployment.hostname }}
{{- end }}
{{- if .Values.deployment.hostNetwork }}
hostNetwork: true
{{- end }}
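Review bot: `hostname: {{ .Values.deployment.hostname }}` renders the value unquoted, so a value that YAML types implicitly (`on`, `no`, an all-digit string) becomes a boolean or integer and the API server rejects the pod spec with a type error instead of a clear validation message; `hostname: {{ .Values.deployment.hostname | quote }}` keeps it a string. The enclosing pod spec continues outside the hunk.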


@ -60,6 +60,11 @@ deployment:
# Use a DaemonSet controller instead of a Deployment controller
daemonset: false
hostNetwork: false
# Set the Deployment's spec.template.hostname field.
# This propagates to Kong API endpoints that report
# the hostname, such as the admin API root and hybrid mode
# /clustering/data-planes endpoint
hostname: ""
# kong_prefix empty dir size
prefixDir:
sizeLimit: 256Mi
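Review bot: The `hostname` comment explains where the value shows up but not what is accepted: the pod spec field must be a valid DNS label (lowercase alphanumerics and `-`, at most 63 characters), which the API server enforces on create, so an over-long value fails only at apply time. Suggest appending `# Must be a valid DNS label (lowercase alphanumerics and '-', max 63 chars).` to the comment block.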
@ -976,7 +981,7 @@ serviceMonitor:
# If you wish to gather metrics from a Kong instance with the proxy disabled (such as a hybrid control plane), see:
# https://github.com/Kong/charts/blob/main/charts/kong/README.md#prometheus-operator-integration
enabled: false
# interval: 10s
# interval: 30s
# Specifies namespace, where ServiceMonitor should be installed
# namespace: monitoring
# labels:


@ -7,7 +7,7 @@ annotations:
catalog.cattle.io/featured: "1"
catalog.cattle.io/release-name: cost-analyzer
apiVersion: v2
appVersion: 1.107.0
appVersion: 1.107.1
dependencies:
- condition: global.grafana.enabled
name: grafana
@ -25,4 +25,4 @@ description: A Helm chart that sets up Kubecost, Prometheus, and Grafana to moni
cloud costs.
icon: https://partner-charts.rancher.io/assets/logos/kubecost.png
name: cost-analyzer
version: 1.107.0
version: 1.107.1


@ -99,3 +99,57 @@ Adjusting the log format changes the format in which the logs are output making
|--------|----------------------------------------------------------------------------------------------------------------------------|
| `JSON` | `{"level":"info","time":"2006-01-02T15:04:05.999999999Z07:00","message":"Starting cost-model (git commit \"1.91.0-rc.0\")"}` |
| `pretty` | `2006-01-02T15:04:05.999999999Z07:00 INF Starting cost-model (git commit "1.91.0-rc.0")` |
## Testing
To perform local testing do next:
- install locally [kind](https://github.com/kubernetes-sigs/kind) according to documentation.
- install locally [ct](https://github.com/helm/chart-testing) according to documentation.
- create local cluster using `kind` \
use image version from https://github.com/kubernetes-sigs/kind/releases e.g. `kindest/node:v1.25.11@sha256:227fa11ce74ea76a0474eeefb84cb75d8dad1b08638371ecf0e86259b35be0c8`
```shell
kind create cluster --image kindest/node:v1.25.11@sha256:227fa11ce74ea76a0474eeefb84cb75d8dad1b08638371ecf0e86259b35be0c8
```
- perform ct execution
```shell
ct install --chart-dirs="." --charts="."
```
- perform ct StatefulSet execution
```shell
# create multiple nodes kind config
cat > kind-config.yaml <<EOF
kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
nodes:
- role: control-plane
- role: worker
- role: worker
EOF
# creaet kind cluster with kind config
kind create cluster --name kubecost-statefulset --config kind-config.yaml --image kindest/node:v1.25.11@sha256:227fa11ce74ea76a0474eeefb84cb75d8dad1b08638371ecf0e86259b35be0c8
# deploy an object storage for our testing purpose (https://min.io/docs/minio/kubernetes/upstream/index.html)
curl --silent https://raw.githubusercontent.com/minio/docs/master/source/extra/examples/minio-dev.yaml | sed -e "s/kubealpha.local/kubecost-statefulset-worker/" -e "s%minio server /data%mkdir -p /data/kubecost; minio server /data%" | kubectl apply -f -
# create a headless service to the minio S3 API port
kubectl create service clusterip -n minio-dev minio --tcp=9000:9000 --clusterip="None"
# create our testing namespace
kubectl create namespace kubecost-statefulset
# create the bucket config
cat > etlBucketConfigSecret.yaml <<EOF
type: s3
config:
bucket: kubecost
endpoint: minio.minio-dev:9000
insecure: true
access_key: minioadmin
secret_key: minioadmin
EOF
# create the secret with the object-store.yaml
kubectl create secret generic -n kubecost-statefulset object-store --from-file=object-store.yaml=etlBucketConfigSecret.yaml
# start our chart-testing
ct install --namespace kubecost-statefulset --chart-dirs="." --charts="." --helm-extra-set-args="--set=global.prometheus.enabled=true --set=global.grafana.enabled=true --set=kubecostDeployment.leaderFollower.enabled=true --set=kubecostDeployment.statefulSet.enabled=true --set=kubecostDeployment.replicas=2 --set=kubecostModel.etlBucketConfigSecret=object-store"
# cleanup
kind delete cluster --name kubecost-statefulset
```


@ -242,6 +242,23 @@ app: aggregator
{{ include "etlUtils.selectorLabels" . }}
{{- end -}}
{{/*
Create the networkcosts common labels. Note that because this is a daemonset, we don't want app.kubernetes.io/instance: to take the release name, which allows the scrape config to be static.
*/}}
{{- define "networkcosts.commonLabels" -}}
app.kubernetes.io/instance: kubecost
app.kubernetes.io/name: network-costs
helm.sh/chart: {{ include "cost-analyzer.chart" . }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
app: {{ template "cost-analyzer.networkCostsName" . }}
{{- end -}}
{{- define "networkcosts.selectorLabels" -}}
app: {{ template "cost-analyzer.networkCostsName" . }}
{{- end }}
{{/*
{{- end -}}
{{/*
Create the selector labels.
*/}}
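Review bot: The lines right after the `networkcosts.selectorLabels` define — a `{{/*`, then `{{- end -}}`, then another `{{/*` — read like a leftover from an edit: the extra `end` matches no open block and only survives because it sits inside the comment the first `{{/*` opens, where the second `{{/*` becomes comment text. If my reading of the rendered sides is right, dropping those two lines so the header is just `{{/*` / `Create the selector labels.` / `*/}}` restores the file's convention and removes a trap for the next person who edits that comment.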


@ -3,6 +3,7 @@
{{- if not .Values.persistentVolume.dbExistingClaim -}}
{{- if .Values.persistentVolume.enabled -}}
{{- if .Values.persistentVolume.dbPVEnabled -}}
{{- if not (and .Values.kubecostDeployment.statefulSet.enabled .Values.kubecostDeployment.leaderFollower.enabled) -}}
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
@ -35,3 +36,4 @@ spec:
{{- end -}}
{{- end -}}
{{- end -}}
{{- end -}}


@ -1,7 +1,11 @@
{{- if and (not .Values.agent) (not .Values.cloudAgent) }}
{{- $nginxPort := int .Values.service.port | default 9090 -}}
apiVersion: apps/v1
{{- if and .Values.kubecostDeployment.statefulSet.enabled .Values.kubecostDeployment.leaderFollower.enabled }}
kind: StatefulSet
{{- else }}
kind: Deployment
{{- end }}
metadata:
name: {{ template "cost-analyzer.fullname" . }}
namespace: {{ .Release.Namespace }}
@ -17,6 +21,9 @@ metadata:
spec:
{{- if .Values.kubecostDeployment }}
replicas: {{ .Values.kubecostDeployment.replicas | default 1 }}
{{- end }}
{{- if and .Values.kubecostDeployment.statefulSet.enabled .Values.kubecostDeployment.leaderFollower.enabled }}
serviceName: {{ template "cost-analyzer.serviceName" . }}
{{- end }}
selector:
matchLabels:
@ -264,6 +271,7 @@ spec:
# Extra volume(s)
{{- toYaml .Values.extraVolumes | nindent 8 }}
{{- end }}
{{- if not (and .Values.kubecostDeployment.statefulSet.enabled .Values.kubecostDeployment.leaderFollower.enabled) }}
- name: persistent-configs
{{- if .Values.persistentVolume }}
{{- if .Values.persistentVolume.enabled }}
@ -280,7 +288,8 @@ spec:
persistentVolumeClaim:
claimName: {{ template "cost-analyzer.fullname" . }}
{{- end }}
{{- if and (.Values.kubecostModel.etlToDisk | default true) .Values.persistentVolume.dbPVEnabled }}
{{- end }}
{{- if and (.Values.kubecostModel.etlToDisk | default true) .Values.persistentVolume.dbPVEnabled (not (and .Values.kubecostDeployment.statefulSet.enabled .Values.kubecostDeployment.leaderFollower.enabled)) }}
- name: persistent-db
{{- if .Values.persistentVolume }}
{{- if .Values.persistentVolume.enabled }}
@ -1138,7 +1147,7 @@ spec:
{{- if .Values.kubecostFrontend.securityContext }}
securityContext:
{{- toYaml .Values.kubecostFrontend.securityContext | nindent 12 }}
{{- else if .Values.global.containerSecurityContext }}
{{- else if and .Values.global.containerSecurityContext (gt $nginxPort 1025) }}
securityContext:
{{- toYaml .Values.global.containerSecurityContext | nindent 12 }}
{{- end }}
@ -1212,4 +1221,39 @@ spec:
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- if and .Values.kubecostDeployment.statefulSet.enabled .Values.kubecostDeployment.leaderFollower.enabled }}
volumeClaimTemplates:
- metadata:
name: persistent-configs
spec:
accessModes:
- ReadWriteOnce
{{- if .Values.persistentVolume.storageClass }}
storageClassName: {{ .Values.persistentVolume.storageClass }}
{{ end }}
resources:
requests:
{{- if .Values.persistentVolume }}
storage: {{ .Values.persistentVolume.size }}
{{- else }}
storage: 32.0Gi
{{ end }}
{{- if and (.Values.kubecostModel.etlToDisk | default true) .Values.persistentVolume.dbPVEnabled }}
- metadata:
name: persistent-db
spec:
accessModes:
- ReadWriteOnce
{{- if .Values.persistentVolume.dbStorageClass }}
storageClassName: {{ .Values.persistentVolume.dbStorageClass }}
{{ end }}
resources:
requests:
{{- if .Values.persistentVolume }}
storage: {{ .Values.persistentVolume.dbSize }}
{{- else }}
storage: 32.0Gi
{{ end }}
{{- end }}
{{- end }}
{{- end }}
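Review bot: The frontend container now drops `global.containerSecurityContext` whenever `$nginxPort` is 1025 or below, presumably so nginx can bind a privileged port, but that silently discards every hardening field in that context (runAsNonRoot, capability drops and the rest) rather than only what binding needs, and the threshold is off: privileged ports are 0–1023, so 1024 and 1025 lose the context for no reason. `{{- else if and .Values.global.containerSecurityContext (ge $nginxPort 1024) }}` fixes the boundary; keeping the context and adding only `NET_BIND_SERVICE` for low ports would be the safer design, and either way a template comment explaining the branch is needed. In the new `volumeClaimTemplates`, `.Values.persistentVolume.storageClass` is read before the `if .Values.persistentVolume` guard a few lines below it, so that guard cannot do its job. The container block the `securityContext` belongs to starts outside the hunk.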


@ -16,11 +16,10 @@ metadata:
{{- end }}
{{- end }}
labels:
{{ unset (include "cost-analyzer.commonLabels" . | fromYaml) "app" | toYaml | nindent 4 }}
app: {{ template "cost-analyzer.networkCostsName" . }}
{{- if .Values.networkCosts.service.labels }}
{{ toYaml .Values.networkCosts.service.labels | indent 4 }}
{{- end }}
{{- include "networkcosts.commonLabels" . | nindent 4 }}
{{- if .Values.networkCosts.service.labels }}
{{ toYaml .Values.networkCosts.service.labels | nindent 4 }}
{{- end }}
spec:
clusterIP: None
ports:
@ -29,7 +28,7 @@ spec:
protocol: TCP
targetPort: {{ .Values.networkCosts.port | default 3001 }}
selector:
app: {{ template "cost-analyzer.networkCostsName" . }}
{{- include "networkcosts.selectorLabels" . | nindent 4 }}
type: ClusterIP
{{- end }}
{{- end }}


@ -6,10 +6,10 @@ metadata:
name: {{ template "cost-analyzer.networkCostsName" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "cost-analyzer.commonLabels" . | nindent 4 }}
{{- if .Values.networkCosts.additionalLabels }}
{{ toYaml .Values.networkCosts.additionalLabels | indent 4 }}
{{- end }}
{{- include "networkcosts.commonLabels" . | nindent 4 }}
{{- if .Values.networkCosts.additionalLabels }}
{{- toYaml .Values.networkCosts.additionalLabels | nindent 4 }}
{{- end }}
spec:
{{- if .Values.networkCosts.updateStrategy }}
updateStrategy:
@ -17,7 +17,7 @@ spec:
{{- end }}
selector:
matchLabels:
app: {{ template "cost-analyzer.networkCostsName" . }}
{{- include "networkcosts.selectorLabels" . | nindent 6 }}
template:
metadata:
{{- with .Values.networkCosts.annotations }}
@ -25,9 +25,9 @@ spec:
{{- toYaml . | nindent 8 }}
{{- end }}
labels:
app: {{ template "cost-analyzer.networkCostsName" . }}
{{- include "networkcosts.commonLabels" . | nindent 8 }}
{{- if .Values.networkCosts.additionalLabels }}
{{ toYaml .Values.networkCosts.additionalLabels | nindent 8 }}
{{- toYaml .Values.networkCosts.additionalLabels | nindent 8 }}
{{- end }}
spec:
{{- if .Values.imagePullSecrets }}
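Review bot: The DaemonSet `spec.selector.matchLabels` now comes from `networkcosts.selectorLabels`; as far as the hunk shows it still renders only `app: <network-costs name>`, so existing installs keep a matching selector, but that field is immutable and any key later added to the helper would make the upgrade fail with a selector mismatch. A comment at this include, or at the helper, recording that constraint would protect the next change, e.g. `{{- /* selector is immutable: keep networkcosts.selectorLabels stable across releases */ -}}`.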


@ -1,6 +1,7 @@
{{- if .Values.persistentVolume -}}
{{- if not .Values.persistentVolume.existingClaim -}}
{{- if .Values.persistentVolume.enabled -}}
{{- if not (and .Values.kubecostDeployment.statefulSet.enabled .Values.kubecostDeployment.leaderFollower.enabled) -}}
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
@ -31,3 +32,4 @@ spec:
{{- end -}}
{{- end -}}
{{- end -}}
{{- end -}}


@ -7,17 +7,31 @@ metadata:
annotations:
{{- include "kubecost.test.annotations" . | nindent 4 }}
spec:
serviceAccountName: {{ template "cost-analyzer.serviceAccountName" . }}
automountServiceAccountToken: false
restartPolicy: Never
securityContext:
seccompProfile:
type: RuntimeDefault
runAsNonRoot: true
runAsUser: 1000
runAsGroup: 3000
fsGroup: 2000
containers:
- name: test-kubecost
image: alpine/k8s:1.26.9
securityContext:
privileged: false
capabilities:
drop:
- ALL
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
command:
- /bin/sh
args:
- -c
- >-
svc=$(kubectl -n {{ .Release.Namespace }} get svc -l app.kubernetes.io/name=cost-analyzer -o json | jq -r .items[0].metadata.name);
svc="{{ .Release.Name }}-cost-analyzer";
echo Getting current Kubecost state.;
response=$(curl -sL http://${svc}:9090/model/getConfigs);
code=$(echo ${response} | jq .code);
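Review bot: The test now hardcodes `svc="{{ .Release.Name }}-cost-analyzer"` in place of the label lookup, which breaks whenever the chart name or fullname is overridden, since the deployment template names its resources through helpers (`cost-analyzer.fullname` and `cost-analyzer.serviceName` both appear elsewhere in this commit). Using the helper here, `svc="{{ template "cost-analyzer.serviceName" . }}"`, keeps the test in sync, assuming it yields the Service's metadata.name. Dropping kubectl is what made `automountServiceAccountToken: false` and the capability drops possible, which is a real hardening win; the pod still pulls `alpine/k8s`, a kubectl/helm toolbox, for curl and jq only, so a smaller image would shrink what ships in the test pod.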


@ -783,7 +783,7 @@ networkCosts:
enabled: false
podSecurityPolicy:
enabled: false
image: gcr.io/kubecost1/kubecost-network-costs:v0.17.0
image: gcr.io/kubecost1/kubecost-network-costs:v0.17.1
imagePullPolicy: Always
updateStrategy:
type: RollingUpdate
@ -896,9 +896,7 @@ networkCosts:
enabled: false
additionalLabels: {}
# match the default extraScrapeConfig
additionalLabels:
app.kubernetes.io/instance: kubecost
app.kubernetes.io/name: network-costs
additionalLabels: {}
nodeSelector: {}
annotations: {}
healthCheckProbes: {}
@ -921,6 +919,9 @@ networkCosts:
## Used for HA mode in Business & Enterprise tier
##
kubecostDeployment:
# Instead of a kubecost-analyzer Deployment, you can set it to be a StatefulSet as for volumeClaimTemplates usage and real stateful behaviour
statefulSet:
enabled: false
replicas: 1
leaderFollower:
enabled: false
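Review bot: The `# match the default extraScrapeConfig` comment is now stale: the two labels it referred to (`app.kubernetes.io/instance: kubecost`, `app.kubernetes.io/name: network-costs`) moved into the `networkcosts.commonLabels` helper in this commit and are applied unconditionally, so it should read e.g. `# app.kubernetes.io/instance and app.kubernetes.io/name are set by the networkcosts.commonLabels helper to match the default extraScrapeConfig; add only extra labels here`. If the two `additionalLabels: {}` lines sit at the same indentation after this change (the rendered view drops indentation, so I cannot tell), that is a duplicate key that most YAML loaders resolve last-wins and yamllint rejects. The new `statefulSet` comment also omits that the switch only takes effect together with `leaderFollower.enabled: true`, since the templates gate on both flags.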


@ -4,7 +4,7 @@ annotations:
catalog.cattle.io/namespace: kuma-system
catalog.cattle.io/release-name: kuma
apiVersion: v2
appVersion: 2.4.4
appVersion: 2.5.0
description: A Helm chart for the Kuma Control Plane
home: https://github.com/kumahq/kuma
icon: https://kuma.io/assets/images/brand/kuma-logo-new.svg
@ -20,4 +20,4 @@ maintainers:
name: nickolaev
name: kuma
type: application
version: 2.4.4
version: 2.5.0


@ -2,7 +2,7 @@
A Helm chart for the Kuma Control Plane
![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![Version: 2.4.4](https://img.shields.io/badge/Version-2.4.4-informational?style=flat-square) ![AppVersion: 2.4.4](https://img.shields.io/badge/AppVersion-2.4.4-informational?style=flat-square)
![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![Version: 2.5.0](https://img.shields.io/badge/Version-2.5.0-informational?style=flat-square) ![AppVersion: 2.5.0](https://img.shields.io/badge/AppVersion-2.5.0-informational?style=flat-square)
**Homepage:** <https://github.com/kumahq/kuma>
@ -17,6 +17,7 @@ A Helm chart for the Kuma Control Plane
| installCrdsOnUpgrade.enabled | bool | `true` | Whether install new CRDs before upgrade (if any were introduced with the new version of Kuma) |
| installCrdsOnUpgrade.imagePullSecrets | list | `[]` | The `imagePullSecrets` to attach to the Service Account running CRD installation. This field will be deprecated in a future release, please use .global.imagePullSecrets |
| noHelmHooks | bool | `false` | Whether to disable all helm hooks |
| restartOnSecretChange | bool | `true` | Whether to restart control-plane by calculating a new checksum for the secret |
| controlPlane.environment | string | `"kubernetes"` | Environment that control plane is run in, useful when running universal global control plane on k8s |
| controlPlane.extraLabels | object | `{}` | Labels to add to resources in addition to default labels |
| controlPlane.logLevel | string | `"info"` | Kuma CP log level: one of off,info,debug |
@ -25,7 +26,9 @@ A Helm chart for the Kuma Control Plane
| controlPlane.zone | string | `nil` | Kuma CP zone, if running multizone |
| controlPlane.kdsGlobalAddress | string | `""` | Only used in `zone` mode |
| controlPlane.replicas | int | `1` | Number of replicas of the Kuma CP. Ignored when autoscaling is enabled |
| controlPlane.podAnnotations | object | `{}` | Control Plane Pod Annotations |
| controlPlane.minReadySeconds | int | `0` | Minimum number of seconds for which a newly created pod should be ready for it to be considered available. |
| controlPlane.deploymentAnnotations | object | `{}` | Annotations applied only to the `Deployment` resource |
| controlPlane.podAnnotations | object | `{}` | Annotations applied only to the `Pod` resource |
| controlPlane.autoscaling.enabled | bool | `false` | Whether to enable Horizontal Pod Autoscaling, which requires the [Metrics Server](https://github.com/kubernetes-sigs/metrics-server) in the cluster |
| controlPlane.autoscaling.minReplicas | int | `2` | The minimum CP pods to allow |
| controlPlane.autoscaling.maxReplicas | int | `5` | The max CP pods to scale to |
@ -50,9 +53,11 @@ A Helm chart for the Kuma Control Plane
| controlPlane.ingress.annotations | object | `{}` | Map of ingress annotations. |
| controlPlane.ingress.path | string | `"/"` | Ingress path. |
| controlPlane.ingress.pathType | string | `"ImplementationSpecific"` | Each path in an Ingress is required to have a corresponding path type. (ImplementationSpecific/Exact/Prefix) |
| controlPlane.ingress.servicePort | int | `5681` | Port from kuma-cp to use to expose API and GUI. Switch to 5682 to expose TLS port |
| controlPlane.globalZoneSyncService.enabled | bool | `true` | Whether to create a k8s service for the global zone sync service. It will only be created when enabled and deploying the global control plane. |
| controlPlane.globalZoneSyncService.type | string | `"LoadBalancer"` | Service type of the Global-zone sync |
| controlPlane.globalZoneSyncService.loadBalancerIP | string | `nil` | Optionally specify IP to be used by cloud provider when configuring load balancer |
| controlPlane.globalZoneSyncService.loadBalancerSourceRanges | list | `[]` | Optionally specify allowed source ranges that can access the load balancer |
| controlPlane.globalZoneSyncService.annotations | object | `{}` | Additional annotations to put on the Global Zone Sync Service |
| controlPlane.globalZoneSyncService.nodePort | int | `30685` | Port on which Global Zone Sync Service is exposed on Node for service of type NodePort |
| controlPlane.globalZoneSyncService.port | int | `5685` | Port on which Global Zone Sync Service is exposed |
@ -75,6 +80,7 @@ A Helm chart for the Kuma Control Plane
| controlPlane.tls.kdsZoneClient.create | bool | `false` | Whether to create the TLS secret in helm. |
| controlPlane.tls.kdsZoneClient.cert | string | `""` | CA bundle that was used to sign the certificate of KDS Global Server. |
| controlPlane.tls.kdsZoneClient.skipVerify | bool | `false` | If true, TLS cert of the server is not verified. |
| controlPlane.serviceAccountAnnotations | object | `{}` | Annotations to add for Control Plane's Service Account |
| controlPlane.image.pullPolicy | string | `"IfNotPresent"` | Kuma CP ImagePullPolicy |
| controlPlane.image.repository | string | `"kuma-cp"` | Kuma CP image repository |
| controlPlane.image.tag | string | `nil` | Kuma CP Image tag. When not specified, the value is copied from global.tag |
@ -120,6 +126,7 @@ A Helm chart for the Kuma Control Plane
| ingress.extraLabels | object | `{}` | Labels to add to resources, in addition to default labels |
| ingress.drainTime | string | `"30s"` | Time for which old listener will still be active as draining |
| ingress.replicas | int | `1` | Number of replicas of the Ingress. Ignored when autoscaling is enabled. |
| ingress.logLevel | string | `"info"` | Log level for ingress (available values: off|info|debug) |
| ingress.resources | object | `{"limits":{"cpu":"1000m","memory":"512Mi"},"requests":{"cpu":"50m","memory":"64Mi"}}` | Define the resources to allocate to mesh ingress |
| ingress.lifecycle | object | `{}` | Pod lifecycle settings (useful for adding a preStop hook, when using AWS ALB or NLB) |
| ingress.terminationGracePeriodSeconds | int | `40` | Number of seconds to wait before force killing the pod. Make sure to update this if you add a preStop hook. |
@ -144,10 +151,13 @@ A Helm chart for the Kuma Control Plane
| ingress.topologySpreadConstraints | string | `nil` | Topology spread constraints rule for the Kuma Mesh Ingress pods. This is rendered as a template, so you can use variables to generate match labels. |
| ingress.podSecurityContext | object | `{"runAsGroup":5678,"runAsNonRoot":true,"runAsUser":5678}` | Security context at the pod level for ingress |
| ingress.containerSecurityContext | object | `{"readOnlyRootFilesystem":true}` | Security context at the container level for ingress |
| ingress.serviceAccountAnnotations | object | `{}` | Annotations to add for Control Plane's Service Account |
| ingress.automountServiceAccountToken | bool | `true` | Whether to automountServiceAccountToken for cp. Optionally set to false |
| egress.enabled | bool | `false` | If true, it deploys Egress for cross cluster communication |
| egress.extraLabels | object | `{}` | Labels to add to resources, in addition to the default labels. |
| egress.drainTime | string | `"30s"` | Time for which old listener will still be active as draining |
| egress.replicas | int | `1` | Number of replicas of the Egress. Ignored when autoscaling is enabled. |
| egress.logLevel | string | `"info"` | Log level for egress (available values: off|info|debug) |
| egress.autoscaling.enabled | bool | `false` | Whether to enable Horizontal Pod Autoscaling, which requires the [Metrics Server](https://github.com/kubernetes-sigs/metrics-server) in the cluster |
| egress.autoscaling.minReplicas | int | `2` | The minimum CP pods to allow |
| egress.autoscaling.maxReplicas | int | `5` | The max CP pods to scale to |
@ -173,11 +183,13 @@ A Helm chart for the Kuma Control Plane
| egress.topologySpreadConstraints | string | `nil` | Topology spread constraints rule for the Kuma Egress pods. This is rendered as a template, so you can use variables to generate match labels. |
| egress.podSecurityContext | object | `{"runAsGroup":5678,"runAsNonRoot":true,"runAsUser":5678}` | Security context at the pod level for egress |
| egress.containerSecurityContext | object | `{"readOnlyRootFilesystem":true}` | Security context at the container level for egress |
| egress.serviceAccountAnnotations | object | `{}` | Annotations to add for Control Plane's Service Account |
| egress.automountServiceAccountToken | bool | `true` | Whether to automountServiceAccountToken for cp. Optionally set to false |
| kumactl.image.repository | string | `"kumactl"` | The kumactl image repository |
| kumactl.image.tag | string | `nil` | The kumactl image tag. When not specified, the value is copied from global.tag |
| kubectl.image.registry | string | `"kumahq"` | The kubectl image registry |
| kubectl.image.repository | string | `"kubectl"` | The kubectl image repository |
| kubectl.image.tag | string | `"v1.20.15"` | The kubectl image tag |
| kubectl.image.registry | string | `"docker.io"` | The kubectl image registry |
| kubectl.image.repository | string | `"bitnami/kubectl"` | The kubectl image repository |
| kubectl.image.tag | string | `"1.27.5"` | The kubectl image tag |
| hooks.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node selector for the HELM hooks |
| hooks.tolerations | list | `[]` | Tolerations for the HELM hooks |
| hooks.podSecurityContext | object | `{"runAsNonRoot":true}` | Security context at the pod level for crd/webhook/ns |
@ -192,12 +204,7 @@ A Helm chart for the Kuma Control Plane
| experimental.ebpf.cgroupPath | string | `"/sys/fs/cgroup"` | Host's cgroup2 path |
| experimental.ebpf.tcAttachIface | string | `""` | Name of the network interface which TC programs should be attached to, we'll try to automatically determine it if empty |
| experimental.ebpf.programsSourcePath | string | `"/kuma/ebpf"` | Path where compiled eBPF programs which will be installed can be found |
| experimental.deltaKds | bool | `false` | If true, it uses new API for resource synchronization |
| legacy.transparentProxy | bool | `false` | If true, use the legacy transparent proxy engine |
| legacy.cni.enabled | bool | `false` | If true, it installs legacy version of the CNI |
| legacy.cni.image.registry | string | `"docker.io/kumahq"` | CNI v1 image registry |
| legacy.cni.image.repository | string | `"install-cni"` | CNI v1 image repository |
| legacy.cni.image.tag | string | `"0.0.10"` | CNI v1 image tag |
| experimental.deltaKds | bool | `true` | If false, it uses legacy API for resource synchronization |
| postgres.port | string | `"5432"` | Postgres port, password should be provided as a secret reference in "controlPlane.secrets" with the Env value "KUMA_STORE_POSTGRES_PASSWORD". Example: controlPlane: secrets: - Secret: postgres-postgresql Key: postgresql-password Env: KUMA_STORE_POSTGRES_PASSWORD |
| postgres.tls.mode | string | `"disable"` | Mode of TLS connection. Available values are: "disable", "verifyNone", "verifyCa", "verifyFull" |
| postgres.tls.disableSSLSNI | bool | `false` | Whether to disable SNI the postgres `sslsni` option. |


@ -374,11 +374,112 @@ spec:
description: LocalityAwareness contains configuration for
locality aware load balancing.
properties:
crossZone:
description: CrossZone defines locality aware load balancing
priorities when dataplane proxies inside local zone
are unavailable
properties:
failover:
description: Failover defines list of load balancing
rules in order of priority
items:
properties:
from:
description: From defines the list of zones
to which the rule applies
properties:
zones:
items:
type: string
type: array
required:
- zones
type: object
to:
description: To defines to which zones the
traffic should be load balanced
properties:
type:
description: Type defines how target zones
will be picked from available zones
enum:
- None
- Only
- Any
- AnyExcept
type: string
zones:
items:
type: string
type: array
required:
- type
type: object
required:
- to
type: object
type: array
failoverThreshold:
description: 'FailoverThreshold defines the percentage
of live destination dataplane proxies below which
load balancing to the next priority starts. Example:
If you configure failoverThreshold to 70, and
you have deployed 10 destination dataplane proxies.
Load balancing to next priority will start when
number of live destination dataplane proxies drops
below 7. Default 50'
properties:
percentage:
anyOf:
- type: integer
- type: string
x-kubernetes-int-or-string: true
required:
- percentage
type: object
type: object
disabled:
description: Disabled allows to disable locality-aware
load balancing. When disabled requests are distributed
across all endpoints regardless of locality.
type: boolean
localZone:
description: LocalZone defines locality aware load balancing
priorities between dataplane proxies inside a zone
properties:
affinityTags:
description: AffinityTags list of tags for local
zone load balancing.
items:
properties:
key:
description: Key defines tag for which affinity
is configured
type: string
weight:
description: 'Weight of the tag used for load
balancing. The bigger the weight the bigger
the priority. Percentage of local traffic
load balanced to tag is computed by dividing
weight by sum of weights from all tags.
For example with two affinity tags first
with weight 80 and second with weight 20,
then 80% of traffic will be redirected to
the first tag, and 20% of traffic will be
redirected to second one. Setting weights
is not mandatory. When weights are not set
control plane will compute default weight
based on list order. Default: If you do
not specify weight we will adjust them so
that 90% traffic goes to first tag, 9% to
next, and 1% to third and so on.'
format: int32
type: integer
required:
- key
type: object
type: array
type: object
type: object
type: object
targetRef:


@ -1,4 +1,6 @@
The Kuma Control Plane has been installed!
{{ .Chart.Name }} has been installed!
Your release is named '{{ .Release.Name }}'.
You can access the control-plane via either the GUI, kubectl, the HTTP API, or the kumactl CLI.
{{- if .Values.noHelmHooks }}


@ -111,6 +111,15 @@ app: {{ include "kuma.name" . }}-control-plane
{{ include "kuma.labels" . }}
{{- end }}
{{/*
control plane deployment annotations
*/}}
{{- define "kuma.cpDeploymentAnnotations" -}}
{{- range $key, $value := $.Values.controlPlane.deploymentAnnotations }}
{{ $key | quote }}: {{ $value | quote }}
{{- end }}
{{- end }}
{{/*
ingress labels
*/}}
@ -176,42 +185,6 @@ returns: formatted image string
{{- end -}}
{{- define "kuma.defaultEnv" -}}
{{ if (and (eq .Values.controlPlane.environment "universal") (not (eq .Values.controlPlane.mode "global"))) }}
{{ fail "Currently you can only run universal mode on kubernetes in a global mode, this limitation might be lifted in the future" }}
{{ end }}
{{ if not (or (eq .Values.controlPlane.mode "zone") (eq .Values.controlPlane.mode "global") (eq .Values.controlPlane.mode "standalone")) }}
{{ $msg := printf "controlPlane.mode invalid got:'%s' supported values: global,zone,standalone" .Values.controlPlane.mode }}
{{ fail $msg }}
{{ end }}
{{ if eq .Values.controlPlane.mode "zone" }}
{{ if empty .Values.controlPlane.zone }}
{{ fail "Can't have controlPlane.zone to be empty when controlPlane.mode=='zone'" }}
{{ else }}
{{ if gt (len .Values.controlPlane.zone) 253 }}
{{ fail "controlPlane.zone must be no more than 253 characters" }}
{{ else }}
{{ if not (regexMatch "^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" .Values.controlPlane.zone) }}
{{ fail "controlPlane.zone must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character" }}
{{ end }}
{{ end }}
{{ end }}
{{ if empty .Values.controlPlane.kdsGlobalAddress }}
{{ fail "controlPlane.kdsGlobalAddress can't be empty when controlPlane.mode=='zone', needs to be the global control-plane address" }}
{{ else }}
{{ $url := urlParse .Values.controlPlane.kdsGlobalAddress }}
{{ if not (or (eq $url.scheme "grpcs") (eq $url.scheme "grpc")) }}
{{ $msg := printf "controlPlane.kdsGlobalAddress must be a url with scheme grpcs:// or grpc:// got:'%s'" .Values.controlPlane.kdsGlobalAddress }}
{{ fail $msg }}
{{ end }}
{{ end }}
{{ else }}
{{ if not (empty .Values.controlPlane.zone) }}
{{ fail "Can't specify a controlPlane.zone when controlPlane.mode!='zone'" }}
{{ end }}
{{ if not (empty .Values.controlPlane.kdsGlobalAddress) }}
{{ fail "Can't specify a controlPlane.kdsGlobalAddress when controlPlane.mode!='zone'" }}
{{ end }}
{{ end }}
env:
{{ include "kuma.parentEnv" . }}
- name: KUMA_ENVIRONMENT
@ -282,16 +255,12 @@ env:
- name: KUMA_EXPERIMENTAL_GATEWAY_API
value: "true"
{{- end }}
{{- if and .Values.cni.enabled (not .Values.legacy.cni.enabled) }}
{{- if .Values.cni.enabled }}
- name: KUMA_RUNTIME_KUBERNETES_NODE_TAINT_CONTROLLER_ENABLED
value: "true"
- name: KUMA_RUNTIME_KUBERNETES_NODE_TAINT_CONTROLLER_CNI_APP
value: "{{ include "kuma.name" . }}-cni"
{{- end }}
{{- if .Values.legacy.transparentProxy }}
- name: KUMA_RUNTIME_KUBERNETES_INJECTOR_TRANSPARENT_PROXY_V1
value: "true"
{{- end }}
{{- if .Values.experimental.ebpf.enabled }}
- name: KUMA_RUNTIME_KUBERNETES_INJECTOR_EBPF_ENABLED
value: "true"
@ -306,9 +275,9 @@ env:
- name: KUMA_RUNTIME_KUBERNETES_INJECTOR_EBPF_PROGRAMS_SOURCE_PATH
value: {{ .Values.experimental.ebpf.programsSourcePath }}
{{- end }}
{{- if .Values.experimental.deltaKds }}
{{- if not .Values.experimental.deltaKds }}
- name: KUMA_EXPERIMENTAL_KDS_DELTA_ENABLED
value: "true"
value: "false"
{{- end }}
{{- if .Values.controlPlane.tls.kdsZoneClient.skipVerify }}
- name: KUMA_MULTIZONE_ZONE_KDS_TLS_SKIP_VERIFY
@ -321,6 +290,15 @@ env:
{{- end }}
{{- define "kuma.universal.defaultEnv" -}}
{{ if eq .Values.controlPlane.mode "zone" }}
{{ if .Values.ingress.enabled }}
{{ fail "Can't have ingress.enabled when running controlPlane.mode=='universal'" }}
{{ end }}
{{ if .Values.egress.enabled }}
{{ fail "Can't have egress.enabled when running controlPlane.mode=='universal'" }}
{{ end }}
{{ end }}
env:
- name: KUMA_GENERAL_WORK_DIR
value: "/tmp/kuma"
@ -332,8 +310,34 @@ env:
value: "{{ .Values.postgres.port }}"
- name: KUMA_DEFAULTS_SKIP_MESH_CREATION
value: {{ .Values.controlPlane.defaults.skipMeshCreation | quote }}
{{ if and (eq .Values.controlPlane.mode "zone") .Values.controlPlane.tls.general.secretName }}
- name: KUMA_GENERAL_TLS_CERT_FILE
value: /var/run/secrets/kuma.io/tls-cert/tls.crt
- name: KUMA_GENERAL_TLS_KEY_FILE
value: /var/run/secrets/kuma.io/tls-cert/tls.key
{{ end }}
- name: KUMA_MODE
value: "global"
value: {{ .Values.controlPlane.mode | quote }}
{{- if eq .Values.controlPlane.mode "zone" }}
- name: KUMA_MULTIZONE_ZONE_GLOBAL_ADDRESS
value: {{ .Values.controlPlane.kdsGlobalAddress }}
{{- end }}
{{- if .Values.controlPlane.zone }}
- name: KUMA_MULTIZONE_ZONE_NAME
value: {{ .Values.controlPlane.zone | quote }}
{{- end }}
{{- if and (eq .Values.controlPlane.mode "zone") (or .Values.controlPlane.tls.kdsZoneClient.secretName .Values.controlPlane.tls.kdsZoneClient.create) }}
- name: KUMA_MULTIZONE_ZONE_KDS_ROOT_CA_FILE
value: /var/run/secrets/kuma.io/kds-client-tls-cert/ca.crt
{{- end }}
{{- if not .Values.experimental.deltaKds }}
- name: KUMA_EXPERIMENTAL_KDS_DELTA_ENABLED
value: "false"
{{- end }}
{{- if .Values.controlPlane.tls.kdsZoneClient.skipVerify }}
- name: KUMA_MULTIZONE_ZONE_KDS_TLS_SKIP_VERIFY
value: "true"
{{- end }}
{{- if .Values.controlPlane.tls.apiServer.secretName }}
- name: KUMA_API_SERVER_HTTPS_TLS_CERT_FILE
value: /var/run/secrets/kuma.io/api-server-tls-cert/tls.crt
@ -372,17 +376,3 @@ env:
{{- end }}
{{- end }}
{{- end }}
{{/*
params: { image: { registry?, repository, tag? }, root: $ }
returns: formatted image string
*/}}
{{- define "kubectl.formatImage" -}}
{{- $img := .image }}
{{- $tag := .tag }}
{{- $root := .root }}
{{- $registry := ($img.registry | default $root.Values.kubectl.image.registry) -}}
{{- $repo := ($img.repository | default $root.Values.kubectl.image.repository) -}}
{{- $imageTag := ($tag | default $root.Values.kubectl.image.tag) -}}
{{- printf "%s/%s:%s" $registry $repo $imageTag -}}
{{- end -}}
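Review bot: The two failure messages added to `kuma.universal.defaultEnv` say `controlPlane.mode=='universal'`, but the guard is `{{ if eq .Values.controlPlane.mode "zone" }}` inside the universal-environment helper, and "universal" is a value of `controlPlane.environment`, not of `controlPlane.mode`, so the operator is pointed at the wrong setting. Suggest `{{ fail "Can't have ingress.enabled when controlPlane.environment=='universal' and controlPlane.mode=='zone'" }}` and the matching wording for egress. Separately, `KUMA_MULTIZONE_ZONE_GLOBAL_ADDRESS` is emitted as `value: {{ .Values.controlPlane.kdsGlobalAddress }}` unquoted while the neighbouring `KUMA_MULTIZONE_ZONE_NAME` uses `| quote`; a URL happens to be a safe plain scalar, but `| quote` keeps the env value a string whatever the user supplies. `kuma.defaultEnv` continues outside the hunk.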


@ -3,7 +3,7 @@ kind: ConfigMap
apiVersion: v1
metadata:
name: {{ include "kuma.name" . }}-cni-config
namespace: kube-system
namespace: {{ .Values.cni.namespace }}
labels: {{ include "kuma.cniLabels" . | nindent 4 }}
data:
# The CNI network configuration to add to the plugin chain on each node.


@ -55,9 +55,9 @@ spec:
{{- toYaml .Values.cni.podSecurityContext | trim | nindent 8 }}
containers:
- name: install-cni
{{- if not .Values.legacy.cni.enabled }}
image: {{ include "kuma.formatImage" (dict "image" .Values.cni.image "root" $) | quote }}
imagePullPolicy: {{ .Values.cni.image.imagePullPolicy }}
{{- if not .Values.experimental.ebpf.enabled }}
image: {{ include "kuma.formatImage" (dict "image" .Values.cni.image "root" $) | quote }}
readinessProbe:
initialDelaySeconds: {{ .Values.cni.delayStartupSeconds }}
exec:
@ -66,11 +66,10 @@ spec:
- /tmp/ready
command: [ "sh", "-c", "--" ]
args: [ "sleep {{.Values.cni.delayStartupSeconds}} && exec /install-cni" ]
{{- else if .Values.experimental.ebpf.enabled }}
{{- else }}
{{- with .Values.cni.experimental.imageEbpf }}
image: {{ printf "%s/%s:%s" .registry .repository .tag | quote }}
{{- end }}
imagePullPolicy: {{ .Values.cni.image.imagePullPolicy }}
args:
- /app/mbctl
- --mode=kuma
@ -86,11 +85,6 @@ spec:
- make
- --keep-going
- clean
{{- else }}
image: {{ include "kuma.formatImage" (dict "image" .Values.legacy.cni.image "root" $) | quote }}
imagePullPolicy: {{ .Values.cni.image.imagePullPolicy }}
command: [ "/bin/sh", "-c", "--" ]
args: [ "sleep {{.Values.cni.delayStartupSeconds}} && exec /install-cni.sh" ]
{{- end }}
securityContext:
{{- toYaml .Values.cni.containerSecurityContext | trim | nindent 12 }}
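Review bot: In the eBPF branch, `{{- with .Values.cni.experimental.imageEbpf }}` emits no `image:` line at all when that map is unset, so a misconfiguration only surfaces as a generic container validation error at apply time; `image: {{ printf "%s/%s:%s" (required "cni.experimental.imageEbpf.registry is required" .registry) .repository .tag | quote }}` (or a `required` on the map itself) turns it into a rendering-time message. The non-eBPF branch goes through `kuma.formatImage` while this one formats the reference by hand, so any registry-override or digest handling that helper provides would not apply here — worth confirming against the helper. The container spec continues outside the hunk.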


@ -3,7 +3,7 @@ apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "kuma.name" . }}-cni
namespace: kube-system
namespace: {{ .Values.cni.namespace }}
labels: {{ include "kuma.cniLabels" . | nindent 4 }}
{{- with .Values.global.imagePullSecrets }}
imagePullSecrets:


@ -14,6 +14,40 @@
{{ end }}
{{ end }}
{{ if not (or (eq .Values.controlPlane.mode "zone") (eq .Values.controlPlane.mode "global") (eq .Values.controlPlane.mode "standalone")) }}
{{ $msg := printf "controlPlane.mode invalid got:'%s' supported values: global,zone,standalone" .Values.controlPlane.mode }}
{{ fail $msg }}
{{ end }}
{{ if eq .Values.controlPlane.mode "zone" }}
{{ if empty .Values.controlPlane.zone }}
{{ fail "Can't have controlPlane.zone to be empty when controlPlane.mode=='zone'" }}
{{ else }}
{{ if gt (len .Values.controlPlane.zone) 253 }}
{{ fail "controlPlane.zone must be no more than 253 characters" }}
{{ else }}
{{ if not (regexMatch "^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" .Values.controlPlane.zone) }}
{{ fail "controlPlane.zone must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character" }}
{{ end }}
{{ end }}
{{ end }}
{{ if empty .Values.controlPlane.kdsGlobalAddress }}
{{ fail "controlPlane.kdsGlobalAddress can't be empty when controlPlane.mode=='zone', needs to be the global control-plane address" }}
{{ else }}
{{ $url := urlParse .Values.controlPlane.kdsGlobalAddress }}
{{ if not (or (eq $url.scheme "grpcs") (eq $url.scheme "grpc")) }}
{{ $msg := printf "controlPlane.kdsGlobalAddress must be a url with scheme grpcs:// or grpc:// got:'%s'" .Values.controlPlane.kdsGlobalAddress }}
{{ fail $msg }}
{{ end }}
{{ end }}
{{ else }}
{{ if not (empty .Values.controlPlane.zone) }}
{{ fail "Can't specify a controlPlane.zone when controlPlane.mode!='zone'" }}
{{ end }}
{{ if not (empty .Values.controlPlane.kdsGlobalAddress) }}
{{ fail "Can't specify a controlPlane.kdsGlobalAddress when controlPlane.mode!='zone'" }}
{{ end }}
{{ end }}
{{- $defaultEnv := include "kuma.defaultEnv" . | fromYaml | pluck "env" | first }}
{{- if eq .Values.controlPlane.environment "universal" }}
{{- $defaultEnv = include "kuma.universal.defaultEnv" . | fromYaml | pluck "env" | first }}
@ -35,10 +69,12 @@ metadata:
name: {{ include "kuma.name" . }}-control-plane
namespace: {{ .Release.Namespace }}
labels: {{ include "kuma.cpLabels" . | nindent 4 }}
annotations: {{ include "kuma.cpDeploymentAnnotations" . | nindent 4 }}
spec:
{{- if not .Values.controlPlane.autoscaling.enabled }}
replicas: {{ .Values.controlPlane.replicas }}
{{- end }}
minReadySeconds: {{ .Values.controlPlane.minReadySeconds }}
strategy:
rollingUpdate:
maxSurge: 1
@ -51,7 +87,9 @@ spec:
metadata:
annotations:
checksum/config: {{ include (print $.Template.BasePath "/cp-configmap.yaml") . | sha256sum }}
{{- if .Values.restartOnSecretChange }}
checksum/tls-secrets: {{ include (print $.Template.BasePath "/cp-webhooks-and-secrets.yaml") . | sha256sum }}
{{- end }}
{{- range $key, $value := $.Values.controlPlane.podAnnotations }}
{{ $key }}: {{ $value | quote }}
{{- end }}
@ -199,6 +237,22 @@ spec:
mountPath: /var/run/secrets/kuma.io/tls-cert/ca.crt
subPath: ca.crt
readOnly: true
{{- end }}
{{- if and (eq .Values.controlPlane.environment "universal") (eq .Values.controlPlane.mode "zone") }}
{{- if .Values.controlPlane.tls.general.secretName }}
- name: general-tls-cert
mountPath: /var/run/secrets/kuma.io/tls-cert/tls.crt
subPath: tls.crt
readOnly: true
- name: general-tls-cert
mountPath: /var/run/secrets/kuma.io/tls-cert/tls.key
subPath: tls.key
readOnly: true
- name: general-tls-cert{{- if .Values.controlPlane.tls.general.caSecretName }}-ca{{- end }}
mountPath: /var/run/secrets/kuma.io/tls-cert/ca.crt
subPath: ca.crt
readOnly: true
{{- end }}
{{- end }}
- name: {{ include "kuma.name" . }}-control-plane-config
mountPath: /etc/kuma.io/kuma-control-plane
@ -288,6 +342,18 @@ spec:
secret:
secretName: {{ .Values.controlPlane.tls.general.caSecretName }}
{{- end }}
{{- end }}
{{- if and (eq .Values.controlPlane.environment "universal") (eq .Values.controlPlane.mode "zone") }}
{{- if .Values.controlPlane.tls.general.secretName }}
- name: general-tls-cert
secret:
secretName: {{ .Values.controlPlane.tls.general.secretName }}
{{- end }}
{{- if .Values.controlPlane.tls.general.caSecretName }}
- name: general-tls-cert-ca
secret:
secretName: {{ .Values.controlPlane.tls.general.caSecretName }}
{{- end }}
{{- end }}
{{- if .Values.controlPlane.tls.apiServer.secretName }}
- name: api-server-tls-cert
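Review bot: `annotations: {{ include "kuma.cpDeploymentAnnotations" . | nindent 4 }}` renders a bare `annotations:` (a null map) whenever `controlPlane.deploymentAnnotations` is empty, which is its default in values.yaml; wrapping it as `{{- with .Values.controlPlane.deploymentAnnotations }}` / `annotations: {{ include "kuma.cpDeploymentAnnotations" $ | nindent 4 }}` / `{{- end }}` keeps the rendered object minimal and avoids spurious diffs against the live resource. The universal/zone `general-tls-cert` mounts build the volume name inline with `general-tls-cert{{- if .Values.controlPlane.tls.general.caSecretName }}-ca{{- end }}`, which is hard to read next to the volumes block; assigning it to a variable once and using it in both places would make the secret-to-mount pairing obvious. The template starts outside the first hunk.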


@ -14,6 +14,12 @@ spec:
{{- if .Values.controlPlane.globalZoneSyncService.loadBalancerIP }}
loadBalancerIP: {{ .Values.controlPlane.globalZoneSyncService.loadBalancerIP }}
{{- end }}
{{- if .Values.controlPlane.globalZoneSyncService.loadBalancerSourceRanges }}
loadBalancerSourceRanges:
{{- range .Values.controlPlane.globalZoneSyncService.loadBalancerSourceRanges }}
- {{.}}
{{- end }}
{{- end }}
ports:
- port: {{ .Values.controlPlane.globalZoneSyncService.port }}
appProtocol: {{ .Values.controlPlane.globalZoneSyncService.protocol }}
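Review bot: The `loadBalancerSourceRanges` entries are written with `- {{.}}` unquoted inside a `range` loop; `{{- toYaml .Values.controlPlane.globalZoneSyncService.loadBalancerSourceRanges | nindent N }}` (with the indent this list needs) replaces the loop and quotes each CIDR. Since the values default is `[]`, the global zone sync LoadBalancer stays reachable from any source the cloud provider allows unless an operator sets this; the values comment would benefit from saying that explicitly, e.g. `# -- Source CIDRs allowed to reach the load balancer; empty means no restriction`. The Service starts outside the hunk.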


@ -21,5 +21,5 @@ spec:
service:
name: {{ include "kuma.controlPlane.serviceName" . }}
port:
number: 5681
number: {{ .Values.controlPlane.ingress.servicePort }}
{{- end }}


@ -4,6 +4,10 @@ metadata:
name: {{ include "kuma.name" . }}-control-plane
namespace: {{ .Release.Namespace }}
labels: {{ include "kuma.cpLabels" . | nindent 4 }}
{{- with .Values.controlPlane.serviceAccountAnnotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.global.imagePullSecrets }}
imagePullSecrets:
{{- range . }}
@ -192,7 +196,6 @@ rules:
- get
- list
- watch
{{- if not .Values.legacy.cni.enabled }}
- apiGroups:
- ""
resources:
@ -206,7 +209,6 @@ rules:
verbs:
- list
{{- end }}
{{- end }}
# validate k8s token before issuing mTLS cert
- apiGroups:
- authentication.k8s.io
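Review bot: Dropping `{{- if not .Values.legacy.cni.enabled }}` leaves the rule starting at `- apiGroups: - ""` guarded only by the outer condition whose `{{- end }}` remains at the end of the second hunk; that condition is not visible here, so it is worth confirming it is `.Values.cni.enabled` — otherwise the control-plane service account now receives these `list` permissions even when no CNI is deployed. A short comment above the rule naming the condition it depends on, e.g. `# node taint controller needs this only when the CNI is deployed`, would make the least-privilege intent checkable. The ClusterRole starts outside the hunks.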


@ -58,6 +58,11 @@ webhooks:
- name: mesh.defaulter.kuma-admission.kuma.io
admissionReviewVersions: ["v1"]
failurePolicy: Fail
namespaceSelector:
matchExpressions:
- key: kubernetes.io/metadata.name
operator: NotIn
values: ["kube-system"]
clientConfig:
caBundle: {{ $caBundle }}
service:
@ -81,6 +86,11 @@ webhooks:
- name: owner-reference.kuma-admission.kuma.io
admissionReviewVersions: ["v1"]
failurePolicy: Fail
namespaceSelector:
matchExpressions:
- key: kubernetes.io/metadata.name
operator: NotIn
values: ["kube-system"]
clientConfig:
caBundle: {{ $caBundle }}
service:
@ -120,8 +130,13 @@ webhooks:
admissionReviewVersions: ["v1"]
failurePolicy: {{ .Values.controlPlane.injectorFailurePolicy }}
namespaceSelector:
matchLabels:
kuma.io/sidecar-injection: enabled
matchExpressions:
- key: kubernetes.io/metadata.name
operator: NotIn
values: ["kube-system"]
- key: kuma.io/sidecar-injection
operator: In
values: ["enabled"]
clientConfig:
caBundle: {{ $caBundle }}
service:
@ -141,6 +156,11 @@ webhooks:
- name: pods-kuma-injector.kuma.io
admissionReviewVersions: ["v1"]
failurePolicy: {{ .Values.controlPlane.injectorFailurePolicy }}
namespaceSelector:
matchExpressions:
- key: kubernetes.io/metadata.name
operator: NotIn
values: ["kube-system"]
objectSelector:
matchLabels:
kuma.io/sidecar-injection: enabled
@ -163,6 +183,11 @@ webhooks:
- name: kuma-injector.kuma.io
admissionReviewVersions: ["v1"]
failurePolicy: Ignore {{/* Failure policy is hardcoded as Ignore because any other mode will cause CP to be unable to start after all instances are down */}}
namespaceSelector:
matchExpressions:
- key: kubernetes.io/metadata.name
operator: NotIn
values: ["kube-system"]
clientConfig:
caBundle: {{ $caBundle }}
service:
@ -191,6 +216,11 @@ webhooks:
- name: validator.kuma-admission.kuma.io
admissionReviewVersions: ["v1"]
failurePolicy: Fail
namespaceSelector:
matchExpressions:
- key: kubernetes.io/metadata.name
operator: NotIn
values: ["kube-system"]
clientConfig:
caBundle: {{ $caBundle }}
service:
@ -235,6 +265,11 @@ webhooks:
- name: service.validator.kuma-admission.kuma.io
admissionReviewVersions: ["v1"]
failurePolicy: Ignore
namespaceSelector:
matchExpressions:
- key: kubernetes.io/metadata.name
operator: NotIn
values: ["kube-system"]
clientConfig:
caBundle: {{ $caBundle }}
service:
@ -280,6 +315,11 @@ webhooks:
- name: gateway.validator.kuma-admission.kuma.io
admissionReviewVersions: ["v1"]
failurePolicy: Ignore
namespaceSelector:
matchExpressions:
- key: kubernetes.io/metadata.name
operator: NotIn
values: ["kube-system"]
clientConfig:
caBundle: {{ $caBundle }}
service:
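Review bot: The five-line `namespaceSelector` / `matchExpressions` / `kubernetes.io/metadata.name NotIn ["kube-system"]` block is pasted into eight webhooks in this file, and the injector webhook carries a second expression after it; a named template for the shared expression keeps the excluded namespace list in one place, and a values entry could later make it configurable without touching every webhook. Keeping the `failurePolicy: Fail` webhooks off kube-system objects is worth a one-line comment on the helper so the next maintainer does not remove it. The sketch below would live in `_helpers.tpl`, with each webhook using it under `matchExpressions:`.

```yaml
{{/* matchExpressions entry that keeps the admission webhooks away from kube-system */}}
{{- define "kuma.webhookExcludeSystemNamespaces" -}}
- key: kubernetes.io/metadata.name
  operator: NotIn
  values: ["kube-system"]
{{- end }}
# … in each webhook (the injector keeps its kuma.io/sidecar-injection entry below this):
      namespaceSelector:
        matchExpressions:
          {{- include "kuma.webhookExcludeSystemNamespaces" . | nindent 10 }}
```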


@ -36,6 +36,7 @@ spec:
securityContext:
{{- toYaml .Values.egress.podSecurityContext | trim | nindent 8 }}
serviceAccountName: {{ include "kuma.name" . }}-egress
automountServiceAccountToken: {{ .Values.egress.automountServiceAccountToken }}
{{- with .Values.egress.nodeSelector }}
nodeSelector:
{{ toYaml . | nindent 8 }}
@ -63,8 +64,6 @@ spec:
value: "https://{{ include "kuma.controlPlane.serviceName" . }}.{{ .Release.Namespace }}:5678"
- name: KUMA_CONTROL_PLANE_CA_CERT_FILE
value: /var/run/secrets/kuma.io/cp-ca/ca.crt
- name: KUMA_DATAPLANE_NAME
value: $(POD_NAME).$(POD_NAMESPACE)
- name: KUMA_DATAPLANE_DRAIN_TIME
value: {{ .Values.egress.drainTime }}
- name: KUMA_DATAPLANE_RUNTIME_TOKEN_PATH
@ -73,7 +72,7 @@ spec:
value: "egress"
args:
- run
- --log-level=info
- --log-level={{ .Values.egress.logLevel | default "info" }}
ports:
- containerPort: 10002
livenessProbe:
@ -96,12 +95,37 @@ spec:
timeoutSeconds: 3
resources: {{ toYaml .Values.egress.resources | nindent 12 }}
volumeMounts:
{{- if not .Values.egress.automountServiceAccountToken }}
- mountPath: /var/run/secrets/kubernetes.io/serviceaccount
name: serviceaccount-token
readOnly: true
{{- end }}
- name: control-plane-ca
mountPath: /var/run/secrets/kuma.io/cp-ca
readOnly: true
- name: tmp
mountPath: /tmp
volumes:
{{- if not .Values.egress.automountServiceAccountToken }}
- name: serviceaccount-token
projected:
defaultMode: 420
sources:
- serviceAccountToken:
expirationSeconds: 3600
path: token
- configMap:
name: kube-root-ca.crt
items:
- key: ca.crt
path: ca.crt
- downwardAPI:
items:
- fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
path: namespace
{{- end }}
- name: control-plane-ca
secret:
secretName: {{ include "kuma.controlPlane.tls.general.caSecretName" . }}
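Review bot: Setting `automountServiceAccountToken: false` does not remove API credentials from the egress pod: the `{{- if not .Values.egress.automountServiceAccountToken }}` blocks mount an equivalent projected token (`expirationSeconds: 3600`) at the standard `/var/run/secrets/kubernetes.io/serviceaccount` path, so the flag's effect is a time-bound token rather than no token. The values comment for this key (`Whether to automountServiceAccountToken for cp. Optionally set to false`) also still says `cp`; suggest `# -- Disable kubelet automount and mount a projected, 1h-expiring service-account token instead (a token is still present in the pod)`. The ingress deployment section carries the identical block and comment. The Deployment starts outside the hunk.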


@ -5,4 +5,14 @@ metadata:
name: {{ include "kuma.name" . }}-egress
namespace: {{ .Release.Namespace }}
labels: {{ include "kuma.egressLabels" . | nindent 4 }}
{{- with .Values.egress.serviceAccountAnnotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.global.imagePullSecrets }}
imagePullSecrets:
{{- range . }}
- name: {{ . | quote }}
{{- end }}
{{- end }}
{{- end }}


@ -1,4 +1,12 @@
{{- if and .Values.experimental.gatewayAPI (.Capabilities.APIVersions.Has "gateway.networking.k8s.io/v1beta1/GatewayClass") }}
{{- if and .Values.experimental.gatewayAPI (.Capabilities.APIVersions.Has "gateway.networking.k8s.io/v1/GatewayClass") }}
---
apiVersion: gateway.networking.k8s.io/v1
kind: GatewayClass
metadata:
name: kuma
spec:
controllerName: "gateways.kuma.io/controller"
{{- else if and .Values.experimental.gatewayAPI (.Capabilities.APIVersions.Has "gateway.networking.k8s.io/v1beta1/GatewayClass") }}
---
apiVersion: gateway.networking.k8s.io/v1beta1
kind: GatewayClass


@ -36,6 +36,7 @@ spec:
securityContext:
{{- toYaml .Values.ingress.podSecurityContext | trim | nindent 8 }}
serviceAccountName: {{ include "kuma.name" . }}-ingress
automountServiceAccountToken: {{ .Values.ingress.automountServiceAccountToken }}
{{- with .Values.ingress.nodeSelector }}
nodeSelector:
{{ toYaml . | nindent 8 }}
@ -64,8 +65,6 @@ spec:
value: "https://{{ include "kuma.controlPlane.serviceName" . }}.{{ .Release.Namespace }}:5678"
- name: KUMA_CONTROL_PLANE_CA_CERT_FILE
value: /var/run/secrets/kuma.io/cp-ca/ca.crt
- name: KUMA_DATAPLANE_NAME
value: $(POD_NAME).$(POD_NAMESPACE)
- name: KUMA_DATAPLANE_DRAIN_TIME
value: {{ .Values.ingress.drainTime }}
- name: KUMA_DATAPLANE_RUNTIME_TOKEN_PATH
@ -74,7 +73,7 @@ spec:
value: "ingress"
args:
- run
- --log-level=info
- --log-level={{ .Values.ingress.logLevel | default "info" }}
ports:
- containerPort: 10001
livenessProbe:
@ -100,12 +99,37 @@ spec:
lifecycle: {{ . | toYaml | nindent 12 }}
{{ end }}
volumeMounts:
{{- if not .Values.ingress.automountServiceAccountToken }}
- mountPath: /var/run/secrets/kubernetes.io/serviceaccount
name: serviceaccount-token
readOnly: true
{{- end }}
- name: control-plane-ca
mountPath: /var/run/secrets/kuma.io/cp-ca
readOnly: true
- name: tmp
mountPath: /tmp
volumes:
{{- if not .Values.ingress.automountServiceAccountToken }}
- name: serviceaccount-token
projected:
defaultMode: 420
sources:
- serviceAccountToken:
expirationSeconds: 3600
path: token
- configMap:
name: kube-root-ca.crt
items:
- key: ca.crt
path: ca.crt
- downwardAPI:
items:
- fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
path: namespace
{{- end }}
- name: control-plane-ca
secret:
secretName: {{ include "kuma.controlPlane.tls.general.caSecretName" . }}


@ -5,6 +5,10 @@ metadata:
name: {{ include "kuma.name" . }}-ingress
namespace: {{ .Release.Namespace }}
labels: {{ include "kuma.ingressLabels" . | nindent 4 }}
{{- with .Values.ingress.serviceAccountAnnotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.global.imagePullSecrets }}
imagePullSecrets:
{{- range . }}


@ -1,4 +1,4 @@
{{- if and (.Values.experimental.ebpf.enabled) (and (not .Values.cni.enabled) (not .Values.noHelmHooks)) }}
{{- if and (.Values.experimental.ebpf.enabled) (and (not .Values.cni.enabled) (not .Values.noHelmHooks) (eq .Values.controlPlane.environment "kubernetes")) }}
{{- $serviceAccountName := printf "%s-cleanup-node-ebpf-job" (include "kuma.name" .) }}
apiVersion: v1
kind: ServiceAccount


@ -90,7 +90,7 @@ spec:
{{- toYaml .Values.hooks.podSecurityContext | trim | nindent 8 }}
containers:
- name: pre-delete-job
image: {{ include "kubectl.formatImage" (dict "image" .Values.kubectl.image "root" $) | quote }}
image: "{{ .Values.kubectl.image.registry }}/{{ .Values.kubectl.image.repository }}:{{ .Values.kubectl.image.tag }}"
command:
- 'kubectl'
- 'delete'
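Review bot: The hook image is now assembled inline as `"{{ .Values.kubectl.image.registry }}/{{ .Values.kubectl.image.repository }}:{{ .Values.kubectl.image.tag }}"`, replacing the removed `kubectl.formatImage` helper, while other containers in the chart go through `kuma.formatImage`; routing it through that helper would keep registry and tag defaulting in one place. The same inline string appears in the pre-install and pre-upgrade hook sections. These jobs run `kubectl` with the hook RBAC, so referencing a mutable `1.27.5` tag without a digest deserves a note in values.yaml, and a digest field if `kuma.formatImage` already supports one — I cannot tell from here.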


@ -1,4 +1,4 @@
{{- if .Values.noHelmHooks }}
{{- if and ( .Values.noHelmHooks ) (eq .Values.controlPlane.environment "kubernetes") }}
{{- $errorMessage := ".Values.noHelmHooks is set. You must manually create and label the system namespace with kuma.io/system-namespace: \"true\" before installing or upgrading the chart" }}
{{- $systemNamespace := (lookup "v1" "Namespace" "" .Release.Namespace) }}
{{- if not $systemNamespace }}
@ -101,7 +101,7 @@ spec:
{{- toYaml .Values.hooks.podSecurityContext | trim | nindent 8 }}
containers:
- name: pre-install-job
image: {{ include "kubectl.formatImage" (dict "image" .Values.kubectl.image "root" $) | quote }}
image: "{{ .Values.kubectl.image.registry }}/{{ .Values.kubectl.image.repository }}:{{ .Values.kubectl.image.tag }}"
securityContext:
{{- toYaml (mergeOverwrite (dict "runAsUser" 65534) .Values.hooks.containerSecurityContext) | trim | nindent 12 }}
resources:


@ -123,7 +123,7 @@ spec:
{{- toYaml .Values.hooks.podSecurityContext | trim | nindent 8 }}
containers:
- name: pre-upgrade-job
image: {{ include "kubectl.formatImage" (dict "image" .Values.kubectl.image "root" $) | quote }}
image: "{{ .Values.kubectl.image.registry }}/{{ .Values.kubectl.image.repository }}:{{ .Values.kubectl.image.tag }}"
securityContext:
{{- toYaml (mergeOverwrite (dict "runAsUser" 65534) .Values.hooks.containerSecurityContext) | trim | nindent 12 }}
resources:


@ -20,6 +20,9 @@ installCrdsOnUpgrade:
# -- Whether to disable all helm hooks
noHelmHooks: false
# -- Whether to restart control-plane by calculating a new checksum for the secret
restartOnSecretChange: true
controlPlane:
# -- Environment that control plane is run in, useful when running universal global control plane on k8s
environment: "kubernetes"
@ -45,7 +48,13 @@ controlPlane:
# -- Number of replicas of the Kuma CP. Ignored when autoscaling is enabled
replicas: 1
# -- Control Plane Pod Annotations
# -- Minimum number of seconds for which a newly created pod should be ready for it to be considered available.
minReadySeconds: 0
# -- Annotations applied only to the `Deployment` resource
deploymentAnnotations: {}
# -- Annotations applied only to the `Pod` resource
podAnnotations: {}
# Horizontal Pod Autoscaling configuration
@ -149,6 +158,8 @@ controlPlane:
path: /
# -- Each path in an Ingress is required to have a corresponding path type. (ImplementationSpecific/Exact/Prefix)
pathType: ImplementationSpecific
# -- Port from kuma-cp to use to expose API and GUI. Switch to 5682 to expose TLS port
servicePort: 5681
globalZoneSyncService:
# -- Whether to create a k8s service for the global zone sync
@ -159,6 +170,8 @@ controlPlane:
type: LoadBalancer
# -- (string) Optionally specify IP to be used by cloud provider when configuring load balancer
loadBalancerIP:
# -- Optionally specify allowed source ranges that can access the load balancer
loadBalancerSourceRanges: []
# -- Additional annotations to put on the Global Zone Sync Service
annotations: { }
# -- Port on which Global Zone Sync Service is exposed on Node for service of type NodePort
@ -241,6 +254,9 @@ controlPlane:
# -- If true, TLS cert of the server is not verified.
skipVerify: false
# -- Annotations to add for Control Plane's Service Account
serviceAccountAnnotations: { }
image:
# -- Kuma CP ImagePullPolicy
pullPolicy: IfNotPresent
@ -392,6 +408,9 @@ ingress:
# -- Number of replicas of the Ingress. Ignored when autoscaling is enabled.
replicas: 1
# -- Log level for ingress (available values: off|info|debug)
logLevel: info
# -- Define the resources to allocate to mesh ingress
resources:
requests:
@ -495,7 +514,12 @@ ingress:
# -- Security context at the container level for ingress
containerSecurityContext:
readOnlyRootFilesystem: true
readOnlyRootFilesystem: true
# -- Annotations to add for Control Plane's Service Account
serviceAccountAnnotations: { }
# -- Whether to automountServiceAccountToken for cp. Optionally set to false
automountServiceAccountToken: true
egress:
# -- If true, it deploys Egress for cross cluster communication
@ -507,6 +531,9 @@ egress:
# -- Number of replicas of the Egress. Ignored when autoscaling is enabled.
replicas: 1
# -- Log level for egress (available values: off|info|debug)
logLevel: info
# Horizontal Pod Autoscaling configuration
autoscaling:
# -- Whether to enable Horizontal Pod Autoscaling, which requires the [Metrics Server](https://github.com/kubernetes-sigs/metrics-server) in the cluster
@ -599,7 +626,12 @@ egress:
# -- Security context at the container level for egress
containerSecurityContext:
readOnlyRootFilesystem: true
readOnlyRootFilesystem: true
# -- Annotations to add for Control Plane's Service Account
serviceAccountAnnotations: { }
# -- Whether to automountServiceAccountToken for cp. Optionally set to false
automountServiceAccountToken: true
kumactl:
image:
@ -609,15 +641,13 @@ kumactl:
tag:
kubectl:
# kuma image that support v1.20.15 image */ } }
# see: https://hub.docker.com/r/kumahq/kubectl */ } }
image:
# -- The kubectl image registry
registry: kumahq
registry: docker.io
# -- The kubectl image repository
repository: kubectl
repository: bitnami/kubectl
# -- The kubectl image tag
tag: "v1.20.15"
tag: "1.27.5"
hooks:
# -- Node selector for the HELM hooks
nodeSelector:
@ -660,22 +690,8 @@ experimental:
tcAttachIface: ""
# -- Path where compiled eBPF programs which will be installed can be found
programsSourcePath: /kuma/ebpf
# -- If true, it uses new API for resource synchronization
deltaKds: false
legacy:
# -- If true, use the legacy transparent proxy engine
transparentProxy: false
cni:
# -- If true, it installs legacy version of the CNI
enabled: false
image:
# -- CNI v1 image registry
registry: "docker.io/kumahq"
# -- CNI v1 image repository
repository: "install-cni"
# -- CNI v1 image tag
tag: "0.0.10"
# -- If false, it uses legacy API for resource synchronization
deltaKds: true
# Postgres' settings for universal control plane on k8s
postgres:


@ -5,7 +5,7 @@ annotations:
catalog.cattle.io/kube-version: '>=1.21.0-0'
catalog.cattle.io/release-name: linkerd-control-plane
apiVersion: v2
appVersion: stable-2.14.3
appVersion: stable-2.14.4
dependencies:
- name: partials
repository: file://./charts/partials
@ -25,4 +25,4 @@ name: linkerd-control-plane
sources:
- https://github.com/linkerd/linkerd2/
type: application
version: 1.16.4
version: 1.16.5


@ -3,7 +3,7 @@
Linkerd gives you observability, reliability, and security
for your microservices — with no code change required.
![Version: 1.16.4](https://img.shields.io/badge/Version-1.16.4-informational?style=flat-square)
![Version: 1.16.5](https://img.shields.io/badge/Version-1.16.5-informational?style=flat-square)
![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
![AppVersion: edge-XX.X.X](https://img.shields.io/badge/AppVersion-edge--XX.X.X-informational?style=flat-square)
@ -226,6 +226,8 @@ Kubernetes: `>=1.21.0-0`
| proxy.await | bool | `true` | If set, the application container will not start until the proxy is ready |
| proxy.cores | int | `0` | The `cpu.limit` and `cores` should be kept in sync. The value of `cores` must be an integer and should typically be set by rounding up from the limit. E.g. if cpu.limit is '1500m', cores should be 2. |
| proxy.defaultInboundPolicy | string | "all-unauthenticated" | The default allow policy to use when no `Server` selects a pod. One of: "all-authenticated", "all-unauthenticated", "cluster-authenticated", "cluster-unauthenticated", "deny" |
| proxy.disableInboundProtocolDetectTimeout | bool | `false` | When set to true, disables the protocol detection timeout on the inbound side of the proxy by setting it to a very high value |
| proxy.disableOutboundProtocolDetectTimeout | bool | `false` | When set to true, disables the protocol detection timeout on the outbound side of the proxy by setting it to a very high value |
| proxy.enableExternalProfiles | bool | `false` | Enable service profiles for non-Kubernetes services |
| proxy.image.name | string | `"cr.l5d.io/linkerd/proxy"` | Docker image for the proxy |
| proxy.image.pullPolicy | string | imagePullPolicy | Pull policy for the proxy container Docker image |


@ -57,6 +57,14 @@ env:
- name: LINKERD2_PROXY_INBOUND_DISCOVERY_IDLE_TIMEOUT
value: {{.Values.proxy.inboundDiscoveryCacheUnusedTimeout | quote}}
{{ end -}}
{{ if .Values.proxy.disableOutboundProtocolDetectTimeout -}}
- name: LINKERD2_PROXY_OUTBOUND_DETECT_TIMEOUT
value: "365d"
{{ end -}}
{{ if .Values.proxy.disableInboundProtocolDetectTimeout -}}
- name: LINKERD2_PROXY_INBOUND_DETECT_TIMEOUT
value: "365d"
{{ end -}}
- name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR
value: 0.0.0.0:{{.Values.proxy.ports.control}}
- name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR
@ -92,7 +100,7 @@ env:
{{ end -}}
- name: LINKERD2_PROXY_DESTINATION_CONTEXT
value: |
{"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)"}
{"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)", "pod":"$(_pod_name)"}
- name: _pod_sa
valueFrom:
fieldRef:
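Review bot: The new `"pod":"$(_pod_name)"` field in LINKERD2_PROXY_DESTINATION_CONTEXT (second hunk) relies on an env var named `_pod_name` being declared earlier in this container's `env` list; `_pod_sa` is visibly declared via fieldRef just below, but `_pod_name` is not in view, and if it is missing Kubernetes leaves `$(_pod_name)` unexpanded so the destination controller receives that literal string as the pod name. Please confirm a `_pod_name` entry with `fieldRef: { fieldPath: metadata.name }` exists in the part of the template above the first hunk. In the first hunk the two `"365d"` literals deserve a comment such as `# "365d" effectively disables protocol detection: a connection that never sends bytes is held until the peer closes it`, since an operator toggling these flags should understand that idle or server-speaks-first connections are no longer released by timeout and need opaque-port configuration instead. The `env:` list these hunks belong to begins before the first hunk.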
