From a6317e9bc8199295b5e00d653512d5d090283765 Mon Sep 17 00:00:00 2001 
From: Samuel Attwood
Date: Wed, 23 Mar 2022 00:57:28 -0400
Subject: [PATCH] Adding assets, charts, and index.yaml
---
assets/federatorai/federatorai-5.0.0.tgz | Bin 0 -> 15737 bytes
assets/gluu/gluu-5.0.302.tgz | Bin 0 -> 111456 bytes
assets/k10/k10-4.5.1100.tgz | Bin 0 -> 113826 bytes
.../federatorai/federatorai/5.0.0/.helmignore | 22 +
.../federatorai/federatorai/5.0.0/Chart.yaml | 26 +
.../federatorai/federatorai/5.0.0/README.md | 109 +
.../federatorai/5.0.0/app-readme.md | 48 +
.../5.0.0/crds/02-alamedaservice.crd.yaml | 3597 +++++++++++++++++
charts/federatorai/federatorai/5.0.0/logo.png | Bin 0 -> 2838 bytes
.../federatorai/5.0.0/questions.yaml | 89 +
.../federatorai/5.0.0/requirements.yaml | 0
.../5.0.0/templates/01-serviceaccount.yaml | 5 +
.../03-federatorai-operator.deployment.yaml | 97 +
.../5.0.0/templates/04-clusterrole.yaml | 209 +
.../templates/05-clusterrolebinding.yaml | 12 +
.../federatorai/5.0.0/templates/06-role.yaml | 46 +
.../5.0.0/templates/07-rolebinding.yaml | 13 +
.../5.0.0/templates/08-service.yaml | 14 +
.../5.0.0/templates/09-secret.yaml | 7 +
.../5.0.0/templates/10-mutatingwebhook.yaml | 27 +
.../5.0.0/templates/11-validatingwebhook.yaml | 27 +
.../federatorai/5.0.0/templates/NOTES.txt | 3 +
.../federatorai/5.0.0/templates/_helpers.tpl | 45 +
.../5.0.0/templates/alamedaservice.yaml | 95 +
.../federatorai/federatorai/5.0.0/values.yaml | 43 +
charts/gluu/gluu/5.0.302/Chart.yaml | 103 +
charts/gluu/gluu/5.0.302/README.md | 606 +++
charts/gluu/gluu/5.0.302/app-readme.md | 35 +
.../gluu/5.0.302/charts/admin-ui/.helmignore | 21 +
.../gluu/5.0.302/charts/admin-ui/Chart.yaml | 20 +
.../gluu/5.0.302/charts/admin-ui/README.md | 58 +
.../charts/admin-ui/templates/_helpers.tpl | 68 +
.../templates/admin-ui-destination-rules.yaml | 23 +
.../templates/admin-ui-virtual-services.yaml | 33 +
.../charts/admin-ui/templates/deployment.yml | 133 +
.../charts/admin-ui/templates/hpa.yaml | 38 +
.../charts/admin-ui/templates/service.yml | 30 +
.../templates/user-custom-secret-envs.yaml | 22 +
.../gluu/5.0.302/charts/admin-ui/values.yaml | 82 +
.../auth-server-key-rotation/.helmignore | 21 +
.../auth-server-key-rotation/Chart.yaml | 18 +
.../charts/auth-server-key-rotation/README.md | 48 +
.../templates/_helpers.tpl | 68 +
.../templates/cronjobs.yaml | 96 +
.../templates/service.yaml | 25 +
.../templates/user-custom-secret-envs.yaml | 21 +
.../auth-server-key-rotation/values.yaml | 48 +
.../5.0.302/charts/auth-server/.helmignore | 21 +
.../5.0.302/charts/auth-server/Chart.yaml | 22 +
.../gluu/5.0.302/charts/auth-server/README.md | 60 +
.../charts/auth-server/templates/_helpers.tpl | 68 +
.../auth-server-destination-rules.yaml | 23 +
.../auth-server-virtual-services.yaml | 117 +
.../auth-server/templates/deployment.yml | 224 +
.../charts/auth-server/templates/hpa.yaml | 38 +
.../charts/auth-server/templates/service.yml | 30 +
.../templates/user-custom-secret-envs.yaml | 22 +
.../5.0.302/charts/auth-server/values.yaml | 87 +
.../gluu/gluu/5.0.302/charts/casa/.helmignore | 22 +
.../gluu/gluu/5.0.302/charts/casa/Chart.yaml | 22 +
.../gluu/gluu/5.0.302/charts/casa/README.md | 65 +
.../charts/casa/templates/_helpers.tpl | 79 +
.../templates/casa-destination-rules.yaml | 23 +
.../casa/templates/casa-virtual-services.yaml | 34 +
.../charts/casa/templates/deployment.yaml | 138 +
.../5.0.302/charts/casa/templates/hpa.yaml | 38 +
.../charts/casa/templates/service.yaml | 31 +
.../templates/user-custom-secret-envs.yaml | 22 +
.../gluu/gluu/5.0.302/charts/casa/values.yaml | 98 +
.../5.0.302/charts/client-api/.helmignore | 21 +
.../gluu/5.0.302/charts/client-api/Chart.yaml | 23 +
.../gluu/5.0.302/charts/client-api/README.md | 61 +
.../charts/client-api/templates/_helpers.tpl | 68 +
.../client-api-destination-rules.yaml | 23 +
.../client-api/templates/deployment.yaml | 137 +
.../charts/client-api/templates/hpa.yaml | 38 +
.../client-api/templates/networkpolicy.yaml | 39 +
.../charts/client-api/templates/service.yaml | 30 +
.../templates/user-custom-secret-envs.yaml | 22 +
.../5.0.302/charts/client-api/values.yaml | 87 +
.../charts/cn-istio-ingress/.helmignore | 22 +
.../charts/cn-istio-ingress/Chart.yaml | 19 +
.../5.0.302/charts/cn-istio-ingress/README.md | 25 +
.../cn-istio-ingress/templates/_helpers.tpl | 63 +
.../cn-istio-ingress/templates/gateway.yaml | 36 +
.../charts/cn-istio-ingress/values.yaml | 4 +
.../5.0.302/charts/config-api/.helmignore | 21 +
.../gluu/5.0.302/charts/config-api/Chart.yaml | 22 +
.../gluu/5.0.302/charts/config-api/README.md | 64 +
.../charts/config-api/templates/_helpers.tpl | 68 +
.../config-api-destination-rules.yaml | 23 +
.../config-api/templates/deployment.yaml | 164 +
.../charts/config-api/templates/hpa.yaml | 38 +
.../charts/config-api/templates/service.yaml | 30 +
.../5.0.302/charts/config-api/values.yaml | 96 +
.../gluu/5.0.302/charts/config/.helmignore | 22 +
.../gluu/5.0.302/charts/config/Chart.yaml | 21 +
.../gluu/gluu/5.0.302/charts/config/README.md | 103 +
.../charts/config/templates/_helpers.tpl | 100 +
.../config/templates/admin-ui-secrets.yaml | 20 +
.../config/templates/clusterrolebinding.yaml | 46 +
.../charts/config/templates/configmaps.yaml | 407 ++
.../config/templates/load-init-config.yml | 103 +
.../charts/config/templates/ob-secrets.yaml | 71 +
.../charts/config/templates/rolebinding.yaml | 24 +
.../charts/config/templates/roles.yaml | 20 +
.../charts/config/templates/secrets.yaml | 101 +
.../charts/config/templates/service.yaml | 27 +
.../templates/upgrade-ldap-101-jans.yaml | 1777 ++++++++
.../config/templates/user-custom-envs.yaml | 65 +
.../gluu/5.0.302/charts/config/values.yaml | 158 +
.../gluu/5.0.302/charts/fido2/.helmignore | 21 +
.../gluu/gluu/5.0.302/charts/fido2/Chart.yaml | 22 +
.../gluu/gluu/5.0.302/charts/fido2/README.md | 61 +
.../charts/fido2/templates/_helpers.tpl | 68 +
.../charts/fido2/templates/deployment.yml | 136 +
.../templates/fido2-destination-rules.yaml | 23 +
.../templates/fido2-virtual-services.yaml | 36 +
.../5.0.302/charts/fido2/templates/hpa.yaml | 38 +
.../charts/fido2/templates/service.yml | 30 +
.../templates/user-custom-secret-envs.yaml | 22 +
.../gluu/5.0.302/charts/fido2/values.yaml | 85 +
.../5.0.302/charts/nginx-ingress/.helmignore | 21 +
.../5.0.302/charts/nginx-ingress/Chart.yaml | 20 +
.../5.0.302/charts/nginx-ingress/README.md | 73 +
.../nginx-ingress/templates/_helpers.tpl | 32 +
.../templates/admin-ui-ingress.yaml | 55 +
.../auth-server-protected-ingress.yaml | 115 +
.../nginx-ingress/templates/casa-ingress.yaml | 54 +
.../nginx-ingress/templates/ingress.yaml | 687 ++++
.../5.0.302/charts/nginx-ingress/values.yaml | 99 +
.../gluu/5.0.302/charts/opendj/.helmignore | 21 +
.../gluu/5.0.302/charts/opendj/Chart.yaml | 22 +
.../gluu/gluu/5.0.302/charts/opendj/README.md | 78 +
.../charts/opendj/templates/_helpers.tpl | 68 +
.../charts/opendj/templates/configmaps.yaml | 20 +
.../charts/opendj/templates/cronjobs.yaml | 100 +
.../5.0.302/charts/opendj/templates/hpa.yaml | 37 +
.../templates/opendj-destination-rules.yaml | 24 +
.../charts/opendj/templates/secrets.yaml | 19 +
.../charts/opendj/templates/service.yaml | 113 +
.../charts/opendj/templates/statefulset.yaml | 167 +
.../charts/opendj/templates/storageclass.yaml | 58 +
.../templates/user-custom-secret-envs.yaml | 21 +
.../gluu/5.0.302/charts/opendj/values.yaml | 156 +
.../5.0.302/charts/oxpassport/.helmignore | 21 +
.../gluu/5.0.302/charts/oxpassport/Chart.yaml | 21 +
.../gluu/5.0.302/charts/oxpassport/README.md | 66 +
.../charts/oxpassport/templates/_helpers.tpl | 68 +
.../oxpassport/templates/deployment.yaml | 147 +
.../charts/oxpassport/templates/hpa.yaml | 37 +
.../oxpassport-destination-rules.yaml | 22 +
.../oxpassport-virtual-services.yaml | 33 +
.../charts/oxpassport/templates/service.yaml | 30 +
.../templates/user-custom-secret-envs.yaml | 21 +
.../5.0.302/charts/oxpassport/values.yaml | 97 +
.../5.0.302/charts/oxshibboleth/.helmignore | 21 +
.../5.0.302/charts/oxshibboleth/Chart.yaml | 20 +
.../5.0.302/charts/oxshibboleth/README.md | 67 +
.../oxshibboleth/templates/_helpers.tpl | 68 +
.../charts/oxshibboleth/templates/hpa.yaml | 38 +
.../oxshibboleth-destination-rules.yaml | 23 +
.../oxshibboleth-virtual-services.yaml | 36 +
.../oxshibboleth/templates/service.yaml | 34 +
.../oxshibboleth/templates/statefulset.yaml | 133 +
.../templates/user-custom-secret-envs.yaml | 22 +
.../5.0.302/charts/oxshibboleth/values.yaml | 96 +
.../5.0.302/charts/persistence/.helmignore | 22 +
.../5.0.302/charts/persistence/Chart.yaml | 18 +
.../gluu/5.0.302/charts/persistence/README.md | 51 +
.../charts/persistence/templates/_helpers.tpl | 79 +
.../charts/persistence/templates/jobs.yml | 96 +
.../charts/persistence/templates/service.yaml | 27 +
.../templates/user-custom-secret-envs.yaml | 21 +
.../5.0.302/charts/persistence/values.yaml | 48 +
.../gluu/gluu/5.0.302/charts/scim/.helmignore | 21 +
.../gluu/gluu/5.0.302/charts/scim/Chart.yaml | 20 +
.../gluu/gluu/5.0.302/charts/scim/README.md | 60 +
.../charts/scim/templates/_helpers.tpl | 68 +
.../charts/scim/templates/deployment.yml | 134 +
.../5.0.302/charts/scim/templates/hpa.yaml | 38 +
.../templates/scim-destination-rules.yaml | 23 +
.../scim/templates/scim-virtual-services.yaml | 46 +
.../5.0.302/charts/scim/templates/service.yml | 30 +
.../templates/user-custom-secret-envs.yaml | 22 +
.../gluu/gluu/5.0.302/charts/scim/values.yaml | 84 +
charts/gluu/gluu/5.0.302/get_helm.sh | 326 ++
.../gluu/gluu/5.0.302/openbanking-values.yaml | 621 +++
charts/gluu/gluu/5.0.302/questions.yaml | 1287 ++++++
.../gluu/gluu/5.0.302/templates/_helpers.tpl | 32 +
charts/gluu/gluu/5.0.302/values.schema.json | 3068 ++++++++++++++
charts/gluu/gluu/5.0.302/values.yaml | 1527 +++++++
charts/k10/k10/4.5.1100/Chart.yaml | 15 +
charts/k10/k10/4.5.1100/README.md | 227 ++
charts/k10/k10/4.5.1100/app-readme.md | 5 +
.../k10/4.5.1100/charts/grafana/.helmignore | 23 +
.../k10/4.5.1100/charts/grafana/Chart.yaml | 22 +
.../k10/k10/4.5.1100/charts/grafana/README.md | 528 +++
.../charts/grafana/templates/NOTES.txt | 54 +
.../charts/grafana/templates/_definitions.tpl | 3 +
.../charts/grafana/templates/_helpers.tpl | 235 ++
.../charts/grafana/templates/_pod.tpl | 509 +++
.../charts/grafana/templates/clusterrole.yaml | 27 +
.../grafana/templates/clusterrolebinding.yaml | 26 +
.../configmap-dashboard-provider.yaml | 31 +
.../charts/grafana/templates/configmap.yaml | 99 +
.../templates/dashboards-json-configmap.yaml | 37 +
.../charts/grafana/templates/deployment.yaml | 52 +
.../grafana/templates/headless-service.yaml | 20 +
.../charts/grafana/templates/hpa.yaml | 22 +
.../templates/image-renderer-deployment.yaml | 117 +
.../image-renderer-network-policy.yaml | 78 +
.../templates/image-renderer-service.yaml | 32 +
.../charts/grafana/templates/ingress.yaml | 80 +
.../grafana/templates/networkpolicy.yaml | 18 +
.../templates/poddisruptionbudget.yaml | 24 +
.../grafana/templates/podsecuritypolicy.yaml | 51 +
.../charts/grafana/templates/pvc.yaml | 33 +
.../charts/grafana/templates/role.yaml | 34 +
.../charts/grafana/templates/rolebinding.yaml | 27 +
.../charts/grafana/templates/secret-env.yaml | 16 +
.../charts/grafana/templates/secret.yaml | 28 +
.../charts/grafana/templates/service.yaml | 58 +
.../grafana/templates/serviceaccount.yaml | 15 +
.../grafana/templates/servicemonitor.yaml | 42 +
.../charts/grafana/templates/statefulset.yaml | 55 +
.../k10/4.5.1100/charts/grafana/values.yaml | 3126 ++++++++++++++
.../k10/4.5.1100/charts/prometheus/Chart.yaml | 30 +
.../k10/4.5.1100/charts/prometheus/README.md | 224 +
.../charts/prometheus/templates/NOTES.txt | 112 +
.../prometheus/templates/_definitions.tpl | 3 +
.../charts/prometheus/templates/_helpers.tpl | 400 ++
.../templates/alertmanager/clusterrole.yaml | 21 +
.../alertmanager/clusterrolebinding.yaml | 20 +
.../prometheus/templates/alertmanager/cm.yaml | 19 +
.../templates/alertmanager/deploy.yaml | 161 +
.../templates/alertmanager/headless-svc.yaml | 31 +
.../templates/alertmanager/ingress.yaml | 57 +
.../templates/alertmanager/netpol.yaml | 20 +
.../templates/alertmanager/pdb.yaml | 14 +
.../templates/alertmanager/psp.yaml | 46 +
.../templates/alertmanager/pvc.yaml | 39 +
.../templates/alertmanager/role.yaml | 24 +
.../templates/alertmanager/rolebinding.yaml | 23 +
.../templates/alertmanager/service.yaml | 53 +
.../alertmanager/serviceaccount.yaml | 11 +
.../templates/alertmanager/sts.yaml | 187 +
.../templates/node-exporter/daemonset.yaml | 146 +
.../templates/node-exporter/psp.yaml | 55 +
.../templates/node-exporter/role.yaml | 17 +
.../templates/node-exporter/rolebinding.yaml | 19 +
.../node-exporter/serviceaccount.yaml | 11 +
.../templates/node-exporter/svc.yaml | 47 +
.../templates/pushgateway/clusterrole.yaml | 21 +
.../pushgateway/clusterrolebinding.yaml | 16 +
.../templates/pushgateway/deploy.yaml | 119 +
.../templates/pushgateway/ingress.yaml | 54 +
.../templates/pushgateway/netpol.yaml | 20 +
.../prometheus/templates/pushgateway/pdb.yaml | 14 +
.../prometheus/templates/pushgateway/psp.yaml | 42 +
.../prometheus/templates/pushgateway/pvc.yaml | 37 +
.../templates/pushgateway/service.yaml | 41 +
.../templates/pushgateway/serviceaccount.yaml | 11 +
.../templates/server/clusterrole.yaml | 48 +
.../templates/server/clusterrolebinding.yaml | 16 +
.../prometheus/templates/server/cm.yaml | 82 +
.../prometheus/templates/server/deploy.yaml | 261 ++
.../templates/server/headless-svc.yaml | 37 +
.../prometheus/templates/server/ingress.yaml | 59 +
.../prometheus/templates/server/netpol.yaml | 18 +
.../prometheus/templates/server/pdb.yaml | 14 +
.../prometheus/templates/server/psp.yaml | 51 +
.../prometheus/templates/server/pvc.yaml | 41 +
.../templates/server/rolebinding.yaml | 20 +
.../prometheus/templates/server/service.yaml | 60 +
.../templates/server/serviceaccount.yaml | 13 +
.../prometheus/templates/server/sts.yaml | 285 ++
.../prometheus/templates/server/vpa.yaml | 24 +
.../4.5.1100/charts/prometheus/values.yaml | 1737 ++++++++
charts/k10/k10/4.5.1100/config.json | 0
charts/k10/k10/4.5.1100/eula.txt | 458 +++
charts/k10/k10/4.5.1100/files/favicon.png | Bin 0 -> 1802 bytes
charts/k10/k10/4.5.1100/files/kasten-logo.svg | 24 +
charts/k10/k10/4.5.1100/files/styles.css | 113 +
charts/k10/k10/4.5.1100/license | 1 +
charts/k10/k10/4.5.1100/questions.yaml | 295 ++
charts/k10/k10/4.5.1100/templates/NOTES.txt | 47 +
.../k10/4.5.1100/templates/_definitions.tpl | 184 +
.../k10/k10/4.5.1100/templates/_helpers.tpl | 647 +++
.../k10/4.5.1100/templates/_k10_container.tpl | 659 +++
.../k10/4.5.1100/templates/_k10_metering.tpl | 261 ++
.../4.5.1100/templates/_k10_serviceimage.tpl | 51 +
.../k10/4.5.1100/templates/_k10_template.tpl | 190 +
.../4.5.1100/templates/api-tls-secrets.yaml | 13 +
.../k10/4.5.1100/templates/apiservice.yaml | 25 +
.../k10/4.5.1100/templates/daemonsets.yaml | 26 +
.../k10/4.5.1100/templates/deployments.yaml | 30 +
.../templates/fluentbit-configmap.yaml | 34 +
.../k10/4.5.1100/templates/gateway-ext.yaml | 33 +
.../k10/k10/4.5.1100/templates/gateway.yaml | 134 +
.../k10/4.5.1100/templates/grafana-scc.yaml | 44 +
.../k10/k10/4.5.1100/templates/ingress.yaml | 46 +
.../k10/4.5.1100/templates/k10-config.yaml | 228 ++
.../k10/k10/4.5.1100/templates/k10-eula.yaml | 21 +
.../4.5.1100/templates/kopia-tls-certs.yaml | 33 +
.../k10/k10/4.5.1100/templates/license.yaml | 25 +
.../4.5.1100/templates/mutatingwebhook.yaml | 51 +
.../k10/4.5.1100/templates/networkpolicy.yaml | 192 +
.../templates/prometheus-configmap.yaml | 70 +
.../templates/prometheus-service.yaml | 44 +
charts/k10/k10/4.5.1100/templates/rbac.yaml | 239 ++
charts/k10/k10/4.5.1100/templates/route.yaml | 36 +
charts/k10/k10/4.5.1100/templates/scc.yaml | 43 +
.../k10/k10/4.5.1100/templates/secrets.yaml | 242 ++
.../4.5.1100/templates/serviceaccount.yaml | 27 +
.../k10/4.5.1100/templates/v0services.yaml | 162 +
charts/k10/k10/4.5.1100/triallicense | 1 + charts/k10/k10/4.5.1100/values.schema.json | 1089 +++++ charts/k10/k10/4.5.1100/values.yaml | 456 +++ index.yaml | 157 + 320 files changed, 40367 insertions(+) create mode 100644 assets/federatorai/federatorai-5.0.0.tgz create mode 100644 assets/gluu/gluu-5.0.302.tgz create mode 100644 assets/k10/k10-4.5.1100.tgz create mode 100644 charts/federatorai/federatorai/5.0.0/.helmignore create mode 100644 charts/federatorai/federatorai/5.0.0/Chart.yaml create mode 100644 charts/federatorai/federatorai/5.0.0/README.md create mode 100644 charts/federatorai/federatorai/5.0.0/app-readme.md create mode 100644 charts/federatorai/federatorai/5.0.0/crds/02-alamedaservice.crd.yaml create mode 100644 charts/federatorai/federatorai/5.0.0/logo.png create mode 100644 charts/federatorai/federatorai/5.0.0/questions.yaml create mode 100644 charts/federatorai/federatorai/5.0.0/requirements.yaml create mode 100644 charts/federatorai/federatorai/5.0.0/templates/01-serviceaccount.yaml create mode 100644 charts/federatorai/federatorai/5.0.0/templates/03-federatorai-operator.deployment.yaml create mode 100644 charts/federatorai/federatorai/5.0.0/templates/04-clusterrole.yaml create mode 100644 charts/federatorai/federatorai/5.0.0/templates/05-clusterrolebinding.yaml create mode 100644 charts/federatorai/federatorai/5.0.0/templates/06-role.yaml create mode 100644 charts/federatorai/federatorai/5.0.0/templates/07-rolebinding.yaml create mode 100644 charts/federatorai/federatorai/5.0.0/templates/08-service.yaml create mode 100644 charts/federatorai/federatorai/5.0.0/templates/09-secret.yaml create mode 100644 charts/federatorai/federatorai/5.0.0/templates/10-mutatingwebhook.yaml create mode 100644 charts/federatorai/federatorai/5.0.0/templates/11-validatingwebhook.yaml create mode 100644 charts/federatorai/federatorai/5.0.0/templates/NOTES.txt create mode 100644 charts/federatorai/federatorai/5.0.0/templates/_helpers.tpl create mode 100644 
charts/federatorai/federatorai/5.0.0/templates/alamedaservice.yaml create mode 100644 charts/federatorai/federatorai/5.0.0/values.yaml create mode 100644 charts/gluu/gluu/5.0.302/Chart.yaml create mode 100644 charts/gluu/gluu/5.0.302/README.md create mode 100644 charts/gluu/gluu/5.0.302/app-readme.md create mode 100644 charts/gluu/gluu/5.0.302/charts/admin-ui/.helmignore create mode 100644 charts/gluu/gluu/5.0.302/charts/admin-ui/Chart.yaml create mode 100644 charts/gluu/gluu/5.0.302/charts/admin-ui/README.md create mode 100644 charts/gluu/gluu/5.0.302/charts/admin-ui/templates/_helpers.tpl create mode 100644 charts/gluu/gluu/5.0.302/charts/admin-ui/templates/admin-ui-destination-rules.yaml create mode 100644 charts/gluu/gluu/5.0.302/charts/admin-ui/templates/admin-ui-virtual-services.yaml create mode 100644 charts/gluu/gluu/5.0.302/charts/admin-ui/templates/deployment.yml create mode 100644 charts/gluu/gluu/5.0.302/charts/admin-ui/templates/hpa.yaml create mode 100644 charts/gluu/gluu/5.0.302/charts/admin-ui/templates/service.yml create mode 100644 charts/gluu/gluu/5.0.302/charts/admin-ui/templates/user-custom-secret-envs.yaml create mode 100644 charts/gluu/gluu/5.0.302/charts/admin-ui/values.yaml create mode 100644 charts/gluu/gluu/5.0.302/charts/auth-server-key-rotation/.helmignore create mode 100644 charts/gluu/gluu/5.0.302/charts/auth-server-key-rotation/Chart.yaml create mode 100644 charts/gluu/gluu/5.0.302/charts/auth-server-key-rotation/README.md create mode 100644 charts/gluu/gluu/5.0.302/charts/auth-server-key-rotation/templates/_helpers.tpl create mode 100644 charts/gluu/gluu/5.0.302/charts/auth-server-key-rotation/templates/cronjobs.yaml create mode 100644 charts/gluu/gluu/5.0.302/charts/auth-server-key-rotation/templates/service.yaml create mode 100644 charts/gluu/gluu/5.0.302/charts/auth-server-key-rotation/templates/user-custom-secret-envs.yaml create mode 100644 charts/gluu/gluu/5.0.302/charts/auth-server-key-rotation/values.yaml create mode 100644 
charts/gluu/gluu/5.0.302/charts/auth-server/.helmignore create mode 100644 charts/gluu/gluu/5.0.302/charts/auth-server/Chart.yaml create mode 100644 charts/gluu/gluu/5.0.302/charts/auth-server/README.md create mode 100644 charts/gluu/gluu/5.0.302/charts/auth-server/templates/_helpers.tpl create mode 100644 charts/gluu/gluu/5.0.302/charts/auth-server/templates/auth-server-destination-rules.yaml create mode 100644 charts/gluu/gluu/5.0.302/charts/auth-server/templates/auth-server-virtual-services.yaml create mode 100644 charts/gluu/gluu/5.0.302/charts/auth-server/templates/deployment.yml create mode 100644 charts/gluu/gluu/5.0.302/charts/auth-server/templates/hpa.yaml create mode 100644 charts/gluu/gluu/5.0.302/charts/auth-server/templates/service.yml create mode 100644 charts/gluu/gluu/5.0.302/charts/auth-server/templates/user-custom-secret-envs.yaml create mode 100644 charts/gluu/gluu/5.0.302/charts/auth-server/values.yaml create mode 100644 charts/gluu/gluu/5.0.302/charts/casa/.helmignore create mode 100644 charts/gluu/gluu/5.0.302/charts/casa/Chart.yaml create mode 100644 charts/gluu/gluu/5.0.302/charts/casa/README.md create mode 100644 charts/gluu/gluu/5.0.302/charts/casa/templates/_helpers.tpl create mode 100644 charts/gluu/gluu/5.0.302/charts/casa/templates/casa-destination-rules.yaml create mode 100644 charts/gluu/gluu/5.0.302/charts/casa/templates/casa-virtual-services.yaml create mode 100644 charts/gluu/gluu/5.0.302/charts/casa/templates/deployment.yaml create mode 100644 charts/gluu/gluu/5.0.302/charts/casa/templates/hpa.yaml create mode 100644 charts/gluu/gluu/5.0.302/charts/casa/templates/service.yaml create mode 100644 charts/gluu/gluu/5.0.302/charts/casa/templates/user-custom-secret-envs.yaml create mode 100644 charts/gluu/gluu/5.0.302/charts/casa/values.yaml create mode 100644 charts/gluu/gluu/5.0.302/charts/client-api/.helmignore create mode 100644 charts/gluu/gluu/5.0.302/charts/client-api/Chart.yaml create mode 100644 
charts/gluu/gluu/5.0.302/charts/client-api/README.md create mode 100644 charts/gluu/gluu/5.0.302/charts/client-api/templates/_helpers.tpl create mode 100644 charts/gluu/gluu/5.0.302/charts/client-api/templates/client-api-destination-rules.yaml create mode 100644 charts/gluu/gluu/5.0.302/charts/client-api/templates/deployment.yaml create mode 100644 charts/gluu/gluu/5.0.302/charts/client-api/templates/hpa.yaml create mode 100644 charts/gluu/gluu/5.0.302/charts/client-api/templates/networkpolicy.yaml create mode 100644 charts/gluu/gluu/5.0.302/charts/client-api/templates/service.yaml create mode 100644 charts/gluu/gluu/5.0.302/charts/client-api/templates/user-custom-secret-envs.yaml create mode 100644 charts/gluu/gluu/5.0.302/charts/client-api/values.yaml create mode 100644 charts/gluu/gluu/5.0.302/charts/cn-istio-ingress/.helmignore create mode 100644 charts/gluu/gluu/5.0.302/charts/cn-istio-ingress/Chart.yaml create mode 100644 charts/gluu/gluu/5.0.302/charts/cn-istio-ingress/README.md create mode 100644 charts/gluu/gluu/5.0.302/charts/cn-istio-ingress/templates/_helpers.tpl create mode 100644 charts/gluu/gluu/5.0.302/charts/cn-istio-ingress/templates/gateway.yaml create mode 100644 charts/gluu/gluu/5.0.302/charts/cn-istio-ingress/values.yaml create mode 100644 charts/gluu/gluu/5.0.302/charts/config-api/.helmignore create mode 100644 charts/gluu/gluu/5.0.302/charts/config-api/Chart.yaml create mode 100644 charts/gluu/gluu/5.0.302/charts/config-api/README.md create mode 100644 charts/gluu/gluu/5.0.302/charts/config-api/templates/_helpers.tpl create mode 100644 charts/gluu/gluu/5.0.302/charts/config-api/templates/config-api-destination-rules.yaml create mode 100644 charts/gluu/gluu/5.0.302/charts/config-api/templates/deployment.yaml create mode 100644 charts/gluu/gluu/5.0.302/charts/config-api/templates/hpa.yaml create mode 100644 charts/gluu/gluu/5.0.302/charts/config-api/templates/service.yaml create mode 100644 
charts/gluu/gluu/5.0.302/charts/config-api/values.yaml create mode 100644 charts/gluu/gluu/5.0.302/charts/config/.helmignore create mode 100644 charts/gluu/gluu/5.0.302/charts/config/Chart.yaml create mode 100644 charts/gluu/gluu/5.0.302/charts/config/README.md create mode 100644 charts/gluu/gluu/5.0.302/charts/config/templates/_helpers.tpl create mode 100644 charts/gluu/gluu/5.0.302/charts/config/templates/admin-ui-secrets.yaml create mode 100644 charts/gluu/gluu/5.0.302/charts/config/templates/clusterrolebinding.yaml create mode 100644 charts/gluu/gluu/5.0.302/charts/config/templates/configmaps.yaml create mode 100644 charts/gluu/gluu/5.0.302/charts/config/templates/load-init-config.yml create mode 100644 charts/gluu/gluu/5.0.302/charts/config/templates/ob-secrets.yaml create mode 100644 charts/gluu/gluu/5.0.302/charts/config/templates/rolebinding.yaml create mode 100644 charts/gluu/gluu/5.0.302/charts/config/templates/roles.yaml create mode 100644 charts/gluu/gluu/5.0.302/charts/config/templates/secrets.yaml create mode 100644 charts/gluu/gluu/5.0.302/charts/config/templates/service.yaml create mode 100644 charts/gluu/gluu/5.0.302/charts/config/templates/upgrade-ldap-101-jans.yaml create mode 100644 charts/gluu/gluu/5.0.302/charts/config/templates/user-custom-envs.yaml create mode 100644 charts/gluu/gluu/5.0.302/charts/config/values.yaml create mode 100644 charts/gluu/gluu/5.0.302/charts/fido2/.helmignore create mode 100644 charts/gluu/gluu/5.0.302/charts/fido2/Chart.yaml create mode 100644 charts/gluu/gluu/5.0.302/charts/fido2/README.md create mode 100644 charts/gluu/gluu/5.0.302/charts/fido2/templates/_helpers.tpl create mode 100644 charts/gluu/gluu/5.0.302/charts/fido2/templates/deployment.yml create mode 100644 charts/gluu/gluu/5.0.302/charts/fido2/templates/fido2-destination-rules.yaml create mode 100644 charts/gluu/gluu/5.0.302/charts/fido2/templates/fido2-virtual-services.yaml create mode 100644 charts/gluu/gluu/5.0.302/charts/fido2/templates/hpa.yaml 
create mode 100644 charts/gluu/gluu/5.0.302/charts/fido2/templates/service.yml create mode 100644 charts/gluu/gluu/5.0.302/charts/fido2/templates/user-custom-secret-envs.yaml create mode 100644 charts/gluu/gluu/5.0.302/charts/fido2/values.yaml create mode 100644 charts/gluu/gluu/5.0.302/charts/nginx-ingress/.helmignore create mode 100644 charts/gluu/gluu/5.0.302/charts/nginx-ingress/Chart.yaml create mode 100644 charts/gluu/gluu/5.0.302/charts/nginx-ingress/README.md create mode 100644 charts/gluu/gluu/5.0.302/charts/nginx-ingress/templates/_helpers.tpl create mode 100644 charts/gluu/gluu/5.0.302/charts/nginx-ingress/templates/admin-ui-ingress.yaml create mode 100644 charts/gluu/gluu/5.0.302/charts/nginx-ingress/templates/auth-server-protected-ingress.yaml create mode 100644 charts/gluu/gluu/5.0.302/charts/nginx-ingress/templates/casa-ingress.yaml create mode 100644 charts/gluu/gluu/5.0.302/charts/nginx-ingress/templates/ingress.yaml create mode 100644 charts/gluu/gluu/5.0.302/charts/nginx-ingress/values.yaml create mode 100644 charts/gluu/gluu/5.0.302/charts/opendj/.helmignore create mode 100644 charts/gluu/gluu/5.0.302/charts/opendj/Chart.yaml create mode 100644 charts/gluu/gluu/5.0.302/charts/opendj/README.md create mode 100644 charts/gluu/gluu/5.0.302/charts/opendj/templates/_helpers.tpl create mode 100644 charts/gluu/gluu/5.0.302/charts/opendj/templates/configmaps.yaml create mode 100644 charts/gluu/gluu/5.0.302/charts/opendj/templates/cronjobs.yaml create mode 100644 charts/gluu/gluu/5.0.302/charts/opendj/templates/hpa.yaml create mode 100644 charts/gluu/gluu/5.0.302/charts/opendj/templates/opendj-destination-rules.yaml create mode 100644 charts/gluu/gluu/5.0.302/charts/opendj/templates/secrets.yaml create mode 100644 charts/gluu/gluu/5.0.302/charts/opendj/templates/service.yaml create mode 100644 charts/gluu/gluu/5.0.302/charts/opendj/templates/statefulset.yaml create mode 100644 charts/gluu/gluu/5.0.302/charts/opendj/templates/storageclass.yaml create mode 
100644 charts/gluu/gluu/5.0.302/charts/opendj/templates/user-custom-secret-envs.yaml create mode 100644 charts/gluu/gluu/5.0.302/charts/opendj/values.yaml create mode 100644 charts/gluu/gluu/5.0.302/charts/oxpassport/.helmignore create mode 100644 charts/gluu/gluu/5.0.302/charts/oxpassport/Chart.yaml create mode 100644 charts/gluu/gluu/5.0.302/charts/oxpassport/README.md create mode 100644 charts/gluu/gluu/5.0.302/charts/oxpassport/templates/_helpers.tpl create mode 100644 charts/gluu/gluu/5.0.302/charts/oxpassport/templates/deployment.yaml create mode 100644 charts/gluu/gluu/5.0.302/charts/oxpassport/templates/hpa.yaml create mode 100644 charts/gluu/gluu/5.0.302/charts/oxpassport/templates/oxpassport-destination-rules.yaml create mode 100644 charts/gluu/gluu/5.0.302/charts/oxpassport/templates/oxpassport-virtual-services.yaml create mode 100644 charts/gluu/gluu/5.0.302/charts/oxpassport/templates/service.yaml create mode 100644 charts/gluu/gluu/5.0.302/charts/oxpassport/templates/user-custom-secret-envs.yaml create mode 100644 charts/gluu/gluu/5.0.302/charts/oxpassport/values.yaml create mode 100644 charts/gluu/gluu/5.0.302/charts/oxshibboleth/.helmignore create mode 100644 charts/gluu/gluu/5.0.302/charts/oxshibboleth/Chart.yaml create mode 100644 charts/gluu/gluu/5.0.302/charts/oxshibboleth/README.md create mode 100644 charts/gluu/gluu/5.0.302/charts/oxshibboleth/templates/_helpers.tpl create mode 100644 charts/gluu/gluu/5.0.302/charts/oxshibboleth/templates/hpa.yaml create mode 100644 charts/gluu/gluu/5.0.302/charts/oxshibboleth/templates/oxshibboleth-destination-rules.yaml create mode 100644 charts/gluu/gluu/5.0.302/charts/oxshibboleth/templates/oxshibboleth-virtual-services.yaml create mode 100644 charts/gluu/gluu/5.0.302/charts/oxshibboleth/templates/service.yaml create mode 100644 charts/gluu/gluu/5.0.302/charts/oxshibboleth/templates/statefulset.yaml create mode 100644 charts/gluu/gluu/5.0.302/charts/oxshibboleth/templates/user-custom-secret-envs.yaml 
create mode 100644 charts/gluu/gluu/5.0.302/charts/oxshibboleth/values.yaml create mode 100644 charts/gluu/gluu/5.0.302/charts/persistence/.helmignore create mode 100644 charts/gluu/gluu/5.0.302/charts/persistence/Chart.yaml create mode 100644 charts/gluu/gluu/5.0.302/charts/persistence/README.md create mode 100644 charts/gluu/gluu/5.0.302/charts/persistence/templates/_helpers.tpl create mode 100644 charts/gluu/gluu/5.0.302/charts/persistence/templates/jobs.yml create mode 100644 charts/gluu/gluu/5.0.302/charts/persistence/templates/service.yaml create mode 100644 charts/gluu/gluu/5.0.302/charts/persistence/templates/user-custom-secret-envs.yaml create mode 100644 charts/gluu/gluu/5.0.302/charts/persistence/values.yaml create mode 100644 charts/gluu/gluu/5.0.302/charts/scim/.helmignore create mode 100644 charts/gluu/gluu/5.0.302/charts/scim/Chart.yaml create mode 100644 charts/gluu/gluu/5.0.302/charts/scim/README.md create mode 100644 charts/gluu/gluu/5.0.302/charts/scim/templates/_helpers.tpl create mode 100644 charts/gluu/gluu/5.0.302/charts/scim/templates/deployment.yml create mode 100644 charts/gluu/gluu/5.0.302/charts/scim/templates/hpa.yaml create mode 100644 charts/gluu/gluu/5.0.302/charts/scim/templates/scim-destination-rules.yaml create mode 100644 charts/gluu/gluu/5.0.302/charts/scim/templates/scim-virtual-services.yaml create mode 100644 charts/gluu/gluu/5.0.302/charts/scim/templates/service.yml create mode 100644 charts/gluu/gluu/5.0.302/charts/scim/templates/user-custom-secret-envs.yaml create mode 100644 charts/gluu/gluu/5.0.302/charts/scim/values.yaml create mode 100644 charts/gluu/gluu/5.0.302/get_helm.sh create mode 100644 charts/gluu/gluu/5.0.302/openbanking-values.yaml create mode 100644 charts/gluu/gluu/5.0.302/questions.yaml create mode 100644 charts/gluu/gluu/5.0.302/templates/_helpers.tpl create mode 100644 charts/gluu/gluu/5.0.302/values.schema.json create mode 100644 charts/gluu/gluu/5.0.302/values.yaml create mode 100644 
charts/k10/k10/4.5.1100/Chart.yaml create mode 100644 charts/k10/k10/4.5.1100/README.md create mode 100644 charts/k10/k10/4.5.1100/app-readme.md create mode 100644 charts/k10/k10/4.5.1100/charts/grafana/.helmignore create mode 100644 charts/k10/k10/4.5.1100/charts/grafana/Chart.yaml create mode 100644 charts/k10/k10/4.5.1100/charts/grafana/README.md create mode 100644 charts/k10/k10/4.5.1100/charts/grafana/templates/NOTES.txt create mode 100644 charts/k10/k10/4.5.1100/charts/grafana/templates/_definitions.tpl create mode 100644 charts/k10/k10/4.5.1100/charts/grafana/templates/_helpers.tpl create mode 100644 charts/k10/k10/4.5.1100/charts/grafana/templates/_pod.tpl create mode 100644 charts/k10/k10/4.5.1100/charts/grafana/templates/clusterrole.yaml create mode 100644 charts/k10/k10/4.5.1100/charts/grafana/templates/clusterrolebinding.yaml create mode 100644 charts/k10/k10/4.5.1100/charts/grafana/templates/configmap-dashboard-provider.yaml create mode 100644 charts/k10/k10/4.5.1100/charts/grafana/templates/configmap.yaml create mode 100644 charts/k10/k10/4.5.1100/charts/grafana/templates/dashboards-json-configmap.yaml create mode 100644 charts/k10/k10/4.5.1100/charts/grafana/templates/deployment.yaml create mode 100644 charts/k10/k10/4.5.1100/charts/grafana/templates/headless-service.yaml create mode 100644 charts/k10/k10/4.5.1100/charts/grafana/templates/hpa.yaml create mode 100644 charts/k10/k10/4.5.1100/charts/grafana/templates/image-renderer-deployment.yaml create mode 100644 charts/k10/k10/4.5.1100/charts/grafana/templates/image-renderer-network-policy.yaml create mode 100644 charts/k10/k10/4.5.1100/charts/grafana/templates/image-renderer-service.yaml create mode 100644 charts/k10/k10/4.5.1100/charts/grafana/templates/ingress.yaml create mode 100644 charts/k10/k10/4.5.1100/charts/grafana/templates/networkpolicy.yaml create mode 100644 charts/k10/k10/4.5.1100/charts/grafana/templates/poddisruptionbudget.yaml create mode 100644 
charts/k10/k10/4.5.1100/charts/grafana/templates/podsecuritypolicy.yaml create mode 100644 charts/k10/k10/4.5.1100/charts/grafana/templates/pvc.yaml create mode 100644 charts/k10/k10/4.5.1100/charts/grafana/templates/role.yaml create mode 100644 charts/k10/k10/4.5.1100/charts/grafana/templates/rolebinding.yaml create mode 100644 charts/k10/k10/4.5.1100/charts/grafana/templates/secret-env.yaml create mode 100644 charts/k10/k10/4.5.1100/charts/grafana/templates/secret.yaml create mode 100644 charts/k10/k10/4.5.1100/charts/grafana/templates/service.yaml create mode 100644 charts/k10/k10/4.5.1100/charts/grafana/templates/serviceaccount.yaml create mode 100644 charts/k10/k10/4.5.1100/charts/grafana/templates/servicemonitor.yaml create mode 100644 charts/k10/k10/4.5.1100/charts/grafana/templates/statefulset.yaml create mode 100644 charts/k10/k10/4.5.1100/charts/grafana/values.yaml create mode 100644 charts/k10/k10/4.5.1100/charts/prometheus/Chart.yaml create mode 100644 charts/k10/k10/4.5.1100/charts/prometheus/README.md create mode 100644 charts/k10/k10/4.5.1100/charts/prometheus/templates/NOTES.txt create mode 100644 charts/k10/k10/4.5.1100/charts/prometheus/templates/_definitions.tpl create mode 100644 charts/k10/k10/4.5.1100/charts/prometheus/templates/_helpers.tpl create mode 100644 charts/k10/k10/4.5.1100/charts/prometheus/templates/alertmanager/clusterrole.yaml create mode 100644 charts/k10/k10/4.5.1100/charts/prometheus/templates/alertmanager/clusterrolebinding.yaml create mode 100644 charts/k10/k10/4.5.1100/charts/prometheus/templates/alertmanager/cm.yaml create mode 100644 charts/k10/k10/4.5.1100/charts/prometheus/templates/alertmanager/deploy.yaml create mode 100644 charts/k10/k10/4.5.1100/charts/prometheus/templates/alertmanager/headless-svc.yaml create mode 100644 charts/k10/k10/4.5.1100/charts/prometheus/templates/alertmanager/ingress.yaml create mode 100644 charts/k10/k10/4.5.1100/charts/prometheus/templates/alertmanager/netpol.yaml create mode 100644 
charts/k10/k10/4.5.1100/charts/prometheus/templates/alertmanager/pdb.yaml create mode 100644 charts/k10/k10/4.5.1100/charts/prometheus/templates/alertmanager/psp.yaml create mode 100644 charts/k10/k10/4.5.1100/charts/prometheus/templates/alertmanager/pvc.yaml create mode 100644 charts/k10/k10/4.5.1100/charts/prometheus/templates/alertmanager/role.yaml create mode 100644 charts/k10/k10/4.5.1100/charts/prometheus/templates/alertmanager/rolebinding.yaml create mode 100644 charts/k10/k10/4.5.1100/charts/prometheus/templates/alertmanager/service.yaml create mode 100644 charts/k10/k10/4.5.1100/charts/prometheus/templates/alertmanager/serviceaccount.yaml create mode 100644 charts/k10/k10/4.5.1100/charts/prometheus/templates/alertmanager/sts.yaml create mode 100644 charts/k10/k10/4.5.1100/charts/prometheus/templates/node-exporter/daemonset.yaml create mode 100644 charts/k10/k10/4.5.1100/charts/prometheus/templates/node-exporter/psp.yaml create mode 100644 charts/k10/k10/4.5.1100/charts/prometheus/templates/node-exporter/role.yaml create mode 100644 charts/k10/k10/4.5.1100/charts/prometheus/templates/node-exporter/rolebinding.yaml create mode 100644 charts/k10/k10/4.5.1100/charts/prometheus/templates/node-exporter/serviceaccount.yaml create mode 100644 charts/k10/k10/4.5.1100/charts/prometheus/templates/node-exporter/svc.yaml create mode 100644 charts/k10/k10/4.5.1100/charts/prometheus/templates/pushgateway/clusterrole.yaml create mode 100644 charts/k10/k10/4.5.1100/charts/prometheus/templates/pushgateway/clusterrolebinding.yaml create mode 100644 charts/k10/k10/4.5.1100/charts/prometheus/templates/pushgateway/deploy.yaml create mode 100644 charts/k10/k10/4.5.1100/charts/prometheus/templates/pushgateway/ingress.yaml create mode 100644 charts/k10/k10/4.5.1100/charts/prometheus/templates/pushgateway/netpol.yaml create mode 100644 charts/k10/k10/4.5.1100/charts/prometheus/templates/pushgateway/pdb.yaml create mode 100644 
charts/k10/k10/4.5.1100/charts/prometheus/templates/pushgateway/psp.yaml create mode 100644 charts/k10/k10/4.5.1100/charts/prometheus/templates/pushgateway/pvc.yaml create mode 100644 charts/k10/k10/4.5.1100/charts/prometheus/templates/pushgateway/service.yaml create mode 100644 charts/k10/k10/4.5.1100/charts/prometheus/templates/pushgateway/serviceaccount.yaml create mode 100644 charts/k10/k10/4.5.1100/charts/prometheus/templates/server/clusterrole.yaml create mode 100644 charts/k10/k10/4.5.1100/charts/prometheus/templates/server/clusterrolebinding.yaml create mode 100644 charts/k10/k10/4.5.1100/charts/prometheus/templates/server/cm.yaml create mode 100644 charts/k10/k10/4.5.1100/charts/prometheus/templates/server/deploy.yaml create mode 100644 charts/k10/k10/4.5.1100/charts/prometheus/templates/server/headless-svc.yaml create mode 100644 charts/k10/k10/4.5.1100/charts/prometheus/templates/server/ingress.yaml create mode 100644 charts/k10/k10/4.5.1100/charts/prometheus/templates/server/netpol.yaml create mode 100644 charts/k10/k10/4.5.1100/charts/prometheus/templates/server/pdb.yaml create mode 100644 charts/k10/k10/4.5.1100/charts/prometheus/templates/server/psp.yaml create mode 100644 charts/k10/k10/4.5.1100/charts/prometheus/templates/server/pvc.yaml create mode 100644 charts/k10/k10/4.5.1100/charts/prometheus/templates/server/rolebinding.yaml create mode 100644 charts/k10/k10/4.5.1100/charts/prometheus/templates/server/service.yaml create mode 100644 charts/k10/k10/4.5.1100/charts/prometheus/templates/server/serviceaccount.yaml create mode 100644 charts/k10/k10/4.5.1100/charts/prometheus/templates/server/sts.yaml create mode 100644 charts/k10/k10/4.5.1100/charts/prometheus/templates/server/vpa.yaml create mode 100644 charts/k10/k10/4.5.1100/charts/prometheus/values.yaml create mode 100644 charts/k10/k10/4.5.1100/config.json create mode 100644 charts/k10/k10/4.5.1100/eula.txt create mode 100644 charts/k10/k10/4.5.1100/files/favicon.png create mode 100644 
charts/k10/k10/4.5.1100/files/kasten-logo.svg create mode 100644 charts/k10/k10/4.5.1100/files/styles.css create mode 100644 charts/k10/k10/4.5.1100/license create mode 100644 charts/k10/k10/4.5.1100/questions.yaml create mode 100644 charts/k10/k10/4.5.1100/templates/NOTES.txt create mode 100644 charts/k10/k10/4.5.1100/templates/_definitions.tpl create mode 100644 charts/k10/k10/4.5.1100/templates/_helpers.tpl create mode 100644 charts/k10/k10/4.5.1100/templates/_k10_container.tpl create mode 100644 charts/k10/k10/4.5.1100/templates/_k10_metering.tpl create mode 100644 charts/k10/k10/4.5.1100/templates/_k10_serviceimage.tpl create mode 100644 charts/k10/k10/4.5.1100/templates/_k10_template.tpl create mode 100644 charts/k10/k10/4.5.1100/templates/api-tls-secrets.yaml create mode 100644 charts/k10/k10/4.5.1100/templates/apiservice.yaml create mode 100644 charts/k10/k10/4.5.1100/templates/daemonsets.yaml create mode 100644 charts/k10/k10/4.5.1100/templates/deployments.yaml create mode 100644 charts/k10/k10/4.5.1100/templates/fluentbit-configmap.yaml create mode 100644 charts/k10/k10/4.5.1100/templates/gateway-ext.yaml create mode 100644 charts/k10/k10/4.5.1100/templates/gateway.yaml create mode 100644 charts/k10/k10/4.5.1100/templates/grafana-scc.yaml create mode 100644 charts/k10/k10/4.5.1100/templates/ingress.yaml create mode 100644 charts/k10/k10/4.5.1100/templates/k10-config.yaml create mode 100644 charts/k10/k10/4.5.1100/templates/k10-eula.yaml create mode 100644 charts/k10/k10/4.5.1100/templates/kopia-tls-certs.yaml create mode 100644 charts/k10/k10/4.5.1100/templates/license.yaml create mode 100644 charts/k10/k10/4.5.1100/templates/mutatingwebhook.yaml create mode 100644 charts/k10/k10/4.5.1100/templates/networkpolicy.yaml create mode 100644 charts/k10/k10/4.5.1100/templates/prometheus-configmap.yaml create mode 100644 charts/k10/k10/4.5.1100/templates/prometheus-service.yaml create mode 100644 charts/k10/k10/4.5.1100/templates/rbac.yaml create mode 100644 
charts/k10/k10/4.5.1100/templates/route.yaml create mode 100644 charts/k10/k10/4.5.1100/templates/scc.yaml create mode 100644 charts/k10/k10/4.5.1100/templates/secrets.yaml create mode 100644 charts/k10/k10/4.5.1100/templates/serviceaccount.yaml create mode 100644 charts/k10/k10/4.5.1100/templates/v0services.yaml create mode 100644 charts/k10/k10/4.5.1100/triallicense create mode 100644 charts/k10/k10/4.5.1100/values.schema.json create mode 100644 charts/k10/k10/4.5.1100/values.yaml 
diff --git a/assets/federatorai/federatorai-5.0.0.tgz b/assets/federatorai/federatorai-5.0.0.tgz new file mode 100644 index 0000000000000000000000000000000000000000..701eb2583c070e3eda9facf80c0d54bc77258cfd GIT binary patch literal 15737 zcmch;Wl&sC^eqa(Ef9hP2~Kc#CpZKN?(Xg`1Hpm@m%-iLA-H>Rhu|&&28VewzkA>P zSG}tD_0EUh-RJDJy4Q5?-7|IikVYZnz(7A>Iv56H85LGj83k^6Z$2&)4h>c_RW55C zRX%Pd4GnGuO*@luAKnL7dP+|VasY4A!4rkZ(m0iJs0Wlx1eK-R#8aq2 z#>rNkg!VR8MqsIenLdDN3@9c@OI*K_PDjLA#gr2(W`T!O0X6sN3aG5ZS#Cm&wQPqtqCDb{4DhOm%KM=@c%RL7CC=AFCF_Szwba(Y; zi=jfWrqH~y$0DcOuMfsj$E>nI&X+hoOr)ZU3!oqiWnAzIHH#=!c_rr(_ZqZj#z5jo z$POk@Pqr4sCiwITc|4NJ@~0e#QC4n+EN8x96gBT}kP}doLr1JYLRKzcPC^|M-&qj9 z&rf0z`&~}78Jl_p_I3lWf|W$vtcn)iT(58fQ5;U}P%!!YIthB71IO1=RapyUbzDjj z@lx@VBsw(nmo?^c39JXs59*DgDo^kzu2%2yoPpGwpTwAa-aH5|C;!ZrP|I|E8tAM0 zf+JSvq_58!<*hvUTL#AhWz@vrCuR9)ePJmL-T}Orl=mrn*QGKwLX!z@0SV=rHIof~ z;V0`QEOAb8bh4;g30F!L=bcEwHmca!cm)qgb-4zPRI@0u>yu-A|9-&jo_GSh4+$c zc-e7=yt2xl+dGZvPQQ|%C+e@`CwyU<%Ew_84E4M!xG}YkrIgjYzRvN7RU*oBSO zi69KIBtxm4QU}E8u3o>W!acx#ZREHhRuoX_%0%uDVp~X!Wo7tn<}`LP?fHV>x!1Cv zy*{@39O^Njce5eF*M=Lotc=!nF+=6Iy=dv%ca(`#Ib(G^RC2_}2{;XVwdMJM zEWoFtiIS>t-NMSvGIIaI+;Dl>A7mIuot-^V5`b}HB@n(<1$UJRVI|9MsW4v5Lfx3? zf{pyC!)f}d3g5capht+o`@&4#XRzNKam0|=0nzYiVPS+W4@2c2u(YW{-H$hbimEC4 z6Zo7QVXjKpU~gy9sddHczL!zCZZmD@2JT2jzxt6f**Rfg=6auY-Cq8>@AKl4)xMk+ zlT=Dl85oqOQo}p(K|9XH=TKQ8_ESD$Xv49CsMKZI0;Wv3($mjt+kb3mNV4a6 z?2!=pbl|8@{BT(bj7w&}OQ+%r)pTWgdT{;T)KqeWE;(z)y%)O=C$M%OEBEh)qUOYh zNhGR>-waqiYK`DJz`c|yI;b3DfO9*{vJrwDsw+jf1srKEMUx>(G@?JB9f!f(TjCPDGD; zqS`-}14n(W$$^`F^2{10>Z-KO#nr_P!Ip-OHh)>m)PK&hzQeaGH;UF-&4q1EO&wJw zB}vYYe1`6XzN_trExv_(v9*B>A^qgG*)6#7Ztfn_Os3C!M|;J2%OW);Rcrko%;Qnw ze^wXP=NfVwIu^t$>?V$HMCwMLh&wHCar!FXvXl`iUbP~SRrpN~%D#0Pr;-(o3s+g} z%WRnu5|W`T9vtHWX+LPx47$5!+L;)G`Q`{pjSUaNPC4H5;nM=%~? zbON{OZsHpVEW~yZ7OZg6^6h6;YA-v80}4&Dnp3Sm>7;+y3~+OAb_jp?CY4nqwSQ`= zP&VPN`OH@88ldax>1(@|ka9tNv)1mrDj*QMghoGx&8QL*3Y%GAw_z^2t!`48J3>Xk z{d!f*5`s@R{h{KKT|i`hR)6(whj+YCv}M4$&LG_@{`+c?49d>b0L}q|0=X*(Y94{? 
z-3CjjX$%DOUa#Dj+KKDQ+Cqo@koJj}8geuKd|X*F-3|&h>$j!v_)NFp zc}e3}%Z{I}ZzWVt?9p6YlynDuwylor7&i$*barfVk}XtNOOMb8w!x}AnsuuHUqY?0lQ0WgdIDa{ zR=Rv8J9cV)wy%vs6asy8$Q34kzfeD_D!!`mYzgs)(l)n5Ytj) z6_$`j{+qVpOtYYi|HfaV8jB*B{sX8vOhcK9*dscFw_2-37^$FLCA82xN`Q^1ddI3B z7^!X`pAn2ypgj{E9{q0l7ee+8dIJ-Xl+lD-+MBT1(l9K8CZx7ljxz$mKtAEr@kSH6 zUDi=K3Xt~K@M{u(?Rd{B70VT#NmTN3ljK6qyyYqObe6eVs*mv&4@o-ghv%PSX3xG= z>0dQKI$H@*lQQX{|Jui;FBY#d$ISbSt^oa{~cF+^lR{UzH z%vsUDMfn(Wy`~OMenWWGcs`29022{~vxBg)P|l4 z4;FIicK{VDUc`W6H9|0#6xuylA(Bh8S<7rC`^AxZq{rkaD6T?#_N|uh{8^s6p>64>Quk#jtRsv~lmHFR>-<5Yu z^Ll$o)G7-jY|f;uqY1a#k0;AN%+)++*(uSff`4HU!0i~P!)la+-Rt^5;9{-M4}j(< z$Y%A_alg{rVT}W5TK!}5eJP9Gpgg`tfV8VjrTuL)yb^b)jcPyC;VuGBO;3q+@E%W*GBY649G@L3(M&L@uu~o zl-D9)aTni(pPZ5sV_l zn?kDq7C)UN9F6PU^{fs%3(WM`>2rL!H&J$TyR4IP_6&lH!mUj<>y9N%+zw7QI zIRLClmOFwE57CC2&tWUywHDmL7Qe1_;n!092!JWHq1$-#bepn2MX3lrsU1+Zej~L7 zsWx)I&|$)k@#u3h8sd({72S*pn#( zONSCpm$K}zROOby)C3eGKBT#0YuVt^3^mQxwFXK#M--ya3nUxG7PCAhf)HjaB= zeD~njS?2ZDaHPK`@&LtUy-Fy1#pdG5sB^MK08dt=h1Uv-R9?u+QC7x&j?_(u)iI&B zxo7sI%)*n0r`Tv2m84TJjx!Q$|9xj-Wx1^`^j=67hgt^PHi?Yh90gcJ{gVPa`8(x5 zI}t`nEpnN^4Zr1h3+0BY5C5U;N>ne#k_c69ny92x(S!t_)0vU@+0e2f>CTUc?+O@5 z!u=-8h5t&pa9)Vav8!PFy5H~?C{XjLCTv?pdb461N=MYA`Gz*X$eB_^9q=2hc~;Aj z!xV<6scEuy^3-etXC8{bfK$#F85Wz*g|Hg!RYB*rFWiAzu*-CcJGxpJUG}ed(!?~x zWZXVri`%!b*lsmb+tH63>DCIN!0mRb?I4X%t)b9@mP=vGf_g@e^wzre!}6b>=6vg^ zHTq9#b7^~whOu63bXJ+3y4Z^}26%^)?0v%p7GZUkQM;BQty(t4;l#bOGn@0b>-xN0<}mlJgA&%E@QlSbO?+3{_Zd!x$oUs*Q59W)keK43?GQ&n=X zsz@0M^p~X~SV>z%luBfqM^AK8>K|<=$|rZ83&xd7UlLcxR;uCX1a#`3MC67sWd^ZP-=^K2evP#d^_KR)68``hD#Z)wy%E%UZZgk1WU}@$L`w2Q0}pg*E@^xBbj7L^_W#>pP;t zFZVgnmc|IV?Nl(9JA_rh$s~4Qr8>{yM;iiaO@iW#Tkm7kp!Y-7e!@3Gn(dU)pK?k9 zhDq)Ll>l{4yPQU%Mbc&*f~YMQK*DR0vIlCc^GJxcJJ5U1^q9ZBMZzI@s-|kRu4=NO zPp^VvE7~-?Kepdje?=qB`LS}2wDxAoKkbT#0jX-YEi5zKJl5>ZV&6phi=Dbh3SZ$< zMrx5H0o#C`J4hpR#Y#|S4}BCH0gZY~ZqUg`_e{Q=FTt89iMpK5$Lu22sLCWHDi#~_ z@Yjq*q+C`}3gF8g|5ri4d~;KynQ~m%>z(X+?E1ZZcolnWY}5O2&icZBbgkyZY3Y2d 
z@+X-b61!7XH41i13c`XIh0TbEcIh=rrOcb|TH%C)6_wrEA!X~=lDcZAH_a{1GHCt~ zAIfE}ESLDO68d>)TpEsmqMn0@&p@7%faZBwhTF;j-o&6r{KF*HS5fP)a-XF4u1(tU z=p=gRx0IIoTX%gKU3%GMsH{zg*bFpeB1x$-o#po8KlYWX;<(6QuOzn1%6viXNFXCd zZ@FWf5kSG_tY(Rm;Os6!a{etAyvX zx@#MDA6ZMt+2d++@K9{E2Y-L!QquHlqE+Ltc7Wf4aoS|x%WWy9O8+4~FwtMCQEkwU zCA(=LS0y zz(F4drCS-?c&__u&++4rWsEG?W3&ARjCiP9wh{BjY~hHN-*%{G+R#h7jSD7@ijwki z9GMlrAgha?sq4o2MXE$5aTS=#?k#^D`ph?Y`GwbchgjkJV_cxCL>)#PZr?vyq4|M` zUZdkAj*fb*$q?+csx1_2+3f}S6uiBNvgp-Arkn9-_ffxyMRjd_vE%+tKMev`oRF9^ zd809+vQcn#9975OFw7BcU-`E>WkohgI3J|gmCNd%T7k7|fBjkh*{r}TM@xNmqU=h`= zrCP+O0V+h}8+hMqf}rL2Sx|wip??v-53XIzlbeiPCIOgCevtK3qe4}SP-1EYF~2b+ zv`?($crvDe>bplMPL70jKE2=UNCGy(<{xHf+6eQ^y#->o7LocwPs`t%FGr|F zIDL=xED=9k|v<_u|^Z#CZ#xnM)X>+tE#aV5{`x znHL7d(UZS+$~>Y?%QqdwiN+^{%;5-mX5D)nP$?{6hs0PfAAeMR{xz*=dtqa3oz2(A zVy~tUYa0I1r1v6Et87jhTiYK<#eiKx4RRQ2#fncIC@Z!9j(1DSmv3TVl={36;L;4| zw3#=`K2Sd*5R4;7we8hX3Ohdn888#0D@vg0x0QFh1IZ=yIX8C|XGa2w*~6VaC@hY{ z#yBk|a_-E3N@<&i7Xl`739p3vs8yC)g$=n5#Ph94}&zvCV0!4S1-JZq!%R9CB1dCMBeuas8T3K3L*J}(d=cKG$Rbs2 zIWF~@KCc%`%#{P4sWIH9`9049EBUXUS_Xe=1Qac5Io=wRFCXgf`WN|YUOy=*`+Knp z9(k#?l%(&*y_H7HF5}C>`}+D4F!XiJReW+OL{1)A#yXfRi*s-qwSU*%g*-RmAh+<$ z)A_mF2!>iq)&gB16CXp@X9Bx~2j@|jQ}0a6ak15|gU5k^Yfbo>N9`b6ji$=?_p|SA zrQEZnfI0T81V`9UX9tRgvDgV=*b(DIQDxc?1oA!JHQ=jJc`Yf6Y2qA=bfbk*dbdaW zg0KQ!jN`FG(MNPjM&T7d&N8RawfBN|3bm!dXJhh*B&mP(G(`&QJJ=Dj%ZH9Q0YD6mxe9&BvJbWD_Lc%SuNs*w z+e`ztn%WB|sUa7u@Ceb=hF+yYNhg^+ScX4#boM7)7S*^eLkzR*W|GSJnz;vec-$d_ z^miZHEDOzzLpJ+ls@y#QGd@x}-sfFQ(QfUy>;Ug3&0Ac`s^9G!Q5s~=mLk^X@lRUw zph|9^!blsC=p#zLx;lfziH;{|OR$a7eN#gJiyy1ihLwU7yQyc^Bf-b7oq1T)^e2>U zyV^CawcKE5WtKiUpn}k?wpxv=%skP1#0-RFS_<6^Y?r13{X4rAq%wj^oocMP!M#?D zoHpk(2fduhFF*G`{5iC5N8Kc;UFo3s<0kvn49n6yXdV%?4X?{y;nSGn@*cLF*VD$c}yPUJmTnacf%A)A#L(x^r6NSr3_&Fta48-9V6V z{v7{@6hjG>NHb61-fdV}Wt&*Hiy@2t2;jZMuP1D;clFo(J&9`>kj5Z+6|M$McBPi3 zzB9b?yX{dHj}rk+5)VieHQ4yYsOV~mOpKGR?o~cTGqs^5`tY)+2@y>nm8D$5Iv$?M zHfO{WFM-^mL7cD$Tn40}qeTmMbrXIZ}ftI9I 
zM5A}>piiGMH&8V7n|bbO#hsB{!9oU4S74kf{pY0q`OT@Xo+0JH%IV+G8jOEKW^-Ot zB0Y>=-lc678=K+9GVID~o10w`dNi~{`u8s#J0v9;mM%;~SDSj_tX-6u=@k7m1FD5s z+T`!o?y2{ zW6*l?N@BvC2gb${tNbKEo0SL`c13`loC)uHLgvjbv7P;G!^QAKEb-Bs3*VRtKIe~` zY~F|1+mGa8k8a2eqv$mWh2?ZqKg>M>EV_k#=hliDdA^9Sk{;GKmDUpU(N_->{W-0E zo2`2+jYkzIsPg8~9UYtAyiHY3duH4^M=E8zI4!YT!+SDT{INUr%2%}8}MF1zl{AgCdO7Tsmqz_pyAl5%f6!~NjqD&5>}@}8cfV4@pT#U8hxpp zITuB6dv9~FQ-WR=n3ZpwGlD0EB(ePcbE)|dP8RD3F4LILYiBfY}Ut8Vb^}FM9 z`;Gl*>9@#ScjVYDs^|>I{W`HU5yeZJ;nH{OV4i z8->X3#~xfuCIc6i5&wrOrK-}Siw^ivUGS5%Uz!&#MTpH1KS>2!B{#8I*x|H%OizVG z@4Is6u)D?e;M}e!su)~Fvc_6f&!{9ZID$UBMRc73KX0=* zn~* z(lM0d%FZ}Zhh-|GpQc_(^VH0`#5+E)le{)pcNFnjFf=$er?>Suv}idHh@aB-_h$1( ztX3fuZ)d{oQ~T7p(zof}1OjAkz|ke`hx>Wp6O%~U`=e^ z?zG-Y*RZN6WW3%g*_q6>swALi&Wvk!(H}Sd-jKWg@4UMyy>HxP04L#;jGF!B7?|#x zo^L8JP!bNcrd+~omoDFo zE33^hFv8kU7bcBFe2BY+;x)`!T04h*#*sQ|GTSZ$G#Eaf!UKI zhl=nP@G_OZ<&DK_X8@{IK<6fR}t-OLE%Rafrw;EU{k077;na zOoc!Z(`D6vp`~jF9N3%NlJzP{1k!y8f@ew6Fxn)yH2+?8+dCvG}al*;v z4uABVTJ`rUFw5(?+m5Y9ptGSpsk5ck(m*e3|WQ8>T zfR{e2qh-nAXc3_aVfjo}_de9qU#4H=KZyivSMqTjcr-EX&{S&C+N=og*5K~qCp1e6 zC(Ea?x>sWEB8uOA;va~zkx>zoN*RtXw@Pjp9Rr@6O13PJ2oNu6Y_Uy*t^(#9)7kZy zx}7cmT}=>S=%-XjrnEXIhwt8Xp*K+FV9(mdhJ@v-#BBdRfsZ94bTr<&TYs{Z<;SlR}A4LaPh`6P9zq^`K@0a~=x zehn}g4u^`^0!WYyp|Pl@Qikb%AxXDkqInS=eJu4zxL2t3;%0}7RR4xl+l5q3>7vKG z_b;~tEz@3}Wn(|sK7O_y*^*kpY}ct_z-!rbT5F~K{dW0+~JyB{}dIkBjI36|OK$Bi{?(T@i3QX_; zj?tgMudb-_hC=3hN`^sSZ-~&L9H{W0ICTT>|KtDMF8?kV@qbfkWL5R#CR_f|sf*;$ zc_+#VGXo>xiV|oAlMnk7k&H0ViliA*$@YU@hr_~vIxxaQZ7R%94MiA-5%<_oQN zWI$D@!z3N6KPV|)#2*1`(vcMkV!(o#v4cHAf+9VR*ioRI%`gyd9rxyUKQ%}sII0<# z_c`IQF=QahsenwP`4Huh7AM&ZRvbjRCPaBM=6^R}BP>wjtVHu67A+2<92=rsg2=c+ zAO$Ak0EcWQP~v}-OF)!EIZ)wcAj+R$q5M$g5s3er3Zh&zKbdA`bucLx!^P5fr3BCYrzU zZXOdlit|6_*icb+|9u4~b_m#2f)R@`A5jdlT-pDZwgc?{dwmb|OAMd{HDV+b7N_X( z{{s>bV0zL?#Ib6gh;m(qfBUX(Ua_+{qqcvQfl8%b#62|L$*SfvhEJ|u$LN!wEMAh2 zeqHA0tMd87zQH@Xt;px1yvT@>dVc?e@B7vz^*{!d@7aZkmWwHrx%A44`vMA`Nva4NoQ!6PhMEnSJU5Fo@?9GV 
z0qZ@KYY2K(&r7McOP+6!?#CJml#ka(8i$jh(^1gwVAWnPXulIA{@Gr4r_^S31W93! zATNXS`Wv=)g`0|$`ge%{A_nm7_oh9p9R|%yj%MKOu-WaA|Df{AHM6`9Pa(Y!CF06X?>h=pLBDvifYuIn|s^f`JsoLG^@K ztShkUR`E02*p*JC$TU3DRvmfATvD5VNY&Ci$2Zc6>YG}t8GN%x|Ki2FpsJ19CL(Cv zVR`l3n8@xNk(=ayH!*ZOjBQ(}|GVD-@lX8-ae=HyePprPrVddfTOPY}kN-FSKs>jM z{&U4gwmWY|XrAeVQg(``$}X=$nC$=Sse@nF*w!;5{03d8BMrOpD>E!3VXak9ejB_N zr_oHHBpe=w7Bm(@@Dli{5@&H?O21XJN2je@ZC^Q~% zF#H~&*AZz6p$^*bpq3dH2NI8w|Hb2G9sGAlJVG3R|0f=4A@K+WX^;g%;&B-hiiE}^ zl+z9t!rcgoN1REd$i*V8uYJUN3n=o0tkwwcpk+@XY$BpOFx9K+- zfLOF1NCN&;^&Liv$QTVWfan99z!?~+|1$tsDaZhz9H{U{oVqYCuuy(z0**%f-&BwR zK)UL;s?r*qBu-K1{frUF2?H4~w1km?BZD+C*C3T&!Z6k_g|KmmqJ%KkDKHQV{01Y# zKm$_<&A|BHjId;rbWn%?ne;fwq(ect$S~H;FfVXWBy`fDoVrkM$fU!{+#t>tGbEJu z{j(A+fQ`|hg_ek%gnuAS?`24(^(IIPju69&Gj}FXssSEq_1E~rYq-QrqtcJ~HCKvkj;1i}a@6uFi+P6g#$c?acQSV83k^297sD|1!F zWhYv~{X!HZyn?JG5)3cSzcYc-a3quc+<#|!@-U&-dkSD74nS(CJ;44uGlp_yB|INJ z!bS2eP}&t0>cEFkT$9ayT~gCi@QCpr8Nxe3$Q-}HK#;5N^}hr`Iq{&}6;m32XMTG( zIwU03Yg4#X2`1M8CwiK)V2WYWG{~SOq7h-BHB2!?zY(F=9jrVYD@G3|%p8n-13c8~ zy)%O7XZ=tAvMEZSwIVFk;s5CGf#`>UfT~0x2m~@RC=#k4%DM6m$_>$P1XNlLT39 z5QqO+ZE}#+1_hzQ=R#%}<{bq2-)e($GC{eatF1`=$80GobR&iA^pM???ElhE|BsdE zX(}b55|_4ljdF%0c)IGdm&PX(A5H(7JaaDnR?GYIn$x=l`(LfhzA_u2MRd~he6@>6EAvtJkk|ZM=y`k`FFWf-s4_Qc50h4IhV75dbgWp(`3ZC_u36cfKM>C>OZPP* zRYp0Spp}*mvBZQ*LZk4j0n12a5|hBrOaT}13nON;$)~CO%`w>4H6$(ipv8_^(;KyY zKv|*6)SAl5!XZurO>{x=(9qM+SZ`-%h+>&Vvc{VskR9;$`2Fo%16iX^P<_Au9!R8- zEnEw1ROf&fv6uN;!OKJQQBz?KcLgoTpbD;h*(D!UwdH%4B$3X|adL@ys>ImToS&Op zk%5ypkMv4PjSA&{f0J^aI*3iLQq4?Ap8yx++s680ze1qmO@CQmdRAR(l~R(?w^n_9 zfugiDppgt_AN>8B!Q>}yZZ~n7_Ttm5M>wOxS3{{b3w%4%5P-^=cK-v zF!Q9c@Z2@Fd%UlpD!ew=2xq{lt*>d`X)rg`9VLzI;=Eq|_cWog_!yHyd##dQgU@70 z(74sO2^^!}=66~|T^WwjBVPCvn8s*@iZ>yWm|!(=W=+hbhr>znC3Dp9lObZ5DshJ- z<&UJ4zWOwhMdWuuqMU>=++3WsfPxvT?d}*1cZL7YIqRjt6F6G_^{^!Dm~t%?i5C9q zzJYVH>(}a70$+H{MYIKya}M1OxS*a@Q8HG~7X5cYJ?S<6j~--L4;t;>imqf=Hwztr zSkL$H?`ZiNd=<%R&yGZm7TSV(N`fHPHYgAe1O9D=2zg)$@g36G=>@;H92wR!HJhze 
z#fJqNrfwkyEM!03Y;SrD_&(EHuoOmh&MGM~d}>n*_w;AKiz?exL-x!2a3QxX|C+by z^8&|gz)TWw0jY8Gn)GxS?6paRwC6FS_NFNM`Csu7=(SlA}?+o?) zj`m+`NV@-(Rgj)^R$BxY9o;{L(`f45W`TBw!j;~yb3aA6kHW>GX8s%5W?@|Qdw62; z#jAYNXl%X-UN}|Mf0`YBeMxGVMXKUAQ@hP;&*C{F*822~rQKp|0L<^D@mBz!_*upE zu5pHCsZys6BGXg&ej}Y`xVz=#ch4H;Qcai9{088p^)AcuQkSjuIm~s_=P7r?Fu-`M zpylFr-~-KFrWX)Li}z%#c`0_8j=#;_<|!ZC_Hd!9p`iSbA-wGU(j6kSd-z&h16pjj z!&pyza9X_RWC~yRp8^xVre0-j`R*afH6Dy>ei3|lRyd?-v^s3vYQx^Y?^pilA+#rb zIN232CJpdS%XEJ(%^JoW@g15LFyFy#xOjQPRRRyg0SG`AYu%@JM4$^$hyOpDzq@Sr z=YUh^+lc*+;uL1#?KJJg=9jIYSMHakBPd_+5g5P%HI^I1`Kf|J&@%g-*T$0>Z zrCvTAQYwW3-Vzm*nz}mIt`2dTO&Hfy{PoGJTTFIYQlH2IQYXXiOFEMn$jP0B+Glt?s z_(+?=;FHa@yKcQ*9+B6xP20QG@6S0a$M_<()+GS&Qy-7g>Tl!K#(O0+y{kpT?#}xV zB>YRy*EW`0cxFCuA}IjR(5n~ICMoRfK)?j@bm8=_8{pBu-kil9OGvchw=~uy!e?jx zJp4<^_qmblGPC0XXm0zK#^1JE?HOwiz6l|!wsu_gzS!~vPX{Z#PU`#STXH!1E&Hj= zC0SoCIb;I)UADIt^{*Cy9ggj{Jp?uGFE0za2kTB7UulH?y=@%`;_>?QZ`^e8do6TV z`vl+tt`@fZ^L%%DW&pfbAuItd7Zby9Gt%!xUUaWp)upBInf(}@o`s3ByK6m6?v^!a z>{jmwCNu8V*6-#zd5GC=HuVh+K*5y!$?Etd{7zTDC;?tHUDIK~_g$)9CE&=Ob~t7c zn@gcDmz~DftEu^_9w)DZp-LjlSJq@#r!(pP%vo^O6D==}E$DDX7ELR7=Qoi_Z- zK%{JcHJkL}_kF#gV8+0dxGdb&)aFLRa-Dz&e zD>(|!Q`V<#!IqIq=Pr+t%StEJ{Kx06-4FE5|5js(n7tp~w)A}_$Vrvn+)hGUb~6$# zGn)_M6fQgGueV=D_uP_vuiBQ=K6Vp(s(^!triHoQnvfqTPTpHp(P>9oVZ%o`zr~6M&e01>NuXs(3HDK5Dwz)X$ zP;q4y zAJ$|!95cY1^WXN@ro9C{Z7Q(09#-=80ls%BAD4cIT%2Wo?|2?MY+56gQ+zpz^5Sr`$g#XDvHO2g-$8pY5vBqqyDPTck8GVbVUbw z^nM@MbneN5?1Tj1x{I9-crjL*{JdLIvWVFI-|yFAbSD$>nu+@WgEWck^^q;2C>THCesc;=QFV{kvaXi=&^a4sdeB;1I7GbCnIs`3?3?s(2 z0`5dEHY@Jqz9k5B-ajiTw?(Si0KnmWO6Jp3xTeIf zUGRdWjMt>i(|DODPYZX<+r2Q+bX35fjuVh7=CX_a7T0U9lA-OR`}A=R*NeraE@sw- z&jAqAwy&+@oA31b?H<^5V_>evTKBh6Dw1LMVKPqw>1)>UvVm0Y%h;nhg^WmN}#;4_?(Y?tr`(Dxk+;6yYJrw21 z{4n~|wXd(L=Vp9(cjZn!hty~OnoC!z#@lV< z^Py7rb$JEgZsMyc__AdwMkmYrW{pOn{n6*&h-J-6!sgyq=cq*B4&^?`x6WZ5idoD9QXM z-oMow_k^z_3t5*ul{%Zx4+2{T&mL}fsapoFu10r?m)Evi25b%sG+fVi{4aI1`qw8l z%x$+O?WdM)hr%R&`=D^Z^HA_GX-bFHLXqR0LCawTht=&vFkXP=BSG7MZTj@oO5@z# 
zE!_0m_U`@$K;+xY!tw=+W13H)u!Ozisa2=F&LzNaGWhzOcIuH-H)g&h9r_ArKfZL) zqoL|X;g3f{adFj;6X53Xy)AD+-mriCBTYu%g7aS5h@5Rl+cqRtCq-@)Kcv!BSddU_ zAaicen;TCMX<;ScxEk|^v&z}1CD+Sf%PL@zH%kk}x*=2*;b{HCuilxB=By2|L19q% z_Mk>wRNIr%F&9}l>a1pZ*=lA}N|LuraFFL*oUToz@sm;6pvj}?K-Hi@t-p(qsBzs#a`=r902CrD>S@>H zRyNElvK>nu#@96JvzTcA>fh*V?=JMEjHAyTZc-TCI59kfQfwktRb@UhX~0RZbfy~Q_}x>;Zb70F-cawqs*u^A#sUk0RDK(GD0rNV~dU+kUb? zUhC$WIilP;^fpt_w-lwB3tdy}Ghq~V>&6gx>Mgf!TdimUCZwP literal 0 HcmV?d00001 
diff --git a/assets/gluu/gluu-5.0.302.tgz b/assets/gluu/gluu-5.0.302.tgz new file mode 100644 index 0000000000000000000000000000000000000000..75334b062d07bac833387ffd7c40675cfdff2961 GIT binary patch literal 111456 zcmV*7KytqyiwG0|00000|0w_~VMtOiV@ORlOnEsqVl!4SWK%V1T2nbTPgYhoO;>Dc zVQyr3R8em|NM&qo0PMYcf7>>)Fx-D%e+oS6d48L8Em^)K+v=R%KC11cYJFQvZg#in zNgxuEP?G=yfVR~t-~IjJ#*0K!q$E3bLhUw|NMJBC00uLI!C>r#;m+X%GSQks-}~x5 zKJ9k9{qo>I{cX3~^M7CLzx>-*y9ax_2m3D$+Peo|wRiV+U%dPZwC@F*xlhOiWM8${ zZfl;nC-Q-WPyq#|gm<<8fK1>Kbi^bawlLjsCXkE~?||7B001<>Rp3H_0Q7F*lxLKu zL_kb zIAjXBrfIwwY*d35W2wq5$1*Bb0BnR^x>pEBl_-Ef14P{4(;%c68X*^H;&*hB&I<|S zor`W#^#jB><^mB172=U7*YqfK3wx3~*e`@83oO*18_gbe5aFl;x&d@1sJYi_FBS?I zV#q^KmW!r^0|oTxxaB}0Jfx-)lGQMBJ0O5e5H%DQi@BHw9-KBc6|cQ81cx3CUC?t8 z5m-zCBrfPW4&oe~sxjpwA~Inav}VTqL^+5eFmQ z*=ow6=3=1=j6FJpUQ3Uv79w!yA$JR;M*9{339LD{qe8j=?`$rkntV9Jr21J{i8 zRbcC}w*WU9wX48Ph@b_)X<@e#bl1nE87}g|zE}~in#c=4tpHdBqMSqv0L|1}1s)k= za@WLU%n;`bfKzW*9SwJUf`>!uAu(AT6N#5A!w(?m0c9csx_!0kEP)&@&JW1p`lC3t zkQNQ;`4x91I-=Eck(%WCy9(^YBC!BGz0j-z9dm(cD;|LcY0^|LDhy2*afjhR16NYs zh;%94BT=7_?-MFpng|i_&d$#5?QKiS^A=^}E$m1j_LY6S<5GvKU#91FM({=!ZDEIQ zU57&yN&dh5wZLG4I076A zfytNymjXfsfTIy|1R#_F$WW@TGl5KOMG%^{sx&X1kTFC=BuSL03xhF(F6t=tTR=8O za|NtQZuIj7S*h!d%`fOUC=e%B6<5!sxZweG>~Ev#o+&A$OGsUzr{%G3XtB&9970`W zimO*q!9OTT{KA3#ZtPw46uDSfoNvuDZ#b9+aeI&vOSM^?5+p-Lx{iN{n1~+U1kNFL zSqC)QE%m>hwz4j0=uC#v;!vd=FXRHTLdpQ}=cJM*Wl37 z3Zw-kdl3rcf@`Gw6#(#XDDAnfClDi0;G1+0JJk0nNj*xz)T{$iRDv-gNZH;obU_95 z&O(2P*!k%AE|J+9pd zPIi%t-94#>-%@7hp0Y5R-?wtjz}Qlv6m+G{1zunEz=*Q6PY2MEl8{M@&zfiwQw8AA z)Ih4}kCfp*sGKhs)a{0XatC_KP@DwNh!HCo1Pe7KJ|>qa@UR1U2kh!c@GkMFoe;H$ z7gtvTd-xB9;ss)koStLU0WaES_&1xtM}lF813X$%4PdSo2#$nqSXYb&pMutRpohsA zTu=`?80o1qL=$*}DeHhgKU!vVUDpT~xzza3Q~EAf;{zaa!-1fRPm-Hhsp%nS$K=Kg zl^h`1HD&P|$gpJRZU-o(NOMnDGl(rhEyO1us;-tpu1h!wBzvY?K>kpyvU5DEaO6*M z3D;xDKu)Zks$Nh220`d~8m2@!(xL}BD?@tWLm=~oQnJc@{OosUJ@C_o;%$y+TiHS2o&b8_jCB~Gb3$YXm1R)o>611&y z!RXNHbWYHx&NUJieJNo(;M?}MZ6naJz|cEF9-Q`(w4!+jyfi`z`-p}jdi+9nD`J?s 
z(ZfCcbOf;%GBlVl#3$5qJ7BM!O&3GZ#T5yQ>O5M?AejQ_Y8M3bjGn-Om_VWEkdtbN z02BhsW!=iEfVz=ZVFh(5$fq^^n@usnT&~r!ln*fhJt7riB)|wda&2~~A5embqUp64hAq$& zf8oj1O>>AL5i-dxdW{I*20y(S{6+hvaI^)%Ibw=1X-{Gv0q{dEBzNZ;Z*3)a_G-1K9qLo*OR5#S%zD83n2MxFb6B;tUmA8%Csg;l~KnY1iz{n1s_E*zOa+=6dOZKz1l3IL!hT>aC_CXH8vxfZBcrNWp z2srXaO>0iyqM`CYK~GIfMBHY`5mRDMW1=Lzw8|YljikJWDF;Eo&g&Ba3 zBl}8{2{kU-kRl})$0STuWjhuV2-IiO#i(JUE zRCC!71HV^3tm_%5m7vd12|C5D>!Dl75a?d?Bu^*E3jhq1y z9h7amQ9_y86*0m1;NLU^KAeJEN?gRi?PLn<)(Alk;vBMR3-ko=;Wgp_3xFWUh-rbM zqK}hp8tHG^;&@Dyc}-kkh?O{w5ELOpd>h~8#(IR!Ql&>LgpoYHm?&u>@I>w9q3Ic7oBep4)zyypU1ZUQ6-$^ z;9x(WhRWeAwWjv@Yift7xYqzO=p!K&BsnhCnH(JWhbc>79v!Pb)?lxCE!Af}CKpjG^8j(N zySIPvbu@9Xn6|)`f);Z%xYGw>2(NmX-*s&lDViyu`@9oYZv?st0$UGASJz=Z;;V0;%t4>_U* z-uqMj!Fw-t`}e_Eeli&NFWljwOeUz%94MVDh^Y9&L8KNqGyzG(auz{;WIb{c`;7 z;`p-P>kp344v*h&gZG!mN4@_0mg?Bv*}K!@)AP%Jzi)vf-2-agWL1qYQElk66N|+X zs6@)4iMKPBosI-e%>;EmM0b#hWt-5@bEUNP&`8)RXU2%0w~1q_F=pyfH^6H09wH_V zNoPKvL@{y+vv-pyE@BurR1(i2Cazo~)Uj-hgVt8Ttz4dP0GLWF0vt%xfi1H!=?RdZ6FB5{il0WKb?4I8zRU`C0Lq<*7zc07;XM%y@mODdg(vrJn5v1@A#PA$_s z3jd6VGxdK^XkI7+=7mi95SAU7W}`_=0T)c#SDHc_1d515rMePwX|2oJFAq!+HB3CN z5FOD_X%1jYLzW=tst0V^8SoEqNvQybapNt}BfuY=^etJDmxl^vq+q7?;uMXCQcm~Z zyb=TdyY|0-IrALypWxqnzx?p;y|Wwl&5QOw_a>8}?|OqbzqE(#@52B5lm2~fXek>{ za?#p&D#ij67v1S~6}c^Nq1G3PjESlhsj9lPI&B!SixLFJs=n-9NHVL~HYFdS06v05 zxmD(PXNLkM-V{tA2Yaa|r!Ujv2M$$feHAzE-4tv=U9ol?P}xVmW>VB6@gZ!m*2znwDZrqB+G}qxvfj zyLgPnw)z?d0b-8C&O<^Vrk{HB7OAZT`&i99`G!yZA@#rl2jWHX;{S1e+h%Th#Kc_S zp&TlT-e+nldai#YM7#QpjcV+Ma#~rf+V1GePF+BvFF|YlKtV3m2?>0P_#eTJJ0Xdl zK46?eF<{g&OU1o*MlKhM6_r@VT%H&WSl+vZuO#9iIIODuWts- zJXfxm*8$E@Wnn0x>&9r!P13blwSbr!uPSSVZv9t%a`c_Fp?(9>f{PCPDu#TAnS{BIO(<+p192nPY!bC7p zC=3jdN6A=n=7DH8NcP;0dEGSFH3e;Qc!QcYaTIZz#-3>kIycUE00}{?#CS9QV3U$X zDOp@lX1hP>l89AD9qD80>!v{OsM0ht7|wOPeyEP|69@I&#M$=67LTlTxWT3^%v94k zTs=FQf3NuT&WxRVWxlCs^2H=oW9_(7Z&NckZH!8ExOQC`39p?%-qhqw1YE$WF(=^k z-Uq)fm7M-2wT9{ljcp@2m6bUnX*E7JMKC7Wj7`%%)`!GK+Eg=HdsK1r$9g3rt@pu+ 
zm(Z-ml2}G0<&g7W!l2m$Do1@v{OgE2y~%6#d|ed%bfJJ?#Hg>NVGg{9Uj-!D7mDmm z&8K)eJcW61-#pc}{mK(8)A7B^bi+hI$IQA+pbtIy78#Q>`HH3d!eTK0yxCOI7DqoV zD7`Ikg5V7TkXu)mAzIP|pCIYI=fdE(xmyK zm!zNI4Fpujd^G>{ug)pFyX>CE(F+Ewd<=c_xC0u0d(mnqp!N@Yr&5&?NTr7XK6Mc| z?_LdloDGiqgW1(-*UCEw`xjBcQ>xPNsFF!=0dnwYss)mof3Ybd^&sV1IXUWHfM?Qf zq9e<^ZKcz10|z=2v<)~GXj>op-3DrHfqBwNrAMDofi*}c zlv>s`$-dDRL)1Hova+L2VGv+4?pP#Z4qPG^bI?abV1hjGn$a+5fpew3OV}ER3g4gC`!SjdIaZd%|x z(0g*5$Ao)>sGTfKq7&iTo8KRF&yKn$=V!-yQ|9pGsy{fs+&qi4Yd>yo9$k+sFk4og-9ZR_o`FFix*L7Jkxam-uz-$VnabIQ! zR2M%~0`{tJp&a`V#~v4(>&f*o!CdG(VIdEt4pgFz{4|=`5mqY(MI{o5f4Zl9ef)-I>M|2b{y1v75brmx6(8~0bi*GItq9l8dfSa40HpWh+TIQYL1|h!hz=VC2q&s10*Wb zW79~>oIFV2+4;qD)q#1rkifHU|G5n!tApb~9UT7!2FIr_h^d3)zl`AcrRN&wP63+3 zeJUSLJY;s{e>b}(fAfE%Cn&I zyy_jDgS}Q8Jd@w{o+s3o`GgEyK;lB?YRt7l!PQYe2FE5Zqp#07+R%ao1SEe`;$f1A zKEMPFsh9wt4zY*K#uUF6G)P4Zwzl-eUA6X8Yd>F>_7h)e_a!Mlk2a-)8M29yG9RL? zI!ycYZ?TwI@vWZPBQ!Ro_8Or8V3FJf)KdxC3zC|1{eL0hrdlcsGnM_hs`jRvx_7-z zHM7H~d`WtSm?@tqPelelN+hbd2U6=)6tzmXpweB$M;evWN^gRBQ;Q4qyjTO9AkWwL zBJtLiF1gle#jkbrn~O%6=nZ?b2N!arl#Yl$FWegN^^dcb~Yy6VmXVzmR)C5g)3|nhqL*+K4lZ;{;R~%+hjLLoUeMo+*hj-j9jB>3V1ibKci^} z+{K^e5P+{jsy*sNJ2!IxUtte*zz!0QlF`cZq;CRw7vgs?!0)cnw4fn5K|@FAeWN7! 
z3;jZG%9cYq39AV61n6S)4ZwF2U_rZl0-3&&D&3vxaRsKwaEh>xz!u}Kfi2;_A6+oH zfPH-TWCaS+@QSENfiI>c2CAr$vps#AK-LtDOO&65p_u3`g!DwrO5VOixFnlbvPCB* zvZ0emqa}0%m7rRfv~sL&&FUZk9vzQ$A|$oB5^buuCN>Kb1a2qDDyMWDuNw@xYBx`p zm4Z$cQ5lEm2&lshnApvjWDJ?PklF@Yz#ur$XrwHLD5ZAGqhn*qoA>hR2^|mAvkqwV z2S?{ugGPRBg;l!piG0)njo#U-^Hfc#@4Ykj$2+D|BBMndWU(X;uX-oPCE+BoF<^4B ziRgHjjB8lHCh@WmseEurq|(r;;r7n8(Y{4U9+^Vbkxj$T!8!rHBKDpOgLhmib6jAD zFA^aO^aT`r1=O>ECn-q6E`hgB`o4&weqIv41dt>u5sWqPfT4>;6<(lVK7D`L-+S>AT=w_BJph;e7rT4lSUovbPma}- z3-#neJ-Lui-an6JJ0Aaxro00hD?zG6Kq5Qb91Y#wcQ3$YzuP?T9$zG|J0?zqU8+oD zZpB+j-CjZ8O+$&ZZ##^V-|5h-RoRNJ4vAKFrM;?Cg@;O$ULV%!zUf<=wWTjX?dx(n zsuR=Qa$x?Dwy=x&wFV=98bIcBn~4%NuJv~(mr=}~u5005W8!AQodf$bCT_<>Z1DMmR+X8_DXH_qWu8flwmAww6+N)u6riWrNc z5%x4xokUKH1tA*oZi&J(2O}v!lOX2hr{mGk&71OgWI3u?!3D!X>`jh5y^19!dxr`F zOL`BCGaPYothSPTb%Y@$0*a7KRu^0iS&f11VpRQ3yd*!-2ivqr8`qaRTfAD6B1B(ks4LU&Q3es_;0V2R$ zDGSh@Ic8!Po!@V-xk??R!x%9E{eBnx0zK@;A;aW+czh@Ny2?+t*Zhj%l0znF;Tq2UlOH8D3Oqoeh((PMG z1J!<+oH|hj)g=;{LOi5uiXDT>&uIEHc5`u&&Djg2fy2Z)!+C4&Lh7QKm18CT%2o1FTEGv7}94fb*JKJ@s8^Kms>A$>;3II$Ei z5qnbZtRYJ1ar1g=wCiiU>UMF5=3LQSIpxyHwnax`Te;p;qDuZ4~I5u?SU*_)?`)tIk|7S&0QlxA^4O8b!w9G**w7tTA!b}hP?pj zbTI0-9QW4b38>3~RK`6Tx+ZYScqG(;TI>KEs7dD~j@0uOI5&0DRaCYPXtU_rsGXA^ z^scl*Q;ju)C^W)XjW$Q%8zfBtIdB&aP3sf+YD|WKtHRhPIwdz(PQj!Nr-*`~puQwP zou=Oc0P|NLTyhzm^pAaza+RXFrc5%(UU!u$4^(pwWG3_Of_TaIMwf$c!_=(AvqFw@ z6&t7vnXn~k@fm@LT*ah`@^~8V%W5{bOQSXy?gZw;Xw`O-{!Ln?ddFV@&P><}f_cT=tG0Vk}ZUZEoDh(P2c`E;yS{@BGZqa7BUS^Vz zxJ>{fr4>U_GOJmlX$dh|CzS^(BMYZSihNKBVU;EA z$?MR{yCG@MGKaBWCM+(hoi>A2<>GK3S!jb!noMx32BOUa+jJmWG5mD{(H5X@G7zm4 z@YMp*6zFvW(dL1aa?hyh#zH#uAm=uFjnbIS8g5Qhr1T#rWDF7EO`{7fiY2wZ|C5`v zh~{`g;>Ie-6DN>(0wq0j)g2o;KI!-_fP^a%97!GZ8o2`+P>+r=iVvWwU}v4N&wy$I z7Y)O4EUjWJjF26fgm*Rp-?a)vvcCdKz4#Z;2!XQiMDkan6?Kr(9G;){&R&E5`T1EY2L3oN0LsF!2-zSW zV}G@Dz+n)mqY^NuBq~&7L<~BU4TXS< zsE^^U#DNiJXsGUHL!7G=2~B?6`kfp1tbTcF-{o-Sl_>|Jf)$yw&`>6i$~05Ns)bh8 zo?M|1_cErId|WuOWC6QBUX4>R=u8$B0xsf>thhEiZqaar$=ICSiGJlUA$nht1yQ|B 
z4irEwqCcv(HWN7Z0}nNC(Xi=a?$8^=rnZUbK|V{OBGtJPRn22e0qiBbiE6IT9tZmw zQ${|Xn=*6Dv^G&!nKLo$OvV%fF5*iJw*psGYjNhjok+=#K;91n@=32u^HORJsRq~X zMQ?%Nx!{s079wX}nD-YIbhI?wOzIEwp%$?q0=o8G7-5%YEgyTM;?-kswBq7n0cWor z1z-!8j=j-FIFYrIs^`UW!R-I8!jA;>OpX+TE><-n$Q5|gO=O^(pD{2rW@CJAHfMMw zp;Y5X3_5#js0eVOEfc}5zzlWtC&7j2FpvC_Hy93OrHV2Fa+ob1GGP@;2FPIr3e|m@ zlw@{$qStpA;^Jm^N5z28@zdN_f!u+7xoFxZAP2Un2_|24Xr!B5I#8B2TW;W_TdmII z(pDV=%^Sq-<~ly9(fmUE7(V zcvg=$(djmG{EvgdMIRh?6|rigEy_0{ya*;6|D3 zjZiWhda|CmT^rnD7wKEf<%~MPhalBBG zJqkS!IMfe342gqcr}fP~7=}XcS(`0kwG$GzWwQvLLUtVn-~^I!2*(IKJL;dF-0VGX zyh_sY=y4=KKwXoe_2b9ppMQe? zYN>1gc#4h|M{Lx!D0W?!^)+@MKbrBJ`C8o^rdy4cr_O%+yMyE{gNpq47^PIe6}hRH zSiq;mv3g;2TX@vAI@S4~7rVok7vrC=c2EEFw-;xJ|2ZGLeodYB$;ICJtNjl*uU_)s z?|z*A^YGu-f1hhUK=IXENCgb5{Z!jh+|UI|gt#=dmbJj(cC(P`iWPU$>{3Cm`rrdh9gNum$8ylf{J5Kt-|D*nnQ(UsiV1}6Dn>b^3G#H|flD$8^$zT~tz)YpmcCVK#L zfL#?u!R>Jmfn}sWLqvh@{h(2v|24B zoala3PgY3AeH$Z#%O1>Nm#=bbOdtW2Sb!1y9#I#cx3_Xb0*z?BF?n|IA6o3n zFCFmWHQv$*bInv1PS8}_`*vm%>Y@u89Z?5Se%*tEg9H1(Xu%yYIJ_{=w1RYzE-Il* zt#K*v-TiOBD+xR*YJv0R&|mJqEDPNhmC)rpSPJ~x?@FT{6_vo{>|YA}Z{Ho1#XKq+ zy6XVHIw}BemyJ(yyGxZU=X>oHuXm}I=R9gA!-&bv5N^%WWIF7xRf0j@+1VLmF$sq) zhx$9Oy)b+gYmP2;t`Rdrd}rv<;f}WPc698W&5f;EY6a7RtmDUb$O#29(Nj|~p=3Xa zr-_%kLyqN|3CN1qe^V>^y#s?FACXPv;|5>^u@^Elm@vdA)N^GgRLx2LfIX0v=Ug~J zUqXsAou@@lCaYc+F(o^9dpTCsIn6)AoaW}}tw3x9bx@=|jnevEX*kyN#HoWN^Qbx% zOr&x$q@nz)az2P@Yb$*^rgqoV?wT*jU6XNM>w#Q01so)SplW@$nx>W0M2@2M z-3oeE;?Ul*t61i49#O3$-{#p>`Qn;d zCHjI@qQvP}b6Z$6_?5P#BMttd50HZ1(FGWV#L*Cq9+W;~TWdnKCiF#VLRlxiKfNw= z|Bk0B*9z~h>UgSlukh|Fj;Dnz0QajFVK-P@)%7UapbAu3(^0XUtLr%TM|yqVaILj0 zXe~d{p-Ks5cD8^E1vGvdIf86Jc$99fZ$d8=x{~yKoa7-t;JR zlb2XM^u@Sqt;Wf9a=*e_yuaE~oYO?kO1z)F5ZA)^GZe;sl^#t^l|$Kh(J)QaI6i-FK8V~CxCjaSF(SW*5UH|*Hvz>`Rms!CHzX< zzMk&saSx9CjqswjdTT{1sc3ywe^&gc zV{bP)&X_wB985eIRr#$je}i_&K(5+2^o_h5W6X%RzC zvFm#17BZxA=?DrY$O{0BZ-NQQoR6bj&0kiM46g5dbGrOJ8!8vOm;h& z0y}vKauDZ`P37DGKD=z0`i47dCN-x zIlraM)rmjH`m!`7ntRDM4TS$L5zTQbBRoJm08mZzR)3qB87SrWO9ZGQ=U4rHZ 
z(ukl8VB+E%?1s>bZ~IFKJ1z62K*3{z++<#W3?d9;^+l^0@AZK-iOv813Y&j)oB#Rk zum81#ID3Id2@3NDln;Zz9ML2B6jh5r^BA=i6Q~tqwKF4MK`IuGTBL5@hl`uD145Fic4B!mjn(B~D&qs~U zui38w06FcN>Y0-zWM0z}o?APU|K!B-6y5}Pmu7<4S6YAn(gLy3$mpINmqPMCtpHRM2jRru02c=^*Cr5U?2TK zNu@4|=n=N^<|NVU)4}X&a5y_Y9L$c72ea-7h-ANqsY zFa5#na4?wt)E~^chl5%7crfet2eY&OV0PLY%zl*5`-9nq{O@cqJC)`8gV}L^FzZQJ zmxI~i*%NtUKuaa{TV%__E*Y501|ckGH|)@lmhek`lgm_U`of^!)PQEpVj$ z1f|np2Twq74bF^y|BElL@RG>ibk* zMraM;=-Li-cHHQOX1hV}(t(8KvssB!QJlm)O5D%88BQh4v(J!UKVahag04+su>!Y- zSltS(02of_9YAn9fdb$_=ZDfa&6q4oaiTB@BAb7ZgKw05Wl}DA+G>K}42fIHuJx{K zHR)8W4&^dS$;F?ebOW(wUXok$JBJZ~`CGIXuMk%@<7UT7)uBQ|XChbJA42CEi3^5C z_^t}&fvO>CcPuC{RIu!LnIJDPcMNhQ%_5<14*)|XZV@8D#Uth5Q4s`~QDX9s$&sgW zjzqh6DlXAD@4-@NnKKidEJ_vhcQ)}@E3kEBh2NAo>wXN|h+ zbOJfpOEo#Ap&Tf(Ljw<*J2*24)01w3#}kXw?$VB5!P1MmCCB%b*%$G|36kot4iAu{ zPbFW?(~hIsQbPv1i?9?U0ue1`5_h#mEH4WhZzVeMVSO%s^2B)X)w*Ibe5u=c9dZ#z+z+OKijkd6hYY)bCRU~eO92z`>Yqnv zHk?N7AYw65$y@?%%{`cq=-eMFxW~Lo$nwRUW7UTF=z~jE zGeHsyPIcDLjpVhv;giZ-eT}>hSk+PE%tWf1TmDMB6U`R1-6&QQlTi_rn3d8t^-?p$6agxbK{+AD zid|1rVw`w!wM~w`U-f```?mSp^KVuW92%t~vyZScCoF(Z&yoa3sxd?l z*Q7lCMW4AT&lFuPI;)fLv*;iRdtpH==+d5e4+_L}ZhNz;>ysqj6hQA5PC4KLPK}=o zPM^Ts{NHE4wwvGmHq(?<9HNUoB8jQybJL~cbFHQmFadT1>j!4-O!voFN7I>nu`2bg zsc-(+0O!b8@%TGrGdhN}EiNVu^3v9YN(-cFROpP9BB3MVbm*0d#Bx#eQypj?G3x6~ zEZOiLyn8li-bpm>Q93;ZvGfF{*E;fUv5(i6cbRc`t4Kdg1ayoL%mn(_WMKuypSUon zV8z?CuXCnx3!ET$gObP466w3&=cz&O6BNGpTo}CHyf)PAR22EA@a_`&=9q3-zNp;v ziK~Zxf;SN88=OG%U;pYzpxx8>?C%C=-P^bBpY83vkI&w|ZOQMu+j}3Me?Qx8x8;-e z_s_qt7*FD0-&_`kDLJKX`LLYB-l@H@OcL%>7lHHc)!@h3;J81SU7dC}NOu}=H5wD+ zP)>kT7zDD}vUHl;r_{QuM1Smv;_ya?rmD;JpHZSVd(EWSR$iBF;6P`BwgJZiZR;}$ z+dyf_TrN-l9mNU=YQH{jfit}cgn4rBQwtfPqPo#&ByHMdQ!Y8@v`=S~v+kKecqS>G zNeX9*+8Gy6U@ovzt*0)Li+LXrfeG?nGa8oOY*#gbtqN4#7C2Wf8A-q9Q-&{BRa_8H z{o}Ji@9g;GeG43F7hxC)xJ)onG*b$UiU2Cj@XCzh-hhQ%a6wt=X=@nOKhZbHsk$w2 zZmyqu%;Z*y71LBkr-D?>*!%vVdv?@4IX^poFDKyp!;`E2;P~=E`?$=c>i^iiJUTv_ z#rVz)sxvz-SD026)_u*rtIHFmvZ%xEW~29iLgxLW^FQ*@Kkk=ptHe?l)6Y?#muA5a 
zlzIpfdpJhU7fgTx^dQ4!sN1jZMTi5I^zX6+$Mvk9t74bzrG#ls_!>=lD|KZ{39UA< zi(>8+;R=-eEbR&>cb#5+`x6KpG<5H+_`|W`gwoR22WB?_e#8fLUp{ z&p%5)SUj>462Yd2**f0hE|M$^9CfMLRb)ITVt4Pu!F_Zi9S?v*zv`*2l8g z{IyPM2M2S(pirUDp)}}MpeeJ96k<)i5m`)vN;i{5!rI4r;#4waM{q%Qn$4SJ?{+H9 zMFC5z=F3v!+ygDGJX)&FMQQ#PMDWiG9BEy^^yxi3QYSXey{(aVE0M#l^cXI8oR6|` z&cT{_uK^oFVgpZfXwSXMkCG?$m|VNd^IYpdi%hS&(r>mCqNGb@2uNiRypQvQI^sKj zwk~O)WHY9i6NE+YGnTL@{ZwAlX*7$afkiek@Y>Dq{2XzhKLw}y8ank@-2f*tDL4t6RM5y?L-ScKn z#{_vka3+wgifd{HKyP?2HV!6ZY15Up47!fMH&7rBx+gyXTX_wiOEp=Pmq}?;+%Tza zt2(pPwd5+@gsi^fVy^FTjP^)m%kk1gW!aY$B5JGXmv*XLl z^UK+r?&aC6clPRhc69v1)$7^dvU|9U_*|MNLIkUHuB`XY=!Nf?&M=0aLMI!7t9EiW zy-%#O6K^$CpI%KvKaBihKD9{y|JO6K9yk*QM~#XND%zQx*LWr z78?);3eHpM@f6Xk_j*k8BklC1UW=+ejI4y!X$l{W1H+*D>AV*bfh)YO>q2cdK2E2_ z(y^240L#yAoksex45m3Jl0+X^^nt@D`JE2UKzl%k;w|qB%HTLJW8Qp(y1GCEaKR`X z>i|fAM<(}A_f6kk&avhu$1_ZKXPEBI#=+ijj~(d~*fsjBld zNvOcZ{CaJg`ev`--N|KtcEOO3LtlNjFZ%r>_4~>b44NNRsQwv~5&;OBB1`QxCT=FR zYZ9vu#JJ1Q&&hS3Zg7pn#5OVAMqI!#vX4rbW^aaXUU((QUtdgR;`~tl>S$Q3qOK+~ z4L%V~HA!w&MRktaFGNRmJQ`+-(zPX$KwKQFZCt;?!LZcq#3OqJr9Lt!c^$;p=0z9U zsjXv^JX4+PO>WOVppLO{dT99?m8bxQ(78rL1s|}G=tG$*w~FV&U>0SOndwtVGycJw z(Z)#ET`vu zczh@N`YMl~Zm;;$*^ZQuhM>ipWX}rmn)2*`rNQOl80Le{OkI*_s5&*!NJ{|zURClr})_U7JvAT z@4a4M3ikyR*fEUx8BKr2C9KsHXObL| z+BZ(QIdK1INH&S^lDFzGq^{0|UI|J4!(6i5bi!SofSE%rSSIiW73AGDnxaYKrAugs znWL$N9T*)2*+uT>?2=caH>e_+{>n zNWvd_`!?rXSGu`1#)Fp4o7z5$ko__TNKF1y-#)X$Vx{dfRrx9Ho+YTQynB`+_Q`IZ zWsf!;oAh93jC6CW4>>jSqKK}*3&)s%Co%?O;#V7ixwJphA-RMP-O$A=MHd%vL&ae} zvGHK}u)#qQv*D2rjpfp6tC|iq`ru}U56+zl52daAA%q?tVdMgr`Vi|hH1mm|mFa~E z7tr&P4iB3?%I5jCN9y$z9{Kn88+0JA{m!l`%jVr?x^L0(fgR4~3swNO+3#5F=i z#3}+=ReUO%prx{^xQ&T?q%t*kwybv=RMGwAodnG$`;m5iiRHBT_1rQucF=`eDWv@M z;c-qhvhmJsA{;qzn>JO;EO479%clCy`O+w5%wK(Q$z_yovxKWMQ}6>{rwF%sO}$|+ z0Q#l?^;@pycDE^@E(eqV6^h8Ud)EY30ChOf0XR_lhL=bi%3I*v)Ja!S8NQ*tnA=__ ze)5ApzM{}ndWk_40!@udSmOwMgS;u=4kU}$7U~?Q%6A$Du1ab%L103;;QGG8#P*pY z3WkFEk^q%2GrwaqSG&co5tu%{&6s31AU&8BqCj!Nfy~@by-evV!H`V0SmsnqZc~ng 
zF%;+)P9s&@hoo4LGYBvyjvXRYGFLiSsK&R6EolzxA z2se2@)lR0~V@U3vsZvcob_{|&Bsz(*w921qzn z8Z?8#Q+FaMHO)}7{7UD|P5dNEC3JbI&m^mGz{4P*OmYM=)Un)~CCFYk*e3(zGKD^2 zoIR1jo51+th5wz39i&V&Iv|f*pd7mv>!C92FA8BOMQm^gfA1laixP#RIucqREKPN9uCC zCvS5^`9ixWJAtHTPgCMm(|Mv1aZ;#gZ>6 z_uxFikF>j&nz5Cy^-x=mhaSv!2hZQ`5tjzs+)O;8%zE<7JqIa=w-Yjki14O5(q}kb z;_vx44S^4*=J4tiI3X9*2SI%40_4VvelNE!LC>SNIvLjST>uHscKM{6s~(afT>N8@ zWzW+E3b$?B?w+=7+wPvWZJX1!ZQHhO+nTm-&+q@d@!q&!YFAd}K0D&%j+3Wytz23H z*M4A&1qXuGJIsKXfeYHeV9~zCT%wN2);j=62yex|cag8WbUx3MI$qx3lZcVPo46uFXb1ahKw{3f22L2%-A<3k z#eg`wxMLe3tWMAI}M|uTTRY)v><*p@I@#3-9c0Yg0 zW*YH9arJTMug>B>;MdI(OUO_>UP7!I#vQ9=OPI=AafP`wcl+P3b zy+ejH%}Xov5D1P=W>LZde2=HU3<&Pj!`=Vu0-CxFV`tZy8$JK)@ODEgrVB$r#IaPt%-Z1UHhUt6A@f zX)#4tfjJbqWO1e{tDkHtay|lOSQf`s?}X1&Vy84bevU(!e~Y#9eVi#^>IH?yMPxh_ zokI(w2swKmr%?cZLJ95_;T3U}PZz7I`)Ru!N2_`fV~`U(-l85cEarXRS=(s&cx^C6 zCItHO{wb7Ywb;65`+i?+w6sj^e7#*>Z6v?Gebm_QGoxqxxW2*<@u=cdH;FeVyiXtz4@(PeS80{*>y5q3V^W558sjNdMEyF)<-7sh=TWv z1|e9ssdA!ON;PYsWEN0wT260x06oQtVo$NRg4tdq*m1KL6?aeyOvvCSXBG>GMf(C4>;=9;03v&vWM}b_QYS`R0t#xRU4LY*_a9Gt6ZRb15)j37z zKx75AKhH;~gQGUVF#*wGu8%w#L0_#>$j8Gh%Oe1uzkx-iOE2^Q=e*Nd)Fw+QRz75B zAG0qXbxdV9Fi+V)DJ*qnQX>PnF%u{ob>4lD+UOcX8|5}^c1Os#vvp7)uXGs=azY(a zT*m32`fz_A{k#JE@=dKsWffx5gj|-8tm6|-qsm3%rLomjaVJQ<`W7wme{J_ppE9BR zxM_}(p}M1>1~v2tXZW_YsUPBP>_P@EqLArF!@{TvzNslWtt5|RJ@#j3s)#~Wq)8AS zYll{Ff-_pYRMLCQt{zBw2*BdoLj`gnrue@n@+{6`>oCZ{WYvmHva|BA2Ti)>Fj3KA z?1cv-2;++(Lx9HXa;;Q~jq3M#IqDviy&g2muTf+Xl&CUHywgvAhw=-%Rs8*3Wo+v} zPDPy;I(CFBBg4B*s^ekJzF8;^~iUOjTP;RAp?U+?7zY zLiyI{(?z?@p)q$A&sY<=yGBP7dD|1oNnhDN^WQ9?t}ag9Gu~3}uff=QLg%XRm4xoR z!<9t!|2eE=8$~K!Nql*U+FeP|dU*9@A5J=k$Ba~E_SZZyY}91jGo#wQABM&{Jz6_jVDQ( z_BL2e5H5A~RHwJ%^nS?H5KUQW2$j;LHG;Ct@Y88_p4z|Oro+{8|L=9G%-U#j^sFR&0*fr*PE%+i&}4 zngHjzFx9NNsK7|Su1{%qq&4U++Z+QK@KzxH7?F58ff??1Z)6UVi+HFtFE7`~YnXrEA3!NrE z#AEuSpPipOJv2Pip~GG)f1+ki>(S{hcmGp`x~XGNLuG98UGvdd=+W+-BFF6OBwTT{ zj#w#v`H4P?o>e~UP)ehA#(oo}?*9#FMe8WvKf$+-5Q|A!qld4oqMDelEHa&?LxzmI 
z{;dHy8@JBpP3ph4wSd-oi*N{`O^gCS18~^8WHJ_bN|&*si#Hf4IGno4!hp#%_-c4p zTo_y4MfG%%uA79Uy_Hy!FTIkK{KIYHEyjUG=&OE0#L3vE)x8(OzgD62jSL}{9u7;Q zz5XAo@W{dpT!gKc^lk@RMF2mpETF#0W9<$Zdh2o{4ElA0-KC|2{|WyVmtB)wr0%ZpufAL{yV( z^%WOsJJAlmyH3$!kk3J+-{SKa9eiM7!{ z4{4%&Rp)e)F!#Z8vFZ!EA>IdYa&LYK6FstahfqRV8yD9>2eu>cN6YkW*aruFKp>GN zrL*hNqYmAelxqjo@gc99E}wAi;Ng_{yEMFa)aVf`3V>mKzf^ueo4ON!LZDgaIOyB~ ziW2}2-9b3?DEhv3Fft26H{mpR&|Ko%lE756x7c0=gJ06F^e2P{xVO!FgnfwitIP;f zehSal2M556vNsZm(JXT(M=ANCpns)A(>~CJ3Pelp9%Tc3xeDNE&DW={Ncoo`n-wxx zi^ADD{#rJYt1{p}3S2=xYD*9Aj`Z#3!^3s(M^iXAe__c?*os?q16PO;s;rksR3zdQ zL#rndvsJ5RU$;)L6SKe3M2;~ONrHi$A%7j^Ywc@R3=;Sc$tM=sQ_Pis%;g-^5n>VS ze|@PF=`gc8hedw2n}kUra`hZ02szJ}Ps(LAQo)wVYO082K~kI{{Gb|padthM+ClUVpx*|a{JEBqYH~_zm76O6Vq8S{y(kqi(9^f9j&?&0SI zue85<1tg@k7k>JldksX`9C45q#qWpE;2q=!orw$rG)O}k(|e~KAOi22$-w`|kQTxH zg*Xc5Tj3Lc_MMH1p+hHW>b;ZSC$V=rq5e2vr0x>M{bl1Rn{NTbg&E0KL?SS2^Qd~ zg*nQxkf1)oBe~E$@W2!H;(2TbVcHyCq zoh#?1A8Nx>tE9dHyaC|-0PJb#lfg-6l7+66Qgv^z?9RX<>8v|BV+yk3&hYcAE>!ud z^TY5-Un~e`i=i(!oW5FdHk?kWZH(rkt0-QwKfzMOb=4ioB0noXn0`FqyzZn@ao%+Q zZ*3&$qV@h~C7R0@$o`~>y!}b|qW-^&Wuk@L!wFM>rJU1)TiVREf0K%b>+j99jP_#6 z5cQp<#Mg=s7oeQoy;u)%X}p;b!9Pk}MfyF}T}8Ej${vdaHKIDUm1kqmWr97F02ec$ zpkpp%g3FbcGN67oyUGyMs@YKg+sxZmrU&?$v20XF_*3fHQvEn<(ET|7FLBvY3CG}X z6$|n?nAzB95r$~k(inYFb=1XB91p3+upEZ?O6rfG!gC##H~BS^!R!Sz)N(I+@95vIP`;|6H_WXBS%cPGmno1g4> zw#>V=Uh+=j)$R;oa^+h6Io-6wAzJpt<;zRl`otv`gRcQW=33iRHaqcibZdlboBU`p z8qk;eyuYh>yHDgZq=Rt<`3wAm54#G(@nYZ2YDE{k?-+4OL;%lmFzJ$>wSxx63! 
zf7AfsbuaO~K-aMca(9s(0N2#6nl{qOufx5*J{(W5?E*jHcE$Y=pJEdYeV<9SG9l0X zen?S1oAE`>(KkTi+N3NJf&rY!qr#RGiI$S#;gCSEp^Zj$U}nQ~g%qGwLMlQMd&_jQ z(1>cJGqwnZt0MYfAkg8!y4Mvot1B(Rfuc-cAz>BWmWyzh0YHElO$<;xwotr5vjfC` zv;hM73Affg0-2pubVpf90C8aAfQ#nF%VK(G_7E5XK=#uY5k<2n0FA_{n@5+rc_;fC z_LS@PPAlmq3>Z~I7Vei-Z9y>Rp(B9y<%tN$v>m1S1_bq9c!cK-T#h1uQU8K%&{U7F zm{0F342r)q8WjIZ(8@(=;lUGnqYHLFxjEuu_BR~_fh}?_<0zySYc0-J6{Xit4MQ~h z(A)m#>0|(xY0)wcJMxx;?Gnxzmv9Kg7)c!cQvS363#UEmBm7(cu8L}Qs2Fe5`1KWO zZdRNLH7k&Nw*qF?X{k(frzDm4c3;M8@!7+DjhBVj;`QvaPNDt%tlR7g|8%_ky@h_& z#9HKb75cY!S`>6OMpad<=wbv^9}r9@ z!Cbe6LC_TMq9C!0@)8+XUS!z%6!JptVmNodf_=mc?L9p;lVZ;0TYbb-Rn_!>l^|3k zK{0eUu>hNpay}70^}=W~z)v=t;vr zJjS-0SyKCl|7!bB5>UoGo9HP{J1hC9Z z5!_vz_O6yzUBCk1&G+4N#@6z-O~sZ~PfDY%C^kL;5x1skv&qz;Y4RI!kF^98pp&_LO zsR^HSP}?76Nw)9UpCajmr9W6$YY!cFRQ0-s7qaPOhHnb{6YF;b*Qy+Mf=;yx!&(6! z@mf-#IYC95x9a0Bhe%=Ej@5!G~FJEH`H& zXZ(BSHp~j&b)HdC!wnD&^KWB zK)lbjD^|fA0nb~mY)Sor{>i6NeeM?sOAkG zw4oq~d-vAZi`fWI&16qMI&i^3BAVEgr+b*Agblwk{}ldwdBL0HS9_v$^IlTg$che! zUyPqnAEnGoN#(1W#7xLmDTdX8>lGGY@UMG?&{12Dfh)+YP#uxa)nW%tEzR+GOr-cc zBOpuf)d`(~uKuP3nhT8eg#y;cO&fPRDr&%B zV3^k)u9gaTRiCtk9rfqjpE9MA7jifA!Bd@sbdCl!vfa;Rf+)SOwOxSaGkGI~>z~Zs;US3wmJYo~pw9dMQJIyoebljOc?Urr z!sKn3=>wus9{!P;5fsoSE$Lvia>>8?l?0__+(Lv$3n9g75cf8AOV|Q?%xXxRb)`l* z3@m6{dihzc0AC2v6%{90w$ss(?{ynJ6EQP#I_E`M$Sl4NyF`_I0>nz^I9^=F0Jd_l z9o}CDm`YBE!A?l`0ZDP-d8+D|m_>y#VT~%^<>ot!y;f?18r4oL&=ti z4R*0)1V~DjHlK}PrN<|~>Q%SFK=iAFTToiGBW?L+cBx?*CzjXg>c5kPrdz?QDxM8xj+@>nD<=%J@rKvE0^Wv*l_-~2h?doGve%SDxdTis&b_Et|qs(-d5~~VZAcH1WdDjqw0KCs!$&vqYF%s-t)vu_Ve-G9o-G)_#dq*mheLukLc8Ac z62wec@x|E?)u5=VbyNl^emhnmYg~GYi4dr&4^H%Z*>&j)Oap>1 z{`55n{{C|ILKfGsCH)1zmrxn8IZK82`qQ4o_#9JM>T4YUnw!eZ39GUJaaA0@Uhj@7 zo-4_Q`VeKcGI@h%jg=;;rD6OWeVh^!U`+B8H0^t;pbz=!NK@F?k~{75PXxOk9=fW- zWKrc*rQ~l5F-m>2APgdhG?sQ?69CR=VcGRm z`Gb7dY|S|@Z>r%Joa&rOC^ffA6Q7N8>ea3C^99D%U*k!?u1fcZWvoD7zpO4eZc(Go zg|FiG{3L6W84HkW(JxQj?kKIfsO>~V@5#05sZu8;HPRXq&><}`6*c3dnGYDn?{2D;fQSblg^B=DVgQ?)`+y0*r$$ur+1>JVYFn;42_4Bm8ne=ZTS(!nMM`gjj{;c 
zSI%CZYq09ZJ#v7P?p#i`aNhGL3K}EM52U7z6} zz>XvB$si6aL(4b`9RA&X-DVb(E3Nphe2T(2XdN&{cA>WQU=UJ3GTeO-wZ2TC@n&SWsC6gAEvdN zjD*f$_ruM{juwv%WDm7k2jT(ra*JZ`1tJ(_Fwpc=9Qd_Xtbi_~g%cAV!And_znnQ} zAM_6<+}K5ngoFjfAPOzVAuopkJ*DNBUWE{mu*@~2Y?Ccy>^p$GHEM|C&0TjX^Rbm3 zl|kr?liCs=)U;$4%KkHz5qwwD;ALo~+UTnUpjsDT2p~6!CQGQhMI@`X)2V|q&?9!i zUJ+N$`j`7py@1c%zWTIowymjB$24RwDq9x5kIweylOx`eluJ%Ug0>C52V9Y$(nmK+ z9IQ1kU9933p6oKMDXOh7!+299)9qMOG|L0ceJg-uvayG}5s7KvI9t*Jd(p2=LGhy7 z@xW((mwUm$XCofEW=B3&r_Je-+QJj99yw1=A)N{vsfvMc^w@i?@lDYZ27c|!>nnV( ztyLR#_0iX@AB{obFV$af^z!|FIFgNEoCQ}JuCwn)FIz)*#yu zlK>A880^KdvP8%0Ws)PTbBc`rCx*9T9Oh`Q%F;atiV|N#iR&p&jb%D3h7J>To3++B zMQJ*Z{z!tYT&xsFfk7@b-y=tgjs?dcB52AOg!75;_5J@7G57jw^J6;)Y5(A=^;my>ntk0~DABNS}%c zV{-UA4u;G**(wn4#TEQ!Cv4%YVk*a%`(bN$XK!YM&*%OAX)o#dYv>q$BVo+${I%r9 zcN52^JL3Bj*fT454xZb=5ksyiVB_4%gjXxU{i7#S&sJ2o`I`Vv!f9Ay@x1h`=0&@S zYW}AclrD`v$V-_Fnz6?LS53vpe%ET|Q306zKG%dllpXM9R*kL(4?Ct^&l2YE9OT!F-lBzrFvxvLbGu${ zj%9`C%LlI0!eZMmTDsI56vSx@uD9(-$`UB9QE9zzvP#?v~J zka*yPnJ*}xvSBsvGb@ZD$}%^+rrST>r;lZ)NidNrJpHfsYK5yMB1)VpY32If&AmW8 za7poxT)cp<5jd{!aMyTT%|U*IjIw|_bZqO)D#=f(G-YcOnap;DySKjw6lrS#%zxyU zRA@(a$&gjTh`C7x&l%@M{X6~6+v@659l|RbEy%FVR0csxXy$r_-KS zaQPRm>UMGY$BdZJ|Y7pQa@Gu7xPV@Mk`fRuejJaX0O$^H}H0e(j8 zjG?U)mm9vo_fC);(#;bVc{G=tls?UAZ(V3}$Y*z`8~@FdV8EL(Z(W=dpUsmq_M8Fl zZ2ZsdtrNZE@wXENwXDf50hh?)?czw1XJ<1_s1PsKkhw*#%*U&$i&o`Bm(Fe6aO|DNVEis(+{;`<>&NuZ@@WMec7ObOpWoq7Nm^)+_@KrH{Ttb zBEhx{S~QQSK5{7_jIg688y6ob--Qt8hAv=aq!;sL<7Gi)*iq|d{sR}@YBG0Zzil;v zq~!Rj;^hX!d=}%t=RZ)rI3@;M=x5O&kRlacU*TODj~R_Z%8amzdTZE$Qi>>1>s+J? zjhzAd1*0P;?l;VfZJ@WX@@PjP?qn8WYRpSj=!6Vnj__NcG^6mmtfm`il2K|0nPLjj zj;*O<5fhmlX{?xO0tZy+48>wR32Ao*A!Pj_44QkPA8Y114m&4wiWI$+12E6%!@Sxl zSH*}+h9r6ADZ9Af7Yh|V8T8b2(q^SP3nhKs{s^8Ip{TuiYYtTkwB_J&^nl31lihZGs5%@L+!p5P;@PoUP% ziY;|1WLo2|OBw$~AfD?20n7dvW_=AXP`T%Kw*Ce%?dc>v#QDJlCxq07#FYafK=fEK zQw_<@z|1#roTT?+#cAXd6`~wgIa)6|q@Vhj^fzSUI09NOZ;I(Lvcm>^PLS~4&83`58RxX@G12)+W3At7wx0zivYI>+jGh?{z8V!&Q?M+F*K? 
z($pPrB>Ra2wj`3SKh`j^;B%p3Ne264yX5faM5t+NsiB%BD>2fQQ+wEh!s> zbSo&aFNx!r9cL9vJFlN(^yb2?hjxo0$eM%`k-4lL0ckI`zt(o0ZVmxoG!V#PfdZ8n zr)8h^!u%Oq*F`_oa9($uzDRxFjsb5&SB)MZVbdDnXF)+yBw>1tC&}6A{UIGBX8HHL zYs^ps3mRZl?dJ&+JwAcULeGoMs5bgfD9WCLyy%j7LHo+@B? zcgml}NX|v(L&^7VdU8PKcJ$@dG}Bwzww{Th)}PALfqsHSRLgJTDY%Rwp_ z4{|pG$xk`HzCLz=Xr4GROjDZ{5whAv;(wCszfLr`5Y2Krf*1`EU%R3tcE;y(LZi+W z9p<}R5mr?YYtIl3@x6O7qiE0MgPDl-5~2V|f2ZYD>{Gh1 zxj@gzc(0pf{X~Iz*uRZVKA`)RY^L*SoX**5ONX+euyy&SaPu1y%ISzfqZLOD)lVeS z7Il|K$)W;lbU(O>na0gGWdXuRvD{A{Q8E&@K3zRVyFVlv-IJ;qW@whBV6ys$ql6}TV3n0kdC)| zTYC+7ob7Xqxbey=zvQpp#!Tf%?5p&L_HOS$TuF1)IyMdxil|#9HM^XOi>PCgi2%W0 zTeKJETAK|szYuBZ*+kefxrZ+D9u%6%!9b2Olov&yh5J#T=2oZRQ3qCwc~?kemB-Ke zZ5c9lx(_49tG2%@@lX$+Jc*M7db6o59c+z9N$i$JgB!DI#sk!;6P=-6qfGXF;Bk^7 z<2=DMd5vS#qaveL4={>*b!LQq;C$EUQ_AWC_oUlu>CrhndcJUR!N^Z)4|>dozIc<2 zl<(BPX|fyi{27bY+)mVe6eTgO)<=>nne?PO%d&PK1NRYe zvz{qXZp5d4B8mz7&h`zEh3C6)WZvY!IKcLl_^+HdCPMg0XQu{2%YE4J5I)N*>KLGwldU+MJUVx|5^$@ML;ap4nRW>#@2^mV z-TS7Da`-)B_+%N^lb1jhgVSN~POVd{2>o^cS zljJv_ggnSm0Ao`ITIa9vP&K2bVrRRVdxQ?Vh%tqAuVK)%e%y&#{GZq5%6jDEyXsMu zzPL|@3s5N$@|;0Hqgi#84RiRcxqd|^j6-cY))h@lgyI4v^_~&s&fjy`SoU*RIASm*kzD+C8Jrpqnn&(FPer;9GDfX z7eMvaEzCnR8u+h^q=0IVleA-%fcoaANBu#^>eJ4^M5*d-=jkC@%71d|%Fqkxn(9vC zHR!i86fzq2vGwa9u9EY52#(foSNdqDLd;~HhpXsaKSU^+g(b!g-d!p`@gZvnNHEcAZ6|OLv+dvZBgSLn9U)Mr{bm{^NAENpV75P;SV%$drjMjz-?PDq=QmW)1o=^_s z?t7>QS3Y9}(pL^8ba?SP*M=lL*!-8;(?}RNpqhMe)1;n3E+2If<(y09-~J;qj# z!1Tu0NGEh(Uq~ymZ;)sl{H2{wb%TsFfb^Z2*P39Sm3{rHWBtm2<47K{k$iv( zi3Vam^Xx3hP@l#8So&Ug@fF5YzCvf{biKNc#DJFQ7D8Di13^LM?B>H8e~(2_c3a= zhz?+4IeKA-iK;j!0MYTRb*luEK=b1~QfW(48z}dXoliIU+-ZJn{pz9H-7q9?~Mp9=Dh4I!6g!K4q5f)(m?rE<0MmO zb1h*Gcv9+J*XH1j$MS5HzjD+cifj-s_oy7HVZXuKj(G2JhhOl(PG>B4i z#bz`ODlS~y4pBE$9w9!-)HgSC=z~noR*vNCQ{=urPLpAvxbr{Tbaln=EnHkQ^!rLF zEljiYCsb$w6yd&H%)upn4A=X4awkSvcno4g;-dK{BH*5D`40B{P1 zI2(zRp|1;^uUH5GR_>q_nE5Oh}jMCgZQEY0xK00IJ2S62kJ^i?(8=I>+t1e*AL#TCKX*pJ_Q!c@Vo z<9b)v&}k!a+@4-&o^KM(F5X1)B09oCyE(STJx6ey^WOD31a&O37Eb4(o9{d26IT4l 
zFO`Tx;%CSNmf8X}Vcd6xtL5Y4)TD|y9id03b@o`{L-PmD|=9o#}4-CI^@nQT+6bevYH!xmalm z6l{M5>uGLhK{ic2L?&$1Qr{e6k(3icHQH`r-lLMUa)p|fAndZJA#j4u;bxa1tqIcd zewUaIH{koG?J>GnzK@Xo=EIss=!6rZnGaip4*6ne@h%lS$?>$UpI`BIKcC-@R7%}m+Ogk$@D%jEsWH8Yg+$qBc8@B0G@S$i_ohQ^s#T63 zJfZn1CS3RVa1nL4D-fs;BJO<)n|d>o3Uo$?*`Z^~GmVB4$=c;wSae#zsdT1I$|XK} z)w8Qm28obQENk90mRy0X4_OcEa8|MQcH5EPcXeNUAZz|<8`Gv~*KyI^%+g{z{Giwq zHAK5=`pA_UZa^2UaouIbc81J9akH@;)(II84%dn(4QX8UbizZNLYTR{c`KoVoF#K( zjj93{U35>N7GN`SsKUnd+c|6XtJg$55xze1xNhGpTIh$Q@YQ}eY|!gF(S!N|=MD=c ziDwNj77t~vY&^Hnt=T{ez!pP<4C0fLJX)#X=4-%^xswJ*o|2B}Otc#F<+?J4e8;VD zp3{}(bFl(=>+&^(W%@;oJ_HyPL;-=2!5ps6ot;W#h=Zhj(Ayv+I=`$BQ4#Q~Gxr?= z%m?Ge+tTp@j4IfO!q=}J6hMy>6rnf%kM!cKD3drc4h9z{GYHp|0OFlzxnC^yp$`=S zhONNju`mSIA84%|X9%TJKUp-M%B=GXgxTkjso0JmD@XF}D*Ty)4MA@s);MYNJbv1kQy-@__fYaV#VFdo0 zNhMC@zVjVcKadZWkPd=O35fqo%vmDn@=ost+akG`8c9TH3Ji3mlJCpqI!VygM$g8W z&EYLWZS#c?Mq#cR39cBu|EG|+r6==x2c&>N@CyS>Km>k*8UJSbuqjTV1$A6x$aB0j z>9CW#z>@fuh(z%)w^od%Yry3k)lsxqaGD}~=%bQD$9DQ~cP`J+dUweT2p&AgD?$SQ zDP6mLw8Sp#S;?7?LyogG*8uxkjyseTmP6##d5&)_|ECf;)Vv}#qjM7YDXy(`1|xTS zKj?8+IkyQ}K}4B#;a_3ZDu7YO%Q>w8UO$71f z;3LQ4cwrFGj3LzomeB#59I2!5cCYr7wv8Bf7&tlVsL*igAjbKZ-DNdo7vJMh1k^VR z{bi-n@;W+vW_2kO8%9J6R_bFLgPe8}1zlEu^B#maq;))#+>W0}M2gyFh=rlLjtT63 z#2w_>IGNS0%uWqrE)1eA`A277DdT#K`BUwpIN6J3Y*^>RXgkJXQFcxlVix(Ov5)wR z@vTzr(pDGt;F9>ORNc#~z3A;;!VLa>=5)T(Fk_QgTk}*{l;!Y~F_ObiXv0=WU1&`Fvj4bNIN+95>HL zb*(QxWiFn64iTL^<$XNccuDoNuUn#2+51Pne<##riq`$Ak~Lhz1gJBa2g!OFL2 zz*oK!1G)42T2=i>tt04{ZYcSUQE>Ws_V)`P~G_r>7==-Q7QI*AZ*r`Dk~!JATPId=qkS`8bW*dT$Cz;trOrlJZQ_=5;h zP)1TnN^z@nUum%UmR0XR5H6!$7gn5} zP^u#h?ONO`c4sBYrWi+g2mYvN`jWOj(2rE;2N)|Z)4+(A7(o7d>A*81MW0~M3(;vx zwpkl3AFv$;7}u%Fl6=CTvF_qp~uy8FA`E=SxmmpE_vF$;(H%sBRWF^$RjOnkkat0p>IpB|53yn0b~Q_Mh~Y zTY|rZcz*-q2tTC5dpbNV0VT2uE&9D6d|s{}9^CvqbnGw$2n6HxyKpL~LTw?1_OIrk zR;;&Ee#-ChVkQSF8IJOF;+sebI%glW*d7sTWxFUi7m*ICKxWfxnJqpFZ^^q?n-zXY zIG4N?`VM0}1Nm0R$~G@gESSwoi|JA7W9J@>DF@C|N8%h{ z7N`n*6O(j>#_!44=mOU(y 
z1k;8>s}6dyhXV>luC%hO_TC?pReE$`lOS>8Ob^4{gds~{KLJLC6FTi!v!)zlv<2K^ zb(nAkLv6w;&i4f%^0<8l(o$>nOPaRVdw;j)30lfzIh3MY2Q@6)wp>&p7W?4DEl3Er za@%WVT}^eMQO}5ym!&6h%2T5EC)cPi!v|S4KyJo0%o^Gg=##OBi|X7+mP2Pc@z7xn z79e(+J8L3h4j@UPL`_d0SDeskmB*A9zTBW|4Wx`5+{`q?eSI!P4s7?t$nJC-Umt(n zJN+=oH&_XME1Szy58yc9SMpy+BXRXikr7#;oXCtHx_~5B;^a*J9wzSlxf3 z+Zo(`Mi{9)=d>4M-HNW@T*U1#DXpAK)$sK3dVhj&_fz5gP%Uv@=dwvt@ycXw(*c(! zo2`VIU!Gp6Ip&X-p%L#yTAavAx##cNbT1Pa3$F=yc&um>A0xwx&m5!@*X#1&g(qJ- zbm>C%gcju7_!SJoVA^ivTknj%>P;8fVfzk>z^Q*t3UZ_Q(fw;DCGOWoJadQq8Lir& zFSTB}uV+L1A7A4G(WF^vY##YVcPFj7RV2moigpZb8Ey%li}d%9Yl#OL&?IT zpgERDh#xFBB<$0hGds+Z=$md`#=})dE!%6v<6K!)`;&2od-3EV46GVIkd!gP8^6s8 z>kS2*R$`#O#$}cs?L04M8U;w<=1l#~8IZGg&KM`(8|RN9H`(dg^{)Q6#e3R4Z@!@4 zJAT)In%kEAq$n|xJqS<}&yd|rp{WADu6AXqodyBXaSbr463!$6Dg`&m>|2zKq_w8#TI8pI_&Qw=usu+F6=F1yG&gIRJLulA)BEr437kBPqX z68pwA%&lnZ&Kbm#p-py!-KU+z0NB>71nR&hGPRai;=rS^qY+CBQhdepw?uhfKfthk zJh?z0cXB_qdHhWdRe=V`#N#}Qh0+HIo+)4nRTZps*LFF0>YT6R#e-Z46naX%0KNvs zs$AhIg?lG6BGF-1R1^bhg4=1URr}p?%mLe(m)qadn8xZhhKDsfp)5pHC)K}mahcSG zx7w-U`rX?IY-qxK%8Izw222U&*if!?G|`{%(e7py0)NY@^nwk<4H!05N^{vP+TNTaEAQFh@2D{&qYW%H7udM1yQJ2 zw5`&`qB(EG2@oDL6{igc-T`z+bElrDQQ{$@?je(QSB&`Ioii*fN|ffn8Ap^9SyPlK z=IQ$Y4g96b+pM*sDgPe;$3Qs0aa&1Z6@@Vy8D~bo0wj+UJd`uR1r}r!`&^1i!E_=N z2kprf7BVl%jAF7er^!nY=5mFMnD4V|z5KBdB$}d=z5TuJV6T1HJ=iN)h95s#gTfdJ z$J^WX$B*c-^CR|S!m~tHSi|V{RxVj66~xfix>8Xw(yv`q5-c_X=C31N%~R#N(hpnZ z@Ym)wep5rXaxSXS%*O zvOP^TpIi=>`|&tPtjtSMcq7isv2oP+jvL0=WurjDTpXXNqC@o%6b`u@TM8WskG55`H-b=~#O=l{yZO`6}V+2u|72_t3s zTYYBew|WMymeFkx(uo%udbE?VZ|{DE)6`jgU#QB%v+O**lUMtz+^O-Z`h=-yx-yTp z&OIwgG{P#2he?0u{0{QRIFdPYDfW@ip!`T6?W7@#<^MwEIH6-Qii@`le~;eSvOyO0$mU@*^~z?GYR>n}=Eqry zcQyrD=b`HSiWZ_}NU@w?M9jsvWcKV4*j*j}f z$7mD>uG$KgeQTvK|6(lMQk*}djcehvtd*Muv6P)_f%wua-7M-$*t$6Y_h9W>BiyIG zTRP0b7HWl>i?`5h@w+e)OQSf$l{OvIqJMT2OKLdsKo{I-S2<^bM3QD1=q1W;Joo zCkc!;_>7m|GJn1K_2xr4>+guppWAh>x45bAV*Dd|5;N4T$jcA4hv7W!Nu{f;3$OQe zm>N>0Z>A&==;@%>KX_)UU!iShGuez^inf}=^|Ps|fX8zBsp-0eVhUZqEZ@CBd10S@ 
z(sAX!dVqX?dVLQ3f(pIWyP+nZR7#wyyIZhVrL?P}my7w|AL=|>z#FfUIA;CGMbhfr z$2CMX@+!kL^{*Enmsb=I;0={H%=@)8j4dp4a`Bc7d1oU)c4X1GALNy9&k< zu5MMZRTo_h3e{RuB`10Cn=ji6A%xddOw5DhMQXWbhSv{c^n}Um->7&?sV4U6pA{1O`uX%;gsOWkURE z+hZ}z+rYUiz z-s;EL+}zxJ`TRNj@8;%a{(pBicfR_st>@cY&v#xt-`slsUz=OoFJ8R-FSNOOREqz_ zT;S-xHt#%Ep13dMzekTyKM)b~Vu+(#JI%)0sYGgtT+3A0mPgkpBB}&8GVW+L64y8) z=;@oI!QdI_SLXd0oHsfR+0?S}``v?Q4jN!QSl2RsJp)sAbJ=uCB6#3-O@=CY85>fc zARH!1&Ny;$00rkGX$as9B@&aElPFi5Z9PSg2Fi$5>Cytv*s&gQsmhPGw$_81#9&*v zQq1YBZ=|!f)g&yu{CvMoA&~Z*A?-qetkCoYEu7{()luz)WfR;*j%< zLLUpsJm7M_d*CQo0OmazqJc@1SAZdBY)G_`rcO8Wpi#Lse4ky*6G^QI0|y4m&!qfY z8ut26O&>{LK&oj?c$G2;rtb*K?QA=ndSWE@{atxd2T~VNKc2}Yq&!rf$qXpFJUu(; zKGSU=JXOJwe=Y9sQXSv)caP9nK(9!|v5&R`54};V;py4-n`fql9B4ywS)w1TwHszJ ze7e8eJ=RO&giM)G1;eaGwo9?!?gxrwV}Lw8>F)N=2G7(4_os5Ea3D~?1W~hMr}gQ` zwT~|e;$Vg`oty|=sD(@aAm}^dPmwBi$kC9DSdKTg`PWqzfkQU(m_yb<=W`!VfBkpQ|AGED zCgNP~4~I|gV~l$JZ~Mi|?dN&@Z|C_}f9Zb@@!zBW-iUd$F{Hr;39ir(^U2!UBh+Kz z3}h*IMnFV&;c(^7+M~5cXrH|e6uKgX@2ovSKWh+dD7912Q^T2YsOWYG3qV-@Ck@!n z#>VyawSxg!hehKJUp3?#`~BYD;b5=5?QBAqv%psg??1#eQpNJMt|?D2A73M>f{Y_= zqSF9fM^w;Yyq;*mYmZWmIm0Z29p#w@EI>Fwt?mHz2QBn%chDcKuRTKV`={R>ot>ih z-IJ5<;c0(wfR0X3@91#1f7(Af9H65&sC)P``o4d-yN(DI@@OG9p~}}5LB?ZBJjt^G zAsGbB$)!#L>LTA{93HbP5%4AB@z=VA4`+kD^TFBfQRlU)1+0GE-TU_JZRd3h zGBWDle%w3hzxnyR_uXFa`@z{kwuAmS=)XPeo}QiT4RW2o+uJ`l?;j3MyZig+yZw{S z>lSQ9pSjqV8&bD>d;IqN`0U%0{-GQ`jE4~o#?IyNrggiv_FZ>y-a9+lf8BcgRLnwx zT5cTqE%diR+D1@Wqy~Dx4 zLPKinoG*;Y+vB$>jBz+#r2pC@&<(qhJ3*!rh`K7pkvpM+xI!wSYQhnp?dI#3=J%biUs}JOTOFoe+JU|-?Ll`+ekL5dYqy4VM}r*W zSO^AUFxJc}XWr33v+ii{`tehklM7(q#U~M=C%<&!FeFjuwVg z)<4tV!_a;C+$ZKwzVmAH=GQ<^t^(0g)9~MF=eHhzOc1(lp-*TWkr1^%$PY(@+xFv+ za=G8Otm#nw4w)oZGD#SY$#s_L<+Q90r%bU_9Zt$GwT{M29{eSzkUUM`|7aLDRG=+2 z*=8NJ9)C2#`?iJtJ6$_c$R(epWX^sr(6XnFdnxzj^h)V17lu(=YB9(iV7D#wx&jd` z;OF4d4-kt$9bkGv>vbG!mmcT7N{Bn6kxGl3r1j14TVH@B7PIckAT2Y>q5T?80I7h1 z9ZP~M8nIw17jqNp(-S&NzeSxrV{eb&R&t?+51ftzEDs>Qj>h454i_r;AUkGxkRm^q z3l<-M6Eg-kh5|*B@e)xk*Iq;d;m;5Y{Fx<_Sb+8=z;deU$Y7CS9B8Kr 
z^P~lqtZ46Z^td>(k)lr~5gEO1l?=Ke@Oa~D$N6Qm{pz>B>;L(+ z^#pxFQj2fzp(lL9`TMWX%lu!{`B&Nd*NvxFvfHoDZ~u7Ka{j*Y>(<6t_MZ^!q4w4@ zwQGHwFf9q|2?OC*MpXLs+Jv`tj37 z5DYc#wjk3`&g$#d$B)P{q~G4Qo+TSVE)?BCt&+#5-M2X`jQjzA#^aB=`7LaGrSyTJ zmzji4TP>$sBX1%i;wV6ydX4J&%Yi=azP-)L6V#JzhU!345E$B0ES%f`TP3T+`easy z$F2jPVebv~N%DtMdllkF!7)ZOsK7qg5excsUVEffdu-Y}Yc^!P0$|Q|`-4+uFt;U- z+mDY1Z7_};fg@-9hooco=>6gTQFr$oY|})R5#eY*daD0ApbOZ+L^ir-2)b<3dcjJ^NQTr$O?^&kToBsaZ>(=88lpG%Lhs0w}TMH>Q z@4K2=a)LAHx5^d1ayh01^MLQ8)?=F`E!39UZU(znp+{y|tB0Xo86b^?DhSi|2Pr%A zL+8<}XrBz6N3LM^!0J_Mg)Rs(_^!MC;$^Zxjl(FrnAaY`a)tyk$8T*lL9XT@GZ!}2 z(oX=6s4x3J^+-qpm^T(kl|-7mQf%59)H7ohS$m<84sEeh0qB_xr?>Xvx~MkK5>hQ* z>g5m2)c;n@1gT{9wbjbr)~5%@#RYE(WI1WmOOHmV9a2XLw|lvU$@g#j zht^;li3mxICaow&B*YN12M$)H1lvd<8VFY6Oap11*zd@-F_we3%->d@0=3%4%np|p zA&~>mfnlw1Gx1BTa@msqIhigD>E7g z-*u6uy?~F$h>C=tV&P64)E%-&ZqO3LE|tUqaWbq=_lmwM$Q+N~@BKVb7Y}eSzop{4 zc!=PJei-4vok$_0-6)u6%@O2a?m}m-dS_he8kE)zwKF@g7l8Kd7^?tBf{rlUHIqmU zqwgI69~Fc11nPGrZkmL)%2km{#q7GcBr|?4aS!m6ylzQ8q#u>paSm-V_DF=U9rZEh zByw3Gq=lI^Pb9J%k3VJxxLx`n{FuY#R-bJjGqUQobiiegyScDS@iGfhvoIXXZ&G}{ zE<)5_oN+jAWx7n*lz22M=`s#t)i@Eu?J3&)YI75iNxR-=0dnDyC_4AZ6?Mt$R^m;! 
zCj@RcDp^wnMg5kLJr2jH-5$!FirVcDF_jE$Tl8dbMC~?(=#fV3-u}iAnLz|d&5j$e zwhoqVYaXL^@~<2c8=31Bz=_-dPRVe(=WStYEN-oD7>#;E83=dY5f%!!Dg;*nZf6~t zN-ftatCUz38)y*-E5hjx$Y?B9wZj);-wLK+1sL546^(->uSgWJ=vBsJVU;g9SlV^#a zgl4S7QRu-pk(KU&Ma07nAI&&5Bhth${!008 zu47n@8R`0z1W<%=nuN(xxWKz+(WO)n*DMfvvN#dwA4J>JuUn6wnyc;hRff`MmWJ^^ za6i3OW`Jd;LK<5m76+b#`n+i1BBt+`T2CGycTd0jpC=^?Q{vYqiUD$#%w%#DGR~>o zC$3Mk^*@uDUxOZ+QiWjGbx9}`x2z?CBhpFibTx;+wA-@#r}hN>hT7kJqs$?$jxhP9 z*k1czKeeyWzx0jJx&G~&-;j2&lh|G;eoUwzF@zB+d zv*~Oi7Rgz2u{8LL$OWv;V~_oYfEcry<#u7QfY<`P^Yt1;f=HbjF0{ca6%64kM!njl zta2FejqO)oeYK_`Wqtl$K`eLLc^`i?MeQi#1(NM-U!SV@OIfhC_Glnjs6`aqSOoA6 z4usSiNU&BSqFQM0r~c`hUR4mpCTC+9k0p9~&eockG63RcZA2xMV;sR#HyVVou$I+R zke9P(YuXgZiJ#XxbOT_;Yu6L%6F4p&q4rpyO<;=0lCYsI6Wa15nfoW7+E>rC#6o;R zN5cG}Po76Qz$7P2^?fH`mAj^pSZyVD6t+l288N4?UiF47y9RYovxRCQM1{T%N#!a+ zNXH#LNmlWbgk}>nVc%#EHP^cO+wsJijPWN z(}9pw6QF4F({!{jvJ%>K(3TQh^$B1)=*6avA8EIj${V8wRvkO&m)}xo`P?<|#pJr_ zppUnP8H*+iSVKs^1vxZP6 z5sF+)$JE$T-Coe z;Og>8PozSvTI*x25#)t4xFo}q4*H00ONM^nT!tCUtb~gSy|v6F zC^ay7ORb`DI1zEE^ORF7QMqZZ&vBLP0a6b_mU1qSA-DvGx6Ary=gyjH)LB+pahBIs zocmE%>cJNEl^&G5I^*i?2a4%sT|NT%b6jj@|P+#-UqVJLB2_!7;hB_?7Fp zek?_*1Gg3xu%Y&!4fmKuqJwsJHeXis2=J6-dK}^@Q7TtOkC>CF(CduL%~#V)3f4bZ zknMG`mp) z!<@W)j!57#DalpRI&IZbEf3j9kO0wu8!w&_j1rfKV0ThQu@)KdQsa6;0yOs75c`g5 z+VyZKNF>)U2++(&rNZkb@cN9v)rDe=nMB0{)mEi8i8LF!iVGbyc>hM6PG4>Q{NthT z2LBF!-v061pSKUMy!S6Qf7qT(hEvZ!egEU;aPw9C?;qIfl%ZN}Lew*puLe&F1}a{F zj5W`Nhs0;WSaRlpXxB*gy^j9e*4VWLYjb=>+6rbH2VPt6#7A z!=D0@>|-FiRKcj<4qw7PxNn{+tz_v9R%&l8v)yPQu&Z}nDbR=Bd_~4oY`%IaUpNf% zzqi}yM`@CQVy%vXclZkHyke;R(@&iPd~?!0NL}(8L-{kF>YqEP_0^iIbRcjvGKnc_?03%()os9iH|N_x3Lw)KmHOU>^aL zQZR|)odKiuc})TgWl#hRvnRWzVX%)x6mtQGpo5M=e*=v&iqD zRwV!FsQ+8AggY;HzItVG@LR@wf&+64ASaau3jfuk$H{>E9hJu=MZq%av{V6;Pa1RT z?$DMymt@AZlqm|BDj9N_j-Z~;>bpwgFUXwiDLMn~iAfB@b{p+8>uNZ|5yHVGxAn{L$6434sP-n$66h9Gxvtp zh2DC4#^3-F+O+j%t%$BcPmhkDfuc|qVS}D_2hYq!NE?UruP~Os!dU)~g|VcI|MTez 
zpDBt3%IGvbq@OQ$NLP(faY{dbs2G;I;#AN|*J(0DhFDBGNR?l*269!>eiqkk;Gy@rgo9s0Um^C;N3ObXLWlFho8ZkL8lp%6X!cgHTY*30+T! zIhxowT}jf$j#Q|GTtPa!kWa3NFIfgR>ohRRyfBy!3GyfpeLOQR9UO-H3XRN3n*{nf zJ{xO2Sbvwl?z8bJ{MJFO!RhYN*=eh~H(-_Ryf1(1pjQ9z%~7VOJVDO&v3(v99beUQ zCWvT|HW4Idrz0Hz(S1KK%9wR_mT!)Dcl^`?`hz5Ocf{fQWIC4kMdLFgHbll9EtJ=cp*+nAdHKqY?P!y z^Rb{yH>4#eaSCpsG=+xPy(9rJI*J1o4FI8tQZ#>Z zS?o@Rn3GSF*)XEsC;q|zWCd6i0&}7@|AKTma}waAKB3PgV@C!fMPL zK@)PR|PI*Qc1Lfmj$_Qcu}zPWjZVLkoRR4yBDGT@bK^-n~CXT&Mnk zXRQzyKpld9y1efH@qYIF`OW)*@4gQX=$`vE{qTx!zbz01C{+?+BQG(L_7jU-C5*cR z;~m9m%0kltrbHrBi-*)+sH;)=p3J_dUL`JaxCjRvq8?mn=PkdS_3)<#Ufs^hj0fs5iMD5AF%8Vy!-It(ltwJfaw@^?QT6d>0xuMF;K%#WH~vrCdtyj<03 zcvt={Bo33Xdfj#TCuD2wb>ZyO>k9R{_SUc6`DWv9yXkf({rSFawP^>b+D%#Hh zxFqb!csz#0QnvDbj^qi14lp){JJta%xrYxWp?~@vfC_T^l!n11)L9{U9hCXL%;0wP zbKR(!IGwU_zs)_2$Ud%c056W!{7&!{sd;0eMV}6RG%sT0veSLE`eUBnKn+wA4P~oF z3PLw6Lfngpr_$r`4%#5X1vfohRBh`*%smljMWX3Wfn32;zvi*j!<5gL8)f)4V?l#v@e4SnKR;b9}{vF(a=4c{6s zX=t5U$neWTd{iTT`35e~QCz$5^PF{?cD2{6=~?L;g9fYd*p`E8?yXgCiF$h#t{*Me zjqhjdl4CF9n+mSKJdWf6FYSMQgJ&{r zfq&FRG=yE}Tk)dYK}WhzwhP3|>wQR)>!bZ|b*)s1Cag7$C^iK&fLPggQqWsMVFE~lUSkuizxuC34vPt?B zzFbcgv_~+Uiz8iTyC7excWE>D=DyU3JR{{ehf8YJNZ+3o%I2U6cu_R>vt^=C@!k#P z->LEtyTpva(^~g5P&$jP2STg1DX%C&B@jB9kD2Snd%U}@zP`B!GWND0zG+uM%$|JP8q zy!&EmL8hxZlBk-28VwDAt6i4VABH|@?KUhe9)0+JvNFU;fOek_vOcb5B<2tsqElp`>;$_I-A( z?o{_~LL6|A!-@3`pNV(MLguqEC28dJl*NHiPx3UVw#uZNN~;tLEoDdgMVonHcL|rL z=C6=3KmCiBT-%y&!v4z|#e`15Nh>Llr~Q<=5xe}FOASEkr6Cp*XcZCH$8>5Uicg5Z zI=`;EiT;*CF|Px72=yLQ@rFfjXv9U21ya|G)(~Phd_spq<`Xel?2KYJ1KCq`HIBSP zCL}$=97EL;|Ghkmtb<7Dpgw1b&N}EG?6*y(fe}%4d;W>e`e;gmcpVYpE;67#1AT(8 zh%y^AHD1M$B|&+=FUAzTGw#lga+JVf*N*9ep%1#3!b(*=1ka!RNoQsVDGL2~OoNJ% z<8T~duTqUkA3#QN0Iq7)0le*#h{fZiA}2Sg*h)uIp_YfBhgK?bYXu##s4ng)ORx)s zp7qmbDh}!$9rO?1qQTM8q1Fauqcgf!rL-6r1|f4pt!)ekE;Vonr3M7PBtZsjsih!S z0`+oF#tZOqsXdW_-mTO5v%D}YKpW0A@%{E?z^;RhGEAVW`k+FO_sZRx&8Vp2Qel*P z;*^4LXGXM}N}o&P?ER8v3MtO@?ica+h6^Xl8~;eyCj>&uE|_+ddWy4;Of2e?)zN#HKPjOpqA0I{HyDHcyQBErSh)&@ifm;krX 
zsr*<};4H|YX{tkwmStRa$hmBsJ8UzyW=CC|$&I;evT{_7Z>~EYme*#~1=wu}xiiPj z*iD$e$TbA^{ZdQkb6rU^$7j*&iBw-umA>*(sw5CPa6~r;Gtbe;IB5`!91P<5h0k?S zy|#kcK`o}UESVHOJ-FVmlVR#-kjgeCDqM?r$i+5Bd=VVX6SWr9kdePwkPIRN?c$PS zs=~*LSmcpVObmaEyaA(^F2fT5+(E6aJPLG_9RNpm9jJUh_keQIvc2#V zm^{gn)f%SlvYmEsY?IQQL;818h9}m(F_Uzk98i@w?Hu(5FuzV<}J8N%UrXzH2E#_ zcZLb2JWb|64*#tlKEr~VUM2HU`evex|LIJb0!Ei)rV_eZSPOa7uxRYWm&td#mZbCh z^(Am3J56_dFxX1ghtyC5JSEmNR57ZRt|NOY3!}e#|NQ`+o%Eq(D7!wVBd~7@tNC?q z1@m}l?Ibz94Vd4Hl-iJTyOn4HndxXo-x7TObG@2WM5wu)#=f9F4HWs-)ZLAurc?7h znSK7L`CM;5S2PbP`U`M9eaQCb;QwcOxoS^=$r`)d45S1=|0xa5eG-htq=Q~InHP8h zn46257pf09O@E3Px%NaQi@o7A83L+~>XPTRnX|bXqXPe%aKDE4_x6xDJ^D@4%Q#Ah`i!KEvr=_6~nF&+r#IqifJuISYAYQ~d+kab zm@JyrK9)+u-UPckIzE4NFZT9l7WoWYP&_-=O>CibQy9rt$GRgwEHPU?AG(bZp zCTPlr)F-;iBfk_ZLj%E((3pB--QmP3=FsCF^WxG`9 zpEag-ChD<_r6t#|sd&qRm z5WgFEh=~b_kVmFCFjYZe0BaF*2bmxSYr=7e-3f76G~W2#jW%fDksD_srap4!dBZIz z`nkKq=^uHU`T5(@6+WPUfM~HMri3Y1nRMw+{ld@YR-eC1)1l8IKZmvCREANVuQ$Km zEF(m}EGK~=k;M`eM}7uhD@Y^3*dqSyWPcHiL9q0_9M-Vk%aF7N(k>`YqIzyxU9?@w zbx`UR_NjO7PH@CKsP+GT!RpOuNzqIiF8Lh+kR)Dz>F z3>g>Wi14}Mp?3WqYbeR0T5J&;Bo_~%7&JT)w~crODyI>-?e2XVpr#PJv1UJ zB_JigDHSGJYy)j&Zujb2gSAIUN($QrFz3#o+<0NJ=VU7gEV79Kg}oGox;>mnx3J6Z zp+G`;Nafn2OkIRZwv`7B0ZIO}0I9zv4<4cY-R^N2166LBWpwQvzvi43b~an7YpMJ+^^2}aW}8;oDN|S# zuYvKODnA<@&Jk7n9uAd$mJOTse(!9(+<93W1>2Ban!1QgnIKvdE8hQRTI8-&)5L}* z=~c))UdpHJU&`b{D{l>>)y znzfJPD|MR<5T3FC3>=HQ2z57WMz4N~ru62r2L*$-uvq4_*LxDgSaR*aR2nL{ zwTZzkcTqy*MU$=CL}{*5h|8GENi^zuS0oaYldk7QgLpKeH#rR~B4aQVk_V@qoy}Lz zU-C-(vSK0{+-+*+4oEaY*dUf9LFa&7*$XduZeVw!i8KpLg*=|@?eBF5d+o#S!CqT6 zXd9B+A3t(|1sTP@+({wxblK?J+xEwg=&|!7_G7{uaSh$xw(=n>^Jr->N1B!%i-TOK z-&V=R-}0=7EXhE-lyjPq0Si)>lEo=-(W>OV4%(BPm#j0{d`r$H3=ZcJ^L=)$TudPr zf<)7YoF3F48G*T_Jk|)Kh$t6IpflLYMZS)72#uO6?TwSeUz_7WHY=dJ*)Hsr%#v7| z#|_qrmaqk{%r)Vn!U(#{Vxb&S58jV*Q_CQrA7YYh#q^baBK+YpYnnL^I1zF9Pb86C zM+D3N%Nbm91T2#OqZo=D$05R%6X=tXKx7(0h=EGMV4wiaP+7~U~yJo%Mt zgo5KU7yEV0o^QUGrC_sB_Chf{UaVoZX|-xr9J46Hik+R!mo+4+BXR-iLIb~>CC) 
zRB4}NI>AyNw5l<$K~F0B#s^mZo}sk)TAgQdb)@r`Qng!j<9@&e4qVdr3NLgT5hq3JSQq(H5S4pKTIl`V zYD#qh8I1+%r+pfdY+PfD5NnQ-6%w1w)&j)trhV>(Sh!12;WnlynNAqKJlVNga9YQ9 zT}XbmP!%{GKLyosHdwSkJ-C#?c9?59k2T#$6OMElxRo>eSS8xI%Zk#NYe-ENQrdJu zk{Wi8dH8$YK&WO# zl|f*90Xke32U4F@uaL|q>*;6F&TObV-N$Ty8@rc897jYsoQnEMPKp#|PY8Vx8(EuZ z2vAL6--P&~E*i#3h?7+5Xh_60Ap!E}2*O-5H<0S`5G$vU4t_-(Pl+{-vD2-BiNl!% zPH$2+N}o9_=m^eI*vnJ+`6jL(c;x0Vo}MV1+@8D5oLN)n%hM)32m2mEtc<5FsZ0^5 zD+w%AEvuxfY8^0-q{5d41dX9T)R_%RyO=TM^1uR32@W`-qr4 zBcwKMZgwQ3+zhE2lTb$mg%OhqxjNSp6kvPnyj-xyJvydh9sU`IA&Fd7!bS)Zsb76| zE%8i$RDJ2ny|C}jRf!k_MYiy>#pO_rm0^^;qZ z6EBGY%T{@llSSk5CW0 zlhQ3aSHR1Tg$T~W?rHzWz4PO}lRxxRFu*&ID^I(7{zrfIy(LUDa#UkKO zh)22RxXtsyY4>oqyMJ`JSGxdvX?R%CC6q8-4sw%tf<-!7HlW{w=(V(wgDz4u)P-zs z|7>u&cXHvNp7lr>)FE_Hx1cWU&^SGft%^O8ryYLOBj>ld9y5~2H+wx&5<|Z@H+k-@ zNhLqC&7d0g;%sWTjEb+8fGvtSML%Na<<3{Hs;RAsBD46E;facrEoa2p$-a64$0A`& z`hUfd|4rv#@~3ZBw4$n#HTN$%h(|SmKn;ppzGmeLGD1%@4bW z#q0~Q@6XVO82fZYrIo3kY(v15<&{ecOW1+mrog{;k(zKFlWib^P$B4LJsBuXqYwuo zn)PyToLXmt8delExhh8V6m-aCQ)V|LAGKKqFQzTeKKO-HR^*bc12J7$7@0HHlQ;sred}fqGXC`_9{aM>HKelozfWRy=0V3Jh1#V zA0r47m~s(e0WWG}?EA}+#-ec{px~|cLEM#~qiBo+?HVe+Hn2WwKj0GRd>svz)WDz7*vpG)TMbAxMB129@Z;*W$^p!;6jU zPtH!5b$_hxkxZFHru@wZFEEwKvJv{4yozO7jM%SQr+pPF3|Dt*Sbt_k6*qiKWS)N* z%>7|MghDyiiEF$!A@ew50fKjV|DU~gUys{H_C@D!J_SN~O>8fb-K}fVvom{ZNpeOL zOV+mR%&hUrXQN4UH!a>mkS+IETJLjS<2>2=o#S~o+qD$?%$<8lVZTV{x1%qMXE_vBCjaqQSm7% zkrg{LSh?uQT9LnE_@AG#sI+{w@IT=!3Z&QKuI%q_F#~l$ zO<%U;wNt!=-LsI9er{ScD14$7eNf`}i4!3!4x+h&+v&G7oEvmqdFVMV!cBXe+7>wD zu?%Uwo}ZCHxD76TKD+qmi-x?VT^5?TahD~P&9M_Kb9IWAqEuCNlT$`oV=g(g0)Pr2 z3r0A@4wcRP%sC$;-o7-)>d2vt2RvqAetZ>2kZRjAu0mLh~;S%Ofxv-m!3+IF>bAEm0aHgglOaMQSGJhIQ_GrP60t;Dn{ zmdSjeAx8}na#Z}Eqqv?fE?HAPl@(bV&Xrjspiaf|Cq++_C2M7(1{tbueGnqwv2&5q z7d}o(`OrdO)JAh>mC1*5&&~0LbGPCF!wo$SZ1f-;V8t6&V59oRN(o!FYwSdbSb*mU zV+xe|Ak7oCFg#HW1K*gRaeZ5>ahi8?MUTiU(|f9EHvX8Nh=L99>H4he!R- zz>!sLZ|og`Ue4R9@i2*}3_N&)t(O7Ji=9U*q-u3jo)-2Q1vM{r z_2M>KD@;(yn5{N+b13VnBTvKXx^WZ~B)us(7*8GiUD^C=O{fKjEr{XcV66-hzBFek 
zk=E=ZsdI_jEE&@2cNqmSvSMVv3$Br`*e_p^c~U5`ItI396TJi#_{xbX&C6bda6B9I zQoNu%`<9`y9ACwH^4nu=#9LO$-GwQ&;4rov?=i_z8RdR0qLdI^ha_#H(~{Rup37Iq zXXho&P3bkTwPnWQhP$=}&OA7&2-c--(K*3ngjNxu#dHV(GXs5Yak?&JllmAVKV%ne zdlKF9e$Bf=XmeU~32j>9ik!?zlgZokwAIRfm)n-_#d;2eiR-4Guh5ToYanly;E?cZPYFt+qNgRZA@(2w(U%8+qN-5Pi!X>XJXsxo%j3p zuK(~q>gt2O>#nDtTDY(ltVUE?#1Pg7u3uofV?(5N+rnmMr!=c1XaCLux;UNAY_&2M z%~^8Wffy-&L3Pc&{LWJ87)OnX=neZbH!haNtjl8Ijs*+`RR87+BvfCwM6&@%f8nbx zkzS3>!f}aLovN`GHJTF6w2DZzweBIQrM5^CwQ1)vybR_nk??S;_e!mUj9ic7atq~? zV516cLYp~;8X;4=R%!jF^$+d7232{~5F3LzEhCQm_y9wt+U$;^aq>150o7)U z?a5ZF*+hw7?*VytN!fYC|5O^GV0VD4*u}bWYf{A@)a(M!zY}n zh;yoIV&(Kzp&D5E4l~bkeFcoXsn~TxvlyC58^d9Yh`f6%EepPe$Q42q>zPE=d< zrxtrij-6uVV|8+Bzhszz^IN7Ts{PwS%iRdTFeRGi0s*9MBuySE#mIug$ zCojz`E6;NwQj5C*tuNh8vuO0ZSL(+D>h_y+RvEh0M5ijM*XF5Ae^PyMHdw*$_I0lI zS4?%5vl)0+tR$2=+>tK)8e3gb%DgN&#Ps6tI(E4m#F?t>KO!Xksvggb4eh>qV?PgZ z+>u)fhf+V(sN=#{?u(kkb;&R?$9IQ;oDO0RL*emqM!?bP0v7D_M`E#h5wazHN;#|BZt*G%S0ZD1D|><9zL9SsV_U2uCrd>tL}H$oQ_4a!WQ`DD$j55@7ln8 ztgg37&9R}Ziq`(C0y==wA^E||%auNF?jhcK;GXAUlOuKh`uQE&*Y^SV8PNX%1Y7~O z3!r@YLVLG9d%ujX6+Z!A--gu!;Xp)lE0iQC}+MrPWf2Bw#q$}uPgD_AE6M9{SD zS`IG4Fm}o5pfV69X~AZ9^!f@(@ULeRDz$ON!6@VL+d%k*x_ye|!I2RG?D1m!7mpBV zhOt*p+=59rleC(B{`z0<9?&0UhOv0mA%bpqIuL($M2x6l;R_pk?3 zL}ZNmX|2^KLVo`6hX+$ZTfD>|_V--)K?99TZ@!L)wOsumGyJ1q%CCp3(8!S{$5z#unw|gM-?VV2K}s+z%_GiRDHZ2zFAR z8X7swC92Bp8e#?0w{4A=*5+tI9Zi6*ELZHj*IkwoD<;*BSPL;44E;fJS17xTgUlZF zp&dOnHb349Ayx79z3f6AMd^?%Dx8oX2aMMjR#qEJ=bE)QTSsl)RGYe&jALWeuSBuM zf9mOhnp_PwtCSRW4W$_4bX#lv#txV`j|Siz6@jqB=mzA*i;?`Gv6q(#qiwN#ZxmBH zZBi>84kAr^FyY1x*%UMuyf@$L4hk0@{{8f^isA>-&*Gt8OWXQ0o0 zMAaVjfIC0c(Qb@gpFy7`llc_o*s7U<}vc=ERV9)48$i*qHMFkTxpkJl{RJ*muwQm!hW znZt)JCj^!oewG<-w5rikxx0z&%IpOwkGt5TvcFrc2>4bWb2XA8*F*!zG;6BvwPzxr z6n_Ydzye638WJ&IIMY6a9^SuqsPeKMkjDZrM7Z*GRL%4&jKd4vV7G9=iAnL-$|>*k zBmva;8Wo0#X+x359})LncrQJy>M4|VoQ7S8_*fXkqmuTiV#bdA+A3bED z&+1cgD6M%CT|EIrWy?SL?40va@$S>*HrANf;`->=;B-ll^iU<^)=}`} zDpHh^aC3?jQL_k>3A*_Q5T$%52@XjSjR?eSv!x@M8#(gR)90hlyb}}Ez0vK7&=4dt 
zu>p5Y?J&a(KNmll6;#7igWBWlKITSxg&oY_0%v^pa{f%tu=nf?ed@`&~^ap}ibPUAct707To#-QDyD(*= zb5F`nN!R9F3Nprs)v=6fpH%f<%g;rZuM!2(kB03FU)&N7kz{rw|C(h15sy1pB7s8v zUmK^-&mP^6JCykihQ3UIsoRL9C0stn=ws5iadNw+aw`~vr>iUWWSNqrO*<@D&GzvV zji!-BT)S=ZLfK<8iY}yBdeF8yx%P2C5v#2JW<+RjTu6s;mHCbV0ORN4ZGH0X-&Zg< za`FhjoUiF>FS)@3u*`H8M)5?_#msQuPiT`R>$l8Q5pcy2)MgTv3+G+Z8(A#*98T{G zlGTx=*b=Pf#8M=vSt-|v_>>sBYF2AMwqs1$+U4N9-Zq*Y(_ejGe+Q(Q50NiT@Wx6 ztxi3}`pAcHmPx-+ln&1#XlKbjKBvI?a2Jb)j6BStPQB(V?BP1RGFoZR+8rZ-b^GE8 z`GN?xT(#;$%%3ilrL4;=^xGdl=#lgE%m!qP8TK#GA7C2kid<~P{zzG;`&`p|y@tJ^wCQM=@yOb`5F(j0 zBfqcAHH(IT(>{TbNyva8ui$7#l+Nv!k{V?vWV|D}5R`ABoe1V?89i)dC@>;lH?LYw zHTzlSZb2s*md3h{ua@Dv+t+4nl01!&2?`f%o5vQB=dL%K$x* z{)O|S;&IJ<+#ds6H3~l1k_3Ga39gc=U;P$#0q5@Xbt{?d3p{m9OEQgoS^-Pt)(!bN@jUO zLoQPU5swNC+cCvJ1QhOEXY}hsd~J{C-q%O zFCy_>p10miwC{vVb@DeHCx;!5I_Z=e%qIXEY}*JtuJOx+g-j&UkG&Y9lBc5IE6Fhu z(~Icgl3xsQ4xc9gSrOh55gucE^C%#tB4ao52n)LPG>a6T?<_ud4&iur_Ar+jVR2|I zp@hd>g~N53I!=868Ns;;_LQWrbTmrn>hf~AVi!7oPvnb!!+Ojdk1xd)N5&UvZL#xb zGe3>uzf4^$yx*a&G!!DNf5%-5y+CS6(iBz1=sZicjQkaj#$dxIRAG9_{LQiNVAb0? 
zrRRf!XEHi`1cgrV5|$2<^Ep;)Qz%sUc{h|#K0=Nf2(Z&4qlqxH5LTNK6HxUp3`)F7 zSrjB|{j$GI_x!?&?wc|lUb77(gY&d*osCL{tMQv-$$o44=XviXlnqU4e%Qc~n=wt9 z%eAzbu*-H!8Wb!F7@9~i>De<)uUDUG--$lbS-@pc+t~jJLuiqVx5F6`hn5R5+9PW_ zq7J`N5PLae%BIwcTAFPwESU;@=N1(QC&K#(0|67t}hHa=L4BWw&?Cakb3x81ibRwRT2jS@+*x*-KIp)yp-eE})s)WAQeu za96NSQxVIj@npO7n;{v>WazAMM=&C(4}CZVG8b*J{K$E|Dkc@6vKVLuNx4q@LlGQD{ z5ByK{xTtJ(9~G`v>M8ce#*+GOhwkFGP4+JEW%Z0Gq!*piG6*F&H&GceHX=%G!ewfv zm~dO#Z)*m#O;ELd>NTNkrpTb5)jX6aK{{h*{rJg5si`ii(5J`1i=FHEZoLHDW4(mq z6ixviiv%|K0WIfFf%5!3hy^z8S4SC(d%A1W#7qE|dm7^ou^*Lbxq{kj{f(|9-NYp# zyvLj`4BDq!Igdtm;nPUGP$LfUv2IVjFj>|FzkW27rF}%mJa7CE6CP{bBYaYOJ;bn< zuvwEW-|OyK&@HcZB6j)G91C=f)|<_G5ed^^DiQg5eujRR_$UbdRQPf{SOd#oj#oZV z^@Ca2-?fPLW0oOU_4t5=DRM`og2`FOl7ccBFvr=YanTos;9G=>7g~ctbuqq}LfN89 z+ZNkdX%9-EMCiQq#wlvLhg`F3_J95Z;ppdy1XgfFp$(3W9w5xzbNoNpg!V0Hl-69l)xtl}Tn|?eIM&LJmrMt@?TDjD!JHVt<;4|k8 zVDKXD+STZRj4;Lt`c(W7*~vhq1K7jvplxdGX@=C-AiuJ#v?7EX!3atZ6cFR3$2p9iyUtqe zZ7w&z;7_7^JhPmq{mH1Wc>w3ldx=GjLL8lC-E9qX-!?z&Q7ri3(~;L*h_FvBveDgI zRD%rtX`go;bT)|GZ-2h9-6%+4cmDX^_~z8FxUmgqtg^(paYfJ81aqEwg!+tF%g!gf^fz-xVckUrS^N*hSCJ}R@#_)6|aJ=WOI`SOYT9{ zkyzPSYV`m*OkZ{E` z^26{Hi`5sG)rlo!Pk21kNvTaBYBDsN`205YjKlg1dToqg#Pi*L`;k@d1j^bD-9bD* z?u)1esfTECplV3#7IdUZQh$U7QSN4Phr_WJ5?f5L06FhG=lATwbr>?pK*DS;|JqQW zvtGExb2o@F+-Cb!M;+G}VDfZ&l*(6)4a?ewV##1Fj)*2m+MUAQjWdgK=ENdo%MpNt zK%{8j2G{B#@-;GNB2I~UJ4!4V1)yv}1b=pAlwaMxZ*-0}_j*O^mhBvnUyJ@!W?RJr zsXYA%Y&7Hr@@!r|1#;cd;{d5}P({eaAq$IxPoNy+Vy0nD9v3pv{47=QvNgeP|eP?@;tqJ(IMtA)(zy>xD@zAfGjV)Y^&wkHm-p~G|eASiI{AEac$7!nQKD?#ZJc3ciQtDeZS zu0ze=c8EAX)N@Qw+U~W475H7NGDxFG}7uS@P2sEcsT~ql0E?2FW9}C zUgq<$;J;vrWWpo0YTVg5eGX8})%wsx>?|ALZW!b;gxKIuP#jv*=ag$PS?htEFk`QY zoq@Y(&z3Py2ipABDmJi%*1P5cdlN*7e9$2+JqIb(9hA}(`>+Q?Xc{BL-C!oRF?I$y zfqJo&7|a;hx^zS`dES89^P4Nu6u8llT)s$udA?(B0BS-9eZM-JTWbsjK=+pfd~cog z7TsMAF;ys*Xnr|G_OZRif0OHVOQ$zSMuw#)-EU(o4)=Yem>6bHW!)x_VB+) z!Cv-bF_wwKZ2$t14xYwcTj46y6r^iBN-16tCn*onTj`idi7yrWjp$l~Pav+G0v4o_ zvy6O&e-864UYVGLOF8bq-U_9^o;{;)g*=}<-t#_ohEfbC(y>?6le7FBahG}c80&a; 
zQA4^@23z$gx3o*}G5hGPm=K~I0v^V$D~ED04j(B&cNuKiF5`3labeeG8O8Gw4- z+1cTtegh&SdGLLwxQaobF8Nmh&)_#Fw~fADRGAGthXAq51it&0z4rHSxrL=A*zB?3e+os~HzAntp%N-EJU{v)d$0d?|){Ch2 zO${FKRvJCaW15)KnghM-3;=^Rsor&c)CU_+^{E;aNEdNlw_>EcN--**N-54T@q?wd z5Mb*XP>8w?2-QRQH7l7vd=nTy1_LV8FT@s}6bmZ!Z;POKRvAq(>3gab0#ar@ZmB^6 z=$4dR36vEv#|)LZu#9nwmY{VLVd5oO1OwXRM1_@KBw^0=pI@l5_||anQ0oND>a? zBU$86n+2Jl6biY>{cZ>t|7xrQgGvz$rUhFE>J;L*qSN&+c4S4{wKVvui!Np)qx|>1 zR;yv6OXG@PYyN3y{*o&ljHy7I3GsfhD@G4Ec~;M^5X1^SxkU&toP;zk?4Yf?iN@J; zK7z>d=pi#2Kp{~2RIA(-#AR{80A+<_2N{`jPJ!vok%UnMUnL45H0Q$;g{8(zPRO_s zX7ENSZAP-Ub8cm^{w!|=uEKsT+X1hyh_P-9ke@yIfWSEZ=U>1dlB&>OZ2>n8sU3uO zt6b3^X-_wye*#b^i$LG#>Q4T28bX53L%gXUj1hy~+JX*MrwS=z)zhwqAl2BAD~5hj z8Q^mMY1(Ha{!Q(Sy-w)B3*4Z&`bI0R++G@TymfYfwHuV_$f*7pI}r12`-%|uWYh0OeOyxu;7}Ze>SC5{(C@D%*o^N>SB8I{`q>F zxc92wYkP1}<7+mTTA|SP=5iq%2|DKh_^;3n=sI_O1++WxhIs|j;mfwIzRT_vprv#? zxZd^CyYrs*cRp0)vSN72e76||n1aD9-NCLj=8z7{6n&t&4~b+qx!hYECU^i`c+r8P z_xguK@^>VbT`($v0#fzZ{lv7%h$sUA1^NPGocVLhS|DPgxI%=`Kz#vX@QfLOED>Z> zkQ~Ki@{-(mv%QYA3^P312pAvB!TT#+)iBgI2qGkKFiIypurdh*?A|mQ4h7=6J@<3o zw_;x~BREGO`X(dALU~~gYaHU;81tdlqx{PP22lVOt#(^?`H|q$;u~Cd>t(MuIYeeO zOvhw+{SSGApduAU3&de$VS>8ye+G{e;A=BaAY{U9i7Uj$|G9Cz-qv4WTY*6iCX#|( zSjMp<^sCd$^1x|Z_NR50oUdHauV!t$bm?rbGqRe*Z>VFjqVwdhp{d0;%9zDE+1TwO z9y+wXKl9uOjG;tgkxfK22s*Y=6Cr>`%`G&=HnEFPW_FF-7Dk=B-}rX}g>MzMEF8Kl z9)j{}B~GKX@iXwY7}d(t_&^WD2R7cS-HAvMJP^B7xLew45T}crihYph#g)a7?Z^SD zm26wh$WA&`S*xFHN9@707CNG2gQfaZ`=IFyP*5TcCIXW%iq(| zOr;hNGc$%of4Jut2p8k|EQ`{UCM3*z1ZWc7sLnriz^hVlYObs@&v{H=pv;&#k96Hf z<;CLJ?J182h8|ED`hzyJ6JDT`fF<|G_XJDaChcFLVa<)_~yBHBhQ zYP{lS7CNNaa5o5`Em%j>l)WQ~Uz_qzI{9iaj&yn}dUaSWA20kNTw<-;G=naPyRZL* zj_1jyB3xb%e-Cz2?sMd^J^%}|Aiq1rp(bA>EkHqjvE9QuN+zn!1lV8<^u+tK+yKg% z3%qtVBH+LizKaCR&fZe3Q93Wn514z#_Vn(q_ySTFuTLU-G`QC(a$!fa|T{O9W#DpMFo#HFf8(z~>&h(k@wuaxXIW?r%OK|DoF#Ol( zPK=bQA8{#YZ@dVo$Q$EeqG{qt`SK`jM-zwBM*3FKi}=X4RinAw9oo$E?D?@NhJGoA z25y>u%mTgu4!2*kSH{P{mZXZ_2uJ*MQ|XS#D`Brs$)Gn1jP8;T9_movE*LvE+_^_> 
zg{z8R-$DTKb*H7dJp}SVxZVqAroYJw@v<3dn3&WCKNXgB6eKiC(`QBLt{CZN#V4yD ziYolBtP_DX&_F9vAoOQ35I7^!-vjJQs-XEAReAf@7ZU15)(?-fAYkjCdKZ`n5LzDs z{+B18JfFK?6!E>gUx;mEfwyycT|*_gz;lGJd43==GE($A(D(gw2IxyZt6?GO{{1sZ zVCAsb$H<^}D@fgz*GGKqE~A$e_HWa&UBX2atUZ*-K{TwWpn|xwL2jA3c1A+Y(?O9y z-Q#1vx0^x7jc&KQGGyotpHG?;!OiQPLy;%j0W}Hxmcd+B*Jzk>Ya(Yj^{{6{DE`Ns zNb_U|1tDRQl;VT}{+DQK-#4d<{yMt3_lJMq2hM^%o(|@Hevi}!UHWC{UX1kc5BZb$ z&2z(t=v0yTiVkY0*ejZ!`X^xZhNaEQ*i2%ZB7o8#o}i%JOqePYZ`8f0k`+TjJsxwg zQDxcLoEE(SMLS}CDm=YvtQzj}4_%|5Qbz%a()tC~!q`OcBP7WY0J8w}ThYa5qOft+{rSis}uwQ>AL(NHA zcT51Gyv2BB*{K2Lj_5-q&ykmHclt9R!G-~d+E--vuw=Ulj-xI{$tp)f6c2#zJAbLV zD6}0>Mo|pLjwQ$_vR#KU92NO#7KaWgsQ=s%FR`S{gM*sKmJOPmcWW9cFjQRv$FDXG zW}Zl@zNvxNsLt*crPaWpeQoa=nYISWUhOk+7dQ(KRuE2(mZoEfB;{5hzj2w7(_RyAu|!L+oWs1L-&i8$?zYAF zSNSH)TmgS z4nOLb94@LlP(eW6ZKX*2CA6lbsQuW(t%&@#v=(R!8t51d3~=hyYz00+ZGFzh@t+5I zG2v0z4tQFgf4Y!X>*noTmCeL~_hc;H-&J0jj9RoUi2OSK3cKB;<9#RsY_1{}89*Z$ zHZJOr57r=-o?Yy~sF^_TZv#3#nXd?AeerRg9p#^vPv;&(IZu( z>VZfgFZadGe;JlvZ_Ow&kn@cGN`BJe+TkF02qa6ATE4|lQIKZ0!!Yp}u|vffwB`!JNfsldAH@9$9M z2jV{TJnl&5m%k_?VHE(tupq#gpZLxmVHf!5cBF~HWWiWuP1aNxu&kOMl< zrVqHrG#a=qz)#?IABaAS)zQ?wt9ThAB!F2uB{8VzCA?G-4NP=|&_j97P-@5S&5(afdF|y;wz6e9=2zBb{ z5jA9|a3Y-=(SSA^nEEtwr#g%vx)fPkC>sOjhZPsMo=#o;%{s=b6`ehYI`FjD1k4^= z!i3*{9;o7h!@FM)wz1$VZeM(VzxOEsFD~3}4gV+loQK4sknk%Uq%jhT+7CL^5xB?1 zt4*VDcq1frxTHwo2GdPa*}vQ%L|7&L%WvC}3IjVyHo)Ke?V5FShBb9+elKkgtv=tfPWn7AkZ5AdO^ZkXhpw4EyJDsKFEQQ57 z6wg+kj>YS4`}lcZH-R>JD{~+Gn|=zqs8nNLN>U3DSF_)8|ASIovW0`rN;-rXM~Tu& z<_s!@X%Yq`xuLoYp3`|afQZjSDczTEpSP)l%|PY^wwN|cQ>g*}2yVOw?LH6}yu8c2WDPGl} zXF+ZfLUd9^x&Bf4W0iC^)Qbj%#H`uVTaA^fzidR7C>@BXy))I+OL}GHdb(?|#1obh zkTC*=#7}rkj}p>79ZRB4$z(T$=^*})j>r8S9zl?p@p52}7Au4%wf(IieFMXKQ5lkN zaB~mlu^=wy{tstuAjHMq>HSV3*EsLWJ&_BIP$Q}aMSCVw!m@Z7Q_znSZog{RHH*s4 z|AKx7Ud99FL8Q;iGM6e}XjfL0KnljkFS(T|H8F9+ZYY>EQd$Igi4@~Bj(~_f(aX8qH z8@P6QO^9^`d_?x>{_OwmPO*V3T-n{+iRTI6S(Z-N$ana0&{@|<(9!U(b0*ckSEtq` zz@kf@z9jBb61^L_MiJmO5>oVAprvO+53ntXDiCPs#(a7EJW~Y$`TR)dCD}RziG6<> 
z_d&~HW>Fm+_&e-Yt*@Bz?wc#4535BpV;5jKI03iZ+!BTrN>snQnn5A&0AVIEl3B8b z?`GSV#%B+nSh81!gwvm^r{}RY7m42WYO`fJN)~lCveC#Qa9T9#pou7awyR)49;rtq z-H1w*SUGf?ly#g+Gcpsm3h6rldt5$*DcPOej6`Wgyt3ehcys7);9}PAN?EE#UgE*N ze*ZCH2&Pe4{Gv7Fut#@>U{lQcLz`Fj{6vrFO_2EKzjIBvtt5D@N*E`lSn;IKdeDYN zkV0d)Gh0UW=xFM@oC!+WNDA>H%U3AYE)ms?GbUjto@lz*3U1=Dcs|Uzrn`@)wV30h zN$f5w6bjHDYF}x`(PP2*Lif14rdynpN-nKicchbfNka(epqa)Jw?gk^)r(IGHSDahPk2;K3Y&e4T&WYuLtSI_Tz352(!^)IFk>w>jLORP}) zqNPLykZVh9UHAUr?+Q4{ha!SX4Qx=e1;!TvW>U7qYqvNrS5!`qUoS5YXJ?QvctzY% zevPX;pR(H|MgBn460L^|Aw-Yoa~uhl#Bnk^0LmIM1IBRRsol=6R{zspQ`RR53MkSL zb;+AkY^&jCJ8;>Bh)(FI@OsxmoLt=7K&70Hz?Lb5;2+o`B^pny0aa?^0gD-`PGpn zW$&3x6nOV5uoTt4RyzC2`EP6~tvy`w0)q+Uicd_r2zD(=r-#x#DN(2ai;Zim!-@#`>dFw2c5eBK(XU36F8o|MOhKdkQI`CJRDkoC89ug#Ru|nY4qeo2M6n?Bg|Eg3m zu5LZoOr3DTWPloUv1uXot>EFC)-K|q`%~>EqsGE0Tcn;}50@r7+B#qO-{pm4=B>_R z=*q5AE%k9o>zBr$n_zVmTAOETsdhGRWh*Djr}By~FwE16)gU*zEjhG1BPFVZfon?= zwUYKP@+W|HxEoaKzINVgkwU|tfCQxbGFAj#HgrDq`KoA1^&}m3Or3v3*T;g4Z3Ait z$}bP|yV|k{IPHHzzyE9`fg}%cy0A#my=fZ+4PJyisR~Y&K6>zTrGgGsk~}aP+Qi(k zE=LZPHrNbxvQK9W-t+ZHzD-^IQ4G@^L4CrMi&$)D_o?rL2vsAo_5OQ?9nhNCd)ogZ zwG>)4grp=gPtP0-N2Z%-H7j8G|U^Q4M# zWt9)kC+VoJTTKn%DjPuOm_&o?G&wX<9OjQ@^;2xewyMSzcj6b*!8DFox&+ zUux?lIZ-{=2AR8Y*E1r!i@BvTB;u$}gv43d-Y$=~v`A#7_TR+uJs9!F|3Ar2O17Vj z5=)3}d|4LdD0*4O6SBH4%l0ICc?h)9-POe55eWgTjnk}5F~bRx)2+yjN;ZxzNC1v2 zsI{w)fg6h@Dfg<2Et-ra0bj^SQ2((DfpgQ}=&~-!>Us9l)-SiJ7RRUQt(|=IdoW~Q zfzg~yuQQU>@`yW_b@ZkED8%d)rw?Zo??l`%ApWQ;_9wfCvEA+tI!+PxZqN7nh9Kh; zUM%^)N+8mXKgTyxoiQT1Bp>i6#ugSm9`GmUTH*h240J)+iHBM$ZDc4=%KN_FIR^g{ zlmDn2!$fz6Ub_kP~YgCG}yd&qBJ{F$P&p`6@!KR9z|=P@?ntUm+A$9J(x)13FLSy}4_&b>hie(a`e z?9u)tga5xIy?|_fUDij%aDMRNELTy7SxI#jkY(G3ba0<*^2wTG zl6FF+Tpsfo1_Y!__l1K2cUNPT{8I1Q>LR0x? 
zax!kn_qr@=PG(Oii=C6eV(Y9V*|&3ScIb{E1Z^jHg*hBb2RYy$je{_?>n)p(){VdY zdx2g3Crp=EkpeMXY#0*p@>YA?WVEkXehZI^yI6A$*d;eu5ah)fW5*5MF6QOP{bwBT zHvVJSOW$~sbAm8&zz@gsjND;yzY0m>5#^8rWY%dYj2V++uxTb?ee>% z7{OBf<1R%PmWMW0dqH*lf!65Ois5wXq8BZT?(U^u#BTWBpl@Kka}wp5FK^#)*njO$ z1xFnK+!6va7(`rR0_L6`p5^_aXnV2aQN~g?z4_mrB#Uy=^e~^WwvW0DkG$O1%S~IB z{@Ncy;$*#u@Z!I?=;~n)Jv;4>)#OeZ3iEXmjrF_S0Cde@DD#5lAvh;hdhdP01(#;9 ztvkd+c3H$qF;e-g@>noYv>jBIl|p%Q8qKbKipf3=vUrT#Hj!;Fh+B-2-4SPfW>JuJ z&SucoVh~dheNAn}QRrI?Pz%l=BZR)>A``Ep2NA8O!FJ)@WQ7YCK$D*~NTzlt zcSD0L+(4=ET~WYwn5e|;znc`X%bKsY8mIg@rP@btvq+7#xvQ(BE>8A+M6{mmJK{uP z8IYMQmx_`T6UeADlEv6JDQfVNOgz$SZ=fq&(4C5v**#qcqka8bE?t*7v4YL1gs(1_5CTfK0iONYvv5cEkQtFXto+#v6dJHXvoV zm+BX$C$0mtHBitfa2(;~2~|UZ=$mof^~NkCaYSn>&%j}#X1u0@kUlb?scx-voXe7y7^`Wf%OoWdg{2ca>k)P5rvn?i1{#G z)k;%!^?IA1&GyM^Y&g*+byO(qoic=}S*SCHmmin>3)Q#egH=#2=^XbvYBJ+z{<^cy za(mf>o|i}YTi|PbM#NR+lwj_Ai!s{|JW23FkgVl>cfHR1(Bb{tvS)n*#JzZahC2rO z{`w5P`Upf%xLD`km^ZpT&}(UFnI!c>Cj%Z_i#v%7)Tcwt>)AQp1iWP2W zeIrPN6W+NF6#Z#ykl%tl-MN<`%4pyxdv^2ONMu#)SJp5y#%_6GyBrTxu(>2R9|vb2 zk9No5uivw*OvP8&@IV58v2`-66UL5G{~3_o{L8{0X^IgHQ&tbV0n(hV6-+D@EbE^i z1pUb)Y-n;|T3yy^y<0?T?t6awlE+W(X34G-jkb^rG8{kduXZlE)Rx;c?}5Ed`QKRI$`NX+>_3x|6@;+w4g zB!R*~4WDX3{2!{E4!*n8mJxili6D#vMA8b*QUL`Ku*$b`L%so}5wbr39`K#j-8qEh zCBI^Quv)+^)@5}l?Suc_7k$5Ld;>;kh7B_>>k@egBCv_`dDQ#FRxXKzYpo_}MM zgrYXnwmpGH^+>Gnd?Jisb@1tXS$1mieo`MArT}@raAqfCi9|vki@*m2C)}3N)eE{R zxJoi9_y77@neX=bizY5m;lM8vvsfX-cN5s`$KCaUk#f}*qW^{EL=fAvPg?$_V0($a zL%!F!Hx#=8{V1Qe_PC%l%Py1Kt#J}0J){_bx1(^pZP5-5#uuh#sh=kZ9qLeq5NwLb zboo-e6EERQFP1a-iy1uvvd)Gvj8wh>=LU#R`8H=1^Y+Ap2NiN0rpG2?Q2sd2g!wJt z@9*R0Zlm|DwRg!Gj+_f~P{%Rs-@_TP%I(A%CPA9Sl9!TuQB+yl9ey>PcWb9aXt>WcubdrQ>b;8 zIA>D~a=r@zVShm2`3ib zFrvc{i=OTX8>j^3f^*^v%VOYfWC8>N{1=$D)Io9xw4GN0kyE);B#75tQeGlfp5(sb z5uq}lP^aIBC=|dwlBkLe@!&*YlMm=3yRsdsV5b!U_(Aw>u3H)k1nR@(fa@{ImJWGI z8n&B-s{24qAgDl?m=)>n3yYJT>KX}k_K=kB&P&n^;1@yC&LLsRMfezOMI z4|$lB-#WAZ>%beE5R*Ba=MrmNyndb~q+JeBL}5fdYQUF1Ucii`(;%p46BA4tR)yH| 
zvXM`6m!IZp>cm%V5<6I4DaL2&O~Q}$@jY@#u!q{qSBu1*;ZS}t$B1QBc7B7@hE3v8 z);AR^J?{5mMyP><4)Q@3eTL|A3J9+q=(t6>NQP97 zB%^A)zkcEPdN}NZ8o=RoKr8ZGg!yN^yB@Yk%P19@nU6et)cTM*+k|O=iuU2+rVv2g z<)Snk3|8T>?h;NPQ3lRaj@@}o^)F1x)fu6V=6zfqGOnVGZbn0GHY#{dj&B+HKR?>M z%YiE=t$%cf-Al-oCJp(ep){zq?j{L4OblRZacnka)`e(+*ba8gXN265X-(pTBzD+B zHyV@1LzBl?!;vh<&XOO(o#JOSFBkxV3k8OLD zpP!+BzOMgW8C7fmw}$Q?ZLfc1@@ywEzK_JmM23H%Yd4`K@j@{9VhENztMGlIiSCr| zYu7?lHI|JI<0)D;uKfy{;WEQHNlx-F^(2$`7?Zp1h&HzYfRn|e?SMh|JSdLtPpWN= zMUobX2sfSG=Fl@Ugu*=Wya)u>vw4gmAd2ZYtG@p~ZyH`O07jb`0JA$FM$&UXp3PUD z5pnth)#d@#ec$NDZ|JHqS5GggHD0L5;s{=q5C2$mR*x;pSN!UQ_M~Z|Ou~=W?A$WLMu}@`ppfy=Z9XUO|GlT`)V+1<-md+jtGcT{ z^{(1`uk~AtIEFAuej@$1az7($Bp}@m-W!f;T&@&qU&&=vPnL#ngRDqOlk|oRM!8HT z*xYR$d-C2H6>h1WDM=r_m;xqgnLSS&J6SjGzXV!3!6e@|AZ>kP1*MC#8I#+U_EC0t zCC5UV#BFFlQ!Uv3*|#;R(E!U?T#_Lz&e;6;_Y~6xib8KaN?mb>i6*P~3vzP1px!TW z%%NQDlEuAXa}%d19Lkconufw5`lu~oal*sQTF=MgQlN$NR=+iaKMYUbRdq4}j+wfP_lLmm_>!Rez%M53*q^wyjXUXY<#+1*% z2;K4~-aw6~DDW6h6r(WFFrmRIq&SPV1jwOZOuCurCyX)+7|qcDR8S=uYl@8sJ+j2$ z{dTU?%)7FwHC3edV!VQzOBkhKu_q<|B*}MOyS`eC|=vjzF)cS zr7VRO`#vw(ODVy9Y^7{4!9MyX>oA5D4M2OA&{xAV#S4#A8#Ewm+!Asp!+Tc5mj2^?{tN>79`#liBtaqgksh^{>;uR`yEm1?%2CY)%=@kDO>%Tuy5jkh|OSu5(zI1b`f(<@PDiq+=TO^;+DuC79grcaxh;MJorb!K=A#jh= zl_2)gRDmHVcas#9L%~59Sq>?U=d8_9|JBqazcyf?^!PIgwQz#>pGN1TldPc@f2CN9 zV(Mz4#a)zZir#H{&8`k!2qD3CxPTlu{<3S&VJ1KqdP5I7ZdGF&6zJ??e|LLOa31)6 z0)8=YvOjWb-I2vEfDltt^L2Z4Il8x*w-%$gtWNeJNrzyFrLa=m{uFopy&T4xvjVka zan|v`_4@+50MW8`Fa^z0FpT50;MEQb$uB!hzT3QYBv=iew=>) zDL>uy_3`%k9(ybf{CIgf`Pe@^UEiONbQKrK-2(kOy%z8O>FwnxnXcAQCel&fafFWI z2|A$ik{HjM&F_OXS(ba?PNEBl zaMtL>$Ky1(9o)_&8{;4UYk?1ex8dzB=xx1!pQok0>K^s)4Q@j50wR5^Ve%7cM=&a5;l7%;v1v`H z9f06PKv98VLordGp5}egHt#y?V>`8;b$oW#>Mi=LyB}|KbnuUgHrsP z@ZD;bnZIQZK63Kpi?iDX{(^$4-lHi%jNB6K{3}Wh)}PlCCtg!|fX5fA%i#F*ef@M! 
zjErpkG26@FfX$D1==2rhH8-z#1!pV zv|aL#*fMc{kw&_!IZxY%Z}wc(m10xC&5Vnk5NsMqrAoB%!wAc82mbp@K-^IdR`=uH z(N&??nva>X$dOQ1Q8^F0O9kUFX%B(j_qUZX#HS*YGxqNKfCfxzA*r8!zJXc1kz zEqLIdqsjbyd{dJkT51%sxhuJv>+JmkVJ;Cm=f$KgBS|2WGFNXyp_mEM3%cCjhUsc+S~h3*t` zjSj2UFC0W4e81hH1$O0iPA7(iqN5R?;%uvbJ>eb+VC+7ByZ)exKXdyxeK>#|cUCiB z(%!Z$y^T27Ul6DQE;=_ld_yJ@$lU&hf~VLaio4Mh2r*fldy~qx<;U!|#o8crvbZ>* zhpV*Ropq$6dlr1x#Gh8){Bv`!VsKj^ApLR8YHi5_E%7;V3-N;4M7Ld6yr$uXtzltP80RK+0Ocs#)+H8shdp(-sh(*j*PTrwQJW7RjAQ#ER>H21g=uI*V^U&XfG$Ei{rq$1*%4%T>N zxr;`96a{!dlmwUR?gq=VvY??Z>XjmN(Z=5>oih?PFA!bQ$DGzWEm^VRzJ>9S3MsV2 z;^x5wy1cb@c*_n+lcVaO1Sy(ws^kQvin4+##)unDcPSGgRYq+wl${E#OG>|*iqm2R z1M2u15V*>cqzH;&E7gellpqJxdVl1^kVC5U+~CK=-l~7gZ!?i;SDJ6-dceOY36&S1 ztQ)|!O&-df?u!Rk7j9r|H1GG}ID^iwu`47R8weF185IpIj7p#f_htg{l;QPWYay_n z?NGuH(y}9)!CX4iX^>ut%c6z8O@FNP$;|QUsVdCD@8xw&tl?TwiiX;qpxAjr?;(lo zyD(J8mTpZC?#B9%U%6wMUcqNnwRvS}WAtB`K}s~TI}}XDN_{+J;YA$35Jx;(VIkwk zdWUN&dKGgY@mHJ2W!h$k>}Gb(Aw!Ck-JPcQNvSl98UM0Eu<`=Z*dR6K=7aZ=+af?m zevnV^G^X~>$JW^yg0p0x#>*Vcym1ZmB6KYIZBJNdV)XzkL2gGC}w>X=P%J= z_aQS6$n&#@%gR`Bitd~)Z&w%Rx7(A01M8YVE}4{?E5joJ_2%QWfT7glPv)1;{$K#d zV};s$2a-eO^fdh#AX{`DYb(x1oBq{ZRsAYp7}t8-+tcIq?c(KRb2W2Kjlr!aPyJjU zMCWf*Rofx4`&bZ4dqiM>#3)E(qqxp71fi3Ut;{x*$JJR{^awJ^;=9B_0nXIp_Ca|@ zcae7Jm;%ZCm>v9u&u_`Gl%Dm5fYlCBDHD;(xYeYKnp!oeXaKQ5N|`2To8jy{WO;jJ zpQ;L&Dy0P%%`e?$Rm@`xZLu+WHQl~&abhpAPpA~S!Z1>`6FzipUS5NpSkFGcIgAU+bu&~fsTB3h04X;k)j>>IfMGA0P-I=z zs+eWn9IpO~=Sl`K(i7CD|L>^AyUv*=rZZBh-kiv&U(q>Dnr)=X!WChkwFOD?$~@eS zvfad<_V^-p0WrE^^*Ca^6TNafg+ESmj6{1MkasZZX$76ePw) zNq-J9X~3N7Mr=?6Uq7=A!&C4`TX0D5bKh7fV0q_mp3sx2Xj*A+HnnAa$pvF{Pu#%5 zA_z+`07MJOZ|*YGTdTR%qliOYk}BR^NU#P+^igCViLmqSkx{7db?{i7^3h(Zb@$buf}zoaNTp%LMi6Yw zP7*Z1J5Uw*)g@ET3* zvsyP|BMQ-!)MI12T7}G!y^t%}mmruA9w-hNAO0Au`=J<%@ROo9&pbr1lt|K29yNE!=vP7j=SrR`uJ;QmDdwFg_5H zseR&4>8K|Qc0Dz2Tb9zcG=lOgzbZ3PX5b8<*Kw!t>7$a>6sthVXo6mXl0$0;fqmvj zt%QjXR7EEv3J?jXu#yrrHjjOgXEV`Zo}q_yeaUur^%^#sGp3eO~si z;o}>jax8;D;UF<-kd~Eo)&m>OZQ>o;MMx>Zm*yF|HnVsj+oJKqqSYhdr#!P{sh=s< 
zt(f+p{`E*KAYh6UOB+c$wXMn&X52wdWZOdiT2x|FArpkH9siZOzaAsNRhnvtN15z^%#5O#5K}6s zsun*|Oul-GIF+d&!e2Q}M=?dTJy=d9nSL=pHfkKALj$GUUGT1o ziSeOp&W3NRI1x~`Va1u;2RZ*SX*LL0CqTIc+#-bk_TR?;h12Qd6pNP!Xlm55px-O* zwGLQ;6E)TBLKrBo8!{fH<>MOpm5w-rGNq)=SMJNV{0`E==3#*tVb<_K^44Al~Opg&vk)fNngNFXI1T-IHhSfJVSPy(nNKpmF&>Dm-yQTZ#8GQS<%NWLMk!x+6;G z)-5@C&fE>aIGj7+3F6VsFtCITKR39w#AWLLNxOqpIC;O$CL=Yh3L$lAZwq0r7eQ(O$gRKSv0^){r3d7$0znXP({;#~b9B6{4`8qG~LQWXZ z-7MG(D`8nNOR<_|nsLXW9>B@-K={gcWB{$!2(s7PxqPF48w=yR7!XZ%91|mG8s0d} zrg1X>?dMVY$KXF$b3vWUl!nazgZ7uA#741(wdpObbLU?BpWjfN19kH7NUD1Dd!ZB(X^r-n^xC&`0Q;nn2;t_cv)yPve!x!1nn3dqr0#h5y-pSz zL3&erKSSKMKxDeM{o@r+_O2g$<39`zhLaZml5)i*41-EA5-|G>dfR=3Yv$3?PodLH zhUubuCy-0BNc{x1QKJyCOp#(HvM6ohTB7$$<`6G-{YUdr^iRZ<60PNOU&&_}nfoSa zuCS_+$huGdX+Qk$@HFMrlMZWdcmj^_nGW-y8&*4O@7DS4rBjIDD;S5}4_HlqTO;q* z_3b5LbT0pFPYj-)unC;rfLiSIf;YhmQ0o###-R_dHI?#WZoYZEw%#(p-zzoNh6%pJ zkgJhKJD8<-u^gY@YN#YK>y(CRBUI+6XO_sY^?iM&t4SD6!Q4W>ZnL*ncliUB(2d&_ zcJPpKU^Q`0X)5@85&CY~1>-&<14(mizy-oafGeMH`WfUA-vSC0J?=1wy8$n>9QlCe z2a0QsD7Z4K#7ps3fFd&T`vDr?Y3W6Nt_b0H8)XGmESeYrCN>7P6At`-k8>a%|G=qQF!WYV7e8M+ zHyeG-l>A_4?*8(1?N)XdA5XmPv&7*1oQ8F3$F1-X6#@|5ua{jLLa@P35Se5RCkQ48 zxbCNhxyIf(i4&!{368e`5pJ2Nrj(ee&RcCG@Hsy*abW1GvdF-ZDeV-}@k#iMctU#I zxC<+41Ol1g)R3mAyrLuoc4KqY-v<#Bp7d$2*O_>w?fz)->bg-K`sF^gdlGnk>#GM8SrvMR zCJ8(4BCC?(53Dns8oBLOh7+`1KmFI(f;GbU3&%%#9fcS@oL+S0J3~c8G(^y+gw4jt zDCIi##w=_VBi?JNA=4MnkYC$C%E`fIwVCunF|&Q8kes-3!M`kSOe-#SvQ3?8t2x^q zk37z4GDxjLlCihi0#(M2C4Y&n{H|~M&^t2k^IHI)#oMkJk1CaGQdtI1J~NNnAqzgK*)04Qa0$T}EF8|S`LB1`&LV9~tG zke=SX<+qpk4j^ZB2+w#veSjOY*DcQW!lj~yV~v2mY@E=MzF>>AD*bub#D8x3-^UpY z+u#`$#56Q)xtZ#I#sYtHlhH+#Ga`;psT%>6LNTz1c5}EZGrgqe?qnP*dA5TrZ=7GY%omb zk>4E6g;jnf-&iduP@pN$676HpnU(&7!f6OrIoK;^OA(%U)0Sny^k^z1MQo7R-lx2A z`>@_Uhd`BqS`Vdi;Oj@Eg*OGiSKv2K2#O{Y;rOlZdsSTS>E#~cNxL2i&Ci-L4Oe&Q z#&=ZS98wm$I)4D<;H3Ocl>7M~nE38s~ zgjuU2vDt2jQ>Qp^o$l`+XD=5YkP?M-ncmj8Ze~AlV?S7jiG$fn&ZBpuNZANzW@=_X z$iu977vKe@mf-E2+)H#RNRnDkJWtEcJtxPf&?U(aeh(9*#6T)958V+JKnbF@^^X|| 
zN9#ob@a3gzH*hNsd_(z%M!JoC$U3KIh93w6kF2wU@mLVJt}p+^W8z@NzBX%4Rqs%7 zk9zgXOMW@xM>|vdmArQc_WxG=BD`?=`pPp~i(V#()YCFy@03SQ2lr%yGIH21m!28Sb52x&e$%w7G;$5{aAfn-DY*st zVcpV;-LSUJ0Zp%B5zn%k9e>-kA=mibGws+HZxs**y@Pba#t}Arh-AN!}+*&v;{4ezh-wbYoO|<<@Bqs*{t*WfB(5Ipvk+DG3!;jyo^) zvPYMp`Y5+OTP<&B@{>lHQf$`nD0-jO(51GGpfYdRqQ4ozbBVEcP*OhV;TP*H@w$I) zwo@}06QV*OhKvL%og6zw2)+sZ0q0RlA(8S^CU*YEqL0WP$`TybpV&o9b4d4-_*&Gu zkjFvKC|x!vlLj)`l#gBot1%9|?2_lfEb=y^y|d!TI@xi$d7rr$GNsS8XFesTvYzmt zrjJy$J-OLTbt}~Vs7Cez9ulK*S{O>%2UhJDR;{s?r(BB7JhJBMHsY;jBQ=&(6_NkZ z*k)Wfeeu&n!>Xz%b#dKF*^)0F0>=zsenvR&4gg!GqheE^P-OR)mZTY9nR#S|w!6Zs zBe=K)7|zu_h@4d0vQnB7u;hGYYLs7+Jshm*s}%$%5wY=ab?F_KuRLAdUOPO5+gVj# zwSGf*El1U%+Kgzl7V+;@+TQ*b?_4;iVfdYh!M8HiHXfJDImMAa&Iv8isihw2#fN9B zTVLs?w4Dk!Y<-$_6t(rV(nMKJ!I1Gu zi8|<&ce|s+=rBzVU2eRH1>Y&UTd%)U=D>Uec-??mVS0LW1sl!T-r2qM z**_5u*V^xKS|Kp4?x9gspK%FvbN1qZtVD1sFB*>b9}wB1zbWMDhxKc5f& z8PQOVU5MgSV#1t4LF2FJf6i@&2)9StClBK|xU_ae&aw<+bp>c#AJGwp2-Wm674L)4 zT_WX%#vu=EsAhz_CD|TjpA{wZms_$F{XFXVg~ltn{|BjJET3SK1X0I`xw9$Ur2mHZ zQMN=yu0DqTZXovp9rG>gMZ&Z&4R89g!~laA*FBNwV0=D-K$~dZa+g#R)J;xB+E(K+ zjS?IO#&%p-=BC;>k1aM_3MH6}40G4))J)P9llD}sKH-RnRrt}ItPKYM2H!?d039kC z$%E}8?77iU!Ogk;F4whok|+<`zjzYVFjMb}!Sy6>kl^UHz6a9u+DSPdQ@!)SqIR=M zXK)jpHp&)3m+O!zu-vrMSNJ{xFVVh&l-~2$8!!4+3+tZ*R#hC2g6&$Oqk24;UdeIN z3!<_NIAjqs>f*T1TreXsY1}uL4o~8$IGQy{MYMWmZHb!yzQ({y|1dbFgTee z@IRQ4fChMNGhk*j(1QIb^Zb1q`t?Y+UQ--F9Ql`oj2Nh83tV@Xp)3zLzWTN(zJMUBWp7+5HAl8f|l zUN$)5PSl(VWW~*|JWmgMFMdv2g6ik=;U~I1pn6*P4=7bfSqGZ_9ns_N>}-7C_GV@6 zD^S==n!mo43JBCpjNYY_Ztz`9+k%L?J@LS69k=cg$<8g6`zh>SvpYep=@8C=xxAC! zpj4zxi&_Y>ujqo#QAE&fK{L!s=%D{1Wte9kwdmB%L4tC>CpqndAp&12#Ytd%1Y)&V zqlm1+0MkjXt@bFv)2nbeIiJ_sU^UzlU=$WvDQ0ehTdZ2ygPLg_y)((N&pViEH3&11 zWP;wc_K&lEaXvTZcmB@~+UPqndtJ$Rwb8v22$tuVR9ZDyJ42%b^UmGR6x*#Y+ms^! 
z-&L`l*uWh49V8<5Z5~%<3cE2~*m+$ecuPqwT^{=aMHPAE8 zmH_BV09@7ty8irh&HuFRT%D)^UVb`%T!+5qnB!Oye7d%sbZ?(fIu90ZPdOXuVt%>c zh%X`izlhlTNC$ zx^2yC!82)UYmL7mM>&h~Lw#fWi8l%zh9r4Kvc;G~Gb9h+`25Cr`>52D0M+_`#%1m2 zYUm&A@bFn46^7ZWu?d(vZKFQACg95G2{7aF@<4xvg%^+(&%oI>*hu*BP zeI})}fy~Ny=T8MT9}3W0zK!}4x{XR%19mf!&jft>din}@epy~|JTJX}Pq=S1xHKwb ziOK(ppIm{eX4yVKja5$JG)mxU<##c7w>@t@B)q9&RK6&-&M<+N!(NURZ9yCIr|2Hq z=6A&?HW}gRjcI!xAuHP;J0t{%S#iJ3PqM5Si4>3(ek6(Bf{Mm_F}{ZJ z+JjJ&VA~~m5Ch)-X^#A4g)A5fCngVJk_y%#yDE2AUY^$$Oga-emcc}4zZ13^W86jjQ^Vg#f%go}-k|JP}>(sSkQtK0w|JWwqJi=Lm zqvkVp?n~o0o6!;V-#I(ZODcN%`0{GbX_*44u3)6rL)IT}isss$_ZKFTUOs`@qJwj_&TxBOuZ(A3M<2QucEVeB;ft^?zm;|1RbY@E;Ih>J4b?0(!^U zUIMMZ$L#YX-a?d$Ze< z72noo*QK~U0?WtKF9d&Xplm2Vo0-zB3-s4(I!LFzP^`HZBX|8H$hR1738Eo^dnaFT z2`@x|qk;BS`Nvp+uhMex zxMFQpd+kejur7g4*p*bvR4Bs79erpqxkeYP)>nWse)GEC22rs&MWJw6lMR;4k@gJB zIw;bXoa`B7MV@C=oIHb&<7$bgkix|xir52UKWk=l&C4RESC_Wf)3)(I>T`zcbb}rOld?rZWU3#K7mK~~;_5s{Fa;rnPRhuKKaP-EhRf&8 z`Kh>gzP~*S>bB^%8Kr#*-2X8$-;3-3;RS!F*apS_-DazN1F8VUA7u1eYEcKI;>7=X zCIl^*Ol9>~s0{?Azqx5CmU`#fNsVndtfE3UlJ5r=1TXxGUekvhs9c;J&c|3exTnzC<*Yoy_T9;c3)#i{4rNBV zXM*k-rEosOTDrzjs034uTzR-6Cet+PuWGg1qh!7-7n(|tZSv4GfgPImQZH{l->t^$ ze-48V68bg^t&Uike@rw*m%3m95?mO9??u?Xh8_jwkJ(DZIotcuoHI-Ct}XLnvl2m| zL+B@E1zK@9WK<|MBTbdOVp!MEHAV-dx?Bkxm;;eF+ZoQlIA6(&`Qf2Y&1X$!egNV& zaHXP0H*S-Nb*_)?p6Xy=ej%fP?BIPr5zjkZRznIcx`#^y=EbYz&`{?p`gw%`1=@KO z4)Ct&Y#sQ-ZZS#Xy6q*mmXmDLiIKf33ennIvt9f(E%VDcbFpb2k=8JoHiwzkRBYHH zFH=kh1OlwdDp%_7z3IBzG9Dz znX}${cT#iD``^w_a)Eia_zp_H!AYMID8chlMZ6v~ud_$wb>`8iqZ-|IRThh39u*^~ zrI4{J-yGD4sH#w(sqBA1rV&f1I3>bw8KUNqruoAh4Y{zH+LyUZU=VeW^+d7MbGuT4}4@OKB38k6@B7dum>5$nx zKpVL>uS;(;G&sTqhv>(l@|GGrXT@DKQSf2PY64YkrV=Ch_`zWP%Y{h(HxTNKSdwpT z&K1$4afW<7e8R#;JMVZl>_mgaPtl!M1-Ln9XzAr!70lncO_~|kC_D&Jttkb{5l>>k zEhb(sq7Xr>y0CJVJ;2{`ly)!aFsCTas>OQ6`q5q#b2qUl4iXv0{31P!BP?L*Ikx{P-S?%B!Y-njF;bjEfQyIX$U^4MDHILbm z&f1WIdNv$xY|k8k@uQxx3>jy6iNODAH##L6CzoZDyWCR8OY(*$IbjQN-*G$J84qCQ ztQ|0(D9oY0d(<~G#z(xN5=pS6NnEo8tkn5i-5x4aJc!ZmKH1ycK%NGQt<#SKt<#gv 
zh1#>qm-t;}$lz2srH+<2tR;z6&8;NC84V=^8Y#&nrQ5n_1JX|7jn1;>rn>Qg*6k-r zx&jTQ(}I!9onS2_gusPF0iU6cGyeOE(XE;2{8;#m3;)(XHX-+nSW8zMX{R*S47`ViHzPx4^*4Jcc z61(KkL~gs9-qWuUu!rw^L*nBC*XZm1a}s2lbhvF4oRR%~H?^s)*l$ zEWTK!k4AO-LO?{eDhP=oWQDxJEa=7tKnE73eo*dV8HuTG5jM#oYKxar5O~+l@^fD! zad&ozMK5KRX15t}UlUNp6c{q#V$1+VXkXrYfg?rT+qe1;eI|F)8DF+nW*&8bP9S&h zhPD(qgyaXavK%S7$Av2&Ys?!jC&*a3-bQCJBfFP&c_M`h9(h~V=l3pVaxGxfNB;Edt(E8fH@+!OJx6j~2GT;YgB`29s>xTAF+>H8cg4;G`w+1h zVDz4pPM{_~OG*2mw%Va)A;yAkk`%n|hkA;I8W1W$^;L1@ty* z`d%E4e7V+cjjRFLpYhJ0eUWZA^*#tm%Bu=LH{6>D16Q4`axtPW(Z*k5c@tuBj-vOU zIHU5(9gB685GWsx2hZ*68)BxEIdSCKF=N@jx`hr1pfwjxgh8Lp!djVs(G4o-wAPMU zK=>a+=n@*xlm1D1HJ7?b$=nhu1}&qM{S9fXDORxAadcJ|^3De&%fDL2G*bhJGU|IfYVj62MT9+?H1t9DGRA)d@ChJoBa^ zV)?!8C^e^rXz(%moj`t{J13wSOL#xL5w{ap2@6 zV<9N6VX;v6B4V8%kOPpZ3CxY&ylnou{>>kn+(`6bF;pUVZ$vA?56SmsgPLkV)0%_BfA)ibSMfgeODgz5t zRX)$EEbRf|1>X|M9;t7)R6CNNK|_Hzg!2cgS=dCd#j2T@*H+kLrSi1@oxh zc9bbqaCtDO0wV&I5kvO^H3|{Z&)M`{k&r)2R_pNg@L?`XTLF*U-7ZtB#B-IoW6vIX ztL18^FFtBt6sljjp`O9JtFIfOC1+k9Bc{sckJ2U%xX7JU$(`Zw1;%2CZ66^Re|>e& zTbVushrYhHraXYYVYM%msTyjfS%?!RS}t}2wlKHXiLHZft%0SVr9EvIFhgj+jLdBhHSvBT3wAGA&z-rTxcEyk5Mln@ z7WQ`a@UW?PT;S~DvS1A$z0_^;%|S)3?er&XJuV zY??a8TRCz_u8+uc%FxN--7Bm#c}6=_9r-}_W%I&<)nSI1b+X5#o|2^1Q z_bKu8we%j4y(RhG&0_c!36KiTAd8 zy2JBwdq3CApHFv>+j}DPlW_ke8KS`h@nQm8o=qR%WL4RV41;5IFErVq%-jaYm}ybb zdI!}g=wl(O1ZcYui+)}SP&$vC_}6Yd%dYm6nT8*L_traZ-^?Vw9l8J?&$ zhKO8TT8{01SR&hYP=sP_HbyS(8r05TyS^P-wG1R1hzG5B?O8+u-5lc<@hDzh)8_^eg_Dc^cg zwe>=eLDi#mQ(?99MUHd<-ESoQJuqu+tJUvlO5MS8g=Z zNA{(B42ax16|@}o<-8n4^A%0kQip|Y^1W#CvmhJL^oc?+N9{@b%?V*gbDs*x&Wgh}S2m4~Q|Nh-fbS)lGzo;~u>Kta7iBMty z86&0n5rwrG&t4O?=`{qK=yP7+IOpNHK-D!CfInmk(k5DlzFgYb`w!~m7}>!&R((Sz z+nv+ZY-cg<_ba*qfDVuwh zp?$V9JU$*b{Ef@iHjDuC&~HZd*kT!VTAD0*nr!}(;Y{0|l-m4vL+|hFe*y|x?XL)2 zKILO;EIDoTTaR+n4*%ppP{N$!LIdG1UYEz-!YY$ z-wI?W*w$jx)CVXf#B7LH9&aM#0snDcS8zy;<||OWBDJ(oyE;b~fZb57xQwQfF>2D}0Z+^cY**mMj)| zwqB-EX~dH*8yPOBYZS$G1^Co#lOt)7yg2~UqAy({kvma9J4$^!A zzy!%I&Vs1+@MC7-zH~PdtXkNE@IBu=T$KSI3(s3HNA|1UEqMboNcS 
z2j#;t^z20UYE{ePytU23-jSlC-n102e!N~DY>M4~u%3=g$~hZqb~K97(njJ^rNv{o0r*h7SfiT%HL! zX@SkIV2_FSi+I{9GdW|`WKlg3kPJzu#fq?s7BJj#bi7@>?8VjiDAg96f^ajMj^s;V zR$&mxxj^Nl%p7*w37Fi-G5o18U-{3Edk7wB@>C>R#5}Np=mpr zP|}(WjyS8#QOk^iAe=}^MykyeItA$|N>#l#Lgb_Fc_9#6AZ^Q>rwz$64R`3KBe6s$ zSjgK#Gt8S?4Sa)HUyr&QGp@j?=Gsu;<)mK0sw+^AqF=^m<958YHd^IRx{wSzUD*8L z9n{CI_^W4kEmdYyNHO*10bfp`=xpxK@}UtS>LwQj?e_W zw|y|>Je{XX60L+vB-daIMwuaadm9Aa!1e+uV?w!{YUNEc(IePkotv_w8apSq)+A@q8pm*bvSpr1$ABN18n=%dk;QV)b8H;V@+D z^&}71l|6-Buo$TS3&21>zll-xl}w2xf^*fLI(T%?V(+Z-Gz`+v1d*UqD6j{EV5aLO zoAZ%&!~+CkQyzy3_Km~nBt%bJ8Rnlrfv*tg=xjrH6Cpx=u(fr4eO-eg^d_iA*?7x1 z_~Bbe-FD}s->Eih^`vK8Yr&~^i5xu!s$5d7O5BqiN7}$>Dx5(= z-;aCtCNHdQe+a$HDBPS-F1WS(%dQB$25;0~H7?jl{;^s4FR${#Da8exhH`6tt6Boo z^CHHO5B`gT|3fO^zv8wwGTci^?Wz_gV-STZ#5-5+gMpx63kh#aCDr5@L9JG^dRDcO_ffY4NGL&s9geC3QlmAblkPtA$ zqd-Nxf;a<#89_~Zpxe|X|5a`L`(O2czbF`|{AZIRv1yWCxIN)e_G0qfo}lk5e1JEy z)Zah_RKVX1N}Pfz{PC#bsxNZVYg%@W*qS?mUQZ-J$1qXu7G4roC`mZ}+5_+|xYlq$-}rIxo74?L!l ziV|%K5Q;}2Kx9*veF6USjrx&gZuV#KKLyHSMMLEmhE?D}g03x|RWKG%#;D}XUKg?` z`^)m91*kUA8`>mPO{1(ozY55)wRz)Nf;_T~>czZF$;$sBC0JZsN^esELgD6i-C~JG zBl8oQ4Jl-Pmk7jI6pBKD`WiBV$#}EUmZDCeeQie^vHu3>vz~Ol4c(6voqODtN_T6y z`KEI7pY0UoFZ9jz|053%+Bv%+!`ZEz04?zUx8K;`&-nkV?=|<={(m0ga}K9ND7;DP z`0PC$-bQ7xb^&ykDg+)PPrVKhL0>7FcxxmO`vDWoC&)hljix+K$BR~D)1EZ|=FFU> z==n&8rnEgTbLJ+_{^p<$vXK}}twL3jSBx+fX|QHR@JkiVD(lRO?dK?BW5k0mfEet) zit9Shf8=MyO0%@zNorQfof~BmLd|K?L{+oNAf4*+!NhUoHd0`m&f=JKhE(POTF^QG z)uq*cQyLLb9V1ee609Y7X|-hLmL>6Vu}ssl(T|*FT3&u=j%G6cyjVJ?2cTlD9=&qY;Gf{@*MnTPfO5%H?3<{F zVKHk{BG6|CP8N|CKj(-YfJVJu&*q#^(xX%y0Ab(nB64N7q4;%mRCzOkW#%{e?-})3` z5&v%?Bn-)uwupu76Lf{xIy~#2{ms??(BU^m{?Xq8{m)KgXD8?Xx!zpse;(pn(j#x1 zsh#-S;%^p7PCQ^l0k!JJ2=)$=eba%{9*i z(_D6*m-f{BQyg9~(_tKrXZZ#S9Jel0*>XTyG>#CHrN@zNsyK3E>Ch5a(FTXrYV~f` zi-;RuFO+*(C<%V&EtBl*&Y{tysJ%GSPUb9)e9h%ng;L8N`pSq}5sxa~?%X79>B zwiS#NCD*Yf{E ze1-+v!L61KkM)g#-|To+>nr2CyfV%O)iROW^d#{a7ifB5Y^qJbwu3UH9~kpx@C>LK z#TeP6#@=(?I~-BbQ)!a@xpEvRFEk0a@wCNOJ*_APPgI* 
z@&#Rj8I8a-<`W<&kQ538T@K1Wdo|zuTgd;vP4%O`Mf|_9m(~C5?eDJN|2)WN@&5;7 z{AO{knf{$dW{d))IDX8g_yPD=rSfm^3{)zBp%G%rU54a&o)pnrXI(Is1vl)wCGf9G z8uhR85>$)=xbp7}0Im=lsv=_~WL|)|`uAFLR{4jvVw8XB=dbdwFwXQ*fCQ@id#&_; zMBiNge;3OC#r%J7uhGov|F_ri{~zYNxkl!Oue#PO{?1suqp;zEVKP26v*SFsNo+~~ zFjudY3FSh~(Gu}sVms)HIv23ng-88NMU&HZT_`3Mxsa^isiBezJHcX>X&j4LQAzD_ zE4+3~tJE{d`88#JQ8ne!FI!6{&a1?bk9n?^N}X3t#k+Rv=n&WiWhon9tXETMJ99xw z{AJIZt+Xi~g@{EQvE>>~oN(U+VLFTu$K#7jG~<<<1UQPsq>slx$!diQLpF?vcdLdw z#4BxB`{Rbe1@~x(Ow-D~bTi9|1E6Q% zT=FYr`qGtsm9Zxsx#V_csB5jl4Gc^H2r09TlVbBPIjz>~ZdvL8yt1vYwBzhElVP$r z3Xmr#JGfgzQ7saf+q&-A`kBeMeRKJL6pk76k>2+k^+xq0B)8B8&*lHkokqRh$h`k( z>@;`Q{Qn`oV&f1q@%Cx>;iTf?o#3YaSLkO+tWVhYN`}vCJuV8SH9pyzPNUdSiKrZaO1)B$t*_&%p|Z!R9DpGjQHH82Pu=5TN|xS~?o578xJ=;V(E<4K zH#Ksf8~~5J;obyIwPmCBsjdQN9sohZe4+~P5)GBjRX&$TL#s89902Pl6oTPlBouY> z1F#7iwe8wotx?;N|9iFHsMlml14xMid?yFo;+%RI3gou~BEB=5-eITT2Hz!l>Tu?( zFldl~(^e!VP2+J|i$V~Dh;d5fIy*mZfu6aT1$`uHaig7ooVSj;gWrHJr8F{*lqU#D z(8o}Cv2|Ymx06BZS7+pnoxQzUqp@3SG#m0~(-i%+dfMy0>z;t`-b2ETQ-422!*}4t zjquVmcu}Y8nTv~V{}gOD_V%g`&1UH z0Ly> zizw-)29Dtj3=x<{fxuPe-x`4H31TiDRa6UcO|@k85(M}Xsc<|*$zG87V1yYLRhge( zk53iNuQF&pWq6E9F`^~MiZ^m4b$C+h05Fje^lmSUS>&1S0Y2to0B0bKSV%eI7KN`4 zLSJVP+E?$A3m5v}^zal^0T(z3)Q*T5^8eS$V4_japdyEWLnxpQh$2PDbj6w*Udi!> z2xzEYf^b3weF;c3MGSi{fp5tkPaj#046@GoxQt-V`S^cn9K|R)4H4-ct`0Jq7BbpO z96HwS#a(>F+oO?~u2JC8DFRcs?9)fbwuO!#;1%{L=}vRlFw~(;)i^ls9m!QS(#2N? z7q)o)qj><9!NUZB_-R;d51~5O;U{(IZsM&Fec1AMH*EPn%bZTn0Q7x^IR9(l!xpoT zAQ$JM?;_-w5-cd=Ab?!QTSx*jBBlbBs37lx0*?}cJR$#7MW(u@y3bZSdtP#R`bXG? 
zEqou*F)iRWGC8@Oj~TI&^30hwp!8CU%?JgnBi}V_iCI6q@K4zo5@S%pT{NltKtX{} zXMQCgUr(?%0o1OOYRIrHPp=NrUgwa;it)tb!|y1?i8`6dwWlirMuXL1R?T`IHSbth zfE{(nH$+3_(MhQn6P#hhEk&&SOWDByF@XXo9BM^D$nX^okUw5<0DH7*SX)v)4aI3B zGHdRa2^I*1P(qlr%9X1whCQKKR=nO)B}>StihH5SY>HBS_tPgbTcAE=<1-EF@i?Q> z*EeH8pVif$d8B|5f+AwbLfzxmPByn);QJHGM1eXo@n#(A%sK~n4Z2sA*%uybTz9Teyn70$e50bhtt{cH6O# zIYkn#)6tVTQf%82Vr%*%%`WO*Uz3otX z44D!4r|w7v1ydLTPqwElI;_JNCgA9>b+$Uf^0xEnAq;buH41O7Fa%c4(}y}14q+rF zWPr0oqk)!rz|LGD-RSndg@NDg$6Xc%92YadTd5adud=M8hysLQz{!02aN9E7I~FSF zcmeG1SZKk|!KPr5QmKq!z|o7xtt;87JF`nf*DnB3W&pf8>gk+gSx=u1Y;|9olF{Le6u^BrBg$B1b>QC5z};btvZ4)LXRH|XuQJg01r*pT zfL>>;81%0*(EoylKcQLCz0tEC5_dPe~>4TkUlw(0{%!*H^V+L32w6?qFs2(86n-Un!g9Ln))Q!9Q>0JM1V75iG zu0OaW9pd#64_m>w00G@YFt{Y3Lp&f00jt#0N5$(BRCGv@sG3EERqDy3Vy~V>MIVm| z@)r_@F1C8Kv1dO6>=G<66zGVKF)2Q{$3=iDvry;>Da#=dBd)+izreepGT7vx=}cbFfRM*E7xmZia+M^|D}p+o5PKG;}@W zV}`ua8Ri1$f*>xrTJvq+!p_IVYQn$kz(2-Z=-1CJ&qJIKE{pCW?Q%dD1XjtXkCZ(J zDax~-U*JbdA%mHG<3noo>{0gj9c+9$9e(WNak0*$hdzPR;YZNNwQ%sd2nWTQKpO|Eqy>CccX3d*Q+!&fP2yFBto*$bM^PV9;D#_?o z(*ci{JSA5e+*P{hc(v^q8WwMF>Lsm{`SjtAWj^i|nhdNU#Jky<&XM@(uNL6SC)nyh z?-AiRxG?^>46TXhcI&n$bg$6}~OR`#yq+i=Iox0ffLyC!ztKb-k2`$of>Dzr> zP>FZIE&BAa(k#bH>7h4|l~p_bzTQsPM=@8BI9Mr;VCw}3wB$yAaN1uf!QizmCn`4@ zMR5l-=sFkJ*^l#h_u3Z!&Zn^8q;uZu>R9%Oc*%i0JD02zYIae&?JWo)paO zIcFfvc=X-_UK>enGl8n>e+Ryc^uI6i@I@T4ReGQL`n5Z$T{4>cWKqsRZ>_s>b9KM`79W;4QXtX`6RN=in_sR)NSET$+@c}&^PL_kOsZg*{>S) zos6kiiN^?GOL!<7P#u_830iGf*;4~wRJ9o2UHC=!->U%CzJ71yAyivDBw9~;^ z8+wzht4!@;9%^51r-L&fC+DY#U0qnR*iEu`Z(*g_^ooA!V8*E)iLs zC)CB4h@Jwm*<(zx5 zw6K!$t`oMT>rs;P{iw(Qdz64E%~}D#cN|+S7v}CNuJ%|!wL@ACvFS(+@mDXx!%+=y7<7#P@M4;E1cs%BD zZ|?b)%mYwA=v~#bqZ98#0(?Zrw7`?5!bKqSRu>f+Lyw;^x<*WgM9(0Dj#ZFY#8y>U zaw2pbM}fd9QmNk(BEM@su1&#-uaWm7Y^SWiJndwF?fSVJX`Q@M_t6a}Fow1{>P10j zs*Np@ov{LtXYOw`kbRFGlH3!0&MX~+uYFXYknywGLh=^=Z zvVx39>Itghgq&!F1#e`m#HT-ZPE3hIbcH=+-#irGG0rcy0!V4(kn$6n{RoMlWz=&D ztNqE4Mg*1(0A%VrLPb6z=9S1Hdp0;!A`l^kA;x#E>u`7H`=(Fjw^W 
z??ji7K5F2D>M0kqm}ac+SqYLy(`SE1s+qroBCL#RwvZN5xPQ|YhWko(E_oX35%-l^Phlz zcE=6qn$dA6t6LQ#+@nN5On9um+6-r6Ldi?;5ne%)m=9m{bQjpZi*-F%ZpJX9P)(u&u&&mj(1`}o znL@lmFDG~R9R;AkLfZqH#5oZd zj*)>$CsKlfka{a7q&h(nB#1wkJiC5^9A+>3`05ABrckWb zB6J>FO(;RD#z*&D00mv4-Q5XgaK`8e2k5+av_b$no@nVRy&G}j4h*E|xjL}zXPi>3 z)Z5g3*VvFyhDX>tV`zjwuMm{YA}IUOXtkiU#h2as>o#IS!nsl}PaUuS#SYC@$^&Y{ zar1vZg=qwv0??x=1Yxeg3LqgCe8MDVP4-IrtRUx41l$U)(>(+Xam22WuhiQ8*74EJ zF|co8fRZkWrdb=fXbR{EC<5RsHTkbx!Ek&;GB!>jqhkiAQ%uGnfMguOg80Kv7yekd zV%Bq=!*Tzsy9pAMG%-k4u%L3aAn&0Z_BID2nPJ#-euhbVq#fxjEJ8-8@*F$8R!vK-lIln z3Ijz(^54}Ynpof*VkRbjPFL_&C(m32y-ZzDX|Gz4fNuX3yxOZb4x07)4)|BMe=2|d zfB(<_D}VnR{Px>#zg3TqtA~eRq%M>nmD1rJ5WAP~@ZTvxn2hLm;5&h*NdC;SaXCUD zGk^~T972v#3@aC&sVtQ+PuLaLlQ@vvQR2?>W@sqr8gdXoE`VvG2KvaO#OK=c zb>sDZy;^Tn>y1JEpng#Q=W6dN&AMx>I_`YVyM~VfC^rR3bzCA;dA<}BT)_ZK9Hzag z&1N+z&#|7MG!Qt0DB~$u=sby^Ap(3tuL+<;QQ-Mwi1~C6sBzvdQa=jNnUoutn7J6z zc_7SWK6%AmGZ${67=D?viqJbYwutk*c~w!)3IM+6dS7EAe>JL-SM^S`S$8cz{5<>} z;;%0BuiQu5412j}K{|Q09tJg?a1nV&N2k9&7CGRK;7y`I_)x4ms10W;^HF;Og8-2+ z$^m}%Q@f*LCIK&7W(DvN%X{7=$iDemdDypY*pIUzF^a(l)71*<+jQbVWCOq#Jb=ta ze_tU~IMyxtd0{)y0giv?1-LL}RGe4fmU^6enPy`zBg87Vxkb*43Nlw~m?w7kn>4A>u z7?bR~V3h*`nI*eG(@=2W$y%#JNKR;o?s4lZFAxtVm@7F^>91|wBplL6fEkS#z*86k zPpf5C>0M#d2^jIS)*0qrRW3qNs$$HyumUKuwTowG-NP~i18@ehzU=6#Yfs>+^HvBW z+nN2id{O6IAI)N;@#0!*?o_9&tA6yn0V#zXElP~`UT_0HG9;x*0#IaCgSLXAXqlL-< zZq5o!@T)BBJ>+ACJaOLZ79k+c23GzGpuq`+Aq2}zzLWIy!A(M8z}#iYszK`BFpn7G zlffl9!lP{LG(1vIXqYaeV+!Z+@VFezHl45)se$Y}28qbNafwwUrVPjwdZfJBiC%Gn zz03TQ@}is-Al#i?P=^z0%-Rcmns+`6M116fFya$Htg@>rttD|UykJ_S2h?K73c+g& zV~3c-VUS(qeE~(J-eT#9ppSiZ+mhEWX!sMF@jenlV!dEOe?dbai>#J+#^$!`dzpr) zlRS6IOs~we9z(4V4zkumh%w|JJGVL}Vz64;kV8-faba`)BadSdM@lsjal|q~(^m&u zPN<91!I|D4csZipb4m*0ET0a}Oi&PB18q7Dwd+jCW)hXg+vGX6hq^jAbUYW*Ar8=O z(KuDL=U~zlSVb(_5~yFKCi7QHMdpOqXhmW|8U7vlrworVDcZBrG9XiE1(4xfQVT}O zSc0pgotCen<_|5wMKvm0V}!o<1miBEA+(jskkI>iQg`Y%OrOwPz8fa0^VZc zV=@L^AN&aU>ICO$I>AKFNr1^E@;gRtdXD`$4EG3gAvtVhY5^7dKLF5E_jnv^Vg!66 
z3R@f2qp(B2EA;I{7cf}@2?A7=o@;Hq~t-NLQWuM{3j@2NJNYz!Sd-PA^>vm z{+GccKPEWANfHe7@wgR?OHtr}$?=%TwFQGQWmrt6D?}czOTwNN$ABy=@$?blL>iI% zP%#3sIV%8o!wCd946yeTnia`n1(_=VezS->lxuix#_-q`yt`SiNZDDHX)F2a&j~~# zp;WKlrj}02LO?EW1>m=@qI;nz+3&MCk8}rj0+2WlyKPZ7dEuLR+&d`}hacNYjiod{ z8>-MR2vqpUX2*#yLgwm~m8%UR*zBdY#2n7R6q1=S5B37cdBOeoBZJqu?F}$2IJi5> zPoJGQkw}i{n4ZDx%le|66#(28j(&hw*rTKv_JYh60N)ml-a_xvn?OQPFt{X#D8N^U z&5jF0r30(5QcuLi!SO1EPH#G~Pb`?*0TK3vYlrwD#aZbihbd)qVAliLiYtJ!onn;9 zlNITqPh|&l2T`gp=%G)bkH^3&zXJH#Eym9|XHxVzgA7iQC^X}-F?7xukmW(H!b73x z-Zo$-o{I&uzJRe+6veL$Z8YgR!0`fI^ycvClGFZNa$1s#RtO)qw0cOrzM!n&p>kR7 z3Lqfy;uDEU4}Hq&1T<@9=u?FFlL&CH&kk*Ub|?dUr{<`+j3q)|_0c~+1Din5F!7Sr zAN0=KgY#bN$Rr$}_Xl9pKC&cbk6XWiO?8pb^}%ycWPNFp1#OF~n-zh4CBZxg9(WFX%)^S zFSSOGz#sg1If?W+rCOb zt$@p(x%}zL|5!fVWk-rABaWCv*fnMHCl~5J3?cbPOl&y|#)JqN4FXAnO8zsXXN>z| zq@HyT&7be0WF2H)PMLw^=Q4dW6qBU=047moH|7nEPX$_VMl= z3-6L|Di(>j$8cza&^tU87Xp?9Z0Kt@e3# zj5yaz*izzjr)iSh2<+c_-(v2scP!?Ur);d8lv^DQCTNP!`>p?l> zdJaO$1q{qWclm@s0kZg-OflR&UGcHT&V^s4+#4m>=i62o+S2u15dn>sAb=k!7uG%_ zm&keO7f$mj8=GD8cr4EWr-b{9wj{iz7e6sey)=zI<_n`IZaVu>tBDI=x<$vBTw z{(U%<3F)l;jL|h>+QKkRbuA8KYKl!UZY4-? 
zuxBNh*VrZ{^ETTm*9ueGzQW3~smjX*3Zn2qt-$c2z({QNnbW+37%cwYS+V4 z%~P#HeHt+jnS^wsiWo^*TIX}zgz-&jex=6p_eT@^8AlpD#F6NsPj||Y3^zYa1t=qP zr9tWL4?_2HPO#aXlD$Ld_+9~VoOcANM*QyKa2K<+5L#hqFFh%;cR7#Dxgbt7LAJ69 zozI~vh7`H`D6mST>#t3TfL>ht5RF=I$ z4)N^NJ{}X~XNnUn9 zbUOT~F9@8Z4)F?-Qb>E~likCo2s0%2Q|o{)F<>(@8X}v=#_1Vtj>R|&@Ys(O#ih-v zSdsVkv$moyN`H0dvQTOQLf~k(@TLjemWhOao)dX6CIR0 zPr)oPDOKzxGSkQG8>1Ld^SZ{`iVKdqnY+|{fwH^Ad`b5Tt@OB@+z8ztvu@P0Mrn7g zay&$%c#+N%zAWyoif2TpB#RxAgrSDU14Yaw<3Bt~w5a~k#1vMH&aN9zamwTG55tX8 zCo^}d!{$m-$;dF-J*<#doO5<~0-h@~I-6gpWs>ky?)=VKp~r}|)=~ObuJkcX_Caz* zgDcG?xz(8xMelD?nr_tT9^y&>zGs;$)dhVlQpTIX*n3)mq9fH|BorSHKYK(o`;fa^ zrdFqNSTHN<*o*Z3@V{M*|9tfCyO@dWD#+kiZn2gIHXchKrF)3IB@D24nTU<%7%$x{hk9aAnIS}DgBE+87l9!@xRAP@#6(*OHxiQWpRC`P9>cCL-bx| zQJoF$3)3+!@>ovr7o+WCHm-k+y!*q$z9ZAzss6|jQ&{?!B$fLE$Z;bY@kuMZ(;JSw z8Z4PPE6sGQ4kY&n>gx=s`hw}MC8l$WIFmmNfYvYFxpf4)*J*Z~d}0Qw2j^Jftogj=`Icfd zclIbfZ#<5BPRAYUd2@8f%H)iE{>lD3d#2LFu@qYG4;|aNI3st7j)>q-5z4);N&?y> z9KpAKIcnS__DP=7Y}9=;(L&6hKT>{=qOI#mHP)-$8yOY6Mav)Y^~vV`K;B&V z%^aW1>p%@=?hopWXnoecQ_*?}ar&d{wDcZ9-OqXlzEeJ+k4*(?hxp% z4eXs?vn4cJuob%8{$tiaGRyTpS~lztq-$`zqbe-fQpJNItKfCjLe%Bbq_~s_@`*Kk z5t6f>5|)vi3MHfad)sE83)JfrH8mqD7W3XgyR1AgQiJXd?D~Ih@vuZ{`jK`5b?p+uhyUcvHt$b z-#Cb(EpGyu;9J^Z?v_B)Fn|K_t%xI5^_1qNipUkO&EPb+c^~z9y}q}zqyDYe>)C&| z8~eNe(b#D=cD8qS>W!WMs5cw+{k{JH_4@!g`$b$p_8;|c?kfx26Z!u51K<&;X(_rk z4(JdDwTQEhoNjFgAo;}x4Drv1aZJepxN2-%V&WeF{Xl4AiUjnbfCn1@5I98#;Ez8* zt%m{xIjSkalc6K2d>4D|GnX(NzOyUKRk3dCd)O4*1 zsDUp46M5zWJ27jsK!U!H<&FS@BUM2c0fPPpr$KqCe47^MENs3-2o=U2=s_9ZSzkuQ1 z4kBJ$LUo=FLu0O-TnJ@T7|6=iYPFbR^h4ic7_N!tA&BOdbdpYFF`X<)9(l4WrHdPJ z5}DSPTUL^?rjG|?DtE_C{_M?f{T0c7wFwHQSlL3~O&<&7zxwX>o-6+~b{qBGwfy%G z-!pIqg+PpOASlqY4z4GNfMJ9K<(W5x-X$C(UfXyERLDRcg&}2v13p1P0OaNYrcihj zOvWz(LjhDa#~~CGD;*Ml;~5}mtgp2;LuHVQd~l7$1pMcV8aO4v3{awK${~ReF%V#a zY8$n~{)ICB*?0!pbULL3{M_yXA2YsD8)LDh{;P+-Q5*iww$y*)gvoeI{wMy)ugF%~ z&=7i;Q3ysjKz!r-8ov%VzON18<;M3lF%37q|Gzh$fuAA6G~%Fp*x?(skWqQC-l$<8 z!7W{m(T^J<;1@bTsGzJC&Yl2+D_H-%PV4ZvQ=9sC)yMqx-`v~Vt!LK%PIG&Iz5XBK 
zduBwUjg9~OS0a|}*6OwGe{W8N2>HR*7M_l4e1cKn^BSgGL+FpumML6SWvf>3P#F9# zE@lCGGYX)n@=p^?u#b(6 zwjEUngz=Mft{k~@B%)AqI)IfaO5g?|GKTf4fX)B`oXN_uQ$eM^j~UGc5IZ)`k!296;% z8GK{o3s55T7ocrGzkqWVfG-ok zwt7yCaftH2v9a+}QvU#a`1_lyMy=VX)vNUns;rj6<<$LzX5b5u>jZoOhiC+&K&Zdc z3*s*uU(^ih|Hl6~f2m&^UqIQ>K`W8L7x3YauOGk{&`QeLhY=tqP=IS31Yn3{TgV5{ zW0Z3Mg8(q|h?oO_iSnkY*BPKA@P~((s7|%vvRs>(^9Zp6PzjLWhZs(L!_)>MNY7BjbTD+s*yGpvl=*; zJVbIK&vJYbUx=7i6wOUxSo4Uw%QnPgHG9$;bbsz#oOOErZhz1@X?JuN%Fm2EFV?_^ ze3=g~!G~Vwu-pGo1C)Ue-II&s&hcsQw-2?LGL?W?R23AAO@;Alg;=4djhJW?cbGcR zR~3d>4=?!%PL;vA&e!wcB18*)1Wr-Sh_e$K1->ML0F6Y9c;BoiWj_qk?&gj*-L1Z5 z%xNokI`TOKe~XFV4Yhk9j<`GQ@3W&FV&ca>X3R(eJjH^8Yq_LwsMQA?crcB-FmZ=c zG=9jz_wn8+7!3lwCqi(7#5HA?#ve-#3ibCpO2+}xdL+508Gks1gx!K)y7rWXv}ZS6`fhNRGxg)smo~MblsK@LxHrp zy~K-?sRw0>NOs7PB7w0QbHQZi&}2lPZiYdr{Yof28Njb}LD~8cX<0?_85=+sE4mFe zXfw%Lrx?rt46fmf11{jquwXd5M>ISze$%}>QFUjSfM(f)2~sOLb}pUPOLgSd4mF{H zuh)=6R7!d*7)j(!hLEGTk#~ti(MpiwPcjaD5?A39aKEf`X9igE~i2=2g98 z0)|LjBSe6YM@l>s0Ff)qDABIOBvN4z&}%IoO8~e8I_<{`A}(~GmYB4LGpjizSSc6W z@6?Z^sl-95CPtxDk!i!2rx? 
z#4Hq?cjY>ZRQrDiJxT?zTvydVmw@Tus2`(3$aXOYgbL;D5Hra}O7YSqKKgtTO?yb~ zDoPiu#G-mahT6@JiUO?4aHV*`vSP}o&Xf*b_KGxJ3a6?rO{kAjyikI`Sk;$P4@qH_ zxKD{ND8Lj!DQ1nbNQ&u1t>g*hpy_luqmjh5#7P)H4`sSa0MleP!Q)9hrp6rH6$@}@ z|C{scI`cCGlgMx}r86Wec|uVJirHnYu%~lbK;solY8Qy;#efONz6K{b7V1SCcc-vz z&O{33J|1K7QvDf)A!42!U4Vo@Os59)S`H^oR_j#e@Y!@ogCY?p9%w%b5mTdeaH8a_ zgrTHJ;j*{}e^Zrtp?_FHjQWku5!jDZljihnTy3dIUuI0p2;6ff%o^;xxk^!xOqe}( z*-~cwA)}s=mF{=qN>QYa_0BdlRDz3<6>I#;tC=NMQ_cl5xH|70m2RaZ@n7lb^Mu?m zWU5lld?KKm6nHBtA^ZSwL7t?P6#u*$idc(V@+i^%xB*V?T$I%gQqxQQN40R_~Zw4^EG(+U!(M&TXC5WV3tK13H zQRC>abp|%2gg{3zT2u%l_7Zr|o1m9~V}V}kxNt9ly2DUr>HnSRkpzwZd{F}@TK>n} zKIm!U67UjnfJP&^mn=fMjdi^j7T~>ye9ZfZ2ux7$j?pMAAb3>>#HD~LRs*MszsMf+ zND2fxRWU~b{m#jtd(t`jPy=l(RzwLA6*iOTQJrRDWoR)-JW$TCxS$M`gVa9)A}Lk_ zr=iwg-{ZjY>frvMb#mA`Iz8!FBQv}@RtKkLJ}BjH`{=ws==AOrgE=O_WNJ}~JAw#I+nJ5rlNNSTOFiT@L^;O__jBa{Aqp9ANp&(+%~D&=+XVFUw?wY@=mFo)c=T@gO?uOB(3G0HJyrZq*Nx^;@vXX11JaXFkrrbk)kqphi`1Bw+R{L* zl$sN&pANa=+a;QDdrw|!kk+Z~dV;-)y7)_PISNMqDL5P+Vi@S_KWog>8ULgYw*7w` zseMz)Xud9610PfY&BMa6`m?ZcWkj86xytk-)v9V^!MWP$ej;0oSi$v->df5F7wK-D zX0%47u!%FObfZR6+upA4HDTqUELG~OH3$|O^|kUW53V-3JXa91UGG70{qb(Q^3J~u$}Y!c}w^& zyn_%5@$u?qxeN)5S|O=?s8&}6Z%-<#Gn=-(>A^Dd%NF1T_>4<;Ma4lEmGa1p3*ItQ zgGx4UVO z#47@NA$G-Ob}xZ{CoH0^9)o8Ad!talmIG=}jiY78DlAp@4p*w8lqxFT>mV~P;Zn#( zBSZoyiR=|ci{UQ7{{L6a7FidOJ@#yQR@3t4Iyv` ze2>iXKR*42qfx}Ui`4f)9wkp0!ze^v62`0Y@J29T_bYwg+{7$|W-C6f$_z$+xFW~p zLVV&#$AAH`Rhq)Y=?#trNzS}R8b00BUun}3O%4r?Xqez#lXDk2cyV_nQL(S5c`Us- z)AqukG9ksbF(+idb79cud+U#q_)I%$2EFIa3=6L&sKQH_xTp{d`Kro&|=nw@w}{Ef6n%rJlO_Y-CE3e zassFtinNTl%X~Kvs>0%vrR` z)U6622tfplRoo5yU%CxQsPRn8RgrnONc~8+=H}$v{h>*B4*1{lQpx~h$tS;!`HwW?i#SsbOT8z=U#+8Ru#z0W|9jL8jfs0Z*Xu^6ME@GF5a(+ zkwr+K-0{~F1fNA_;8oEzz>}9^$*6fFr3G7$&qGKvVG4z zSId_21^{X7PbzKW4Vti+h6Y<0adyq7>7+68q-|0#TX-(RHmSB}0?%cf$lf8wjo^*) z1YD_}WT?>pH`LX4I}1RA{vVGAvi?6F3(FTA1i zFTxq#J0aKcVQefS;&9H+=o65{DKr3BdI7UmL=!N;ADpk;2ipK3apE~lUS53sn0T3) zRq?hu0b?AAlw?V8GKooHeWL8%4Z#FwNs~>$r{6M3m#*XEO&z)Z@*pw*n8Jl~B#=XmKMNl0Gx9sZ2{27%MCN3e 
zUpW$qn7w8>bh9jxb;Yq zRdugMhT@#Gnx8~M2zHz7T_ zQ@9H{1M@RJ`Q}FH1f1CRvWOv^>Z$Uc65`5 zw@H>fS~4Fzc0=?o3?Misrp(~h3COpl^92G#6{ADm2LpO-MB*prYl_h zgj%wCL{U)JpYsc%4~WDwCU8RPm{lJOT{>UAWxC9>Mv3QsS&<@Q6)dI4I=5OnQx$ZW zu~-v^c!vcNW-T`iW@J@3wQWPS`1sxp3?M>a0UbYCxC`ihA+wn4dGDIs5x`l`$f94w z;gk$e+|xh9gqs8SOCdJG5dmc6RwP#BB#Q~?=esGIvqiF|5y+60#}Km`eg%DJl~?Qt zkLn1Q8jUr76u3_>tO)XOh-*M9n z$K|FW-_~uK_3w}j7MJW7T1oAE4`%S!ZX_Rrzhoy%?{(_?rH@7s&fq1{3T&rhB%#mN zJSNG>Cp7*!Tfz6^Fl)%(yA$vY+?NXR7@Um_rIR!%??Z3o*9;Zszv9sT`vUqAj8QL% z);$U~;XfV^B>bPDJsc19`EMWL+qeEt;Ko}{$fo7m^I@`z;9r-xS=vVvaA1- z@%n3o&oYU$w<3e5XRvq{o&6A)#c1l`=q9j=2xOPUW4LA5V$!o=5~qO+j*rMcz2#+k zeeHb(rd0@o!HoQy7LgFpL*V3jV1>8>f2NM_U3*wdL=k;UH2w*xbP_+odEkm5Fomvz z_xUJX3SOC{%GU%xgucY$ZF8olJp_K7u1IsddUuKA;{6ler@!bK=huK;=Tjj}r6cxa zK)!i}IwNoE4gwA-JS%No>t;&7XcP`gPF@l6IF%7vwYrZAN&il2F!^iyj^)akHwKj= zV*TZ16~1;ZU=({nat+M?K-PaCQ<6sW?K0G={w)kau5a|og9z!{%;>afa7(d2=#MJ-dB0g zt8sZ%>Q$X(R8?=(?dcE^=?;+&k&9kgwi10-QCUM>=*y{ zy<^<_d4GAHvB%hZ%{hN-t>%~HV;|ZB&K*!GGrCOg8|w06E-Y8}%wc0-Tm7WC|CzfD zu8+0fY)1x##xyDW@PND`u{n~5?35jjv=X8Yx71Qjs0_y;)cvXp6PL^aq$ z++(ySu?NFN&kw?paC0XLo&8o8-0jiaqu)9iHI%(e^YZIDc+bvmZekz0Ot|1Ja7xCv z>&%5@%xVk^MczUdDkaTrx7vBPOE6B;sn~E+5~7(MQ4v0QDAqTq-oiP?axC9(j5b}7 zN7f|;d-Aezv?cCHd9o)|V5sSvnse73;)mxS9k^hBY*|bi`FVCmUzCH3s?|NR)3sh~ zrP;|qXqlQycqXF%4BLJF3xRk(A06?CH~6fXdUd;5IYZ*HOG+g>Z#GG-KW;N?(=qo*;>)j-xGB)#*6w|8Md!iY=jIK;f~x3{}KfsBKtPH?bNA0 z-^-qEd&c`iqthTqVC;zWIDLtJGi9|)GoIt6!loMlBu(+DBuNL0;rtwMbB`VF;G*0Y z;=vi#r&_H~8Kfvg5QCWivfw>U^yuGp`sJdJJ$g=2=jl^Fvz@DpBT5f~LwYVG(J~uHba!x1p+%*EjRbbi3x49Y z`mc}cF5~M8G4p@yGieE-Nap{THjjf(v@_pqZr1g^9LW6mXbW7h^J$zDg3%b zkSTt!Ykt@d)}9-Y3dxXkiavT@Iu5O-EUq_1P`S)l*L&*`d5e(DKEtZd`&xsi`Xj=j zR9)e>ORi=OG#5dZ6f6vnc)351Q&%!+D7@@^5EtgyA{me8J(jnTj7b9CBzt~ZECy~B zv)0kqs5;e^8TcXTBjF@ep<1Q$q%zJ!@_#vXJU;1vyUd=GtX-}kX{0H#(LC`s)-}~B zH%yu(c2<|`XxtD^vS0jnvEFF7?CrV7|eQ*f0xx1Zp{Ydoq>2T zqwj#ofrV+z+-{hu6_z#FDKr|tJ*_Iw3 z_UB<26tns{jC#bmBB(8R{rgIzM${+Aark0 z6%OLBRFHj~52H*bSG(2t%1A@*d6zqj5`PbG^HhMVTbnFCo79_JSzxL6y(~aUj`<7d 
zHw?UoseKx%)TKN>V{N(#hUiDfCe1?iJJpjRu~{N&R%V#XD;t=OZ!CkGR>{*SVvW{c z$yE$|{W|QUl_w6|5sZKJx}u8O*!ASv2YU+=4c~)r?Kj{+FoNtJN>5&m7;aGFea7hTg2JQkM-mU)O3wK9EpT@ddLAU6GM_bRL zZUtnp07t1N3*a^%brlsBQIjs!AQKcae}^#7>Gksi7^2WaM1q=5|M-)Qt$QRgej?Lb zHV2wYu(tmNz`q*=*JDL`QUdf(xGPA{;^Wg!kV5P~)jWQOc}oNLWjt=3L?Sl{=4Q}q zAPVuk0@vF(qU)hzZeX8X9JOF?GM^n9njAs#k>;l7* z(-ejt{W_x|c;s|5xkrF5l`s?UG`&M4TieWU8r)I{sc{%62va&V=GiqSS_+cq_Io@? zbwqz}`G#KP842e8e*6YZ+Sd*5q35qc+DC5G#qg7O^i5tr=c&KB4nZz33=`{2tu5;| zKp%YR$fDNxE}$AFA0hp~ktNomOZ zHQ%z_2aE9B?{#Hi> zXN1y~jsM1T6d8SzP=kkBE5;m4sC7LT=19&fxo~JkO*mN9?0DU2XM1hCzMnKNJGw>H zldgDcsyAhhPC}J$Jv?tTE5WDl<&~>=35=Q!2H)wW~c%SN#vF4aPj0(;AWi3a8u%vHR5m0$_X;- zWe;RO(u)Z206K~ja#KTPV zA{%sQrVzKD@-W3A)4f=KHe=kZ%zgL4?>amsHnuL;kt$S*6}8%o>{Eu@shvZfP6_ zEHTi(#)X26o{C&C1N)qj10lr=%+v0_8kHaKr0)Jux{!qEh*>96SP8Oig&3$eBi82> zpHJcWt?>k}N#$Kan_f;7aE zjgA!zR4lj2pmllt$THA}!cLD*Y!7Z4RMUo3+GmrWti24?f&_PFymn%#6CH>RGyqc@EM|88>t;1UD2RWE}t89=!R9fXKgmrqR{RB6!nVco@l(bD!VI$;*O1y`JH5=kPF4 zTfg55VT498uZ+%Y3?;xMn-NiE=g&J414kGG0=z5vjaN8T#ucy;LKN$nqSwtJuVYkx zL2awme%OQeX;vqCT4C!ZTgf-ke{iNGXw(fX!uXuU+l*uJ0TqP@3LpEL$eh^OmaH@7 z`@65j#oO(~3cr%t*YFKA#U-~UeZ46ft{j^6`Maae@G!1R49BH0HZpf!fmhL!4&koV z@Dj}?m~?`=vG>*XJf_*gcD*NFK})j6!t({0UMF~b_M!38KP`I4dfY5;+Un)5ALOH| z?$GsTg@2g)P2xD_GkUX^XE)YC4^u=6E&bM>U4d0;=S`k9i~Hb=UY>%6_N`9iwO**; z!i;+GyOg>eTMUh~Ui(=B+a&pO%6RplTzzE!tV14fa(R5+2#JJHm37B~iSs9yd?ckl zPogp3(jPqzjsfnO3;_Wc=mh2A)bwaZcAat3`N%2F2!y}GOMNcZQA84>#$IU$q_We@ zfn#FLjCGX8dvpfk{XQQgS^TDM4lZ4_#6uaax@O^`wW@b@)`LEIS17+M=XUN$WrUI^Biatz?fxivwvmB<+6-b^hjyO~-KC6~kPP;?`h{ z*Mo1TXs&U)5ts*FZpFNzD~F4;ljoHg2MAr?mY>=t8Z2y;qf ztHw!#)Z=#+3(e8R-Y$Y5bVW!<#VVhSbGa9+j7@4uJM1!BXUSeiR!-yS)H*&P*)kQs z+}Tana#~hAY4mdY{;czEd=myX{rB1Z`s6`%1w<<~JntFym~H`xkB?vL5f5vcl*@po z0l4{GKm!VvUIaiQVpo7QOk@YTMvZ9n{W;W^Bjp*~Utk&yw5K{!oz`+88VR6uMZ>=g zM_d$HWockOqCCuS<{_HRcu?X5tan95p?7g3;NVYQ3d`VE2z(#{Sy!iqb8qwO3Ne?H zzN1jvD-UgGstjJbF|y0 z$l5vaN+W*ca-GiDt&W$q*!mWKj!?!7ma|nz(lX*@4zpYs7W1<22QGYG9S(f*k~;Y_dF0-aw#w7JdIF5 
zxs*~Kvn}@?r%3D1IvFf)x}VTc_I`>Iy$pW#@kZJ2(8Pi&r3Dt%BQzO*{LbENP`RHG z5DOX)M&r9EM;*hhJABvPDURy-kuFn_-vYC1Z#agXMPz#vQ82zn*xVhjIcsiQc9JMx zqOLX68liX`6WxaMWgie+*H7#y-06b96wQ6Vy{u8NkwXnVu8_~2`W_mSwuLbc&g>*= z{l_p@!3Oj}0>v?iY*7BCw5J&E@L&umk=5C&Uz4Icesb;6?+G98o_0#)7$~s+p#rQ|^Tm+)vpS z5O1bq_nZUWK||ID{POpAEB=DXipHDQDE)tf0EY&N$F}%{=hO7Bw}O6w&DBsx#i0){ zBYk-+>FrL~s}-(y?r3k#gnP55DfrCHVxS4Bb;!$Hw^t&SY!4#!tSlGlRA?3@1rsVc zuNuR)Lvs@f@)uq|iYjP3! z;n!8mA2Keh>I8nUY-FmVez|K*9B&3*a<4znmk`|xNS4eKWWp%-S>zUn0w2KOnN>e# zGv6O4*;YO^sW&;fA6pKQZ)f9Ool_wBXg!zdgS!LH`b=?Swehjz%NK;J*Wv}R5<)

A2Rz;6T; zG)?O2m`6}MqwJYnqnm7qkkKAaLw(R#CBOTen7|x82=zokvC3M3QUv#2L;NOUYW=mZ zllWb^w0PDb zS|bt?IWbZNeMHimTyHmW#SmX}?4w~|wn|8R=l9rugl6WZF_SiNs$W~2G<@UZ@efQ+ z8kI7tNnpXWd>&Y@9G266&kjNiCl)NxsO=@NGq5{%8}Ft>_Ho5uy^?x6$r_~j+X0hi zrI44K;fgMIgoLM=)}cmyyQG?#XF4%cLJNfQ3LyHp@vCgrL1OC}pmzS`hG^>nkT04p z0C#4Nc1KTuFVe+*gn)qF8y@B)P_dH@A%X$U>V#r(ET2ZB;W5g#g|hB)Cgr_34O(Q&#Nkfomb20lX3nk42bjwv z?-#!;gGR4ALW+fjtxqvV*s+s=+h1|C-f<8f6%GdGC2q&~da`S@=LhcPq*r;AY`S{jz8w-JJm_!PHgZu@H6ZXM7=*c6<8oL52v$sbY+zMU^%uTH&!uY_dpE9 zp(ClaH$%}Bf2UkyJS>Cwpd-VpH6x)_&QZbb$CLxP-}0^9dI_WF7pJO z(h54jc&fSrcKxP|LtkVyDE`@=9M*JkaiRPorIAK~;)gZ7D{$m7XcP+Cx(F8pP6GZJ z7QE|s+8NJP*X=$;~|3a-<6+orP`DM{H_1Z(gylZOY z+Zt-U0WI2vRQops>Wgp9C+k}KI2mk*=vIot=?)}MyLr~W>{z1&qLsU#r`>k7-Wn!` zGsm5mP4Qn2!-p5bJle={1kJxwq>?7pESg)@2XVy4ZEsAjfxe$r7gya4e&IP3{lepA zWYIeD9d{~OE_b_V%FI4Cv+|2ejrE(xz3%SYI5FNszJY}gSEQI<&LGl=gD}gF{F7&p zC-jy3HNV>_ymr?(L_e+zV1!VcRlozjwUNW#1*7Em>)#iHpU_b_FV`dYb;DxEP^d`h ziD(wwh&3DTafR(C*i>HsG=7cPPHNJ|%7zkiWb)@bR?{0+%wMGCmKyI7^AaPSw|Q40%e7|E^(&XM)ysez0^nCus@+_La$c2^?C8PGV<*g$Mb73 z7&Z4gR>d}0C>aA5aj|HhAsV|pBqY}&p2x}8K&{a1KP~jp-A=X&^tH^^g!@b7t$Nr@ z4PD0vO_4eaw?g&z0@Z7l=etf*Wzl+dWzlVQWsJzogVTL-9NazgKPD24+-3uF*9JOx zj;DO`zYdboYZJvt8OkjT%Y~Bdhr9-*v-s%?UJV!QeTGT3w#8gvx}W_e=6w|(1;Imj z?;M-mk*L;B{mNhRlOc|`-Y1p^v4U+W(sIx7#-4q;xfX>TO_c-j;~1L`;nfh|^go7Ifz2y9nETcw426koxfBg}7(&QtqLi*>jqxnEVGZ5R{=N>un9ts-QbvhBcF@Q0 zA#8W36CeGsTxZMfWv)Dd%W_E^{ZuVS8#dwfVRT{0>F&xCS}>1A2AhgxGKQZ!eIQHv zopDTQ!TjzEZWRVDMfIPlovvZIp9^QM^RlH2z?R6|E_6#`>Iqmc3<6vQXYZA~(PJY4 ztk~w!bbxG|sEGWJ`!0i_$x~u?!Qh8su{WX3`RLD`knutQ)XpnQF5-=BIQ;R&ID0XD zfHfmKTi|a;P)enx!42@!b-vWGu>8d=Oj&ufeTLvai@4)>990sve#I;q7i=*fMkZ`} zRp=W}gB?9n$3whsh{BiLXBg0m3gLI?S^YlH&#S<>D(Ztbqoi2E7Mq!O`RkRr`4^s6g`?wC(?X8=k+k2+q=`? 
z7$QK0N2lk0>uNUu4^uFQjnGLcr&2}5%%Ras4sWv zPfp<~vM9C~-8C*Qb7_*ve&TJZ;3llv&G(JaZ(x=BS)8A|bWp|?Y@gCiJ~@6G5!A?y zQ56x=NQ!kLu{L$eG`$Rf0v?h>Lhjb`gp!^iu_pz%z5pclTon3q=%1~9PG$FVsB>KK zXU3jJ=pLobEWr8^m>9PLxDy^kVw9v7VeV{sLcrI9K*;K@lpdTNXhus!K>()ilTwVP zbJj!LjyA}srF{Ep3=*N0x(PSEsbWbUBmAe{=8n*NbiXNDxd3SDf=Wvy!kVP(p3lZ9 ztbntQAn7rnL<@fOp``bXge(9`euxc0c?QLX_H)3tJPQ9+JzT&V!2{sMGk|GX1Elfz zs4|QKRU9uzGXg+4ucaoTFLufV6!1nzb&V}b2Nu}@A>G2|Z&_YuAtK0{LK7Q0>57Wk~Ij+GWpOF;xmJ+&H+8@0OE19_jVK76)^88PeOH?r+C+p-5IzmZ>A zIB#4*CjE%}tp`_g+HN$aw1;$+8+T2cdX7{J_d-K*#Xl6(j*hwJAwkl4QOx2~gdoG> zQ&k*%PC*;SCdC)it|99F&XSsjQoH1~Ec!|hHQcZsOZeTb*q0BbgUC6EExC? z^-S{wghpFWXXlcQFA$3j4Dz2{wddjCpTk(J%(_DX8_xedz;R{h_M0g~h=U1}8IjWq zZ`*59-)YI9RJN3sKuIWR7)d~Jn2k<6l=Pn2LNgDzj(~@mlqAf0Lmnvpo z)a@Bwc3p_P*k0P#8A*1Qf|Q$RKXZ?^roI-8-AfZKwY1u~3==2JdoCK*RXP2NF3ejRmY&t?nO5C1*S)L1a z`IPCW=E00r~cW5~0C^6x79!q?s%ry}_e; zTUV;IJUd(mD^28t-rqe8lRY^Lx^z#) z3T8Nm`@^-|56|HL(H~LSTmOVa-V z>F~HBA%nBw`s`A0mO??jGn{Mc@=+*)Bk6v?**ME%j)G5#%-=Sx8N(kkA)Uik5+;;G z3@3Q)$`-8q459rRcM7AVzm4|;7Uaial#4)tGYm9HSZEEn3la^SK@dlQnjA-EzrpEF zsuLfv-~H#`-Vj0GpC?}RzQurm_Fh@1eRFN_Na+*ML-WBEu&x_;beAs{q2c-g$U}jx zE!+-ZNq*k~xPq~KAy`*9S1+Kj3f)Gz@J0H5rL|7W&4EnlPuo}- zB*djQtiT4hCnjFZ(fmzcaAMh!I2c}-B6RNeRTb)3B4wQ8%kMTT=zNEUapkXH06aeu z7}%S^3R~{?-ri5C^#A@=xIP&Eu$Gk-w^l&~p;&pWb8dFl+Ek5xS@a`_D)QI9X^qEb z!}rPgGMStIqZ(aPmw{uXflak0+27Fn#iEsk{N6pNpnY-qHISkJma!TKwoD&j?v8>) z*3h{Qq%An@*_4~d+h30kuKZNsh!-o5HvnTl|Cllhni>7p4fNOJw5oa6ZLH@7ug^H0fk@ zlj-S+qpr}2;;v5c=oCSYEOfg`C_LxrP$|;N9?)1=OS&kvoS{8RKQeqNHfCFJ z2`;<4$@{fshHU?h`Nq`Gc-?BzKE*NST$_5a4a9DIiAa{6=3nxIJrW#0AzT?#JtYNy zbt*|}ADZ7Icw-cD|2mN_l7)FSyE0KQ;%Y$KHoVmGl%p6S


MIVAl^iyMcASc^sT zwt>bgcjIP#x>2J-v1pA0#(ri` ze!M5KUebIMWNhrZ8^IU0Qo4*PTRJ+7mk{K>)�xkxL}9jR|I6ntG5kMyy7a-dTeF zMEeqmCf&zsF8UK$DrvM2Gmmax>G!6$s)!DQVt?P>uR01pY_?J2VM#Q?rTK%_JJrMb z{rycCP7tj;n>vA?FV)fDb!HIV)7e&D5FpeLO8@x$V$izZt}RTQ03YOY$@2R0Pzv)(^|p=YCS_kt49{~;x;jr}(ePoUrT*MISC^v9R@_Ca*~8YV!tGzkN7 zQCPpM;|}6?v5bkH+P9*Il@l>gszM@Uq<%<4mG$U^U&eWaK;BpB@^^B62pCE6!Opi6 z%I^M|&Sf+S;|cy`0-lg2kJ;`=y1VNrS3JlgZQ6TelyiI^TD?UIM^o$Kd(v_&r*9wb z`~O9_m1Y81EB_neTFUgZu7#3b1A~rSNjHF1?gQi&=UX8FEX)|vO*Zl>LgXGx;L1Fv4>jsvA{?gSpgT2ZZZQtS4m>)7z z#0-M1I$hh-W)SJ3jMhh49vy8bQw8Xq2#M!(NW77cIB)pV;Of`ff;&OJ=siohY+*77 zH^Rwy{|FZ&I=Ep33**UYO}R7zj`Ib&HS&wBMXY*;J=R`6<3UA}mP{hJrtwU+1azYL zZ*8aPV)~zkUupy2y(Ap&8^kZ?ZE*Q(dNlGYusOrmC2s;}aj3UPI&yo-7)ySQ+n;gT z%+X_(LAHctQ^y?N2me9eFRV5ROUM*+yF6=Fa@cU)eaF)taADJ-D7MOR`HsL$HlekW znp-tuwQN5#^q9EiD_+NBi_&tguhMqa!)ua?6~~U-K)$Fs(hAkf4~XiDk4dCnRVwLk ze)6cU&aJX6i+XC&ffdQ~Kz_Hl8E4>9_yZgiS{$;)w+E*f{v}l9^ zigM!d8bciY^QOJwc0RJk6WnL(~y zjG917lg+A=M-Mlq^sjWsqq#D7F8vQ28k-e<0f&09M^NpQvjWL>6$U8a#vlQtgo0Q) z4tcpO=G`uRk(EVlKR+lK!*s|PkA6v)>9zE!Ojk(m(3YtE-qmhA{SO?n9Fq^|#)MeE zD^SolUv3WsrFX{>&ctOj*_IMePi&r>NB(CQc_?w$*z3V|42XQtdJ)`Y(>^JFL=-_W zR{bFYesUr3@pr*G+h2d(4kr@Aevb`f?3a`!5^%YnbbovJ`Q`VtL5uvt3Vr#SrDxX7 z$nn(`7f0%&zZ!Lb9rGw5+r35namj)5ky1x)EI|*?Fg~mu_Y@m$zl4EqkYnm$d6z%h zLh)sQ1K~|R{=E_(Ip_!GcN#f`CE^Evr^xx)UV*bNJ2v)&qL$->VG2%W{F_gXz>d!yz&~`#Y)y$ zhEyXIHc7ncnyw$cpWq_gjEo}P9Ohm-ocldK+BzSMBC@3c&$k$lsQL!HXa+1MsIrKx zq{$9O!D<+OUsxokbaFrtsv``2o%rv{k_oR)8h;l-925Q^UH?OS!u}HF#~E%Ti&G~l zS|?<9kj~WGp0sMoDynPH3a>tDcrlJ$_A#~aB^ZP<4ThJO|L#9hEvlGDf2*log=&&e zq-~3|TV~sz!#~@4V`Gq6tx-w}I@Gq+$TQBx*RT@miRhV$W^=3jRqlvi!tjp4`NSq+ z{XQ&r%&p>WY8@eF$f#R|oU+cB8@i|uCf9gQ{}L8Z_O3DSU7lC(4hrG@aV!o|bKF~{ zOa|vbxV~MCmgr`i)M%9Db<2cN9r)M_4(TDu{8BsFBINqG0td=l7x?CIuN;;6kJveX z92y_8ey`Lmuj&0+ZLrD8SlFFb=gwL7!~b3(sJZ;njZh8s7o|bu4A-rNtK%Sjfo<+F z=OB(OyM2lFp8sJhVImjXM@_n7uVr+nLJp?B%xhWa;T;}_N)wLMIxkLo??@)3WQKr> zrr_jkT_LH|AEcpQ6$hydf*9WY?#bN}wLC~QT;B*c-3c@da~pMpXCOhEYZeY=!_{Ags*xKqq<1wg|43;?t0i% 
zDj?l!K^$7@*VOJ1DZ4bJSduP1ZF2dhvF=Yq7->V=qkruw-yJr0K~_T@ab(y@X6+%_ z_$gkE1vC2Qto4t>_aWoFQEFV7oN zA4?Yxa$B7wk_$DbP5)Y|RP5e2D`uPX?R=j=B#)fs#nYe+pS31tD)ReTu?Q8uxpEJk z;wk0#+dD(Ir^J<0m8)vQeTubs%K5x)hlaSg4sbX0)52oot1fcxaDEq|-MJNOvMiho z8#|`G_^44q<#3!lHAIt*q6Xo4j)`Bf2gac{s^+u7kW_^>q^jxa??}^Xr`7PW6sJ4{ z>C%$P?+GCj1FG_yyqL!(y5b8EGfbKo=%paTyncklQdOQmlp7v3 zb>v<7H=?i32#eYy9^I==Af(_Bw_{kI2VRoA@)Bv1Gi`|a(rC^aH7hBxjcMoG9bhG> zFaD^3Cn0q;O2}iJR~a_C)T0RpFxi_7V;oBSy(%BC1U#=kjmiA#O|N<3h-hJJ1uwW+ zZ4T8BV8|j<;|Ots(;oFmMRaGzzrfmjO?5%-JReHujm}A*<0rt?!Xxg&!OL~Dwly+1Pv>UyXF4sp(c_khCq^MQtz>ZZ z=+yu0UBdblh_{=6Budh1P|U!}`rQ=O3F^b#Hlgx!GKfv~-#Aq>6C{Qlo@{wP+z`U1iy^al zK}#x$>{p=z>&S&gD3TIojGuH8dKiO2MslUH8N4rjJF;jWzEpap8n>HJu6pf0=cUJ+ zHHImWC{bVHMNSkD-z_uX(+efbl8BVts?!&>q^Ln|WSj$T)e_<~iWr}w=Ifa}+o;i0 zgF-*NGag%$opi{iS0Bg@8_NQ66~5QG zU&nMn>A;26eb*}q{Md=vyRhd+(e{_Dc zVQyr3R8em|NM&qo0POw!a@#o4D2(sFudV_=CHtFr-$<7HHHqt)r;Z}aj$=z!B-u{9 z&z1)wA&C)5a0t-0l1bIMjdOeFO5Va334V&QWjnJQZOz6cfkt2gPW}i^t|wKr@mWnHY+9~hHrV4 zzdM11BKQCP@Bc$s8{hy^2)fXPQ{*6*g1!yu1p7{9hFJqMNgi-M&y;N^G_we>2!P;ot9x2w0}E1$Ofa!* z#0nfB!-hTrH_*4>*hU0U48{m}kPu`7%cU4BaNq-q9M6Unk$S~);1n@c906^hX{^bR>-N&|NEcQXmzJ&`?srX}Pa9!pj zNYOr^et;?j`8Sq=mk1KVUY320^#E`u|g zAwH-9o&Y*SNf;D^fS@`rdOQIxrhp&{pleD{jK>VvYXAitivSb()(tX2KrDC4p-SB; z>aiJ{mnHR3qg1Pv3Nd1&PoPaurQ#xbi~YG|RFZ_s3(#>qx)2h;h=7(qg`S7ZdekF; zgxsPtNI6QDODME$K79a-R9=87=IC-Mz^-k%0$*zaZV~W&d}EmiP$pNRF+pCf#uzfO z;grL!yZ{b@Zhk}YW+oHXPGxH2F|-+VA^PkgE>%Kkn4V?QWgt<)Vg1yHbhZzwn~qC2 z=gkJ23Q(1QMlKU>Gwg8yUhtkY(Zq6*`5F+4eKE_(?L0};~2CfWxB1kFp|qUg*u1k;K2743tq#*rmD4N>GSR15jMtFF_{l4U zpe8zvo7@K zi1ux0pcp7RLjN(UT>IK*R5jD;j5&})FLC?nyvls%B zAj^SX%||wd5iTaWOQBMu7~4@@Iff!w$eXbe8doTE@Qp^p*v4bqnjm9g*vR24py=bx z*tcAYraqrAp=X6(lok`uykq-;Z4cRar0T6Z^%0T%9k(Pnvc4^+$|`sf_%`q$ohh>s zFk!fbOq_fiP&vPb6KDj*lOQUU%8M6bj+j{!Dr!k)1_J+jB?OfM^a8xcL|8%`1#T#@ z(iH$^m{6&{BW)cbtCx(B0YG06gKyu(oCVmz&vy~CU@g2!ZBl~d=xE2A|REDiSEinLU)$wMQ}`XSE(qyFpANlt&nEfOC(W?e~{qf z8YYJU+6YgM?|ca{l&J<@9E% 
z3@@QAyW|QcwNx%%EWZE;T;DJPE!U!vT~m>Ulrdv7KLI|*6c~=lm)NdF+cSLY9zY6n zq(CjM(~<*i0d z5q{vd$T?wC_ulUA_KyC#hus0jR0ASE95F=V6(;GIKBCAKnsU2gO0&j?6ipXl>)2)z za_*T>&D7i+f_KBfXUe46X#8D&eeS{=XxWUo*hk6-=|Bf3CV92;pcmKks{vn3DvwuYr$7 z$b~MAnr83XwuQ3a#Y|}aet-xLd;`g$8GRTA<8Vvk_#mrFcj|Xs)5Deu^fdh1yuo3wozdye>Hjh!K$&{McTevEO64@_YRmm~jrLp)~5B~X)Zv&;4& zA-C8UY^>;>95$=@Z0XBeXVdmS#k^fp^Y$Dq{#D_sfdmfnSzoYXo{yQKvHxH4k88{P zZy^^0G!^?bQckoLbX;V@Z=SZg1~0fD%V5k5SBgLy7Qn$KQZ?D&H&2ztp;s1)!A#bY zk3#x{{PZNNaw-Z<2gE4h7L$wJ8k&ceM_NJUE#pF;G2rOPMx{kZ7^S{t@QF_~9(E0Q zC0$*=3s39s923vCZXiW9IeROgE!p6`YR(|lnA?YoX~d%e|Gb39qWLy6Hx0h7V1}=` z51MZp4e&xCEJ^_*EXF1w3!7|3Ly&=8Zs~|p{ea9Al_e8!%^YBG`23obL1A_g)Orf zZMn|zxmCl^I3Jt>wLf=ue9#U{Nb^xF)|16mhsX(BiJst$fjuObh(iw=2oU5!pZj@v z3!(t<(I0{3ODY4xM*9TULFW!S9#h6u&&LzXMq(4a8hYG3xwIV3kbLHXB^{XzDk9vc zY|$Am65J3=c z%0da`blJ9{kXDz`9fJjFpueACkY3z0>alDY6Z!<@>Xy!#XAQV`x zVFxDC2ia?V2)&k~|2h=1O*x12309$6&rmQG;Xy7rth2^0(+#VWG?VuB;K1R2*)nvGvbRGQZf=}Og=ds}C! zKzw40oR#fX%(qQYeDgm3IjQ>j&i_g18U}K#^ARUKE<|cRM49N2%t5ZHx%4=W#)w`; zjE}^}SS8zpUT$yuh*0R$J~ksGtiy{X2G<1pth-bN#a1>cA(yhbnmcP{w|dxoaF=Rc z`>2QiROtqAXednEjAMCo28Z+b* zWfQSqjep_r)hlH}@pm~m{*{KsyxHJR2gXc6d-RSk)WypR=BsmPx3P_xMQTdDz+DsR z{k5!tRxuzmX~T`deJxTanmgHW3X4=K(6flvl8HPUFO;iH1Q3Y<+v*=nl%$JY&X#h| zS5>T3ESG&fk^2He%R~mucKPslB4)P@xpjnPk2_3KPWA03v2iV$Rb{!h;DQF&@{bwm ztXt!S@&MkV@eJenP;*sz(v$S2!P?U{wADN>Y=Lk^%-05d)%NO5qtV!iHdXrAY;*HO zGzo-9EA_P%Eth1GDRPl-8NzotbfHIPm?#%K#CI{qUPXtRx_1GsWLmG(^?(B6d;G zaCj;vnTT`f&cg(0{!8Id4Py=XQqq_Q-pFzg4(LAE*%gw*kPBb#ac+vxn0QGx9>Ot8|`E3u6Z z6)ij}wFMh`&qeVpk9_p5U*vm_cAr9BrSBqm#Oow!@YaNpt!?TIZ3!*w^upP467U8bmobBEUeb0jwA7|)z}=%D6S6bXDpxMQQ; zJxKr-@Py@)0(QeVI`W}QEP8?#y~t}C{}%eGD>u$1^tn@>LZYOlYl*(9@H%4HC2SgK zntcBkRA-cW`OT$cfD;C#{V}P+s$Sp5&yrv z_3O|0|0nr<ig?7P&Uyl2Ps^+84xSk zPg+Y=9<{MPQx@F0*BPS*=C3Z!~maUh2A;|+`wc*ml4{*n}k zK=^f|9-c;7j(uhWWg801l^CR{mh%Kw{k~^@Nx#h;IMMlor(!{Ppl6L7$VQ37kSm_@ 
zjpd4Inb!13si&bYI+yb_?Gfwi6Sbs*4a&DxD4=2Kl7bqRFGX<*mt~ZzU-sx-{s`D#$|pfVB8lxUSZh&JMs+yPKb=Eq=`KY1+~^U!KSSl{-RD)0#SN`82JqHeWuZCAE3;G_9>X zqdl#i`yl(B7A@A-+EjE5?`hhLwxga>M@GkrpGbqDyQdv;;<)0|v?)(pKT-e5quft5 z^T>1J&*1r~WIyQ+wp=arU}tx9Xk@)k-{_Rddf{dsLs@$h;^fPE!7katNx@!^)xE_3 zn`-qz4z|KApHx$i={n6hA++8eb&C9Y_ueK-AJtjj1`n!3{wj?`XL!~OULNsz+`S%t zaAw`waG5vyeyi*mCM8DuN*iiL{`vc zK_Wb5(IdyV$kjwX?n$obl?xnS52Rh?MS8mUm?Z;cDPNMmB2(l?i^hp1dHM?*pbuby zKZfZLyA%pPs^j7TgzH&~{xiEinStp)lMBV6nkiiVEm@!?*!s`pfR;S$Ka&CR^nYt! zFpHCIe__TJZSTfUjXrlwR(M`@^}wuLk8tu=z>YW`GHc`Ns4VS~l~Lg*cAuFilgG!R zu*Cg>4a3}-PZcg9@^U`=K++R$Ro58-8=Fqz@zI+)(l?Vck&ou*REaC zx34@Ze3eajy^SR9f_W6+kBYgvndWgr$h2!g?iY=fyhkJ-O3G}BMTE(#NA8D&maBN( zhK)*J{Kye;nYoeIZh${ZM0P4!^HVv-wCv3*FAE>Oj>_OfJjL{XEE{4uw4aI#UeVGi z)#lPo-E}UfbJBm`Pt_G=3%?)4Fu(Uwb(6E8d>qBQG?T=d1xQO8{)2=CmCD}nZ_kCY zF+S^#%`P3wvw~77+RiH(pYl8^EXtn0?qQzD#Q(U~u1xU1ZW^*L3s|?GFn#I3W453! zFIaOM`XvZ!2A#T0;gLP5k2E0iZhUy;1&FdME-gAc!Jbucuqf3|d?CYcTVFR<9wnpp zU;E(m1LjntFw*8;UW@gg%9oe(Kkkf>sk+xKy!jS(xdzHMq%|n+0ebG;QgNx!BZhR9 z2re_c;I9=^ChleW*>yi^*FDs%=6^}@tK#1K7?t@QThxh#GfeTUlIV)6x^TZ3R2HA} zs7%~Hw+?c1{qFZdFmcoMIuIRXE<=OGqhAp^s!%pX(o%2?Rt ztm{1KBg@mCfrm=Cx|03rr98aX{V&odim%ji|mux?t3~IM_KVBo^8uG`3 zFRtZ(JoxJR^v7;tNyO2ETZ!Fu{P@j?OEn*_9X=U8GA+D~$0j7aivJOZ;5z5C71eQG zUgw{hSg*TYO}y%i=^>ZQtjQ9S@<;Eel4*j$UqfAod%}+@cVX8*YAb4|quqMM?hgnW z#w6fTTYHKn!oTB;{RH%c?W~QU74@lY!tCw+zl7hpMvROihGKV{EU`;x8n=h-J!2=Ykq9|OZm{I4*e zLmV4i$M&^}9ca0^BX+f|^~(3k-+uo7lD~Pgu}P8R*^nZ#**hC`hIM*J*V;y-(P-@L z?C^gZjYjg{ot>TL-ZAa(6=F-VBh)wRVoMA z2-rIwECmecf-wRU9JnTc6wD~~$o}T0i49VpbD(t#Z`Lc7_xKi23?NT00_Y6MhNL5E zzf$@34OkOUzkqgtNL|Lb*F}gI`2M}}83zFR2n2*-%pi~jp~(4#0257MU{fF~0Ry|# z$F`09I_TR75(FUOg!>i9w7j=Oun59sas<>XMT%z&$F|e`0>E8z- z#oxY#SX4jbzz=aj>U4aHv>7H8eE+Ujtq%}Kx6X8Rs)CHxX3Y5ZjR9tVRYsDRp;Hf7 z1h|+2bmw7$OrQeq>_r`nFhGRDv2BqVfQ(VDxV4W_Y*7#p#3`O&+s3zy(ZA1wF*2zA zJ20^0K$mrudIxH?@MJRh_AQRSc>Dc3@UTy76YSqI+~ii#raajJ-Zb7c_E}X)tNdQq 
z6B&W;-+z~Ma*@(Vy|rwcNnn_T6+pTVerLTR?bRs-L^ldwDXH#eJGzt$V|M!mVuXxmJ(h4uK0&EKWG=d}=teSBCX%T4|;-MTBl zMxt<_i-M42i}B{hg5U|+!p8<-;iWrrFI? zaYGQ;0N@o@7^$*3H~4 zbOtGai~+pkD6V+OXOj$Ib}S6Fap&ETk@A|6#DF35HRv4jcVM_3>UTL{An^D-7nNI! z&VY~p2rM6&dc&`IO{M3gP9tE9Y^nAsg~p736rdPtnv^i9!huWcmCEmfv(wIXuhs4R z_VQIsNJLRt5~S6e+$U8c4r*?Z@O&ZI^&p-7R{h5M2AYtmzr$Ms zEa*u3YrM8(KutVxWUDW~g;am9f|@MD8Up{-KRZ2ce+KN^fB#;o4A2DmjHkcn*ah4U zrJGV}BKf_-rh5nb z2v{x?HU7F@iN?-z8)%RGi`)O#CYo5T#aUCQp1qznitYdA&i2k$!v5cF?Ckus|DWRb z?c3%*Kr5h_AIW1n`!z5z=$(y#gH3C)0RPzJQ%MbQ*+AT1QirC=r3BhTm52h=zJH(i z*rjaTsB^7=Rb($}89;nQXskLn!~qQG42*3&wyg;=7KV*v8fIWX3T-?EhQIJA270Cj zfNqdW2~hbfz!y9wz{b-ln}5{w1qfwR!p+#{XOP950zIn`O%g*f%u5M9i!UoC*0iv? zw7KJiG7@9xuZR*O!$yQ;u`iBc0XIu<@jm=AFkcKMNoL3~+sPsw!I6D1fi^)Ez?TF2 z;7y~^WDmaOK!33>+OA}wo&ZDrARmgLvLXmuQgJJzVv6=v8rOMSS%qh(7|#QbGfv>K zU#VsGVx=bgtfIHYN~aL7aE7u^ye|sz(bBK>k7WnSR& z28QxWc@#52Wr*AANE*;JkgX#p-jqO!DdkA#cwQL_`q*-53}x<>EMGN)XaS)Vv4TB= z6fW{ZX_T@6>6m4~D}x~Pcxuh4GxQf_E9!{o@5>;-=h(1Q`BUL^2nm^^g_sS+-^FMK zbQXzBKxc(>pzubwv1_ZTb=;?0U6j`-@w=Go3%+J?pq4Xv-J`;J3v+z(n;I%bmKb{ne#l){~Z z-o4>H7{Pa39lr}E6XYLSHhPbs>0|61LY|6~)o#|Ci1Kbwn_tO5yFtiHaZBzdVts6YdB>vkZXC-*(1wAIH0`#PN|V9 zt4r4D_4mrjnFMfvY(&w$+kcPoT(7*fO55!jGUfy1;d?_EQb@_YYj+NZeN1Qu4~uzV z*f=ni;0S>M@Rk5^Ndn*r*vmLS24OBGUWzXuYvjgYi{aP<04fX8zKjwvykH+}Ir2#) zxY-BIy++rn#C;VZz|6Nfkl!{^pxci zS{3E5Rc$7p%fjNU`GUtGEA+qf2uTUjHkaQ>dPVi*^GY%x9l)w?;<2nQ;N&SEvZ|bX zUP-ZVSDdODdsqofk>+*+n_6;}dLc}7G4B*E3Y;+{1e(}CcHk6^;8YoLJM}`-UiH$5 ziD9g6qyFnoeaT#R7prlzRo_}t#h~}FwYVf+ zAk0Bkm*-@`cM&tp3X6yX>IVpf0OY6z9IuXR0z3h{6&{zD12e=>jrj_zUJ1#fKGT9G z@G+*K-2w*ksWq_-ND=Un%_CL9Gd9Ptq1Mtk zk|-lWJybc38R``eWr~02J7!SmY6caY}87~DJ$_( z1mW!e229JKpek}yfL9Em#zs_(HF9bZUead&E|Kln=PQYkH> z1c-s@NW6YZ(0U{&yEm-~K!3zxG{PxC2$t%tFo2I@8O|JrWn*yCY$yrJlNO}UDY{$? z5Dk1c3K+K`A%LssD6TFoBeFQZL_fL{CR6=~@#`EiD=-hn$afKCAMs}F`@S9`7_a#! 
z_#?n761YfdzDKqb@yq7d-=ry+A={~oj{@x(@+}IdXg?N!C<7A!FJL=$GTSs}(5IqQ zoBgT6P;1c}x$ppg0v~xcG!Ur%zg1AZ=A8sRuO4RsV|NC?jFLQx&ovTA=9d=^8nZTD zyY2NpB}l>oDnXE(_A zEfax1*`)6pU~ilMX*t7SGO_MJwN}luW>h4vYGV@E_5%D7KwGGH=y@FDdgT%c=)62- zZ7}Q!7$XA)1Ob8_1WrQH5Ohu~WShb?5_gqw?Luc30k6gj&Vz&Akd@^zWF9g$>S=R{ zAr)uIOAeh)5@mT4Gma*p`gcahC8l5p&} zJ)VGAm48%A0m--7v%4pXT`bv8s>1NT{S`Y3P^Qar&I)7~Uj1ajDiTrH;aL)_b$ub? zOS`YnP$QbLK-h8`nE<>dC0GV zSCObzi=i>x_)(7Nd~nPX$wwi>Dv2Yds@6kv)f017Gm?I%3AW*&vaj!+qDjWsqwR(%C-Pl#h`QhxJ!{7p|HHLW~(=4e*m3 z6#%GBt_3@U=US!7x+ZhWyT0Lxvch=TF@iqwulW+^dScmVA8g)0f71`#O?kd-Gv2-N z6EvH=rg9p|GhcC>G>?+_#>SQ*QIy{G8lcdhqR82xL3^Pb8& zyHh7OMpQyMhU8(=XwZT0-}l)9OOuAMWqtN5)lqrq#!z`6vO7E5N%Ud}zf|q&){utI zE6X*}ou;dEBFXFEPcZSZ^BFq!h7Mt)E~Bm!?IuT3<{*k4EnNpHu@2+BfB8s^XP`6W z!!@H9VsW=0W^K>{(S&+P;StpZN|R+NlC**pD+rP@Vl>4mR};sS`(FMCtQ%+}Vb0vn zAZ5iX)ks0sg@qO>SQ8_nYD)*Tvh7(zJdqS~4P=5F&Ng7V09L~4%*N*~U+V^mCXtUe zZ)eEm)x&ZY0S2^fWb!T+Cj^<V#@{xL3N;!mF1`~Ug!$|=$e(x zMF7Lmv?iPo3QXi7*JK7Dc3JauhWs2{D-2g~YtfnIX0jb%KRjqJ`eE7pRL@@IX&n^J z--%ieSn!n)BPE9Fq-o?1;^#Eu1(Cm;P^Am934Rq@k!38(mT^R)!Juyxd{=9dka_v; zeZnSy&iQFe9c=a(A8srN49Bc=+zIv#L;wnGSU0faL3hE$n7`m@<^a_EX<`vv@wppJ zoowntPkqSbABQChWSgw)yTDC&K_r@?6G9@!wM&RfHHNd5M3PT@fem%KtMMjPU1m2j zO0(b#7TgEAsF_@LXtZf`RjUevYBkT$6rK8>@4YfXHrYbNVN7PS-0B~L1FrMaeE>a6 ze9Gj0Ku|cVm<$Ye5Lvj+oxRE-SF3_*y_$8@IJFVQ>W0pxCARVrV!G=NSPq;bepWjm z$OpHOt&%9N$aA=AGmeR_bQaXM>&&cHvPyZp^qv`&WqV7NY0R^sg1|buB)zTtA0Bc zE#y`R@!}_ih()n5(&C)jWIS1=YBs|+6{I-N>pq%Vg!+rr>l9em%xK^Tpz811yrTLl zO_ug01fBXOioIb7`s$ia{l)!nj!6tTpRtv^fH9g#;D5GU#enl8-ls7@c zgOD$ebt$2V;>o1!FuBnT*~%@Fx*gmK!&gf|HE%Xp(Qqd-TV9|uE>{1Nf%ljN6lggM zBqss&`93p&L`qEv5ucXM3)$2^m)6!0Uyqv00=T*g&uZt#p;1@miHOTImFWU0#hxs( zntsm~s2@%TXNP>=QyDJ>woVbsR?AtTwySFAB```T=_nfJa>&-wavL;^oXLv{gSUj2 z&I=0*bA;WJ77x!jL5t&zC7NulSvI&E_WwXXyl{0 zMPWiJe1rU3-=Zi=Un1&DZ;D7RnC1wtXHk?91YIUFfAkGj$k}phB#)wVTVfL7c#XW8!ca}v+fGR4}lUz7LYC}RS z=+<3CH^)A{C1~@c*{JO_w)ZOMJRFe(V?y~-*hdb&k!v6B-AWUe?vN>>nSHUkeQ@tN zNhjs<<+!X2T6L zyF=b!SED7&jNF_hy^_6VQGyWVwY0f*4P>1 
z2|a}i7vbl;UIP8H!NU%;Tvn={3ea`U*We`weXVZ9 zWCi0pmWiXkb?_%3o^4Sc&RYdqOgH)?(#+vThhYETm6?}lZbP8AA^rG|8B*T%k%?St zL7VXKifC(0bc#Yr2Aa!96O02YIuW~kkBny)MP`^ER75236wn})_J7E2!&L*(l_2qS z7?ea2KM2ym=i87Jb0bu}*#{2v{web7|7#yqdArqYABU==WJn2u`x?Bw;Ubc3PWFcj zzJKR?A1`mhfR|b(IS~y5xdQ}&49VhlJ zZi%Bs|A{y8__Azzr-;h7GY5TMcwv0(S3hrGd^L~W(yLD&&OTo@?KA7$%-rtM@#WzH zZe28tqr2JXt@D$sqr=A4`9*MbfTth69^Z8jTC{u6q1}VS^X@@wPyQEl4_ddEmLbYt z^ctT(eQ2CnEw}rnb$8Zo+_L|=7awoC2Uz^q-ns1_yn`QZJ?HB3uwj1sU>jfY$#MJL zm+{ft=2fR@n@1N5c)9CJ+)m)-$GzjD!);^Hq;UHq?Ok^7x(Bv%b#P8UUmiC;FB*-{ zqfX=W@`Lqx>m%)rrrX`4^R3Tc=Z)^yfz@{3Eyi1e=I8B?d&eDe*KK)=t53a#;n-iy zBl~9TcK42tcAMj)+Y{5dSQuOO&G-wRnqN8r!?*4BysNFxAXh~}T~J~q8SPQMO5bkDCYuIzW8hK&!M(R(kr za%NlT)8XOS(fLjH;Oee-^tRud5AenN!{JB!^Y+DI??dqR`b2_b@qPHxcJ&T>WwbuyB|J& zx*+JNH#$Fhi?6osw$AOrhk?_$y}0zw&pPyE^wl1Y-d`-vkM0(OFZNN__1u%j;HJBE zz8E9;L@Z#{}`S#(L^UHzt*|l#!HqFnUzZ{;8w%={T zOM23sdt}g{v#xCpjl<5))%oFv-uc_hk8}FR)h92w+CJ>VhCMiMzikc<-_hZx!*~5r zNDJkQwfHLpG$(<{dguC^`~#`_Q6*!`&M2phfsNV}Kkciqv2 zef6bFyIY?Z-FBnV9euD*N7Juo2gkJQbecV0#%P|64(&2JqHVRNW9RMs>Qi^`xNUs> zaO-VdefsbfUcL>^tan@8;m+;pm)41~WxHcX@b=7lH%A?M+S~T}=by~4SBLM;K5rd2 zd!4(l7hAKN^H04?ba^$rIOx5^Y`m zI`q;U4L4MtXQNJY!1PP+(0ez0f8l?24twTyXZQTm z?5H>Qj)u;~r}4=A`q44z=={RFy!fy+bPumC4vj_E?qN8;>YO(Rm*~sqU1RIRyV0lK zVfWl@T#U?5CkuK!I+{03ceWURxtM*Pn|p)#;QiI*t~KcFQsdKykE3mK2)92Rnr}!O8aF$;YpzZEp4Y zmtST(sPlGbd^q?p*d7Fz2Uk1i=eq}^`L6Z(%WT+nc0Y|B`%CY_Y@BuMj0osfmz9g#eKkuY}UP z`416J$d@jJ2hi|yj%+m*xazD@1Yo?7O~z%WK`jus*o(INmj9$kP}s6MTO-)l7n zDXd@rFInTifBStS!or#)`Nnk z6K^n?BZX&3sW$43W>JWhrW|y~qc*%VoW5Dv=pvC(nuS?Kj&uZ{=)k-D^*~{(pG;U4 zbm0Mum4O;wkV3ZIKYtje4Cq?W6uGL3nR+VnS*?O-9PBzV&0**LaV%zKrEfCG;=r_Jti<;o_~(DqS%D)O8_yPZ6+ zp~2hO0I!s-vr;|PO&jsk7P;j92B7CLamg*Ak*pCI9^Xhk2zTi#8@ahKH$Wq13grpT zZ^9{?_gVFOKJH7*qFl)N#zCWK)@H**4x)B=_0O@}$EG$)Jghn{%M`!oAR*b~LxaLc z(Yr+-n=xR8BRjd6NG}m$Lq;bp(uqp^Gf_!Yk@64+{~KFM8IUI5tMRc6@J2?*$07X* zzF^CZb{vYjmqLmrfj!V}hDr8ttjvuezUzu*H91JI`jyy{5h3-WhpLIn)fn_Y9M&J0Ni8Ihn$*98{QSj)=JAW4Bpgi6J3=}GM( 
zZ6x3i6IaueYb4`Bo8p$_0rmtzd`iebBB`&lWhm0t+24~SEK%6WQIQR_Ex;$G!B-HFq7HnPo=6=;&F>I>kjTCm#SiO>GrSTK0Zu^Z z%H5DcD7!aAR+syCgc_+l92iTY+ zU!@7LB3H0*uWIvUR`8a|Yl|J$!jF8a6MgXiD0nfGAR!8`G6G<&IK>-@LK1>Fbm2ve z*^tf3NkeAq%cei>3m*qG9HsJt@+i@&Om74%nvfCh$j(NYM`j@g#rKgx?S+Wq`G52- z&ty;jSX!M?8mvUY2eL{VPfy0J!YMsvpQeV4GJTU@Qt2>rFq8>CyKupCggPEw2wupG znmuSx8Eek3eV;+sw2>fM-@bV8*wQwt(!@kd=+viIoJxKI1R065UAfHpE#uvvA-R8o zz_tDeJ*n0tqxARhmE^nq_~J3Eid1c}+`(LPOK}rhMG}30OQIBj(1T;kwwUQxKZy#5xiVk* zXo~LmRrJ-He>Q4w|Mma=&;QgDe^i$PN^iNx=;4{6Jp-2|5%nK_4kl~s*C6?_UD#6tIQg4kaNQZp5rkAsQ&kF zpjmIet=}b2KE=3P-`LO=Gm)j9-HL{6xPmK27Tr=jVK0XUAI6K-~X`J*x5w-%jA z7rB07fy)oNqvGVkx;I>k-1YJ1v)%R&@z;y#CF0P2rNA4X=ZOE7m6R@qd70#N34TTm z>AB~=X?gdC()pZr$FG5h`MWmRY~(^$+-THTHKvoQI_6cKHC4&hszRrlCjQTu*wr+s zdDbeoh&4%%T{R*<=Zzm_L*|UIr2|aQnOKi;A=+ZqWrG!qy~rG>LW(uJJ&~C(<`RzW zhQ-7o;;znB`AVL*{S(N2-8Z@$Ib3@5v27WPc&7W%yC6P-nCmNSF_rUD0}uVFmg}$v zs37 z2t%UuXka~YAh|K3VY87R61==l{ZQ*$Zk-ijKx7~6X7&Q$xtEVpjfzau zH;v61f;OFf%|Iq398$F0+0j0V0p zvk$82G~MBCBjT^xbdG8S*1r(!rsA=)QP$HEEW!BrUH5u;dfnUN$1w?LlaFUNH~al#U= zx310yo$FDj*XoU~j}O*I8pol=k;tZu7r3T8VZ*g$=Hk{qJ?=aYZU)Z>Q3AJNr#0-75O(ErkQH`bc|mR4I50czO)*{V z)3bBdV;9e()N#PN>?VV(jvK`lQ*oX5<{Vy4QoV({&D%Vk&%Wr>wE1@}uWG zS|ULgt@G2-b?e|@kY%iEi#(Ai37RI~DlC9CIy>p~*2kX|3R*lj+E^ zod6-Kox$+YK=OF=ck#T1N{_i(J_~5ai@0A4mzjT!_nEGbA50;P>5omJCGw} z`94rJ8OE5~@J3P{g$@tuc$@QPgHY_NYg02K;~%@50FOX$zZ`5Lo8w?wd7YKwfjZ&J z*bw`G?vN2s>{mB3d3?|swXVBo7oEZNakq7pA&~p}6^rs(qn78X5Tf{o4uw#I1wR*O#s1(e>!K+c`TgspZ$y zSK0~W0fOe@5?XX5{FlYDeR_6uecHL`WDKB3MAybs8{Hr~sj~`>h%e!P`+PV$>t3I> z-gUCvh)=_M9p{3j$+F|*xDPER|h*XMmk!qZA?vvB|^ z9I|Pw4}ECc$UgTN0n70|>hwB;)+rN}5$l6?tNp%nJv_eZTzB6+8x==9^SRx|E=4YF zLt}=9)>jn6XbC~x&Zxy-|4cAiOnoirOfGY;~Pva;di>98Cc+GqXa&JRIA8+#U75ql|MKLq|# zs+LjE9v(lt;IxTVR$Tgnvy0<{&fwW`R>`=F5a%A@;gCzl*=gtc;C#T1$|ps+bvbMi z!UO`_=pgX9H5s0z%2`J)F_qu7+9&7zXI+iGgT_4Y)Hl6KkDu64&(R&luq|*C6~%8S zHX8fK*9T|a))UhchKLss@dcu(cDg;2gb%IGQD<=7I${gB_h-Y5p&8rOlQ7{Fx%8kn z%--b;$4EeDb-uILVt*AP!gnICTj!(q<@i`;i-|FjH(z6z$b$=nH%+ltZlW8u|r 
z^<_5E=A$V78Uo*;d!skqraYG2T{q=p*#$K5#LcvD`UAWr>SDg z{elb{&dipH4Cv?Vbm?sDo{w6iF}D%!@+Sz zsKVo}zq)}qrE-bJGiLvt4%^752bNzJ`Tp5pnHJ3E_^oJhC^HFRpBASbPHo^tU7NSB zx0a;U8GMK-sq1d1dp7udJ?MNq?+l-M1)ZN!yI`hSH5K+!7PR~4KLGt&lI{l(pGvS@ zRsgtD<=MMmUUeRDjSRHML+$ZiLJigUmuks&j| z$o$MmxpPQ=aMtaN-gnN2Mb=~NkXfP?%RqeQ7iS%7=+0Z-R0$QGrbRU-|LrIA^U_A& zF_YtbkQwe$*zgzMnF-zly55_JITy;`V9sX2zSH>G2Lt+_xy}(h3H>)Ld;zh7!8nG2c77-@8 zYjF%CNE;iOcjqm~dA(LxemnOz#4|v~`d#bv*kMOE>s)vkFGXvFVjoWRJ$;9@A@=@@ zL%hO*X4eII@R}VRH~bfOE>j$Ifv1fo&FRJ%5Sxh?Zu1`t+T>et*%#i6pD^C zb8FJ-befYvaH*ZB+M=qqCL-V^J}yV1aU?(dFivMUZ{iSCL<7ZWfO-KjB^w+UgJ(92rP8rX55Ywm-8RyPCUZ}JpBn`6t} zG|^r4wNSW-{lQ+;RPGQ%q`lzs9TIqVXo3AqOeh-^|GXBS03SqA~YB z#%|HaIQttFX5TxS~MzEn;~eHNPf0rcERV&3&>G$5i-fKYtg96 zdrm1sX9A_9e#^M>EX?tiP8ayCD1)D>`8@giidBDRLc?5DvV?)Zi7Pi!S$k8QxhJ?t zuB}*kAVigCO+#kEXeryHu^UzM5e!vC9G#RC=YHcgXE>G_yZ>&3_OCt?*F6s76FTer zl=Y&`cYGE#(Vd*&kgr+X$s~+5Is4ZD!p$Hnwp>MnSf!iYI1o``*p}po8YxjNY#I!Y!R4^!M_S)!a&7g+etH$0mP2C9kOON< z97T51`-sgtv+3SXYLsD;RrxQMy&#R@aqpN1qm5d}y-sGfl)`|f5&>p$&Ml8Nd*;L5 zX@q`EE%Ae#Sbol2B4K+!s=~}mksK<{tW`;3wZ+#RmN<65mQ~g|)<+Wa=f0-l(S8~C ze>jLD-*Ttxy8dIy{U2M6ovlXl{*Okp@$>$Vr}%O47bm_cQai!?Ce|o(e3%#>Pe8`? 
zTSt7OndkKD+mKGM?`%5IpCjto&_K2M8&ZRwSK}LRn-(DfBAd;<-O4QjGkAjl#ej7J zmAU4X{_&BAeQLQ=bzPlHD1v4MPt=ulNVlQnTtLwN)p?u&r#8q?GECcn=v`QFueJ>Oxl; z<*7!aGKdsL;&C7Rne5#3U_U|Os>Wg%^6T7`%nAgihT0XI8s5IP05Y%{UO&_lfiNd1 zzU`jdU}D|jAnIF2qG1=C=$cxgT}u}p+6PevKo1f^XFd+5%p_CG1(hZ+97+ltcCSr~ z%va(`D&mJ(IX-+7jgqU8E}(X{}j7?{I8spMiWBhiwQxX@)UEZvi_BRp^ZyxFKbUQIrE z!PvHpI`ll^VajG&%^B;Gz(M}8nJu5u_Y8HR4}J!GGn}UmkZ0qCgIv0<$w^!%^hooP zk38ElAQ1)X>QSj&X3$I*q94Ry8!%e{QZ@n!vXMctFFy0Ds82Jn6nB$34tDEWnHa)* zk$~l+EJZhPb2y|d@O`B}Lgup{j52yfV#Pg8BycvBe$?=OB{S`fB-r{pNDyDPRX3w0 zr-&)o;KYy_+}hnEffI{ZP)!KmZRsXdQr=?tt4PJ0L?A^Wn~N9?fRY}NIx-&-P4jG`!m<`I(JKcxV?!d^!zT!jlEr^|CY03b8s3rtnp)V+8D^Km>p|xzb1KSS zuEzkDK)}If{_$iX-^_k3+q?o-qGcf^ZEUmEvxVJ0m%Dt0D3G~spPim|L_QTE;$>0G zX|LSz(FBx!KxQTJ?Vk_d-wRW%jnz=}eC*)7>yXr;^RwLh$g*+Lfaar++$kxZI)>-n z&S0(g6lsVTq9T4O`!#oO)v|9b;aOTrKtlZV=jikGpmR9r4Bv|jfpQIobl{)oV>2*lO}4%%{}uQ7WKDitW1gLM zu3Ll0xp-(bhG>0fLFYPogHwoH;Yy!3S$rl&x3nJhP=2oa-~n=@P=dF_@oI@K&qiaZ zq-5OtBA8sBzoBsumx`4)pY+NWMGlF>tA&avZC{ABvTixAy>Gp&4dpn7d{4MnxMBRX zf*^g!F(jj_z*Ziv#e1MDg!@E60RP^BJ~_XP_#Y`N^5&j3!~hk?|1@@f-P%pY|LpB< z|BU~6iXR&fmG{W@kPj#ZQ$*RyDGUVSLQoma5HJyimQ4V5!3^I5IzvQ$2GB=fj4XEw zrZSMotXKqCE*K*l-vS=;Q&Eva@>~FsC4}4^T8Kgjqe5!-v3AjbT#4fFfNT(SR zMh)MFvL+TXK|l~d(6=q*gNcoAUo%Z?QDBkR{2QI2il{>we2YYN>lOV(8NcR?5teYk z__Hp@sc*w5mg%L=AF%%$s46Daz)K3J%<4Ko6O#DECW(wDpyf}Y=OI(Sv@5fv-=Y8@ z4kvwam<~SU_OP<8^ZUf~Ag=0uxQn2UnMn6J$!avbm@M<#6B3zm8QK!co(?Dd?za2m z9E)8l-NB*g$LKsk3nsDx=T|=B1ChsdRpS_JfU49DnP)yiVAX`CiMFEjQSzJS37a zigrT9^-4Pzxmi_lgGsEaTqI>W31yJ$jQ#$-66KPJb_qBCPWG9Z_;*q*kEp^y$Mh8m z#^9BW+}P_4(A)qUaZG9%d2Gb67I|z|9v~%2-Dfl|VP6W6u5|QV90fo!oEMt7u1;RM z`MBoO+Ngym50(pP0sM$(Rq%?LOj$@vBO`SB6_BxV%zS=EfW!eG=`0CDmsnW?J03LX ziYM(eLRs!{+I}su{rP7Evtub!Ojt4GKhB%wVU`)~J@P?-vS-iqQvoIGWYLp8EKnMO zWhV#j1L)z$2=0mgL(dfa3?u#-M*O^C#NYA~mHCJtC+o*|dVOr$Qnq~Pnl0O#!Cv5i z-Hff;A0tRPD-%I1nP`FoVXU$$RG(o&dx+j*e;zfhy-ekkjb+L#hL`17&p}mRiNw>? 
zOs77YLW)f2S)`Drc+quHRseM=eM#hVsf_31FQ8E`xGoBFVJ@XFjy5kIZreO<*nGOc zI>O~sC(!pJp1jHk1J1Q2^RsG&X2t{IMSwQ{p@(}v0O1Hq47l2GeE?)Lod0VQ+QZqA zhADtOZ0|2z%w#7&%O?cjWd^<uVX)rT&a66Vo0uh2Sy&J z^U@oZyA&f2Cq`s$^0(EJ-e)(lk&|66d27R}WEb6yke%45)I|xaqERLhY$jtKM0Y_V z<^0|(omDxfBUi>a(xy@`K0&6;I7;aNp?r_>W97!on3GnY7YeUCDZK0?Gt?=gd}jFe zYBzT*xwj)7+LH+EQLdh9;^L0@+KqqUT8ZR^`eZHnQo1Y??ewi2t6?2o%aPOiYB+ny zB{OS6p9$%(`IWFPP8s@`2=kUnM*LZE67eNNB&v`g{JxIp^m)NG87?3hD46LM&JP(} z8Zej)7c6u;FVQIFuAfJK96p}%ETtctK}DC6|iVx2gs#kG3$!z8NJC(BaWN8$1n@Ed)%E>^5(3i zN-W{&WjMC_$3zAf3t%~937!j`mqXR#+@g^PUS6Ur<99QpLZV{<(aH0I1u@Yprld~b zj2w?Hcq*80$4?U|!ZBo-+?+@9%caVu{1@Ocv$9CcSrbl}p(K&I zaFif33NYuhAa{b-QkL&Eza^i2Ok@+WTrHbOSTEEOyh>U{)M9J8c#v*Loif%ErZKOa z&Y5P(z-PXfUZ20=swGr?5u;M!4@^Nq+nd2=ooN#A{d+yO&lM(ekghtReU##428(1X z^22Q9`H?>fb*kbWZX#tZaH#+=^>N?{^;QxoUZd|@*th7SYq^#aIQw9$(P&h{4LyN! zOo>O`CG9(@yklFbavNMCsv6k`O$OU?`IaIY&Mj|rI=n!>HHof}NZMYtzm6t;o?l%5 zn-DqJCF?W&_-~p1-)iio^#8A0KlT4p{J!PpOfYAVcB8{geYlt=&Amk27Z;u(x_{Ug zTl@Gk$E$g8F~w^L`4VuH=6mdDEroS)7}h#Mid0MSbcX3XaM5}=sv%eKBA8tr;i-$* zPTB1|t#>fC-mw3xIZV4ld;d*+x3;z2s5kd^cHcDKHg?~}4qmIw|c( zO!$d!P1uN#>#%)(;!IQCVG*^rl4sh>g@=s|W_soW42#48PJHa}sJB|?zL9vg zc7C$3lY8yzbkM6ArytQ!%5$tE{IQ$rTKq>jfW_>O@teF<2sS;gF{#^2hkTlrG`l`q8%)ggfCluf()hw(^3e$?p_`k<8b@ zh-WW=J_4c8aq*qO8&qkkBLSM)DjeAcb`3}q2XjgO=-x;k77kG?PzhlO+nPm71o>%V z)zo6;%JlJH&*%B`7yaV)U&eOq8tlNO>;Go*{-?d2y`T3#J<0FKxf&)b6hJi{e&d_# z``}MLv;1?|8C)E4^__zMqU<9^ywzhUF0`hUM ze?E%f@{L}qUEh%djJu{8oE-`0?0l34M5u{_Xj{4qsWAipD5^2BY?Lamo)0Y>f#Umw zqI>(kf8S(Nj*X|RNAc9hY$k}Yb#+kSoAN-YgK^yPVG(BJV|8PUXbSA9Qy1e!F3n(T)(*fpF)am;i87_=+mwLx3;#E`hVxwy`Sg*pXA34@s7;XZ!ZA4^DseXxLjf; zw3LeQUZ}d3d*`0pcACpsT@r94TB!>i5|va_4Gie4BbJbHk3miVLiQG%b`rmMI?{$h zVh>L3ZmA;SYEov#_HjVb?smIHW99S zN>9P5Q@=~tua%cAC64wLRY*JIbC5P&(u(S3`|+0{dP|1G(>C&HYtU15l+cY4h4pys z2fQUU8$+`;hBkB!Acn?WZF^JRju??8iIQqFG@btgT`G1|8 zzsu+UUmO1)d+)a7NRA|m)t)1h9itgv&ZA7W261|~lXFPstu8$|+iPNxtSX+$V&;;W zT~q2E%LF4p5}m<7Odx_;obEQ$+cABD-u4UhA9~S8=uP?qy~*GXAP^TanN?ZU-Lu8D 
z?a3km2jFlx+#P;7I4a)%htCeb-2b2B^HIJxnG1S#uU!2f+l%^39@;+Ua{T6-XU|Fi zG(C1z4-2H|kn<3C{?_~bo(iuk7?f_`IZHB6MRi|fw$J{`R6@c< zlWv+U%*ycxoCHw<6AKgW!T1Jfnk=sD3PGr9%awQX&B1{!OcK##aTUdE#@|EM?t^{R z?62l$DD}qtE1lfu3f+^P+GCCP?U{&gY3wt{?tQyj99+c`+@|E+0;8a!!-A+h__vZ7ySo5RMNH-efRxbtG*qnm5n8lS#LKHmg`>kMugdomooJRNMFf_4Ai0^@Y>vfF!iRVW3vy?evy|J`6beDUsTGC93^(LJ3E z8f7T%Q-Qv6jDL2YOLePGCa374?Pgiah~NW?kh+4v!9MVSE2<#n8*jN4@KafW^w=#y zidFTp-yDjjK7WvjD@g0lHF29455>4{a7)+ni>2k?^`~I}iRp}nv@JdF^S%EZK0Pe? z|35qU;{X3yKE+goo@X9l$}csVI@}O#8|~>P`Rj>LCNbqn2w_@S@K94bT#(9v=xv6R&+0djg4T73BjPz(kr##>Z zXVU#e!8ylw0O*~4Iqa7P9G>^gcj}Hf3xoAoh~xzim|V+*Ewf+$lJc1O{a8e~kwIO0 zJv=>yKi<3^K{3lVnG7y2hxX5x!+uSh;JSWc>fisldP(2^*;)BPEl$I(yp*U@>lC@_ zt8TciNp{M^^u5g#S!ytoFCq49 zKAL}|5jLFj@V(uS`~x?tckL1SjBnHz~e`lk&^I-N?IK z6RH|+bxFwO*)Bp!0-4W7lLYz>SO{x)XhS}6eFtYWr&{PrZ(L@-&qPcvPAB@NN@KH; zg^{7Rbv4MPs3{MnrsZ1(>t$IYvRo7 z?I!)AH;_m^R!&L%`{=>ocKF7}nsWz)0d$8)l_=*JjO zgkBoQEKDXLjd~)~%aY}Z>Pxkk>me5+ae9?zp22@B;+sHF-}KsLgi@ap{F}prK27LE z;pUviGzeI58L2)S!N1Nr-3&1-et@;`n-MMpcUP> zjyh&QY9F}LjlFjn^FvpfkUNP#&LM&fUcmm%t;P#%S zvAS<3T`AKg8;gMTwWytwP>Xe2(dJg_1B$hE=DC%~nme@Au&`DgYmd{u;7cabH@2Y)5R&Ao?qI#mz6 z$Qo1++gmX2X3QdS@3D(Lt0&+UT2;?tlF&rndj@W=>d~dsqI%@Pi^;i=$%m3&W%ug2 zu$e43t)A4m@W+h$>$j9A?vzR}qjJL%4|}7N6TijW#22TN9*Yx5d)wG&iMKChun&%D z`#ODbqlP_C`I09rhRcC_Xz9*h%G+^t2ZS7&0&LltS2iszstRyVMDV`wf%C%dcTWo2 z?KC63*B?G71K{pinU+wIz~OOLn3XK>7-lx=>lpjJ0naJD(^{byUXoBe(l zESTXOE1HSz;8LdAwp(37#<0N4@u{``>w?MJEQ_z-=*|dV-Lk3q4Q%r!Bf-fx2j8Ga zSRm%}%-vm^Q+PNt$pB{}Uee@*BpB!lGY`Q**uHS!sA`(J5BE(4j-1o|OZTgy+x@21 zt6i;FIDiN^3zK1g3(8EBa<@t56TGb}Hp{!K`aEV{aycGW&o*n2o2~Rjl=E?I6A`hH z`|dYUEONOVz%PMvtd=0u5J%P(_=ZQ_NTG%X6E9}Wc%2|!(1d$ESc2Ur+=Z`SA0B+| zY}7q)CqE2l4#phs;U9k_;DbFQjeh{k^1cZ++Fu>)E0Fu99@>N9Arc3ioL=k+J@EJDzBI0)8?;{?UNs zD+kJOVgK5~hzy#m{eb>Kp8SK__wqh&EWqXZ^WTGwSqQuGu{?e3do&29)VujOLIJ#L zkMCZ0+cdLQg;=qw3O1Fsn!w+!(cCmZD%m85OdQFgLx@DpaDPSP{WuLx6v%$jyTRSh zeUEm$I4Q;eei}xNcKre?#xHY)Y<6L{TUhOfZueGhS}fi3?}m}W!aorYHR)6>hy{bf 
zO`x_J&MM~Oa(sG%Kbp58^=(J4<`2t?)mj~Tb^eK)aoX>mZ{WQpzkm#Ru4jPDPDWxf zIo;4F*QToT^R#pdU4PssD(sDE|d zolM@Ijr&*Ur`_J*)!Au(Ft#mI$>Is4v9~zM`K(B`ak#8Y2ixU+J7zpcs_w#KUu>7} zt9~vOxU1}KS{CA0{BDx$FgCW!_XS~jx9+xS9)gszJ>#izDkFMoXH&sNXTq#m?t+$qkxeHwA!E1 z757BgiNblqd{?-p?DsNR2TXQ6DYF#Vu5%!^LYIaU@>5&8lj#X{Ua|zpWcu_m3%!yV z@Qbrq`BV1)Vrf7hHUQub|Nn!h&mI^3zYd;!@&EcPpI?{VSkYcqppU)RGUE$-x*I^9 z$@`??J{Vx0hFr2Z)r@)`i$J#g^{uiE0(iA~93~H;kzbmNeffOoCx8D3+*5k(=Z*h8JUS}n|2};D z^vnJKIX;?~Kph^)BJ4P30WH8KTPhDpZ>3Wka!Z?#&Y6F@4U`@Sg>$E_ev>p^X6NVt zNz7@WyEX2*pgyx~4|8kl$>nbXI}7|Vdut$j8&}sP#ezrn&%17+&%E%Rmz+~|<}9%r z+4*vleEv_K|1Y(xvGybWJo?}9lgGvU4^N&wKK{c0KgXvO)B6MSGXH$;GmpmhVYdxh z%rB)dZr2s}3KbjGZKBJ%H}9!C-XGKl>XLV;kz42SnbgW%G|D^XnbRl}k4}O+Mj5$Yn$ps00jzL7dB7UH82 z{n2w%IehLrULrqeBbN|yP2Uspq}JZjtb@-z9WInkYF0gFE6#4evq7leH&%y@7HO;w zr!1j|jX&22nNc33F*6wphx1UxtVW0$VKAF9FOer?Btlj*{!%^1@t}~E0Vjy$p$OOc z`fel;o5vAS)Z$HP6KG=6#>bB_)1pV8r=cGpK)wH8dD@VWPpP53L}RU_lkXe7@t}J# zP>8rZ@2kH|DKHvwod%11-}t@zbpeNewoj5K?<)De;Z$~3uuc6($?)IV&xjw{_;Wce zO4Ze1u{Y6ag$tB5vDt>J(zWacv26XwXB^)SPfXRf`RV1q+kI{YSX(Fd+jwfs%YPxJ zzr#fD4`v0}F8>`KJUx0=l>Z(-`I7(ZvwR+;A_vy&))&>4z7)#v4!$|K<9z9^Si!Lq zZKxQgsT6MoCtH|%x#~7NoR@CYk=wmOpwRPe`z&1Vd`aH>_RVtJ`<4%pAAhcyG7A^$ z$YfnInaVP!%KQ@UTz7emUM!?+8vQV5sfaK?ECWChUI3H3^XKQK)sc zs~W$E+iwmI4jvx0Gzi)>;=c~e!r7todCU}QeHwA;=rs36@O`jb!Q--tbR&MAuT!)` zO_~Sas$w~sU&Dso&5SBe%Z8oWzza8ULK;OUYCo4OS+G<(zc{5!uq;yT9^7+xaw(KD zaO*tY%l`N&NX3Y)Z7qBLW~c=?K+c-+(Z_m&3}3xvBHkRHT@};iv-jOJSvZMsIuM?^Ax^mjwJ?`A zK@(2TG@7hD)eaG_5CFy*4GW#jzlvhMr182%zLHSsgvM(FyD-|rl9@UvdTjFZ&tR=b zR$`}N6{~U$FpZlJCPa(ehoQ&H`4s4~yxxbR(4A*u$g1^eIAXJ7LFf1VGdfc9bwIrktA zONpn{b1NP=UDQv;NZI~X#UfOdBXE?v^0IA#m9rI#W9~D6h8RMtXf2B z7#j47*8%A?n~E~k&9PH!S8Y+pELldL2vIKbxtEXz=I8wi$XriS?PQS5T7tgWy3=3odJV zCH;&KnV;Jv7HWu4_*vekm;no~YE3;%9SjYYHpK$=nzQ#OJAAYRmL9<{&3L9H7J%N#?NNc9;r0%m2`}a z^1m_dK7bRzUH+d3kBjlYPmiB|@&EiRpC5nR|2;89vPmK`XF^Q?P@Wnp39SyGf~ghUSVjL%d3=MY zVCNCqg5PcSKHAA(w7quxy~c#j#wK*HZly@HIZLv7$m)tUW#WG_T)N#ZdAPa7$oE%= 
z`gcS=c|)U!hx44X-#t;f%z?O*vNQH?Eo+b?7K>or-S0kyugV3VvccRYSw57~0`Mf5 zuYKuuGJJS_AN^)9LoHO-b{LKHm0qQ0KbSa^2_J5 zfAaDl*s2~j`15Z6&*Ot<#rV(T$B)0{fA}mP`(TH!byh^O^`ml6b-Aii*1q}`s;shm zK9q{FoP1lbtK{vuPHT7!&c@8VNED>Iz~ovNAVra#%?=aNtqU;HWN{A|x^*5#7K^eA zj6&p$h2nFW>^>9IIu9de>iXfKp3EIEa;+_(qO9*)wll*v);AlAfIa7-uf!==fP+2? zSt90tEk?Y2k~;84%x>q31LyPZjxrfgmx9x-L$L_hn9WXVS^UM8HPnnS>L4L=xy=EV zDTES0Wy6OBEo8ldSkteioUG=Kj2UJKbe-u)KjghQ8+ z|9MDnLlv>{^KP%AEXP)ARV1iM4`YPdPT-GY-IgLwxy8|v-mf@G`|Jpbr=+yXq18X8qoiB2;gj)P@R^$i{Mghv#zyCT9MSW3%(rA=> zTDp*V0LX~o&pD)JY(uoDLm0nZiU{SsTp6oK$D*^XuJK4#VAhEdt7%t`0*>>D-DS75 zJ$>U=VPUm0aP>zT`KnoYoGDGbMa5u0h-t-y|Asij()(cMV5FHGTQIW1=imrCQwQ|^ z+u5@zmE7BT!*a6p$81V*6*+#IAoFMNH#hCGg!15y9=bT=PSEphcLLAetJ`ZQ z=((ml0rzO=v7iFDCCMs^uHHMNc0A<9X?&dv9wxh?7Mt$0cp60k_vj9Ybz4?|{*cqZ z=_UuJeJ8RVKK794hUh!+1lqi~za8eJ{l{0F-R{n!J{9J%Hqsq*c*p*15dD7ZTIqvp zqgxaYS2exQFwoG=7jXjcq(elxfPtIC18@txlsX6e{f1NBa_HUY31lA#-O(W#eK!ci zE!aRRXNITX{!`0iqGE1&o#Z!3k@r&u_5<$T^1QLF z`|IY>bK@JY1Y2861I!9)p$p@_Q>r_U&95Bis9l{=z^|d?!=N1@5`jPE{h=~{95)j2 zmht%ly!;Qc0?m3xNg!SCd2k2Lb|>G?RPq}5b9TYvB@baYF}}~BZEGVJc{@WaIHHv2 zm1I4w*GKkMam&g6ta~C%*!!d>LYc&rhl$Mbcd46|So|l^R@6;U@K$DV4dQUmW4_`6n=@a{nDUUt zCj^Rz;_t77Omq-%>H9v9zY{^aWamLT=cZ;@6my}Lc0$552(UHtdo-d`9`J-S>HebN zoP(zr_RhW>_Dcf}&wJ*(m{I>M4Ax^I637RQ6=vy>AgC8JF2zG z>*48Xtxev%9-Z}TZ88~LTn_agFNgh_z682{Vd~%ixq3<8|JhmjK`l>I?6N z#X94|wjUv~g+a5cNZR$baH9qd&ednNi zZJURAQNNnw8;@h@Yixi$)?Glw+6r8zQ|ZM#!n7OyPS7V#pJ9Kuxi6teRD8ukKN4Jr zFzvdGH}iO)`)wVK`uBt1?e7ZKu46|Ob^B)ScOVGl?<*Frc7@zi9R}fQ1KgdM(@I7Q z_N!-4dY0Q5lx~vW_3|mz&Fp6Haz=}NsyES0;EtYh5q;7Vu zTis^@w$Ew`=oil;wtm^gOxuZD`$9e@R;=ZhI;GhoelC%3%g=HJKd= z)?SyXP9~Azzp$i50{gTb|C{<0@&EJB`9rZeeGEW^d?o;~kZJX^AQeXcD5Pp0b$=`< zip*g`aNo-zqD+Oh$uC8OY62gEt|%5O?z6a^#z7S=+J%{hm*dmBsj;$GHA9M-&tv8# zcTT`Gyx#=eUeyyov8`Pa8S`+k)v$k$p>3C~<5r4`Re*Mo7q@h)o`dv6#N^h&vB^D# z)g7t_jAF5j3c?n~xL;|D`W8xBMw`}Qu2Zn&7oexpO(1iN!sDa_pc_uj7AfSMnMfNdDavYz}p7F)=l^eI+s4tM@$wX}u?)W#+d<$JNv z6Mxy*-?`Il$2mH`>Rz|-9?DDjj$i? 
zO3H)$Men5h-XVccqb-U7{QS436u_eHf4OXDH6@^*@?zO>1)t$gsaW>ITqmD=iTArn z?z_$}m&lHn2q5->?~feJhr2oe?1SAJ8MME-3uDSd|NQOb7rHil_Wqt12F`aQ7s8+K zwjsEUKR~~$c)8FeN?x;d(WB_IVUvYkyoR^0ww_J@9E5 zLC87;dCQv{w%+_$bT_Ci4mcJ5=y%R?rDkvu(@^r{HCw}#qTeReFA4r~!`AkFWan8| zf!;cMcSM`o*$$_FxX-BPS=7Yc2-`%?zqI>b$^X;!czq~0(7XKqpB*0->pwsFQvdn$ zd@8Q4e8{f}2iPO-{bllZDem!x#y2d1)a<0WwOvT(%s=IxlF87WtTJQR#)>FAx*C>3 zy4a2E&?Wt=24s?-fKHcjj9PL7ykZ% zJ6|Thb47j+LIroj{sa{9@cHm|JpXzAzcSTJ9yA2tj{L7j2ak*V|MAnKFZ}$nK z|5u&~v?`_4H>tNxaq@GwrvJu7{FSxSEAqr%(TH#CTrNudfF%fQwZL52wEGkk%wS=O zv@MWygKedY9;`OPlJfA%!}zUyPGD4>Kcqxk)2X6lL}QzX)D+;Vz-R}BgbysX@YUVb z&$4=!4^T&;R3X8F$JL4$7E3zi9dA|_oBBoTCTy;V@YP)v1u`YQQ`-5Dt~jt;nSuL4 zb+&73J%#*`_gd&DSmmc#qWeXu%7j~Q!GP;*JZ(GHSvXc#=10{D&hxE}HG`{)#_E!O z`GGr`3jc|U$C|_B7K!C@fSe&i(}SJo+zbi_yOOAoWb)k{+Sy7O`O>$!;=y+iOLfiM zYJw?HZ1ta?ws;3lIVb&mWX0>>8YQ=#ve+de--g;vJ6%R^xm~42xI-F&n9q4QZ{(+@ zzuh{cqsK=_k4xj5ZwrvxZoRi{5T8^+e3Dlo^Oavp(gSh;`w9UP`wqg>S2u?T=3k^~ zgmsfS1fV>SL}&GYE%3I~8Euk=Nfo{=0Qk2f?v*%BjzkLuRP&UY@gyJ?Q+2USV#PyJ zr4v=WB!33pSN%|6eE&P7ff6fJj?L7pADEZC)>JUzKJ%!p9M>#Qefz;PSS!wT`)Idp zx)9=Kf`yVQSM!Cfe?GRp6I;yqSw$!~yfgajef9!d@oMO^_uVvE~iVQUqJ6fixOLK~rt+W@+*pBO+Fdj)=&r2k?zI$;aLrIGCnoMV{5y z#fHmZ6HDHHIec^QO}V;UegY=Tj?NQ2Ja^C4FKwXw^7*8no5O?s@u1s(Gw3Y+Pc+7M z`~TzPqvNLq`~TtL@zXE%|IhLH9eE8-a$igG`tX3fV!@Jl3mPY#TJ3xL)6L<*pZ7rU zI@#a%g(o}cTBq)}CgGA$qAo-d@EP;gUcd+jbuSes#B5sdgg}FUtVJ4UdAYpoin5|) zdrBqqiCb}?Q>*>%cjV&qkNxo@PM@2ii>`m z{RxcxTbBQN`H}5@^DU)1tZ@pL}w_4OGGZ3B%YmDmE0cOm=J+-o0?Lt_Tsc&(;xSW@-2ie3R23;pOfhW^!lUO+C zA=|gBd(ds!IKPm5-+epDCP;71qb^LZNxr`kk<5Od^JI}u;kRs4_Eno^8y}?o2VMYa zwq4ZKBWN*X`9TTlRabE1?KPky;4;BOa~bkYgq50~_OZAV{Cs_LcyR3= z>60pS>kf$9D2?aLo>J5l(wLfK%E(Lvfw+YUD0+w4Nu(FkSbZJQn8N$IBw_|Xzdk&u zAxSBoJB7J7FTEM@csnS5mPsIMWcFod&cBtpED7pTLyj`$l z!D5mKeIN<`L(zRD-^TWRKSxloB0jxV|PokskgDl3|C8jpwEIvz#GJ z#fV`D<||ku5n52-PK^<|+M8w;MFl{~n zeBKJRZIFD+dk>ZO{<;2%OmKUdB)57LT0lIJ3y}ssnKEKnw6oE9utd!IPGgAFClluv@Ep43L7& zE4g87GVGH*8$zR|qJGb6ur?jEZkFvU;FcIs*{>OTjYsCPQ~-wEH(Jn=GF>vCOxJM4 
zk$r%=tK?7BR74EL@J_`bZZb?Y%t(Z7BU`KcTWBM@^QX5(xGm1W%90?gjI!@i<=RB1?8{o{s( zax)p2ta}-3_>K(16^}&-xTqwfLLxcUe>H)x^0>ogZtQRJz`6ZXn@{fU{w9r^+ds1D z;I{NHGD9PFfI*@S$9PlIZ|YvtQrGh^_2DjX47*PbK%=rqj!uRk$AS5x=FYI*ARkl z$_W1On}dTg`14dQwgQe)x!45q_-P(w6pN+M+)qIQ=~aDacpw-qmJsiuaOBZtMEN{- z>^B5Gxtm46V4CfdLB84)SH0LANRxwx%+$XdOw9ZRO`J)c)Aihf8Z)1~QZ#?h$>|1o zawd5#Xwww+Q7v74#+CmimVk29W>-54iD_qQMOj^=dp^vR4A)Xt09;TYCkYLGrGdKo zqPdVl1exeK8+M{js`{LZT!AguOm_~|Gs}`$>cQ0)IgZ$VQDovk)n`#vRb=_-+@W8 zFwutI9HKHqh_izmvRcCQvx|&|es(KGl*dG}h{hlkP1lNzi$H{6t)X7BZSHw}-rNyD zdtAcl*O~N+7X{pCCP2nVd!>_uGdEnm7$>eJP)fL%5uIM*b|KX1W6LRvC804R^O%MT zGE^WX0b8-aNcM?P2>e>+QCKx16ei6N2(@k0cppDXDOYHL1mJg~U+_MJ5Q-@{3-He( z2K>4w!jO5%gN)>)t~6#W1L17g?-`x4L{e3$Ck=o^*cq7fUB0xd(kY^zOg-k%H_Sq3 zTg)jrYGZjg6CE-@6W$4FMOCd&!5e@7t0pMB|g4^$suMdwP#A2 z2)LJ&$0_D>RD)m%Qt2?WG80f&g+t2WJj1P8`b5DbXKD$~9hheucIfz@u)!G zaVcal?Oz3$d2klfU&}4hhEqsTSLEz<0j3~H8iz#8W+2O~Sd5~KVoYMDh$cjZ185-I z*3CPaN|t{y!jUE*1aKs!7)jH-d-b|GA*ymKiq@^`J1FRyq%x&Jprqb3^a)j6_E$9C zkJHdpXUlt+6moX#d$i-l3Q}>gZZe|6omw=7?4S0#=O1&k!dNkr35}C;)ZZ=yf#PC> z68(cYCxsCV`9?~sOC_770h(ab$j1X)=ztnWvw9K_N8JwV z)LB_;*!Mh0rQs__gT1{to#=ODwV{bQKP{q~ob2x#vpKxb>#N3LUvL*=NlL}AL08ms zqWZB-N-#jXBfwm62TtZn!G`7ML z3zJwo27K^{+*jkkcp4kjj>|(rVWh7mjJ3x7)!qh68kv29*<`uxRW}qR?id`Di3b=T z;M{w3h3E$u+%2%O^VmvEWpT`WV`hJViCCCdX`$}R_Gy6x{qd&=z}$J3+`&HfFsUO^ ztuT~^a#4KYOgckzNsva+UrX)K6Yg-X+!56tyrGG=&~}qkZ8gCyi71aHj!9!?Z>^>3 zptl>4fRpIlYc%+Wr6-q;%vsG-(lV8a9@%Ow*O`}6~VonKltJGbJervWh-pD2HX+#2 zXf?MYz6k{N(Zez43RVT*dVWuIWK{>q{}dv@jP59AI%W*`Ff`0!&7?X{=$}%a5w~9a zxyiY%ZdJ2F-?*Kpq}ON}^gu?7CquFFn}cuEmTQZu)ol7)DqKw_r>Ng-@WvFx$A)EX2RM?p(-sN9jD{YY zU}HbmYpNUs+YxApdZ7#5u>u=EJQlK;dsv}<64FR6MA9+t2(t6NMu7a+p8~$*iTrct zdoN1=^`|9Uig^9!od1Ps3)(3*hv8r1AOuGtW*AV$Ma=A?VOz7B_8r^{_c#q_M$jROmxQcN=s-WG|OpL$j@Fr4{oNoHy2p-jP(b;rR=c^1WT{)K6wimCXe!36xg-^@A$y42B`#C zZKK%?&^`{Qae&^lG;uinqCAuakXh~D93JdvgYH*j9t_fVP6C?|8Km=%7=9kp z84amR!OoE8jFFevEO(^nit+&1n8QOfxNMN~4XZKM*up+(_Q69tyX(W>*3C)#xErE#n- 
zKHb{*tV<(#=Og5ad!VfM6}*{h%w4S_a4N^P+P|FB)=0;y~*%C*fG!6 zcfv)tFZ;^98M5|d?D*j3R1SCn$<1+r(uC^x9~%gP@Mv&dyEciPI#cT1q|pWD;V3}G zFHuE;C||3oVXwkeA3t#cYuw)#a`l#>)1ZZo;i&fot%F#%Ol|?F%|-z5JMY1(E*d?l81bmF0~lVB{_VezDpA(O~f%- z()al`?w7uqg4D7*KD*My8R&(Gi7&j=MurhORXACQTZNYuXSXmI^Ldg3ZdPOmDXf7= z#z-#NLm|k1*nP7P`NEU^OUdGwDfihv_pelEd6i1mStQHgckVY=YC3Jmx4xwB+xGcR zVGA)}lznPU1T+xFIfD|(!+F3Q=f3Of<@NO*_(UUOn{aDgFRrf%e7z89EStpmMadKL z^kAvl94&09PDTlACZ7YZ`A*4~)tpal_u$3EFeRu3LX3yc&EWxjab3G!E#K0ZbrLGg z8GpkoZhb?;YO>$GQC&*R=(=`&XU&%CdG_ACHZevDzJY?T+~iy*huJ?8 z9%(9#xpyNW)IMgIA*4!D-%P1o)CghWN~Tkpkbf%7kNk7?#g$00cnbN)f6V8RQ2)Rz60?ftHur@R zU_&Qx%88URt|WVtZc|<5zEZAfAX|79XJ3&2IyoC5LPN%U<4$IRuQbASNEU|icWO0f zsghpZu=TfJ?ddk{+XEtL`-ZJMKS&WaYviGFWVkV7-+qPT0xo{(>^Oh>AEmX^C~C)y z`b+j{azNcx|L1Y3{?F0T!SR>;PoLv+VNDVVbz}ETj-wWd(l`>5wWlc$@V3fA4_ij7 zfX6@aN&v zDRd~6n7QGQg}hO(4-fwD|Mh>*eckrJAH!4M#e#YZ0OvCnDYnSwX7(U_#0+DPX#lN8 zV)8GifG))rWy>Ae=MtYvRd1Z5VvL}FNrNhl6YvO&8S}+b&7X&}n93why+k3yTL`7B zs|hF>K~fLiDj?O0!7jw*FV&*JZjLsKwjYCkGe~~#6BbGih}Q8=xL1^f6g>W%xp&Wp z&`BpYlw`(e0yY(yDg;R~OM{>-BjzP>x&+T}3?N^(EIM-NYZ00zVo4K3v_XDmfoPFs z8YH}}!;9he$sU!&XEO+< znX*9KHe2-?UV|n)MBTw)cEuhrDCUL|A--EkEhnHytOwd_DRj!jG~>opUjy<)){T&j$NqFRm8|9NQQni_WBI}Jq~nqmf|+j~7adwV+Q zzZ^`+@PfSRPROfnpIp2ekhAmiv+>2{Xn66CT%3{d;Je}AE&O5$twqkq!?SU{c5z0O zHhzB59rXs}>;<`aHJoJaI)+9EUr)9+B*RI)Hu!GXAB=i~K6(Dm?bttiJ32k<_J^aF zEz&zXe+PdIN0W>0>FIFvl9018xtyrK)GYCs)N7No7Z-24<3WcEUyyfam!vyZ3%^k9 z&PL?<;8pkZg_=s2^v>R#cSrA9&}=+79}gyKQWvkf7p7;u*1f!Vbv7RUFN3~9%k$v~ z(WU#^QTk_ObasJDQw_VPr{rQVelszvuGbtq>egn7xIVkM7Ordn1DW--NO#mH=Y#Q^ z?r1Q&IDJ>I^#`Yei+rn&+V8^-=?`8EN5hNZ*=T~_9Fj&CGb8+!`QY>*LfIfoMwJc_ zW1w2XyhX@88W6UO0l?`ewDwQLZ-QfyJ(ay1LHC-530<}qE$7SXN; zo={-H)}@s%#pFR9p5+N%K?!9VBs5gq|0Wc-?S;6-`%R#ufH^8^qLPP9$`+aNkcJ-D zdT4|>i|aL?tymx;yoj^OcF493@dd-hn>_Y3T&qhZ!xo$gd`k8hUjZ2czC9WepDi(c zX2R5d@I=~ksZ{jXmt^m-S+CtviMO269oMi_AX1*#YgJ4GK6fLIa>q1^xrnictk*P^ zCa!({Z)A&XI#TXAhW5s|-6BiiVn)~l2B46ICw-e_ z2xn;?0#PXWD_j$>{l{xX2S21Smp)!$>gd9@--hZ#z^=qyL$8^TC`Y8xQ2nT 
zqHj=k*DR^G;32bPgP+-StqzMTMJsq|$p4ZuMSI+19ij%47zr?CMBJ)7U&L^s;ttw< zgZIXIO<_?x*+U{z)u?6v3AV17;34BaH#d;@OJz3~|F|T!;8G z>Mh_N=AoAuMydq|NtV=CGK2N8%SaF3glJ+s{PZ2`yLY!tm+-Xa942+<<}^m-NSzWX zg~u_Oo9p`8vL?5dmJBip#pXm#1nz`hs$Tmyqyc#`CU_T_Z8C_EX4`xg@D8sCZJG3AQ{ed*jQA}`@MTZ=9dJEWG7URuknzf*4 z6j}|Z0c+K3d2Q0Zqvr*`TtFkLX(nPBX9-j_Q%a~ssYa#E9Gqt*hX@Y1YU4a96l(J{kQ zQY0m$O+8-R11pBx zC0puu7{9*#%*lg92ZnCcXyyos*$fhp$s9|Jv>hbQv(0*KJGR%vTL`7RId&PtdV)2q zbfzyP2kkR^uN)qe#-+5ooMe?LsL~FpE^rXV!Xy&#XoTh%MS(cEOhRdqKv2J>bGIv$ zfJZ`0>j(v!6tTLfqJWle6s16bXONU zQRk2hve!GkSsg+q*(G4ja1um?fCKT^Lu3tNpxYP*2upYQoTy&>1n6 ztaPFzgSSYdh%-{YY2bi}kkxCD*GsmnLDF&ob$pOenk_>yV6)3J3kqthw#=>6Wu*R{ z#59yMhD9d!*n6n$z(Xf%g7IF8SiDr)k+1H4KF5rp8awq`h90~dCc5+CV|DrLb#0es z3+5p~i(#R}<89Sf7BA~HL*Xu&qQqUGEFKycYo)moUC%}x2q^*v8A#&dF0@D*1`uJX zy_L0K>M4~kqX@Hr$7JtA+F}J+LBBaV^l<80PZ29R+|INxoL-h5D^;O(lrLk zXaQ+O1Mcfr^29;Gbe%1tLxwYyE1e4xZR~=i(Hs;SHJh-4Qy71*R&HmME*u18L01gx zd|>SYSW@|{BH`#0h!-(*mubXe$&^H1u(rW=Iwq+sFB+te!l!oXc`1mPn05dSflx># zXY2q@VFSv6JDGMZeZ7KrqK%?*rf~^pHdL25kG*t>o2au~(ISOIL>!n-QmyGT>eyOx zCbqmuz}gK9?-{Tw>zpkCud_9Y8I_8a-Y#e&1zTwy{-|?I1}hq*sE~j7*;`O)8IGTy zm3AowaghduWy9eSsyvM-(Bg3fs>R_&h|ZGa_<;CyEnAq;z+Qgl+_`3kmJ+mqRe_p) ztH_nTM_&mrmnfcU{CG9l?KK>%VB*)Kg(U+wJL28ChF$JcUO!KH1aN52`hGG zM|uIB?NiVTL{)wyTPQJ>k7f(?n&k_{^H`p-HFc_~mnL4XRm_|ajbFt>HQOxFMsAdb zwsXo%!E={^hsoZWt+MutEp+IB`V$vjuxuT59@|Nd9f_$!$N=RJlV;^T#GGb=N2S{7 zzO|V6LUp;oKQiej2*hoPXcBQk$R2NksjNko!soMfOUckQO27sd$^cGg?3_UzdjbV_ z&;{vM#5b~ZZK5VxujNdQeu7e z41qCc360lkQy{Idh)pn@l{mJ6R1mGb+vf@=KzpW|1Bh#`$rqRa4c3xNM^0~LmgDRl zSxM5Nw*Zr9GxzYFm$>rO1&YI3%f#vsJ34DXZ>2T_&(lD^c=M2ywE(cYeQZdU{5!=&9YiL(n9gTPZ{WP zIJY26Dvg$4ShF@^B>G-1o|Mv@5e*;^<=~#cY0awkwb0!Y{?a~$>Q5L>TZn@-=yTQ_ zTN+r08m2)a3kgZHQd+sg)U4OazW}PV8fRxhm{UDL+KM#Tti%{-=$pf8Jw#B;^wHcw zd5Gp&Z(+Si(X>VrTCX_>wl1mo{vVGxSJ|&kSD0Y(sEG{p>u>;Tn8J>&8YXz|?Ru2L~!!fklhfHbB zY*atIsA~$VqDe32Q$%|IMR#1U9X&bf934GtKRY;lyhodRhfTO|si#HnDZEUG5Q1fc znNBRrS3KY}By^76qH3QnJCjbm=B!D>kT~&eGc{v}w-k3+A(!2K8Fk!%D7d 
zR%3_R?KNI>#|?zV6Y#oK#3o|76~$ov0$U0o*F8#orfzCuYv{8Xhz)y<{#n1#%yz*c zta|N1cEPr(*LK*2vX!W?3B>L}y>@i;tn=*X;K-o0f7T~2x?@PDAL!m?1fntQxI-qF z;D@CC)yK5f5Pz)*zU&2toM2ZQSiM&16;@hZEAO8s)9I2YL_oW+Wvy%6zIHmwaWCp~9&JZs6o zkhM@$X%##qP$Z*e=ZteTLO2FpCBh)6UNb0}7__@23gl8k5j@09nInTM$y3~hfuO#= zq>Y6x2&`dUTXWnS!Y`02UTVH6MF7{d`<|fF{g(`2cJ|zP3<9afh#fj&yk1ihc9pcT z$2+WJMY!xWAoR&4s#Vggiup}rIjh&;$yEc3Vz%NURXiqU=2-&|>2c?f6zzC=(j8LL z>=x8{WGkEh@=w;l@Yas@Sx6F&sLmZL^b#_PmpA~7v0mm%MMMHG?>Drp6J4bkITO?+X(13@SpBlL?AjYkd zrgeUG?u#!EjvAA3sy*2xdvGl@6v`USj!yrJ?~;o3J2u*jN?ejDTMKMauT{-vy4KG~ zu*KP9N`4v&ea_t#(KX)nie9rm8LiA1liRk~atmjB>$S4&N*c9~haUF}uSGffFchio zV42{yVm&AL`lxf%wCaZKTsFvL-AS(ZakGV5mho^#Vm>0yn?#3@f$LQW&%nzi^Eo^d zW)xR?v@sL2@6hhs0?Oh#b+>Tf?;SRcTbf!cWNSfS4dbnrh6;by4aP9{C1VK)IGK-` zbYy;KYAtYqn{g-J0?@V&=Rn%b(n_qa)Blw)Q>2nnQQNfpgFr#idt*Y_b=~H_qcPcxgAU=N06712nl;1ag&ZBMj11gCa82UGed3* z6n@YRmRQdmlB6cWUTIaDqAkziQoo;?`b%p?hT0HEGe2X$Ueh)&L;WTHXawv+^^~9k zy1Q20bM_)o%9l}s<||Kx2@g}WjaEGfmu)vFOGASDMAU26oyN*ln|%2ShNnnKlQIJd zEr~^-ckeNor16TcXrR?`Ok1yONNsus2TWx54g&&E$HMeQ6RxxK75Skg!<>#Z0J4#V z-9JI%+N-9nW{arF@0r;*TjUAZ1NR$}cfVkdD0;luZH73Iq!}y-hqg7c0L%9$=T(&mxVcyo^~~=bYl{6wOWs-~5i)W(x(??_+8B*8&b*>ANY2Jfyh7pROUNTvuW3hM zJfIj`fsAb1s!G0DK-EUKg{`S_%eW6nc-wSCIznFuExF#y=CZB^U2r9{uaMG;pZbZ6 zODpm{*+`z&;Uc5qdhHG(COI0m5K6SHgx!po)x0zJj*LF5j37#VM7%giuh;Ity4tYZ z6ObdF=4}`VNNvR?nkZn|(NjRF$9vi_>TkA!m^6v#E&}iRI}Vy{tvG0wm8RggYun~t?0EzD*-p;mLM3aq!a~Sx?n(Xx!rOj ziWv#`4Xf8eaL3c}Ga(5D$v~Cb-!fk=REE(N0g4->!Hk<{9h#uationafQ^-c z8GBrsb{6Sc+;d!zwfqyax!~cvUULE2=VjyPSGi_%=g2mA^TuipSR{rM(5s>}mMIOb zE+ar42Jcp|Zflcxy{1SsjgwX`aAn2pLxp+V)qEI4%YaOUziwp)G~yT9w`DB9|N$XClv6|O#mN&%N2hDwBH$slLNWt>LNhpA{Z1$VE|SA!zuZ!i|t zYYp^N_ZBpsvqmA3K>go09dbG8z8sK#_oAC~$HrK5@O(~}XUd56SEHJvw?UR>u2sU8+)tnnazQNpsqV_8TPtsfjL?G?5ZWka3N?8qOalX zNk_z)kdSF;PP7VycuPlm?>Np{3YXJ0dbU9X2v}C)n5~3ryVh>znW_vZ$XpU-t6l?) 
zw=#6&W2fB`d|+}>p8?Blf)iO@ky^veE72m27kV`P&aGzUV!K|eKsVS|g?>cG?wPw= zURF0(GP;qrz|+#2Wwq(>hU4y(&9p6>r+vC6m{?1b5|fFDA{Mm3250@f^m#oz=#bOl zo8iTvPu_ON$n3_|$vtGr)x2c4RAQ2j0?a>@ zSiexmvql}w%v7lzl(NlKDrK@@VcR5&E^MHJ*04&i@rp%fV02On*4c|62p>+AJd~~h zyD-iC+$${P9ak~6aTY|0YW^BuWT;~T&gu1lRxWcu9C+UI_51vi~&mk=<|$DRDx!xon`UYTR#O zjZy!zey8Rri&^#hGanI5o8lldPQx$<%k?Q<(lDJ- z$bbm?nzY2Kj@S0^Rw>;t$IzT zz)~E0crgJVq0`}DJRxtouLopwmUTUQLAs-N0;D`FJpyw8-#{ z>ep}8Ym_#HVLlQY%o?Qk+^k@4WP3#o!G&T@HmRI`gSon)w?1|E(s2BYq% zr{;G)K6^2kOonHp?x_VxCWG;J!`@(`E)ZP6F1i-7|q)L3(QSnqJCq z0GWgOgURsas72lk#=TeF(M9+9@N{_bu0>u9FGhpO1d!MTYx%HudDFJDdocdD%#>2hM5)oYg{g~jps@?7oz*_aH*)5Je`I4mTrBgD6mpYDpU12^mfr_1g39WayBB=`(T2SM9l478wr|rCcBp zX0IU@ba&LR*Q(w{jJ$KGj`bbGImASVL|OC?Y1wY`Fsx2bl}{Qd{BXH}$Ti;&?+Ep+gmA{^NN!4M7!u1pbw zn&IgH33~L73`hOpc+k6Ok>1&8GWeHE9H&JFe;T|wKkbg+weUQt?}nouOazXfqS4bK zWE|7Wfd;3SKq^21XOjz1dRyvGSeK$ppndg|I?uz4NsDyH!^v>;vR(sXJ{uSKgPY5& zRpJ-@v)-lp1va4tYbV1OWOCViRj=W?UylZF0c)?$E>HX9Rrk9Ac|AINJ2FIkem0p5 zapTC@3rGysgQnv_cXBrBK0kd2y%Y}uRH8 z$iONF`b^hV=~GEy_D%daTH86LbcZa}*&b#k`6rFr@7Cl)yw%i2V@$0ph!|&9x#>2_LTqMB7 z)G1K^xOh7_{cb?^4v(7T&DrSUmEz;4r)O_XGP}Wx7YeoCfoVpa>MVtyLdgXAslAOh zv2R#35Y^}`;{dQ=b4!xTQGYO2)9+45S8<-p(~GKG@>>HfD z<4P{xA*E{!cvE-u^0NCfo59)WV%#0S!$}nK2pYKpFs7*cIilC$qxzte@!(~5Y%WV+ zcM3IU=Yz533932Fv|YGwUR;hx!^x{bzjDXSG9MRMOcxUvbn?vqP1o6;=VP<%UiVVp z&^>f!+{_E!oQ>60+Z~a!(Ey$k-VM5A(tU9;z%zQ*>s^k=1DkSkP_N3w7X6LVATgNeg>`&HbYWCZ>4JktIA?(0szo!qF(Ff(|2{f z%$eTFS>!}$=``#mHwC5vqGF+@RS4@sdm|>Z;!Ku&rwgHCIu)7=1ntG<6&g+Tm|)Px z=(s5maYii?v$pwD#Pyn<-CZWq>a8$)dfXu|2cyBbd#e9=NJfHm;SH%%Wwk{MBK2-U zaT_py&a&0yUX%1%7d&#(-c~(C8|w!ILEE%&ZeqDwY8t^yP6<}Npn(Z*Q1oIqG2>m}i?i`U`A$aAK-a-JeB1)Z%u+qH)A{DGXx?V#T zQ(^}q_TgQT$zo(Ek8{DNt|#PMmpvKNhhtpNJOhoD6g^BzM-FE@lO)f z=P9!eX#-d;mnWKJjkSJ8d61$nna?l_5^@NKjuh8RWZvH(11UoHz{n)#H|l7{TqKZF z6>>|>0wMesk%@?xt$K~Uj{+ezNo(iHm#V=njazwV0P5){0vacazohg=XYaGGYW12& zQ#gs*Jvwvhcg@d+VHzhrbP>`xf2?El)c&8++dq=;Sg1X6|EoioCWS`@FX#Bg&cL-E z!z7%DZ8#E!Rui30qelZi6LH9?B}}wT!i5{#@NHw1#F8a{FJ^xq&|4Cx0miIHF%LZ+ z1 
zU4|SUK5X=+>rHYI(@;` z=@*W`67&q?LlsyEVL;CmNdn=SfQAVT6H0mkjVb9Vf?l`kHD{O1QVoLjE1|l^S@z<9 zzECvCh>e z8oz!H5DLKk&Uk@i* z!7t>jbl#pY=oYoEB~27pLoW;a!UNu7^_rap$ZMG-YGpQHIavsyGX`v7evo<%lk)2f zJicZ$Wt3^f&|A=Op5@OdXYg0#G}qqWQ;~%*x{L1+rBqpQU{=Zjul*Dmkf$L)Ew)>F zk<|=Z2kd$Y<~6w6-0Lqd8di#J3|nLyynMM9JyeS-eBY z(B%m_D~y|8w5S3uSO6%52lzBjGWSJD1f_UB%iECKa42MwCSmPuZM@BxG}ua4n{wlY-RzQ0edBIe^vl%vff#zrh=v#cC+I@#yFz zp*H=uE{%(EWm*50^+^ILQ|GLcBI}<|BJ8}>m(AEetfy9>VSg{08Ooj;K0x>C>}+q-J1)sz&1@R{uWoQG+gxyVjg$Y$J0 z+HXTgTtO%iEv<|tN#9XZZb#r*I4-vxqGrHoQ z2s=?Yf8ZKpchvtoetdXTsQ-3+c<`nE+h_UwZ|9?z_1gcS=%PM+)gP;ssQ>>@|NWy! zkKX==|L?y&di3b;vwkNz8f^xwhXj~@La0RNBw_IKH@|Mnm3uLuA3AG5zz!~gUDeg2;xJ^H(M{Nhi^ zpWd9Fcw*V1zL>Jk`(*^6{^|Y6`(?Cb2_^5BK`2k&f7^f-C!su1U+*^vG)Zp0ZT#uY zIq8X*ktdzUorA_d*9am16#KK2asP$x9{aOz8;c}~PWJb2Z*M!d#~l&R_YeQ@hd=Be z9PJ++wPSzQmg_K~@7tmL9Re|M`Yg-Ep#BY&_rGm4bQ}EOKnb5^BmMvEy$PHpSyd<8 z$NEr^x>~YcW>#fYZk20QHci%j5jWq9%6JjcaU(MGWp^v1 z&WHoJfS{iaAUZV6;KC<53T~j|rvf4hgDiuhqa(QBh6>2?{q7RW+cLAdtDEZXc+i#a z-R0bK&pr2?|GD?Z4IlGv*+I8Xa_W*G)-&3KJV|XVMQ)1F?~rb<52dBN)CZVhJ+1Su z-ch-|o{8;_%KWdLx_aAfPk8*?^we7C34eX%PVZ~c*WS_I`RHHYrT*lHUh_kZyBPd)3?um8QL|Is_1_V1^@@6_o}JyH6m3-7PI z;U}MZ-TUufb;p0Z@Pzt{zx(%}mVETR-}d=0c7Oh_-t*oUz5U()Xa4!G!C(4a3x5%R z@yz${_nz^$^2gCT-u>bqd|dtUFM8t7y!W;@zW*oO#;<(;OAPU)ovTmV_>A?Dk3Qq` z`sK}E_@|G5_zfHGSO4jUU-w)4Z+yv{wkx%_{`q?@Exqh*m!AE`&%NTUJLVIA@3{wm zI4yt8o4@DW{69`S>&cJ%fc76>`-+!-ap&sgU--%U;TIQ{mrlb#((?P zFZ}S=zxg#kZCriA$N$G~efkHkgZqV{))A<^(}Av?dSaXH%*}T{C6$c4;0-@W-?|KIyR`eSqMuRZQRf95Y=`S*8y zo%_!(e(CqT`~x5S;LcNC^v1iwy$?V0JAOO(ymT3^zxq>u_7%z}cV<8Az4*No_;9-S z;vf0ocm2v=JmX*g)aR`4dF|J}$9nNQ|MJ}%uh)M06>s_WH~h*^m|ysp=l^jie)2_c z`qbBd%IPCZ-3eI z?*E>(_wIf+!c+BE-rM?vnIBX>@xOlfZ~x=-PJQgDzkBAzKjwbqWgq#YKM`N{tl#*q z&o#dOSMdA3X8B|CtHS5M>u>(^%g?O2XRbf_nVdWT-=qrEk$$#~c-~Q0c|JC|;fA!t3e$(%? 
z^t&$n@$K<9{>)o{Yv;-LeAU1I`%i!Ny`OvXlg>_jKzzf~-?{(ee=|9K+h<<>#sBba zvvbdT{69VA{#X3cZ@jAx=Q=fY0nRho{^{#UpkNd=eHy=HH>k~iv>j!td=w5u+rPKfL%Fd^q)6a+P z-Y?bumHMAH-~P`pefl4K;omLo|JsM2@Z!ZUefFInf9lhI?yH{o8tqqCCVREFKj*)^ z`E4IRy!Od={+aX1$G!1MuX*LC{^wgOVCUJtd-^Y*_<8p!-+Pb$)89Jr`OY&xRr!ml zH$3TS*MIf*pZnr>-v6W*KKGBFXgwjk-(LNn;2)p$v@iY6|Gn+^e);}4z53<9^SbAp z{Vlh5_D#!we&;v5{l7lx&iEbA5&!LzKm4f_f9|%w{l@S3@DslFwaU+5c$xm^KkmQz$Nu!L zGr#jUm;c>w{PT}L>(hU*e*YhQ+rPP8{NnzLzU}^s^tPY9=N;Fq+ZR5see*M4`_%Vb zo0rgM{!{CTfAYHa^Z)X9fBH*r`O+&s`G2ne)pvcx%oE?$_yT&1_QOv<^Vi?_hd(E8 zefuZ1+n-Df&M!UXAh$rT`43-u+_L{e=f3%GzV|DLXPKK>oc^hE*S`JB>W05;pB(?O zyW?tJ&<+H=cQY~I(fCg?WJ4dse}*EL`0wHP+>ZC!V9!PS=YoT?RS}55GIbzJS{3j+ z;LcVhL8>w|GYT@vqA1q!Ub~tCGtc#R$6_m*O99XA4%)$Y++L@D$nQ3AowL{;KV}PTV~oqui0g3P~)^qZW16D`34^W>`r znlwew0VypCIv@nd-+5J}f19c-s4PbnR9cjN(ZD=Qpwyb|J8gqjU=3${ZB=OxRy#06 zsW>K7Rc}sNeG>5l{}4q%^^V)?q;rM7w)uV4LDW54&F&e-B+(EQlBfVlH(5DJ zH%LL9r3o4^HNgOqZV5V&G@aC9-z`bdfFzP4l4%Ooz;}(8QPS_4&N-u!U~KnyB^`QN zbdq*ro|2d(Bs4HDt0Mo}lod-bCnZr9G$1RcU`<+tD_JoFb<)ylRnwqF$XH6IDoB$m z;mLpzL?co) z(5K9%elj%}?72M21WXz<((k%NCxIjwps6#xRDf=)FuBi#}#{-epd%YH~^ zs@p^~#-uDNRH_OoB1s05E0Lunse%Exj3tQ(mWtjKR5m19_M^b@gYQ4l%1Ne`^QJPX z8em?tCRITNO-&cHNnMbDrV7d=X5}NX@baG zvWP%rLy`5q+!*9S$AbV)QV)#~enC>Vr*tQdWQ zsA+<3s){O^7OF{VvDM+MyjO#HilCdiY)F<4nnU#jMbb4{GeD6CQP5;vmqghF1&#}; z^M(EulADq$sHUmNx>-yv3NCA}kXT@_Z%8D;v=r4+Olp`cQPp)znbbrZGL#hH06a$R_)U`LT73!Il(3 zQ^`!3)J#FLL{-s<>yaeE(ly1H)MP?Ql?($kNvf)tnk*Ih$;+yyU>T~Rku+6M6kRfD zqGYP3D(ZxQE*PRAifU1+lA;Kju1l&(+>mOSnr`ZVsH-HJk|7mSo06#rqG_3?(pT7$ z1x2(B*__lYK@)XLm-ykW^~_v*f;6SWM1mA#oOxrD|H=EHo`aWg}CZg@id> z(ha3Axha{lATnw6(U1h0iN4sLDGG*UiMrlzPz+13WYe(JNlB3fRh3m!Bi>OJ6pM`d zq(q#Zq=~WxBwZ3@S<_8vQqm+r*A+vT04bp8l4@AR)TSg^L<>b?{tAVO2U0Y{GW!S@ zQYDj^Cs8DmGf%d3K@vF$SrjBTElf?&3{^5j4M+raSc+n5#nh&xX@YJkhN1Qq)(t^6 zRaMa^O;b<}QIib{fHcjp41l|2z)7z zvZf2Bp;(eA16h#-NfR|wEt)x5Qw38q4NdE_iL$Nmw{|4 zf+Cr^VN7b8V9KIyS_Wv!7IEH|YNO$8)Xm5H8frl4wyp-K{vEmcsM#^|CT zTe@i&U|zN)!B9*|ktd0ZRCF@5gsw7pXZKsF6Q)+|ew 
zCv{y=G}*L>QI-u|P&G?al;RAONnocDqeWzOi7d^W6}}@ zlUMEz)!L-Cl z%0=rfYsAmWhOG9PdRf&3OOzD?VGD)H%;!EtH3dUAR6>~GB~F+KP?t=Ra3LvzOw6=0 zDUncB)nroveW|*jYnnnvNg^OzHFaWLR6#a1U6#PSEE$5TkqI^_$(A6SvMJMfKzyJs z%lag-Y?7fXlrk|^R4pV~7bKbKu`CG|Qz25;V&bIZ!~sy=o~+7(p-QrrN z6D*P_6;qqCK|Fx0oBf3gc7ima%etn4(MIJMOQh)3)X9e4H!_MU2|5c`@>E5U1f5JO zh4#mkWLc5>Qbk>`M9DM_FkeX4EaDe*P1nG@B1?i!F=R2hsYsTfh@xUz#bkvH0n^>W zlrN_0f@mt1rJ7*Am|OtPg=Ezb6ic;aO$LSb3ZS>ZToE`Ix-uqN)&)^FWYIK1vzV+1 zx@D-ktOG@n1(~5oSr#nO&{TuSP8Bq23yP`pic0Yd8OcI&Q=!v^YGjdystY=?3ua$? zh18t6`9gAES4?7usrD5^1I5$?mEd}{PfDgP$iouNQ~P3rLUKM>&0=z4WKClCX;4+v zf}FWNP0G76CYi2mnVP~BI#13gxuPk8$)i-o5G+G7Ed?kf05=R%mWruO#n1$mxsdn<%u?s-bAKs3NGAW{5gaOhXWvDh{L?1a(W)f+-fk_C%Z{2qC;p zN~%nv8{Hzkqb^LO*(voFy!BvCc`=&Cx2{A8VshhYgi5pn;7Cvc1*=3?qd zlW~ll(L`C0WZhIv8ZTJ7B@&OUiHe}6m@$)7U#cdUx~6I*wLl`1bWM@6G;ThoUf<|vZU#f1~ie*Xq9MEo;t6}vY?T%Rf@??RaOL(VHSz_I=b4S zs*)fZ1pZN%EGwF1nN-LcLr8_xrfNunMnjomSrVUe2dN37p=pW%R7(*ghGQrYmkA;x z^3epD&q`SrEJ+a!QkYmb7A?v;fm?KgQOt6V;i6)pIt%O@(LA6wYu8b(f zz`RK~A%K3;PzA#O5))mY+4x8LTXc0EJ0NyOEmfl%c>x;kuDM@)?3z9&FWhm z7|q&ovrUr)i3KIPK>&my6GhiFT~Ha`Du7o_*9D8%Dpe)pBI}9?`l6;a7L3NVyR$iVw)Z?sqIHFq#bfx z9D1pa@6OS?= ziB{~_(hHQ2X>dSQx~^a2@|CqCs5UzE#qswPC|H&?Sh^NQZWl&lrxb6rMXxe%06*|i zktfb#ktdN0IqSMkL?jP0nl@cvbOZyst`9XhK!-nfGLC{g+qBG?5nLZ7#gypL%&FFl zGG!L)?gUY{76tqLGb@`?O!Ju10+__XP+iv#lbE$fWnPP*<0iNPR3_GRB&6^F;J|Yo zFwtx_2Nl!xF^Y)=AhI8!ouZ-jnISIaVTOx_iF1(7PlX#HYBaKmEU2=n8Ir0LyUThy zQYXd_LoSZSPGBc^azqAXkH;0nmG@|BcE+M+D~Sn7t(?Vo&NUOwaBv9$r?jUZ1_b za5#0zzHo7G>%zu$XF6!F9?tAH{fnNhtn}dKq6jyw#6Aoz%{9*@EqR5ud+~5)|Kfgl zxOL^C3^y0O%bSbWTgpb_%)}mA%lMMFu3S7M^_Sdp^1`aRKYxAdk}Z3FtIPVZQ~Ex6dV5@+V(G@6m3jm>x$PH)`p9By57HWv;T6>l2u#&cJDmfYIh zg2+F2xVF*hwYmrE&iPIU$}875Hg-jLxY*mcaB&(c8`HKwyS}g+USE&`33g}CLvL$! 
zYg5{Cq{VX^SHj&D&sl_r&ShseRM3TuS!YIz7TtJxLkyc6Gb@){{^C`~b1pg8okd$& z^wIRWi)&pcUR?JsZceXkpqY)%<;^+u@|AFHad)A2S(dI`KJ+@9>npQs(`^aP%!X*Q zv$S|+eSckyFWZMx%GQ;0;)=9!;cC}b?9F(2ePdB{#Kn$1J$q?=ePypTy)nHe&RENr zgR_rTPeJTIeJ!OM_*m${u6Og>INJWplBNwl|0`=o`TWPj^2x@&QJDZ|$9yUiV0EUs zGPAY{rhJFJmaUzzYXpv}R+*TX08^W*12rl&`XW=<@=ya{WJf5*0^G+_G&Z<|dUFmz z&G}=k4NxUi_#69oQ4h>bgVWjT)pml2w&I}B3+T(u&r}Ie?1iWSLWuEx5D|(Lls0Hl z))crzNmW4hs)pmu)7j? zXt)n6i|JJcgxcKH0*C?+@w*A={WF&&k>1P1uIQszOOT@3#S=o_DI7q_2IBgI(l^H4jTxz>ZCZXRbVtp#m2^_g?Eu?LaEv10 zVm`IlYiEk><-P7EUhI;{Ht+ai;MdY?Pg)QoT?NRu0|zx5t)Sann^OZ zcidyN_I%3xNKs53CJ{Q3)g%Si=q0G5j3y-$)9eu@lje>zHiJXImXbJnCJu8w&cKk8 zP0vL~u$_rD48h#=QHHR;ObaCD&$+x)Gbyl^%QT*qQ)@3Ob7`SwwM<_MBEvwKt1V|&FY zP4Sn~@msNbzzf>0pYd`8064nh&Fw@gt`V9wrW;Wz;JN9-wewTc3?bkf=vRT#1L)L| zP<<+iJIIgu)x1ZQ1^s9ui913IV%H`V1Vk?;9=6UYF9_3@wb`^@-d=7&BoR0ecUl3A z3jVbf1RjEZ0amaJkk3(C1H2z8nZBZ=0o)1pw{g-+W14Murvc(9A+-w0xKRP%h>mw+ zYPTJF=wLuCK!Q<3Ehl|fC%5k)gl?3*otRz1NH+m|`hHw!bMraEFXS51FU4sTL)XLL zbjr<{qnT!^%@Nrk+a#G?Q_0>N?E39Aa-a?%zn7E(mjcqI7onvr6uXcqc)_(%f|P|} zy`mH3qw;|3=liBPeJHDwMB(w{pA9PP2 zx<^Xm>(!{ke3h1mwUFdq(PQY)* z#*xF;4dW4oc& zG}`VSv5CEWu4D%th+@ zv^atgr|(mZ(shnw=E*un5p|tuJI8ah9HAZeU<6AngSp!d#6`xak1evsaV44Z>045> zEZVIb;XUJMJoD5CjFV-C9e|zSIOq;~8YX8l&X_JR_2`AY7)8vr;1lpl3!Xs8wA@$; zPkA11GP|cbq-ApvyBO?2FG0n-^6kLi@mxDTIis9|qe1x00evZj2hKBpa^y03vCD{8 z&fzD5~SFrQVCrJ21682QXW6z(;_HCVLgp5YtB?hQY!Q1~UwH8v1^~FQ^~o zEo10AFmgblSmwivy&bitH@McC1MrO4G0g4U?f8N}8fi}l^rCV)Rg0)%a2&=f8mGXK z{IPrxGNVM4gkca7D3NLeYwubVBr(#IS{H^Pimnk?buA@ab9{UZe&B6`HR34yX%SLI zO2-ZHK3-j&Z=xukT3H-5omUp~Rgle9Fx6ZDtE=<$^&svJalqVs@|)d@Qtn4>{i9#l zX*h=bF*AHM4kFk_U?E#;Iq@8CdqE3&LWm;l;u!fh5-_9I^dQECC8|OyIA&FUsBF>4 zkghIoG)JvaoOCl{xW5DO5CKgn?w|wX_gOJ0B`EYE%Q=&6t;_kj~(oQ89 zJ%s%^+E(;$5gkz&46azxio9Oxb;cnyUOIc>88?kFjM|9p?qM2eW+;>|?bo2wb^YwU z9f6Mp_D%*D10T_MycC@oe=Q?_qfQtFF$02Zmn~h{#7FG&4sMx^-AT+u-e2K3dGl-i zPi&C+3CJPQayp#<0bI^rUU1~jVOoDR?SI-Io>A?Geu)PKXxk_pURU4jAoePk0I;b6 zSV1teK0gIoXeWpe+ad70YzgORlW`1zQQSTVgh%>j2i*|*y-@)r%b_|dfNb-2$3>n4 
z+#SZGi#gBen5D>++9(i3_@FB#Bf0QnXvb_NAC&+wW$O0-^TRR{?c{!-~9Ed{e{`UZ+5r5t5;Se zySs6?)DGHn7gl<3a~3bT=Mrc005`kdZpLF%++W(fsxBPPXj`s$urz(HJHNKlSz4Ql zm)2&Kg`Tv#w06;5JlyIothEmpH`j0YJn-V$)PB=n^lX1Cyee;;yDBg4Ih&feDsN~R zPyUu?`-@>qR`t0HR}bc|PbCXe;UU~~64sY>eQxIJLCfEmU!UF3R@W}Zt?7&B7rGnL z#s%m6(v`)nm9?#fjdd-$tZca}a=f-7ZSAg!TX#D%E6tX4PG7yg-rLxm#T&b`-IePb z-OK9-q21Na*&Cf*duGMI>RMNAKRj5Sxf-p_hzF~3IJ2g=MpCR_Sd(bg8kaDDy4thOL~`r5{>veLB=w>D#2=eirRBd>H<^vmn9>a1_gFUlcaIoya_ z=cVS##;mp?cA~4BPOvpQ7j2wBI7I7(26`Tn1WPufD>*54@?jbGVcIkRt`j)OPiX+#?LZuUQQ3G`1 zIK+*5s&|5q;)-jNX40Gp?h9=NP(TG zP{EA??7=;u1D(T;i}psabR~A%y(lQQ;(9NLgNOtw`_PL~BseH5-j`8fXWn) zWaC6fVwCtR3;`Ej2wmAr1*{8_CWwy~bNQ(IjIjT7o$F>k3v#6Wmko9J{s+}irPBUC z9G?lWk?x44ub_8#QY+BE9>AC6c(`BTHQCNfzLE(X7(-?~DtYQ6H7@z@8eg2uQ`oNB z`pSF*)QM8&IhD!;JCNjoFp0tdBj9#nn=K2wzMGw2LQy4Yxs3{7`Rv3%gy>_$LDXx2 z2(?`tM?HZ(g(2i-x1O|Ill)Wby1v_mY;_=pZQ=&CnyiR|q^p`KTB2sryfE>+<-l|8 zUIWbSEC%s1d#!S%vMY&M`)P{}(6%GN4J!Q%@ptaf;h$S?(+&y|d&g$r142m1*83c`oK`2~&JcPa!Dxn)BDEXTA=HAM8V6<+KHSGt zrHJ%uF!CFK`~&xK!-d^OLy{F$(+$%SMX^E3)Lq!E(ZX~TIw&H|!XyqBC`)|4MTmM= z+yGLgGBJ_v*Qw}s6bxM_1mOt+015R zM*7or{gpz4GzlIQl0=rqARUuIjjx2I=W3Z?GWl~sffRn&VUne=CF-d?6u~xHk6n+y zYqbG%@qy6pqHYlNPDY*xa}^?SBQ9{9QD{Sgm!Yox|?!L4jw2YOcJIdeUv<#fiL`-Ap18`B8rhQc3gX8aDiMt)5XQ?<(4zB}$6Wbl+Bp!+;0TS8*sNy(?cB{h4m4KNLhI6Gf1{ zj-Rx>oOs?UKabC9@n4{uVEP{HF7y*hBYif7Z)asrhSxipEDIAZaB3N1sFSWR2V4sy zcMry>mOAY^rB6LZm~-3UE~Ey!y%kpS66&qy=dUXk8;zH|^!pm$@qS(%24vf7zFM^X6D^NI! 
zfdxB?!2~!RaLqcy3p4r)FdWw)u`f%$*Gs)9V}7O^#=U7b8pC_`x_;Mh*ZhERfg*fN z7mAhYc_jjrr^3+dG3>(jhA_k1-EQFX1c5O&Pk*qXoS5J*od*ysM{YnzB0Jv@2gE;N zg4QvLD--Oc^Ti^KO2rBGePXVs(}U!AZq&TDlgMKjv`)UJx@ZW7a^i_U+!WLNJ=z)i zZ8i$JY@TFCCo*KlJG>k?g@ag_bSrQQ34H~buvnR*;KIOJ4x)ImZ$X1pn$Cd`>}v#$ zXkq4nh8o1;q~TDyzs@(nX%La_1_w!uU5AxVx57`)2hceOJ?PsgN^75?4j_oqN5S2g z5!iR*4!3YweU5bJmh;MB6~)DaZtTo5^c|W=JR4z;hF8Fi`<=~b`cpn7^l zjXIJP8uwW+4vLu@&)BP^KGmdtlcKHVqLU?4re*fZcPrF-rfNbIWdii;N+ESXy($y*a8~3x2$R{)uxuy5@s#I6jBtt#(wUlr&r`Gl zt`rIv?7bT{KvfcCK@rp{H}Iq+6>jS3iLbAAd$c_=+5|rN?FeB!(z#E7*&r%DKzqko zAPJHQdO-qkCrCUegGGdAPOFw9YOv=*n#B(uumYK3r)?0lKN|G3yr5l|MOmziYF(7; zZkMoO<64JP(#>GM&8CD^1)Fsi}g(P)D2qg-%AZr13gheUZaM|naT#gF8U+mOQV zwD_C)rO(TE|h^n;fP06e$r#_4j99VYbt)h_$V z)*~7~lFbE|Bt?iGl{!&z;=>mM2c_7NF1Q8`fD|3FlgG!0K?OJO2M(&SCzRa4uU952 zBxRK*1W|^7)&h@T+44Z!%+?M1)V@v}dt8IQQ;V}EDCEe0a_2%Y@Xihi(R(+S1xAF% zf~4>D3CNqFY(YPEYiSB$EdAcd1E4wIjWdvvvzs2S^T8^&@mV-UoK!!yDV($HBIr}- z20bs>2kc5u8aDSoa>gJMDVI6BFmNgZbQ|E_N?$y4z!t-J;CXifdqhHQ*lh)#Wz|zB zU86-C#8Ts!)__qvTi(lV!9B~MPnyi07OT0=*?|-`-?CIzs}@AB$C z>VP6!1Zg) zy^xX|8>W|aLDqR1u(4F3k>VeOl7w96#O}ZdmY61Hc z__ngT1mDulwxr9S%4?x`A0Y?EVXkt9wVp>Znlv}C$AJHfs`4P%&xjkME~bZZj?`-Ec04g02XgfNN$i~){e z6w_O9sC)|JLc;UG4N$(65G8&J_W+DqZXCg=N1vh`3Ln`r7Ny?DY|+gSBhM;MWP70# zgPWnP1ov9O0n1=(kCLEBf>h-OgfIF`9KG8)f|KlSlN998(PCr6%CDT*6xcyGOz4^{ zM_bvVY(M^@Xe~ux9J=M8iYN5LDw>$%u#;7y%XxfRp2qjUj*vtAGxRXS??fY*H7xGf zrnmiJL=@c%_Rm!4@;+ObrC%!(?C&yvLYkf_5Bzra#B^nNBbbv-AJ1S9auE3mj697{ zdEvgbH&W&j>hY#)T-Va33OR+=C%`n?aeYLWE+LC;S_q&6WGBRj9WJ74^m@1&^7pP$%S9ilNiXUFr~A-d3;Ku9wY?y5=%Nb^bY1^CvQwmiYpx#$ z1l8dhC0swlxu%!5xfoQV#20X<3Lqv9fj-UQ`YErcFqjVPT@=y#+a}U}HYk>=;!c%) zsdFN?^u7;Y#3V5(^7q^*ppZFx6ru=4T8Iuj2>cN!gpi)#5Bd=BmyIhkSZon94%j_< zn=rOJ#0k**1uv~ONL@+D9w_sH3%l&b$Y6&pT~;?y3%GO&#l0${n%y4|xQ;ELT`W8g zoc4nlrB*b*U4THo%>0OYuAakRP?B{=5y#s@wz*SMNqElHZ6BnTTodd)s?{cP!$ zJ*hKucS5GK?ZE`6(1y6vi3xz|(^jry1GI~CRv`7r$Vs21IZey)I|s7aN?N15LJtR% z#2kCjMu6bp)#a(?47*imcoDJIC-dU!Z~CZLz8XkK(C5V1z=3Ke!vxn5#Bog;IH=${ 
z^()7G8aQcH8=#7NI7ZzDZ=E;Z$oOv@!FzR*bEF6W#xb<%f-m(cM1Ass=>-Wz(M0qR zv=Y~&PqOi%HuOB?6tr!H@9?lYP)P%-kS&t#1jP9g(bJuX)2YOZhcKwbhR^R*Tf4fw zwsdJ`aeH=dex?EHdoUt)sLm~4efR)M|0vbztx5&;kVF?yS zkKIoj`ISn#8%3I_Qp`CU1>NdM`$$YRiU`^su$0hoMu%%BFz*@7dUnNDp;!%uZhcP@ zB%?lo{JlLGF@#gwlWI0Usj-55hXdLi@DYd%Am+N4YasxFAf#W@5byR~)Vm{11RxVb zBTob1c816!+8Vn&5dNiT1h{8Ko8$o2?%)!911{UVi)bzq{ zVqs5HT)R&^+L;mVi^dHEHPAD;QIeZuV$-PcJk!@XxQ}bZEHbM<+`AifA4l~qi~^#x zsIaEb7h4tr2Q`2yi}_-I`d~r6eqS4K2K2JN{sn#jVB)xRCt91JYcbW4N7Ny?F`s_;uGqgEB&yaE*X{RAVoFV=We?UXXYie-6vj z#%|VoCvx{lfY?V~u(2!bnwT9Z=8^q~ap8-DQ*j)*tt9S~IwP3ga@Sd+TUW%rJC{TEocoZ8xN|-9bb9J}C!;8xmgQ zo6*S8hKWh)NW;`ugxeRk$T`No&=PzFvnGz1gIzzavuyFG>D9j?n6CKR{JyL)?MX+r zCmq#ZC%|cq1V?q;fe~`*?AQ$n6KM?QC2iNo6s+$<)^eJZXxQCQSh3#vK%8LJOkyHYrvp5k$pI*5(2M(@RlX$n{{`8CC@1 z0O$=!xHu|oM-AZyfc`e+XPc+JAl>~Y{+4Mv@=%Pn3w<9qN%?`mY_a4)PuBE=A&*$E z5m$aK!-f>vcy22@nVDCp-=6Y7rA5M^N|u}YLh2>6)Qo99;KTDCFa(s>%@yDjm;9+p zHcWF)S_cp$LEk!gD$QrA!CxLhh3sN7p{9wfX>;66kD6_~iT>+SvjZ^Wg>vk;v3;T- zqT$Wr(%MV|tg&-wIT7jz=m=1d%EE(u)e;O#c_>~^6@XyRp)oGB6rw1T_atQ_TZQxa zqT4R&34LSBYQ ztO$mkwIJ|fH>@^5zo4qFGo(>fH|FPQNS3Z@h9v8{rpp6WJrckVi>*q*7arE@p&_i= zf#<;xBWLXJ^y~Fd=XeKQXE_)#zi4h}+>F_;Hh`>-$~hPk6VD)OBn}PXFh@+N=5R(X znqgI|#%}Df*-=*zpNqmHX4dGrMdx-H5-f7W%=H7ho=4gcN7)z9*Y@#@!WIs^Bu1lY0Z_#; z3P-4Z{u$E(D2l7vL!KAxk86aM-Q)ctQ(|1P(Q-R67wrfk|3pkkV>uX|ao5OEKA};~ z&U9CKcz8^e6W9l1oPE%4*gOo0Vw`yxVS1|RNqZuFsXJm$a-24%D|F-*xT>80gh5(gv81(A#VICU4}%SFgZY_xP#2S^v7XCEtz8xWm(P>DRjknoL|F)6uAZMFQLg;z-@RJ5-Us!!M z|N6q}B)~C@(b*SP>5Kc3gPa#u@4NHa+uITJ+vu({XGVg<9CIGQW^sm$A>yGn@}1cr z>caSlViDS*fT?HG4E0GXGLbFsV zB@8NIPzi%Ze{L-pG%+)E&Qz=t3JqnD`7ylEd&5wuTnrlilu+oFheCMQ4Z~x=P>FXi zSY>i50Z$2dO29Mvb87*fa_?*W-j_5I2;CUo875xhof7Zdx_Bo-^bCEu`;`(nIR;u` zqARz*z>(cbYnL#ngh96q3@W$3#)6=mu;`MUBaRg7Tq$isN7w9K+l(*7#hhV?jkFpQ3;J6DbT3gW4kf@Q$BAtzFTSS5&)F| z=#~LMNIiCT-i99~ec*37Gfr$D%9BUKpAtshx-be+e^hR`r36k6sJJID_t}o@R$9AU zO)6KDZW$2tSlMSA3xOWMYtBv#f#mYJwBb()fgVK=sN7yl3k*P^a#w9^x6;}r4k~fb 
zErWv|OS@_}j)lfwd3|y$RNh)N{3)@}EsurD&9svNp7O!7@!d*mm)kkzcFu8C9+K^x zBVOEfatA(q7^igLr31fp9k|;q_j8H_PVUp^y5)Y(@TXkI7)!TY$GBBcP`RHo76aXc zMGU3f&>8-e80b-ifyxb?w7>usDmQe-b}Ox20-+KJ-7-L^+|YS|ukAWH7%CTphCd}3 zy5+%8xubJ3#8W;M1yZ9ZD$SRtnI%eQRjAZ$l&n9lAJc#SGm0$0N+Y)&VWE_mkxH06VmS?$#KPB?IwUO6NTlOnq);O4T3mgJ}l)7krqo zZQFM22ah0bp8Ia~V)V%J-y>_>nExIo@ep`t7$Nuw^UjMwyqI`i>7*a1la8b07$0rJ z7S$M%xKS&NiKyqrLQ_&)KFo6Ef+54Js0_j!R$q zko(duq^Cp0(JKqpuIrCoc6g-v;gj!O+!}GbAwEPr1QhF^hzIkb;^Cwxwyp6D+&nlG zqR2-6s4(@`1w_MVvTqm=jo3*#8W24SF$eAh`)jGOnujfRWMN#`-CukGM!P7&;}JlP zXdX#mMH0o@c)+p~A;bX-pEf000joqFM_`sVOxlAB=p|?ws9i1qlnVeyJjgWct!~)i zjkue)TmiV1yz!%V1>kzn!e#hhB#=4Oi$M#Qv45Ul#{R{EW$b@bc_?Fl-pC_4_Ls)q z(t87^8Oq?l4E~FS^5B0AR(Z@v{)0fJ4EsSD_77Dq!~Tco{*sfsx)D$8mSO*`HPPf8{fOU*>22 z?4TQZF7$1*Z3l@T-;-XR(Bv8Mct89oy}v8#IhYDV&$S^_;V<8ELg|=?8GS4T{N#9ULI-d%e~o8vfY4#z2W2A<(an9 zjozGHV(h~ZcY=5u$3XqFRxbVN z!}HM94fxaYy4B(Q(w~Bd!=Iu9_R7ODK1~T^?sSHVri@Pe^Gk2qSGn}256=TTH{ean zXPAfcOK%EpVQ=~vh)w&P=>v>RD`VTLV!MO7FxLP@9LSG*j1LD!1D&nLaFjo)#&q0c z*B{|ZtDcMFQCc+GOheph1uz;oAyrMNFRGd|t(J1IY7FY! 
zUZ$yqLsR!vDgaCX0PFQAffF0LE4UlEv`e0GvIu3kZJj}pkjZ7z;lWF@X zo^u*N&Qc<@=Ms*JX*o1)fE<|eY%j2(H;Tn1@*1EM$02Ui>*xS>Lk|gd(5*)(46qvq zQLi2&92YqSAP#ns-vFmhjV51fL5y_u##^biboJ<#0BGr|9r!WwV`k$km5B+kf_6}Z zd>er{0O%k_kq~7See?~zPP%yNUG)>=iJZ-c_#qifd-jARG#M}xC4E7 z3WG3myD;hjo7PDpih)Rx#ig~G2JZ*qz6(RJ?|L4QgdO;MD2kCohQsw;z+SRNszqpr zsY0V(cLEy=ZPt_!MD4muY>?;CHtKyX)=3Z2qOR`}-3npcq0@vZe*@I_U{v?qR-G5D z(>yO|<1{a5r+GAsK@mKnCeLA|$e5Gq=KAdhsH51ckdY5t9&*6G8+Sn5L0~8FykOt;+o@Ir zJ}3+s(KC#qJrp%6Ogq5@SR?fk&jVr7@?0D2K${RqA`kR}1SA;InGps17)6uhw?mW( zM96U?WXG7!S=5EDhq=-_K^M9{ZzBqVc$>k83=m&nU8zgw3RMtum zwYP~iYJdgk`d}$)3t4&;5GOO`bX~s!CWcgnSXna9vT^r_BF1&naJ}uuoupNtU@g|z z&zkGkvPm+*IAl4E3bVlj-C&833_g{^b`thyVLJ$k@+TNY4LVkn5rR%5h}vo8B<^hY zt2%9wvQGtH4=BgvpCED%Q_|EwoUEp8BaF9cg|yYs?XL<$S142`{HE<7*xh#NOv`(V zob4cLL*G4Qrwh|e+auB9w(ATeU}Q&RUQbMb`RS?Un>MdfW6Z5KGs8R3^@#b!F^pp1 z?od*c0G&Xd14AJWx*l+e`QC$`>rfv{$D8D)?t4%jCx!>Rki)F@HiJHWwlZsRz{5~c z47ryz2I!GP{3v0aBYbKPwmZlRQG|s!^z!bn1)Nt}z96B@L#M3(jzDq0q|(j$D)3G| z7!Nf;sMQFy8>2#M)F=7{kjj5>rhy4?4IQ|c1Ujo!o34@ZgQU3}06`z5g#gnz((@R) z#7$A*5c&f$C$x!Tq)O!a08&tNjTEktfxAYmPJi@Wg!x_tvGmFq z+@0P)Zp-zZZO12#C$4k$Ie0Qi&Jyc_Cms82w--ch^2H9igYav0VQs|Z7|{306Dd3H z#y3aL384!4r*ZQXl8`%EA;;<-k>e%QYk(^GR;9oYkPRcuG|>(` z57}|5u{&MB9)~#?00B-~yg=fUe+gsPSjsgzYr-Th^2a(AkvWfJ1f62EmGjysj=7!OeoQh8 z$L0}Z1tS>Q9jb6yJA4dkbP!yhlm~Ig#k3dndMbevUn1P>yO;r;ESvDT-*N3uUwbYF zQQ}iWoBCa1R#IAX@hJ?ThXW7>7`qfb1)TRDn3|ubKN-6O5_n$TAd@`HTuc-D#E@6a z6l^l}06|1oJh&A~m#(s;V`b*~K2d=UOp=sDqmstoR7?R24$|Dobk-78q4tdzXCWvbgw%Fr zq=KmJIsoD#@Nlz8g%_iR@^#dr-N;q9F!gdy+%7?AqiCjPfi4mK4x=SqpGF>v8D1f-o7oE1Y%TD;9%!Ks+;f8@CDm82e^+gSg-C!d{E)eqtrYc}zMUxO zQZCo$cuiVw-Ca*tj7CvSVM81c|4pB6D@ZNZDn_0Hlpc;zw@+Xr6u0QUG8{41f1SWp z6~M?zd{tWfhMiS^JI8yg8!^u*?b1FM?6V)lM0nAI(2k76NpvGEe8c0HRxC#^8$A+= zEb#**%-*8V3wm7=u4k=RCMGJ`kF<2QKd_i|TPPw^lK{IFW`kCV6QU-GM0SKgx=(e% zC4p0KoyW<`!(zyqO+20 ziU)>f4pm)Pnx1I@z6Xxj`sDZl=EFN>(`Vo-U?72EbiSB$6csy(+_={a{1_cDGJPrh z^4p_mTnKOsraTv7Dz8p}WB!XD*E*_l7`Xvy4%i;Vqr 
z5)br__A1CiTrxI+vz!Tr$c2%}%;Nw7Ze|EVq0H_g6jt*6{2@CDfREz+All_~w121} zSS;oef^<~{xPB{0dp1X<vxuA(g_Bp28s|>b4`qw}q%5x_0ea1q`Djw#E=8{uCw})Bs{3<$M$*VV1O$|E|!j z<8BxF^l%!efhtC^4Z|w`b;^d}wvXa%x|hbsTRhBmu83&H9;G;HbBt7~5mlif;8K*ydY>+2L5i_~9YNd?Xs>69 z(gaD2(`bwjEe~s17uHwiPvbKrP;ON2xu*u``%Z=ioZw8%ha03@dqk5-8mWeShkXUe z!-$t879cK6jrA28l@de}7iK#tgHbw2>7qEmMDcM45v5>i$anTIs4fN$`v2K`_pZ2& z>``?7?oUzEc*c;6)ZKuwr|%^95R4N}Fy;VGezSbDKrK~wS5T`Il>{cn_p{$syB;b@ zrAIfIJO-_mn3k$`?RxFnwV#|j>R0v>$mbk|sW8Mw$M0SrT%5c+J^%XIx=B@*CMP9Q z!LQq}d)bHK&u%1<`rKD6DeJN|H>#)}o|F*fpxM3AB`ID2rY!Z+j1%L4&n|{{^2g`C z!pEOeHPg=|R^w-SB=uAm=H-Zb!M9%MMLtfN=SC=+4^y=8Zc*x8aV~I*Z_t87S&A7* zSokV1A)><*#fM*eB;+*6)n>Cw%zopgN|FM-6LA~iRtIrFwdUkO7 zn`i#oLq8HCLg=Tx)8oVA@5bmPZ<=4nrHCi^ z```Z#J6-DO7#8dhSTo%km)V@Y9I-laBe{TtI<#yih(@&+?)0J5d%(qYO6R6l_HYviz5gpB?vE^t?i*Z z+TD5aYWT0=i+`Eme($0BOFqr}-!QVhM;p!if3&+Z8kP6|@WqR#{r?yb?Eh=B7=y}u zNAAv~33Hdl1YB(e z^U{3$$eXIIX2DqgNtY0(+x$J^i4I1&stvXy}mmE_yS^;lgEe!NGy# zpt3L|36TQe>UV}i?58x5X@YY}F_|KoD7vy2$BMLQku&Gq-PD`$3SJz$SNgnk2^~nf zR}g39Rqo11hS9(s`Zc2|F3D4>Ey(Ep&g51!qDK8p5~%7n1Dh7nQ8^qb{g1Z@>kCvQ zJNa~-$$@K~u<{5yqBr*G%H>`?xlxLpJGM}wrIt^@cIu%QQxW)IerYu>2w`lc2BYhQ zthiXpCT2^nog+%GnDh`$@N;H!*AnVKaK}!WmSwu=P)H<6ij)X}^&)(eOFMZ*QLTZ~ z(Jop!b1B;$e~s2dO0TjQ^{+>L)EBN_eaj(eN^LjV4#|z;d7zpz2{|HBfIsR_5c{o< z`bC{{zv(DgPrNAD3*)(WoGsAKa0A_;$?gu0e7zRC91W*9%@Uz)^Wr$6aYEqg5)-wu z!6Sa+`3*x1pYtl^^Kjpby$K0PN-%TxP7Y-;=6>%n)EAYd>oq7k-K$q(H;($q=&@i> zTFN(!Scm!(oO(qd_Z&E-J#E;evPA9h@kPGgGKSKSi$pVHEH=l_=ysTn0f zTFIu~tT*u(4wR9T_P~*<#w=!Og1yB)PQa}q05-?QaN@M0CaALH5~@d%nHR@6aC19) zRFZmJjfNoh$cNUdiEuXx*V>BcWElWet!`5fPjO89mTO1z$W<{M{6h=l^PBh8XefBx z1kVUdlUv)D^3YXApu{g*YS_A5T{Obv38|IRE36dTWHzpkGca)il+5w7D7usRTQ9l7 z=?TcT?zNoqK^}uJtpfyOQ(G2y>&hD!7oUCk6dBi+W{khh1a%1&N7WL%AwtX@%CE%v3-Hi<)u?yp9U{_Q5a~x!$2zJ6ZP2t5D^-TlRQrW(_*=%l^Ry$0a4iUu2 zUY61Ye|J_WaV~_(aZBSJaBiw}^HsL<+8j%|+)l?ZBC!kUS z6gCBF&w$30!mF{h3;e3SL>~a;oZdvQz0}iRH-zldk&#h&A;;&X9NsaIatT***c{!? 
zDzU`-d1W)ImN8j5FO~anD^aZ7Cr7y89MkBO(zF;@q~flld~wi+K6I$RiTchd|9@e3 z6`FB16!iJ?xUC$x{_vh|qJB9zZU5&&+yd*KD9(s3n(vQYH5%76%oZ5-JyS!Wrc4I^ z*Zv7WRiry`1*^&yGZqXJUc}mFp3j1EEH<~8y^5VHDK%&8qr$Qa=uH$-FK|lHe#+Hl zF&zY*!FqGq+*4Q^i?yv*fv+8Rs2~)2|BKDNtrxppDhRy#x+{ju(*1UoF~V(|tPZ#8 zmNPcYU_zn+o6AM)B{McgA5h=%`BGn81tdXE+$A70`sY891cscC#b~Muvpm8ZbJ@I) zI_#Wkry92pM0@z8oz9+J;oD90Ox(G~UpGO;(RIEb)N18(#$o8`fGsK_^uRX(xx_QH zu4UfXn}jZee$c?3zsz^NQ0ATD>A07B4rtGdG;SQFViRSrx;9cHZmxDp(_v<-WW`?a z4^QCK7A*QO!dWgxRt#Tt^X z!+ghpVI$M3Dbj&B7t7X?@@aW{aQ^+f*JW~Z zba-}NDtNT_?ZJ_aEH$kJ5$GzXXB`$#9+#}T&H;yuANP*lACxiq^hw$cEDO6dx_M)7 z-W|O@IIZ-!Hp{`lXsKU`wNo!`8O!s*sn(vlt_{g4x**hbI^3M`ss59-JP& z`A--8$`ETXYUEE8td)8C0*!S<(e`tyL%%6?NG|K|^>t68^MDLcR*h2g1t4 zR)f4Zsm+o5D-qhfR}V{Oo8UeXSxIE|AgxAXjkR4%U@a0pRByXoD%d6|U9XBUHTh6? zyn?|*tUpLOW3jZ9G*-2NWvJ!Dp}lzh&7^{vDpLv(V=GofqFD|l{}dZnirtS$bj1oi zsD9>^{E{rz$}t(Y>{ahoW~lq8BlPz=Lakh@o?Qt1@)oCaYPpOoar@E$J72zvH6HZt z)d+got5ysB{BCznmHxDz9qP2VtA0wAv)b_eHN=<|wxIc( zYdKU}&b6h^Gnx04%e88L=d5Z|fNbhn zUca;;Yhm1>$Xu9TKmlPS6SHU?%*=yUGGOM@tL}HmkJpNV&KPGwAkQP%K$a}Zg?$wx z|Dp8@1vQA$dE}0W{eE|4L<6_*$5Z4qs;3QwVV+m!nNh}69oE$>sT!YE3(9NU`rKnb z;9FI;{|lp0f1~nxNox3C z$!^;^4Mx)G!mzGi;ak>R{thvkq~N;PI$G|EqvYCjy!y|e=HCzl*QSCk6)8_fp5x?U(9`hpzv@sc7U;5XbsE73Le?~BP=BhO z(J-RclAUz3b`b)43^uI=p*+=J3r?kERVxg&39fatbuKe=j0=3{vWoCZ&;AIC81&@@ zm*|gW)lfOroA{D$#u+~vtmPk)dFs}UgGHR)z9z{-cBIrYxRsW<@0#$u$EBt;-!Jl? 
z)W@OMHR6P()TiMXo$sI2H)>=mX=o2(+SWrhgn*w6*LTxV21nQKcW*Av4)))l9-jZ_ zV(<0a!{dwhX9uSn%>`c{p6z{mbZ~Kae0YAicO)zBpB{i%z`};uTPey9OzSTsu3iaF zf55jT6EIXAFbMSE7E=xzE3+lQgfYbYxx%*=;4*cwx!y&13CLvJa4A@B@K5&6&VG7# z`nqKTiiIyg==SC3OttrCnl~fCban3X&>*ezr}t)<%}8V+M&G@;I6OW(-#a?GI5~R% z-Qn?B^Dy~}g>M|Gwy@;Y5s(OW6$C=2@!|wnSHj!#lZV~2jV;?}6slM@VrdJO(SGn{ zyDI86Yq8rZtcVPCD56^a>AN=mL6l;*1~<8h8z!Uoo_M4w~)9h5@J`~4~;f@hNEj6G9kIf5oYWpp%ZM= zK@|#E^iTZ0LmD9zOISfP=)mf9UlmQW5~r6ea`^P1XU%3e1vn86u#TJe`E$?wT|jUN znBEkU7Qm%Y{kF01a$rL8eVpX{-jY+)HXT2R)hJ}PZ4r^#s7 zVyu45IWlLz;n!TR4qe4tuUJG36tVftFH-I@H7-NpkE9WA zX&?(3FUpjGUy**nerhq^EnuOGjge{jlGnD`xTrRKMq2n9Mv8EGje4sY>&2->@ln^b znvNo&RlQz_oi%+@7<- z%Z54uL4FAA*kuRWidYgd<3-Jlf2VRoUV^*HH<%i4!y~DIuUoektB<4vV<{+QKH8^Q zh=m(d!v7jCheAhI%RydDAkq&TqYwT5&u9(x`+V?-&xwo->6l=&cXEhkykO6iQlSrh zU&%CBe-rfui^3qb$~8_VP-KQv{taA9_#Yu*Y5(VvwMb#6>qn$?%;YmYL>0Rjb&84s zL?6mcmjC*_w|nL3O8+N(!lKzq$3PqX-x=-}>HpSfd-Rn5^HH8JME`BX{adkwR-^GN z(Nwu;|8PeH%O?DqBc;M(po(z}do8!*+PH|S9!x}o)1;x2?D3(Js*dW3tW2ys9q9Kt z`|=A(MKNw`uX5_DW2RwI)e2O8?_K!&JuzbO~`1{^y`tL{YvcjSK-zxvdHCWtr~^GHX5Tl2gbu3#*q?~3Hxm^U`np?yxBfo zLzl9b=Tam@li6X=X56kT(_}`fCSK-2&{SL4$g?*IUA!S7W@l-V`DvCIl0{LZdvCPo z^YfxYM*~c6<5u@`4Gq)~xs;PIzM5a-5U1tja!pXodImTz4C&2#@;(kYCG8BYSS<&a z!HdHv#mTi7o?)LxL3gOu+J^RLdziOGW4V2l=BsudJ2&59C79C6R=10X^nCww+|s_> z)9w7fkMytg{NEjx?|-A0+qcq{294hSS6E5`CB?6p8@jM5~- z1*PkWMze5c#^u*p5}L-ZTDz^w>5S}oD)B)djNd-S_8KP%o|2F6Pmg3Z@tarE=fE$F zLNxFE_({n^pIl?~e6)C8QP-P>pYjJRu3spLP=B*;D_LLx4O>q>BlXskA|I&LMpT_; zA97dTpUdVzIK+!h@z0N52>#3})Ul~NjB z-Yzb+&z}eR#zK&m9$!ooy0~E3t!$%w;lVQ?bR7Fb_w9n z+~sH0!g?@mp&VurP7ec1Fo!G&jaUwTmW0S*S5x%=iW8Gx*dy$x4nIR^mZIIE{VyX^t~=$hGp=N^ zelc6OfhzmM{Cmj9OnFQI2s5@NvvfK(6NE9BEdOB*b%A0-cpB?J-AmJ~!hD+?mT zjlQfx6V87oR_Yijj*aLz|CWDvL$fI0!wL6(^k_k|Y*>5^QUhJuA<{O z=FdOMLEKFLaU9ay1&-2t34mMZ|IV;X|3@!hyxe`F|BvxB(SJ=PELo5({yrOBJexMk z#NLZzHqaFRwO(<58UeHE_y*NLB_$+^|A=@I$e<}@9w=Kz3;rm6_Kx{HIU8QN+tgQ{O8m2`#z2Q{~UWk zh#7NKq@vYs0d4Z1(QvCI{~7LX?>zDUkMS&J|KH^6Z=MLX5eM3?2!)scby6W|DZiq7 
zfLhak0aFx3`K2ZO;mH^s(+F2M>!mqRDYFumA^QsY(~cIBz0DkkD} zv5bnVp$IpO!nv2sj8Jnn*%*Ick&mGzmFIRq8sed`d^RhaCV*Nj$Mxc8K z?fQXY{XdJgpuHRS6N?rtJME1ye~yDJ)J|e5G@AL^k~Xone%EA~)~Mx%N56qe`}B+}dq*TH%ya zy4H5Jyiid&vr~0xHc@12wx`mHujG7c%xzJEV#@=CiaDE#7=M3$esXd0?)1C_sG7&U z0S!y$f-Vj(!H zLV6Hsq9eV_SCT4Lq$Hfp#8Em%Le5oe3dyEWn($M_N7IBZbWjK-kc(+>_85{e15)j+ z)f677v!YG3nOCZ9F!wAL6y*Fi&ZAo#>iLkvr9PAxZt-Fz7TLxgPYdb#oP049Cqq4! zNhz{g9aoS>sXXf)8d}<%W3*G{nM(`6I_33KZ=3A8Ry0phaD91j%5v~WAuRaO=n5{9 zm6Sdal@d`oP;-F|lCmbQXefvnTx7zGk9ae+d9iJ!Bky0IbS zpGEJV#Y{krMt5_8QjJy31{9bFG#@CN26t0#y4q4%v~L(Lx3cr4s-He7!Mt&1-a`<- z(xt+BEOJ*9iY=$tkH|5Lpm%OZL+w!~F`pvn+<4E#(5a>bng% ztEt$fu@f(y^9w}hMpOkWaDGlHl$-Kv<~1Z;0D@qs$_mt{j62xcn0hsdBE){P6;>Uz zRe*205~RoBRhX^3@zp7v>}Dv(^3dhwhlSzimAE< zrlDkcj5wW^!W(8b^XmM`yjisqIj1aD;U+Dn3WZWCt{+$~<=O7hv)rU9P2>E+%(rWv zv&-D8g+*z8$n~>BtM#8~Uq@muP?*yFS2bHlKug6HZK=Su6}IAq(8TkvaMAq3f{A$! zRqpJPkd{HzQ<~xfOk(9NLQ%GusBlgu3Af7(DyBRJX2%`yFk0x^WNp@O6B)<8z;aN| z(-ho)3Tj8qw#zzi#dh#tZikl1?voM0pXh14|4GHkvikn=({leC?pE?Y4Y#+S{68P% z=_>y#iSkPP{zGfn4C!9c=wt=ve;Hj^qt~V=($U?tq{RM&K9{sm;@$5~FB|uNOoM>1 zB!g(;lPs9wl>z~_$^W-2_CKQ+qo@7OJ>O8oE9)>HoH$9X!_e@Lnuv-rTS%dMmRXL9}A$HMAfblf65 zW!U%WBG#^mt{290uN3D4Y=m%dlF%s$K`6k+=y^c>E1V2u&acfRi&C<{>i6^R;AIU1 z{1}zNKkuQcHH(^u_YCjF@m{jXy(GLi_W19-Wj-05`ep4%CwTUbSm9aZ$FcI033B(C zb_bdS|C*5m2d@(v?^m33){xA82HASR*!DGy>!whWzuw!wc=zMM>FMF?1CU(rfB){M zV|fHQXz%E#S8}Ov&~smfqJOU5DCY_NB2MTp*iUhw-}sE^zeRvZ{WG99(T$e`dnboE z02L1{{SjJ+kZJtuoU&Bjqw+!EFAq=li!V+NUmL@eMSJW$!}7pQGJb?Vf19!Nlz%y< z(J7^X62nI%%03p#L7Bbi7QSb39O4CzQZIxg+sqD9bOof``cPj(Z)h?h0rEt?ymXEs z=@*)DK&~G51<}dx1bgstjCNnV*nZJNXv#!t??-L4&N)jA?_Y%LXg>e1{YQxZwKW`V zRpWm><^O(^r<4E3qs4!O5b^Vxjb&i}2gO8n35-6#3)qdZHU|8V#86U-0F!hsJTGKLT2VSh?PykWBn ztDdt^wZV0H)S*{Ap4vf?2Q3jqa1kHldYwB*4Cx7%A6szRg-J&r+_+ z6`BE)B0f2%S%}$&Na`bPq1wep4)S6mZ;|4>|L`1tOmPIcK_Qw(&L5}(WliI1H4fgnGgN`&u9(x`+R{ApA%%b#`-kDXz%1u zTxE-c^`WmruCe|m>Il-8Wp+CbZ|8~O}2mVJ$SlX}jys(@tvySS5u?>rCg=udi zmI(S#Y3zv^`MsXj^MAruUo^W98_=r%-5r+g|6e}oe;?;rPW~^?{s%eOzZDDXzxI6R 
zn@dLhR#bnC#GskU!KFb>PelL+o=DD32OdlhRkvX+T1QsAscdbOmEGCo7wq%9yn_nf zeKHhTlp3d~&k~po#mzRHD z(UliR*N;rug(K^`*!wlZMxy1iZ;k0$V@)Af@~MG3cWAP^gCpORIW`+hKR$u#u>bEZ z0cw-~j9%=N=@^q5_JY}xbnJXWh=KTdYSqlv< zde3lTCD;`u5fnf17`vfKU;>WiyDD&9y1s#&>9zo?E(!HnuZU(huTt`7%ifUdD)3?_ zrHe54KQyZd;S#t+*7oB`sPm_KTF(Fbr2W)S%lW_kV!Ler@pAa$$^PR}p8E6u;Uo3@ zz83sl!tZnqxMMLYo#E75OgzTCfF>@XI$6q{GB$G@?LuUvOwx5!qBkYzL2tb{Cecj3 z6r-%-#X&4CoH&a@nK;2y@^Op?g@L*n4PC>Zv#&GSoMqD~`H1?1KKlGwZ-4Cyb(4@3 zkCA$z9Cur1x|nCc9yuo^3rw^0V!_5}^kO(1_KIE-z;PO;LONg$mMx!aBbC^ zf>YS)oq^)%6ihFx4VzzW$pBj+)|nzX6-j05=+*neXwSxvDNZ6UJUo$IF z0eSE-rVI)j)>O7A9_7*-ZRT?iku>>FXA0bf|MP@2eq}bWRsK8LDf@r#Y;QgBe~79By4M7ZS}}pC*_x*Qbj?nKVd1E8irW(bN0QwmrMmDNu#`*#5WS z8Ww_6f2yV^w3n}Gr(~*+qadb4=8fWbr#QLx!lrRhWx8R{{KSj#xwy}%DutI#ZCPuV z0vgR}q&O}kGgc#CY_iZghEfd*u@O><`EzXN%yWc!iEcxahHPI*Ol5KXV%%}6a|o9B z_oZQK#wEe9Y)CZIE6sS-6(18y^ZG;R7dnASlQ{}Y(Ny|hBp$%4(ss85d=ciL+5xbP znkE2$m=pTTKF#NU>ZN#^h3tMx;Fj}$XY{ga|F`>;|LIYlKbHTWvEV9xfW_qUXR_qk zf3e=RF_(KWd;1p(y;2RD*lOZ4$6gSMq%04RHGTO!>3^2Y=#?gNzXInMMk8n0Chhf? 
zLV@{?hT_Bty(R%pmPSN3YysAQ%ac8d%^syXM*zC}Y#26PbqV_Gyh84soxfpY$273g zo9o>5TlGd>ZOZgRoCMPQw$f83+MKr+=(?*;8|HXFM{&Q#d$^QFso;7shr72D# zhEj^etfQMbj?g3{A;iv!J^#v^VdnPM(D|G&q>^7CHpgLzH~|vWfkd-S5G$nQ8iU}) zc<)6)Zw*Cw2FC?Il<<^%#DSnqf8TJ?yC}RxG=iEOB^2WXg(Sjm&wYJ%ahB2q_twxp zT`XvXe%wDp0ZCZToso0^{}<@@+{tgr0RFFD%x44sKlPJcM}r*D#PhGR7)?otS??>C z-Ne1G+=+M9`^rrhaqp}DueXMN^b$fdh7MmJu%3I(d>Y`MD@e1j)Q^Xi-=h)`JQgRJ}WI%EzQs3qjmWH#97_14zVcQ{3-IHu?@ zn$lkH^77KB5u+jQ@l%FhT`BT{K-o1x3Ib+8nvry#OruA5cGoFlXR;cL80HL!rWm$sszY zh=>ouE1SO+qzqz>36UZ&q3CjP>&O?E$@hM6Peihjkj#DkUPMMzzekd({vgULe?zCjD`7n-1JArb2J_T&rEfPBq=MKg@n zLvn@D^~l|Fw~_M=y54e!?r@{vOz))}l>{TgkQenx#CzhUWD;UDNw9atv5@d0i~+%g z7iC_EJRdGSfc_dfr)Y%+D2o_QQ&8zO;lCRXj=eC2NFw}J&>y4i;c$pPqdtj9O1$tj4!zqm?9(V<{W01dZlb=l|IOcS^S4uv zgjs^m=Lu$W8V3C_$P_M-+(7(@=+MJEbgGJW>fx##{Co*`skk)zG)nQuv>vhIf+*Ii z!>g}@xc0|r=jGNW5^o@0fPOVKfAggxc2GhnG@)cub*SAT(8|&&I+0b7kWcX=h%qvY zP)q}6B6go01Sw2i&V4bG(xh(x@OBP)QIr>LfsQUqoKsgE4ZKos)>cd5m3lL@e)%?I zDVkt@V8Ri8xnaTUl{<8|mme_$FE(%Ojlzq~J+w}N7d3m{N3&CiTA>r zY)@ZqZT;)z?sPH={^gCfUrk@V^u1m0U;oZ07`{hD~b0>r*35ZpN#WPN#`x zh{##`f+TA;;FTs>BmM7!7e9p>VceM)0EH7Macl9?4j9WJSHO!C;O=;ViTn+4_zFeB z5C)s@K;!jlc>j4+Mn?_nUXfVNnFC@pg1_w(n!{cex#B!(8~<7+T92@cQucJ?N_8#8kKL)wHRi#sFHb zs4F03;#GFuX`mB(K|lnjqfr#vi78ExjJSw=8l@hIaKctb4Dgy$mhOebW4PrWf5*p$ zi3GuX$^_L9o-;JSsXvg3fz9&w8n04z_I7@Psf62Y(9tF2J6M%7gp_B1$nB#>LNA}F|b?w0{BLN=B4}*MD57uP+8!kFk z0_XBPrc{WnX@n6?(1IpdbQMQwLNIe5ie9FTo4+s>=SOG7k*+C!FTAuJQ2SMX|K$DP zEnd*%R$C8go1sBS7Nl^%+>Y zBRHN9g;yI+qMfq}OV@5kT#Wj}Wb=1bZ zSojydwm{kJMP!OuMaXsEd!awaK^EeqQ5aH@hg`j4NLNMcG@avw4`ig$zpQlgGVrSR zT(~Ub^`2prXJV5Er+jU(lpjNZmwJWr_u`MsE)WfT)w$xQ@+xTkGQRdN`4M?(xK3Pd z0ABEE`KNBY82QbD9^a3@74gzz=7%0xRLWm&4ZkC+&SR}-Ng1G+N7I_%I&X|z+B$F}i$V7zi8=F37mC&s#xqJ~Ai_L>0DH@*_K5W}2-MULR1um^w4Q_MJGPDF%kPkL*KO!HZ>+liKUy z9eT^p9ONOEO;A7*Epo0bH-*=|l=KE(BogeXm9pNU!y@S-3_=phvYY(6BB(wUr>3xH z;a4tY^^Qp7ECj=wQbZPULa(7;Q<^M14s&&4+|(UT_>MR~eQ9>*OudC8l_Q&@S48^( zhM6;n`*V5|z4lVCNyr1k3}di~0vbI}`P~3ZYDaH4+c76G@>0Z7FG;f)LV;zq>ZGOc 
zYS8Q6Azsw+d07XL(R>gh79H;$x}0R}c0!ky3)JFe)$6w7m3p&6`OA^JJ#v>fxT(d< zs@HADtEl6>Lzn&jeXhe*ysXOHcD#y;-TSI<3wSkLj;nZa?!R&`M*l?eX1ww_u`HXr z7lODv#Rh{5R-rZJ??oqYblt7)9XbHX5{|A(Ld6~P+DnKK4aXj1817Tb?Bl-IsOTDe zkKQD-!l{+b)xgI$_O|Y;WhQlXC0Zu&NoGQ zus!H@9rB8bPl(OCzK|v+!uT}2MI!tXTr5F{%qwemE8xZ&tWFH=m1*GtYEl>tV1}43e}Ao-;8s`1OLC77j@Q0& z3vNKI2``8EKPv3cOB4QMvy^>Tv?#g*2K8 z`M>i1Q04D6k49d*R;iSfr03!~qcU1obYh;+Y&J(}9B!<321)64N~WYyu2_$ku52xT zuVYdB)SO87_j>we8!uTIDd&0i;CQtS*d2PUi^@w`t>w^z;UOVO-2 z8(BVp_uvMlltnr#k*Gzmb*J{*bB5xCEWG5lQKxiIyv%3>t!x)q86LgfJ3(HS&T*6y zzgEq4PpPLR7D63eJ)cV_D$W`i(mZ)O8jKESX$0hyF2YOj=iEf;oG=9JlklmTV|0aY zMM21PaOoCU9V5>{_o;+YYtaqf^M=-HK#{j&7@2plQM>OF>!5?E;?=>J;=Y2sLTrjg z1CJ9LbTsCB7`(cuZ4_P|txg^Uuah<#R@siJxXE>Gxk0N^32MBSw8byrrBdd$`V8cX zL7P0u){o0yGw+t)1+T~rnI$9`T)kqBY_Ms?RPk!?87SjblqXs78o8q_cWX74wTM@P z&p;WkHlKle(yszuCk=iAWxU!P1@0+fQh2o*UgUV`qRr6nsYsQ0iPQUiM1IZi8xmr; zjH*rzIK?%F1nCe!%z;OIM5iX<*5aVw|%mj$+ z!b>tjqaq?8Y~>igKU{^=Z^f%%=x~SB`fYL_GN7YN&e;HyKy1H%iTx-R5_^--1t+!a zEKM>$%@Pw?F@j2Jl2R3XF*UXTVydDTN{B225i{IQ-CI$GS=T>E^#2y8a~c#hIpP)X zLneYO1USWhnqQq|)Bxt9pGZ1KKkc3Ge=o$%l3L!7Fhl`Gp8TfNESo~Mbar%baDqrG z%7I^l7ly{woL|pygjk4i49CIlkYDU*6bRufK)oz>j9roVJY+xOgiNjGb#Nepj62DM z-Od$>Q5r&=12R>&THf4M#)(u+kPo3wmQ}vg4LC6E76ugLDID$^57E#a~+zZ_b>_ znLGq+RAhlHf)ikl8y5rT5#ua1=Tt0&1Vb1d?A?3a3FcIX0@vKe;S}OWk}1K#W_5yW zJguB52d0WdOw1Btxu(uV?>O=|go*jfQxIrw#%zf&lw=V|yVOF=7+-~l>2rp>kWmy< zCiHKd@BzNJXz%CGde5;smjTc~GM~(yLT@gs}UmXz3@ltutn{ZnRF9lfOrPHam=srLb zX9+W3ql8{=9s%%56KUYpVIu3tOJLAtBJ))GP3ReTb(qN2@G4GZF?oI+Zf58Mojfp0 zDVX?J?!$XoN^_%h6=guC#Y8E+!jW+yeV7nDmZXMN%2g=Zro_Bk9-#)j#2wBqfY}%K zyYfKQL4VNkifT2OM(7ra5bRAM|JoG((juR&IaB zd?1M%hf;HVNI9m55-JpbYVI{*Qp8drr4OJ9K$Ha!2m+Vd(0{ z%WjcUiGYw^t=Ab$C^b@N9TBncv;h^sWxCii4*O zuO{=mdy+f7quxmsX8rN-uBhbHcEq_DvV<2Oul37HV&7_LW(!{SOy^c|_nzrnuFQHa zEI#6dE;s{_F+^jWc>Ke?t>){}m0JWBc_w2J_~b_J&V1S;Y+Pt*9Gf|N?`am)Iu#zLEf)W6cVV3l=VSYCE% z)#7F3Y_DAF-ok1+6(z)Mi>qB6hY)3hLFhw z<&YXCUU>o(8V2Z8nAizBXNnTc8Jt4-%h5ezc*8*_{F`wTxi{RTAlwJ9<|MM7c`E(0 
zEl7I_XzQt9L9@vp;;xL_a#<8=(JbXwaEh&5)}v{^`qiM><{;6ECgg-|a#F8D)9x)% zgJ#zp3$wI7^}V{Q0VDvnG^Q{VBA}!Ba-FO$6D1rY-$NWi-v`>&wVL0*pE5xt!Eu*>o+H7(ay(_pcl}5JSNwoRtaIdkT*~D(%p-6L> zB_yRk2V#=jyuvu{jAk1fYC$u?=?zV;#3AiMbSfEf`ZC|?9y&IQK@JFrJx8Jm&7uIM zi8q}RUq~Nl#F_Uw)^bcEA}(8Xt6T6qkZ5+mlV)iV(Ui8KxgulSw$xf>i@30Evy?S^cpg;-g=9$X9SrT_mGS( zBhvE+bm5U`jO0a^L^D?ft@r5yiX@b#7g-XHQU4$7aY9q-({O{02ZMjCi|QLX19Ts1 zKm!+iL0zzHa>4N&gHKIQ;?LWb=ac+^AV@nCNI9r)$A^O#(E53cGQ({?NOX!S;fi{_ zA7!LeDNnzR&A^ss98Q`5E+E*MWGTd&1S0OGLY|+J1$KLfQxwrC*Qi%3d&vwk0`p7y zj9g=31Qdz3`Nds^_i=lArkpC~d`KLijbkLE_rM^5RnZ9y#^BmZ1|gZ~JltkE8S`^2 zr7p}`sL+YA{^_Xu8pM|ss{wn#yC}RJi&&8ca=9v@6~9tZHDY5l$XGI9b1%U`UEwkU zD#7ug2q0sW?wx~ohsXazQ+$IK;I?Lln+XarXyiHRqHl3XZ=fQh3qHkCmch3c{uqZ| zByFWUs5hrK+P=c`=dzt~KCO8(d^V+Rh*;~qfm{nC-XZi0qtO`M^%NQS)XPai-!Rtd zk9)=!*L96wkflC`?93b-xblEaMyZAgIwffcIYiHRzqQ!EziAfANWhDD6F(SjZSNF6 z%8bDMF&gRDpW!c&L!#Q(HQ^*h81giC;t6cEL2y+p7k!75grpn2JxJai>x9vBkD&?1QBh&ac~!poe2?)Ri^vq+(oEZiduXz|BS%Vl zq2OOLFJ#))QwUcTC>*89ZH``meJV`67)Un>=j(+~lc~T!fO<+%K-d)=4WK*`fMmF0 zhEpUoD0$;R!QiW{5!pL{oi_-D(!4P^`owtYLFo15i@lRW;kqIfdD5S6E|Y#wX&BNQ zFz@o`c;SuFztuXsrCBlqAY!fu-r!T5&|k2hI-K5r9!wH1^5>WhK8e2^5_}#2{J|&w z5B!$H{*BC~SOmcrM^BeU8525mj@|RYbE!ioiBgqA$VV8HTlDt***Ra7oagp@ant(8 z)*CtdW-EL|_14%#8dv^aY!Lt~u_(?@K$6iQAjwv~b$V)*h=oL0+b&2- z*NbT&{aEwj;217b`WxO2C2x>|JB}RW6eo=H^dc%mgat3#^F+KNexL?mqy=cyyGXlW z@hw)fQ6ZgEz6ElO_!)kakTk_nPn;{lX%v`b2vuJ&{BqI0a9mfLuLMf6r8ocp;-V_T zG4#xMB#8{!fCK4b6u7gVw8Yuce3m!)ka#G;LFTIv5Q{8K z3FmYR&a8Z_dPPWl&axyCDpO8o;)KRH32)JYBnk8*_jYo7J;gzn{ZI{7#*4|1;)oxk z>rwBDM8P=s%kM34>hTkfpIw426nY@dN#+{~$q-fYn5#Ibk5PZr?T_u_8-ULWVX4rh4|Gr#63qr{^48+y;2r6?$7f=ra6QpuH13%r z=JL<5Kh13qjD4|=B~4;wFH`Xz`15 z2@-;rW4@wVAsMMkTuvE3-f{*_aIR?mOt82#LEk3yhUI}H-XCsM8Wo_%0!rQ{;hYam zW{3o?40$5`0#eG~9|mZ|`4!*~l^dq44xjT|l490^2TpsvMdi-kmYFMqs z$8ExQhFaB|yycAP2G#q@bQ*Q}{wUYu@0#k!01kyZ>Z4I_LTUJolnM=GTqHE{81W&h zs4NIC_Of(tX)!OX_i?$_dpoX1O*IPTnkUuKv0@C=*zm+dbL<5;VX_+kyq|xqKwEgp zl_cV@PRuRy*82#YLJZ4tCaV(m+LR{%tc4eUgQf(BflMl)ebR&)X}*XdLo 
z6@@vrT|qSsnQE%p%1d#{^~5OUZuh0B5fHKMEIR@BuQkLId+uk=#)~7laF|pJrwXM#V8l#ZjYTa#DJ>OsT!CmLq70U{+Y@ z`B(5eBf(ftxhS%RFiGb)=}D&Gf@tyL8lw4Y(bike*S{3F8b#voMDVE&s08nbS6`gf?tUam!=bx zs>Jhxz+umyOE8vY2kf0hSyUfusj5$6PNT=@`TzXS|2$W$AHBlS7(M?;KTg!UEDos` zfJIZ`#3=|>VFEzm)f4yji)AO$GI8cyH9}C6sm^>=aikB0?}dT^#7bJ5FG(ke%wtG| zjn>tg-strXBSe!xIFi{b$~xGcxtl_YH69EMZJPr2&Bmti*egg3Q;KeBri62FQ!o@+ z4T?TPeIe$vm|jQaR|adDG3rM%5`7d$F#PGN0>x?x=F}cLsh7-fI!1$Mqt-eZ!%l){ z_~RJ$Idc7;)-P(}@c*p4Uu~4tlUJ{pR!au>y4R#(&DEzBMtyrY9IA%Unjps_Ew?yB zbjj*M;2ckQYa}R8CyXJ_Ara~I;6#_Wa>C5?GJqc+K)S5cK&(tH3ntxzHISw%s2h?5 zfXkF2%LQL9OTwF?dH6K+W@x=*vYU-!62SaeJS+^0L9t6S_kmvmT*&D}{0qu|{hY61 z^tD>VKCp-vgui-ral!lhX@FCIAe$WUnimB)16}8H4nShRG!RkZvsf4h#pocL{L-o& z`16DC5Z$LQZM`QMa# zpMQYf97cYa1z53=-B!rBqC+=pm_)p`6ArAKp1M*b80?gqdM&Q9f@;5|0Uo2_&W^l# zo9gf8DecK4O{ukEg=wRPN?%Y0+^L6jZfSHT(?uReDNd%IkJ0-6+2MxX);22Oq5ZQ% z6eI)^4Y@NHB{)q8zRuT?YU;z@Z&`xT5BL`S2nUo3yK7Jjk=LIS3n;9*>%i60@fmSM zQ<^9^9xu1idD@BqNfeR@SL_UuEK)7^EQ88l`HUzoLSR$^?fQ(koW2vPnT-k%Br`JY zrD;MYS(?kh)Y4Hyv@cJw#jWnSx=uzkz$e)xBy27^eTt_!7`a%lt{p$Y0W-`T_)IIC zB}mfb97b}6g%VuySWHkYn85@uXo?HQek7V%=damRe=rH@M5~rXCOi)MLIb^kMROrs z0o_GlOmV^7s>&MZHDBsu!7!}X`}Q`MqS-73113ZT5KhfQ()vt!A_@;0Fd&0lJJU8* z1w%NSahVFt(fixe^S8hK?P@d}z=C6g+;(EH&))zy_z-Ojhr{9S&JO%L91hF>j&@(} z{B5+eHQL!7?e4xD{cSjUv9-JXH#B^R#@n8ZrC##4;l0}`ckWN}6nKZNo)^dZ=a##* z>kfMXj`_BXe8LH&!;fvj#f^dIKTEw73qLX~ywbb|F93!(*pZHlJ!JSH<##v3ZpWvK zMHZ3tR$9n#9-lKkj##EWLxi{O?zms|0?hn`!~!M5vkz>MauY-(La+;_l|XcxgkYwn z*lur5InGs-I0il9bMWm3JjO0EAmm+xT>ac@mu5&D7^ zjI%J5H?%&m%rfdz(fLjUfB?yaPZu$baFj9^NnIMKarFD=3{A5zyhXoeUI;o`sO|RF z)_O&#a1StPh+yao9o5`D{AEhR(5KHmaW6QKyMKl12Ble{wkf$#iVT( z21M}YU{jCtSQ1d9av>0K-ZRd|n{mR{^GJG$5lU}Ely@Mgu?T=C3@jaVgQcbjdByO3 z-|FyvDr_I9lZ?p0?~afDBLKq{YvEmi-J97Xe!XyDDG3$e&77iuLMP!8B2nFgSfp`6 zuGuDd7TkDIT7s2Q8TJE9cPEk{dJ`E4ZJOq^QeSdI0+5tv3>(8z7{xzML_mS38N^WU zZosrK9=X0ts`Fu)$jh;LRyWoK!k{W^qE)0(Dy3f?GXM$(Z#G8PLw9TB3NcUaP(4Ow zKpPu675`C%Q02oI_4^WnA@{85oANSYdJla}6K^k>$(>mSa~P3Si;jdZL_|{Jh2%G^ 
z{Oby!iWSD_!_PgnA251qsVPzFi)bRI<4_JvVs_RN&3^P=(;WgNJwA@h-ga9N4kwT`zfG+G`YUSU=c z{qbcc)M7;mAQ-PP`KeaSs=sURr+z@5bxUp=l~J1)-Yc#9DVbS^AP>{` zXuZ#yEOor3i69}?p_cQc`Fu+jiNe|%ddv66!b>H=yu!Dzk#v?O1yjNRsia18aHcd6 zCXyt?)m81@E<%p5p^;VW8DG#P?(9%Im`Z~&v1w%`;VW2T$;C$DG{^{$_|4a7s7WQI|Uj>1?ny+!_vsJA>iY zfGpyKUSl{Jos>H196PF2FD4F&oE(6|aUHBl3`sPD;-G z)*&@`W^*{JJh-4cjaqThoV{ooGRN~dQqTDWKX1V*C+ET(zcAIDEQ`ok>ddHz#E&#_ zse%JR1-KDz%Ch2Hc_>I-NPx&x*C!0+LO_jz(7WfS0YXl3c?%b0?X4_IUav z)ym~R&!tN)=mj9Z-z&X_b)9n%tDFEspoiiBV$$%>z)Qsm$UMOc@ERw#QlD?`Xjl6? zW`YxfDD3eZb@**G~nk!h!g2F%-2_8{Fpz-K^Dqe z6TknVYr^l(0nd>p5&WQyT2MrM%{)4<_?2kOW$5GpL9E3kUK!nZlU zq~cJHQUBoA%nR?}?#A*0AoCleKKz@%#?vYG`GI*%&qNRL-3eH%7%z_Lfr!7oK5}Kl16D5+algP;dKl#}prU4rS8Z6Ve#?{uwwgVcJ@$zbJo6#ri(fMEYx zZOCviVTBV=v3-=uXcbZfbMhm2pxj2@g7`*`Wra_^!dn-3K5mY%Re)j6xeh?>EyqmR z960C{d%;f$N%6bLU#_Pj_(ew!XBohHXdnUw(mow97BaI!ftr`si(587RI@HceVgdy z$Nh?3wmzVw-?bP*%@spH8hI2K0%wT3LFe8HOSOd3)Z~&XW-Z{5u?$>Bek&ZI{P!4b zeMgppqRfhb&9#jj69o)5_}}KMZ;U!p9@}^Nwrc(Uro0eJlVeuh1SFan@UlpWYS#@Z z&IS^;#&C>gVYrDRT4@e0B8cc7A>l0H&nZ=Q|5_?!Y(W>H^;x`yXoU8DI^(_YqQFZ6 zl(RVqefPt`CjX57iQdIHI!itOYQvm~wE{Y0J|IiYiIP|IookyCu~20xVUzan%DZn? 
z8^{WrWkwRb?202{!PVG5XW1kV^g*YcMn@TcDi})CD4b_Rd(WBJa7Gjn5ugERe__`c zvZEf-XT#V!U+SwO6@1HyFj3`=2;sy`5wDSZtCS6(%<(Ye?BBE98`sb|4ns4DxRmmH z%D>PTfheX{*Z{#$FL+^CEr+HMj?0?ipgQokG?Okzx!Zaoq+(17JZj-6a7BZPIH8lW z=q|PVJ+Tv`8t$h3o_-*1PzcRs|cZX%?Pg$nhpa814%VImUt7Ml)E-5b-BMBec#iMiU&;n+>%l z&8qnYqk*{PaWEB#{7sp-^$=n?rqw%uByq9`0|9hS#mtbKe7Ev#AP5KKSka_&PM9(Z zg^2!Mh*h_kI9tGP4Msp{$r^>Cw(S_^Js7$=1}C`q$k4Q-lP?QIAiaNzP9 z1v18CZ^?TX-}YIG9UV+^kZ%xWg_etXMH{(z%8#=#8Vz$%<^nH3JH5U2mdKY1$*#5F zV!aP>&(Q1Ra`uG|97hnzbPfjMa8iS6`RTFbXbi-5^q#t6i2&r$kA-g=o15R!HFknwr8tC79ak_lgB^5V4`QjF9KKFT-7T zWx`5fvZYBu7VR+zGk|tqyx88!Umnxwlv2|Z6JCFp&@46!Pm8a5dI{Gb@+GPw$M*1~ zz)(Nr7JkqTyjI%4s3dARA`Cdz!xKI!31;BGVpXsZYW>bh^e(2IOM0p-_cKn6}B&XktDmdTXdW;Bqmwui&vP?m(;mU~+M zcub`$j1WKXtJw$RH<`*s z<{j&;t@ZS~Q+PG*nGqGoRcTuxxR!)t1{gD}#8kwBcA;DYKtpl_{|Guz=}8Aj%9u!l zG7O4}CPhs{CQ2)Vq8F};*wSQCRJPb?K+?1dDys9eWl#rr@-C~c$^=)ziJSLpqAY{D zfYnwdMNs>yT*(B)GyHnHFr_^u032`*cfkJ~B$TEmNPdf$vI5j1uqLDF zLdlleE1FFgo5<ZOBvnF@@MPfwJ)^F)%E-9;6@B z3!jF<3P_hSl2oX47F9xL;a7^SBsBJBo^Uwk*q&3}`(CewA=!Osfh3yPBX$r(o(In)C-s z_)##g5SgWQNWAK%gLYN8ZjzG*j;eYYMQVN|n_cAo}jE zCn%j+zpJ7E_z4j0|7#>A`wyZ!(9kN{fZVs6lU*Z$z6hjezcoIVNA?nq*z#!ocC2I8 z-e53RP|n@JctkWhl~nWn>CtnB*83{;et!cwV3-8AMmTWj0@Fy=l>Kl#?XOKjEOUZL zoFP;rI7stT{g!5%%2G7RqDcF3KrwlksgabX)ci3V$_qYcFrd^a(c>lJu_f7MM;Yetg)~ zNnAigCF@@|`eX$0@xl-}W+yjXbd0g|LgL5+rYYrf2=hm?w01E7<^}>|eMH>SEXhSd zc^(wlW#T-Qk*$rJk^@e=U|`}G?oV-fp8|j%@a+IRNu}HA4;aiC!S+K25WiH1)xUqh zx8Gd$1l5LPQsG)bLw!I9-QbBqFOYnM5Jjdspk zNDzspG+781*qd-Np_l;W>~qWCEkr`3%T$jGQ}))d%6AN0(+4-%3&&ru=KX#AbiqwjO837@El|OlHprxN)}XK zr(PeteRuKQ>A}JI;qiBxJyN%??{OH?JSwLFuwQ9YL%WMRqnLVO`K zDxnI<0a z51}}!B53+u7EvptTwe;B4Nhke_tItwB~G0xi<1x|PN=WVYU<)585*v}x>X&~msMNY za9vfE)i@ddEkUpN7(ZsPD|xa!c$lmFYW?K`T-An6sxF_W*hvo&JE?wLfA;`N4XCXW zMX4U#Bk%N(N;X@|dSEO7{+5 zXzL|pc#87$6y>Ro-Fmc8Pt~UX((#_UcXzpPPo3d*iTP9~ ztops8J$3HfDj}ab1GmS0dS%3Y>I~{B_|xMCf9gCj|Gg2QIuFs~hJmW0^+jSqS(&5O 
zfKZ5d3)fqCztPCMVQ`O2Amc*uHrFL;lD*YRyrjA~OXbUqV6O~sRa0jAnA5ZTJB@KSFJi48Hc4_l4h|3c$f|svcL&{e<;v<&9NJ!?O~Stc7`>P{Vwh3_R4 zM=#0+&U4*(`I8;RLJ=E=^-JLo6>sZ>)n{hZ8gZ+k9*8;QWi?Qy+=xVy0tRMI6e&Gn zXkD7)z#Zb?hqDc_Z-p@{+CM(bOZZ+$e7dm-?Itqje4sl>y7&8D zD(%xaJNFzNo}m51*QYQKUa@wscvExejD z=Ts+#Og9$RbveS?z4XxJx~**+zp(0)nK+^-q3`$v=ED z|AhnMH;E*>RtpI_`yIx_cb$Ogi^mB;OqS@GWNg8Wl(TLpttq1(Fx%FRfX;YJR)*)4 zWnZ!;^P&k=4YxZ3P{?~;UXkE;y{D@pWeurE_mB! z8r%?fgT*F`;wtU9DWha#>u2|^2H7W})f5g0o;AB4X7JJd%I}DQI#gEQ@xdrrj>9S?9_M6<%5% zZ=giB*&p&nRdq>4X?@vzpyr+w94|LEcuY@meJVR@bK!96(>Ls}LG9U)oj$C~XVdCo zrFO9Mty+a|m1#sD-K)xk)EXV2RI;z~fYP~1=K{3~7bw&8e=&*VEYwrt5u|pva|^2F z7NiNyClWFzhf~{tIVE7aL?qpr*w=q1_Rt4dU!=dD$`ziNt^6@_Q_x`<>DD{( zRXfYp=xD3ls5Ri$ag$Z|Cr`##wnpFDc*)iPTb&oR29VA(cDZ(hn;^D1K!L0*|5PCSJ$0d zM3Z3C>4&om7BXX3PH_5$O);O=4L&4F#5_K6ry=DXJjf?kky%as<{g8Ym3@hBL*+Y_ zI#E0UNd#WJ03+?o6vbljvv)#4)!xzBzJW12$Bo3PQ2HsS39Gd{h~3za_#xf1`+Km- zp$~n5EBO4GuGoK}E1-O(KRS6|3BfH!ymF`yAbwe{fNwA{pdfXnl z0}J5ARPsPh(rT<9GuUD|tPvo*&S0=hD5{^QTi7Q+e(rWDY~(ySy)=0tBcgcz@oahq7kp0a(LzoGDm<{<`bwJp7WZf>u60%^@ zSS?SHgrO&rQi>R7f<%?gonq(Yb^#VHP|nq53gMCm>!qX3zKDLvqZf8qcMV}`+ZB=K zWcv=r$o1L&M|k0wkV%n9q@I_8lZ%UzzQ;X&E*amu6lZw1D83d~#{F;>KxHfx11FZj z+9=Fh7zA{femS-j9vW8NGv#pEiF`5I&wA;y%D!J<&%6}*1)_9xdWx>}QuI@X`J&^1 zSezr;*&$V}W8oFM1O7#~mSShaXN|5QmYfn0q(EgubvexVggb|{GYqKOJR8b)ujxMH z3OX^20YTSL#9$MIDTA2lE=eqeo=XxZ5DQy@n$dxIk!Q!SDRa;qx9GZ6!08-GI`3x1 z|0f$dmSXA_WpJ4#Iu0@LLj|G|PnpMs)0$Q~?j!^)SXf41yG|D;p^TZJfMrgpf)j$@ z$Q;JEK88DKlwt~0m^-=i7B^0&=kZx~e+B6Onh5N#+1!!05p}4;^RDmgf`yubk1-|y93kFb4qeCCQt}ocSZbcKUrph$_4q?QHq=K#Me1N5X zqYQ|#bIt=4s7&NKo|ncsWKLLAt}D!%8+Q~*=y)ERW!aR@2g~ux231HmGxz2PJr~k8 z|KZ|d0f}>=EX&k+Vh0pIipE$W(|3va1sxSu>Z7KzakXKhN?VEa41P-Y!hgv?{zYT+ zHetrRC!Te(sFOvVEb3&@mnn;C>)w=LdiB`7qPYgm641P=}xAP>D7`&1K06xe2n5wD0M=q6H1*>`p*(dg4gJ4nQe;LjbJvy zC}hwBNWggbe7OIeQu|nBGvY?Y9EUmPoRu#s&JaDNu1M!Z>6M$}P~gFsjz7EBOuw;o zVU)uOZaRmm1kkx_sc4uSjDI-D$p?k<5vMx@Sioe%&0`nE5UD2}1L=0X>tmciynD32 z---HsKh`Abccl<7GjkX014U!^J4Rob?Oen=QDmyLU+eTPBu08y&PySt*OCy0#ef#Q 
z^fCm#1(&8QkCzkh8(oQ_+3X}@?htt)lN|_AMtVv4%w-u!s&!mWn0whArsoN1XP5#& z*_X%V08357?k7T}XSr|y!cGqU2P_aKET;`c81j@rmzg-cly^k6lbN9%UrHK9Y$K8B zB18mSN;8FC22m&i1i{HzY8B-@X2dtGt%VW%J87XY{o+{kW&7`>lZi=XI_k? z|F*qqoGIzH$GDVZnwYK$=Tt(J*$(X;Krw0G0h@HgbXyec zf8mMU9L%Gxh_tKho+SuqQ*kE6cr+y*QAd0P(v|Cr(GLc696BZ8KSoJl^Q~wKg*05L z_hK=n*8T{8Nh-z#?P{lIbb3bP4s?2kabP+m+mVqM+xt4xXo473e40d%aD^70iLj!S)(W^7Z-I{5Wi;)n(>whd6j&n;Cj7M>n_E+ z+q5maX%n^r5#Nk%)Og@9j~(&}=WZnsx_aG@4)qV?(cWd%#*9VfZNYLQdOX^7=T1ztI4uM&A{MJ<_swtbUcDWXPh^QU zMx)W_=-`0;KN^j4|Bnw3_Yb}qAMA|}j>bnv&&S`4#z)VO4!;4T753BmB$znyH>0K7 z%6IMydG7BAz@LKQ?<`=kSM(f9}0A=KXPTvu-kwXc=d}Ep39ope6mygc-^VeH=8#pnfI1fO~ z?k8BFvzYYY^XHz3dP&iyKWRl6dg-45rpWhx7Tf6JoV-7O4X*Ce&^TlcSw6YN!U;Vr zgX%M(fafp>IBNb><{iPH|3+jI>f7d!+(irt7Nd(!4{-3Yq#F0X>H!0-OK4#Lj}uaOlRJYK0hl=dWQ0(E^o9@MH*zd z4{EQ^v)^7`ygB~$Rc^SL#jxIN1)%Rl(F@zSWrMYo-W7dO>?mXGpFj7lD~awNSza(& zlCK?!a4kG(ZwFHp-#W1eHf6T~3n-T7r2NmGS@zi??B@CK#;P9y5diRy=u@WYA=G5kv_4TS*-jE)oswKWD_@O{ zY@gBfsL1yAA5KHA=A#W1kppMe#zMQHO?%13Tcx z$3B_#%*ijlh-2oe^WO`WLWz0V;30{EHf@xj|Bgm`hx_{Z@80Ne{JcB=UB`2OzxypX zP6(R85XN*jv;#au|9U(cX0&p;aAxqGGwW0J>1J=ZcQhQy zhm@(pSO+y49_o-Dd#Jw3r*i$zVGzN%_1gcYa{ce`?eFFNKb{{Q?se;b z9S>XoH~wP6-1Db?0IBluVnK(+ox_P-{=47yUVVz3&`UG(OBZ-XJ;PpsO%${Pg&Q!R z`QZtx$ zdX~wE|4;Bof(WdEqoGgLNNP5)8pEiSU&}DsTeJ_OR%acW-(F?yopS_aP4mVL}rN14?PS0+K6RPaudAh-j6Bu>C(iW5alSPpytfLuPY z@`Oq$%6oAdz8#|lR5RUh%dQUtj|V;r{Dn`r`Jded+!CTzSb^E4iwL^gS`0>n%BIpfc7$NKv6yFu6dIrhRUBqnH=hHo3 zA7tYfB9e|VKR_DB^Ix6#8j`cX$z;4j5~7%?aZngBk>_&ZL<5e&gbiU0P+RFbSetszW+j$P6A2B@`HE`ay zep<+wPD?7F0G6VF6o6&+tqm+U^I6Bs=e%UnGqM2;Dj-#TV{j#1)NXQO+nU(6olG*Z zZQItw*2K1LOeS_FHYT>MlboCP`|ka5|8?(O)z#hA)vMN{HC;mu2W}Pm4PTK=&g6ta z!HW-SOlG~ooHe<}y^hf+ojm^h*6L>43v~u&Jhfgy$DTj~i?s%}EfYEI^daQIBW#Pq zTLCjlZH-76(%a_zPA2&Xp7wSQ&JoM44Zo@BMrge?!X!YCt)-Mzavd)vU+zdhLAr*1 z5O>;7ZjXN<9SFoa`c|95HN?-RmM~)1cgB1Xf%llhVDLARKKZF|MCTv1El=I)pN0k! 
zHKJw`b5pHJ28}LxjQH2B842{_bz<5*^3jK}nMCoeI5kIPOWRxw>HN>0)?iAf zM&xU=sKOR(V*xLir>dg$$d%E1$23MsB2_fY8ozH#xV1RsX&Q8u6MBpAYnYZSfwZ-h z&BxV0J>;QkZ7W)C(q${c_orY=mpv|*$QJTRjY}x?)l51>xKm7uaFIg;BhFrR6vS8X zDB@wkp0gqnFnBcsb}&fx3g_+4NSlZEzJDA<5T9)O;UWdRyle@Bc&9$*>Y-cgPp^0> zWTxaHWECiPB>oH;MVsvO(};L7pg383rn=yT=9r@1{~GD$HeHxn93A_KfN7!?rlfQ6 z^A^qd%X!sZ>9hB9Y`WO1R zPe00OG-8m=Qc$B+4BBs2Rfa_gbZ)50O5~0H2)sA1j;;8Ybl2o@q;9alM^`KL-5`Sw zIT@HtLOtyXq`iOMsKR9;-?a~6M8x4{5fY7wlwJEYGz_|R0uJ8%vQceg?cIH96A2Y+ zt;oUo)h?j3Q-kOeC)GN?PIyc=s0bNeV{OVA`we zx1Wn$%Dcb)1f%Rsm2wOrTc9V-5?(F4@&i2~rTqQOyW}K?8X5VQrlQh?+41PK(56IM z>+ovDbC(rnEK)tpWD8*F?n0%LZkl%+q~^+w9Lbn7Be=FS!HC9!t zJqV}rH{_D~dzgxCFh{l7AY2n}&JU^zD+qm`;EQjX0-|RlU5`K-5gYl0E>2q>{FDjJl3( ziGGj%QGKKoRDTAkId@mDZbf)b7hQ$*MZfp%-}c{cer$jA^eB6R9ElQ|?3v20O7=hAB?{Dfuoe5Hen($0%{-kD1y9HSgO*Y+)S*0kb#bIDU#SXJGrK8!RAJ+gT5&IeVA1nxO41Ode-47q_9((s%k8_n&rRza z%YhvGpcpEfz&Ewqz^aRLVBl|0r`cPOyMX&^Z$m#bnTsXU$%L)IJXQ!>(_$u&bRb3wAWrL^xVHb+l9-8A3{uV@=qs6Z=O+bs{q7d>>H!Y^iRU2f z=K&0GUDO9CW82t3&i-<$i9Jy-41CH55&q*1)P>CU*G@}+2YLfO&33uxK)f*`Tu+u3 z(_Ns=891!NlLoL!uyG}I%bDEEBjJ(dVy>G`_^ z$a$(R=cp6+u7*8?Rg4k{ze95P=>2=?llS1=gwEU)6Ec9um&6+xO`H1q8c7!;QK1gk zS+bM%+BNhy!2cMKZ<*Oc4^0L`pIv|bbB{QsNG@NbIGQr@;~mk$Jc3uo`mp+KxH_d3 zMqKgtZcIVS>?ZF+GS~>)2_8&wPhQX;P6DYqpI%Mel_FLn?LpDUv8IEe@qRDB~w z0|E&W>%PyV>wN8O@0S^K|(NQnH266v~C2e_8Uod zi4oaFyK7m_^$Mrvm4Jcx14FFv0rqD#YzT|{!PDNA@@Yz_H(TxE%_s;idd-i|%t2mR z_4{j60Ym7XBY>8jj^`gzY*fOoNN7*st+8ti%Kg*m_}u;Vv+vslM``lDSGYW^8O7az z7?P9@%|3%Ba`^R(VYW_pn5KB9s&C@ZPj}2X7EHO6_9-kj;SbtgUUAmU8=&CYGcI2q ziCFB6i5t{om#bJ&KI!-`x*2%K<6x(=z&+S&WDi*i?S%!UQ~ca@y3;h?gSCE`d~2FIz+wF!8Q*Msqv}XUd(m^Z`x@I|nUR zOE%T%!lm3U^U)Q|*<}ecry?1`!!WNcp_aqJdEZoPAOoq1e#KK~Y(gMKVa^4wt5YQf zGY}z!-$3rO%0ROdDi4LvWD?){n*~2k#UY|{4A$w78%Tl*Y&Ft2O-iZ#)P^}GgY*w{-^T#R(YSI8i3jvaQ}|to?e>h z$~WrQSS9Oy6=SUi-x_1%<$ce$MTYVRYvd;)%A-A{<%-CnSokY@79)FMBthD4@}GHB z?Yfou!f*$R9qJ;7g%*^hvT(wJ(gre`Am@PX`rkD}Qcw+;RMRPxFv>iweyUO8I<4s7 zogzrtY#UveJls6K^Soj{8Kuo3YC5YUgI=)ELV;XEKiXw6`C}h8OT*-6t4J)RdGGq| 
zL>}_)Jso9d_9r7+g8JBWWIMxE$|2Sq7wVGPi81FW_aI-%I_WtP{lkK_ZO~|C zmNQ9{nBCEN0vsmK=QSOxXu4K&oH~tAp{(0$I!t`HRN42znLoT#Tn%X^Q5r#xFYAUc z6vF+dFz+fA023*!Am4>(JWQmt^~O_`^0K&T(9!HIAo3P$y8}r9oE|9rB=znMO86=+ zS3pNbMO9F5Rk3h4OvFu0wRd!RaGF`Ug*qqUiF)3Xn#f{8An}P-y>q_g08T*FN=M*N zfzJky+DF=b5w4~o=VE#ce1$#&Ocn5o)$x+V5&{|PdueC570!4OrpBTm4Dw(-Ou4>p z4C`V_1%VKW#v#r;x<8NsVO{~y#$7*>x3okA628T@*3ob+(B)_;+n+rQt{*B`+=t$- z`c?Wa-*Y5`?w0+^=-$B=xo_B$QGb(r6DI(dtoY5$wNr7|#zMydgS1lCr zp$I@uds-iXM#0l}qNTVoFRawQ=00rb0p2~AgQHS}Qnm4$gybii?;*a}r? z&%21SCOT0e0>})b7mQiPjqTTx%5J^g(Q_Ubfp?M*W4t2OjQ2$nXAX4B8%A$Ms3nHNc5x-D(GlkNu-Q-SfM7QVm zpJx`!tT)pB__v_3ZW~wdj$lwi9?9W#U>wR*_lvNtH=Tpt?+53chW#rN497CU`vcrR z#KhVxcg-dr_0hS^If~cf$0N58d{mSH?cvUg=UEr8_U0jQm*my%y=!lya}YJ4o{t`9 z;}6fbZJ#{#p+MR=b9HG(hJ>NIig3%Yk3wW~4N>Rli<$e$&T~w&XVr4AZLk zk)oo`oz)g`ASdDr4Q8)1u}+C5w(`+k|!U*EUw*u0R_Bf0VBZ3PUGHrLRo z)oQb1al^daKZ}MrdAT(E>7k=9g5kk`N8zxDW~NU!_HVB6enHfKu)Laq@+6eOa9Ai5 z3PvI^Bm?DHjE7%WS-&c^7+0Sn&7V8L9j`o+X)QZt>|hfqa3obE|J?|TM140Mo_wmE zlN%>c156+0y^)x$y_&*4uUP1CPsbo6(@=>A%!+-!#a(aGhUS~vIOsS+@-^`0_b<@7 z*HujBlWnILqq~FMqp|uoUDhfmhSs+H)P2Jw z&3!r}=ai-i=*zOFMYwuf4>6d<9dz9rlr)uUUR<;n1%JxAl4k_cUx;C6hA#`s*95_I z<9=*_yfN)uF&Bb|-lD5BKK;0o%5u&Dn1j)T>Qb@-3QCH2{ayD3Z`S_5P`G1I7o|2F zLz&8I5AA5IFQDZO+8@1UyP&v(z=gi;y-ER)_n-81ko5kb!e{-ywgsry93l2s4EUsn z(1yJDPx@*4y(G7-sk7(@n7imCVky6S`e^b$aA%`v*IYjI z0r>YIs-L~Xs>2`@WQ13ekq9D?;bgPaC$q}$nxEzM97ZpL%}WWmwY7sjO=XGmyJ9 z%r+SD@I!o8tyBcO{}L2-LLInJ-@4D{Xa=+ZQSElr9@7f{qE9LeAFE-q>#m1WH6tc; z(Km#U=^R^^VSOqQ{)F4g{k?h!o(K~D9fs=7dvhnx>G9enUkSABkkng}L1ay(9Mu69 zY)!afbcVMS&Pd2BGrQ({kGeWT;e$9`H_}d?#GCt7g{ak-QKWN|k7}S$? 
z+`kXvQ4aNFM^0R_LW8aFJBF>o0IUYp(w9oBh)^4FT$Cx@M=LxlV2I1T~E5@gY1LsOuCCBA^KR$(uu z^e11kZIZ+8<1kK>Xcr};`h5!6scIuPRTguaa;L|e5+&-7V86DEtv1~)rP$UX>kHT| zXT<4GAKamKwXo{1XHe&JN%=3C$9d0dn*t8_z!6NA&Erm+MmQ$%7bsm%T`JWEPFyMv zjzK>rOXpAirBjVKHofOxABd(ue4o3l#w)BNQ~j~~5-eQZ%QLa>q64F>b0B$7-%=ABbZ6`8?a^YcApa2k@i5 z=XmCsAC%xOz)K}r{+^m~IWniue%7%0*Jm6)bh+q`c#MyqgCz7ozAR{ninJP1lNNOi-?s~bUYy&i4?0#`OEMX zp|RK!(TX18_HGO2pFxjQ1MwJaVd+S@xZ^@Zrzs(Xu?OkF{aG zAr)bW!gOp7yW&%D!h@9lrKC-I_36B1Oi*80X?6-4f1%zN!$_WY=MS^AZBmzKqPcJs zu=~~44V-;bd#sqHCo+xj#9G3E4x1lK()FRr>HC`QMtQk51gv%*#toSt?fQVoFAU>r zhm2x7s9(C&YPaE z>uDfiIJJ-i;zj|}9|k=?!QbXTOYg^nzKRYK$k2g$l`7{RXL6v~X(HN5r%u>?kIj;` ztQM_|AmT5Zmm>#BqJoaV*+ML+9RX}r;B&j*s(upGmR3#+nt^FtfERWG_AYhk31O1k z5`q-Zr&Z%X>AIj=bP@6T;x9FVJ^A_3_7?RGm(K}>$XR}-KeL+zQHx8%{P zuMT{Ua3ZN+nA5r4uC`r%sIn&j^`L*>dbvL8w8aMXP{mRvYH0(Xu^Ab$K>F@wb{GAs zk+_Bntc`R^KB|$DGm}0Utuf}zJ>1vX(k}I$qv91R!?0%~3YcUS!m&;Bg7kq^54|+~ z_nG25wXW^-UY`5n1$6J*R@ViIAp6ZV(DEJbQ{Y5OdKO5w9x83^A!XAk?m39grM5kY zE-`1hq-K}K+CXh8#ZB4m0f8SC;JM&ha=rdSdf+K7rwghSPIt=Wg`*kifS3y@bz z^h@FV%&<5P87hNn)>*b8#iP7ozy>D=SD}6sRH-9vPHW`y$X65fp6#Hv*>4@ltH7cw%EOG|LiACARN_C9ad(Rc&}M|V z+L@rg?=sXX%<4W3;75lvi`MGo55etwthbbz&)6s=v>N$@#H|?!y z-)+UXh9;uAij6)UVB|}Ny;WRQr_%I5BbL@qC}=aYaPZ zy2PQ{<@^1*HxxJdomnVkYbOrvrXs5&JYT{!^PP1OC?ZjUM#~?V-{UOwIrHyir(prK za?7y@5)b&GI)>C=5tpd9pIi7>5r#kHr&VdtEauM;*B0@+-TuCb<2C~|R<|ok(KIEi z99oj%#Z;t}kd&@yq7KEp?Bi#^ESHiZ8Qhn7!W$-ugJkO0#r2=|)AqUKM4=g8&K4+@uNrh%rQlj zHx*u~|11#`CQy{qmGXDkPfJS3tby7V^snqaDIyluTQtR%?&g;WP*Eg*-KKj}Z3PN5 zY=ZE?@98E5^-+xoF; zk5dL@WsQ}B;Kkflz2#54>GmCx0^t+xh$hDCceDB-$EDi#!4lcZ zBgWVT^weYDI+1(~l|9}4>!juv7tZL(Uw8L?iaXF0q9VyPy|$b*C@=Ewi zphLI0pOg6gAJX55?=>!ZH6)}-+iq1j=#9&_Rh(o+aK~aIL**3rOXXoeN8FDd1>iIA zb^CMoUYYv8@2CZIY?@JRPQvr{F55O$jWWK-^wjOKcA6yC+gxt*;VPZ5TqwMzdI)+1 zdb57c-2eCMPcZ&K*v@Mz?q%$V9Mk_J6}(%$IF$}fP#k0T?i?Hj|2u6Dn}wKe2(%=L zfTiC8iXgXk1C2nSY#?Iz#?Z@ueNd!BZ`3xUEZCZB*4@G0)HsK0t*l|(k z^Krd;?BUpxeWH493oj@z2sogHTZ5Z@-$`X^^L&qJsP1+knH8?Wx&?me1a;KAtB* 
z1ZG8hFzP0tY2!(0?cti}DAj#T)^D&ux10&nI%mub=@gEv2`3AT8%ssFd?~}KmrcfC zjv##DcylS}a8U=T7t5RS7Ll8bRL5VZiy+815aPRbU_54VGn^VCPGn!;kdTZc z`$H}kRBK+abmtdEaze;wQ1^k$XCQfBqtUbME-`=W3BbkJ)clf*Skp^LFhL6qZ*06> zle(r3T6Z*LuBy;Liao~#T1tq4-t^I^F^UVm2VHItvavN;pHFP4RLa-A*6fX|=AkEi8YxT! zYBvkK?9J&^G`9-uzZE}w9tYQkR;iyJ3E7y+J*%3u_|E0aa#fSUEAd!W^Ie(^wDnMq z)P4&If~|~W#fpFb_NVV36b{pRTnl&s{sE-K*pKZmDRz;K%t~j*Tg%B+9LDvCOvj{P z+^xg%*sOG?c%1$UUKgv(uAV4$_$`#^3X2_7!jfFScDbGkW&+&HC$QD$mfvLzNH!r* zK%l{`H;}-4iYe^{)*-Vi7HM{~yB92bhG1@?viqWpcZEA$5S@#E8;Z5;*u>BD%+MRo zVzcNKD)9L_5Jkogpu9DFtuo}KV$zYI2_*HqWe&W|M3HGcWF9dAs9dMQ#tTT|Hp~4Y>3@If4AdwQjc($)y&#BG&{8;6C<;%}{ z?`^9jSylZ5+TiC|r{4q-#&y3N+IrhugVYoqmEkcW`mE7^t22eyachT)m~{%Em5QXv zqur{t)gBF@B3)%_Y`ri~t|U54(W!8jxT$mh5dS0g0g2R^bw2U;Tb4c>V+h^^9Xne} zqP;d-I3lY8nU0JvvyHhCs$=ZGXmqu621rV1zZY|`k-G_g-`jygxN7g_|K}@2h$KCDdk`^)LXOcq z&UMa^Av~-Ju4k{rlx^**kWji{b&`Z$jk>d9Z1C2IhGcGada~G8z_B3$$HtkAqIQhD zb3?BRvsyvXjZ^E~?*ZXU*6SJ?Q=FX{f6gq|78?`8u_CNP_MXXLk`r?&f7BxvwgW z2xf3ut#CGTjMP>97v;BTK6Un4^`9IzNVt@6IAOR@PPi|cjTrB!uBVl&84^)3EfTaj zi)7{@AwOO#t2{n1c{Cceq+yo?PyAW%^eC$6VFr^QX_-Y>FH3k%N7hG{ZI7mO=#(+W z2Cy}0e)ZMH!6!K zpz^L$l+S$vbRko-mNy1%eLh;E$X&w zS8Os2jNf!j=BeCE3%{1LDQl)QtCFgd`@D7|5XbXPN0&Sys7BOuNJDJpO|4abs`mQp zyCNgW&`%0{NM^}0_GHdY+tll4*36%P8y}e3yKTGpTQQxT7N=aw9zMfEce8DL%3i*y zb0o^^6kjc=jp)+v*@|qGiKJs7Ji{zE?p-(Kn6EkhvKe;8Bgdxy2X{w#;EP;2Pu$HV zt2aj|2xL)npkX+RuQVFD_kIEy-2k@8QG5)*wv!kl1s^_aOObVGA@#^(4o)+%OV%Be!VtNG)QiIyJ zJ{pfd6yqBIe$7WeYV~Lf6z}1S`n)%5DI)}RTIimo9cF%z$mP}?x|PM9oU1h-*jw&O zapX6fyN^(+4ZkxqNgXD)KP={42!obO&Qru^r6eKOX&MP-ja)}0Ji5m{b)~kVfr(|q;U~^c2PROGI&@GWZd%r6dPpz4Haal zTA$s#ZNws*vcslsOGSdP(s+|3{*Zo_5=MhJ$7Bz^&`DN zC+TSWZBZY@s0wN>KLb90K^>-F&YEG6{-o(W-T1et+iL9)_isS)R%{~1@Xr5bjm(($CK>o)Y4gJR(o&WjbjSd z?vrqvG6jkop{TY{vapd;xU_q92diN+50H10_rAAA7}gD<9Dly_udC?py3!!GKC{kL z4X9=Kti-PRT_=n~73u%s$B{n67#>K0YT2efH=3n-4bpYowU#KZqXlhH24E;Iz0UkI zW(8T|fV>4~T;2nf7xR{Dous+t(Wp=K_*zra2@s)?Tn6neEJCoT!Z!4DMjR|!wYHlG zn9h&ppw*6)woL+gE3i0FZN09jIe@6J&+y$O0zp#Av77Kt#5)!(A*S6kO&w-O$ 
zCunX9Pv{ASZ~L1YXpxJZRmC{^mzO!qx-EAOr8piuCKDe-gHULyxw2sf%gKeXiZhU; zUknavuuczMVTQdy;{L}8q{4{>(eifcW0zL9`k>?5pS>JBrWl$EL-+gz`IYBA^n~j> zE(tOxWC};G+3(GV{){2puM>4vaH~j;?AkVXS4?Z!dQW5-@JGg10hNp`1O?&TzaPZy z-l+!6$Xd|iXrf7ZkE6uyOzTo`&tz7}4v^M2-5E%C$+*b;qnexmhzsvqKMb9l73sq> zqPI;M`Q)$6UtJg$x!<5&>kW?@?I+Yp3(&55wyuAB_lB2eelj=Vb8SMay#^8y9engY zA%Bqr^{oQ6S0HnZaE3k%ZbbD9oD$Z3)@0#&2G>u6OQKlg9GgqCWv@Ox&yQbeo`JoU zUyV#lyQkU%=i`x`jJ5K7S$b>vh0mEK3($paJV>L!8sgi2R(wTVT z%rB2b)xRXW2i$=nwelrNAk`ofI!$rrviZQX`q*tbu1HJR@~B z5nHJ|mzE3YgLftZqr9OmyPyeL*>t3aN$3jPwy!gNuD-90|5>mahqmHnqm{q+{1ry; zO;cp^&%y9#S9+L1oi;1l#e&9|BbbJAOJsg*Kn9d*^b_I7 z`LZTPX!u8=Qt9B_B?+eRj$NK;U@w-~J+{I*sqis94&(@oB`zZPsU+YW>ejWeeE^NyF4VlIallp|WbqmJdG>NxUmuR(NNKOO3Bo5ixEEgNMdthLjkkozDP8z??mrgb zx0!{3zB_(ZcSaHC(e4=pA(R72bK6G{@xqOoQy`gwDxC8(UkTmE?mAuFQ`~ccE|^9N z6wI^+E(DFd!|Ki&ga6I%svi(0B+3dkER51m3(f=&I6;?d?`^y`VTqd))51!|^$GrK zvV+QU?`Q-IOze9ZfxAHt;#NphQV)khfxc12yg$G3g7FfH2OJ~c~Lk;r-9WW7HNdek9O&j zy9;G7(FzW4UD{h-i0oDR^<>x|M!F-m;BaZ+3Bo`?h~)AJA#@CBo@2m87R381HR`huL}DxK$l&dqXAgM6P2Zunf0K4c2P?->&fW{J^< zSV4Nkb4(9DIF6){B=e48a~qF|F>5GKGf<2z-AH9L&@C`2b^-@f3~F4iY&}NB?)WBq zkl;LpxpPvsA#pa27!6$h%2$K0)hqS!+kd*eT!H7+2_vFv(2A1!b+CFzGJ0K`A=}ALns;M zkL+?L;Y}GfIL>;dJmjpQ-3Sp(vHJ8Wmj>5FMSel%#|8A#MZ5pNnT>P48%^?cLa?noSvRl6d#U^>3o{3Jpjgwe2BErs;?9b> zF<=Vq6iJ4P;i@pju)6q1h$L)SSj!02Bg)`5z~_|S{rYB4p&~#BL&m6WNm!(P(cpER zy5A=|0OWgjx|_Ux?M^UaL5;)C2(HkI<6_o~dw}+e=tCJ)uBT=`_+TNN;}kWQgmnya z&Ys6CXAUxn(_nWV05J4baWy>ByDFLy z%>88jp%dy|Cnpm{caJU^@mr)s-KKKB9^_ItPCV<%+Va7q8vNbdKniG?Wf9e|QI)@> zQU-fsyfAJEvhNK}JpS()lCfwBUB4bEoCinbxq{>6OqFx~SD= z5r2&DA``e0VrhF#oX%muZQrnmSHwk5lVyBL&1ECGhJ(>6i}u*>k=OKJ*qKN?xI+t* zelbdNeog5ektU5K-4a*+3NAs1!1S^+3-8He>u~x09G>5|*>5DelF5IJHU_(wm7*l* zQDXcnj*h4zgV8X}$`e-MXtoEMhP37vZJJTq3$bn@Yt6<&&+hlrqo;-y-vnB`;!0T> zKQGdJnmX*+GXFwQX~oP!Aie7%kd z1>W@qW0kBBp!C1HvB2Ax5fcB#w4*i0p@F=C9`VdP0MkT$&qGC0&I4V5T`&Xtq7K1q z*AX-gsCtOO($mvDr^$@0joDoGr~v&ui)vijXlY~OxF#tpgWZzf;=%8}B=j5-#D0_= zg{9w9c3!7QZA!94O`c?tA9GMlW8YDk!q2KqWmYP&FR) 
zX1Eccge85qluUj&nE2+J+8aRq;+L{tRZd#%Hpoce7SFSthftNMI`KlNP%$l?{s+UT zZj}HowsC4UEJt4jDy&Zwk*M>Ops70mPagA)Ny?2UCDV{676G38M{?#6c!E>KwVcw< zC0|mnFT2Hxtech{Bsf^__~D?|7#5^QQBJV+V4fwIK%Jc2u8W+Yq zu2>mTSxk~ODH;w!EQ5>GTBpE&Pgt9pDq*4--ZsQCBV~r z5%wg(4FMH~d_k*Q4%;P>XmFS&v%H=DcuTmoTsvj)0a5~BPv@Fx_Y*BNStaDsyP2Lt z?nkL%?46&5bWyL~r1&pz9sYDX@#pixXJIIr&>gp&NrZvy25|p@NGTx6A`PY$Q|KaC zV5M-409!FO$J{H?x=B3`BA|XE?JTY#-LNS4(813i`>>yS|7(1&@JV+Z$dZ^}ISR2cDpx4 z*mZK(+HwgvKaId`YK}udZYazvH%@wQEfoJ}k^7eD{sHhsnXP~mQlD013|9zABBtfN zXwWv(g`^Ww>%}M(YhW!6-QQ9BnOGzyXh0{iJm)*QkrO1e6@Up@li<;buv5puj0fMq zZ~1X8y`Aue2h;DG0!i%jJ8(`&58K!vm>xzP<(mS>mtOilb)uyW*14N@@v>+T@D20V zk2Q_9^gUCIUwo+B-^xI|5@oH8sIeECOM<^Bu6K z>aPEQ4u_)7^0@XV)LD%rWGpJ`nu_*5pGuVKvQu`(x!etBI^#wP&&~K|B$*`A{{a;! z;W_Cy+VBhQJiJQ%kt+jwej`z71Y#K*l%a|gW-?}_f<3cH{NxVENknS#%7y7&K?E8w z-q@iXFpgfz6&SHBrA+rPa(JX^MFVY8w^e^S>t7 zS4nf%rJq8tYd6G&LwuR4=C>T{PzDXI>vuLBw_oSlw-x$8aE*UMYauDrvnCy3Oz?(j zb}H#04c1{eEdN{;m zQ_5V)FB!F3d3(>l(-cKBnURAyP!2kCXq}<v_A?E zD0#ym%46($EU-IS9(6V5C!3{o^D(0714P6@KI^C7(N9{JIJ;NvcTyyBN)n-4Z7>Mw zLcDpf6wv%B=$c^??WX7xe*+*wuiPm3`XgQQoC{&)@#cUUF$ZvO&Qp<7f3M+%!89t; zdd9ODzg&I4P#?e{cBC6F;m4$ai(rLxs{BqgEra>N)_na!h>jDJf?a-*<27m&k{)+7 z6kSnCkgSzK1Gj)o_mwOERz2H4Uz;T?kMOQFpqX9r&53F$HSDr5Y(FAp%+_dNIf2Sh z63g3B$tD8N8KE+ZnhlE=ou;A^hana-jjzPUpYB|sxD^9;FwrNdO{77Zhj4)X}sm~4N!(1HBMRGrxRkJdTXoaOlY0ba){-rLm$}IS&z+R3wrg1?UFmXI!E~N<@_M=H jd90%GVz$al>#6wcHk1AV>;(e@1A%V*{@Q?nA%OiKf|4qT literal 0 HcmV?d00001 diff --git a/charts/federatorai/federatorai/5.0.0/.helmignore b/charts/federatorai/federatorai/5.0.0/.helmignore new file mode 100644 index 000000000..50af03172 --- /dev/null +++ b/charts/federatorai/federatorai/5.0.0/.helmignore 
@@ -0,0 +1,22 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/charts/federatorai/federatorai/5.0.0/Chart.yaml b/charts/federatorai/federatorai/5.0.0/Chart.yaml
new file mode 100644
index 000000000..e4e354a11
--- /dev/null
+++ b/charts/federatorai/federatorai/5.0.0/Chart.yaml
@@ -0,0 +1,26 @@
+annotations:
+ catalog.cattle.io/certified: partner
+ catalog.cattle.io/display-name: Federator.ai
+ catalog.cattle.io/release-name: federatorai
+apiVersion: v1
+appVersion: 5.0.0-p1
+description: Federator.ai helps enterprises optimize cloud resources, maximize application
+ performance, and save significant cost without excessive over-provisioning or under-provisioning
+ of resources, meeting the service-level requirements of their applications.
+home: https://www.prophetstor.com
+icon: https://raw.githubusercontent.com/prophetstor-ai/public/master/images/logo.png
+keywords:
+- AI
+- Resource Orchestration
+- NoOps
+- AIOps
+- Intelligent Workload Management
+- Cost Optimization
+kubeVersion: 1.16 - 1.22
+maintainers:
+- email: support@prophetstor.com
+ name: ProphetStor Data Services, Inc.
+name: federatorai
+sources:
+- https://www.prophetstor.com
+version: 5.0.0
diff --git a/charts/federatorai/federatorai/5.0.0/README.md b/charts/federatorai/federatorai/5.0.0/README.md
new file mode 100644
index 000000000..928231932
--- /dev/null
+++ b/charts/federatorai/federatorai/5.0.0/README.md
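Review bot: In Chart.yaml, `kubeVersion: 1.16 - 1.22` is evaluated by Helm as a semver constraint, and a constraint with no pre-release part does not match server versions that carry one, so clusters whose version string has a vendor suffix (for example `v1.21.x-gke.N`) are likely to be refused at install time. Writing the bounds with a `-0` pre-release, e.g. `kubeVersion: '>= 1.16.0-0 < 1.23.0-0'`, keeps the intended 1.16–1.22 range while accepting those builds. The README added in the same commit lists "version 1.16 or later" as the prerequisite, so the 1.22 upper bound should either be stated there or dropped here. Separately, `icon:` is fetched from the `master` branch of an external repository, so the displayed image can change after review; a commit-pinned URL would tie it to this release.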
@@ -0,0 +1,109 @@
+# Federator.ai Operator
+Federator.ai helps enterprises optimize cloud resources, maximize application performance, and save significant cost without excessive over-provisioning or under-provisioning of resources, meeting the service-level requirements of their applications.
+
+Enterprises often lack understanding of the resources needed to support their applications. This leads to either excessive over-provisioning or under-provisioning of resources (CPU, memory, storage). Using machine learning, Federator.ai determines the optimal cloud resources needed to support any workload on Kubernetes and helps users find the best-cost instances from cloud providers for their applications.
+
+
+**Multi-layer workload prediction**
+
+Using machine learning and math-based algorithms, Federator.ai predicts containerized application and cluster node resource usage as the basis for resource recommendations at application level as well as at cluster node level. Federator.ai supports prediction for both physical/virtual CPUs and memories.
+
+
+**Auto-scaling via resource recommendation**
+
+Federator.ai utilizes the predicted resource usage to recommend the right number and size of pods for applications. Integrated with Datadog's WPA, applications are automatically scaled to meet the predicted resource usage.
+
+
+**Application-aware recommendation execution**
+
+Optimizing the resource usage and performance goals, Federator.ai uses application specific metrics for workload prediction and pod capacity estimation to auto-scale the right number of pods for best performance without overprovisioning.
+
+
+**Multi-cloud Cost Analysis**
+
+With resource usage prediction, Federator.ai analyzes potential cost of a cluster on different public cloud providers. It also recommend appropriate cluster nodes and instance types based on resource usage.
+
+
+**Custom Datadog/Sysdig Dashboards**
+
+Predefined custom Datadog/Sysdig Dashboards for workload prediction/recommendation visualization for cluster nodes and applications.
+
+
+**SUSE/Rancher Marketplace**
+
+Federator.ai can also be directly installed from SUSE/Rancher Marketplace. Please see the following how-to video for the installation procedure.
+
+https://www.youtube.com/watch?v=mBAPCCAH8kg
+
+
+**Additional resources**
+
+Want more product information? Explore detailed information about using this product and where to find additional help.
+
+* [Federator.ai Datasheet](https://www.prophetstor.com/wp-content/uploads/datasheets/Federator.ai.pdf)
+* [Quick Start Guide](https://prophetstor.com/wp-content/uploads/documentation/Federator.ai/Latest%20Version/ProphetStor%20Federator.ai%20Quick%20Installation%20Guide.pdf)
+* [Installation Guide](https://prophetstor.com/wp-content/uploads/2022/01/ProphetStor-Federator.ai-v5.0-Installation-Guide.pdf)
+* [User Guide](https://prophetstor.com/wp-content/uploads/2022/01/Federator.ai-5.0-User-Guide.pdf)
+* [Release Notes](https://prophetstor.com/wp-content/uploads/2022/01/Federator.ai-5.0-Release-Notes.pdf)
+* [Company Information](https://www.prophetstor.com/)
+
+## Prerequisites
+- The [Kubernetes](https://kubernetes.io/) version 1.16 or later.
+- The [Helm](https://helm.sh/) version is 3.x.x or later.
+
+## Add Helm chart repository
+```
+helm repo add prophetstor https://prophetstor-ai.github.io/federatorai-operator-helm/
+```
+
+## Test the Helm chart repository
+```
+helm search repo federatorai
+```
+
+## Installing with the release name `my-name`:
+```
+helm install `my-name` prophetstor/federatorai --namespace=federatorai --create-namespace
+```
+
+## To uninstall/delete the `my-name` deployment:
+```
+helm ls --all-namespaces
+helm delete `my-name` --namespace=federatorai
+```
+
+## To delete the Custom Resource Definitions (CRDs):
+```
+kubectl delete crd alamedaservices.federatorai.containers.ai
+```
+
+
+## Configuration
+
+The following table lists the configurable parameters of the chart and their default values are specfied insde values.yaml.
+
+| Parameter | Description |
+| ---------------------------------------------------------------- | --------------------------------------------- |
+| `image.pullPolicy` | Container pull policy |
+| `image.repository` | Image for Federator.ai operator |
+| `image.tag` | Image Tag for Federator.ai operator |
+| `federatorai.imageLocation` | Image Location for services containers |
+| `federatorai.persistence.enabled` | Enable persistent volumes |
+| `federatorai.persistence.storageClass` | Storage Class Name of persistent volumes |
+| `federatorai.persistence.storages.logStorage.size` | Log volume size |
+| `federatorai.persistence.aiCore.dataStorage.size` | AICore data volume size |
+| `federatorai.persistence.influxdb.dataStorage.size` | Influxdb data volume size |
+| `federatorai.persistence.fedemeterInfluxdb.dataStorage.size` | Fedemeter influxdb data volume size |
+| `federatorai.persistence.federatoraiPostgreSQL.dataStorage.size` | PostgreSQL data volume size |
+| `services.dashboardFrontend.nodePort` | Port of the Dashboard service |
+| `services.rest.nodePort` | Port of the REST service |
+
+Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`.
+
+Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. For example,
+
+```shell
+helm install `my-name` prophetstor/federatorai -f values.yaml --namespace=federatorai --create-namespace
+```
+
+> **Tip**: You can use the default [values.yaml](values.yaml)
diff --git a/charts/federatorai/federatorai/5.0.0/app-readme.md b/charts/federatorai/federatorai/5.0.0/app-readme.md
new file mode 100644
index 000000000..fe6cbd989
--- /dev/null
+++ b/charts/federatorai/federatorai/5.0.0/app-readme.md
@@ -0,0 +1,48 @@
+# Federator.ai Operator
+Federator.ai helps enterprises optimize cloud resources, maximize application performance, and save significant cost without excessive over-provisioning or under-provisioning of resources, meeting the service-level requirements of their applications.
+
+Enterprises often lack understanding of the resources needed to support their applications. This leads to either excessive over-provisioning or under-provisioning of resources (CPU, memory, storage). Using machine learning, Federator.ai determines the optimal cloud resources needed to support any workload on Kubernetes and helps users find the best-cost instances from cloud providers for their applications.
+
+
+**Multi-layer workload prediction**
+
+Using machine learning and math-based algorithms, Federator.ai predicts containerized application and cluster node resource usage as the basis for resource recommendations at application level as well as at cluster node level. Federator.ai supports prediction for both physical/virtual CPUs and memories.
+
+
+**Auto-scaling via resource recommendation**
+
+Federator.ai utilizes the predicted resource usage to recommend the right number and size of pods for applications. Integrated with Datadog's WPA, applications are automatically scaled to meet the predicted resource usage.
+
+
+**Application-aware recommendation execution**
+
+Optimizing the resource usage and performance goals, Federator.ai uses application specific metrics for workload prediction and pod capacity estimation to auto-scale the right number of pods for best performance without overprovisioning.
+
+
+**Multi-cloud Cost Analysis**
+
+With resource usage prediction, Federator.ai analyzes potential cost of a cluster on different public cloud providers. It also recommend appropriate cluster nodes and instance types based on resource usage.
+
+
+**Custom Datadog/Sysdig Dashboards**
+
+Predefined custom Datadog/Sysdig Dashboards for workload prediction/recommendation visualization for cluster nodes and applications.
+
+
+**SUSE/Rancher Marketplace**
+
+Federator.ai can also be directly installed from SUSE/Rancher Marketplace. Please see the following how-to video for the installation procedure.
+
+https://www.youtube.com/watch?v=mBAPCCAH8kg
+
+
+**Additional resources**
+
+Want more product information? Explore detailed information about using this product and where to find additional help.
+
+* [Federator.ai Datasheet](https://www.prophetstor.com/wp-content/uploads/datasheets/Federator.ai.pdf)
+* [Quick Start Guide](https://prophetstor.com/wp-content/uploads/documentation/Federator.ai/Latest%20Version/ProphetStor%20Federator.ai%20Quick%20Installation%20Guide.pdf)
+* [Installation Guide](https://prophetstor.com/wp-content/uploads/2022/01/ProphetStor-Federator.ai-v5.0-Installation-Guide.pdf)
+* [User Guide](https://prophetstor.com/wp-content/uploads/2022/01/Federator.ai-5.0-User-Guide.pdf)
+* [Release Notes](https://prophetstor.com/wp-content/uploads/2022/01/Federator.ai-5.0-Release-Notes.pdf)
+* [Company Information](https://www.prophetstor.com/)
diff --git a/charts/federatorai/federatorai/5.0.0/crds/02-alamedaservice.crd.yaml b/charts/federatorai/federatorai/5.0.0/crds/02-alamedaservice.crd.yaml
new file mode 100644
index 000000000..2f807b63f
--- /dev/null
+++ b/charts/federatorai/federatorai/5.0.0/crds/02-alamedaservice.crd.yaml
@@ -0,0 +1,3597 @@ + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.7.0 + helm.sh/hook: crd-install + creationTimestamp: null + name: alamedaservices.federatorai.containers.ai +spec: + group: federatorai.containers.ai + names: + kind: AlamedaService + listKind: AlamedaServiceList + plural: alamedaservices + singular: alamedaservice + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.enableExecution + name: Execution + type: boolean + - jsonPath: .spec.version + name: Version + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: AlamedaService is the Schema for the alamedaservices API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: AlamedaServiceSpec defines the desired state of AlamedaService + properties: + alameda-dispatcher: + properties: + bootstrap: + properties: + image: + type: string + imagepullpolicy: + description: PullPolicy describes a policy for if/when to + pull a container image + type: string + type: object + env: + items: + description: EnvVar represents an environment variable present + in a Container. 
+ properties: + name: + description: Name of the environment variable. Must be a + C_IDENTIFIER. + type: string + value: + description: 'Variable references $(VAR_NAME) are expanded + using the previously defined environment variables in + the container and any service environment variables. If + a variable cannot be resolved, the reference in the input + string will be unchanged. Double $$ are reduced to a single + $, which allows for escaping the $(VAR_NAME) syntax: i.e. + "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". + Escaped references will never be expanded, regardless + of whether the variable exists or not. Defaults to "".' + type: string + valueFrom: + description: Source for the environment variable's value. + Cannot be used if value is not empty. + properties: + configMapKeyRef: + description: Selects a key of a ConfigMap. + properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + optional: + description: Specify whether the ConfigMap or its + key must be defined + type: boolean + required: + - key + type: object + fieldRef: + description: 'Selects a field of the pod: supports metadata.name, + metadata.namespace, `metadata.labels['''']`, + `metadata.annotations['''']`, spec.nodeName, + spec.serviceAccountName, status.hostIP, status.podIP, + status.podIPs.' + properties: + apiVersion: + description: Version of the schema the FieldPath + is written in terms of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to select in the + specified API version. 
+ type: string + required: + - fieldPath + type: object + resourceFieldRef: + description: 'Selects a resource of the container: only + resources limits and requests (limits.cpu, limits.memory, + limits.ephemeral-storage, requests.cpu, requests.memory + and requests.ephemeral-storage) are currently supported.' + properties: + containerName: + description: 'Container name: required for volumes, + optional for env vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output format of the + exposed resources, defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to select' + type: string + required: + - resource + type: object + secretKeyRef: + description: Selects a key of a secret in the pod's + namespace + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + optional: + description: Specify whether the Secret or its key + must be defined + type: boolean + required: + - key + type: object + type: object + required: + - name + type: object + type: array + image: + type: string + imagepullpolicy: + description: PullPolicy describes a policy for if/when to pull + a container image + type: string + replicas: + format: int32 + minimum: 0 + type: integer + resources: + description: ResourceRequirements describes the compute resource + requirements. 
+ properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes the maximum amount of compute + resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes the minimum amount of compute + resources required. If Requests is omitted for a container, + it defaults to Limits if that is explicitly specified, otherwise + to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + type: object + storages: + items: + properties: + accessModes: + items: + type: string + type: array + class: + type: string + size: + type: string + type: + enum: + - pvc + - ephemeral + type: string + usage: + enum: + - log + - data + type: string + required: + - type + - usage + type: object + type: array + type: object + alamedaAi: + properties: + bootstrap: + properties: + image: + type: string + imagepullpolicy: + description: PullPolicy describes a policy for if/when to + pull a container image + type: string + type: object + env: + items: + description: EnvVar represents an environment variable present + in a Container. + properties: + name: + description: Name of the environment variable. Must be a + C_IDENTIFIER. + type: string + value: + description: 'Variable references $(VAR_NAME) are expanded + using the previously defined environment variables in + the container and any service environment variables. 
If + a variable cannot be resolved, the reference in the input + string will be unchanged. Double $$ are reduced to a single + $, which allows for escaping the $(VAR_NAME) syntax: i.e. + "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". + Escaped references will never be expanded, regardless + of whether the variable exists or not. Defaults to "".' + type: string + valueFrom: + description: Source for the environment variable's value. + Cannot be used if value is not empty. + properties: + configMapKeyRef: + description: Selects a key of a ConfigMap. + properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + optional: + description: Specify whether the ConfigMap or its + key must be defined + type: boolean + required: + - key + type: object + fieldRef: + description: 'Selects a field of the pod: supports metadata.name, + metadata.namespace, `metadata.labels['''']`, + `metadata.annotations['''']`, spec.nodeName, + spec.serviceAccountName, status.hostIP, status.podIP, + status.podIPs.' + properties: + apiVersion: + description: Version of the schema the FieldPath + is written in terms of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to select in the + specified API version. + type: string + required: + - fieldPath + type: object + resourceFieldRef: + description: 'Selects a resource of the container: only + resources limits and requests (limits.cpu, limits.memory, + limits.ephemeral-storage, requests.cpu, requests.memory + and requests.ephemeral-storage) are currently supported.' 
+ properties: + containerName: + description: 'Container name: required for volumes, + optional for env vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output format of the + exposed resources, defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to select' + type: string + required: + - resource + type: object + secretKeyRef: + description: Selects a key of a secret in the pod's + namespace + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + optional: + description: Specify whether the Secret or its key + must be defined + type: boolean + required: + - key + type: object + type: object + required: + - name + type: object + type: array + image: + type: string + imagepullpolicy: + description: PullPolicy describes a policy for if/when to pull + a container image + type: string + replicas: + format: int32 + minimum: 0 + type: integer + resources: + description: ResourceRequirements describes the compute resource + requirements. + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes the maximum amount of compute + resources allowed. 
More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes the minimum amount of compute + resources required. If Requests is omitted for a container, + it defaults to Limits if that is explicitly specified, otherwise + to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + type: object + storages: + items: + properties: + accessModes: + items: + type: string + type: array + class: + type: string + size: + type: string + type: + enum: + - pvc + - ephemeral + type: string + usage: + enum: + - log + - data + type: string + required: + - type + - usage + type: object + type: array + type: object + alamedaDatahub: + properties: + bootstrap: + properties: + image: + type: string + imagepullpolicy: + description: PullPolicy describes a policy for if/when to + pull a container image + type: string + type: object + env: + items: + description: EnvVar represents an environment variable present + in a Container. + properties: + name: + description: Name of the environment variable. Must be a + C_IDENTIFIER. + type: string + value: + description: 'Variable references $(VAR_NAME) are expanded + using the previously defined environment variables in + the container and any service environment variables. If + a variable cannot be resolved, the reference in the input + string will be unchanged. Double $$ are reduced to a single + $, which allows for escaping the $(VAR_NAME) syntax: i.e. + "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". + Escaped references will never be expanded, regardless + of whether the variable exists or not. Defaults to "".' 
+ type: string + valueFrom: + description: Source for the environment variable's value. + Cannot be used if value is not empty. + properties: + configMapKeyRef: + description: Selects a key of a ConfigMap. + properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + optional: + description: Specify whether the ConfigMap or its + key must be defined + type: boolean + required: + - key + type: object + fieldRef: + description: 'Selects a field of the pod: supports metadata.name, + metadata.namespace, `metadata.labels['''']`, + `metadata.annotations['''']`, spec.nodeName, + spec.serviceAccountName, status.hostIP, status.podIP, + status.podIPs.' + properties: + apiVersion: + description: Version of the schema the FieldPath + is written in terms of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to select in the + specified API version. + type: string + required: + - fieldPath + type: object + resourceFieldRef: + description: 'Selects a resource of the container: only + resources limits and requests (limits.cpu, limits.memory, + limits.ephemeral-storage, requests.cpu, requests.memory + and requests.ephemeral-storage) are currently supported.' 
+ properties: + containerName: + description: 'Container name: required for volumes, + optional for env vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output format of the + exposed resources, defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to select' + type: string + required: + - resource + type: object + secretKeyRef: + description: Selects a key of a secret in the pod's + namespace + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + optional: + description: Specify whether the Secret or its key + must be defined + type: boolean + required: + - key + type: object + type: object + required: + - name + type: object + type: array + image: + type: string + imagepullpolicy: + description: PullPolicy describes a policy for if/when to pull + a container image + type: string + replicas: + format: int32 + minimum: 0 + type: integer + resources: + description: ResourceRequirements describes the compute resource + requirements. + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes the maximum amount of compute + resources allowed. 
More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes the minimum amount of compute + resources required. If Requests is omitted for a container, + it defaults to Limits if that is explicitly specified, otherwise + to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + type: object + storages: + items: + properties: + accessModes: + items: + type: string + type: array + class: + type: string + size: + type: string + type: + enum: + - pvc + - ephemeral + type: string + usage: + enum: + - log + - data + type: string + required: + - type + - usage + type: object + type: array + type: object + alamedaExecutor: + properties: + bootstrap: + properties: + image: + type: string + imagepullpolicy: + description: PullPolicy describes a policy for if/when to + pull a container image + type: string + type: object + env: + items: + description: EnvVar represents an environment variable present + in a Container. + properties: + name: + description: Name of the environment variable. Must be a + C_IDENTIFIER. + type: string + value: + description: 'Variable references $(VAR_NAME) are expanded + using the previously defined environment variables in + the container and any service environment variables. If + a variable cannot be resolved, the reference in the input + string will be unchanged. Double $$ are reduced to a single + $, which allows for escaping the $(VAR_NAME) syntax: i.e. + "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". + Escaped references will never be expanded, regardless + of whether the variable exists or not. Defaults to "".' 
+ type: string + valueFrom: + description: Source for the environment variable's value. + Cannot be used if value is not empty. + properties: + configMapKeyRef: + description: Selects a key of a ConfigMap. + properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + optional: + description: Specify whether the ConfigMap or its + key must be defined + type: boolean + required: + - key + type: object + fieldRef: + description: 'Selects a field of the pod: supports metadata.name, + metadata.namespace, `metadata.labels['''']`, + `metadata.annotations['''']`, spec.nodeName, + spec.serviceAccountName, status.hostIP, status.podIP, + status.podIPs.' + properties: + apiVersion: + description: Version of the schema the FieldPath + is written in terms of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to select in the + specified API version. + type: string + required: + - fieldPath + type: object + resourceFieldRef: + description: 'Selects a resource of the container: only + resources limits and requests (limits.cpu, limits.memory, + limits.ephemeral-storage, requests.cpu, requests.memory + and requests.ephemeral-storage) are currently supported.' 
+ properties: + containerName: + description: 'Container name: required for volumes, + optional for env vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output format of the + exposed resources, defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to select' + type: string + required: + - resource + type: object + secretKeyRef: + description: Selects a key of a secret in the pod's + namespace + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + optional: + description: Specify whether the Secret or its key + must be defined + type: boolean + required: + - key + type: object + type: object + required: + - name + type: object + type: array + image: + type: string + imagepullpolicy: + description: PullPolicy describes a policy for if/when to pull + a container image + type: string + replicas: + format: int32 + minimum: 0 + type: integer + resources: + description: ResourceRequirements describes the compute resource + requirements. + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes the maximum amount of compute + resources allowed. 
More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes the minimum amount of compute + resources required. If Requests is omitted for a container, + it defaults to Limits if that is explicitly specified, otherwise + to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + type: object + storages: + items: + properties: + accessModes: + items: + type: string + type: array + class: + type: string + size: + type: string + type: + enum: + - pvc + - ephemeral + type: string + usage: + enum: + - log + - data + type: string + required: + - type + - usage + type: object + type: array + type: object + alamedaInfluxdb: + properties: + bootstrap: + properties: + image: + type: string + imagepullpolicy: + description: PullPolicy describes a policy for if/when to + pull a container image + type: string + type: object + env: + items: + description: EnvVar represents an environment variable present + in a Container. + properties: + name: + description: Name of the environment variable. Must be a + C_IDENTIFIER. + type: string + value: + description: 'Variable references $(VAR_NAME) are expanded + using the previously defined environment variables in + the container and any service environment variables. If + a variable cannot be resolved, the reference in the input + string will be unchanged. Double $$ are reduced to a single + $, which allows for escaping the $(VAR_NAME) syntax: i.e. + "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". + Escaped references will never be expanded, regardless + of whether the variable exists or not. Defaults to "".' 
+ type: string + valueFrom: + description: Source for the environment variable's value. + Cannot be used if value is not empty. + properties: + configMapKeyRef: + description: Selects a key of a ConfigMap. + properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + optional: + description: Specify whether the ConfigMap or its + key must be defined + type: boolean + required: + - key + type: object + fieldRef: + description: 'Selects a field of the pod: supports metadata.name, + metadata.namespace, `metadata.labels['''']`, + `metadata.annotations['''']`, spec.nodeName, + spec.serviceAccountName, status.hostIP, status.podIP, + status.podIPs.' + properties: + apiVersion: + description: Version of the schema the FieldPath + is written in terms of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to select in the + specified API version. + type: string + required: + - fieldPath + type: object + resourceFieldRef: + description: 'Selects a resource of the container: only + resources limits and requests (limits.cpu, limits.memory, + limits.ephemeral-storage, requests.cpu, requests.memory + and requests.ephemeral-storage) are currently supported.' 
+ properties: + containerName: + description: 'Container name: required for volumes, + optional for env vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output format of the + exposed resources, defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to select' + type: string + required: + - resource + type: object + secretKeyRef: + description: Selects a key of a secret in the pod's + namespace + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + optional: + description: Specify whether the Secret or its key + must be defined + type: boolean + required: + - key + type: object + type: object + required: + - name + type: object + type: array + image: + type: string + imagepullpolicy: + description: PullPolicy describes a policy for if/when to pull + a container image + type: string + replicas: + format: int32 + minimum: 0 + type: integer + resources: + description: ResourceRequirements describes the compute resource + requirements. + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes the maximum amount of compute + resources allowed. 
More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes the minimum amount of compute + resources required. If Requests is omitted for a container, + it defaults to Limits if that is explicitly specified, otherwise + to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + type: object + storages: + items: + properties: + accessModes: + items: + type: string + type: array + class: + type: string + size: + type: string + type: + enum: + - pvc + - ephemeral + type: string + usage: + enum: + - log + - data + type: string + required: + - type + - usage + type: object + type: array + type: object + alamedaNotifier: + properties: + bootstrap: + properties: + image: + type: string + imagepullpolicy: + description: PullPolicy describes a policy for if/when to + pull a container image + type: string + type: object + env: + items: + description: EnvVar represents an environment variable present + in a Container. + properties: + name: + description: Name of the environment variable. Must be a + C_IDENTIFIER. + type: string + value: + description: 'Variable references $(VAR_NAME) are expanded + using the previously defined environment variables in + the container and any service environment variables. If + a variable cannot be resolved, the reference in the input + string will be unchanged. Double $$ are reduced to a single + $, which allows for escaping the $(VAR_NAME) syntax: i.e. + "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". + Escaped references will never be expanded, regardless + of whether the variable exists or not. Defaults to "".' 
+ type: string + valueFrom: + description: Source for the environment variable's value. + Cannot be used if value is not empty. + properties: + configMapKeyRef: + description: Selects a key of a ConfigMap. + properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + optional: + description: Specify whether the ConfigMap or its + key must be defined + type: boolean + required: + - key + type: object + fieldRef: + description: 'Selects a field of the pod: supports metadata.name, + metadata.namespace, `metadata.labels['''']`, + `metadata.annotations['''']`, spec.nodeName, + spec.serviceAccountName, status.hostIP, status.podIP, + status.podIPs.' + properties: + apiVersion: + description: Version of the schema the FieldPath + is written in terms of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to select in the + specified API version. + type: string + required: + - fieldPath + type: object + resourceFieldRef: + description: 'Selects a resource of the container: only + resources limits and requests (limits.cpu, limits.memory, + limits.ephemeral-storage, requests.cpu, requests.memory + and requests.ephemeral-storage) are currently supported.' 
+ properties: + containerName: + description: 'Container name: required for volumes, + optional for env vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output format of the + exposed resources, defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to select' + type: string + required: + - resource + type: object + secretKeyRef: + description: Selects a key of a secret in the pod's + namespace + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + optional: + description: Specify whether the Secret or its key + must be defined + type: boolean + required: + - key + type: object + type: object + required: + - name + type: object + type: array + image: + type: string + imagepullpolicy: + description: PullPolicy describes a policy for if/when to pull + a container image + type: string + replicas: + format: int32 + minimum: 0 + type: integer + resources: + description: ResourceRequirements describes the compute resource + requirements. + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes the maximum amount of compute + resources allowed. 
More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes the minimum amount of compute + resources required. If Requests is omitted for a container, + it defaults to Limits if that is explicitly specified, otherwise + to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + type: object + storages: + items: + properties: + accessModes: + items: + type: string + type: array + class: + type: string + size: + type: string + type: + enum: + - pvc + - ephemeral + type: string + usage: + enum: + - log + - data + type: string + required: + - type + - usage + type: object + type: array + type: object + alamedaRabbitMQ: + properties: + bootstrap: + properties: + image: + type: string + imagepullpolicy: + description: PullPolicy describes a policy for if/when to + pull a container image + type: string + type: object + env: + items: + description: EnvVar represents an environment variable present + in a Container. + properties: + name: + description: Name of the environment variable. Must be a + C_IDENTIFIER. + type: string + value: + description: 'Variable references $(VAR_NAME) are expanded + using the previously defined environment variables in + the container and any service environment variables. If + a variable cannot be resolved, the reference in the input + string will be unchanged. Double $$ are reduced to a single + $, which allows for escaping the $(VAR_NAME) syntax: i.e. + "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". + Escaped references will never be expanded, regardless + of whether the variable exists or not. Defaults to "".' 
+ type: string + valueFrom: + description: Source for the environment variable's value. + Cannot be used if value is not empty. + properties: + configMapKeyRef: + description: Selects a key of a ConfigMap. + properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + optional: + description: Specify whether the ConfigMap or its + key must be defined + type: boolean + required: + - key + type: object + fieldRef: + description: 'Selects a field of the pod: supports metadata.name, + metadata.namespace, `metadata.labels['''']`, + `metadata.annotations['''']`, spec.nodeName, + spec.serviceAccountName, status.hostIP, status.podIP, + status.podIPs.' + properties: + apiVersion: + description: Version of the schema the FieldPath + is written in terms of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to select in the + specified API version. + type: string + required: + - fieldPath + type: object + resourceFieldRef: + description: 'Selects a resource of the container: only + resources limits and requests (limits.cpu, limits.memory, + limits.ephemeral-storage, requests.cpu, requests.memory + and requests.ephemeral-storage) are currently supported.' 
+ properties: + containerName: + description: 'Container name: required for volumes, + optional for env vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output format of the + exposed resources, defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to select' + type: string + required: + - resource + type: object + secretKeyRef: + description: Selects a key of a secret in the pod's + namespace + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + optional: + description: Specify whether the Secret or its key + must be defined + type: boolean + required: + - key + type: object + type: object + required: + - name + type: object + type: array + image: + type: string + imagepullpolicy: + description: PullPolicy describes a policy for if/when to pull + a container image + type: string + replicas: + format: int32 + minimum: 0 + type: integer + resources: + description: ResourceRequirements describes the compute resource + requirements. + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes the maximum amount of compute + resources allowed. 
More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes the minimum amount of compute + resources required. If Requests is omitted for a container, + it defaults to Limits if that is explicitly specified, otherwise + to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + type: object + storages: + items: + properties: + accessModes: + items: + type: string + type: array + class: + type: string + size: + type: string + type: + enum: + - pvc + - ephemeral + type: string + usage: + enum: + - log + - data + type: string + required: + - type + - usage + type: object + type: array + type: object + enableExecution: + type: boolean + enablePreloader: + type: boolean + env: + items: + description: EnvVar represents an environment variable present in + a Container. + properties: + name: + description: Name of the environment variable. Must be a C_IDENTIFIER. + type: string + value: + description: 'Variable references $(VAR_NAME) are expanded using + the previously defined environment variables in the container + and any service environment variables. If a variable cannot + be resolved, the reference in the input string will be unchanged. + Double $$ are reduced to a single $, which allows for escaping + the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will produce the + string literal "$(VAR_NAME)". Escaped references will never + be expanded, regardless of whether the variable exists or + not. Defaults to "".' + type: string + valueFrom: + description: Source for the environment variable's value. Cannot + be used if value is not empty. 
+ properties: + configMapKeyRef: + description: Selects a key of a ConfigMap. + properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + optional: + description: Specify whether the ConfigMap or its key + must be defined + type: boolean + required: + - key + type: object + fieldRef: + description: 'Selects a field of the pod: supports metadata.name, + metadata.namespace, `metadata.labels['''']`, `metadata.annotations['''']`, + spec.nodeName, spec.serviceAccountName, status.hostIP, + status.podIP, status.podIPs.' + properties: + apiVersion: + description: Version of the schema the FieldPath is + written in terms of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to select in the specified + API version. + type: string + required: + - fieldPath + type: object + resourceFieldRef: + description: 'Selects a resource of the container: only + resources limits and requests (limits.cpu, limits.memory, + limits.ephemeral-storage, requests.cpu, requests.memory + and requests.ephemeral-storage) are currently supported.' + properties: + containerName: + description: 'Container name: required for volumes, + optional for env vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output format of the exposed + resources, defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to select' + type: string + required: + - resource + type: object + secretKeyRef: + description: Selects a key of a secret in the pod's namespace + properties: + key: + description: The key of the secret to select from. 
Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + optional: + description: Specify whether the Secret or its key must + be defined + type: boolean + required: + - key + type: object + type: object + required: + - name + type: object + type: array + fedemeter: + properties: + bootstrap: + properties: + image: + type: string + imagepullpolicy: + description: PullPolicy describes a policy for if/when to + pull a container image + type: string + type: object + env: + items: + description: EnvVar represents an environment variable present + in a Container. + properties: + name: + description: Name of the environment variable. Must be a + C_IDENTIFIER. + type: string + value: + description: 'Variable references $(VAR_NAME) are expanded + using the previously defined environment variables in + the container and any service environment variables. If + a variable cannot be resolved, the reference in the input + string will be unchanged. Double $$ are reduced to a single + $, which allows for escaping the $(VAR_NAME) syntax: i.e. + "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". + Escaped references will never be expanded, regardless + of whether the variable exists or not. Defaults to "".' + type: string + valueFrom: + description: Source for the environment variable's value. + Cannot be used if value is not empty. + properties: + configMapKeyRef: + description: Selects a key of a ConfigMap. + properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' 
+ type: string + optional: + description: Specify whether the ConfigMap or its + key must be defined + type: boolean + required: + - key + type: object + fieldRef: + description: 'Selects a field of the pod: supports metadata.name, + metadata.namespace, `metadata.labels['''']`, + `metadata.annotations['''']`, spec.nodeName, + spec.serviceAccountName, status.hostIP, status.podIP, + status.podIPs.' + properties: + apiVersion: + description: Version of the schema the FieldPath + is written in terms of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to select in the + specified API version. + type: string + required: + - fieldPath + type: object + resourceFieldRef: + description: 'Selects a resource of the container: only + resources limits and requests (limits.cpu, limits.memory, + limits.ephemeral-storage, requests.cpu, requests.memory + and requests.ephemeral-storage) are currently supported.' + properties: + containerName: + description: 'Container name: required for volumes, + optional for env vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output format of the + exposed resources, defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to select' + type: string + required: + - resource + type: object + secretKeyRef: + description: Selects a key of a secret in the pod's + namespace + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' 
+ type: string + optional: + description: Specify whether the Secret or its key + must be defined + type: boolean + required: + - key + type: object + type: object + required: + - name + type: object + type: array + image: + type: string + imagepullpolicy: + description: PullPolicy describes a policy for if/when to pull + a container image + type: string + replicas: + format: int32 + minimum: 0 + type: integer + resources: + description: ResourceRequirements describes the compute resource + requirements. + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes the maximum amount of compute + resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes the minimum amount of compute + resources required. If Requests is omitted for a container, + it defaults to Limits if that is explicitly specified, otherwise + to an implementation-defined value. 
More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + type: object + storages: + items: + properties: + accessModes: + items: + type: string + type: array + class: + type: string + size: + type: string + type: + enum: + - pvc + - ephemeral + type: string + usage: + enum: + - log + - data + type: string + required: + - type + - usage + type: object + type: array + type: object + fedemeterInfluxdb: + properties: + bootstrap: + properties: + image: + type: string + imagepullpolicy: + description: PullPolicy describes a policy for if/when to + pull a container image + type: string + type: object + env: + items: + description: EnvVar represents an environment variable present + in a Container. + properties: + name: + description: Name of the environment variable. Must be a + C_IDENTIFIER. + type: string + value: + description: 'Variable references $(VAR_NAME) are expanded + using the previously defined environment variables in + the container and any service environment variables. If + a variable cannot be resolved, the reference in the input + string will be unchanged. Double $$ are reduced to a single + $, which allows for escaping the $(VAR_NAME) syntax: i.e. + "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". + Escaped references will never be expanded, regardless + of whether the variable exists or not. Defaults to "".' + type: string + valueFrom: + description: Source for the environment variable's value. + Cannot be used if value is not empty. + properties: + configMapKeyRef: + description: Selects a key of a ConfigMap. + properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' 
+ type: string + optional: + description: Specify whether the ConfigMap or its + key must be defined + type: boolean + required: + - key + type: object + fieldRef: + description: 'Selects a field of the pod: supports metadata.name, + metadata.namespace, `metadata.labels['''']`, + `metadata.annotations['''']`, spec.nodeName, + spec.serviceAccountName, status.hostIP, status.podIP, + status.podIPs.' + properties: + apiVersion: + description: Version of the schema the FieldPath + is written in terms of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to select in the + specified API version. + type: string + required: + - fieldPath + type: object + resourceFieldRef: + description: 'Selects a resource of the container: only + resources limits and requests (limits.cpu, limits.memory, + limits.ephemeral-storage, requests.cpu, requests.memory + and requests.ephemeral-storage) are currently supported.' + properties: + containerName: + description: 'Container name: required for volumes, + optional for env vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output format of the + exposed resources, defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to select' + type: string + required: + - resource + type: object + secretKeyRef: + description: Selects a key of a secret in the pod's + namespace + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' 
+ type: string + optional: + description: Specify whether the Secret or its key + must be defined + type: boolean + required: + - key + type: object + type: object + required: + - name + type: object + type: array + image: + type: string + imagepullpolicy: + description: PullPolicy describes a policy for if/when to pull + a container image + type: string + replicas: + format: int32 + minimum: 0 + type: integer + resources: + description: ResourceRequirements describes the compute resource + requirements. + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes the maximum amount of compute + resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes the minimum amount of compute + resources required. If Requests is omitted for a container, + it defaults to Limits if that is explicitly specified, otherwise + to an implementation-defined value. 
More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + type: object + storages: + items: + properties: + accessModes: + items: + type: string + type: array + class: + type: string + size: + type: string + type: + enum: + - pvc + - ephemeral + type: string + usage: + enum: + - log + - data + type: string + required: + - type + - usage + type: object + type: array + type: object + federatoraiAgent: + properties: + bootstrap: + properties: + image: + type: string + imagepullpolicy: + description: PullPolicy describes a policy for if/when to + pull a container image + type: string + type: object + env: + items: + description: EnvVar represents an environment variable present + in a Container. + properties: + name: + description: Name of the environment variable. Must be a + C_IDENTIFIER. + type: string + value: + description: 'Variable references $(VAR_NAME) are expanded + using the previously defined environment variables in + the container and any service environment variables. If + a variable cannot be resolved, the reference in the input + string will be unchanged. Double $$ are reduced to a single + $, which allows for escaping the $(VAR_NAME) syntax: i.e. + "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". + Escaped references will never be expanded, regardless + of whether the variable exists or not. Defaults to "".' + type: string + valueFrom: + description: Source for the environment variable's value. + Cannot be used if value is not empty. + properties: + configMapKeyRef: + description: Selects a key of a ConfigMap. + properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' 
+ type: string + optional: + description: Specify whether the ConfigMap or its + key must be defined + type: boolean + required: + - key + type: object + fieldRef: + description: 'Selects a field of the pod: supports metadata.name, + metadata.namespace, `metadata.labels['''']`, + `metadata.annotations['''']`, spec.nodeName, + spec.serviceAccountName, status.hostIP, status.podIP, + status.podIPs.' + properties: + apiVersion: + description: Version of the schema the FieldPath + is written in terms of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to select in the + specified API version. + type: string + required: + - fieldPath + type: object + resourceFieldRef: + description: 'Selects a resource of the container: only + resources limits and requests (limits.cpu, limits.memory, + limits.ephemeral-storage, requests.cpu, requests.memory + and requests.ephemeral-storage) are currently supported.' + properties: + containerName: + description: 'Container name: required for volumes, + optional for env vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output format of the + exposed resources, defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to select' + type: string + required: + - resource + type: object + secretKeyRef: + description: Selects a key of a secret in the pod's + namespace + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' 
+ type: string + optional: + description: Specify whether the Secret or its key + must be defined + type: boolean + required: + - key + type: object + type: object + required: + - name + type: object + type: array + image: + type: string + imagepullpolicy: + description: PullPolicy describes a policy for if/when to pull + a container image + type: string + replicas: + format: int32 + minimum: 0 + type: integer + resources: + description: ResourceRequirements describes the compute resource + requirements. + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes the maximum amount of compute + resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes the minimum amount of compute + resources required. If Requests is omitted for a container, + it defaults to Limits if that is explicitly specified, otherwise + to an implementation-defined value. 
More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + type: object + storages: + items: + properties: + accessModes: + items: + type: string + type: array + class: + type: string + size: + type: string + type: + enum: + - pvc + - ephemeral + type: string + usage: + enum: + - log + - data + type: string + required: + - type + - usage + type: object + type: array + type: object + federatoraiAgentPreloader: + properties: + bootstrap: + properties: + image: + type: string + imagepullpolicy: + description: PullPolicy describes a policy for if/when to + pull a container image + type: string + type: object + env: + items: + description: EnvVar represents an environment variable present + in a Container. + properties: + name: + description: Name of the environment variable. Must be a + C_IDENTIFIER. + type: string + value: + description: 'Variable references $(VAR_NAME) are expanded + using the previously defined environment variables in + the container and any service environment variables. If + a variable cannot be resolved, the reference in the input + string will be unchanged. Double $$ are reduced to a single + $, which allows for escaping the $(VAR_NAME) syntax: i.e. + "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". + Escaped references will never be expanded, regardless + of whether the variable exists or not. Defaults to "".' + type: string + valueFrom: + description: Source for the environment variable's value. + Cannot be used if value is not empty. + properties: + configMapKeyRef: + description: Selects a key of a ConfigMap. + properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' 
+ type: string + optional: + description: Specify whether the ConfigMap or its + key must be defined + type: boolean + required: + - key + type: object + fieldRef: + description: 'Selects a field of the pod: supports metadata.name, + metadata.namespace, `metadata.labels['''']`, + `metadata.annotations['''']`, spec.nodeName, + spec.serviceAccountName, status.hostIP, status.podIP, + status.podIPs.' + properties: + apiVersion: + description: Version of the schema the FieldPath + is written in terms of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to select in the + specified API version. + type: string + required: + - fieldPath + type: object + resourceFieldRef: + description: 'Selects a resource of the container: only + resources limits and requests (limits.cpu, limits.memory, + limits.ephemeral-storage, requests.cpu, requests.memory + and requests.ephemeral-storage) are currently supported.' + properties: + containerName: + description: 'Container name: required for volumes, + optional for env vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output format of the + exposed resources, defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to select' + type: string + required: + - resource + type: object + secretKeyRef: + description: Selects a key of a secret in the pod's + namespace + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' 
+ type: string + optional: + description: Specify whether the Secret or its key + must be defined + type: boolean + required: + - key + type: object + type: object + required: + - name + type: object + type: array + image: + type: string + imagepullpolicy: + description: PullPolicy describes a policy for if/when to pull + a container image + type: string + replicas: + format: int32 + minimum: 0 + type: integer + resources: + description: ResourceRequirements describes the compute resource + requirements. + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes the maximum amount of compute + resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes the minimum amount of compute + resources required. If Requests is omitted for a container, + it defaults to Limits if that is explicitly specified, otherwise + to an implementation-defined value. 
More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + type: object + storages: + items: + properties: + accessModes: + items: + type: string + type: array + class: + type: string + size: + type: string + type: + enum: + - pvc + - ephemeral + type: string + usage: + enum: + - log + - data + type: string + required: + - type + - usage + type: object + type: array + type: object + federatoraiBackend: + properties: + bootstrap: + properties: + image: + type: string + imagepullpolicy: + description: PullPolicy describes a policy for if/when to + pull a container image + type: string + type: object + env: + items: + description: EnvVar represents an environment variable present + in a Container. + properties: + name: + description: Name of the environment variable. Must be a + C_IDENTIFIER. + type: string + value: + description: 'Variable references $(VAR_NAME) are expanded + using the previously defined environment variables in + the container and any service environment variables. If + a variable cannot be resolved, the reference in the input + string will be unchanged. Double $$ are reduced to a single + $, which allows for escaping the $(VAR_NAME) syntax: i.e. + "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". + Escaped references will never be expanded, regardless + of whether the variable exists or not. Defaults to "".' + type: string + valueFrom: + description: Source for the environment variable's value. + Cannot be used if value is not empty. + properties: + configMapKeyRef: + description: Selects a key of a ConfigMap. + properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' 
+ type: string + optional: + description: Specify whether the ConfigMap or its + key must be defined + type: boolean + required: + - key + type: object + fieldRef: + description: 'Selects a field of the pod: supports metadata.name, + metadata.namespace, `metadata.labels['''']`, + `metadata.annotations['''']`, spec.nodeName, + spec.serviceAccountName, status.hostIP, status.podIP, + status.podIPs.' + properties: + apiVersion: + description: Version of the schema the FieldPath + is written in terms of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to select in the + specified API version. + type: string + required: + - fieldPath + type: object + resourceFieldRef: + description: 'Selects a resource of the container: only + resources limits and requests (limits.cpu, limits.memory, + limits.ephemeral-storage, requests.cpu, requests.memory + and requests.ephemeral-storage) are currently supported.' + properties: + containerName: + description: 'Container name: required for volumes, + optional for env vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output format of the + exposed resources, defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to select' + type: string + required: + - resource + type: object + secretKeyRef: + description: Selects a key of a secret in the pod's + namespace + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' 
+ type: string + optional: + description: Specify whether the Secret or its key + must be defined + type: boolean + required: + - key + type: object + type: object + required: + - name + type: object + type: array + image: + type: string + imagepullpolicy: + description: PullPolicy describes a policy for if/when to pull + a container image + type: string + replicas: + format: int32 + minimum: 0 + type: integer + resources: + description: ResourceRequirements describes the compute resource + requirements. + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes the maximum amount of compute + resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes the minimum amount of compute + resources required. If Requests is omitted for a container, + it defaults to Limits if that is explicitly specified, otherwise + to an implementation-defined value. 
More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + type: object + storages: + items: + properties: + accessModes: + items: + type: string + type: array + class: + type: string + size: + type: string + type: + enum: + - pvc + - ephemeral + type: string + usage: + enum: + - log + - data + type: string + required: + - type + - usage + type: object + type: array + type: object + federatoraiDataAdapter: + properties: + bootstrap: + properties: + image: + type: string + imagepullpolicy: + description: PullPolicy describes a policy for if/when to + pull a container image + type: string + type: object + env: + items: + description: EnvVar represents an environment variable present + in a Container. + properties: + name: + description: Name of the environment variable. Must be a + C_IDENTIFIER. + type: string + value: + description: 'Variable references $(VAR_NAME) are expanded + using the previously defined environment variables in + the container and any service environment variables. If + a variable cannot be resolved, the reference in the input + string will be unchanged. Double $$ are reduced to a single + $, which allows for escaping the $(VAR_NAME) syntax: i.e. + "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". + Escaped references will never be expanded, regardless + of whether the variable exists or not. Defaults to "".' + type: string + valueFrom: + description: Source for the environment variable's value. + Cannot be used if value is not empty. + properties: + configMapKeyRef: + description: Selects a key of a ConfigMap. + properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' 
+ type: string + optional: + description: Specify whether the ConfigMap or its + key must be defined + type: boolean + required: + - key + type: object + fieldRef: + description: 'Selects a field of the pod: supports metadata.name, + metadata.namespace, `metadata.labels['''']`, + `metadata.annotations['''']`, spec.nodeName, + spec.serviceAccountName, status.hostIP, status.podIP, + status.podIPs.' + properties: + apiVersion: + description: Version of the schema the FieldPath + is written in terms of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to select in the + specified API version. + type: string + required: + - fieldPath + type: object + resourceFieldRef: + description: 'Selects a resource of the container: only + resources limits and requests (limits.cpu, limits.memory, + limits.ephemeral-storage, requests.cpu, requests.memory + and requests.ephemeral-storage) are currently supported.' + properties: + containerName: + description: 'Container name: required for volumes, + optional for env vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output format of the + exposed resources, defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to select' + type: string + required: + - resource + type: object + secretKeyRef: + description: Selects a key of a secret in the pod's + namespace + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' 
+ type: string + optional: + description: Specify whether the Secret or its key + must be defined + type: boolean + required: + - key + type: object + type: object + required: + - name + type: object + type: array + image: + type: string + imagepullpolicy: + description: PullPolicy describes a policy for if/when to pull + a container image + type: string + replicas: + format: int32 + minimum: 0 + type: integer + resources: + description: ResourceRequirements describes the compute resource + requirements. + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes the maximum amount of compute + resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes the minimum amount of compute + resources required. If Requests is omitted for a container, + it defaults to Limits if that is explicitly specified, otherwise + to an implementation-defined value. 
More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + type: object + storages: + items: + properties: + accessModes: + items: + type: string + type: array + class: + type: string + size: + type: string + type: + enum: + - pvc + - ephemeral + type: string + usage: + enum: + - log + - data + type: string + required: + - type + - usage + type: object + type: array + type: object + federatoraiFrontend: + properties: + bootstrap: + properties: + image: + type: string + imagepullpolicy: + description: PullPolicy describes a policy for if/when to + pull a container image + type: string + type: object + env: + items: + description: EnvVar represents an environment variable present + in a Container. + properties: + name: + description: Name of the environment variable. Must be a + C_IDENTIFIER. + type: string + value: + description: 'Variable references $(VAR_NAME) are expanded + using the previously defined environment variables in + the container and any service environment variables. If + a variable cannot be resolved, the reference in the input + string will be unchanged. Double $$ are reduced to a single + $, which allows for escaping the $(VAR_NAME) syntax: i.e. + "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". + Escaped references will never be expanded, regardless + of whether the variable exists or not. Defaults to "".' + type: string + valueFrom: + description: Source for the environment variable's value. + Cannot be used if value is not empty. + properties: + configMapKeyRef: + description: Selects a key of a ConfigMap. + properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' 
+ type: string + optional: + description: Specify whether the ConfigMap or its + key must be defined + type: boolean + required: + - key + type: object + fieldRef: + description: 'Selects a field of the pod: supports metadata.name, + metadata.namespace, `metadata.labels['''']`, + `metadata.annotations['''']`, spec.nodeName, + spec.serviceAccountName, status.hostIP, status.podIP, + status.podIPs.' + properties: + apiVersion: + description: Version of the schema the FieldPath + is written in terms of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to select in the + specified API version. + type: string + required: + - fieldPath + type: object + resourceFieldRef: + description: 'Selects a resource of the container: only + resources limits and requests (limits.cpu, limits.memory, + limits.ephemeral-storage, requests.cpu, requests.memory + and requests.ephemeral-storage) are currently supported.' + properties: + containerName: + description: 'Container name: required for volumes, + optional for env vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output format of the + exposed resources, defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to select' + type: string + required: + - resource + type: object + secretKeyRef: + description: Selects a key of a secret in the pod's + namespace + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' 
+ type: string + optional: + description: Specify whether the Secret or its key + must be defined + type: boolean + required: + - key + type: object + type: object + required: + - name + type: object + type: array + image: + type: string + imagepullpolicy: + description: PullPolicy describes a policy for if/when to pull + a container image + type: string + replicas: + format: int32 + minimum: 0 + type: integer + resources: + description: ResourceRequirements describes the compute resource + requirements. + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes the maximum amount of compute + resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes the minimum amount of compute + resources required. If Requests is omitted for a container, + it defaults to Limits if that is explicitly specified, otherwise + to an implementation-defined value. 
More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + type: object + storages: + items: + properties: + accessModes: + items: + type: string + type: array + class: + type: string + size: + type: string + type: + enum: + - pvc + - ephemeral + type: string + usage: + enum: + - log + - data + type: string + required: + - type + - usage + type: object + type: array + type: object + federatoraiPostgreSQL: + properties: + bootstrap: + properties: + image: + type: string + imagepullpolicy: + description: PullPolicy describes a policy for if/when to + pull a container image + type: string + type: object + env: + items: + description: EnvVar represents an environment variable present + in a Container. + properties: + name: + description: Name of the environment variable. Must be a + C_IDENTIFIER. + type: string + value: + description: 'Variable references $(VAR_NAME) are expanded + using the previously defined environment variables in + the container and any service environment variables. If + a variable cannot be resolved, the reference in the input + string will be unchanged. Double $$ are reduced to a single + $, which allows for escaping the $(VAR_NAME) syntax: i.e. + "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". + Escaped references will never be expanded, regardless + of whether the variable exists or not. Defaults to "".' + type: string + valueFrom: + description: Source for the environment variable's value. + Cannot be used if value is not empty. + properties: + configMapKeyRef: + description: Selects a key of a ConfigMap. + properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' 
+ type: string + optional: + description: Specify whether the ConfigMap or its + key must be defined + type: boolean + required: + - key + type: object + fieldRef: + description: 'Selects a field of the pod: supports metadata.name, + metadata.namespace, `metadata.labels['''']`, + `metadata.annotations['''']`, spec.nodeName, + spec.serviceAccountName, status.hostIP, status.podIP, + status.podIPs.' + properties: + apiVersion: + description: Version of the schema the FieldPath + is written in terms of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to select in the + specified API version. + type: string + required: + - fieldPath + type: object + resourceFieldRef: + description: 'Selects a resource of the container: only + resources limits and requests (limits.cpu, limits.memory, + limits.ephemeral-storage, requests.cpu, requests.memory + and requests.ephemeral-storage) are currently supported.' + properties: + containerName: + description: 'Container name: required for volumes, + optional for env vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output format of the + exposed resources, defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to select' + type: string + required: + - resource + type: object + secretKeyRef: + description: Selects a key of a secret in the pod's + namespace + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' 
+ type: string + optional: + description: Specify whether the Secret or its key + must be defined + type: boolean + required: + - key + type: object + type: object + required: + - name + type: object + type: array + image: + type: string + imagepullpolicy: + description: PullPolicy describes a policy for if/when to pull + a container image + type: string + replicas: + format: int32 + minimum: 0 + type: integer + resources: + description: ResourceRequirements describes the compute resource + requirements. + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes the maximum amount of compute + resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes the minimum amount of compute + resources required. If Requests is omitted for a container, + it defaults to Limits if that is explicitly specified, otherwise + to an implementation-defined value. 
More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + type: object + storages: + items: + properties: + accessModes: + items: + type: string + type: array + class: + type: string + size: + type: string + type: + enum: + - pvc + - ephemeral + type: string + usage: + enum: + - log + - data + type: string + required: + - type + - usage + type: object + type: array + type: object + federatoraiRecommendDispatcher: + properties: + bootstrap: + properties: + image: + type: string + imagepullpolicy: + description: PullPolicy describes a policy for if/when to + pull a container image + type: string + type: object + env: + items: + description: EnvVar represents an environment variable present + in a Container. + properties: + name: + description: Name of the environment variable. Must be a + C_IDENTIFIER. + type: string + value: + description: 'Variable references $(VAR_NAME) are expanded + using the previously defined environment variables in + the container and any service environment variables. If + a variable cannot be resolved, the reference in the input + string will be unchanged. Double $$ are reduced to a single + $, which allows for escaping the $(VAR_NAME) syntax: i.e. + "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". + Escaped references will never be expanded, regardless + of whether the variable exists or not. Defaults to "".' + type: string + valueFrom: + description: Source for the environment variable's value. + Cannot be used if value is not empty. + properties: + configMapKeyRef: + description: Selects a key of a ConfigMap. + properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' 
+ type: string + optional: + description: Specify whether the ConfigMap or its + key must be defined + type: boolean + required: + - key + type: object + fieldRef: + description: 'Selects a field of the pod: supports metadata.name, + metadata.namespace, `metadata.labels['''']`, + `metadata.annotations['''']`, spec.nodeName, + spec.serviceAccountName, status.hostIP, status.podIP, + status.podIPs.' + properties: + apiVersion: + description: Version of the schema the FieldPath + is written in terms of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to select in the + specified API version. + type: string + required: + - fieldPath + type: object + resourceFieldRef: + description: 'Selects a resource of the container: only + resources limits and requests (limits.cpu, limits.memory, + limits.ephemeral-storage, requests.cpu, requests.memory + and requests.ephemeral-storage) are currently supported.' + properties: + containerName: + description: 'Container name: required for volumes, + optional for env vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output format of the + exposed resources, defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to select' + type: string + required: + - resource + type: object + secretKeyRef: + description: Selects a key of a secret in the pod's + namespace + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' 
+ type: string + optional: + description: Specify whether the Secret or its key + must be defined + type: boolean + required: + - key + type: object + type: object + required: + - name + type: object + type: array + image: + type: string + imagepullpolicy: + description: PullPolicy describes a policy for if/when to pull + a container image + type: string + replicas: + format: int32 + minimum: 0 + type: integer + resources: + description: ResourceRequirements describes the compute resource + requirements. + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes the maximum amount of compute + resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes the minimum amount of compute + resources required. If Requests is omitted for a container, + it defaults to Limits if that is explicitly specified, otherwise + to an implementation-defined value. 
More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + type: object + storages: + items: + properties: + accessModes: + items: + type: string + type: array + class: + type: string + size: + type: string + type: + enum: + - pvc + - ephemeral + type: string + usage: + enum: + - log + - data + type: string + required: + - type + - usage + type: object + type: array + type: object + federatoraiRecommendWorker: + properties: + bootstrap: + properties: + image: + type: string + imagepullpolicy: + description: PullPolicy describes a policy for if/when to + pull a container image + type: string + type: object + env: + items: + description: EnvVar represents an environment variable present + in a Container. + properties: + name: + description: Name of the environment variable. Must be a + C_IDENTIFIER. + type: string + value: + description: 'Variable references $(VAR_NAME) are expanded + using the previously defined environment variables in + the container and any service environment variables. If + a variable cannot be resolved, the reference in the input + string will be unchanged. Double $$ are reduced to a single + $, which allows for escaping the $(VAR_NAME) syntax: i.e. + "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". + Escaped references will never be expanded, regardless + of whether the variable exists or not. Defaults to "".' + type: string + valueFrom: + description: Source for the environment variable's value. + Cannot be used if value is not empty. + properties: + configMapKeyRef: + description: Selects a key of a ConfigMap. + properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' 
+ type: string + optional: + description: Specify whether the ConfigMap or its + key must be defined + type: boolean + required: + - key + type: object + fieldRef: + description: 'Selects a field of the pod: supports metadata.name, + metadata.namespace, `metadata.labels['''']`, + `metadata.annotations['''']`, spec.nodeName, + spec.serviceAccountName, status.hostIP, status.podIP, + status.podIPs.' + properties: + apiVersion: + description: Version of the schema the FieldPath + is written in terms of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to select in the + specified API version. + type: string + required: + - fieldPath + type: object + resourceFieldRef: + description: 'Selects a resource of the container: only + resources limits and requests (limits.cpu, limits.memory, + limits.ephemeral-storage, requests.cpu, requests.memory + and requests.ephemeral-storage) are currently supported.' + properties: + containerName: + description: 'Container name: required for volumes, + optional for env vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output format of the + exposed resources, defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to select' + type: string + required: + - resource + type: object + secretKeyRef: + description: Selects a key of a secret in the pod's + namespace + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' 
+ type: string + optional: + description: Specify whether the Secret or its key + must be defined + type: boolean + required: + - key + type: object + type: object + required: + - name + type: object + type: array + image: + type: string + imagepullpolicy: + description: PullPolicy describes a policy for if/when to pull + a container image + type: string + replicas: + format: int32 + minimum: 0 + type: integer + resources: + description: ResourceRequirements describes the compute resource + requirements. + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes the maximum amount of compute + resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes the minimum amount of compute + resources required. If Requests is omitted for a container, + it defaults to Limits if that is explicitly specified, otherwise + to an implementation-defined value. 
More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + type: object + storages: + items: + properties: + accessModes: + items: + type: string + type: array + class: + type: string + size: + type: string + type: + enum: + - pvc + - ephemeral + type: string + usage: + enum: + - log + - data + type: string + required: + - type + - usage + type: object + type: array + type: object + federatoraiRest: + properties: + bootstrap: + properties: + image: + type: string + imagepullpolicy: + description: PullPolicy describes a policy for if/when to + pull a container image + type: string + type: object + env: + items: + description: EnvVar represents an environment variable present + in a Container. + properties: + name: + description: Name of the environment variable. Must be a + C_IDENTIFIER. + type: string + value: + description: 'Variable references $(VAR_NAME) are expanded + using the previously defined environment variables in + the container and any service environment variables. If + a variable cannot be resolved, the reference in the input + string will be unchanged. Double $$ are reduced to a single + $, which allows for escaping the $(VAR_NAME) syntax: i.e. + "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". + Escaped references will never be expanded, regardless + of whether the variable exists or not. Defaults to "".' + type: string + valueFrom: + description: Source for the environment variable's value. + Cannot be used if value is not empty. + properties: + configMapKeyRef: + description: Selects a key of a ConfigMap. + properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' 
+ type: string + optional: + description: Specify whether the ConfigMap or its + key must be defined + type: boolean + required: + - key + type: object + fieldRef: + description: 'Selects a field of the pod: supports metadata.name, + metadata.namespace, `metadata.labels['''']`, + `metadata.annotations['''']`, spec.nodeName, + spec.serviceAccountName, status.hostIP, status.podIP, + status.podIPs.' + properties: + apiVersion: + description: Version of the schema the FieldPath + is written in terms of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to select in the + specified API version. + type: string + required: + - fieldPath + type: object + resourceFieldRef: + description: 'Selects a resource of the container: only + resources limits and requests (limits.cpu, limits.memory, + limits.ephemeral-storage, requests.cpu, requests.memory + and requests.ephemeral-storage) are currently supported.' + properties: + containerName: + description: 'Container name: required for volumes, + optional for env vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output format of the + exposed resources, defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to select' + type: string + required: + - resource + type: object + secretKeyRef: + description: Selects a key of a secret in the pod's + namespace + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' 
+ type: string + optional: + description: Specify whether the Secret or its key + must be defined + type: boolean + required: + - key + type: object + type: object + required: + - name + type: object + type: array + image: + type: string + imagepullpolicy: + description: PullPolicy describes a policy for if/when to pull + a container image + type: string + replicas: + format: int32 + minimum: 0 + type: integer + resources: + description: ResourceRequirements describes the compute resource + requirements. + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes the maximum amount of compute + resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes the minimum amount of compute + resources required. If Requests is omitted for a container, + it defaults to Limits if that is explicitly specified, otherwise + to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + type: object + storages: + items: + properties: + accessModes: + items: + type: string + type: array + class: + type: string + size: + type: string + type: + enum: + - pvc + - ephemeral + type: string + usage: + enum: + - log + - data + type: string + required: + - type + - usage + type: object + type: array + type: object + imageLocation: + type: string + resources: + description: ResourceRequirements describes the compute resource requirements. 
+ properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes the maximum amount of compute resources + allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes the minimum amount of compute + resources required. If Requests is omitted for a container, + it defaults to Limits if that is explicitly specified, otherwise + to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + type: object + selfDriving: + type: boolean + serviceExposures: + items: + description: ServiceExposureSpec defines the service to be exposed + properties: + name: + type: string + nodePort: + description: NodePortSpec defines the ports to be proxied from + node to service + properties: + ports: + items: + description: PortSpec defines the service port + properties: + nodePort: + format: int32 + maximum: 65535 + minimum: 0 + type: integer + port: + format: int32 + maximum: 65535 + minimum: 0 + type: integer + required: + - nodePort + - port + type: object + type: array + required: + - ports + type: object + type: + description: ServiceExposureType defines the type of the service + to be exposed + enum: + - NodePort + type: string + required: + - name + - type + type: object + type: array + storages: + items: + properties: + accessModes: + items: + type: string + type: array + class: + type: string + size: + type: string + type: + enum: + - pvc + - ephemeral + 
type: string + usage: + enum: + - log + - data + type: string + required: + - type + - usage + type: object + type: array + version: + type: string + required: + - version + type: object + x-kubernetes-preserve-unknown-fields: true + status: + description: AlamedaServiceStatus defines the observed state of AlamedaService + properties: + installationStatus: + properties: + readyTime: + format: date-time + type: string + version: + type: string + type: object + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] 
diff --git a/charts/federatorai/federatorai/5.0.0/logo.png b/charts/federatorai/federatorai/5.0.0/logo.png new file mode 100644 index 0000000000000000000000000000000000000000..fc33e50090d9dc92ba5496ae3db538a91846dd29 GIT binary patch literal 2838 zcmai$c{CJUAII;EED^G2&yX!K%5Jib%pkIqY-6%3>&P}$#P>V41i$NR^7-h0mPe!jooJ?D4N_xHy=H|>(8DJQ!KI{<(ajY8TS zl6)9;Y%GU+?Ck#1A&z((UNi*Y36W#>8uMX((j8@U5r9Zp00@Zy{5mWVW&sF=1MnRS zfX-n9p&&|wHRAAq#m(FldC0@HZTvd!5J!Vh4j}+2OaBf?M45gV0PK-yq@i8J=weY+ z=H<8I9W5<0&ugKTSJDwMq9C&BR+;?0%kzTO4XOgW9jHY~GhcIGw=~~@VOb4-H5+rK zYCEHL*!?tqzY&`!<0}FFBG!s9jv4ET_sW08tPJmM5ew*hiwpR%rXLdT$H%v23X9II z@AT|?^)6Ei&UyDb8$#{u)Rmc640!P`6C8%}%l>-kXMCqT%4nMl^l8pCl({ss8la7~ zi_KrV0g(X>YAz)Kj{uDcc;3Ht$#T}eMcFxB@&kWDd5G@SmS>zRGMe0faE3q@KwmX= zJH6UIG(B|vYX8kzp~t7qxy!~uu?PBThFDJ6%z4^CK?k-NM*XMJ+ux!;I{jE#0Iky+ z)Ij?v?t-Vl^)88V7rI2*zO6m+2wcf(ok(#Ap4D3KnbsQgPa@#QH zz#5A-COnt@q+EZZ>oyJ!+n-iwe>;@y77DkLd-GqWevj$j?*5NBrNAnBH_4&|vH7Lb zGp-iGEFT_pc5GS%?Ct6%xa{hbyZ~tFr1z2O&-opY}q~m9tVkN4yhMBMu{Z4RsU|9;^$-^Tgh#g;6BmRL) zmh$H3Gc*iXN-n_G2;_wN(g#O)NZeGVNB$Qw+J=~ZzD!*(qf?EH)*L~~;^(703hfyF zlEiUakeR%FZ%4-|3YXTn5-$f(d8V#xQ!W6)c@MoW&Q8$0GnW~GW#lmKNYhNz*09k6|XpaC(t20F%R;O`c-wbHd+i;{Gty;fKVRfH)J{jkJGx2ER{KRzC zrgxQ$m)CdYdxozTt@9V$s zWvxkt>NYE!Twhh(yH3g-TAg7l#c&GSBZO=VQt}ppNbj|OU6d&|ot;-+QzsFbhijp# z*%TDcw3GZ?3Hc4Jz8`{@HP~0r*E`)STc&ATWP691C-Uh?)-;(J{v|4-r(r0837^>ix6%W=n~C2dcCp%hJrw);C$F zMYptm>8I9St8ia-B#92KP8x4q(eiXYiEkfOl{VOyGYb=<#XIN>yOmQiWQe1u3C8J{N_ES6L`bJUAkX#_(is-}dWPLFrkn6@zW|Q{mZ+ zlcM@vS72?!*+T#|PXNi4_(8OWq1n+nQSLE`>;E+{ z=8MKTr8duFt0fR-lodfTy3rnZh#bh&?cCe2h1JPl@FKGxyhZO6vb&~4Jl=>ex{2`Q z{tE(^zi>cE-Hj``I-gyBE=5Y`3zlUQT=G__4c-c@>Ob&HZC+w_yHiPz-}3>H&RS3^ zFR3N{(vVd}uvK?><%(eW?m2jOJp`-dPvkS?BS_A%{U{}3dcnQ=({JPJEXzqD1_eN9ImcIRedb2{6UEl<*7&8Z^N!jpo@y}*WNcx|y^-j9H;++IkSo91)`nRBQLN}(Xo9h4X`gGFo_F5} z33iK-b5((H&x|?Nub%-#r=4z&>=Hdzd)5c@#n?a#jDN$ID-vk$yD$h>#Y(m1-C`E) zViSx&)}p6Ra4ick<*hw955D>T{3^Dwd6aG3I>lqK$jJ4?wI)LIuuA*zGfYxK1NGY0 zfilm?E|YZX^=ZDn_eoXT;T 
zTRIt;Z-P^%Ns<~dZ#N+;XB{a@3rTx;0f}kG{6xL|{jwWTm-HP58ZF+Bz4^!(^vNXq z^cdM&*|zJ2ITeNH_v+lmm&JX5#pV(&ktyRUwVlkTsfyI!@YJLgtMQR!>g8IKgDo8b zNzus+#0v|Uec~);X13-5zH;?J)bvQ?TKH*NOWkI>Cfbrspse*ye=b%%#`#P1kZxh&AMuzBAv97gkzkUWue;+^E*2 zV={BA#5=%|k=+yToG1O^1CmYt!s=z)j0&b-LX$_QcI!H;f5OwV<`o^L-dj!!3KEnthe3`|4d=Y^e)MP0|c o&HC&l3^8eWw~f5pin93{7w|&HX1`Ql>h~8FZDNV6F~Z*Z7cBZPT>t<8 literal 0 HcmV?d00001 diff --git a/charts/federatorai/federatorai/5.0.0/questions.yaml b/charts/federatorai/federatorai/5.0.0/questions.yaml new file mode 100644 index 000000000..8de18b163 --- /dev/null +++ b/charts/federatorai/federatorai/5.0.0/questions.yaml 
@@ -0,0 +1,89 @@
+questions:
+#image configurations
+- variable: defaultImage
+ default: true
+ description: "Use default Federator.ai image or specify a custom one"
+ label: Use Default Federator.ai Image
+ type: boolean
+ show_subquestion_if: false
+ group: "Container Images"
+ subquestions:
+ - variable: image.repository
+ default: "quay.io/prophetstor/federatorai-operator-ubi"
+ description: "Federator.ai Operator image name"
+ type: string
+ group: "Container Images"
+ label: Federator.ai Operator Image Name
+ - variable: image.tag
+ default: "v5.0.0-p1"
+ description: "Federator.ai Operator image tag"
+ type: string
+ group: "Container Images"
+ label: Federator.ai Operator Image Tag
+#service configurations
+- variable: federatorai.imageLocation
+ default: "quay.io/prophetstor"
+ description: "Service containers image location"
+ type: string
+ required: true
+ group: "Container Images"
+ label: Federator.ai imageLocation
+- variable: services.dashboardFrontend.nodePort
+ required: true
+ default: "31012"
+ description: "The port where the Federator.ai Dashboard listens to"
+ type: string
+ group: "Service Settings"
+ label: Federator.ai Dashboard Port
+- variable: services.rest.nodePort
+ required: true
+ default: "31011"
+ description: "The port where the Federator.ai REST listens to"
+ type: string
+ group: "Service Settings"
+ label: Federator.ai REST Port
+- variable: federatorai.persistence.enabled
+ default: true
+ description: "Enable persistent volume for Federator.ai"
+ type: boolean
+ required: true
+ label: Federator.ai Persistent Volume Enabled
+ show_subquestion_if: true
+ group: "PV Settings"
+ subquestions:
+ - variable: federatorai.persistence.storageClass
+ default: ""
+ description: "If undefined or set to null, using the default storageClass. Defaults to null."
+ type: storageclass
+ group: "PV Settings"
+ label: Storage Class for Federator.ai
+ - variable: federatorai.persistence.storages.logStorage.size
+ default: "2Gi"
+ description: "Log volume size"
+ type: string
+ group: "PV Settings"
+ label: Log Volume Size
+ - variable: federatorai.persistence.aiCore.dataStorage.size
+ default: "10Gi"
+ description: "AICore data volume Size"
+ type: string
+ group: "PV Settings"
+ label: AICore Data Volume Size
+ - variable: federatorai.persistence.influxdb.dataStorage.size
+ default: "100Gi"
+ description: "Influxdb data volume Size"
+ type: string
+ group: "PV Settings"
+ label: Influxdb Data Volume Size
+ - variable: federatorai.persistence.fedemeterInfluxdb.dataStorage.size
+ default: "10Gi"
+ description: "Fedemeter influxdb data volume Size"
+ type: string
+ group: "PV Settings"
+ label: Fedemeter Influxdb Data Volume Size
+ - variable: federatorai.persistence.federatoraiPostgreSQL.dataStorage.size
+ default: "10Gi"
+ description: "PostgreSQL data volume Size"
+ type: string
+ group: "PV Settings"
+ label: PostgreSQL Data Volume Size
diff --git a/charts/federatorai/federatorai/5.0.0/requirements.yaml b/charts/federatorai/federatorai/5.0.0/requirements.yaml
new file mode 100644
index 000000000..e69de29bb
diff --git a/charts/federatorai/federatorai/5.0.0/templates/01-serviceaccount.yaml b/charts/federatorai/federatorai/5.0.0/templates/01-serviceaccount.yaml
new file mode 100644
index 000000000..937627cd3
--- /dev/null
+++ b/charts/federatorai/federatorai/5.0.0/templates/01-serviceaccount.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: federatorai-operator
+ namespace: {{ .Release.Namespace }}
diff --git a/charts/federatorai/federatorai/5.0.0/templates/03-federatorai-operator.deployment.yaml b/charts/federatorai/federatorai/5.0.0/templates/03-federatorai-operator.deployment.yaml
new file mode 100644
index 000000000..7a9bc4f06
--- /dev/null
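Review bot: The two `nodePort` questions describe the value as "the port where … listens to", which hides that a NodePort opens the Dashboard and the REST API on every node's address; I would reword them, e.g. `description: "NodePort opened on every cluster node for the Federator.ai Dashboard"`, so an installer knows to restrict access with a firewall or network policy. Both are also `type: string`, so a non-numeric or out-of-range value is only rejected later (the CRD's PortSpec limits `nodePort` to 0–65535); `type: int` with `min`/`max` would catch it in the form. The `image.tag` default `v5.0.0-p1` is a mutable tag, so the description could mention that the installed image is not pinned to a digest.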
+++ b/charts/federatorai/federatorai/5.0.0/templates/03-federatorai-operator.deployment.yaml 
@@ -0,0 +1,97 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: federatorai-operator
+ namespace: {{ .Release.Namespace }}
+ labels:
+ name: federatorai-operator
+ app: Federator.ai
+ annotations:
+ "helm.sh/hook-weight": "1000"
+spec:
+ replicas: 1
+ strategy:
+ type: Recreate
+ selector:
+ matchLabels:
+ name: federatorai-operator
+ template:
+ metadata:
+ labels:
+ name: federatorai-operator
+ app: Federator.ai
+ spec:
+ securityContext:
+ fsGroup: 1001
+ serviceAccountName: federatorai-operator
+ initContainers:
+ - name: upgrader
+ image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+ command:
+ - federatorai-operator
+ args:
+ - "upgrade"
+ env:
+ - name: NAMESPACE_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: FEDERATORAI_OPERATOR_INFLUXDB_ADDRESS
+ value: ""
+ - name: FEDERATORAI_OPERATOR_INFLUXDB_SERVICE_NAME
+ value: alameda-influxdb
+ - name: FEDERATORAI_OPERATOR_INFLUXDB_SERVICE_PORT
+ value: "8086"
+ - name: FEDERATORAI_OPERATOR_INFLUXDB_USERNAME
+ value: admin
+ - name: FEDERATORAI_OPERATOR_INFLUXDB_PASSWORD
+ value: adminpass
+ volumeMounts:
+ - mountPath: /var/log/alameda
+ name: log
+ - mountPath: /tmp/k8s-webhook-server/serving-certs
+ name: cert
+ readOnly: true
+ containers:
+ - name: federatorai-operator
+ # Replace this with the built image name
+ image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+ imagePullPolicy: "{{ .Values.image.pullPolicy }}"
+ command:
+ - federatorai-operator
+ env:
+ - name: NAMESPACE_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ - name: OPERATOR_NAME
+ value: "federatorai-operator"
+ # OVERRIDE_CR_VERSION=true means always overwrite the spec.version value inside alamedaservice CR
+ - name: OVERRIDE_CR_VERSION
+ value: "true"
+ readinessProbe:
+ failureThreshold: 20
+ httpGet:
+ path: /readyz
+ port: 8083
+ initialDelaySeconds: 5
+ periodSeconds: 60
+ successThreshold: 1
+ timeoutSeconds: 5
+ volumeMounts:
+ - mountPath: /var/log/alameda
+ name: log
+ - mountPath: /tmp/k8s-webhook-server/serving-certs
+ name: cert
+ readOnly: true
+ volumes:
+ - name: log
+ emptyDir: {}
+ - name: cert
+ secret:
+ defaultMode: 420
+ secretName: federatorai-operator-service-cert
diff --git a/charts/federatorai/federatorai/5.0.0/templates/04-clusterrole.yaml b/charts/federatorai/federatorai/5.0.0/templates/04-clusterrole.yaml
new file mode 100644
index 000000000..e1b536777
--- /dev/null
+++ b/charts/federatorai/federatorai/5.0.0/templates/04-clusterrole.yaml
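Review bot: The `upgrader` init container carries the InfluxDB login in the manifest (`FEDERATORAI_OPERATOR_INFLUXDB_USERNAME` = `admin`, `FEDERATORAI_OPERATOR_INFLUXDB_PASSWORD` = `adminpass`), so every install shares the same known password and anyone who can read the Deployment or the chart sees it. Both values should come from a Secret through `secretKeyRef`, with the installer setting or generating the password; the Secret name in the excerpt below is a placeholder because the chart defines no such Secret. Neither container sets a container-level `securityContext` or `resources`, and `upgrader` has no `imagePullPolicy` while the main container does; those are worth adding in the same pass.

```yaml
        # … unchanged: NAMESPACE_NAME and the INFLUXDB address / service name / port entries …
        - name: FEDERATORAI_OPERATOR_INFLUXDB_USERNAME
          valueFrom:
            secretKeyRef:
              name: PLACEHOLDER-influxdb-credentials   # placeholder: Secret supplied by the installer
              key: username
        - name: FEDERATORAI_OPERATOR_INFLUXDB_PASSWORD
          valueFrom:
            secretKeyRef:
              name: PLACEHOLDER-influxdb-credentials   # placeholder: same Secret as above
              key: password
```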
@@ -0,0 +1,209 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ creationTimestamp: null
+ name: federatorai-operator
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - configmaps
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - update
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - endpoints
+ - pods
+ verbs:
+ - delete
+ - get
+ - list
+ - patch
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - namespaces
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - nodes
+ - persistentvolumeclaims
+ - serviceaccounts
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - replicationcontrollers
+ - services
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - resourcequotas
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+- apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ - create
+ - delete
+ - list
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - serviceaccounts
+ verbs:
+ - create
+ - delete
+ - update
+- apiGroups:
+ - ""
+ resources:
+ - services
+ verbs:
+ - create
+ - delete
+ - list
+ - update
+ - watch
+- apiGroups:
+ - ""
+ - extensions
+ resources:
+ - replicationcontrollers
+ verbs:
+ - '*'
+- apiGroups:
+ - admissionregistration.k8s.io
+ resources:
+ - mutatingwebhookconfigurations
+ - validatingwebhookconfigurations
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - update
+ - watch
+- apiGroups:
+ - analysis.containers.ai
+ - autoscaling.containers.ai
+ - federatorai.containers.ai
+ - notifying.containers.ai
+ - tenant.containers.ai
+ resources:
+ - '*'
+ verbs:
+ - '*'
+- apiGroups:
+ - apiextensions.k8s.io
+ resources:
+ - customresourcedefinitions
+ verbs:
+ - create
+ - delete
+ - get
+ - update
+- apiGroups:
+ - apps
+ - extensions
+ resources:
+ - daemonsets
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - update
+ - watch
+- apiGroups:
+ - apps
+ - extensions
+ resources:
+ - deployments
+ - replicasets
+ - statefulsets
+ verbs:
+ - '*'
+- apiGroups:
+ - apps.openshift.io
+ resources:
+ - deploymentconfigs
+ verbs:
+ - '*'
+- apiGroups:
+ - autoscaling
+ resources:
+ - horizontalpodautoscalers
+ verbs:
+ - list
+- apiGroups:
+ - extensions
+ - policy
+ resources:
+ - podsecuritypolicies
+ verbs:
+ - use
+- apiGroups:
+ - rbac.authorization.k8s.io
+ resources:
+ - clusterrolebindings
+ - clusterroles
+ - clusterroles/finalizers
+ - rolebindings
+ - roles
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - update
+ - watch
+- apiGroups:
+ - route.openshift.io
+ resources:
+ - '*'
+ verbs:
+ - '*'
+- apiGroups:
+ - security.openshift.io
+ resources:
+ - securitycontextconstraints
+ verbs:
+ - use
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: alameda-gc
+ annotations:
+ "helm.sh/hook-weight": "5000"
+ "helm.sh/hook": post-install,post-delete
+rules: []
diff --git a/charts/federatorai/federatorai/5.0.0/templates/05-clusterrolebinding.yaml b/charts/federatorai/federatorai/5.0.0/templates/05-clusterrolebinding.yaml
new file mode 100644
index 000000000..7c55d4828
--- /dev/null
+++ b/charts/federatorai/federatorai/5.0.0/templates/05-clusterrolebinding.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: federatorai-operator
+subjects:
+- kind: ServiceAccount
+ name: federatorai-operator
+ namespace: {{ .Release.Namespace }}
+roleRef:
+ kind: ClusterRole
+ name: federatorai-operator
+ apiGroup: rbac.authorization.k8s.io
diff --git a/charts/federatorai/federatorai/5.0.0/templates/06-role.yaml b/charts/federatorai/federatorai/5.0.0/templates/06-role.yaml
new file mode 100644
index 000000000..b0569bc08
--- /dev/null
+++ b/charts/federatorai/federatorai/5.0.0/templates/06-role.yaml
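Review bot: Several rules in the `federatorai-operator` ClusterRole grant more than an operator working in one release namespace appears to need, and the ClusterRoleBinding that follows applies them cluster-wide. The `secrets` rule with `list`/`watch` lets the service account read Secret contents in every namespace, while the Role in `06-role.yaml` already grants `'*'` on secrets in the release namespace; if the operator only manages its own namespace, drop the cluster-scoped secrets rule. The two `use` rules (`podsecuritypolicies`, `securitycontextconstraints`) carry no `resourceNames`, so they admit any policy, privileged ones included; pin them, e.g. `resourceNames: ["<policy-the-chart-needs>"]`. The write access to `clusterroles`/`clusterrolebindings` and the `'*'` verbs on `deployments`/`replicasets`/`statefulsets` in all namespaces deserve a comment stating why they are required. `serviceaccounts` also appears in two rules with overlapping verbs and could be merged into one.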
@@ -0,0 +1,46 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ creationTimestamp: null
+ name: federatorai-operator
+ namespace: {{ .Release.Namespace }}
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - configmaps
+ - endpoints
+ - persistentvolumeclaims
+ - pods
+ - secrets
+ - services
+ verbs:
+ - '*'
+- apiGroups:
+ - ""
+ resources:
+ - nodes
+ - persistentvolumeclaims
+ - replicationcontrollers
+ - services
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - apps
+ resources:
+ - daemonsets
+ - statefulsets
+ verbs:
+ - '*'
+- apiGroups:
+ - apps
+ - extensions
+ resources:
+ - deployments
+ - replicasets
+ verbs:
+ - get
+ - list
+ - watch
diff --git a/charts/federatorai/federatorai/5.0.0/templates/07-rolebinding.yaml b/charts/federatorai/federatorai/5.0.0/templates/07-rolebinding.yaml
new file mode 100644
index 000000000..e72f197b5
--- /dev/null
+++ b/charts/federatorai/federatorai/5.0.0/templates/07-rolebinding.yaml
@@ -0,0 +1,13 @@
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: federatorai-operator
+ namespace: {{ .Release.Namespace }}
+subjects:
+- kind: ServiceAccount
+ name: federatorai-operator
+ namespace: {{ .Release.Namespace }}
+roleRef:
+ kind: Role
+ name: federatorai-operator
+ apiGroup: rbac.authorization.k8s.io
diff --git a/charts/federatorai/federatorai/5.0.0/templates/08-service.yaml b/charts/federatorai/federatorai/5.0.0/templates/08-service.yaml
new file mode 100644
index 000000000..843abc896
--- /dev/null
+++ b/charts/federatorai/federatorai/5.0.0/templates/08-service.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ component: federatorai-operator
+ name: federatorai-operator-service
+ namespace: {{ .Release.Namespace }}
+spec:
+ ports:
+ - port: 443
+ targetPort: 50443
+ selector:
+ name: federatorai-operator
+ app: Federator.ai
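Review bot: The second rule of the Role in `06-role.yaml` lists `nodes`, which is a cluster-scoped resource, so granting it in a namespaced Role has no effect; the ClusterRole already covers nodes and the entry can be removed here. The same rule repeats `persistentvolumeclaims` and `services` with `get`/`list`/`watch`, which the first rule's `'*'` already includes. `verbs: ['*']` on `secrets` and `pods` is broad even inside one namespace; listing the verbs the operator actually uses, as the ClusterRole does for `configmaps`, would make the grant auditable.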
diff --git a/charts/federatorai/federatorai/5.0.0/templates/09-secret.yaml b/charts/federatorai/federatorai/5.0.0/templates/09-secret.yaml
new file mode 100644
index 000000000..e4beb366a
--- /dev/null
+++ b/charts/federatorai/federatorai/5.0.0/templates/09-secret.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: federatorai-operator-service-cert
+ namespace: {{ .Release.Namespace }}
+data:
+type: Opaque
\ No newline at end of file
diff --git a/charts/federatorai/federatorai/5.0.0/templates/10-mutatingwebhook.yaml b/charts/federatorai/federatorai/5.0.0/templates/10-mutatingwebhook.yaml
new file mode 100644
index 000000000..86d45f76b
--- /dev/null
+++ b/charts/federatorai/federatorai/5.0.0/templates/10-mutatingwebhook.yaml
@@ -0,0 +1,27 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+ creationTimestamp: null
+ name: federatorai-operator-servicesmutation
+webhooks:
+- admissionReviewVersions:
+ - v1beta1
+ - v1
+ clientConfig:
+ service:
+ name: federatorai-operator-service
+ namespace: {{ .Release.Namespace }}
+ path: /mutate-federatorai-containers-ai-v1alpha1-alamedaservice
+ failurePolicy: Ignore
+ name: alamedaservicemutate.federatorai.containers.ai
+ rules:
+ - apiGroups:
+ - federatorai.containers.ai
+ apiVersions:
+ - v1alpha1
+ operations:
+ - CREATE
+ - UPDATE
+ resources:
+ - alamedaservices
+ sideEffects: None
\ No newline at end of file
diff --git a/charts/federatorai/federatorai/5.0.0/templates/11-validatingwebhook.yaml b/charts/federatorai/federatorai/5.0.0/templates/11-validatingwebhook.yaml
new file mode 100644
index 000000000..66ea71af9
--- /dev/null
+++ b/charts/federatorai/federatorai/5.0.0/templates/11-validatingwebhook.yaml
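Review bot: `failurePolicy: Ignore` in `10-mutatingwebhook.yaml` makes the webhook fail open, and the validating webhook in `11-validatingwebhook.yaml` uses the same setting, so whenever the operator pod is down or its serving certificate is not accepted, AlamedaService objects are admitted without mutation or validation. For the validating webhook I would set `failurePolicy: Fail`, or add a comment explaining why fail-open is intended. `clientConfig` also has no `caBundle` in either file; presumably the operator patches it at runtime (its ClusterRole can update webhook configurations), but until then calls would fail TLS verification and be silently ignored, which is worth a comment. Setting `timeoutSeconds` explicitly would bound the admission delay.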
@@ -0,0 +1,27 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+ creationTimestamp: null
+ name: federatorai-operator-servicesvalidation
+webhooks:
+- admissionReviewVersions:
+ - v1beta1
+ - v1
+ clientConfig:
+ service:
+ name: federatorai-operator-service
+ namespace: {{ .Release.Namespace }}
+ path: /validate-federatorai-containers-ai-v1alpha1-alamedaservice
+ failurePolicy: Ignore
+ name: alamedaservicevalidate.federatorai.containers.ai
+ rules:
+ - apiGroups:
+ - federatorai.containers.ai
+ apiVersions:
+ - v1alpha1
+ operations:
+ - CREATE
+ - UPDATE
+ resources:
+ - alamedaservices
+ sideEffects: None
\ No newline at end of file
diff --git a/charts/federatorai/federatorai/5.0.0/templates/NOTES.txt b/charts/federatorai/federatorai/5.0.0/templates/NOTES.txt
new file mode 100644
index 000000000..b381d6fed
--- /dev/null
+++ b/charts/federatorai/federatorai/5.0.0/templates/NOTES.txt
@@ -0,0 +1,3 @@
+
+Get the Federator.ai pods by running the following command:
+ kubectl --namespace {{ .Release.Namespace }} get pods
diff --git a/charts/federatorai/federatorai/5.0.0/templates/_helpers.tpl b/charts/federatorai/federatorai/5.0.0/templates/_helpers.tpl
new file mode 100644
index 000000000..66323e843
--- /dev/null
+++ b/charts/federatorai/federatorai/5.0.0/templates/_helpers.tpl
@@ -0,0 +1,45 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "federatorai-operator.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "federatorai-operator.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "federatorai-operator.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Common labels
+*/}}
+{{- define "federatorai-operator.labels" -}}
+app.kubernetes.io/name: {{ include "federatorai-operator.name" . }}
+helm.sh/chart: {{ include "federatorai-operator.chart" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end -}}
diff --git a/charts/federatorai/federatorai/5.0.0/templates/alamedaservice.yaml b/charts/federatorai/federatorai/5.0.0/templates/alamedaservice.yaml
new file mode 100644
index 000000000..482ceca14
--- /dev/null
+++ b/charts/federatorai/federatorai/5.0.0/templates/alamedaservice.yaml
@@ -0,0 +1,95 @@
+apiVersion: federatorai.containers.ai/v1alpha1
+kind: AlamedaService
+metadata:
+ name: my-alamedaservice
+ namespace: {{ .Release.Namespace }}
+ annotations:
+ "helm.sh/hook": post-install
+ "helm.sh/hook-weight": "3000"
+spec:
+{{ if .Values.federatorai.persistence.enabled }}
+ env:
+ - name: FEDERATORAI_MAXIMUM_LOG_SIZE
+ ## Use about 90% of 2Gi
+ value: "1931476992"
+{{ end }}
+ version: {{ .Values.image.tag }}
+{{ if .Values.federatorai.imageLocation }}
+ imageLocation: {{ .Values.federatorai.imageLocation }}
+{{ else }}
+ imageLocation: quay.io/prophetstor
+{{ end }}
+{{ if .Values.federatorai.persistence.enabled }}
+ storages:
+ - accessModes:
+ - ReadWriteOnce
+ {{ if .Values.federatorai.persistence.storageClass }}
+ class: {{ .Values.federatorai.persistence.storageClass }}
+ {{ end }}
+ size: {{ .Values.federatorai.persistence.storages.logStorage.size }}
+ type: pvc
+ usage: log
+ alamedaAi:
+ storages:
+ - accessModes:
+ - ReadWriteOnce
+ {{ if .Values.federatorai.persistence.storageClass }}
+ class: {{ .Values.federatorai.persistence.storageClass }}
+ {{ end }}
+ size: {{ .Values.federatorai.persistence.aiCore.dataStorage.size }}
+ type: pvc
+ usage: data
+ alamedaInfluxdb:
+ storages:
+ - accessModes:
+ - ReadWriteOnce
+ {{ if .Values.federatorai.persistence.storageClass }}
+ class: {{ .Values.federatorai.persistence.storageClass }}
+ {{ end }}
+ size: {{ .Values.federatorai.persistence.influxdb.dataStorage.size }}
+ type: pvc
+ usage: data
+ fedemeterInfluxdb:
+ storages:
+ - accessModes:
+ - ReadWriteOnce
+ {{ if .Values.federatorai.persistence.storageClass }}
+ class: {{ .Values.federatorai.persistence.storageClass }}
+ {{ end }}
+ size: {{ .Values.federatorai.persistence.fedemeterInfluxdb.dataStorage.size }}
+ type: pvc
+ usage: data
+ federatoraiPostgreSQL:
+ storages:
+ - accessModes:
+ - ReadWriteOnce
+ {{ if .Values.federatorai.persistence.storageClass }}
+ class: {{ .Values.federatorai.persistence.storageClass }}
+ {{ end }}
+ size: {{ .Values.federatorai.persistence.federatoraiPostgreSQL.dataStorage.size }}
+ type: pvc
+ usage: data
+{{ else }}
+ storages:
+ - type: ephemeral
+ usage: data
+ - type: ephemeral
+ usage: log
+{{ end }}
+ serviceExposures:
+{{ if .Values.services.dashboardFrontend.nodePort }}
+ - name: federatorai-dashboard-frontend
+ nodePort:
+ ports:
+ - nodePort: {{ .Values.services.dashboardFrontend.nodePort }}
+ port: 9001
+ type: NodePort
+{{ end }}
+{{ if .Values.services.rest.nodePort }}
+ - name: federatorai-rest
+ nodePort:
+ ports:
+ - nodePort: {{ .Values.services.rest.nodePort }}
+ port: 5056
+ type: NodePort
+{{ end }}
diff --git a/charts/federatorai/federatorai/5.0.0/values.yaml b/charts/federatorai/federatorai/5.0.0/values.yaml
new file mode 100644
index 000000000..4faa18fee
--- /dev/null
+++ b/charts/federatorai/federatorai/5.0.0/values.yaml
@@ -0,0 +1,43 @@
+## Default values for Federator.ai
+## This is a YAML-formatted file.
+## Declare variables to be passed into your templates.
+##
+image:
+ pullPolicy: IfNotPresent
+ repository: quay.io/prophetstor/federatorai-operator-ubi
+ tag: v5.0.0-p1
+
+## Set default values
+##
+federatorai:
+ imageLocation: quay.io/prophetstor
+ ## If the persistence is enabled, a default StorageClass
+ ## is required in the k8s cluster to provision volumes.
+ persistence:
+ enabled: true
+ storageClass: ""
+ storages:
+ logStorage:
+ size: 2Gi
+ aiCore:
+ dataStorage:
+ size: 10Gi
+ influxdb:
+ dataStorage:
+ size: 100Gi
+ fedemeterInfluxdb:
+ dataStorage:
+ size: 10Gi
+ federatoraiPostgreSQL:
+ dataStorage:
+ size: 10Gi
+
+services:
+ dashboardFrontend:
+ ## Specify the nodePort value for the dashboard frontend
+ ## Comment out the following line to disable nodePort service
+ nodePort: 31012
+ rest:
+ ## Specify the nodePort value for the REST service
+ ## Comment out the following line to disable nodePort service
+ nodePort: 31011
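Review bot: The `"helm.sh/hook": post-install` annotation on `my-alamedaservice` means Helm creates this object once as a hook and does not track it as a release resource, so a later `helm upgrade` with changed values does not re-render it. That matters most for `serviceExposures`: unsetting `services.dashboardFrontend.nodePort` or `services.rest.nodePort` after install would leave the NodePort entries on the live object until it is edited directly. A comment above `annotations:` such as `## Created once by the post-install hook; apply later value changes to the AlamedaService object itself` would state this. Separately, when neither nodePort value is set the template emits a bare `serviceExposures:` key, and whether the CRD accepts a null there is not visible in this hunk.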
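Review bot: The defaults `nodePort: 31012` and `nodePort: 31011` publish the dashboard frontend and the REST service on every node address unless the installer opts out. The documented opt-out, commenting the line out, leaves `dashboardFrontend:` and `rest:` as keys with no value, and the `.Values.services.dashboardFrontend.nodePort` lookup in alamedaservice.yaml may then fail to render on a nil parent. An opt-in default avoids both problems: `nodePort: ""` with the comment changed to `## Set a port number to expose the dashboard frontend through a NodePort service`, and the same for `rest`. `tag: v5.0.0-p1` is also a mutable tag; whether the operator's `version` field can take a digest is not visible from this chart.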
diff --git a/charts/gluu/gluu/5.0.302/Chart.yaml b/charts/gluu/gluu/5.0.302/Chart.yaml
new file mode 100644
index 000000000..7ec52779b
--- /dev/null
+++ b/charts/gluu/gluu/5.0.302/Chart.yaml
@@ -0,0 +1,103 @@
+annotations:
+ artifacthub.io/changes: |
+ - Update always
+ artifacthub.io/containsSecurityUpdates: "true"
+ artifacthub.io/images: |
+ - name: auth-server
+ image: janssenproject/auth-server:1.0.0-beta.16
+ - name: auth-server-key-rotation
+ image: janssenproject/certmanager:1.0.0-beta.16
+ - name: client-api
+ image: janssenproject/client-api:1.0.0-beta.16
+ - name: configuration-manager
+ image: janssenproject/configurator:1.0.0-beta.16
+ - name: config-api
+ image: janssenproject/config-api:1.0.0-beta.16
+ - name: fido2
+ image: janssenproject/fido2:1.0.0-beta.16
+ - name: opendj
+ image: gluufederation/opendj:5.0.0_dev
+ - name: persistence
+ image: janssenproject/persistence-loader:1.0.0-beta.16
+ - name: scim
+ image: janssenproject/scim:1.0.0-beta.16
+ artifacthub.io/license: Apache-2.0
+ artifacthub.io/prerelease: "true"
+ catalog.cattle.io/certified: partner
+ catalog.cattle.io/display-name: Gluu Cloud Identity and Access Management
+ catalog.cattle.io/release-name: gluu
+apiVersion: v2
+appVersion: 5.0.0
+dependencies:
+- condition: global.config.enabled
+ name: config
+ repository: ""
+ version: 5.0.3
+- condition: global.config-api.enabled
+ name: config-api
+ repository: ""
+ version: 5.0.3
+- condition: global.opendj.enabled
+ name: opendj
+ repository: ""
+ version: 5.0.3
+- condition: global.auth-server.enabled
+ name: auth-server
+ repository: ""
+ version: 5.0.3
+- condition: global.admin-ui.enabled
+ name: admin-ui
+ repository: ""
+ version: 5.0.3
+- condition: global.fido2.enabled
+ name: fido2
+ repository: ""
+ version: 5.0.3
+- condition: global.scim.enabled
+ name: scim
+ repository: ""
+ version: 5.0.3
+- condition: global.nginx-ingress.enabled
+ name: nginx-ingress
+ repository: ""
+ version: 5.0.3
+- condition: global.oxshibboleth.enabled
+ name: oxshibboleth
+ repository: ""
+ version: 5.0.3
+- condition: global.oxpassport.enabled
+ name: oxpassport
+ repository: ""
+ version: 5.0.3
+- condition: global.casa.enabled
+ name: casa
+ repository: ""
+ version: 5.0.3
+- condition: global.auth-server-key-rotation.enabled
+ name: auth-server-key-rotation
+ repository: ""
+ version: 5.0.3
+- condition: global.client-api.enabled
+ name: client-api
+ repository: ""
+ version: 5.0.3
+- condition: global.persistence.enabled
+ name: persistence
+ repository: ""
+ version: 5.0.3
+- condition: global.istio.ingress
+ name: cn-istio-ingress
+ repository: ""
+ version: 5.0.3
+description: Gluu Access and Identity Management
+home: https://www.gluu.org
+icon: https://gluu.org/docs/gluu-server/favicon.ico
+kubeVersion: '>=v1.21.0-0'
+maintainers:
+- email: support@gluu.org
+ name: moabu
+name: gluu
+sources:
+- https://gluu.org/docs/gluu-server
+- https://github.com/GluuFederation/flex/flex-cn-setup
+version: 5.0.302
diff --git a/charts/gluu/gluu/5.0.302/README.md b/charts/gluu/gluu/5.0.302/README.md
new file mode 100644
index 000000000..60e319686
--- /dev/null
+++ b/charts/gluu/gluu/5.0.302/README.md
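Review bot: The `artifacthub.io/images` annotation does not cover every image the chart deploys by default: the README added in the same commit lists `gluufederation/admin-ui` at `1.0.0-beta.16` and `gluufederation/casa` at `5.0.0_dev`, and neither is in the list, so tooling that reads this annotation will not see them. Every listed image is a mutable pre-release tag (`1.0.0-beta.16`, `opendj:5.0.0_dev`), which sits awkwardly next to `catalog.cattle.io/certified: partner` for an identity provider; a comment above the list stating that this is a pre-release build would make that explicit. `artifacthub.io/changes` says only `Update always` while `artifacthub.io/containsSecurityUpdates` is `"true"`, so naming the security change there would let operators judge the upgrade. The second `sources` entry, `https://github.com/GluuFederation/flex/flex-cn-setup`, does not look like a resolvable repository path and is worth checking.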
@@ -0,0 +1,606 @@ +# gluu + +![Version: 5.0.3](https://img.shields.io/badge/Version-5.0.3-informational?style=flat-square) ![AppVersion: 5.0.0](https://img.shields.io/badge/AppVersion-5.0.0-informational?style=flat-square) + +Gluu Access and Identity Management + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| moabu | support@gluu.org | | + +## Source Code + +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +| Repository | Name | Version | +|------------|------|---------| +| | admin-ui | 5.0.3 | +| | auth-server | 5.0.3 | +| | auth-server-key-rotation | 5.0.3 | +| | casa | 5.0.3 | +| | client-api | 5.0.3 | +| | cn-istio-ingress | 5.0.3 | +| | config | 5.0.3 | +| | config-api | 5.0.3 | +| | fido2 | 5.0.3 | +| | nginx-ingress | 5.0.3 | +| | opendj | 5.0.3 | +| | oxpassport | 5.0.3 | +| | oxshibboleth | 5.0.3 | +| | persistence | 5.0.3 | +| | scim | 5.0.3 | + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| admin-ui | object | `{"additionalAnnotations":{},"additionalLabels":{},"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"gluufederation/admin-ui","tag":"1.0.0-beta.16"},"livenessProbe":{"failureThreshold":20,"initialDelaySeconds":60,"periodSeconds":25,"tcpSocket":{"port":8080},"timeoutSeconds":5},"readinessProbe":{"failureThreshold":20,"initialDelaySeconds":60,"periodSeconds":25,"tcpSocket":{"port":8080},"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"2500m","memory":"2500Mi"},"requests":{"cpu":"2500m","memory":"2500Mi"}},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | Admin GUI for configuration of the auth-server | +| admin-ui.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: 
"letsencrypt-prod"} | +| admin-ui.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | +| admin-ui.dnsConfig | object | `{}` | Add custom dns config | +| admin-ui.dnsPolicy | string | `""` | Add custom dns policy | +| admin-ui.hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| admin-ui.hpa.behavior | object | `{}` | Scaling Policies | +| admin-ui.hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| admin-ui.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| admin-ui.image.pullSecrets | list | `[]` | Image Pull Secrets | +| admin-ui.image.repository | string | `"gluufederation/admin-ui"` | Image to use for deploying. | +| admin-ui.image.tag | string | `"1.0.0-beta.16"` | Image tag to use for deploying. | +| admin-ui.livenessProbe | object | `{"failureThreshold":20,"initialDelaySeconds":60,"periodSeconds":25,"tcpSocket":{"port":8080},"timeoutSeconds":5}` | Configure the liveness healthcheck for the admin ui if needed. | +| admin-ui.readinessProbe | object | `{"failureThreshold":20,"initialDelaySeconds":60,"periodSeconds":25,"tcpSocket":{"port":8080},"timeoutSeconds":5}` | Configure the readiness healthcheck for the admin ui if needed. | +| admin-ui.replicas | int | `1` | Service replica number. | +| admin-ui.resources | object | `{"limits":{"cpu":"2500m","memory":"2500Mi"},"requests":{"cpu":"2500m","memory":"2500Mi"}}` | Resource specs. | +| admin-ui.resources.limits.cpu | string | `"2500m"` | CPU limit. | +| admin-ui.resources.limits.memory | string | `"2500Mi"` | Memory limit. | +| admin-ui.resources.requests.cpu | string | `"2500m"` | CPU request. | +| admin-ui.resources.requests.memory | string | `"2500Mi"` | Memory request. 
| +| admin-ui.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| admin-ui.usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| admin-ui.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| admin-ui.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| admin-ui.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | +| auth-server | object | `{"additionalAnnotations":{},"additionalLabels":{},"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"janssenproject/auth-server","tag":"1.0.0-beta.16"},"livenessProbe":{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5},"readinessProbe":{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"2500m","memory":"2500Mi"},"requests":{"cpu":"2500m","memory":"2500Mi"}},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | OAuth Authorization Server, the OpenID Connect Provider, the UMA Authorization Server--this is the main Internet facing component of Gluu. It's the service that returns tokens, JWT's and identity assertions. This service must be Internet facing. 
| +| auth-server-key-rotation | object | `{"additionalAnnotations":{},"additionalLabels":{},"dnsConfig":{},"dnsPolicy":"","image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"janssenproject/certmanager","tag":"1.0.0-beta.16"},"keysLife":48,"resources":{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | Responsible for regenerating auth-keys per x hours | +| auth-server-key-rotation.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | +| auth-server-key-rotation.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | +| auth-server-key-rotation.dnsConfig | object | `{}` | Add custom dns config | +| auth-server-key-rotation.dnsPolicy | string | `""` | Add custom dns policy | +| auth-server-key-rotation.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| auth-server-key-rotation.image.pullSecrets | list | `[]` | Image Pull Secrets | +| auth-server-key-rotation.image.repository | string | `"janssenproject/certmanager"` | Image to use for deploying. | +| auth-server-key-rotation.image.tag | string | `"1.0.0-beta.16"` | Image tag to use for deploying. | +| auth-server-key-rotation.keysLife | int | `48` | Auth server key rotation keys life in hours | +| auth-server-key-rotation.resources | object | `{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}}` | Resource specs. | +| auth-server-key-rotation.resources.limits.cpu | string | `"300m"` | CPU limit. | +| auth-server-key-rotation.resources.limits.memory | string | `"300Mi"` | Memory limit. | +| auth-server-key-rotation.resources.requests.cpu | string | `"300m"` | CPU request. 
| +| auth-server-key-rotation.resources.requests.memory | string | `"300Mi"` | Memory request. | +| auth-server-key-rotation.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| auth-server-key-rotation.usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| auth-server-key-rotation.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| auth-server-key-rotation.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| auth-server-key-rotation.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | +| auth-server.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | +| auth-server.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | +| auth-server.dnsConfig | object | `{}` | Add custom dns config | +| auth-server.dnsPolicy | string | `""` | Add custom dns policy | +| auth-server.hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| auth-server.hpa.behavior | object | `{}` | Scaling Policies | +| auth-server.hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| auth-server.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| auth-server.image.pullSecrets | list | `[]` | Image Pull Secrets | +| auth-server.image.repository | string | `"janssenproject/auth-server"` | Image to use for deploying. | +| auth-server.image.tag | string | `"1.0.0-beta.16"` | Image tag to use for deploying. 
| +| auth-server.livenessProbe | object | `{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for the auth server if needed. | +| auth-server.livenessProbe.exec | object | `{"command":["python3","/app/scripts/healthcheck.py"]}` | Executes the python3 healthcheck. https://github.com/JanssenProject/docker-jans-auth-server/blob/master/scripts/healthcheck.py | +| auth-server.readinessProbe | object | `{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the readiness healthcheck for the auth server if needed. https://github.com/JanssenProject/docker-jans-auth-server/blob/master/scripts/healthcheck.py | +| auth-server.replicas | int | `1` | Service replica number. | +| auth-server.resources | object | `{"limits":{"cpu":"2500m","memory":"2500Mi"},"requests":{"cpu":"2500m","memory":"2500Mi"}}` | Resource specs. | +| auth-server.resources.limits.cpu | string | `"2500m"` | CPU limit. | +| auth-server.resources.limits.memory | string | `"2500Mi"` | Memory limit. | +| auth-server.resources.requests.cpu | string | `"2500m"` | CPU request. | +| auth-server.resources.requests.memory | string | `"2500Mi"` | Memory request. 
| +| auth-server.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| auth-server.usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| auth-server.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| auth-server.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| auth-server.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | +| casa | object | `{"additionalAnnotations":{},"additionalLabels":{},"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"gluufederation/casa","tag":"5.0.0_dev"},"livenessProbe":{"httpGet":{"path":"/casa/health-check","port":"http-casa"},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5},"readinessProbe":{"httpGet":{"path":"/casa/health-check","port":"http-casa"},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"500m","memory":"500Mi"},"requests":{"cpu":"500m","memory":"500Mi"}},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | Gluu Casa ("Casa") is a self-service web portal for end-users to manage authentication and authorization preferences for their account in a Gluu Server. 
| +| casa.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | +| casa.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | +| casa.dnsConfig | object | `{}` | Add custom dns config | +| casa.dnsPolicy | string | `""` | Add custom dns policy | +| casa.hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| casa.hpa.behavior | object | `{}` | Scaling Policies | +| casa.hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| casa.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| casa.image.pullSecrets | list | `[]` | Image Pull Secrets | +| casa.image.repository | string | `"gluufederation/casa"` | Image to use for deploying. | +| casa.image.tag | string | `"5.0.0_dev"` | Image tag to use for deploying. | +| casa.livenessProbe | object | `{"httpGet":{"path":"/casa/health-check","port":"http-casa"},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the liveness healthcheck for casa if needed. | +| casa.livenessProbe.httpGet.path | string | `"/casa/health-check"` | http liveness probe endpoint | +| casa.readinessProbe | object | `{"httpGet":{"path":"/casa/health-check","port":"http-casa"},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the readiness healthcheck for the casa if needed. | +| casa.readinessProbe.httpGet.path | string | `"/casa/health-check"` | http readiness probe endpoint | +| casa.replicas | int | `1` | Service replica number. | +| casa.resources | object | `{"limits":{"cpu":"500m","memory":"500Mi"},"requests":{"cpu":"500m","memory":"500Mi"}}` | Resource specs. | +| casa.resources.limits.cpu | string | `"500m"` | CPU limit. 
| +| casa.resources.limits.memory | string | `"500Mi"` | Memory limit. | +| casa.resources.requests.cpu | string | `"500m"` | CPU request. | +| casa.resources.requests.memory | string | `"500Mi"` | Memory request. | +| casa.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| casa.usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| casa.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| casa.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| casa.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | +| client-api | object | `{"additionalAnnotations":{},"additionalLabels":{},"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"janssenproject/client-api","tag":"1.0.0-beta.16"},"livenessProbe":{"exec":{"command":["curl","-k","https://localhost:8443/health-check"]},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5},"readinessProbe":{"initialDelaySeconds":60,"periodSeconds":25,"tcpSocket":{"port":8443},"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"1000m","memory":"400Mi"},"requests":{"cpu":"1000m","memory":"400Mi"}},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | Middleware API to help application developers call an OAuth, OpenID or UMA server. You may wonder why this is necessary. It makes it easier for client developers to use OpenID signing and encryption features, without becoming crypto experts. This API provides some high level endpoints to do some of the heavy lifting. 
| +| client-api.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | +| client-api.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | +| client-api.dnsConfig | object | `{}` | Add custom dns config | +| client-api.dnsPolicy | string | `""` | Add custom dns policy | +| client-api.hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| client-api.hpa.behavior | object | `{}` | Scaling Policies | +| client-api.hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| client-api.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| client-api.image.pullSecrets | list | `[]` | Image Pull Secrets | +| client-api.image.repository | string | `"janssenproject/client-api"` | Image to use for deploying. | +| client-api.image.tag | string | `"1.0.0-beta.16"` | Image tag to use for deploying. | +| client-api.livenessProbe | object | `{"exec":{"command":["curl","-k","https://localhost:8443/health-check"]},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for the auth server if needed. | +| client-api.livenessProbe.exec | object | `{"command":["curl","-k","https://localhost:8443/health-check"]}` | Executes the python3 healthcheck. | +| client-api.readinessProbe | object | `{"initialDelaySeconds":60,"periodSeconds":25,"tcpSocket":{"port":8443},"timeoutSeconds":5}` | Configure the readiness healthcheck for the auth server if needed. | +| client-api.replicas | int | `1` | Service replica number. | +| client-api.resources | object | `{"limits":{"cpu":"1000m","memory":"400Mi"},"requests":{"cpu":"1000m","memory":"400Mi"}}` | Resource specs. 
| +| client-api.resources.limits.cpu | string | `"1000m"` | CPU limit. | +| client-api.resources.limits.memory | string | `"400Mi"` | Memory limit. | +| client-api.resources.requests.cpu | string | `"1000m"` | CPU request. | +| client-api.resources.requests.memory | string | `"400Mi"` | Memory request. | +| client-api.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| client-api.usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| client-api.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| client-api.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| client-api.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | +| config | object | `{"additionalAnnotations":{},"additionalLabels":{},"adminPassword":"Test1234#","city":"Austin","configmap":{"cnCacheType":"NATIVE_PERSISTENCE","cnClientApiAdminCertCn":"client-api","cnClientApiApplicationCertCn":"client-api","cnClientApiBindIpAddresses":"*","cnConfigGoogleSecretNamePrefix":"gluu","cnConfigGoogleSecretVersionId":"latest","cnConfigKubernetesConfigMap":"cn","cnCouchbaseBucketPrefix":"jans","cnCouchbaseCrt":"SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo=","cnCouchbaseIndexNumReplica":0,"cnCouchbasePassword":"P@ssw0rd","cnCouchbaseSuperUser":"admin","cnCouchbaseSuperUserPassword":"Test1234#","cnCouchbaseUrl":"cbgluu.default.svc.cluster.local","cnCouchbaseUser":"gluu","cnGoogleProjectId":"google-project-to-save-config-and-secrets-to","cnGoogleSecretManagerPassPhrase":"Test1234#","cnGoogleSecretManagerServiceAccount":"SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo=","cnGoogleSpannerDatabaseId":"","cnGoogleSpannerInstanceId":"","cnJettyRequestHeaderSize":8192,"cnLdapUrl":"opendj:1636","cnMaxRamPercent":"75.0","cnPersistenceLdapMapping":"default","cnRedisSentinelGroup":"","cnRedisSslTr
uststore":"","cnRedisType":"STANDALONE","cnRedisUrl":"redis.redis.svc.cluster.local:6379","cnRedisUseSsl":false,"cnScimProtectionMode":"OAUTH","cnSecretGoogleSecretNamePrefix":"gluu","cnSecretGoogleSecretVersionId":"latest","cnSecretKubernetesSecret":"cn","cnSqlDbDialect":"mysql","cnSqlDbHost":"my-release-mysql.default.svc.cluster.local","cnSqlDbName":"jans","cnSqlDbPort":3306,"cnSqlDbTimezone":"UTC","cnSqlDbUser":"jans","cnSqldbUserPassword":"Test1234#","lbAddr":""},"countryCode":"US","dnsConfig":{},"dnsPolicy":"","email":"support@gluu.org","image":{"pullSecrets":[],"repository":"janssenproject/configurator","tag":"1.0.0-beta.16"},"ldapPassword":"P@ssw0rds","migration":{"enabled":false,"migrationDataFormat":"ldif","migrationDir":"/ce-migration"},"orgName":"Gluu","redisPassword":"P@assw0rd","resources":{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}},"state":"TX","usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | Configuration parameters for setup and initial configuration secret and config layers used by Gluu services. 
| +| config-api | object | `{"additionalAnnotations":{},"additionalLabels":{},"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"janssenproject/config-api","tag":"1.0.0-beta.16"},"livenessProbe":{"httpGet":{"path":"/jans-config-api/api/v1/health/live","port":8074},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5},"readinessProbe":{"httpGet":{"path":"jans-config-api/api/v1/health/ready","port":8074},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"1000m","memory":"400Mi"},"requests":{"cpu":"1000m","memory":"400Mi"}},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | Config Api endpoints can be used to configure the auth-server, which is an open-source OpenID Connect Provider (OP) and UMA Authorization Server (AS). | +| config-api.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | +| config-api.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | +| config-api.dnsConfig | object | `{}` | Add custom dns config | +| config-api.dnsPolicy | string | `""` | Add custom dns policy | +| config-api.hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| config-api.hpa.behavior | object | `{}` | Scaling Policies | +| config-api.hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| config-api.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. 
| +| config-api.image.pullSecrets | list | `[]` | Image Pull Secrets | +| config-api.image.repository | string | `"janssenproject/config-api"` | Image to use for deploying. | +| config-api.image.tag | string | `"1.0.0-beta.16"` | Image tag to use for deploying. | +| config-api.livenessProbe | object | `{"httpGet":{"path":"/jans-config-api/api/v1/health/live","port":8074},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for the auth server if needed. | +| config-api.livenessProbe.httpGet | object | `{"path":"/jans-config-api/api/v1/health/live","port":8074}` | http liveness probe endpoint | +| config-api.readinessProbe.httpGet | object | `{"path":"jans-config-api/api/v1/health/ready","port":8074}` | http readiness probe endpoint | +| config-api.replicas | int | `1` | Service replica number. | +| config-api.resources | object | `{"limits":{"cpu":"1000m","memory":"400Mi"},"requests":{"cpu":"1000m","memory":"400Mi"}}` | Resource specs. | +| config-api.resources.limits.cpu | string | `"1000m"` | CPU limit. | +| config-api.resources.limits.memory | string | `"400Mi"` | Memory limit. | +| config-api.resources.requests.cpu | string | `"1000m"` | CPU request. | +| config-api.resources.requests.memory | string | `"400Mi"` | Memory request. 
| +| config-api.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| config-api.usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| config-api.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| config-api.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| config-api.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | +| config.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | +| config.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | +| config.adminPassword | string | `"Test1234#"` | Admin password to log in to the UI. | +| config.city | string | `"Austin"` | City. Used for certificate creation. | +| config.configmap.cnCacheType | string | `"NATIVE_PERSISTENCE"` | Cache type. `NATIVE_PERSISTENCE`, `REDIS`. or `IN_MEMORY`. Defaults to `NATIVE_PERSISTENCE` . | +| config.configmap.cnClientApiAdminCertCn | string | `"client-api"` | Client-api OAuth client admin certificate common name. This should be left to the default value client-api . | +| config.configmap.cnClientApiApplicationCertCn | string | `"client-api"` | Client-api OAuth client application certificate common name. This should be left to the default value client-api. | +| config.configmap.cnClientApiBindIpAddresses | string | `"*"` | Client-api bind address. This limits what ip ranges can access the client-api. This should be left as * and controlled by a NetworkPolicy | +| config.configmap.cnConfigGoogleSecretNamePrefix | string | `"gluu"` | Prefix for Gluu configuration secret in Google Secret Manager. Defaults to gluu. If left intact gluu-configuration secret will be created. 
Used only when global.configAdapterName and global.configSecretAdapter is set to google. |
+| config.configmap.cnConfigGoogleSecretVersionId | string | `"latest"` | Secret version to be used for configuration. Defaults to latest and should normally always stay that way. Used only when global.configAdapterName and global.configSecretAdapter is set to google. Used only when global.configAdapterName and global.configSecretAdapter is set to google. |
+| config.configmap.cnConfigKubernetesConfigMap | string | `"cn"` | The name of the Kubernetes ConfigMap that will hold the configuration layer |
+| config.configmap.cnCouchbaseBucketPrefix | string | `"jans"` | The prefix of couchbase buckets. This helps with separation in between different environments and allows for the same couchbase cluster to be used by different setups of Gluu. |
+| config.configmap.cnCouchbaseCrt | string | `"SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo="` | Couchbase certificate authority string. This must be encoded using base64. This can also be found in your couchbase UI Security > Root Certificate. In mTLS setups this is not required. |
+| config.configmap.cnCouchbaseIndexNumReplica | int | `0` | The number of replicas per index created. Please note that the number of index nodes must be one greater than the number of index replicas. That means if your couchbase cluster only has 2 index nodes you cannot place the number of replicas to be higher than 1. |
+| config.configmap.cnCouchbasePassword | string | `"P@ssw0rd"` | Couchbase password for the restricted user config.configmap.cnCouchbaseUser that is often used inside the services. The password must contain one digit, one uppercase letter, one lower case letter and one symbol . |
+| config.configmap.cnCouchbaseSuperUser | string | `"admin"` | The Couchbase super user (admin) user name. This user is used during initialization only. 
|
+| config.configmap.cnCouchbaseSuperUserPassword | string | `"Test1234#"` | Couchbase password for the super user config.configmap.cnCouchbaseSuperUser that is used during the initialization process. The password must contain one digit, one uppercase letter, one lower case letter and one symbol |
+| config.configmap.cnCouchbaseUrl | string | `"cbgluu.default.svc.cluster.local"` | Couchbase URL. Used only when global.cnPersistenceType is hybrid or couchbase. This should be in FQDN format for either remote or local Couchbase clusters. The address can be an internal address inside the kubernetes cluster |
+| config.configmap.cnCouchbaseUser | string | `"gluu"` | Couchbase restricted user. Used only when global.cnPersistenceType is hybrid or couchbase. |
+| config.configmap.cnGoogleProjectId | string | `"google-project-to-save-config-and-secrets-to"` | Project id of the google project the secret manager belongs to. Used only when global.configAdapterName and global.configSecretAdapter is set to google. |
+| config.configmap.cnGoogleSecretManagerPassPhrase | string | `"Test1234#"` | Passphrase for Gluu secret in Google Secret Manager. This is used for encrypting and decrypting data from the Google Secret Manager. Used only when global.configAdapterName and global.configSecretAdapter is set to google. |
+| config.configmap.cnGoogleSecretManagerServiceAccount | string | `"SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo="` | Service account with roles roles/secretmanager.admin base64 encoded string. This is used often inside the services to reach the configuration layer. Used only when global.configAdapterName and global.configSecretAdapter is set to google. |
+| config.configmap.cnGoogleSpannerDatabaseId | string | `""` | Google Spanner Database ID. Used only when global.cnPersistenceType is spanner. |
+| config.configmap.cnGoogleSpannerInstanceId | string | `""` | Google Spanner ID. Used only when global.cnPersistenceType is spanner. 
|
+| config.configmap.cnJettyRequestHeaderSize | int | `8192` | Jetty header size in bytes in the auth server |
+| config.configmap.cnLdapUrl | string | `"opendj:1636"` | OpenDJ internal address. Leave as default. Used when `global.cnPersistenceType` is set to `ldap`. |
+| config.configmap.cnMaxRamPercent | string | `"75.0"` | Value passed to Java option -XX:MaxRAMPercentage |
+| config.configmap.cnPersistenceLdapMapping | string | `"default"` | Specify data that should be saved in LDAP (one of default, user, cache, site, token, or session; default to default). Note this environment only takes effect when `global.cnPersistenceType` is set to `hybrid`. |
+| config.configmap.cnRedisSentinelGroup | string | `""` | Redis Sentinel Group. Often set when `config.configmap.cnRedisType` is set to `SENTINEL`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. |
+| config.configmap.cnRedisSslTruststore | string | `""` | Redis SSL truststore. Optional. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. |
+| config.configmap.cnRedisType | string | `"STANDALONE"` | Redis service type. `STANDALONE` or `CLUSTER`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. |
+| config.configmap.cnRedisUrl | string | `"redis.redis.svc.cluster.local:6379"` | Redis URL and port number :. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. |
+| config.configmap.cnRedisUseSsl | bool | `false` | Boolean to use SSL in Redis. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. |
+| config.configmap.cnScimProtectionMode | string | `"OAUTH"` | SCIM protection mode OAUTH|TEST|UMA |
+| config.configmap.cnSecretGoogleSecretNamePrefix | string | `"gluu"` | Prefix for Gluu secret in Google Secret Manager. Defaults to gluu. If left gluu-secret secret will be created. Used only when global.configAdapterName and global.configSecretAdapter is set to google. 
|
+| config.configmap.cnSecretGoogleSecretVersionId | string | `"latest"` | Secret version to be used for secret configuration. Defaults to latest and should normally always stay that way. Used only when global.configAdapterName and global.configSecretAdapter is set to google. |
+| config.configmap.cnSecretKubernetesSecret | string | `"cn"` | Kubernetes secret name holding configuration keys. Used when global.configSecretAdapter is set to kubernetes which is the default. |
+| config.configmap.cnSqlDbDialect | string | `"mysql"` | SQL database dialect. `mysql` or `pgsql` |
+| config.configmap.cnSqlDbHost | string | `"my-release-mysql.default.svc.cluster.local"` | SQL database host uri. |
+| config.configmap.cnSqlDbName | string | `"jans"` | SQL database name. |
+| config.configmap.cnSqlDbPort | int | `3306` | SQL database port. |
+| config.configmap.cnSqlDbTimezone | string | `"UTC"` | SQL database timezone. |
+| config.configmap.cnSqlDbUser | string | `"jans"` | SQL database username. |
+| config.configmap.cnSqldbUserPassword | string | `"Test1234#"` | SQL password injected the secrets . |
+| config.configmap.lbAddr | string | `""` | Loadbalancer address for AWS if the FQDN is not registered. |
+| config.countryCode | string | `"US"` | Country code. Used for certificate creation. |
+| config.dnsConfig | object | `{}` | Add custom dns config |
+| config.dnsPolicy | string | `""` | Add custom dns policy |
+| config.email | string | `"support@gluu.org"` | Email address of the administrator usually. Used for certificate creation. |
+| config.image.pullSecrets | list | `[]` | Image Pull Secrets |
+| config.image.repository | string | `"janssenproject/configurator"` | Image to use for deploying. |
+| config.image.tag | string | `"1.0.0-beta.16"` | Image tag to use for deploying. |
+| config.ldapPassword | string | `"P@ssw0rds"` | LDAP admin password if OpennDJ is used for persistence. 
|
+| config.migration | object | `{"enabled":false,"migrationDataFormat":"ldif","migrationDir":"/ce-migration"}` | CE to CN Migration section |
+| config.migration.enabled | bool | `false` | Boolean flag to enable migration from CE |
+| config.migration.migrationDataFormat | string | `"ldif"` | migration data-format depending on persistence backend. Supported data formats are ldif, couchbase+json, spanner+avro, postgresql+json, and mysql+json. |
+| config.migration.migrationDir | string | `"/ce-migration"` | Directory holding all migration files |
+| config.orgName | string | `"Gluu"` | Organization name. Used for certificate creation. |
+| config.redisPassword | string | `"P@assw0rd"` | Redis admin password if `config.configmap.cnCacheType` is set to `REDIS`. |
+| config.resources | object | `{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}}` | Resource specs. |
+| config.resources.limits.cpu | string | `"300m"` | CPU limit. |
+| config.resources.limits.memory | string | `"300Mi"` | Memory limit. |
+| config.resources.requests.cpu | string | `"300m"` | CPU request. |
+| config.resources.requests.memory | string | `"300Mi"` | Memory request. |
+| config.state | string | `"TX"` | State code. Used for certificate creation. |
+| config.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service. |
+| config.usrEnvs.normal | object | `{}` | Add custom normal envs to the service. variable1: value1 |
+| config.usrEnvs.secret | object | `{}` | Add custom secret envs to the service. 
variable1: value1 |
+| config.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers |
+| config.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod |
+| fido2 | object | `{"additionalAnnotations":{},"additionalLabels":{},"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"janssenproject/fido2","tag":"1.0.0-beta.16"},"livenessProbe":{"httpGet":{"path":"/jans-fido2/sys/health-check","port":"http-fido2"},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5},"readinessProbe":{"httpGet":{"path":"/jans-fido2/sys/health-check","port":"http-fido2"},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"500m","memory":"500Mi"},"requests":{"cpu":"500m","memory":"500Mi"}},"service":{"name":"http-fido2","port":8080},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | FIDO 2.0 (FIDO2) is an open authentication standard that enables leveraging common devices to authenticate to online services in both mobile and desktop environments. 
|
+| fido2.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} |
+| fido2.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} |
+| fido2.dnsConfig | object | `{}` | Add custom dns config |
+| fido2.dnsPolicy | string | `""` | Add custom dns policy |
+| fido2.hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler |
+| fido2.hpa.behavior | object | `{}` | Scaling Policies |
+| fido2.hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set |
+| fido2.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. |
+| fido2.image.pullSecrets | list | `[]` | Image Pull Secrets |
+| fido2.image.repository | string | `"janssenproject/fido2"` | Image to use for deploying. |
+| fido2.image.tag | string | `"1.0.0-beta.16"` | Image tag to use for deploying. |
+| fido2.livenessProbe | object | `{"httpGet":{"path":"/jans-fido2/sys/health-check","port":"http-fido2"},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the liveness healthcheck for the fido2 if needed. |
+| fido2.livenessProbe.httpGet | object | `{"path":"/jans-fido2/sys/health-check","port":"http-fido2"}` | http liveness probe endpoint |
+| fido2.readinessProbe | object | `{"httpGet":{"path":"/jans-fido2/sys/health-check","port":"http-fido2"},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the readiness healthcheck for the fido2 if needed. |
+| fido2.replicas | int | `1` | Service replica number. |
+| fido2.resources | object | `{"limits":{"cpu":"500m","memory":"500Mi"},"requests":{"cpu":"500m","memory":"500Mi"}}` | Resource specs. |
+| fido2.resources.limits.cpu | string | `"500m"` | CPU limit. 
|
+| fido2.resources.limits.memory | string | `"500Mi"` | Memory limit. |
+| fido2.resources.requests.cpu | string | `"500m"` | CPU request. |
+| fido2.resources.requests.memory | string | `"500Mi"` | Memory request. |
+| fido2.service.name | string | `"http-fido2"` | The name of the fido2 port within the fido2 service. Please keep it as default. |
+| fido2.service.port | int | `8080` | Port of the fido2 service. Please keep it as default. |
+| fido2.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service |
+| fido2.usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 |
+| fido2.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 |
+| fido2.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers |
+| fido2.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod |
+| global | object | `{"admin-ui":{"adminUiApiKey":"xxxxxxxxxxx","adminUiApiKeyFile":"/etc/jans/conf/admin_ui_api_key","adminUiManagementKey":"xxxxxxxxxxx","adminUiManagementKeyFile":"/etc/jans/conf/admin_ui_management_key","adminUiProductCode":"xxxxxxxxxxx","adminUiProductCodeFile":"/etc/jans/conf/admin_ui_product_code","adminUiServiceName":"admin-ui","adminUiSharedKey":"xxxxxxxxxxx","adminUiSharedKeyFile":"/etc/jans/conf/admin_ui_shared_key","enabled":false},"alb":{"ingress":false},"auth-server":{"appLoggers":{"auditStatsLogLevel":"INFO","auditStatsLogTarget":"FILE","authLogLevel":"INFO","authLogTarget":"STDOUT","httpLogLevel":"INFO","httpLogTarget":"FILE","ldapStatsLogLevel":"INFO","ldapStatsLogTarget":"FILE","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scriptLogLevel":"INFO","scriptLogTarget":"FILE"},"authEncKeys":"RSA1_5 RSA-OAEP","authServerServiceName":"auth-server","authSigKeys":"RS256 RS384 RS512 ES256 
ES384 ES512 PS256 PS384 PS512","enabled":true},"auth-server-key-rotation":{"enabled":false},"awsStorageType":"io1","azureStorageAccountType":"Standard_LRS","azureStorageKind":"Managed","casa":{"casaServiceName":"casa","enabled":true},"client-api":{"appLoggers":{"clientApiLogLevel":"INFO","clientApiLogTarget":"STDOUT"},"clientApiServerServiceName":"client-api","enabled":false},"cloud":{"testEnviroment":false},"cnDocumentStoreType":"LOCAL","cnGoogleApplicationCredentials":"/etc/jans/conf/google-credentials.json","cnObExtSigningAlias":"","cnObExtSigningJwksCrt":"","cnObExtSigningJwksKey":"","cnObExtSigningJwksKeyPassPhrase":"","cnObExtSigningJwksUri":"","cnObStaticSigningKeyKid":"","cnObTransportAlias":"","cnObTransportCrt":"","cnObTransportKey":"","cnObTransportKeyPassPhrase":"","cnObTransportTrustStore":"","cnPersistenceType":"sql","config":{"enabled":true},"config-api":{"adminUiappLoggers":{"adminUiAuditLogLevel":"INFO","adminUiAuditLogTarget":"FILE","adminUiLogLevel":"INFO","adminUiLogTarget":"FILE"},"appLoggers":{"configApiLogLevel":"INFO","configApiLogTarget":"STDOUT","ldapStatsLogLevel":"INFO","ldapStatsLogTarget":"FILE","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scriptLogLevel":"INFO","scriptLogTarget":"FILE"},"configApiServerServiceName":"config-api","enabled":true},"configAdapterName":"kubernetes","configSecretAdapter":"kubernetes","distribution":"default","fido2":{"appLoggers":{"fido2LogLevel":"INFO","fido2LogTarget":"STDOUT","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE"},"enabled":true,"fido2ServiceName":"fido2"},"fqdn":"demoexample.gluu.org","gcePdStorageType":"pd-standard","isFqdnRegistered":false,"istio":{"additionalAnnotations":{},"additionalLabels":{},"enabled":false,"ingress":false,"namespace":"istio-system"},"lbIp":"22.22.22.22","nginx-ingress":{"enabled":true},"opendj":{"enabled":false,"ldapServiceName":"opendj"},"oxpassport":{"enabled":false,"ox
PassportServiceName":"oxpassport"},"oxshibboleth":{"enabled":false,"oxShibbolethServiceName":"oxshibboleth"},"persistence":{"enabled":true},"scim":{"appLoggers":{"ldapStatsLogLevel":"INFO","ldapStatsLogTarget":"FILE","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scimLogLevel":"INFO","scimLogTarget":"STDOUT","scriptLogLevel":"INFO","scriptLogTarget":"FILE"},"enabled":true,"scimServiceName":"scim"},"storageClass":{"allowVolumeExpansion":true,"allowedTopologies":[],"mountOptions":["debug"],"parameters":{},"provisioner":"microk8s.io/hostpath","reclaimPolicy":"Retain","volumeBindingMode":"WaitForFirstConsumer"},"upgrade":{"enabled":false},"usrEnvs":{"normal":{},"secret":{}}}` | Parameters used globally across all services helm charts. |
+| global.admin-ui.adminUiApiKey | string | `"xxxxxxxxxxx"` | Admin UI license API key. |
+| global.admin-ui.adminUiApiKeyFile | string | `"/etc/jans/conf/admin_ui_api_key"` | Admin UI license API key mount location. |
+| global.admin-ui.adminUiManagementKey | string | `"xxxxxxxxxxx"` | Admin UI license management key. |
+| global.admin-ui.adminUiManagementKeyFile | string | `"/etc/jans/conf/admin_ui_management_key"` | Admin UI license management key mount location. |
+| global.admin-ui.adminUiProductCode | string | `"xxxxxxxxxxx"` | Admin UI license product code. |
+| global.admin-ui.adminUiProductCodeFile | string | `"/etc/jans/conf/admin_ui_product_code"` | Admin UI license product code mount location. |
+| global.admin-ui.adminUiServiceName | string | `"admin-ui"` | Name of the admin-ui service. Please keep it as default. |
+| global.admin-ui.adminUiSharedKey | string | `"xxxxxxxxxxx"` | Admin UI license shared key. |
+| global.admin-ui.adminUiSharedKeyFile | string | `"/etc/jans/conf/admin_ui_shared_key"` | Admin UI license shared key mount location. 
|
+| global.admin-ui.enabled | bool | `false` | Boolean flag to enable/disable the admin-ui chart and admin ui config api plugin. |
+| global.alb.ingress | bool | `false` | Activates ALB ingress |
+| global.auth-server-key-rotation.enabled | bool | `false` | Boolean flag to enable/disable the auth-server-key rotation cronjob chart. |
+| global.auth-server.appLoggers | object | `{"auditStatsLogLevel":"INFO","auditStatsLogTarget":"FILE","authLogLevel":"INFO","authLogTarget":"STDOUT","httpLogLevel":"INFO","httpLogTarget":"FILE","ldapStatsLogLevel":"INFO","ldapStatsLogTarget":"FILE","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scriptLogLevel":"INFO","scriptLogTarget":"FILE"}` | App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. |
+| global.auth-server.appLoggers.auditStatsLogLevel | string | `"INFO"` | jans-auth_audit.log level |
+| global.auth-server.appLoggers.auditStatsLogTarget | string | `"FILE"` | jans-auth_script.log target |
+| global.auth-server.appLoggers.authLogLevel | string | `"INFO"` | jans-auth.log level |
+| global.auth-server.appLoggers.authLogTarget | string | `"STDOUT"` | jans-auth.log target |
+| global.auth-server.appLoggers.httpLogLevel | string | `"INFO"` | http_request_response.log level |
+| global.auth-server.appLoggers.httpLogTarget | string | `"FILE"` | http_request_response.log target |
+| global.auth-server.appLoggers.ldapStatsLogLevel | string | `"INFO"` | jans-auth_persistence_ldap_statistics.log level |
+| global.auth-server.appLoggers.ldapStatsLogTarget | string | `"FILE"` | jans-auth_persistence_ldap_statistics.log target |
+| global.auth-server.appLoggers.persistenceDurationLogLevel | string | `"INFO"` | jans-auth_persistence_duration.log level |
+| global.auth-server.appLoggers.persistenceDurationLogTarget | string | `"FILE"` | jans-auth_persistence_duration.log 
target |
+| global.auth-server.appLoggers.persistenceLogLevel | string | `"INFO"` | jans-auth_persistence.log level |
+| global.auth-server.appLoggers.persistenceLogTarget | string | `"FILE"` | jans-auth_persistence.log target |
+| global.auth-server.appLoggers.scriptLogLevel | string | `"INFO"` | jans-auth_script.log level |
+| global.auth-server.appLoggers.scriptLogTarget | string | `"FILE"` | jans-auth_script.log target |
+| global.auth-server.authEncKeys | string | `"RSA1_5 RSA-OAEP"` | space-separated key algorithm for encryption (default to `RSA1_5 RSA-OAEP`) |
+| global.auth-server.authServerServiceName | string | `"auth-server"` | Name of the auth-server service. Please keep it as default. |
+| global.auth-server.authSigKeys | string | `"RS256 RS384 RS512 ES256 ES384 ES512 PS256 PS384 PS512"` | space-separated key algorithm for signing (default to `RS256 RS384 RS512 ES256 ES384 ES512 PS256 PS384 PS512`) |
+| global.auth-server.enabled | bool | `true` | Boolean flag to enable/disable auth-server chart. You should never set this to false. |
+| global.awsStorageType | string | `"io1"` | Volume storage type if using AWS volumes. |
+| global.azureStorageAccountType | string | `"Standard_LRS"` | Volume storage type if using Azure disks. |
+| global.azureStorageKind | string | `"Managed"` | Azure storage kind if using Azure disks |
+| global.casa.casaServiceName | string | `"casa"` | Name of the casa service. Please keep it as default. |
+| global.casa.enabled | bool | `true` | Boolean flag to enable/disable the casachart. |
+| global.client-api.appLoggers | object | `{"clientApiLogLevel":"INFO","clientApiLogTarget":"STDOUT"}` | App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. 
|
+| global.client-api.appLoggers.clientApiLogLevel | string | `"INFO"` | client-api.log level |
+| global.client-api.appLoggers.clientApiLogTarget | string | `"STDOUT"` | client-api.log target |
+| global.client-api.clientApiServerServiceName | string | `"client-api"` | Name of the client-api service. Please keep it as default. |
+| global.client-api.enabled | bool | `false` | Boolean flag to enable/disable the client-api chart. |
+| global.cloud.testEnviroment | bool | `false` | Boolean flag if enabled will strip resources requests and limits from all services. |
+| global.cnDocumentStoreType | string | `"LOCAL"` | Document store type to use for shibboleth files LOCAL. |
+| global.cnGoogleApplicationCredentials | string | `"/etc/jans/conf/google-credentials.json"` | Base64 encoded service account. The sa must have roles/secretmanager.admin to use Google secrets and roles/spanner.databaseUser to use Spanner. |
+| global.cnObExtSigningAlias | string | `""` | Open banking external signing AS Alias. This is a kid value.Used in SSA Validation, kid used while encoding a JWT sent to token URL i.e XkwIzWy44xWSlcWnMiEc8iq9s2G |
+| global.cnObExtSigningJwksCrt | string | `""` | Open banking external signing jwks AS certificate authority string. Used in SSA Validation. This must be encoded using base64.. Used when `.global.cnObExtSigningJwksUri` is set. |
+| global.cnObExtSigningJwksKey | string | `""` | Open banking external signing jwks AS key string. Used in SSA Validation. This must be encoded using base64. Used when `.global.cnObExtSigningJwksUri` is set. |
+| global.cnObExtSigningJwksKeyPassPhrase | string | `""` | Open banking external signing jwks AS key passphrase to unlock provided key. This must be encoded using base64. Used when `.global.cnObExtSigningJwksUri` is set. |
+| global.cnObExtSigningJwksUri | string | `""` | Open banking external signing jwks uri. Used in SSA Validation. 
|
+| global.cnObStaticSigningKeyKid | string | `""` | Open banking signing AS kid to force the AS to use a specific signing key. i.e Wy44xWSlcWnMiEc8iq9s2G |
+| global.cnObTransportAlias | string | `""` | Open banking transport Alias used inside the JVM. |
+| global.cnObTransportCrt | string | `""` | Open banking AS transport crt. Used in SSA Validation. This must be encoded using base64. |
+| global.cnObTransportKey | string | `""` | Open banking AS transport key. Used in SSA Validation. This must be encoded using base64. |
+| global.cnObTransportKeyPassPhrase | string | `""` | Open banking AS transport key pas`sphrase to unlock AS transport key. This must be encoded using base64. |
+| global.cnObTransportTrustStore | string | `""` | Open banking AS transport truststore crt. This is normally generated from the OB issuing CA, OB Root CA and Signing CA. Used when .global.cnObExtSigningJwksUri is set. Used in SSA Validation. This must be encoded using base64. |
+| global.cnPersistenceType | string | `"sql"` | Persistence backend to run Gluu with ldap|couchbase|hybrid|sql|spanner. 
|
+| global.config-api.adminUiappLoggers.adminUiAuditLogLevel | string | `"INFO"` | config-api admin-ui plugin audit log level |
+| global.config-api.adminUiappLoggers.adminUiAuditLogTarget | string | `"FILE"` | config-api admin-ui plugin audit log target |
+| global.config-api.adminUiappLoggers.adminUiLogLevel | string | `"INFO"` | config-api admin-ui plugin log target |
+| global.config-api.adminUiappLoggers.adminUiLogTarget | string | `"FILE"` | config-api admin-ui plugin log level |
+| global.config-api.appLoggers | object | `{"configApiLogLevel":"INFO","configApiLogTarget":"STDOUT","ldapStatsLogLevel":"INFO","ldapStatsLogTarget":"FILE","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scriptLogLevel":"INFO","scriptLogTarget":"FILE"}` | App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. |
+| global.config-api.appLoggers.configApiLogLevel | string | `"INFO"` | configapi.log level |
+| global.config-api.appLoggers.configApiLogTarget | string | `"STDOUT"` | configapi.log target |
+| global.config-api.appLoggers.ldapStatsLogLevel | string | `"INFO"` | config-api_persistence_ldap_statistics.log level |
+| global.config-api.appLoggers.ldapStatsLogTarget | string | `"FILE"` | config-api_persistence_ldap_statistics.log target |
+| global.config-api.appLoggers.persistenceDurationLogLevel | string | `"INFO"` | config-api_persistence_duration.log level |
+| global.config-api.appLoggers.persistenceDurationLogTarget | string | `"FILE"` | config-api_persistence_duration.log target |
+| global.config-api.appLoggers.persistenceLogLevel | string | `"INFO"` | jans-auth_persistence.log level |
+| global.config-api.appLoggers.persistenceLogTarget | string | `"FILE"` | config-api_persistence.log target |
+| global.config-api.appLoggers.scriptLogLevel | string | `"INFO"` | config-api_script.log level |
+| 
global.config-api.appLoggers.scriptLogTarget | string | `"FILE"` | config-api_script.log target |
+| global.config-api.configApiServerServiceName | string | `"config-api"` | Name of the config-api service. Please keep it as default. |
+| global.config-api.enabled | bool | `true` | Boolean flag to enable/disable the config-api chart. |
+| global.config.enabled | bool | `true` | Boolean flag to enable/disable the configuration chart. This normally should never be false |
+| global.configAdapterName | string | `"kubernetes"` | The config backend adapter that will hold Gluu configuration layer. google|kubernetes |
+| global.configSecretAdapter | string | `"kubernetes"` | The config backend adapter that will hold Gluu secret layer. google|kubernetes |
+| global.distribution | string | `"default"` | Gluu distributions supported are: default|openbanking. |
+| global.fido2.appLoggers | object | `{"fido2LogLevel":"INFO","fido2LogTarget":"STDOUT","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE"}` | App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. |
+| global.fido2.appLoggers.fido2LogLevel | string | `"INFO"` | fido2.log level |
+| global.fido2.appLoggers.fido2LogTarget | string | `"STDOUT"` | fido2.log target |
+| global.fido2.appLoggers.persistenceLogLevel | string | `"INFO"` | fido2_persistence.log level |
+| global.fido2.appLoggers.persistenceLogTarget | string | `"FILE"` | fido2_persistence.log target |
+| global.fido2.enabled | bool | `true` | Boolean flag to enable/disable the fido2 chart. |
+| global.fido2.fido2ServiceName | string | `"fido2"` | Name of the fido2 service. Please keep it as default. |
+| global.fqdn | string | `"demoexample.gluu.org"` | Fully qualified domain name to be used for Gluu installation. This address will be used to reach Gluu services. 
|
+| global.gcePdStorageType | string | `"pd-standard"` | GCE storage kind if using Google disks |
+| global.isFqdnRegistered | bool | `false` | Boolean flag to enable mapping global.lbIp to global.fqdn inside pods on clouds that provide static ip for loadbalancers. On cloud that provide only addresses to the LB this flag will enable a script to actively scan config.configmap.lbAddr and update the hosts file inside the pods automatically. |
+| global.istio.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} |
+| global.istio.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} |
+| global.istio.enabled | bool | `false` | Boolean flag that enables using istio side cars with Gluu services. |
+| global.istio.ingress | bool | `false` | Boolean flag that enables using istio gateway for Gluu. This assumes istio ingress is installed and hence the LB is available. |
+| global.istio.namespace | string | `"istio-system"` | The namespace istio is deployed in. The is normally istio-system. |
+| global.lbIp | string | `"22.22.22.22"` | The Loadbalancer IP created by nginx or istio on clouds that provide static IPs. This is not needed if `global.fqdn` is globally resolvable. |
+| global.nginx-ingress.enabled | bool | `true` | Boolean flag to enable/disable the nginx-ingress definitions chart. |
+| global.opendj.enabled | bool | `false` | Boolean flag to enable/disable the OpenDJ chart. |
+| global.opendj.ldapServiceName | string | `"opendj"` | Name of the OpenDJ service. Please keep it as default. |
+| global.oxpassport.enabled | bool | `false` | Boolean flag to enable/disable passport chart |
+| global.oxpassport.oxPassportServiceName | string | `"oxpassport"` | Name of the oxPassport service. Please keep it as default. 
|
+| global.oxshibboleth.enabled | bool | `false` | Boolean flag to enable/disable the oxShibbboleth chart. Not part of the openbanking distribution. Keep as default.This also enables SAML-related features; UI menu, etc. Not part of the openbanking distribution. Please leave this disabled. |
+| global.oxshibboleth.oxShibbolethServiceName | string | `"oxshibboleth"` | Name of the oxShibboleth service. Please keep it as default. |
+| global.persistence.enabled | bool | `true` | Boolean flag to enable/disable the persistence chart. |
+| global.scim.appLoggers | object | `{"ldapStatsLogLevel":"INFO","ldapStatsLogTarget":"FILE","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scimLogLevel":"INFO","scimLogTarget":"STDOUT","scriptLogLevel":"INFO","scriptLogTarget":"FILE"}` | App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. |
+| global.scim.appLoggers.ldapStatsLogLevel | string | `"INFO"` | jans-scim_persistence_ldap_statistics.log level |
+| global.scim.appLoggers.ldapStatsLogTarget | string | `"FILE"` | jans-scim_persistence_ldap_statistics.log target |
+| global.scim.appLoggers.persistenceDurationLogLevel | string | `"INFO"` | jans-scim_persistence_duration.log level |
+| global.scim.appLoggers.persistenceDurationLogTarget | string | `"FILE"` | jans-scim_persistence_duration.log target |
+| global.scim.appLoggers.persistenceLogLevel | string | `"INFO"` | jans-scim_persistence.log level |
+| global.scim.appLoggers.persistenceLogTarget | string | `"FILE"` | jans-scim_persistence.log target |
+| global.scim.appLoggers.scimLogLevel | string | `"INFO"` | jans-scim.log level |
+| global.scim.appLoggers.scimLogTarget | string | `"STDOUT"` | jans-scim.log target |
+| global.scim.appLoggers.scriptLogLevel | string | `"INFO"` | jans-scim_script.log level |
+| global.scim.appLoggers.scriptLogTarget | string | 
`"FILE"` | jans-scim_script.log target | +| global.scim.enabled | bool | `true` | Boolean flag to enable/disable the SCIM chart. | +| global.scim.scimServiceName | string | `"scim"` | Name of the scim service. Please keep it as default. | +| global.storageClass | object | `{"allowVolumeExpansion":true,"allowedTopologies":[],"mountOptions":["debug"],"parameters":{},"provisioner":"microk8s.io/hostpath","reclaimPolicy":"Retain","volumeBindingMode":"WaitForFirstConsumer"}` | StorageClass section for OpenDJ charts. This is not currently used by the openbanking distribution. You may specify custom parameters as needed. | +| global.storageClass.parameters | object | `{}` | parameters: | +| global.upgrade.enabled | bool | `false` | Boolean flag used when running upgrading through versions command. Used when upgrading with LDAP as the persistence to load the 101x ldif. | +| global.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service. Envs defined in global.userEnvs will be globally available to all services | +| global.usrEnvs.normal | object | `{}` | Add custom normal envs to the service. variable1: value1 | +| global.usrEnvs.secret | object | `{}` | Add custom secret envs to the service. 
variable1: value1 | +| installer-settings | object | `{"acceptLicense":"","aws":{"arn":{"arnAcmCert":"","enabled":""},"lbType":"","vpcCidr":"0.0.0.0/0"},"confirmSettings":false,"couchbase":{"backup":{"fullSchedule":"","incrementalSchedule":"","retentionTime":"","storageSize":""},"clusterName":"","commonName":"","customFileOverride":"","install":"","lowResourceInstall":"","namespace":"","subjectAlternativeName":"","totalNumberOfExpectedTransactionsPerSec":"","totalNumberOfExpectedUsers":"","volumeType":""},"currentVersion":"","google":{"useSecretManager":""},"images":{"edit":""},"ldap":{"backup":{"fullSchedule":""},"multiClusterIds":[],"subsequentCluster":""},"namespace":"","nginxIngress":{"namespace":"","releaseName":""},"nodes":{"ips":"","names":"","zones":""},"openbanking":{"cnObTransportTrustStoreP12password":"","hasCnObTransportTrustStore":false},"postgres":{"install":"","namespace":""},"redis":{"install":"","namespace":""},"releaseName":"","sql":{"install":"","namespace":""},"upgrade":{"image":{"repository":"","tag":""},"targetVersion":""},"volumeProvisionStrategy":""}` | Only used by the installer. 
These settings do not affect nor are used by the chart | +| nginx-ingress | object | `{"ingress":{"additionalAnnotations":{},"additionalLabels":{},"adminUiAdditionalAnnotations":{},"adminUiEnabled":false,"adminUiLabels":{},"authServerAdditionalAnnotations":{},"authServerEnabled":true,"authServerLabels":{},"authServerProtectedRegister":false,"authServerProtectedRegisterAdditionalAnnotations":{},"authServerProtectedRegisterLabels":{},"authServerProtectedToken":false,"authServerProtectedTokenAdditionalAnnotations":{},"authServerProtectedTokenLabels":{},"casaAdditionalAnnotations":{},"casaEnabled":false,"casaLabels":{},"configApiAdditionalAnnotations":{},"configApiEnabled":true,"configApiLabels":{},"deviceCodeAdditionalAnnotations":{},"deviceCodeEnabled":true,"deviceCodeLabels":{},"fido2ConfigAdditionalAnnotations":{},"fido2ConfigEnabled":false,"fido2ConfigLabels":{},"firebaseMessagingAdditionalAnnotations":{},"firebaseMessagingEnabled":true,"firebaseMessagingLabels":{},"hosts":["demoexample.gluu.org"],"openidAdditionalAnnotations":{},"openidConfigEnabled":true,"openidConfigLabels":{},"path":"/","scimAdditionalAnnotations":{},"scimConfigAdditionalAnnotations":{},"scimConfigEnabled":false,"scimConfigLabels":{},"scimEnabled":false,"scimLabels":{},"tls":[{"hosts":["demoexample.gluu.org"],"secretName":"tls-certificate"}],"u2fAdditionalAnnotations":{},"u2fConfigEnabled":true,"u2fConfigLabels":{},"uma2AdditionalAnnotations":{},"uma2ConfigEnabled":true,"uma2ConfigLabels":{},"webdiscoveryAdditionalAnnotations":{},"webdiscoveryEnabled":true,"webdiscoveryLabels":{},"webfingerAdditionalAnnotations":{},"webfingerEnabled":true,"webfingerLabels":{}}}` | Nginx ingress definitions chart | +| nginx-ingress.ingress.additionalAnnotations | object | `{}` | Additional annotations that will be added across all ingress definitions in the format of {cert-manager.io/issuer: "letsencrypt-prod"} Enable client certificate authentication nginx.ingress.kubernetes.io/auth-tls-verify-client: 
"optional" Create the secret containing the trusted ca certificates nginx.ingress.kubernetes.io/auth-tls-secret: "gluu/tls-certificate" Specify the verification depth in the client certificates chain nginx.ingress.kubernetes.io/auth-tls-verify-depth: "1" Specify if certificates are passed to upstream server nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "true" | +| nginx-ingress.ingress.additionalLabels | object | `{}` | Additional labels that will be added across all ingress definitions in the format of {mylabel: "myapp"} | +| nginx-ingress.ingress.adminUiAdditionalAnnotations | object | `{}` | openid-configuration ingress resource additional annotations. | +| nginx-ingress.ingress.adminUiEnabled | bool | `false` | Enable Admin UI endpoints. COMING SOON. | +| nginx-ingress.ingress.adminUiLabels | object | `{}` | Admin UI ingress resource labels. key app is taken. | +| nginx-ingress.ingress.authServerAdditionalAnnotations | object | `{}` | Auth server ingress resource additional annotations. | +| nginx-ingress.ingress.authServerEnabled | bool | `true` | Enable Auth server endpoints /jans-auth | +| nginx-ingress.ingress.authServerLabels | object | `{}` | Auth server ingress resource labels. key app is taken | +| nginx-ingress.ingress.authServerProtectedRegister | bool | `false` | Enable mTLS onn Auth server endpoint /jans-auth/restv1/register | +| nginx-ingress.ingress.authServerProtectedRegisterAdditionalAnnotations | object | `{}` | Auth server protected register ingress resource additional annotations. | +| nginx-ingress.ingress.authServerProtectedRegisterLabels | object | `{}` | Auth server protected token ingress resource labels. key app is taken | +| nginx-ingress.ingress.authServerProtectedToken | bool | `false` | Enable mTLS on Auth server endpoint /jans-auth/restv1/token | +| nginx-ingress.ingress.authServerProtectedTokenAdditionalAnnotations | object | `{}` | Auth server protected token ingress resource additional annotations. 
| +| nginx-ingress.ingress.authServerProtectedTokenLabels | object | `{}` | Auth server protected token ingress resource labels. key app is taken | +| nginx-ingress.ingress.casaAdditionalAnnotations | object | `{}` | Casa ingress resource additional annotations. | +| nginx-ingress.ingress.casaEnabled | bool | `false` | Enable casa endpoints /casa | +| nginx-ingress.ingress.casaLabels | object | `{}` | Casa ingress resource labels. key app is taken | +| nginx-ingress.ingress.configApiAdditionalAnnotations | object | `{}` | ConfigAPI ingress resource additional annotations. | +| nginx-ingress.ingress.configApiLabels | object | `{}` | configAPI ingress resource labels. key app is taken | +| nginx-ingress.ingress.deviceCodeAdditionalAnnotations | object | `{}` | device-code ingress resource additional annotations. | +| nginx-ingress.ingress.deviceCodeEnabled | bool | `true` | Enable endpoint /device-code | +| nginx-ingress.ingress.deviceCodeLabels | object | `{}` | device-code ingress resource labels. key app is taken | +| nginx-ingress.ingress.fido2ConfigAdditionalAnnotations | object | `{}` | fido2 config ingress resource additional annotations. | +| nginx-ingress.ingress.fido2ConfigEnabled | bool | `false` | Enable endpoint /.well-known/fido2-configuration | +| nginx-ingress.ingress.fido2ConfigLabels | object | `{}` | fido2 config ingress resource labels. key app is taken | +| nginx-ingress.ingress.firebaseMessagingAdditionalAnnotations | object | `{}` | Firebase Messaging ingress resource additional annotations. | +| nginx-ingress.ingress.firebaseMessagingEnabled | bool | `true` | Enable endpoint /firebase-messaging-sw.js | +| nginx-ingress.ingress.firebaseMessagingLabels | object | `{}` | Firebase Messaging ingress resource labels. key app is taken | +| nginx-ingress.ingress.openidAdditionalAnnotations | object | `{}` | openid-configuration ingress resource additional annotations. 
| +| nginx-ingress.ingress.openidConfigEnabled | bool | `true` | Enable endpoint /.well-known/openid-configuration | +| nginx-ingress.ingress.openidConfigLabels | object | `{}` | openid-configuration ingress resource labels. key app is taken | +| nginx-ingress.ingress.scimAdditionalAnnotations | object | `{}` | SCIM ingress resource additional annotations. | +| nginx-ingress.ingress.scimConfigAdditionalAnnotations | object | `{}` | SCIM config ingress resource additional annotations. | +| nginx-ingress.ingress.scimConfigEnabled | bool | `false` | Enable endpoint /.well-known/scim-configuration | +| nginx-ingress.ingress.scimConfigLabels | object | `{}` | SCIM config ingress resource labels. key app is taken | +| nginx-ingress.ingress.scimEnabled | bool | `false` | Enable SCIM endpoints /jans-scim | +| nginx-ingress.ingress.scimLabels | object | `{}` | SCIM config ingress resource labels. key app is taken | +| nginx-ingress.ingress.tls | list | `[{"hosts":["demoexample.gluu.org"],"secretName":"tls-certificate"}]` | Secrets holding HTTPS CA cert and key. | +| nginx-ingress.ingress.u2fAdditionalAnnotations | object | `{}` | u2f config ingress resource additional annotations. | +| nginx-ingress.ingress.u2fConfigEnabled | bool | `true` | Enable endpoint /.well-known/fido-configuration | +| nginx-ingress.ingress.u2fConfigLabels | object | `{}` | u2f config ingress resource labels. key app is taken | +| nginx-ingress.ingress.uma2AdditionalAnnotations | object | `{}` | uma2 config ingress resource additional annotations. | +| nginx-ingress.ingress.uma2ConfigEnabled | bool | `true` | Enable endpoint /.well-known/uma2-configuration | +| nginx-ingress.ingress.uma2ConfigLabels | object | `{}` | uma2 config ingress resource labels. key app is taken | +| nginx-ingress.ingress.webdiscoveryAdditionalAnnotations | object | `{}` | webdiscovery ingress resource additional annotations. 
| +| nginx-ingress.ingress.webdiscoveryEnabled | bool | `true` | Enable endpoint /.well-known/simple-web-discovery | +| nginx-ingress.ingress.webdiscoveryLabels | object | `{}` | webdiscovery ingress resource labels. key app is taken | +| nginx-ingress.ingress.webfingerAdditionalAnnotations | object | `{}` | webfinger ingress resource additional annotations. | +| nginx-ingress.ingress.webfingerEnabled | bool | `true` | Enable endpoint /.well-known/webfinger | +| nginx-ingress.ingress.webfingerLabels | object | `{}` | webfinger ingress resource labels. key app is taken | +| opendj | object | `{"additionalAnnotations":{},"additionalLabels":{},"backup":{"cronJobSchedule":"*/59 * * * *","enabled":true},"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"gluufederation/opendj","tag":"5.0.0_dev"},"livenessProbe":{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"failureThreshold":20,"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5},"multiCluster":{"clusterId":"","enabled":false,"namespaceIntId":0,"replicaCount":1,"serfAdvertiseAddrSuffix":"regional.gluu.org:30946","serfKey":"Z51b6PgKU1MZ75NCZOTGGoc0LP2OF3qvF6sjxHyQCYk=","serfPeers":["gluu-opendj-regional-0-regional.gluu.org:30946","gluu-opendj-regional-0-regional.gluu.org:31946"]},"persistence":{"size":"5Gi"},"ports":{"tcp-admin":{"nodePort":"","port":4444,"protocol":"TCP","targetPort":4444},"tcp-ldap":{"nodePort":"","port":1389,"protocol":"TCP","targetPort":1389},"tcp-ldaps":{"nodePort":"","port":1636,"protocol":"TCP","targetPort":1636},"tcp-repl":{"nodePort":"","port":8989,"protocol":"TCP","targetPort":8989},"tcp-serf":{"nodePort":"","port":7946,"protocol":"TCP","targetPort":7946},"udp-serf":{"nodePort":"","port":7946,"protocol":"UDP","targetPort":7946}},"readinessProbe":{"failureThreshold":20,"initialDelaySeconds":60,"periodSeconds
":25,"tcpSocket":{"port":1636},"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"1500m","memory":"2000Mi"},"requests":{"cpu":"1500m","memory":"2000Mi"}},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | OpenDJ is a directory server which implements a wide range of Lightweight Directory Access Protocol and related standards, including full compliance with LDAPv3 but also support for Directory Service Markup Language (DSMLv2).Written in Java, OpenDJ offers multi-master replication, access control, and many extensions. | +| opendj.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | +| opendj.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | +| opendj.backup | object | `{"cronJobSchedule":"*/59 * * * *","enabled":true}` | Configure ldap backup cronjob | +| opendj.dnsConfig | object | `{}` | Add custom dns config | +| opendj.dnsPolicy | string | `""` | Add custom dns policy | +| opendj.hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| opendj.hpa.behavior | object | `{}` | Scaling Policies | +| opendj.hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| opendj.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| opendj.image.pullSecrets | list | `[]` | Image Pull Secrets | +| opendj.image.repository | string | `"gluufederation/opendj"` | Image to use for deploying. | +| opendj.image.tag | string | `"5.0.0_dev"` | Image tag to use for deploying. 
| +| opendj.livenessProbe | object | `{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"failureThreshold":20,"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for OpenDJ if needed. https://github.com/GluuFederation/docker-opendj/blob/master/scripts/healthcheck.py | +| opendj.livenessProbe.exec | object | `{"command":["python3","/app/scripts/healthcheck.py"]}` | Executes the python3 healthcheck. | +| opendj.multiCluster.clusterId | string | `""` | This id needs to be unique to each kubernetes cluster in a multi cluster setup west, east, south, north, region ...etc If left empty it will be randomly generated. | +| opendj.multiCluster.enabled | bool | `false` | Enable OpenDJ multiCluster mode. This flag enables loading keys under `opendj.multiCluster` | +| opendj.multiCluster.namespaceIntId | int | `0` | Namespace int id. This id needs to be a unique number 0-9 per gluu installation per namespace. Used when gluu is installed in the same kubernetes cluster more than once. | +| opendj.multiCluster.replicaCount | int | `1` | The number of opendj non scalabble statefulsets to create. Each pod created must be resolvable as it follows the patterm RELEASE-NAME-opendj-regional-{{statefulset pod number}}-{{ $.Values.multiCluster.serfAdvertiseAddrSuffix }} If set to 1, with a release name of gluu, the address of the pod would be gluu-opendj-regional-0-regional.gluu.org | +| opendj.multiCluster.serfAdvertiseAddrSuffix | string | `"regional.gluu.org:30946"` | OpenDJ Serf advertise address suffix that will be added to each opendj replica. i.e RELEASE-NAME-opendj-regional-{{statefulset pod number}}-{{ $.Values.multiCluster.serfAdvertiseAddrSuffix }} | +| opendj.multiCluster.serfKey | string | `"Z51b6PgKU1MZ75NCZOTGGoc0LP2OF3qvF6sjxHyQCYk="` | Serf key. This key will automatically sync across clusters. 
| +| opendj.multiCluster.serfPeers | list | `["gluu-opendj-regional-0-regional.gluu.org:30946","gluu-opendj-regional-0-regional.gluu.org:31946"]` | Serf peer addresses. One per cluster. | +| opendj.persistence.size | string | `"5Gi"` | OpenDJ volume size | +| opendj.readinessProbe | object | `{"failureThreshold":20,"initialDelaySeconds":60,"periodSeconds":25,"tcpSocket":{"port":1636},"timeoutSeconds":5}` | Configure the readiness healthcheck for OpenDJ if needed. https://github.com/GluuFederation/docker-opendj/blob/master/scripts/healthcheck.py | +| opendj.replicas | int | `1` | Service replica number. | +| opendj.resources | object | `{"limits":{"cpu":"1500m","memory":"2000Mi"},"requests":{"cpu":"1500m","memory":"2000Mi"}}` | Resource specs. | +| opendj.resources.limits.cpu | string | `"1500m"` | CPU limit. | +| opendj.resources.limits.memory | string | `"2000Mi"` | Memory limit. | +| opendj.resources.requests.cpu | string | `"1500m"` | CPU request. | +| opendj.resources.requests.memory | string | `"2000Mi"` | Memory request. 
| +| opendj.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| opendj.usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| opendj.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| opendj.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| opendj.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | +| oxpassport | object | `{"additionalAnnotations":{},"additionalLabels":{},"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"gluufederation/oxpassport","tag":"5.0.0_dev"},"livenessProbe":{"failureThreshold":20,"httpGet":{"path":"/passport/health-check","port":"http-passport"},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5},"readinessProbe":{"failureThreshold":20,"httpGet":{"path":"/passport/health-check","port":"http-passport"},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"700m","memory":"900Mi"},"requests":{"cpu":"700m","memory":"900Mi"}},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | Gluu interface to Passport.js to support social login and inbound identity. 
| +| oxpassport.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | +| oxpassport.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | +| oxpassport.dnsConfig | object | `{}` | Add custom dns config | +| oxpassport.dnsPolicy | string | `""` | Add custom dns policy | +| oxpassport.hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| oxpassport.hpa.behavior | object | `{}` | Scaling Policies | +| oxpassport.hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| oxpassport.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| oxpassport.image.pullSecrets | list | `[]` | Image Pull Secrets | +| oxpassport.image.repository | string | `"gluufederation/oxpassport"` | Image to use for deploying. | +| oxpassport.image.tag | string | `"5.0.0_dev"` | Image tag to use for deploying. | +| oxpassport.livenessProbe | object | `{"failureThreshold":20,"httpGet":{"path":"/passport/health-check","port":"http-passport"},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for oxPassport if needed. | +| oxpassport.livenessProbe.httpGet.path | string | `"/passport/health-check"` | http liveness probe endpoint | +| oxpassport.readinessProbe | object | `{"failureThreshold":20,"httpGet":{"path":"/passport/health-check","port":"http-passport"},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the readiness healthcheck for the oxPassport if needed. 
| +| oxpassport.readinessProbe.httpGet.path | string | `"/passport/health-check"` | http readiness probe endpoint | +| oxpassport.replicas | int | `1` | Service replica number | +| oxpassport.resources | object | `{"limits":{"cpu":"700m","memory":"900Mi"},"requests":{"cpu":"700m","memory":"900Mi"}}` | Resource specs. | +| oxpassport.resources.limits.cpu | string | `"700m"` | CPU limit. | +| oxpassport.resources.limits.memory | string | `"900Mi"` | Memory limit. | +| oxpassport.resources.requests.cpu | string | `"700m"` | CPU request. | +| oxpassport.resources.requests.memory | string | `"900Mi"` | Memory request. | +| oxpassport.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| oxpassport.usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| oxpassport.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| oxpassport.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| oxpassport.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | +| oxshibboleth | object | `{"additionalAnnotations":{},"additionalLabels":{},"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"gluufederation/oxshibboleth","tag":"5.0.0_dev"},"livenessProbe":{"httpGet":{"path":"/idp","port":"http-oxshib"},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5},"readinessProbe":{"httpGet":{"path":"/idp","port":"http-oxshib"},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"1000m","memory":"1000Mi"},"requests":{"cpu":"1000m","memory":"1000Mi"}},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | Shibboleth project for the 
Gluu Server's SAML IDP functionality. | +| oxshibboleth.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | +| oxshibboleth.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | +| oxshibboleth.dnsConfig | object | `{}` | Add custom dns config | +| oxshibboleth.dnsPolicy | string | `""` | Add custom dns policy | +| oxshibboleth.hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| oxshibboleth.hpa.behavior | object | `{}` | Scaling Policies | +| oxshibboleth.hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| oxshibboleth.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| oxshibboleth.image.pullSecrets | list | `[]` | Image Pull Secrets | +| oxshibboleth.image.repository | string | `"gluufederation/oxshibboleth"` | Image to use for deploying. | +| oxshibboleth.image.tag | string | `"5.0.0_dev"` | Image tag to use for deploying. | +| oxshibboleth.livenessProbe | object | `{"httpGet":{"path":"/idp","port":"http-oxshib"},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for the oxShibboleth if needed. | +| oxshibboleth.livenessProbe.httpGet.path | string | `"/idp"` | http liveness probe endpoint | +| oxshibboleth.readinessProbe | object | `{"httpGet":{"path":"/idp","port":"http-oxshib"},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the readiness healthcheck for the casa if needed. | +| oxshibboleth.readinessProbe.httpGet.path | string | `"/idp"` | http liveness probe endpoint | +| oxshibboleth.replicas | int | `1` | Service replica number. 
| +| oxshibboleth.resources | object | `{"limits":{"cpu":"1000m","memory":"1000Mi"},"requests":{"cpu":"1000m","memory":"1000Mi"}}` | Resource specs. | +| oxshibboleth.resources.limits.cpu | string | `"1000m"` | CPU limit. | +| oxshibboleth.resources.limits.memory | string | `"1000Mi"` | Memory limit. | +| oxshibboleth.resources.requests.cpu | string | `"1000m"` | CPU request. | +| oxshibboleth.resources.requests.memory | string | `"1000Mi"` | Memory request. | +| oxshibboleth.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| oxshibboleth.usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| oxshibboleth.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| oxshibboleth.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| oxshibboleth.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | +| persistence | object | `{"additionalAnnotations":{},"additionalLabels":{},"dnsConfig":{},"dnsPolicy":"","image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"janssenproject/persistence-loader","tag":"1.0.0-beta.16"},"resources":{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | Job to generate data and intial config for Gluu Server persistence layer. 
| +| persistence.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | +| persistence.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | +| persistence.dnsConfig | object | `{}` | Add custom dns config | +| persistence.dnsPolicy | string | `""` | Add custom dns policy | +| persistence.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| persistence.image.pullSecrets | list | `[]` | Image Pull Secrets | +| persistence.image.repository | string | `"janssenproject/persistence-loader"` | Image to use for deploying. | +| persistence.image.tag | string | `"1.0.0-beta.16"` | Image tag to use for deploying. | +| persistence.resources | object | `{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}}` | Resource specs. | +| persistence.resources.limits.cpu | string | `"300m"` | CPU limit | +| persistence.resources.limits.memory | string | `"300Mi"` | Memory limit. | +| persistence.resources.requests.cpu | string | `"300m"` | CPU request. | +| persistence.resources.requests.memory | string | `"300Mi"` | Memory request. 
| +| persistence.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| persistence.usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| persistence.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| persistence.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| persistence.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | +| scim | object | `{"additionalAnnotations":{},"additionalLabels":{},"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"janssenproject/scim","tag":"1.0.0-beta.16"},"livenessProbe":{"httpGet":{"path":"/jans-scim/sys/health-check","port":8080},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5},"readinessProbe":{"httpGet":{"path":"/jans-scim/sys/health-check","port":8080},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"1000m","memory":"1000Mi"},"requests":{"cpu":"1000m","memory":"1000Mi"}},"service":{"name":"http-scim","port":8080},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | System for Cross-domain Identity Management (SCIM) version 2.0 | +| scim.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | +| scim.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | +| scim.dnsConfig | object | `{}` | Add custom dns config | +| scim.dnsPolicy | string | `""` | Add custom dns policy | +| scim.hpa | object | 
`{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| scim.hpa.behavior | object | `{}` | Scaling Policies | +| scim.hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| scim.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| scim.image.pullSecrets | list | `[]` | Image Pull Secrets | +| scim.image.repository | string | `"janssenproject/scim"` | Image to use for deploying. | +| scim.image.tag | string | `"1.0.0-beta.16"` | Image tag to use for deploying. | +| scim.livenessProbe | object | `{"httpGet":{"path":"/jans-scim/sys/health-check","port":8080},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for SCIM if needed. | +| scim.livenessProbe.httpGet.path | string | `"/jans-scim/sys/health-check"` | http liveness probe endpoint | +| scim.readinessProbe | object | `{"httpGet":{"path":"/jans-scim/sys/health-check","port":8080},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the readiness healthcheck for the SCIM if needed. | +| scim.readinessProbe.httpGet.path | string | `"/jans-scim/sys/health-check"` | http readiness probe endpoint | +| scim.replicas | int | `1` | Service replica number. | +| scim.resources.limits.cpu | string | `"1000m"` | CPU limit. | +| scim.resources.limits.memory | string | `"1000Mi"` | Memory limit. | +| scim.resources.requests.cpu | string | `"1000m"` | CPU request. | +| scim.resources.requests.memory | string | `"1000Mi"` | Memory request. | +| scim.service.name | string | `"http-scim"` | The name of the scim port within the scim service. Please keep it as default. | +| scim.service.port | int | `8080` | Port of the scim service. Please keep it as default. 
| +| scim.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| scim.usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| scim.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| scim.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| scim.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.7.0](https://github.com/norwoodj/helm-docs/releases/v1.7.0) diff --git a/charts/gluu/gluu/5.0.302/app-readme.md b/charts/gluu/gluu/5.0.302/app-readme.md new file mode 100644 index 000000000..84d58ba8c --- /dev/null +++ b/charts/gluu/gluu/5.0.302/app-readme.md 
@@ -0,0 +1,35 @@
+## Introduction
+The Gluu Server is a container distribution of free open source software (FOSS) for identity and access management (IAM). SaaS, custom, open source and commercial web and mobile applications can leverage a Gluu Server for user authentication, identity information, and policy decisions.
+
+Common use cases include:
+
+- Single sign-on (SSO)
+- Mobile authentication
+- API access management
+- Two-factor authentication (2FA)
+- Customer identity and access management (CIAM)
+- Identity federation
+
+### Free Open Source Software
+The Gluu Server is a FOSS platform for IAM.
+
+### Open Web Standards
+The Gluu Server can be deployed to support the following open standards for authentication, authorization, federated identity, and identity management:
+
+- OAuth 2.0
+- OpenID Connect
+- User Managed Access 2.0 (UMA)
+- SAML 2.0
+- System for Cross-domain Identity Management (SCIM)
+- FIDO Universal 2nd Factor (U2F)
+- FIDO 2.0 / WebAuthn
+- Lightweight Directory Access Protocol (LDAP)
+- Remote Authentication Dial-In User Service (RADIUS)
+
+### Important notes for installation:
+- Make sure to enable `Customize Helm options before install` after clicking the initial `Install` on the top right. When you view your helm options, please uncheck the wait parameter as that conflicts with the post-install hook for the persistence image.
+
+### Quick install on Rancher UI with Docker single node
+- Install the nginx-ingress-controller chart.
+- Install the OpenEBS chart.
+- Install Gluu chart and specify your persistence as ldap.
\ No newline at end of file
diff --git a/charts/gluu/gluu/5.0.302/charts/admin-ui/.helmignore b/charts/gluu/gluu/5.0.302/charts/admin-ui/.helmignore
new file mode 100644
index 000000000..f0c131944
--- /dev/null
+++ b/charts/gluu/gluu/5.0.302/charts/admin-ui/.helmignore
@@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/gluu/gluu/5.0.302/charts/admin-ui/Chart.yaml b/charts/gluu/gluu/5.0.302/charts/admin-ui/Chart.yaml new file mode 100644 index 000000000..b9e43454b --- /dev/null +++ b/charts/gluu/gluu/5.0.302/charts/admin-ui/Chart.yaml @@ -0,0 +1,20 @@ +apiVersion: v2 +appVersion: 5.0.0 +description: Admin GUI. Requires license. +home: https://gluu.org/docs/gluu-server +icon: https://gluu.org/docs/gluu-server/favicon.ico +keywords: +- Autherization +- OpenID +- GUI +kubeVersion: '>=v1.21.0-0' +maintainers: +- email: support@gluu.org + name: Mohammad Abudayyeh + url: https://github.com/moabu +name: admin-ui +sources: +- https://github.com/GluuFederation/docker-gluu-admin-ui +- https://github.com/GluuFederation/flex/tree/main/flex-cn-setup/pygluu/kubernetes/templates/helm/gluu/charts/admin-ui +type: application +version: 5.0.3 diff --git a/charts/gluu/gluu/5.0.302/charts/admin-ui/README.md b/charts/gluu/gluu/5.0.302/charts/admin-ui/README.md new file mode 100644 index 000000000..51554e79f --- /dev/null +++ b/charts/gluu/gluu/5.0.302/charts/admin-ui/README.md 
@@ -0,0 +1,58 @@ +# admin-ui + +![Version: 5.0.3](https://img.shields.io/badge/Version-5.0.3-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.0](https://img.shields.io/badge/AppVersion-5.0.0-informational?style=flat-square) + +Admin GUI. Requires license. + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | support@gluu.org | https://github.com/moabu | + +## Source Code + +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| additionalAnnotations | object | `{}` | Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken | +| additionalLabels | object | `{}` | Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} | +| dnsConfig | object | `{}` | Add custom dns config | +| dnsPolicy | string | `""` | Add custom dns policy | +| hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| hpa.behavior | object | `{}` | Scaling Policies | +| hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| image.pullSecrets | list | `[]` | Image Pull Secrets | +| image.repository | string | `"gluufederation/admin-ui"` | Image to use for deploying. | +| image.tag | string | `"1.0.0-beta.16"` | Image tag to use for deploying. | +| livenessProbe | object | `{"failureThreshold":20,"initialDelaySeconds":60,"periodSeconds":25,"tcpSocket":{"port":8080},"timeoutSeconds":5}` | Configure the liveness healthcheck for the admin ui if needed. 
| +| readinessProbe | object | `{"failureThreshold":20,"initialDelaySeconds":60,"periodSeconds":25,"tcpSocket":{"port":8080},"timeoutSeconds":5}` | Configure the readiness healthcheck for the admin ui if needed. | +| replicas | int | `1` | Service replica number. | +| resources | object | `{"limits":{"cpu":"2500m","memory":"2500Mi"},"requests":{"cpu":"2500m","memory":"2500Mi"}}` | Resource specs. | +| resources.limits.cpu | string | `"2500m"` | CPU limit. | +| resources.limits.memory | string | `"2500Mi"` | Memory limit. | +| resources.requests.cpu | string | `"2500m"` | CPU request. | +| resources.requests.memory | string | `"2500Mi"` | Memory request. | +| service.name | string | `"http-admin-ui"` | The name of the admin ui port within the admin service. Please keep it as default. | +| service.port | int | `8080` | Port of the admin ui service. Please keep it as default. | +| service.sessionAffinity | string | `"None"` | Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP | +| service.sessionAffinityConfig | object | `{"clientIP":{"timeoutSeconds":10800}}` | the maximum session sticky time if sessionAffinity is ClientIP | +| usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| volumes | list | `[]` | | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.7.0](https://github.com/norwoodj/helm-docs/releases/v1.7.0) 
diff --git a/charts/gluu/gluu/5.0.302/charts/admin-ui/templates/_helpers.tpl b/charts/gluu/gluu/5.0.302/charts/admin-ui/templates/_helpers.tpl
new file mode 100644
index 000000000..27e0aa192
--- /dev/null
+++ b/charts/gluu/gluu/5.0.302/charts/admin-ui/templates/_helpers.tpl
@@ -0,0 +1,68 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "admin-ui.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "admin-ui.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "admin-ui.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* + Common labels +*/}} +{{- define "admin-ui.labels" -}} +app: {{ .Release.Name }}-{{ include "admin-ui.name" . }} +helm.sh/chart: {{ include "admin-ui.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Create user custom defined envs +*/}} +{{- define "admin-ui.usr-envs"}} +{{- range $key, $val := .Values.usrEnvs.normal }} +- name: {{ $key }} + value: {{ $val }} +{{- end }} +{{- end }} + +{{/* +Create user custom defined secret envs +*/}} +{{- define "admin-ui.usr-secret-envs"}} +{{- range $key, $val := .Values.usrEnvs.secret }} +- name: {{ $key }} + valueFrom: + secretKeyRef: + name: {{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs + key: {{ $key }} +{{- end }} +{{- end }} 
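Review bot: In `admin-ui.usr-envs` the user-supplied value is rendered unquoted (`value: {{ $val }}`), so a value such as `true` or `8080`, or one containing `: ` or ` #`, is parsed as a non-string or as extra YAML structure, and the Deployment is rejected or rendered differently from what the operator intended. Container env values must be strings, so the line should read `value: {{ $val | quote }}`. The identical line is added in `auth-server-key-rotation.usr-envs` in charts/auth-server-key-rotation/templates/_helpers.tpl later in this patch and needs the same change.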
diff --git a/charts/gluu/gluu/5.0.302/charts/admin-ui/templates/admin-ui-destination-rules.yaml b/charts/gluu/gluu/5.0.302/charts/admin-ui/templates/admin-ui-destination-rules.yaml new file mode 100644 index 000000000..6643bee66 --- /dev/null +++ b/charts/gluu/gluu/5.0.302/charts/admin-ui/templates/admin-ui-destination-rules.yaml @@ -0,0 +1,23 @@ +{{- if .Values.global.istio.enabled }} +# All Rights Reserved © 2021 +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: {{ .Release.Name }}-admin-ui-mtls + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: admin-ui +{{ include "admin-ui.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + host: {{ index .Values "global" "admin-ui" "adminUiServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + trafficPolicy: + tls: + mode: ISTIO_MUTUAL +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.302/charts/admin-ui/templates/admin-ui-virtual-services.yaml b/charts/gluu/gluu/5.0.302/charts/admin-ui/templates/admin-ui-virtual-services.yaml new file mode 100644 index 000000000..ce044cd00 --- /dev/null +++ b/charts/gluu/gluu/5.0.302/charts/admin-ui/templates/admin-ui-virtual-services.yaml 
@@ -0,0 +1,33 @@ +{{- if .Values.global.istio.enabled }} +# All Rights Reserved © 2021 +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: {{ .Release.Name }}-istio-admin-ui + namespace: {{.Release.Namespace}} + labels: + APP_NAME: admin-ui +{{ include "admin-ui.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + hosts: + - {{ .Values.global.fqdn }} + gateways: + - {{ .Release.Name }}-global-gtw # can omit the namespace if gateway is in same namespace as virtual service. + http: + - name: "{{ .Release.Name }}-istio-cn" + match: + - uri: + prefix: "/admin" + route: + - destination: + host: {{ index .Values "global" "admin-ui" "adminUiServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + port: + number: 8080 +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.302/charts/admin-ui/templates/deployment.yml b/charts/gluu/gluu/5.0.302/charts/admin-ui/templates/deployment.yml new file mode 100644 index 000000000..8b2325995 --- /dev/null +++ b/charts/gluu/gluu/5.0.302/charts/admin-ui/templates/deployment.yml 
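Review bot: The destination port in the `/admin` route is hard-coded (`number: 8080`) while the Service in this chart takes its port from `.Values.service.port`, so the route silently breaks if that value is ever changed. Using `number: {{ .Values.service.port }}` keeps the two in step. This route also publishes the admin UI on the shared `global.fqdn` gateway, and nothing in this template restricts who can reach the prefix; if access control is expected to sit in the mesh rather than in the application, that policy is not part of this hunk and is worth confirming.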
@@ -0,0 +1,133 @@ +# All Rights Reserved © 2021 +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "admin-ui.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: admin-ui +{{ include "admin-ui.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + replicas: {{ .Values.replicas }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "admin-ui.name" . }} + template: + metadata: + labels: + APP_NAME: admin-ui + app: {{ .Release.Name }}-{{ include "admin-ui.name" . }} + {{- if .Values.global.istio.ingress }} + annotations: + sidecar.istio.io/rewriteAppHTTPProbers: "true" + {{- end }} + spec: + {{- with .Values.image.pullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + dnsPolicy: {{ .Values.dnsPolicy | quote }} + {{- with .Values.dnsConfig }} + dnsConfig: +{{ toYaml . | indent 8 }} + {{- end }} + containers: + - name: {{ include "admin-ui.name" . }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + image: {{ .Values.image.repository }}:{{ .Values.image.tag }} + env: + {{- include "admin-ui.usr-envs" . | indent 12 }} + {{- include "admin-ui.usr-secret-envs" . 
| indent 12 }} + securityContext: + runAsUser: 1000 + runAsNonRoot: true + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + command: + - /bin/sh + - -c + - | + /usr/bin/python3 /scripts/updatelbip.py & + /app/scripts/entrypoint.sh + {{- end}} + ports: + - name: {{ .Values.service.name }} + containerPort: {{ .Values.service.port }} + envFrom: + - configMapRef: + name: {{ .Release.Name }}-config-cm + {{ if .Values.global.usrEnvs.secret }} + - secretRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + {{ if .Values.global.usrEnvs.normal }} + - configMapRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + volumeMounts: + {{- with .Values.volumeMounts }} +{{- toYaml . | nindent 10 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - mountPath: {{ .Values.global.cnGoogleApplicationCredentials }} + name: google-sa + subPath: google-credentials.json + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "admin-ui.fullname" .}}-updatelbip + mountPath: "/scripts" + {{- end }} + + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + mountPath: "/etc/certs/couchbase.crt" + subPath: couchbase.crt + {{- end }} + {{- end }} + livenessProbe: +{{- toYaml .Values.livenessProbe | nindent 10 }} + readinessProbe: +{{- toYaml .Values.readinessProbe | nindent 10 }} + {{- if or (eq .Values.global.storageClass.provisioner "microk8s.io/hostpath" ) (eq .Values.global.storageClass.provisioner "k8s.io/minikube-hostpath") }} + resources: {} + {{- else 
if .Values.global.cloud.testEnviroment }} + resources: {} + {{- else }} + resources: +{{- toYaml .Values.resources | nindent 10 }} + {{- end }} + {{- if not .Values.global.isFqdnRegistered }} + hostAliases: + - ip: {{ .Values.global.lbIp }} + hostnames: + - {{ .Values.global.fqdn }} + {{- end }} + volumes: + {{- with .Values.volumes }} +{{- toYaml . | nindent 8 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - name: google-sa + secret: + secretName: {{ .Release.Name }}-google-sa + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + secret: + secretName: {{ .Release.Name }}-cb-crt + {{- end }} + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "admin-ui.fullname" . }}-updatelbip + configMap: + name: {{ .Release.Name }}-updatelbip + {{- end }} + \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.302/charts/admin-ui/templates/hpa.yaml b/charts/gluu/gluu/5.0.302/charts/admin-ui/templates/hpa.yaml new file mode 100644 index 000000000..9b620839f --- /dev/null +++ b/charts/gluu/gluu/5.0.302/charts/admin-ui/templates/hpa.yaml 
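Review bot: The container `securityContext` in deployment.yml sets only `runAsUser: 1000` and `runAsNonRoot: true`, which leaves privilege escalation and the runtime's default capability set available to the admin UI container. I would add `allowPrivilegeEscalation: false` and `capabilities: {drop: ["ALL"]}` under the same `securityContext`, and `readOnlyRootFilesystem: true` if the image tolerates it (that cannot be judged from this patch). The two `resources: {}` branches also remove all limits for the hostpath provisioners and for `global.cloud.testEnviroment`, so a comment stating that those branches are meant for local or test clusters only would help whoever reads the template next.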
@@ -0,0 +1,38 @@ +{{ if .Values.hpa.enabled -}} +# All Rights Reserved © 2021 +apiVersion: autoscaling/v1 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "admin-ui.fullname" . }} + labels: + APP_NAME: admin-ui +{{ include "admin-ui.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "admin-ui.fullname" . }} + minReplicas: {{ .Values.hpa.minReplicas }} + maxReplicas: {{ .Values.hpa.maxReplicas }} + {{- if .Values.hpa.targetCPUUtilizationPercentage }} + targetCPUUtilizationPercentage: {{ .Values.hpa.targetCPUUtilizationPercentage }} + {{- else if .Values.hpa.metrics }} + metrics: + {{- with .Values.hpa.metrics }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} + {{- if .Values.hpa.behavior }} + behavior: + {{- with .Values.hpa.behavior }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.302/charts/admin-ui/templates/service.yml b/charts/gluu/gluu/5.0.302/charts/admin-ui/templates/service.yml new file mode 100644 index 000000000..2cb02f0eb --- /dev/null +++ b/charts/gluu/gluu/5.0.302/charts/admin-ui/templates/service.yml 
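Review bot: The manifest declares `apiVersion: autoscaling/v1` but conditionally emits `metrics:` and `behavior:`, which are not fields of the v1 HorizontalPodAutoscaler spec, so setting `hpa.metrics` or `hpa.behavior` will fail validation or be dropped. The chart already requires Kubernetes `>=v1.21.0-0`, where `autoscaling/v2beta2` is served and accepts both fields; with that version the CPU target has to be written as a Resource metric, as sketched below. The object also carries no `namespace: {{ .Release.Namespace }}`, unlike the Deployment it scales.

```yaml
apiVersion: autoscaling/v2beta2
# … unchanged: kind, metadata, scaleTargetRef, minReplicas, maxReplicas …
  {{- if .Values.hpa.targetCPUUtilizationPercentage }}
  metrics:
    - type: Resource
      resource:
        name: cpu
        target:
          type: Utilization
          averageUtilization: {{ .Values.hpa.targetCPUUtilizationPercentage }}
  {{- else if .Values.hpa.metrics }}
# … unchanged: user-supplied metrics block and behavior block …
```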
@@ -0,0 +1,30 @@ +# All Rights Reserved © 2021 +apiVersion: v1 +kind: Service +metadata: + name: {{ index .Values "global" "admin-ui" "adminUiServiceName" }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: admin-ui +{{ include "admin-ui.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + {{- if .Values.global.alb.ingress }} + type: NodePort + {{- end }} + ports: + - port: {{ .Values.service.port }} + name: {{ .Values.service.name }} + selector: + app: {{ .Release.Name }}-{{ include "admin-ui.name" . }} #admin-ui + sessionAffinity: {{ .Values.service.sessionAffinity }} + {{- with .Values.service.sessionAffinityConfig }} + sessionAffinityConfig: +{{ toYaml . | indent 4 }} + {{- end }} diff --git a/charts/gluu/gluu/5.0.302/charts/admin-ui/templates/user-custom-secret-envs.yaml b/charts/gluu/gluu/5.0.302/charts/admin-ui/templates/user-custom-secret-envs.yaml new file mode 100644 index 000000000..95a833ca0 --- /dev/null +++ b/charts/gluu/gluu/5.0.302/charts/admin-ui/templates/user-custom-secret-envs.yaml @@ -0,0 +1,22 @@ +{{ if .Values.usrEnvs.secret }} +# All Rights Reserved © 2021 +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-{{ .Chart.Name }}-user-custom-envs + labels: + APP_NAME: admin-ui +{{ include "admin-ui.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +data: + {{- range $key, $val := .Values.usrEnvs.secret }} + {{ $key }}: {{ $val | b64enc }} + {{- end}} +{{- end}} \ No newline at end of file 
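Review bot: In user-custom-secret-envs.yaml the line `{{ $key }}: {{ $val | b64enc }}` fails to render when a value under `usrEnvs.secret` is not a YAML string (an unquoted number or boolean), because `b64enc` accepts only strings. `{{ $key }}: {{ $val | toString | b64enc }}` keeps the template working for those values. The Secret also omits `namespace: {{ .Release.Namespace }}`, which the Deployment and Service in this chart set explicitly. The same template is added for auth-server-key-rotation later in the patch and has the same two issues.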
diff --git a/charts/gluu/gluu/5.0.302/charts/admin-ui/values.yaml b/charts/gluu/gluu/5.0.302/charts/admin-ui/values.yaml
new file mode 100644
index 000000000..54d622f94
--- /dev/null
+++ b/charts/gluu/gluu/5.0.302/charts/admin-ui/values.yaml
@@ -0,0 +1,82 @@ +# All Rights Reserved © 2021 +# -- Admin GUI. Requires license. +# -- Configure the HorizontalPodAutoscaler +hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} +# -- Add custom normal and secret envs to the service +usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} +# -- Add custom dns policy +dnsPolicy: "" +# -- Add custom dns config +dnsConfig: {} +image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: gluufederation/admin-ui + # -- Image tag to use for deploying. + tag: 1.0.0-beta.16 + # -- Image Pull Secrets + pullSecrets: [ ] +# -- Service replica number. +replicas: 1 +# -- Resource specs. +resources: + limits: + # -- CPU limit. + cpu: 2500m + # -- Memory limit. + memory: 2500Mi + requests: + # -- CPU request. + cpu: 2500m + # -- Memory request. + memory: 2500Mi +service: + # -- The name of the admin ui port within the admin service. Please keep it as default. + name: http-admin-ui + # -- Port of the admin ui service. Please keep it as default. + port: 8080 + # -- Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP + sessionAffinity: None + # -- the maximum session sticky time if sessionAffinity is ClientIP + sessionAffinityConfig: + clientIP: + timeoutSeconds: 10800 +# -- Configure the liveness healthcheck for the admin ui if needed. +livenessProbe: + tcpSocket: + port: 8080 + initialDelaySeconds: 60 + timeoutSeconds: 5 + periodSeconds: 25 + failureThreshold: 20 +# -- Configure the readiness healthcheck for the admin ui if needed. 
+readinessProbe: + tcpSocket: + port: 8080 + initialDelaySeconds: 60 + timeoutSeconds: 5 + periodSeconds: 25 + failureThreshold: 20 +volumes: [] +# -- Configure any additional volumesMounts that need to be attached to the containers +volumeMounts: [] + +# -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} +additionalLabels: { } +# -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken +additionalAnnotations: { } diff --git a/charts/gluu/gluu/5.0.302/charts/auth-server-key-rotation/.helmignore b/charts/gluu/gluu/5.0.302/charts/auth-server-key-rotation/.helmignore new file mode 100644 index 000000000..f0c131944 --- /dev/null +++ b/charts/gluu/gluu/5.0.302/charts/auth-server-key-rotation/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/gluu/gluu/5.0.302/charts/auth-server-key-rotation/Chart.yaml b/charts/gluu/gluu/5.0.302/charts/auth-server-key-rotation/Chart.yaml new file mode 100644 index 000000000..c396b1747 --- /dev/null +++ b/charts/gluu/gluu/5.0.302/charts/auth-server-key-rotation/Chart.yaml 
@@ -0,0 +1,18 @@ +apiVersion: v2 +appVersion: 5.0.0 +description: Responsible for regenerating auth-keys per x hours +home: https://gluu.org/docs/gluu-server +icon: https://gluu.org/docs/gluu-server/favicon.ico +keywords: +- Auth keys Rotation +kubeVersion: '>=v1.21.0-0' +maintainers: +- email: support@gluu.org + name: Mohammad Abudayyeh + url: https://github.com/moabu +name: auth-server-key-rotation +sources: +- https://github.com/JanssenProject/docker-jans-certmanager +- https://github.com/GluuFederation/flex/tree/main/flex-cn-setup/pygluu/kubernetes/templates/helm/gluu/charts/auth-server-key-rotation +type: application +version: 5.0.3 diff --git a/charts/gluu/gluu/5.0.302/charts/auth-server-key-rotation/README.md b/charts/gluu/gluu/5.0.302/charts/auth-server-key-rotation/README.md new file mode 100644 index 000000000..3cb07d314 --- /dev/null +++ b/charts/gluu/gluu/5.0.302/charts/auth-server-key-rotation/README.md 
@@ -0,0 +1,48 @@ +# auth-server-key-rotation + +![Version: 5.0.3](https://img.shields.io/badge/Version-5.0.3-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.0](https://img.shields.io/badge/AppVersion-5.0.0-informational?style=flat-square) + +Responsible for regenerating auth-keys per x hours + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | support@gluu.org | https://github.com/moabu | + +## Source Code + +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| additionalAnnotations | object | `{}` | Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken | +| additionalLabels | object | `{}` | Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} | +| affinity | object | `{}` | | +| dnsConfig | object | `{}` | Add custom dns config | +| dnsPolicy | string | `""` | Add custom dns policy | +| image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| image.pullSecrets | list | `[]` | Image Pull Secrets | +| image.repository | string | `"janssenproject/certmanager"` | Image to use for deploying. | +| image.tag | string | `"1.0.0-beta.16"` | Image tag to use for deploying. | +| keysLife | int | `48` | Auth server key rotation keys life in hours | +| nodeSelector | object | `{}` | | +| resources | object | `{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}}` | Resource specs. 
| +| tolerations | list | `[]` | | +| usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.7.0](https://github.com/norwoodj/helm-docs/releases/v1.7.0) diff --git a/charts/gluu/gluu/5.0.302/charts/auth-server-key-rotation/templates/_helpers.tpl b/charts/gluu/gluu/5.0.302/charts/auth-server-key-rotation/templates/_helpers.tpl new file mode 100644 index 000000000..3f22c7b89 --- /dev/null +++ b/charts/gluu/gluu/5.0.302/charts/auth-server-key-rotation/templates/_helpers.tpl 
@@ -0,0 +1,68 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "auth-server-key-rotation.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "auth-server-key-rotation.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "auth-server-key-rotation.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* + Common labels +*/}} +{{- define "auth-server-key-rotation.labels" -}} +app: {{ .Release.Name }}-{{ include "auth-server-key-rotation.name" . }} +helm.sh/chart: {{ include "auth-server-key-rotation.chart" . 
}} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Create user custom defined envs +*/}} +{{- define "auth-server-key-rotation.usr-envs"}} +{{- range $key, $val := .Values.usrEnvs.normal }} +- name: {{ $key }} + value: {{ $val }} +{{- end }} +{{- end }} + +{{/* +Create user custom defined secret envs +*/}} +{{- define "auth-server-key-rotation.usr-secret-envs"}} +{{- range $key, $val := .Values.usrEnvs.secret }} +- name: {{ $key }} + valueFrom: + secretKeyRef: + name: {{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs + key: {{ $key }} +{{- end }} +{{- end }} diff --git a/charts/gluu/gluu/5.0.302/charts/auth-server-key-rotation/templates/cronjobs.yaml b/charts/gluu/gluu/5.0.302/charts/auth-server-key-rotation/templates/cronjobs.yaml new file mode 100644 index 000000000..0c27cca19 --- /dev/null +++ b/charts/gluu/gluu/5.0.302/charts/auth-server-key-rotation/templates/cronjobs.yaml 
@@ -0,0 +1,96 @@ +kind: CronJob +apiVersion: batch/v1beta1 +metadata: + name: {{ include "auth-server-key-rotation.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: auth-server-key-rotation + release: {{ .Release.Name }} +{{ include "auth-server-key-rotation.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + schedule: "0 */{{ .Values.keysLife }} * * *" + concurrencyPolicy: Forbid + jobTemplate: + spec: + template: + metadata: + annotations: + sidecar.istio.io/inject: "false" + spec: + {{- with .Values.image.pullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + dnsPolicy: {{ .Values.dnsPolicy | quote }} + {{- with .Values.dnsConfig }} + dnsConfig: +{{ toYaml . | indent 12 }} + {{- end }} + containers: + - name: {{ include "auth-server-key-rotation.name" . }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + env: + {{- include "auth-server-key-rotation.usr-envs" . | indent 16 }} + {{- include "auth-server-key-rotation.usr-secret-envs" . | indent 16 }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + volumeMounts: + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - mountPath: {{ .Values.global.cnGoogleApplicationCredentials }} + name: google-sa + subPath: google-credentials.json + {{- end }} + {{- with .Values.volumeMounts }} +{{- toYaml . 
| nindent 16 }} + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + mountPath: "/etc/certs/couchbase.crt" + subPath: couchbase.crt + {{- end }} + {{- end }} + envFrom: + - configMapRef: + name: {{ .Release.Name }}-config-cm + {{ if .Values.global.usrEnvs.secret }} + - secretRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + {{ if .Values.global.usrEnvs.normal }} + - configMapRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + {{- if or (eq .Values.global.storageClass.provisioner "microk8s.io/hostpath" ) (eq .Values.global.storageClass.provisioner "k8s.io/minikube-hostpath") }} + resources: {} + {{- else if .Values.global.cloud.testEnviroment }} + resources: {} + {{- else }} + resources: +{{- toYaml .Values.resources | nindent 16 }} + {{- end }} + args: ["patch", "auth", "--opts", "interval:{{ .Values.keysLife }}"] + volumes: + {{- with .Values.volumes }} +{{- toYaml . | nindent 12 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - name: google-sa + secret: + secretName: {{ .Release.Name }}-google-sa + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + secret: + secretName: {{ .Release.Name }}-cb-crt + {{- end }} + {{- end }} + restartPolicy: Never + diff --git a/charts/gluu/gluu/5.0.302/charts/auth-server-key-rotation/templates/service.yaml b/charts/gluu/gluu/5.0.302/charts/auth-server-key-rotation/templates/service.yaml new file mode 100644 index 000000000..4b1f6ff07 --- /dev/null +++ b/charts/gluu/gluu/5.0.302/charts/auth-server-key-rotation/templates/service.yaml 
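Review bot: The schedule `"0 */{{ .Values.keysLife }} * * *"` in cronjobs.yaml places `keysLife` in the cron hour field, whose range is 0–23, so the default `keysLife: 48` cannot mean "every 48 hours". As far as I can tell the step then matches hour 0 only, so the job would run daily while `interval:{{ .Values.keysLife }}` tells the container 48; for signing-key rotation that mismatch should be deliberate, not accidental. Either restrict `keysLife` to a divisor of 24 and say so next to it in values.yaml, or derive the schedule separately from the key lifetime. `apiVersion: batch/v1beta1` is also deprecated on the `>=v1.21.0-0` clusters this chart targets, where `batch/v1` is available, and the container sets no `securityContext`, unlike the admin-ui Deployment in this patch.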
@@ -0,0 +1,25 @@
+{{- if .Values.global.istio.enabled }}
+# License terms and conditions:
+# https://www.apache.org/licenses/LICENSE-2.0
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "auth-server-key-rotation.fullname" . }}
+ labels:
+{{ include "auth-server-key-rotation.fullname" . | indent 4 }}
+{{- if .Values.additionalLabels }}
+{{ toYaml .Values.additionalLabels | indent 4 }}
+{{- end }}
+{{- if .Values.additionalAnnotations }}
+ annotations:
+{{ toYaml .Values.additionalAnnotations | indent 4 }}
+{{- end }}
+spec:
+ ports:
+ - name: http
+ port: 80
+ targetPort: 8080
+ selector:
+ app: {{ .Release.Name }}-{{ include "auth-server-key-rotation.name" . }}
+ type: ClusterIP
+{{- end }}
\ No newline at end of file
diff --git a/charts/gluu/gluu/5.0.302/charts/auth-server-key-rotation/templates/user-custom-secret-envs.yaml b/charts/gluu/gluu/5.0.302/charts/auth-server-key-rotation/templates/user-custom-secret-envs.yaml
new file mode 100644
index 000000000..097378fd9
--- /dev/null
+++ b/charts/gluu/gluu/5.0.302/charts/auth-server-key-rotation/templates/user-custom-secret-envs.yaml
@@ -0,0 +1,21 @@
+{{ if .Values.usrEnvs.secret }}
+
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ .Release.Name }}-{{ .Chart.Name }}-user-custom-envs
+ labels:
+{{ include "auth-server-key-rotation.labels" . | indent 4 }}
+{{- if .Values.additionalLabels }}
+{{ toYaml .Values.additionalLabels | indent 4 }}
+{{- end }}
+{{- if .Values.additionalAnnotations }}
+ annotations:
+{{ toYaml .Values.additionalAnnotations | indent 4 }}
+{{- end }}
+type: Opaque
+data:
+ {{- range $key, $val := .Values.usrEnvs.secret }}
+ {{ $key }}: {{ $val | b64enc }}
+ {{- end}}
+{{- end}}
\ No newline at end of file
diff --git a/charts/gluu/gluu/5.0.302/charts/auth-server-key-rotation/values.yaml b/charts/gluu/gluu/5.0.302/charts/auth-server-key-rotation/values.yaml
new file mode 100644
index 000000000..e48661c5b
--- /dev/null
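Review bot: Under `labels:` in the key-rotation `service.yaml`, the template renders `include "auth-server-key-rotation.fullname"`, which yields a bare name rather than `key: value` pairs. With `global.istio.enabled` set, the Service metadata would therefore not be a valid label map. The CronJob and Secret templates of this subchart use the labels helper at this position, so the line should read `{{ include "auth-server-key-rotation.labels" . | indent 4 }}`. The Service also omits `namespace: {{ .Release.Namespace }}`, which the CronJob sets.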
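Review bot: In the key-rotation `user-custom-secret-envs.yaml`, `{{ $key }}: {{ $val | b64enc }}` stops rendering when a secret value is written as a number or boolean in values, because `b64enc` expects a string. `{{ $key }}: {{ $val | toString | b64enc | quote }}` is safer. The same line appears in the auth-server `user-custom-secret-envs.yaml` hunk later in this patch. A comment above `data:` stating that these values are taken in plain text from `usrEnvs.secret` would help operators decide whether to supply them through an externally managed Secret instead.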
+++ b/charts/gluu/gluu/5.0.302/charts/auth-server-key-rotation/values.yaml
@@ -0,0 +1,48 @@
+
+# -- Responsible for regenerating auth-keys per x hours
+# -- Add custom normal and secret envs to the service
+usrEnvs:
+ # -- Add custom normal envs to the service
+ # variable1: value1
+ normal: {}
+ # -- Add custom secret envs to the service
+ # variable1: value1
+ secret: {}
+# -- Add custom dns policy
+dnsPolicy: ""
+# -- Add custom dns config
+dnsConfig: {}
+image:
+ # -- Image pullPolicy to use for deploying.
+ pullPolicy: IfNotPresent
+ # -- Image to use for deploying.
+ repository: janssenproject/certmanager
+ # -- Image tag to use for deploying.
+ tag: 1.0.0-beta.16
+ # -- Image Pull Secrets
+ pullSecrets: [ ]
+# -- Auth server key rotation keys life in hours
+keysLife: 48
+# -- Resource specs.
+resources:
+ limits:
+ cpu: 300m
+ memory: 300Mi
+ requests:
+ cpu: 300m
+ memory: 300Mi
+# -- Configure any additional volumes that need to be attached to the pod
+volumes: []
+# -- Configure any additional volumesMounts that need to be attached to the containers
+volumeMounts: []
+
+nodeSelector: {}
+
+tolerations: []
+
+affinity: {}
+
+# -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"}
+additionalLabels: { }
+# -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken
+additionalAnnotations: { }
\ No newline at end of file
diff --git a/charts/gluu/gluu/5.0.302/charts/auth-server/.helmignore b/charts/gluu/gluu/5.0.302/charts/auth-server/.helmignore
new file mode 100644
index 000000000..f0c131944
--- /dev/null
+++ b/charts/gluu/gluu/5.0.302/charts/auth-server/.helmignore
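Review bot: `tag: 1.0.0-beta.16` identifies the key-rotation image by a mutable tag, and with `pullPolicy: IfNotPresent` nodes can end up running different builds if that tag is ever re-pushed. For a component that handles signing keys, consider allowing a digest reference; the CronJob template builds the image as `repository:tag`, so that would need an optional digest value and a template change. The auth-server `values.yaml` hunk later in this patch follows the same pattern. The `nodeSelector`, `tolerations` and `affinity` keys have no `# --` description, and the CronJob template in this patch does not appear to consume them.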
@@ -0,0 +1,21 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
diff --git a/charts/gluu/gluu/5.0.302/charts/auth-server/Chart.yaml b/charts/gluu/gluu/5.0.302/charts/auth-server/Chart.yaml
new file mode 100644
index 000000000..c167cc3b0
--- /dev/null
+++ b/charts/gluu/gluu/5.0.302/charts/auth-server/Chart.yaml
@@ -0,0 +1,22 @@
+apiVersion: v2
+appVersion: 5.0.0
+description: OAuth Authorization Server, the OpenID Connect Provider, the UMA Authorization
+ Server--this is the main Internet facing component of Gluu. It's the service that
+ returns tokens, JWT's and identity assertions. This service must be Internet facing.
+home: https://gluu.org/docs/gluu-server
+icon: https://gluu.org/docs/gluu-server/favicon.ico
+keywords:
+- Autherization
+- OpenID
+kubeVersion: '>=v1.21.0-0'
+maintainers:
+- email: support@gluu.org
+ name: Mohammad Abudayyeh
+ url: https://github.com/moabu
+name: auth-server
+sources:
+- https://github.com/JanssenProject/jans-auth-server
+- https://github.com/JanssenProject/docker-jans-auth-server
+- https://github.com/GluuFederation/flex/tree/main/flex-cn-setup/pygluu/kubernetes/templates/helm/gluu/charts/auth-server
+type: application
+version: 5.0.3
diff --git a/charts/gluu/gluu/5.0.302/charts/auth-server/README.md b/charts/gluu/gluu/5.0.302/charts/auth-server/README.md
new file mode 100644
index 000000000..f32e0e86b
--- /dev/null
+++ b/charts/gluu/gluu/5.0.302/charts/auth-server/README.md
@@ -0,0 +1,60 @@ +# auth-server + +![Version: 5.0.3](https://img.shields.io/badge/Version-5.0.3-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.0](https://img.shields.io/badge/AppVersion-5.0.0-informational?style=flat-square) + +OAuth Authorization Server, the OpenID Connect Provider, the UMA Authorization Server--this is the main Internet facing component of Gluu. It's the service that returns tokens, JWT's and identity assertions. This service must be Internet facing. + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | support@gluu.org | https://github.com/moabu | + +## Source Code + +* +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| additionalAnnotations | object | `{}` | Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken | +| additionalLabels | object | `{}` | Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} | +| dnsConfig | object | `{}` | Add custom dns config | +| dnsPolicy | string | `""` | Add custom dns policy | +| hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| hpa.behavior | object | `{}` | Scaling Policies | +| hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| image.pullSecrets | list | `[]` | Image Pull Secrets | +| image.repository | string | `"janssenproject/auth-server"` | Image to use for deploying. | +| image.tag | string | `"1.0.0-beta.16"` | Image tag to use for deploying. 
| +| livenessProbe | object | `{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for the auth server if needed. | +| livenessProbe.exec | object | `{"command":["python3","/app/scripts/healthcheck.py"]}` | Executes the python3 healthcheck. https://github.com/GluuFederation/docker-oxauth/blob/4.3/scripts/healthcheck.py | +| readinessProbe | object | `{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the readiness healthcheck for the auth server if needed. https://github.com/GluuFederation/docker-oxauth/blob/4.3/scripts/healthcheck.py | +| replicas | int | `1` | Service replica number. | +| resources | object | `{"limits":{"cpu":"2500m","memory":"2500Mi"},"requests":{"cpu":"2500m","memory":"2500Mi"}}` | Resource specs. | +| resources.limits.cpu | string | `"2500m"` | CPU limit. | +| resources.limits.memory | string | `"2500Mi"` | Memory limit. | +| resources.requests.cpu | string | `"2500m"` | CPU request. | +| resources.requests.memory | string | `"2500Mi"` | Memory request. | +| service.name | string | `"http-auth"` | The name of the oxauth port within the oxauth service. Please keep it as default. | +| service.port | int | `8080` | Port of the oxauth service. Please keep it as default. 
| +| service.sessionAffinity | string | `"None"` | Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP | +| service.sessionAffinityConfig | object | `{"clientIP":{"timeoutSeconds":10800}}` | the maximum session sticky time if sessionAffinity is ClientIP | +| usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| volumes | list | `[]` | | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.7.0](https://github.com/norwoodj/helm-docs/releases/v1.7.0) diff --git a/charts/gluu/gluu/5.0.302/charts/auth-server/templates/_helpers.tpl b/charts/gluu/gluu/5.0.302/charts/auth-server/templates/_helpers.tpl new file mode 100644 index 000000000..ecc6ffe0f --- /dev/null +++ b/charts/gluu/gluu/5.0.302/charts/auth-server/templates/_helpers.tpl 
@@ -0,0 +1,68 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "auth-server.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "auth-server.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "auth-server.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* + Common labels +*/}} +{{- define "auth-server.labels" -}} +app: {{ .Release.Name }}-{{ include "auth-server.name" . }} +helm.sh/chart: {{ include "auth-server.chart" . 
}} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Create user custom defined envs +*/}} +{{- define "auth-server.usr-envs"}} +{{- range $key, $val := .Values.usrEnvs.normal }} +- name: {{ $key }} + value: {{ $val }} +{{- end }} +{{- end }} + +{{/* +Create user custom defined secret envs +*/}} +{{- define "auth-server.usr-secret-envs"}} +{{- range $key, $val := .Values.usrEnvs.secret }} +- name: {{ $key }} + valueFrom: + secretKeyRef: + name: {{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs + key: {{ $key }} +{{- end }} +{{- end }} diff --git a/charts/gluu/gluu/5.0.302/charts/auth-server/templates/auth-server-destination-rules.yaml b/charts/gluu/gluu/5.0.302/charts/auth-server/templates/auth-server-destination-rules.yaml new file mode 100644 index 000000000..eb2c36460 --- /dev/null +++ b/charts/gluu/gluu/5.0.302/charts/auth-server/templates/auth-server-destination-rules.yaml @@ -0,0 +1,23 @@ +{{- if .Values.global.istio.enabled }} + +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: {{ .Release.Name }}-auth-server-mtls + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: auth-server +{{ include "auth-server.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + host: {{ index .Values "global" "auth-server" "authServerServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + trafficPolicy: + tls: + mode: ISTIO_MUTUAL +{{- end }} \ No newline at end of file 
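Review bot: In the `auth-server.usr-envs` helper, `value: {{ $val }}` emits the user-supplied value unquoted. A number, a boolean, or a string containing `: ` or ` #` would then change the rendered YAML or be rejected, since container env values must be strings. `value: {{ $val | quote }}` keeps it a string. The `name: {{ $key }}` and `key: {{ $key }}` lines in both helpers would benefit from the same quoting.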
diff --git a/charts/gluu/gluu/5.0.302/charts/auth-server/templates/auth-server-virtual-services.yaml b/charts/gluu/gluu/5.0.302/charts/auth-server/templates/auth-server-virtual-services.yaml
new file mode 100644
index 000000000..67d9e8ba8
--- /dev/null
+++ b/charts/gluu/gluu/5.0.302/charts/auth-server/templates/auth-server-virtual-services.yaml
@@ -0,0 +1,117 @@ +{{- if .Values.global.istio.enabled }} + +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: {{ .Release.Name }}-istio-auth-server + namespace: {{.Release.Namespace}} + labels: + APP_NAME: auth-server +{{ include "auth-server.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + hosts: + - {{ .Values.global.fqdn }} + gateways: + - {{ .Release.Name }}-global-gtw # can omit the namespace if gateway is in same namespace as virtual service. + http: + - name: "{{ .Release.Name }}-istio-openid-config" + match: + - uri: + prefix: "/.well-known/openid-configuration" + rewrite: + uri: "/jans-auth/.well-known/openid-configuration" + route: + - destination: + host: {{ index .Values "global" "auth-server" "authServerServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + port: + number: 8080 + weight: 100 + - name: "{{ .Release.Name }}-istio-device-code" + match: + - uri: + prefix: "/device-code" + rewrite: + uri: "/jans-auth/device_authorization.htm" + route: + - destination: + host: {{ index .Values "global" "auth-server" "authServerServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + port: + number: 8080 + weight: 100 + - name: "{{ .Release.Name }}-istio-firebase-messaging" + match: + - uri: + prefix: "/firebase-messaging-sw.js" + rewrite: + uri: "/jans-auth/firebase-messaging-sw.js" + route: + - destination: + host: {{ index .Values "global" "auth-server" "authServerServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + port: + number: 8080 + weight: 100 + - name: "{{ .Release.Name }}-istio-uma2-config" + match: + - uri: + prefix: "/.well-known/uma2-configuration" + rewrite: + uri: "/jans-auth/restv1/uma2-configuration" + route: + - destination: + host: {{ index .Values "global" "auth-server" 
"authServerServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + port: + number: 8080 + weight: 100 + - name: "{{ .Release.Name }}-istio-webdiscovery" + match: + - uri: + prefix: "/.well-known/simple-web-discovery" + rewrite: + uri: "/jans-auth/.well-known/simple-web-discovery" + route: + - destination: + host: {{ index .Values "global" "auth-server" "authServerServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + port: + number: 8080 + weight: 100 + - name: "{{ .Release.Name }}-istio-cn" + match: + - uri: + prefix: "/jans-auth" + route: + - destination: + host: {{ index .Values "global" "auth-server" "authServerServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + port: + number: 8080 + - name: "{{ .Release.Name }}-istio-webfinger" + match: + - uri: + prefix: "/.well-known/webfinger" + rewrite: + uri: "/jans-auth/.well-known/webfinger" + route: + - destination: + host: {{ index .Values "global" "auth-server" "authServerServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + port: + number: 8080 + weight: 100 + - name: "{{ .Release.Name }}-istio-u2f-config" + match: + - uri: + prefix: "/.well-known/fido-configuration" + rewrite: + uri: "/jans-auth/restv1/fido-configuration" + route: + - destination: + host: {{ index .Values "global" "auth-server" "authServerServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + port: + number: 8080 + weight: 100 +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.302/charts/auth-server/templates/deployment.yml b/charts/gluu/gluu/5.0.302/charts/auth-server/templates/deployment.yml new file mode 100644 index 000000000..7df84899f --- /dev/null +++ b/charts/gluu/gluu/5.0.302/charts/auth-server/templates/deployment.yml 
@@ -0,0 +1,224 @@ + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "auth-server.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: auth-server +{{ include "auth-server.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + replicas: {{ .Values.replicas }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "auth-server.name" . }} + template: + metadata: + labels: + APP_NAME: auth-server + app: {{ .Release.Name }}-{{ include "auth-server.name" . }} + {{- if .Values.global.istio.ingress }} + annotations: + sidecar.istio.io/rewriteAppHTTPProbers: "true" + {{- end }} + spec: + {{- with .Values.image.pullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + dnsPolicy: {{ .Values.dnsPolicy | quote }} + {{- with .Values.dnsConfig }} + dnsConfig: +{{ toYaml . | indent 8 }} + {{- end }} + containers: + - name: {{ include "auth-server.name" . }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + image: {{ .Values.image.repository }}:{{ .Values.image.tag }} + env: + {{- include "auth-server.usr-envs" . | indent 12 }} + {{- include "auth-server.usr-secret-envs" . 
| indent 12 }} + securityContext: + runAsUser: 1000 + runAsNonRoot: true + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + command: + - /bin/sh + - -c + - | + /usr/bin/python3 /scripts/updatelbip.py & + /app/scripts/entrypoint.sh + {{- end}} + ports: + - name: {{ .Values.service.name }} + containerPort: {{ .Values.service.port }} + envFrom: + - configMapRef: + name: {{ .Release.Name }}-config-cm + {{ if .Values.global.usrEnvs.secret }} + - secretRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + {{ if .Values.global.usrEnvs.normal }} + - configMapRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + volumeMounts: + {{- with .Values.volumeMounts }} +{{- toYaml . | nindent 10 }} + {{- end }} + {{ if .Values.global.cnObExtSigningJwksKeyPassPhrase }} + - name: cn-ob-ext-signing-jwks-key-passphrase + mountPath: /etc/certs/ob-ext-signing.pin + subPath: ob-ext-signing.pin + {{- end }} + {{ if .Values.global.cnObExtSigningJwksKey }} + - name: cn-ob-ext-signing-jwks-key + mountPath: /etc/certs/ob-ext-signing.key + subPath: ob-ext-signing.key + {{- end }} + {{ if .Values.global.cnObExtSigningJwksCrt }} + - name: cn-ob-ext-signing-jwks-crt + mountPath: /etc/certs/ob-ext-signing.crt + subPath: ob-ext-signing.crt + {{- end }} + {{ if .Values.global.cnObTransportKeyPassPhrase }} + - name: cn-ob-transport-key-passphrase + mountPath: /etc/certs/ob-transport.pin + subPath: ob-transport.pin + {{- end }} + {{ if .Values.global.cnObTransportKey }} + - name: cn-ob-transport-key + mountPath: /etc/certs/ob-transport.key + subPath: ob-transport.key + {{- end }} + {{ if .Values.global.cnObTransportCrt }} + - name: cn-ob-transport-crt + mountPath: /etc/certs/ob-transport.crt + subPath: ob-transport.crt + {{- end }} + {{ if .Values.global.cnObTransportTrustStore }} + - name: cn-ob-transport-truststore + 
mountPath: /etc/certs/ob-transport-truststore.p12 + subPath: ob-transport-truststore.p12 + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - mountPath: {{ .Values.global.cnGoogleApplicationCredentials }} + name: google-sa + subPath: google-credentials.json + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "auth-server.fullname" .}}-updatelbip + mountPath: "/scripts" + {{- end }} + + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + mountPath: "/etc/certs/couchbase.crt" + subPath: couchbase.crt + {{- end }} + {{- end }} + livenessProbe: +{{- toYaml .Values.livenessProbe | nindent 10 }} + readinessProbe: +{{- toYaml .Values.readinessProbe | nindent 10 }} + {{- if or (eq .Values.global.storageClass.provisioner "microk8s.io/hostpath" ) (eq .Values.global.storageClass.provisioner "k8s.io/minikube-hostpath") }} + resources: {} + {{- else if .Values.global.cloud.testEnviroment }} + resources: {} + {{- else }} + resources: +{{- toYaml .Values.resources | nindent 10 }} + {{- end }} + {{- if not .Values.global.isFqdnRegistered }} + hostAliases: + - ip: {{ .Values.global.lbIp }} + hostnames: + - {{ .Values.global.fqdn }} + {{- end }} + volumes: + {{- with .Values.volumes }} +{{- toYaml . 
| nindent 8 }} + {{- end }} + {{ if .Values.global.cnObExtSigningJwksCrt }} + - name: cn-ob-ext-signing-jwks-crt + secret: + secretName: {{ .Release.Name }}-ob-ext-signing-jwks-crt-key-pin + items: + - key: ob-ext-signing.crt + path: ob-ext-signing.crt + {{- end }} + {{ if .Values.global.cnObExtSigningJwksKey }} + - name: cn-ob-ext-signing-jwks-key + secret: + secretName: {{ .Release.Name }}-ob-ext-signing-jwks-crt-key-pin + items: + - key: ob-ext-signing.key + path: ob-ext-signing.key + {{- end }} + {{ if .Values.global.cnObExtSigningJwksKeyPassPhrase }} + - name: cn-ob-ext-signing-jwks-key-passphrase + secret: + secretName: {{ .Release.Name }}-ob-ext-signing-jwks-crt-key-pin + items: + - key: ob-ext-signing.pin + path: ob-ext-signing.pin + {{- end }} + {{ if .Values.global.cnObTransportCrt }} + - name: cn-ob-transport-crt + secret: + secretName: {{ .Release.Name }}-ob-transport-crt-key-pin + items: + - key: ob-transport.crt + path: ob-transport.crt + {{- end }} + {{ if .Values.global.cnObTransportKey }} + - name: cn-ob-transport-key + secret: + secretName: {{ .Release.Name }}-ob-transport-crt-key-pin + items: + - key: ob-transport.key + path: ob-transport.key + {{- end }} + {{ if .Values.global.cnObTransportKeyPassPhrase }} + - name: cn-ob-transport-key-passphrase + secret: + secretName: {{ .Release.Name }}-ob-transport-crt-key-pin + items: + - key: ob-transport.pin + path: ob-transport.pin + {{- end }} + {{ if .Values.global.cnObTransportTrustStore }} + - name: cn-ob-transport-truststore + secret: + secretName: {{ .Release.Name }}-ob-transport-truststore + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - name: google-sa + secret: + secretName: {{ .Release.Name }}-google-sa + {{- end }} + + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + secret: + secretName: {{ 
.Release.Name }}-cb-crt + {{- end }} + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "auth-server.fullname" . }}-updatelbip + configMap: + name: {{ .Release.Name }}-updatelbip + {{- end }} + \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.302/charts/auth-server/templates/hpa.yaml b/charts/gluu/gluu/5.0.302/charts/auth-server/templates/hpa.yaml new file mode 100644 index 000000000..c639b6086 --- /dev/null +++ b/charts/gluu/gluu/5.0.302/charts/auth-server/templates/hpa.yaml @@ -0,0 +1,38 @@ +{{ if .Values.hpa.enabled -}} + +apiVersion: autoscaling/v1 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "auth-server.fullname" . }} + labels: + APP_NAME: auth-server +{{ include "auth-server.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "auth-server.fullname" . }} + minReplicas: {{ .Values.hpa.minReplicas }} + maxReplicas: {{ .Values.hpa.maxReplicas }} + {{- if .Values.hpa.targetCPUUtilizationPercentage }} + targetCPUUtilizationPercentage: {{ .Values.hpa.targetCPUUtilizationPercentage }} + {{- else if .Values.hpa.metrics }} + metrics: + {{- with .Values.hpa.metrics }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} + {{- if .Values.hpa.behavior }} + behavior: + {{- with .Values.hpa.behavior }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.302/charts/auth-server/templates/service.yml b/charts/gluu/gluu/5.0.302/charts/auth-server/templates/service.yml new file mode 100644 index 000000000..906a680be 
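Review bot: The container `securityContext` in `deployment.yml` sets only `runAsUser: 1000` and `runAsNonRoot: true`; for the Internet-facing token service I would also add `allowPrivilegeEscalation: false` and `capabilities: {drop: ["ALL"]}`. The `secret:` volumes that carry `ob-ext-signing.key`, `ob-transport.key` and the `.pin` files set no `defaultMode`, so they get the default file mode. A tighter mode would be preferable, together with whatever `fsGroup` is needed so that UID 1000 can still read them. `image: {{ .Values.image.repository }}:{{ .Values.image.tag }}` is unquoted here, whereas the CronJob template in this patch quotes it.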
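Review bot: `apiVersion: autoscaling/v1` in `hpa.yaml` does not define `metrics` or `behavior`, so the two optional blocks at the end of `spec` cannot take effect as written. If a user clears `targetCPUUtilizationPercentage` and sets `hpa.metrics`, the rendered object carries fields the v1 schema does not know. Either select the API version from the cluster, for example with `{{- if .Capabilities.APIVersions.Has "autoscaling/v2" }}`, or drop the two blocks and the matching values. The `metadata` also lacks `namespace: {{ .Release.Namespace }}`, unlike the Deployment it targets.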
--- /dev/null
+++ b/charts/gluu/gluu/5.0.302/charts/auth-server/templates/service.yml
@@ -0,0 +1,30 @@
+
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ index .Values "global" "auth-server" "authServerServiceName" }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ APP_NAME: auth-server
+{{ include "auth-server.labels" . | indent 4 }}
+{{- if .Values.additionalLabels }}
+{{ toYaml .Values.additionalLabels | indent 4 }}
+{{- end }}
+{{- if .Values.additionalAnnotations }}
+ annotations:
+{{ toYaml .Values.additionalAnnotations | indent 4 }}
+{{- end }}
+spec:
+ {{- if .Values.global.alb.ingress }}
+ type: NodePort
+ {{- end }}
+ ports:
+ - port: {{ .Values.service.port }}
+ name: {{ .Values.service.name }}
+ selector:
+ app: {{ .Release.Name }}-{{ include "auth-server.name" . }} #auth-server
+ sessionAffinity: {{ .Values.service.sessionAffinity }}
+ {{- with .Values.service.sessionAffinityConfig }}
+ sessionAffinityConfig:
+{{ toYaml . | indent 4 }}
+ {{- end }}
diff --git a/charts/gluu/gluu/5.0.302/charts/auth-server/templates/user-custom-secret-envs.yaml b/charts/gluu/gluu/5.0.302/charts/auth-server/templates/user-custom-secret-envs.yaml
new file mode 100644
index 000000000..a041f9f9a
--- /dev/null
+++ b/charts/gluu/gluu/5.0.302/charts/auth-server/templates/user-custom-secret-envs.yaml
@@ -0,0 +1,22 @@
+{{ if .Values.usrEnvs.secret }}
+
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ .Release.Name }}-{{ .Chart.Name }}-user-custom-envs
+ labels:
+ APP_NAME: auth-server
+{{ include "auth-server.labels" . | indent 4 }}
+{{- if .Values.additionalLabels }}
+{{ toYaml .Values.additionalLabels | indent 4 }}
+{{- end }}
+{{- if .Values.additionalAnnotations }}
+ annotations:
+{{ toYaml .Values.additionalAnnotations | indent 4 }}
+{{- end }}
+type: Opaque
+data:
+ {{- range $key, $val := .Values.usrEnvs.secret }}
+ {{ $key }}: {{ $val | b64enc }}
+ {{- end}}
+{{- end}}
\ No newline at end of file
diff --git a/charts/gluu/gluu/5.0.302/charts/auth-server/values.yaml b/charts/gluu/gluu/5.0.302/charts/auth-server/values.yaml
new file mode 100644
index 000000000..02d7e7298
--- /dev/null
+++ b/charts/gluu/gluu/5.0.302/charts/auth-server/values.yaml
@@ -0,0 +1,87 @@
+
+# -- OAuth Authorization Server, the OpenID Connect Provider, the UMA Authorization Server--this is the main Internet facing component of Gluu. It's the service that returns tokens, JWT's and identity assertions. This service must be Internet facing.
+# -- Configure the HorizontalPodAutoscaler
+hpa:
+ enabled: true
+ minReplicas: 1
+ maxReplicas: 10
+ targetCPUUtilizationPercentage: 50
+ # -- metrics if targetCPUUtilizationPercentage is not set
+ metrics: []
+ # -- Scaling Policies
+ behavior: {}
+# -- Add custom normal and secret envs to the service
+usrEnvs:
+ # -- Add custom normal envs to the service
+ # variable1: value1
+ normal: {}
+ # -- Add custom secret envs to the service
+ # variable1: value1
+ secret: {}
+# -- Add custom dns policy
+dnsPolicy: ""
+# -- Add custom dns config
+dnsConfig: {}
+image:
+ # -- Image pullPolicy to use for deploying.
+ pullPolicy: IfNotPresent
+ # -- Image to use for deploying.
+ repository: janssenproject/auth-server
+ # -- Image tag to use for deploying.
+ tag: 1.0.0-beta.16
+ # -- Image Pull Secrets
+ pullSecrets: [ ]
+# -- Service replica number.
+replicas: 1
+# -- Resource specs.
+resources:
+ limits:
+ # -- CPU limit.
+ cpu: 2500m
+ # -- Memory limit.
+ memory: 2500Mi
+ requests:
+ # -- CPU request.
+ cpu: 2500m
+ # -- Memory request.
+ memory: 2500Mi
+service:
+ # -- The name of the oxauth port within the oxauth service. Please keep it as default.
+ name: http-auth
+ # -- Port of the oxauth service. Please keep it as default.
+ port: 8080
+ # -- Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP
+ sessionAffinity: None
+ # -- the maximum session sticky time if sessionAffinity is ClientIP
+ sessionAffinityConfig:
+ clientIP:
+ timeoutSeconds: 10800
+# -- Configure the liveness healthcheck for the auth server if needed.
+livenessProbe:
+ # -- Executes the python3 healthcheck.
+ # https://github.com/GluuFederation/docker-oxauth/blob/4.3/scripts/healthcheck.py
+ exec:
+ command:
+ - python3
+ - /app/scripts/healthcheck.py
+ initialDelaySeconds: 30
+ periodSeconds: 30
+ timeoutSeconds: 5
+# -- Configure the readiness healthcheck for the auth server if needed.
+# https://github.com/GluuFederation/docker-oxauth/blob/4.3/scripts/healthcheck.py
+readinessProbe:
+ exec:
+ command:
+ - python3
+ - /app/scripts/healthcheck.py
+ initialDelaySeconds: 25
+ periodSeconds: 25
+ timeoutSeconds: 5
+volumes: []
+# -- Configure any additional volumesMounts that need to be attached to the containers
+volumeMounts: []
+
+# -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"}
+additionalLabels: { }
+# -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken
+additionalAnnotations: { }
diff --git a/charts/gluu/gluu/5.0.302/charts/casa/.helmignore b/charts/gluu/gluu/5.0.302/charts/casa/.helmignore
new file mode 100644
index 000000000..50af03172
--- /dev/null
+++ b/charts/gluu/gluu/5.0.302/charts/casa/.helmignore
@@ -0,0 +1,22 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/charts/gluu/gluu/5.0.302/charts/casa/Chart.yaml b/charts/gluu/gluu/5.0.302/charts/casa/Chart.yaml
new file mode 100644
index 000000000..3a1390b1e
--- /dev/null
+++ b/charts/gluu/gluu/5.0.302/charts/casa/Chart.yaml
@@ -0,0 +1,22 @@ +apiVersion: v2 +appVersion: 5.0.0 +description: Gluu Casa ("Casa") is a self-service web portal for end-users to manage + authentication and authorization preferences for their account in a Gluu Server. +home: https://gluu.org/docs/casa/ +icon: https://casa.gluu.org/wp-content/themes/gluucasa/casafavicon.ico +keywords: +- casa +- 2FA +- passwordless +kubeVersion: '>=v1.21.0-0' +maintainers: +- email: support@gluu.org + name: Mohammad Abudayyeh + url: https://github.com/moabu +name: casa +sources: +- https://gluu.org/docs/casa/ +- https://github.com/GluuFederation/docker-casa +- https://github.com/GluuFederation/flex/tree/main/flex-cn-setup/pygluu/kubernetes/templates/helm/gluu/charts/casa +type: application +version: 5.0.3 diff --git a/charts/gluu/gluu/5.0.302/charts/casa/README.md b/charts/gluu/gluu/5.0.302/charts/casa/README.md new file mode 100644 index 000000000..69978c025 --- /dev/null +++ b/charts/gluu/gluu/5.0.302/charts/casa/README.md 
@@ -0,0 +1,65 @@ +# casa + +![Version: 5.0.3](https://img.shields.io/badge/Version-5.0.3-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.0](https://img.shields.io/badge/AppVersion-5.0.0-informational?style=flat-square) + +Gluu Casa ("Casa") is a self-service web portal for end-users to manage authentication and authorization preferences for their account in a Gluu Server. + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | support@gluu.org | https://github.com/moabu | + +## Source Code + +* +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| additionalAnnotations | object | `{}` | Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken | +| additionalLabels | object | `{}` | Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} | +| dnsConfig | object | `{}` | Add custom dns config | +| dnsPolicy | string | `""` | Add custom dns policy | +| fullnameOverride | string | `""` | | +| hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| hpa.behavior | object | `{}` | Scaling Policies | +| hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| image.pullSecrets | list | `[]` | Image Pull Secrets | +| image.repository | string | `"gluufederation/casa"` | Image to use for deploying. | +| image.tag | string | `"5.0.0_dev"` | Image tag to use for deploying. 
| +| livenessProbe | object | `{"httpGet":{"path":"/casa/health-check","port":"http-casa"},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the liveness healthcheck for casa if needed. | +| livenessProbe.httpGet.path | string | `"/casa/health-check"` | http liveness probe endpoint | +| nameOverride | string | `""` | | +| podSecurityContext | object | `{}` | | +| readinessProbe | object | `{"httpGet":{"path":"/casa/health-check","port":"http-casa"},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the readiness healthcheck for the casa if needed. | +| readinessProbe.httpGet.path | string | `"/casa/health-check"` | http readiness probe endpoint | +| replicas | int | `1` | Service replica number. | +| resources | object | `{"limits":{"cpu":"500m","memory":"500Mi"},"requests":{"cpu":"500m","memory":"500Mi"}}` | Resource specs. | +| resources.limits.cpu | string | `"500m"` | CPU limit. | +| resources.limits.memory | string | `"500Mi"` | Memory limit. | +| resources.requests.cpu | string | `"500m"` | CPU request. | +| resources.requests.memory | string | `"500Mi"` | Memory request. | +| securityContext | object | `{}` | | +| service.name | string | `"http-casa"` | The name of the casa port within the casa service. Please keep it as default. | +| service.port | int | `8080` | Port of the casa service. Please keep it as default. 
| +| service.sessionAffinity | string | `"None"` | Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP | +| service.sessionAffinityConfig | object | `{"clientIP":{"timeoutSeconds":10800}}` | the maximum session sticky time if sessionAffinity is ClientIP | +| usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.7.0](https://github.com/norwoodj/helm-docs/releases/v1.7.0) diff --git a/charts/gluu/gluu/5.0.302/charts/casa/templates/_helpers.tpl b/charts/gluu/gluu/5.0.302/charts/casa/templates/_helpers.tpl new file mode 100644 index 000000000..07d38cacf --- /dev/null +++ b/charts/gluu/gluu/5.0.302/charts/casa/templates/_helpers.tpl 
@@ -0,0 +1,79 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "casa.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "casa.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "casa.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Common labels +*/}} +{{- define "casa.labels" -}} +app: {{ .Release.Name }}-{{ include "casa.name" . }} +helm.sh/chart: {{ include "casa.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Create the name of the service account to use +*/}} +{{- define "casa.serviceAccountName" -}} +{{- if .Values.serviceAccount.create -}} + {{ default (include "casa.fullname" .) 
.Values.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.serviceAccount.name }} +{{- end -}} +{{- end -}} + +{{/* +Create user custom defined envs +*/}} +{{- define "casa.usr-envs"}} +{{- range $key, $val := .Values.usrEnvs.normal }} +- name: {{ $key }} + value: {{ $val }} +{{- end }} +{{- end }} + +{{/* +Create user custom defined secret envs +*/}} +{{- define "casa.usr-secret-envs"}} +{{- range $key, $val := .Values.usrEnvs.secret }} +- name: {{ $key }} + valueFrom: + secretKeyRef: + name: {{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs + key: {{ $key }} +{{- end }} +{{- end }} diff --git a/charts/gluu/gluu/5.0.302/charts/casa/templates/casa-destination-rules.yaml b/charts/gluu/gluu/5.0.302/charts/casa/templates/casa-destination-rules.yaml new file mode 100644 index 000000000..8299817e8 --- /dev/null +++ b/charts/gluu/gluu/5.0.302/charts/casa/templates/casa-destination-rules.yaml @@ -0,0 +1,23 @@ +{{- if .Values.global.istio.enabled }} + +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: {{ .Release.Name }}-casa-mtls + namespace: {{.Release.Namespace}} + labels: + APP_NAME: casa +{{ include "casa.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + host: {{ .Values.global.casa.casaServiceName }}.{{ .Release.Namespace }}.svc.cluster.local + trafficPolicy: + tls: + mode: ISTIO_MUTUAL +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.302/charts/casa/templates/casa-virtual-services.yaml b/charts/gluu/gluu/5.0.302/charts/casa/templates/casa-virtual-services.yaml new file mode 100644 index 000000000..22f992780 --- /dev/null +++ b/charts/gluu/gluu/5.0.302/charts/casa/templates/casa-virtual-services.yaml 
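Review bot: In `casa.usr-envs` the user-supplied value is rendered unquoted (`value: {{ $val }}`), so a value such as `true`, `1234`, or one containing `: ` or `#` is parsed as a non-string or as extra YAML structure. The Deployment is then rejected, or it carries fields the operator did not intend. Render it as `value: {{ $val | quote }}`. `client-api.usr-envs` later in this patch has the identical line and needs the same change.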
@@ -0,0 +1,34 @@
+{{- if .Values.global.istio.ingress }}
+
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+ name: {{ .Release.Name }}-istio-casa
+ namespace: {{.Release.Namespace}}
+ labels:
+ APP_NAME: casa
+{{ include "casa.labels" . | indent 4 }}
+{{- if .Values.additionalLabels }}
+{{ toYaml .Values.additionalLabels | indent 4 }}
+{{- end }}
+{{- if .Values.additionalAnnotations }}
+ annotations:
+{{ toYaml .Values.additionalAnnotations | indent 4 }}
+{{- end }}
+spec:
+ gateways:
+ - {{ .Release.Name }}-global-gtw
+ hosts:
+ - {{ .Values.global.fqdn }}
+ http:
+ - name: {{ .Release.Name }}-istio-casa
+ match:
+ - uri:
+ exact: /casa
+ route:
+ - destination:
+ host: {{ .Values.global.casa.casaServiceName }}.{{.Release.Namespace}}.svc.cluster.local
+ port:
+ number: 8080
+ weight: 100
+{{- end }}
diff --git a/charts/gluu/gluu/5.0.302/charts/casa/templates/deployment.yaml b/charts/gluu/gluu/5.0.302/charts/casa/templates/deployment.yaml
new file mode 100644
index 000000000..3e7629ac3
--- /dev/null
+++ b/charts/gluu/gluu/5.0.302/charts/casa/templates/deployment.yaml
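Review bot: The route match is `exact: /casa`, which covers only that single path; requests to anything below it, such as the `/casa/health-check` endpoint the chart's own probes use, are not matched by this VirtualService. If no other rule routes the subpaths, `prefix: /casa` is presumably what was meant. The destination port is also hard-coded as `number: 8080` while service.yaml takes it from `.Values.service.port`; `number: {{ .Values.service.port }}` keeps the two in step.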
@@ -0,0 +1,138 @@ + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "casa.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: casa +{{ include "casa.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + replicas: {{ .Values.replicas }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "casa.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + template: + metadata: + labels: + APP_NAME: casa + app: {{ .Release.Name }}-{{ include "casa.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- if .Values.global.istio.ingress }} + annotations: + sidecar.istio.io/rewriteAppHTTPProbers: "true" + {{- end }} + spec: + dnsPolicy: {{ .Values.dnsPolicy | quote }} + {{- with .Values.dnsConfig }} + dnsConfig: +{{ toYaml . | indent 8 }} + {{- end }} + + {{- with .Values.image.pullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + securityContext: + {{- toYaml .Values.podSecurityContext | nindent 8 }} + containers: + - name: {{ include "casa.name" . }} + securityContext: + {{- toYaml .Values.securityContext | nindent 12 }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + env: + {{- include "casa.usr-envs" . | indent 12 }} + {{- include "casa.usr-secret-envs" . 
| indent 12 }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + command: + - /bin/sh + - -c + - | + /usr/bin/python3 /scripts/updatelbip.py & + /app/scripts/entrypoint.sh + {{- end }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + ports: + - name: {{ .Values.service.name }} + containerPort: {{ .Values.service.port}} + protocol: TCP + envFrom: + - configMapRef: + name: {{ .Release.Name }}-config-cm + {{ if .Values.global.usrEnvs.secret }} + - secretRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + {{ if .Values.global.usrEnvs.normal }} + - configMapRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + volumeMounts: + {{- with .Values.volumeMounts }} +{{- toYaml . | nindent 12 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - mountPath: {{ .Values.global.cnGoogleApplicationCredentials }} + name: google-sa + subPath: google-credentials.json + {{- end }} + + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "casa.fullname" .}}-updatelbip + mountPath: "/scripts" + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + mountPath: "/etc/certs/couchbase.crt" + subPath: couchbase.crt + {{- end }} + {{- end }} + livenessProbe: +{{- toYaml .Values.livenessProbe | nindent 12 }} + readinessProbe: +{{- toYaml .Values.readinessProbe | nindent 12 }} + {{- if or (eq .Values.global.storageClass.provisioner "microk8s.io/hostpath" ) (eq .Values.global.storageClass.provisioner "k8s.io/minikube-hostpath") }} + resources: {} + {{- 
else if .Values.global.cloud.testEnviroment }} + resources: {} + {{- else }} + resources: +{{- toYaml .Values.resources | nindent 12 }} + {{- end }} + volumes: + {{- with .Values.volumes }} +{{- toYaml . | nindent 8 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - name: google-sa + secret: + secretName: {{ .Release.Name }}-google-sa + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + secret: + secretName: {{ .Release.Name }}-cb-crt + {{- end }} + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "casa.fullname" . }}-updatelbip + configMap: + name: {{ .Release.Name }}-updatelbip + {{- end }} + {{- if not .Values.global.isFqdnRegistered }} + hostAliases: + - ip: {{ .Values.global.lbIp }} + hostnames: + - {{ .Values.global.fqdn }} + {{- end }} diff --git a/charts/gluu/gluu/5.0.302/charts/casa/templates/hpa.yaml b/charts/gluu/gluu/5.0.302/charts/casa/templates/hpa.yaml new file mode 100644 index 000000000..a75bfcfdd --- /dev/null +++ b/charts/gluu/gluu/5.0.302/charts/casa/templates/hpa.yaml 
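Review bot: The pod and container `securityContext` blocks are rendered entirely from `.Values.podSecurityContext` and `.Values.securityContext`, and the casa values.yaml in this patch ships both as `{}` with the hardening lines commented out. A default install therefore runs the casa container with whatever user and capabilities the image defines. The client-api deployment in the same patch pins `runAsUser: 1000` and `runAsNonRoot: true`. Casa should get a comparable default in values.yaml, for example `runAsNonRoot: true` and `allowPrivilegeEscalation: false`, assuming the image can run as a non-root user, which is not visible here.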
@@ -0,0 +1,38 @@
+{{ if .Values.hpa.enabled -}}
+
+apiVersion: autoscaling/v1
+kind: HorizontalPodAutoscaler
+metadata:
+ name: {{ include "casa.fullname" . }}
+ labels:
+ APP_NAME: casa
+{{ include "casa.labels" . | indent 4 }}
+{{- if .Values.additionalLabels }}
+{{ toYaml .Values.additionalLabels | indent 4 }}
+{{- end }}
+{{- if .Values.additionalAnnotations }}
+ annotations:
+{{ toYaml .Values.additionalAnnotations | indent 4 }}
+{{- end }}
+spec:
+ scaleTargetRef:
+ apiVersion: apps/v1
+ kind: Deployment
+ name: {{ include "casa.fullname" . }}
+ minReplicas: {{ .Values.hpa.minReplicas }}
+ maxReplicas: {{ .Values.hpa.maxReplicas }}
+ {{- if .Values.hpa.targetCPUUtilizationPercentage }}
+ targetCPUUtilizationPercentage: {{ .Values.hpa.targetCPUUtilizationPercentage }}
+ {{- else if .Values.hpa.metrics }}
+ metrics:
+ {{- with .Values.hpa.metrics }}
+{{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- end }}
+ {{- if .Values.hpa.behavior }}
+ behavior:
+ {{- with .Values.hpa.behavior }}
+{{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/gluu/gluu/5.0.302/charts/casa/templates/service.yaml b/charts/gluu/gluu/5.0.302/charts/casa/templates/service.yaml
new file mode 100644
index 000000000..6f8bbf7fb
--- /dev/null
+++ b/charts/gluu/gluu/5.0.302/charts/casa/templates/service.yaml
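Review bot: The manifest declares `apiVersion: autoscaling/v1` but can emit `metrics:` and `behavior:` under `spec`, and neither field exists in the v1 HorizontalPodAutoscaler schema. With the default values only `targetCPUUtilizationPercentage` is rendered, so the problem appears only when an operator sets `hpa.behavior`, or clears the CPU target to use `hpa.metrics`. The API server then rejects or drops those fields, and the autoscaler does not behave as the values describe. Since the chart requires Kubernetes `>=v1.21.0-0`, a v2 API version (`apiVersion: autoscaling/v2beta2`) with the CPU target expressed as a `metrics` entry would make all three branches valid; otherwise the two branches should be removed.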
@@ -0,0 +1,31 @@ + +apiVersion: v1 +kind: Service +metadata: + name: {{ .Values.global.casa.casaServiceName }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: casa +{{ include "casa.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + {{- if .Values.global.alb.ingress }} + type: NodePort + {{- end }} + ports: + - port: {{ .Values.service.port }} + name: {{ .Values.service.name }} + selector: + app: {{ .Release.Name }}-{{ include "casa.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + sessionAffinity: {{ .Values.service.sessionAffinity }} + {{- with .Values.service.sessionAffinityConfig }} + sessionAffinityConfig: +{{ toYaml . | indent 4 }} + {{- end }} diff --git a/charts/gluu/gluu/5.0.302/charts/casa/templates/user-custom-secret-envs.yaml b/charts/gluu/gluu/5.0.302/charts/casa/templates/user-custom-secret-envs.yaml new file mode 100644 index 000000000..9e97d3104 --- /dev/null +++ b/charts/gluu/gluu/5.0.302/charts/casa/templates/user-custom-secret-envs.yaml @@ -0,0 +1,22 @@ +{{ if .Values.usrEnvs.secret }} + +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-{{ .Chart.Name }}-user-custom-envs + labels: + APP_NAME: casa +{{ include "casa.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +data: + {{- range $key, $val := .Values.usrEnvs.secret }} + {{ $key }}: {{ $val | b64enc }} + {{- end}} +{{- end}} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.302/charts/casa/values.yaml b/charts/gluu/gluu/5.0.302/charts/casa/values.yaml new file mode 100644 index 000000000..617263064 --- /dev/null 
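Review bot: In user-custom-secret-envs.yaml, `{{ $val | b64enc }}` accepts only a string, so a secret supplied as a number or boolean (for example through `--set`) makes the render fail. Convert first: `{{ $key }}: {{ $val | toString | b64enc }}`. The Secret also carries no `namespace:` while the Deployment that references it sets `namespace: {{ .Release.Namespace }}`; adding the same line keeps the two together when the manifests are rendered with `helm template` and applied by other tooling.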
+++ b/charts/gluu/gluu/5.0.302/charts/casa/values.yaml 
@@ -0,0 +1,98 @@ +# -- Gluu Casa ("Casa") is a self-service web portal for end-users to manage authentication and authorization preferences for their account in a Gluu Server. +# -- Configure the HorizontalPodAutoscaler +hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} +# -- Add custom normal and secret envs to the service +usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} +# -- Add custom dns policy +dnsPolicy: "" +# -- Add custom dns config +dnsConfig: {} +image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: gluufederation/casa + # -- Image tag to use for deploying. + tag: 5.0.0_dev + # -- Image Pull Secrets + pullSecrets: [ ] +# -- Service replica number. +replicas: 1 +# -- Resource specs. +resources: + limits: + # -- CPU limit. + cpu: 500m + # -- Memory limit. + memory: 500Mi + requests: + # -- CPU request. + cpu: 500m + # -- Memory request. + memory: 500Mi +service: + # -- Port of the casa service. Please keep it as default. + port: 8080 + # -- The name of the casa port within the casa service. Please keep it as default. + name: http-casa + # -- Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP + sessionAffinity: None + # -- the maximum session sticky time if sessionAffinity is ClientIP + sessionAffinityConfig: + clientIP: + timeoutSeconds: 10800 +# -- Configure the liveness healthcheck for casa if needed. 
+livenessProbe: + httpGet: + # -- http liveness probe endpoint + path: /casa/health-check + port: http-casa + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 +# -- Configure the readiness healthcheck for the casa if needed. +readinessProbe: + httpGet: + # -- http readiness probe endpoint + path: /casa/health-check + port: http-casa + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 +# -- Configure any additional volumes that need to be attached to the pod +volumes: [] +# -- Configure any additional volumesMounts that need to be attached to the containers +volumeMounts: [] + +nameOverride: "" +fullnameOverride: "" + +podSecurityContext: {} + # fsGroup: 2000 + +securityContext: {} + # capabilities: + # drop: + # - ALL + # readOnlyRootFilesystem: true + # runAsNonRoot: true + # runAsUser: 1000 + +# -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} +additionalLabels: { } +# -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken +additionalAnnotations: { } \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.302/charts/client-api/.helmignore b/charts/gluu/gluu/5.0.302/charts/client-api/.helmignore new file mode 100644 index 000000000..f0c131944 --- /dev/null +++ b/charts/gluu/gluu/5.0.302/charts/client-api/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/gluu/gluu/5.0.302/charts/client-api/Chart.yaml b/charts/gluu/gluu/5.0.302/charts/client-api/Chart.yaml new file mode 100644 index 000000000..385070e6b --- /dev/null 
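Review bot: The default image is `gluufederation/casa` at `tag: 5.0.0_dev` with `pullPolicy: IfNotPresent`. The tag name suggests a moving development build. If it is, each node keeps whichever build it pulled first, replicas can run different code, and the running image cannot be tied to a reviewed artifact. Default to a released tag, and consider letting the deployment template accept a digest reference so operators can pin the image.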
+++ b/charts/gluu/gluu/5.0.302/charts/client-api/Chart.yaml @@ -0,0 +1,23 @@ +apiVersion: v2 +appVersion: 5.0.0 +description: Middleware API to help application developers call an OAuth, OpenID or + UMA server. You may wonder why this is necessary. It makes it easier for client + developers to use OpenID signing and encryption features, without becoming crypto + experts. This API provides some high level endpoints to do some of the heavy lifting. +home: https://gluu.org/docs/oxd +icon: https://gluu.org/docs/gluu-server/favicon.ico +keywords: +- client +- API +kubeVersion: '>=v1.21.0-0' +maintainers: +- email: support@gluu.org + name: Mohammad Abudayyeh + url: https://github.com/moabu +name: client-api +sources: +- https://github.com/JanssenProject/jans/jans-client-api +- https://github.com/JanssenProject/jans/docker-jans-client-api +- https://github.com/GluuFederation/flex/tree/main/flex-cn-setup/pygluu/kubernetes/templates/helm/gluu/charts/client-api +type: application +version: 5.0.3 diff --git a/charts/gluu/gluu/5.0.302/charts/client-api/README.md b/charts/gluu/gluu/5.0.302/charts/client-api/README.md new file mode 100644 index 000000000..d589c9d89 --- /dev/null +++ b/charts/gluu/gluu/5.0.302/charts/client-api/README.md 
@@ -0,0 +1,61 @@ +# client-api + +![Version: 5.0.3](https://img.shields.io/badge/Version-5.0.3-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.0](https://img.shields.io/badge/AppVersion-5.0.0-informational?style=flat-square) + +Middleware API to help application developers call an OAuth, OpenID or UMA server. You may wonder why this is necessary. It makes it easier for client developers to use OpenID signing and encryption features, without becoming crypto experts. This API provides some high level endpoints to do some of the heavy lifting. + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | support@gluu.org | https://github.com/moabu | + +## Source Code + +* +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| additionalAnnotations | object | `{}` | Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken | +| additionalLabels | object | `{}` | Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} | +| affinity | object | `{}` | | +| dnsConfig | object | `{}` | Add custom dns config | +| dnsPolicy | string | `""` | Add custom dns policy | +| hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| hpa.behavior | object | `{}` | Scaling Policies | +| hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. 
| +| image.pullSecrets | list | `[]` | Image Pull Secrets | +| image.repository | string | `"janssenproject/client-api"` | Image to use for deploying. | +| image.tag | string | `"1.0.0-beta.16"` | Image tag to use for deploying. | +| livenessProbe | object | `{"exec":{"command":["curl","-k","https://localhost:8443/health-check"]},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for the auth server if needed. | +| livenessProbe.exec | object | `{"command":["curl","-k","https://localhost:8443/health-check"]}` | Executes the python3 healthcheck. | +| nodeSelector | object | `{}` | | +| readinessProbe | object | `{"initialDelaySeconds":60,"periodSeconds":25,"tcpSocket":{"port":8443},"timeoutSeconds":5}` | Configure the readiness healthcheck for the auth server if needed. | +| replicas | int | `1` | Service replica number. | +| resources | object | `{"limits":{"cpu":"1000m","memory":"400Mi"},"requests":{"cpu":"1000m","memory":"400Mi"}}` | Resource specs. | +| resources.limits.cpu | string | `"1000m"` | CPU limit. | +| resources.limits.memory | string | `"400Mi"` | Memory limit. | +| resources.requests.cpu | string | `"1000m"` | CPU request. | +| resources.requests.memory | string | `"400Mi"` | Memory request. 
| +| service.sessionAffinity | string | `"None"` | Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP | +| service.sessionAffinityConfig | object | `{"clientIP":{"timeoutSeconds":10800}}` | the maximum session sticky time if sessionAffinity is ClientIP | +| tolerations | list | `[]` | | +| usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.7.0](https://github.com/norwoodj/helm-docs/releases/v1.7.0) diff --git a/charts/gluu/gluu/5.0.302/charts/client-api/templates/_helpers.tpl b/charts/gluu/gluu/5.0.302/charts/client-api/templates/_helpers.tpl new file mode 100644 index 000000000..67460b0fb --- /dev/null +++ b/charts/gluu/gluu/5.0.302/charts/client-api/templates/_helpers.tpl 
@@ -0,0 +1,68 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "client-api.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "client-api.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "client-api.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* + Common labels +*/}} +{{- define "client-api.labels" -}} +app: {{ .Release.Name }}-{{ include "client-api.name" . }} +helm.sh/chart: {{ include "client-api.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Create user custom defined envs +*/}} +{{- define "client-api.usr-envs"}} +{{- range $key, $val := .Values.usrEnvs.normal }} +- name: {{ $key }} + value: {{ $val }} +{{- end }} +{{- end }} + +{{/* +Create user custom defined secret envs +*/}} +{{- define "client-api.usr-secret-envs"}} +{{- range $key, $val := .Values.usrEnvs.secret }} +- name: {{ $key }} + valueFrom: + secretKeyRef: + name: {{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs + key: {{ $key }} +{{- end }} +{{- end }} 
diff --git a/charts/gluu/gluu/5.0.302/charts/client-api/templates/client-api-destination-rules.yaml b/charts/gluu/gluu/5.0.302/charts/client-api/templates/client-api-destination-rules.yaml new file mode 100644 index 000000000..0246c9257 --- /dev/null +++ b/charts/gluu/gluu/5.0.302/charts/client-api/templates/client-api-destination-rules.yaml @@ -0,0 +1,23 @@ +{{- if .Values.global.istio.enabled }} + +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: {{ .Release.Name }}-client-api-mtls + namespace: {{.Release.Namespace}} + labels: + APP_NAME: client-api +{{ include "client-api.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + host: {{ index .Values "global" "client-api" "clientApiServerServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + trafficPolicy: + tls: + mode: ISTIO_MUTUAL +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.302/charts/client-api/templates/deployment.yaml b/charts/gluu/gluu/5.0.302/charts/client-api/templates/deployment.yaml new file mode 100644 index 000000000..b906ebd57 --- /dev/null +++ b/charts/gluu/gluu/5.0.302/charts/client-api/templates/deployment.yaml 
@@ -0,0 +1,137 @@
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ include "client-api.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ APP_NAME: client-api
+{{ include "client-api.labels" . | indent 4 }}
+{{- if .Values.additionalLabels }}
+{{ toYaml .Values.additionalLabels | indent 4 }}
+{{- end }}
+{{- if .Values.additionalAnnotations }}
+ annotations:
+{{ toYaml .Values.additionalAnnotations | indent 4 }}
+{{- end }}
+spec:
+ replicas: {{ .Values.replicas }}
+ selector:
+ matchLabels:
+ app: {{ .Release.Name }}-{{ include "client-api.name" . }}
+ release: {{ .Release.Name }}
+ template:
+ metadata:
+ labels:
+ APP_NAME: client-api
+ app: {{ .Release.Name }}-{{ include "client-api.name" . }}
+ release: {{ .Release.Name }}
+ {{- if .Values.global.istio.ingress }}
+ annotations:
+ sidecar.istio.io/rewriteAppHTTPProbers: "true"
+ {{- end }}
+ spec:
+ {{- with .Values.image.pullSecrets }}
+ imagePullSecrets:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ dnsPolicy: {{ .Values.dnsPolicy | quote }}
+ {{- with .Values.dnsConfig }}
+ dnsConfig:
+{{ toYaml . | indent 8 }}
+ {{- end }}
+ containers:
+ - name: {{ include "client-api.name" . }}
+ image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+ env:
+ {{- include "client-api.usr-envs" . | indent 12 }}
+ {{- include "client-api.usr-secret-envs" . | indent 12 }}
+ securityContext:
+ runAsUser: 1000
+ runAsNonRoot: true
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }}
+ command:
+ - /bin/sh
+ - -c
+ - |
+ /usr/bin/python3 /scripts/updatelbip.py &
+ /app/scripts/entrypoint.sh
+ {{- end }}
+ ports:
+ - containerPort: 8444
+ - containerPort: 8443
+ envFrom:
+ - configMapRef:
+ name: {{ .Release.Name }}-config-cm
+ {{ if .Values.global.usrEnvs.secret }}
+ - secretRef:
+ name: {{ .Release.Name }}-global-user-custom-envs
+ {{- end }}
+ {{ if .Values.global.usrEnvs.normal }}
+ - configMapRef:
+ name: {{ .Release.Name }}-global-user-custom-envs
+ {{- end }}
+ livenessProbe:
+{{- toYaml .Values.livenessProbe | nindent 12 }}
+ readinessProbe:
+{{- toYaml .Values.readinessProbe | nindent 12 }}
+ volumeMounts:
+ {{- with .Values.volumeMounts }}
+{{- toYaml . | nindent 12 }}
+ {{- end }}
+ {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }}
+ - mountPath: {{ .Values.global.cnGoogleApplicationCredentials }}
+ name: google-sa
+ subPath: google-credentials.json
+ {{- end }}
+
+ {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }}
+ {{- if not .Values.global.istio.enabled }}
+ - name: cb-crt
+ mountPath: "/etc/certs/couchbase.crt"
+ subPath: couchbase.crt
+ {{- end }}
+ {{- end }}
+ {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }}
+ - name: {{ include "client-api.name" . }}-updatelbip
+ mountPath: /scripts
+ {{- end }}
+ {{- if or (eq .Values.global.storageClass.provisioner "microk8s.io/hostpath" ) (eq .Values.global.storageClass.provisioner "k8s.io/minikube-hostpath") }}
+ resources: {}
+ {{- else if .Values.global.cloud.testEnviroment }}
+ resources: {}
+ {{- else }}
+ resources:
+{{- toYaml .Values.resources | nindent 12 }}
+ {{- end }}
+ volumes:
+ {{- with .Values.volumes }}
+{{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }}
+ - name: google-sa
+ secret:
+ secretName: {{ .Release.Name }}-google-sa
+ {{- end }}
+
+ {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }}
+
+ {{- if not .Values.global.istio.enabled }}
+ - name: cb-crt
+ secret:
+ secretName: {{ .Release.Name }}-cb-crt
+ {{- end }}
+ {{- end }}
+ {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }}
+ - name: {{ include "client-api.name" . }}-updatelbip
+ configMap:
+ name: {{ .Release.Name }}-updatelbip
+ {{- end }}
+ {{- if not .Values.global.isFqdnRegistered }}
+ hostAliases:
+ - ip: {{ .Values.global.lbIp }}
+ hostnames:
+ - {{ .Values.global.fqdn }}
+ {{- end }}
+
diff --git a/charts/gluu/gluu/5.0.302/charts/client-api/templates/hpa.yaml b/charts/gluu/gluu/5.0.302/charts/client-api/templates/hpa.yaml
new file mode 100644
index 000000000..71a622f41
--- /dev/null
+++ b/charts/gluu/gluu/5.0.302/charts/client-api/templates/hpa.yaml
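Review bot: The container `securityContext` sets only `runAsUser: 1000` and `runAsNonRoot: true`, so nothing stops a process in the container from gaining privileges through setuid binaries, and the default capability set is kept. Add `allowPrivilegeEscalation: false` and `capabilities: {drop: ["ALL"]}` under the same key, and consider `readOnlyRootFilesystem: true` if the image tolerates it, which this patch does not show. The `hostAliases` entries also render `.Values.global.lbIp` and `.Values.global.fqdn` unquoted, so piping both through `quote` would keep an unusual value from changing the YAML type. The config-api `deployment.yaml` hunk later in this patch has the identical `securityContext` and `hostAliases` blocks.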
@@ -0,0 +1,38 @@
+{{ if .Values.hpa.enabled -}}
+
+apiVersion: autoscaling/v1
+kind: HorizontalPodAutoscaler
+metadata:
+ name: {{ include "client-api.fullname" . }}
+ labels:
+ APP_NAME: client-api
+{{ include "client-api.labels" . | indent 4 }}
+{{- if .Values.additionalLabels }}
+{{ toYaml .Values.additionalLabels | indent 4 }}
+{{- end }}
+{{- if .Values.additionalAnnotations }}
+ annotations:
+{{ toYaml .Values.additionalAnnotations | indent 4 }}
+{{- end }}
+spec:
+ scaleTargetRef:
+ apiVersion: apps/v1
+ kind: Deployment
+ name: {{ include "client-api.fullname" . }}
+ minReplicas: {{ .Values.hpa.minReplicas }}
+ maxReplicas: {{ .Values.hpa.maxReplicas }}
+ {{- if .Values.hpa.targetCPUUtilizationPercentage }}
+ targetCPUUtilizationPercentage: {{ .Values.hpa.targetCPUUtilizationPercentage }}
+ {{- else if .Values.hpa.metrics }}
+ metrics:
+ {{- with .Values.hpa.metrics }}
+{{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- end }}
+ {{- if .Values.hpa.behavior }}
+ behavior:
+ {{- with .Values.hpa.behavior }}
+{{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/gluu/gluu/5.0.302/charts/client-api/templates/networkpolicy.yaml b/charts/gluu/gluu/5.0.302/charts/client-api/templates/networkpolicy.yaml
new file mode 100644
index 000000000..27f04416d
--- /dev/null
+++ b/charts/gluu/gluu/5.0.302/charts/client-api/templates/networkpolicy.yaml
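Review bot: The `metrics:` and `behavior:` branches cannot take effect under `apiVersion: autoscaling/v1`, whose spec only knows `targetCPUUtilizationPercentage`; both fields belong to `autoscaling/v2` (`autoscaling/v2beta2` on the older clusters this chart's `kubeVersion` still admits). Either select the apiVersion from the cluster's capabilities when `hpa.metrics` or `hpa.behavior` is set, or drop the two branches so the values file does not advertise settings that are rejected or ignored. The object also has no `namespace: {{ .Release.Namespace }}`, unlike the Deployment it targets. The config-api `hpa.yaml` hunk later in this patch is the same template.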
@@ -0,0 +1,39 @@
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+ namespace: {{ .Release.Namespace }}
+ name: client-api-policy
+ labels:
+ APP_NAME: client-api
+{{ include "client-api.labels" . | indent 4 }}
+{{- if .Values.additionalLabels }}
+{{ toYaml .Values.additionalLabels | indent 4 }}
+{{- end }}
+{{- if .Values.additionalAnnotations }}
+ annotations:
+{{ toYaml .Values.additionalAnnotations | indent 4 }}
+{{- end }}
+spec:
+ policyTypes:
+ - Ingress
+ podSelector:
+ matchLabels:
+ app: client-api
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ app: auth-server
+ ports:
+ - protocol: TCP
+ port: 8443
+ - from:
+ - namespaceSelector:
+ matchLabels:
+ app: ingress-kong
+ - podSelector:
+ matchLabels:
+ app: ingress-kong
+ ports:
+ - protocol: TCP
+ port: 8443
\ No newline at end of file
diff --git a/charts/gluu/gluu/5.0.302/charts/client-api/templates/service.yaml b/charts/gluu/gluu/5.0.302/charts/client-api/templates/service.yaml
new file mode 100644
index 000000000..3f75e3e73
--- /dev/null
+++ b/charts/gluu/gluu/5.0.302/charts/client-api/templates/service.yaml
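Review bot: `podSelector.matchLabels.app: client-api` does not match the pods this chart creates, because the Deployment template in this patch labels them `app: {{ .Release.Name }}-{{ include "client-api.name" . }}`; the policy therefore selects no pods and ingress to client-api stays unrestricted. Select on a label the pods actually carry, for example `APP_NAME: client-api`, which the pod template sets. The peer selectors `app: auth-server` and `app: ingress-kong` probably have the same release-prefix mismatch, but those charts are not visible here, so confirm against their pod labels. Once the selector does match, only 8443 is allowed and the admin port 8444 exposed by the Service is cut off, and `namespaceSelector` and `podSelector` are separate list entries and so are OR-ed; both are worth a comment stating the intent.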
@@ -0,0 +1,30 @@
+
+apiVersion: v1
+kind: Service
+metadata:
+ # the name must match the application
+ name: {{ index .Values "global" "client-api" "clientApiServerServiceName" }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ APP_NAME: client-api
+{{ include "client-api.labels" . | indent 4 }}
+{{- if .Values.additionalLabels }}
+{{ toYaml .Values.additionalLabels | indent 4 }}
+{{- end }}
+{{- if .Values.additionalAnnotations }}
+ annotations:
+{{ toYaml .Values.additionalAnnotations | indent 4 }}
+{{- end }}
+spec:
+ ports:
+ - port: 8444
+ name: tcp-{{ include "client-api.name" . }}-admin-gui
+ - port: 8443
+ name: tcp-{{ include "client-api.name" . }}-app-connector
+ selector:
+ app: {{ .Release.Name }}-{{ include "client-api.name" . }}
+ sessionAffinity: {{ .Values.service.sessionAffinity }}
+ {{- with .Values.service.sessionAffinityConfig }}
+ sessionAffinityConfig:
+{{ toYaml . | indent 4 }}
+ {{- end }}
diff --git a/charts/gluu/gluu/5.0.302/charts/client-api/templates/user-custom-secret-envs.yaml b/charts/gluu/gluu/5.0.302/charts/client-api/templates/user-custom-secret-envs.yaml
new file mode 100644
index 000000000..799602721
--- /dev/null
+++ b/charts/gluu/gluu/5.0.302/charts/client-api/templates/user-custom-secret-envs.yaml
@@ -0,0 +1,22 @@
+{{ if .Values.usrEnvs.secret }}
+
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ .Release.Name }}-{{ .Chart.Name }}-user-custom-envs
+ labels:
+ APP_NAME: client-api
+{{ include "client-api.labels" . | indent 4 }}
+{{- if .Values.additionalLabels }}
+{{ toYaml .Values.additionalLabels | indent 4 }}
+{{- end }}
+{{- if .Values.additionalAnnotations }}
+ annotations:
+{{ toYaml .Values.additionalAnnotations | indent 4 }}
+{{- end }}
+type: Opaque
+data:
+ {{- range $key, $val := .Values.usrEnvs.secret }}
+ {{ $key }}: {{ $val | b64enc }}
+ {{- end}}
+{{- end}}
\ No newline at end of file
diff --git a/charts/gluu/gluu/5.0.302/charts/client-api/values.yaml b/charts/gluu/gluu/5.0.302/charts/client-api/values.yaml
new file mode 100644
index 000000000..c956c5e2d
--- /dev/null
+++ b/charts/gluu/gluu/5.0.302/charts/client-api/values.yaml
@@ -0,0 +1,87 @@
+
+# -- Middleware API to help application developers call an OAuth, OpenID or UMA server. You may wonder why this is necessary. It makes it easier for client developers to use OpenID signing and encryption features, without becoming crypto experts. This API provides some high level endpoints to do some of the heavy lifting.
+# -- Configure the HorizontalPodAutoscaler
+hpa:
+ enabled: true
+ minReplicas: 1
+ maxReplicas: 10
+ targetCPUUtilizationPercentage: 50
+ # -- metrics if targetCPUUtilizationPercentage is not set
+ metrics: []
+ # -- Scaling Policies
+ behavior: {}
+# -- Add custom normal and secret envs to the service
+usrEnvs:
+ # -- Add custom normal envs to the service
+ # variable1: value1
+ normal: {}
+ # -- Add custom secret envs to the service
+ # variable1: value1
+ secret: {}
+# -- Add custom dns policy
+dnsPolicy: ""
+# -- Add custom dns config
+dnsConfig: {}
+image:
+ # -- Image pullPolicy to use for deploying.
+ pullPolicy: IfNotPresent
+ # -- Image to use for deploying.
+ repository: janssenproject/client-api
+ # -- Image tag to use for deploying.
+ tag: 1.0.0-beta.16
+ # -- Image Pull Secrets
+ pullSecrets: [ ]
+# -- Service replica number.
+replicas: 1
+# -- Resource specs.
+resources:
+ limits:
+ # -- CPU limit.
+ cpu: 1000m
+ # -- Memory limit.
+ memory: 400Mi
+ requests:
+ # -- CPU request.
+ cpu: 1000m
+ # -- Memory request.
+ memory: 400Mi
+service:
+ # -- Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP
+ sessionAffinity: None
+ # -- the maximum session sticky time if sessionAffinity is ClientIP
+ sessionAffinityConfig:
+ clientIP:
+ timeoutSeconds: 10800
+# -- Configure the liveness healthcheck for the auth server if needed.
+livenessProbe:
+ # -- Executes the python3 healthcheck.
+ exec:
+ command:
+ - curl
+ - -k
+ - https://localhost:8443/health-check
+ initialDelaySeconds: 30
+ periodSeconds: 30
+ timeoutSeconds: 5
+# -- Configure the readiness healthcheck for the auth server if needed.
+readinessProbe:
+ tcpSocket:
+ port: 8443
+ initialDelaySeconds: 60
+ timeoutSeconds: 5
+ periodSeconds: 25
+# -- Configure any additional volumes that need to be attached to the pod
+volumes: []
+# -- Configure any additional volumesMounts that need to be attached to the containers
+volumeMounts: []
+
+nodeSelector: {}
+
+tolerations: []
+
+affinity: {}
+
+# -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"}
+additionalLabels: { }
+# -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken
+additionalAnnotations: { }
diff --git a/charts/gluu/gluu/5.0.302/charts/cn-istio-ingress/.helmignore b/charts/gluu/gluu/5.0.302/charts/cn-istio-ingress/.helmignore
new file mode 100644
index 000000000..50af03172
--- /dev/null
+++ b/charts/gluu/gluu/5.0.302/charts/cn-istio-ingress/.helmignore
@@ -0,0 +1,22 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/charts/gluu/gluu/5.0.302/charts/cn-istio-ingress/Chart.yaml b/charts/gluu/gluu/5.0.302/charts/cn-istio-ingress/Chart.yaml
new file mode 100644
index 000000000..a18441522
--- /dev/null
+++ b/charts/gluu/gluu/5.0.302/charts/cn-istio-ingress/Chart.yaml
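Review bot: The comment above `livenessProbe.exec` in the client-api `values.yaml` says `Executes the python3 healthcheck`, but the probe runs `curl -k https://localhost:8443/health-check`, and both probe comments refer to "the auth server" although this is the client-api chart. Suggested wording: `# -- Runs curl against the pod-local HTTPS health endpoint; -k skips certificate verification, acceptable only because the target is localhost.` Separately, `image.tag: 1.0.0-beta.16` together with `pullPolicy: IfNotPresent` means a node keeps whatever image it first pulled under that tag; pinning by digest would make the deployed image verifiable, though the `image:` line in the Deployment template would need to accept one.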
@@ -0,0 +1,19 @@ +apiVersion: v2 +appVersion: 5.0.0 +description: Istio Gateway +home: https://gluu.org/docs/gluu-server/ +icon: https://gluu.org/docs/gluu-server/favicon.ico +keywords: +- istio +- gateway +kubeVersion: '>=v1.21.0-0' +maintainers: +- email: support@gluu.org + name: Mohammad Abudayyeh + url: https://github.com/moabu +name: cn-istio-ingress +sources: +- https://gluu.org/docs/gluu-server/ +- https://github.com/GluuFederation/flex/tree/main/flex-cn-setup/pygluu/kubernetes/templates/helm/gluu/charts/cn-istio-ingress +type: application +version: 5.0.3 diff --git a/charts/gluu/gluu/5.0.302/charts/cn-istio-ingress/README.md b/charts/gluu/gluu/5.0.302/charts/cn-istio-ingress/README.md new file mode 100644 index 000000000..67c448c5e --- /dev/null +++ b/charts/gluu/gluu/5.0.302/charts/cn-istio-ingress/README.md @@ -0,0 +1,25 @@ +# cn-istio-ingress + +![Version: 5.0.3](https://img.shields.io/badge/Version-5.0.3-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.0](https://img.shields.io/badge/AppVersion-5.0.0-informational?style=flat-square) + +Istio Gateway + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | support@gluu.org | https://github.com/moabu | + +## Source Code + +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.7.0](https://github.com/norwoodj/helm-docs/releases/v1.7.0) diff --git a/charts/gluu/gluu/5.0.302/charts/cn-istio-ingress/templates/_helpers.tpl b/charts/gluu/gluu/5.0.302/charts/cn-istio-ingress/templates/_helpers.tpl new file mode 100644 index 000000000..75a5dee78 --- /dev/null +++ b/charts/gluu/gluu/5.0.302/charts/cn-istio-ingress/templates/_helpers.tpl 
@@ -0,0 +1,63 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "istio.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "istio.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "istio.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Common labels
+*/}}
+{{- define "istio.labels" -}}
+helm.sh/chart: {{ include "istio.chart" . }}
+{{ include "istio.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end -}}
+
+{{/*
+Selector labels
+*/}}
+{{- define "istio.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "istio.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end -}}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "istio.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create -}}
+ {{ default (include "istio.fullname" .) .Values.serviceAccount.name }}
+{{- else -}}
+ {{ default "default" .Values.serviceAccount.name }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/gluu/gluu/5.0.302/charts/cn-istio-ingress/templates/gateway.yaml b/charts/gluu/gluu/5.0.302/charts/cn-istio-ingress/templates/gateway.yaml
new file mode 100644
index 000000000..12a970013
--- /dev/null
+++ b/charts/gluu/gluu/5.0.302/charts/cn-istio-ingress/templates/gateway.yaml
@@ -0,0 +1,36 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: Gateway
+metadata:
+ name: {{ .Release.Name }}-global-gtw
+ namespace: {{ .Release.Namespace }}
+{{- if .Values.global.istio.additionalLabels }}
+ labels:
+{{ toYaml .Values.global.istio.additionalLabels | indent 4 }}
+{{- end }}
+{{- if .Values.global.istio.additionalAnnotations }}
+ annotations:
+{{ toYaml .Values.global.istio.additionalAnnotations | indent 4 }}
+{{- end }}
+spec:
+ selector:
+ istio: ingressgateway
+ servers:
+ # admin-ui
+ - port:
+ number: 80
+ name: http-admin-ui
+ protocol: HTTP
+ hosts:
+ - {{ .Values.global.fqdn }}
+ tls:
+ httpsRedirect: true
+ - port:
+ number: 443
+ name: https
+ protocol: HTTPS
+ hosts:
+ - {{ .Values.global.fqdn }}
+ tls:
+ mode: SIMPLE # enable https on this port
+ credentialName: tls-certificate # fetch cert from k8s secret
+
\ No newline at end of file
diff --git a/charts/gluu/gluu/5.0.302/charts/cn-istio-ingress/values.yaml b/charts/gluu/gluu/5.0.302/charts/cn-istio-ingress/values.yaml
new file mode 100644
index 000000000..645a12131
--- /dev/null
+++ b/charts/gluu/gluu/5.0.302/charts/cn-istio-ingress/values.yaml
@@ -0,0 +1,4 @@
+# Default values for istio.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
diff --git a/charts/gluu/gluu/5.0.302/charts/config-api/.helmignore b/charts/gluu/gluu/5.0.302/charts/config-api/.helmignore
new file mode 100644
index 000000000..f0c131944
--- /dev/null
+++ b/charts/gluu/gluu/5.0.302/charts/config-api/.helmignore
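Review bot: The HTTPS server in `gateway.yaml` sets `tls.mode: SIMPLE` without `minProtocolVersion`, so the lowest TLS version the gateway accepts is whatever the installed Istio release defaults to; pin it explicitly with `minProtocolVersion: TLSV1_2`. `credentialName: tls-certificate` is hard-coded rather than release-scoped or taken from values, so every release of this chart behind the same ingress gateway would resolve to the same secret name, which looks unintended. The Gateway, unlike the other templates in this patch, is rendered without any enabling condition in this file; whether the parent chart gates the subchart is not visible here.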
@@ -0,0 +1,21 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
diff --git a/charts/gluu/gluu/5.0.302/charts/config-api/Chart.yaml b/charts/gluu/gluu/5.0.302/charts/config-api/Chart.yaml
new file mode 100644
index 000000000..f44bc0d0b
--- /dev/null
+++ b/charts/gluu/gluu/5.0.302/charts/config-api/Chart.yaml
@@ -0,0 +1,22 @@
+apiVersion: v2
+appVersion: 5.0.0
+description: Jans Config Api endpoints can be used to configure jans-auth-server,
+ which is an open-source OpenID Connect Provider (OP) and UMA Authorization Server
+ (AS)
+home: https://gluu.org/docs/gluu-server
+icon: https://gluu.org/docs/gluu-server/favicon.ico
+keywords:
+- configuration
+- API
+kubeVersion: '>=v1.21.0-0'
+maintainers:
+- email: support@gluu.org
+ name: Mohammad Abudayyeh
+ url: https://github.com/moabu
+name: config-api
+sources:
+- https://github.com/JanssenProject/jans/jans-config-api
+- https://github.com/JanssenProject/jans/docker-jans-config-api
+- https://github.com/GluuFederation/flex/tree/main/flex-cn-setup/pygluu/kubernetes/templates/helm/gluu/charts/config-api
+type: application
+version: 5.0.3
diff --git a/charts/gluu/gluu/5.0.302/charts/config-api/README.md b/charts/gluu/gluu/5.0.302/charts/config-api/README.md
new file mode 100644
index 000000000..1b53fcc91
--- /dev/null
+++ b/charts/gluu/gluu/5.0.302/charts/config-api/README.md
@@ -0,0 +1,64 @@ +# config-api + +![Version: 5.0.3](https://img.shields.io/badge/Version-5.0.3-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.0](https://img.shields.io/badge/AppVersion-5.0.0-informational?style=flat-square) + +Jans Config Api endpoints can be used to configure jans-auth-server, which is an open-source OpenID Connect Provider (OP) and UMA Authorization Server (AS) + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | support@gluu.org | https://github.com/moabu | + +## Source Code + +* +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| additionalAnnotations | object | `{}` | Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken | +| additionalLabels | object | `{}` | Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} | +| affinity | object | `{}` | | +| dnsConfig | object | `{}` | Add custom dns config | +| dnsPolicy | string | `""` | Add custom dns policy | +| fullnameOverride | string | `""` | | +| hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| hpa.behavior | object | `{}` | Scaling Policies | +| hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| image.pullSecrets | list | `[]` | Image Pull Secrets | +| image.repository | string | `"janssenproject/config-api"` | Image to use for deploying. | +| image.tag | string | `"1.0.0-beta.16"` | Image tag to use for deploying. 
| +| livenessProbe | object | `{"httpGet":{"path":"/jans-config-api/api/v1/health/live","port":8074},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for the auth server if needed. | +| livenessProbe.httpGet | object | `{"path":"/jans-config-api/api/v1/health/live","port":8074}` | Executes the python3 healthcheck. https://github.com/GluuFederation/docker-oxauth/blob/4.3/scripts/healthcheck.py | +| nameOverride | string | `""` | | +| nodeSelector | object | `{}` | | +| readinessProbe | object | `{"httpGet":{"path":"/jans-config-api/api/v1/health/ready","port":8074},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the readiness healthcheck for the auth server if needed. https://github.com/GluuFederation/docker-oxauth/blob/4.3/scripts/healthcheck.py | +| replicas | int | `1` | Service replica number. | +| resources | object | `{"limits":{"cpu":"2500m","memory":"2500Mi"},"requests":{"cpu":"2500m","memory":"2500Mi"}}` | Resource specs. | +| resources.limits.cpu | string | `"2500m"` | CPU limit. | +| resources.limits.memory | string | `"2500Mi"` | Memory limit. | +| resources.requests.cpu | string | `"2500m"` | CPU request. | +| resources.requests.memory | string | `"2500Mi"` | Memory request. | +| service.name | string | `"http-config-api"` | The name of the config-api port within the config-api service. Please keep it as default. 
| +| service.sessionAffinity | string | `"None"` | Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP | +| service.sessionAffinityConfig | object | `{"clientIP":{"timeoutSeconds":10800}}` | the maximum session sticky time if sessionAffinity is ClientIP | +| tolerations | list | `[]` | | +| usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.7.0](https://github.com/norwoodj/helm-docs/releases/v1.7.0) diff --git a/charts/gluu/gluu/5.0.302/charts/config-api/templates/_helpers.tpl b/charts/gluu/gluu/5.0.302/charts/config-api/templates/_helpers.tpl new file mode 100644 index 000000000..ff25cbc77 --- /dev/null +++ b/charts/gluu/gluu/5.0.302/charts/config-api/templates/_helpers.tpl 
@@ -0,0 +1,68 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "config-api.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "config-api.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "config-api.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+ Common labels
+*/}}
+{{- define "config-api.labels" -}}
+app: {{ .Release.Name }}-{{ include "config-api.name" . }}
+helm.sh/chart: {{ include "config-api.chart" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end -}}
+
+{{/*
+Create user custom defined envs
+*/}}
+{{- define "oxauth.usr-envs"}}
+{{- range $key, $val := .Values.usrEnvs.normal }}
+- name: {{ $key }}
+ value: {{ $val }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create user custom defined secret envs
+*/}}
+{{- define "oxauth.usr-secret-envs"}}
+{{- range $key, $val := .Values.usrEnvs.secret }}
+- name: {{ $key }}
+ valueFrom:
+ secretKeyRef:
+ name: {{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs
+ key: {{ $key }}
+{{- end }}
+{{- end }}
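Review bot: The two env helpers in the config-api chart are defined as `oxauth.usr-envs` and `oxauth.usr-secret-envs`; Helm's named templates share one namespace across a parent chart and all of its subcharts, so another subchart defining the same names would silently replace these or be replaced by them. Rename them to `config-api.usr-envs` and `config-api.usr-secret-envs` to match the other helpers in this file. The config-api `deployment.yaml` hunk in this patch has no `env:` block that includes either helper, and no `user-custom-secret-envs.yaml` is added for this chart in the visible part of the patch, so the `usrEnvs` values documented in its README appear to have no effect.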
diff --git a/charts/gluu/gluu/5.0.302/charts/config-api/templates/config-api-destination-rules.yaml b/charts/gluu/gluu/5.0.302/charts/config-api/templates/config-api-destination-rules.yaml
new file mode 100644
index 000000000..8b69b6c25
--- /dev/null
+++ b/charts/gluu/gluu/5.0.302/charts/config-api/templates/config-api-destination-rules.yaml
@@ -0,0 +1,23 @@
+{{- if .Values.global.istio.enabled }}
+
+apiVersion: networking.istio.io/v1alpha3
+kind: DestinationRule
+metadata:
+ name: {{ .Release.Name }}-config-api-mtls
+ namespace: {{.Release.Namespace}}
+ labels:
+ APP_NAME: config-api
+{{ include "config-api.labels" . | indent 4 }}
+{{- if .Values.additionalLabels }}
+{{ toYaml .Values.additionalLabels | indent 4 }}
+{{- end }}
+{{- if .Values.additionalAnnotations }}
+ annotations:
+{{ toYaml .Values.additionalAnnotations | indent 4 }}
+{{- end }}
+spec:
+ host: {{ index .Values "global" "config-api" "configApiServerServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local
+ trafficPolicy:
+ tls:
+ mode: ISTIO_MUTUAL
+{{- end }}
\ No newline at end of file
diff --git a/charts/gluu/gluu/5.0.302/charts/config-api/templates/deployment.yaml b/charts/gluu/gluu/5.0.302/charts/config-api/templates/deployment.yaml
new file mode 100644
index 000000000..8a3838886
--- /dev/null
+++ b/charts/gluu/gluu/5.0.302/charts/config-api/templates/deployment.yaml
@@ -0,0 +1,164 @@
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ include "config-api.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ APP_NAME: config-api
+{{ include "config-api.labels" . | indent 4 }}
+{{- if .Values.additionalLabels }}
+{{ toYaml .Values.additionalLabels | indent 4 }}
+{{- end }}
+{{- if .Values.additionalAnnotations }}
+ annotations:
+{{ toYaml .Values.additionalAnnotations | indent 4 }}
+{{- end }}
+spec:
+ replicas: {{ .Values.replicas }}
+ selector:
+ matchLabels:
+ app: {{ .Release.Name }}-{{ include "config-api.name" . }}
+ template:
+ metadata:
+ labels:
+ app: {{ .Release.Name }}-{{ include "config-api.name" . }}
+ release: {{ .Release.Name }}
+ {{- if .Values.global.istio.ingress }}
+ annotations:
+ sidecar.istio.io/rewriteAppHTTPProbers: "true"
+ {{- end }}
+ spec:
+ {{- with .Values.image.pullSecrets }}
+ imagePullSecrets:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ dnsPolicy: {{ .Values.dnsPolicy | quote }}
+ {{- with .Values.dnsConfig }}
+ dnsConfig:
+{{ toYaml . | indent 8 }}
+ {{- end }}
+ containers:
+ - name: {{ include "config-api.name" . }}
+ image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+ securityContext:
+ runAsUser: 1000
+ runAsNonRoot: true
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }}
+ command:
+ - /bin/sh
+ - -c
+ - |
+ /usr/bin/python3 /scripts/updatelbip.py &
+ /app/scripts/entrypoint.sh
+ {{- end }}
+ ports:
+ - containerPort: 9444
+ - containerPort: 8074
+ envFrom:
+ - configMapRef:
+ name: {{ .Release.Name }}-config-cm
+ livenessProbe:
+{{- toYaml .Values.livenessProbe | nindent 12 }}
+ readinessProbe:
+{{- toYaml .Values.readinessProbe | nindent 12 }}
+ volumeMounts:
+ {{- with .Values.volumeMounts }}
+{{- toYaml . | nindent 12 }}
+ {{- end }}
+ {{- if index .Values "global" "admin-ui" "enabled" }}
+ - mountPath: {{ index .Values "global" "admin-ui" "adminUiApiKeyFile" }}
+ name: admin-ui-license-api-key
+ subPath: admin_ui_api_key
+ - mountPath: {{ index .Values "global" "admin-ui" "adminUiProductCodeFile" }}
+ name: admin-ui-license-product-code
+ subPath: admin_ui_product_code
+ - mountPath: {{ index .Values "global" "admin-ui" "adminUiSharedKeyFile" }}
+ name: admin-ui-license-shared-key
+ subPath: admin_ui_shared_key
+ - mountPath: {{ index .Values "global" "admin-ui" "adminUiManagementKeyFile" }}
+ name: admin-ui-license-management-key
+ subPath: admin_ui_management_key
+ {{- end }}
+ {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }}
+ - mountPath: {{ .Values.global.cnGoogleApplicationCredentials }}
+ name: google-sa
+ subPath: google-credentials.json
+ {{- end }}
+
+ {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }}
+ {{- if not .Values.global.istio.enabled }}
+ - name: cb-crt
+ mountPath: "/etc/certs/couchbase.crt"
+ subPath: couchbase.crt
+ {{- end }}
+ {{- end }}
+ {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }}
+ - name: {{ include "config-api.name" . }}-updatelbip
+ mountPath: /scripts
+ {{- end }}
+ {{- if or (eq .Values.global.storageClass.provisioner "microk8s.io/hostpath" ) (eq .Values.global.storageClass.provisioner "k8s.io/minikube-hostpath") }}
+ resources: {}
+ {{- else if .Values.global.cloud.testEnviroment }}
+ resources: {}
+ {{- else }}
+ resources:
+{{- toYaml .Values.resources | nindent 12 }}
+ {{- end }}
+ volumes:
+ {{- with .Values.volumes }}
+{{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- if index .Values "global" "admin-ui" "enabled" }}
+ - name: admin-ui-license-api-key
+ secret:
+ secretName: {{ .Release.Name }}-admin-ui-license
+ items:
+ - key: admin_ui_api_key
+ path: admin_ui_api_key
+ - name: admin-ui-license-product-code
+ secret:
+ secretName: {{ .Release.Name }}-admin-ui-license
+ items:
+ - key: admin_ui_product_code
+ path: admin_ui_product_code
+ - name: admin-ui-license-shared-key
+ secret:
+ secretName: {{ .Release.Name }}-admin-ui-license
+ items:
+ - key: admin_ui_shared_key
+ path: admin_ui_shared_key
+ - name: admin-ui-license-management-key
+ secret:
+ secretName: {{ .Release.Name }}-admin-ui-license
+ items:
+ - key: admin_ui_management_key
+ path: admin_ui_management_key
+ {{- end }}
+ {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }}
+ - name: google-sa
+ secret:
+ secretName: {{ .Release.Name }}-google-sa
+ {{- end }}
+
+ {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }}
+
+ {{- if not .Values.global.istio.enabled }}
+ - name: cb-crt
+ secret:
+ secretName: {{ .Release.Name }}-cb-crt
+ {{- end }}
+ {{- end }}
+ {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }}
+ - name: {{ include "config-api.name" . }}-updatelbip
+ configMap:
+ name: {{ .Release.Name }}-updatelbip
+ {{- end }}
+ {{- if not .Values.global.isFqdnRegistered }}
+ hostAliases:
+ - ip: {{ .Values.global.lbIp }}
+ hostnames:
+ - {{ .Values.global.fqdn }}
+ {{- end }}
+
diff --git a/charts/gluu/gluu/5.0.302/charts/config-api/templates/hpa.yaml b/charts/gluu/gluu/5.0.302/charts/config-api/templates/hpa.yaml
new file mode 100644
index 000000000..7fbda5da8
--- /dev/null
+++ b/charts/gluu/gluu/5.0.302/charts/config-api/templates/hpa.yaml
@@ -0,0 +1,38 @@
+{{ if .Values.hpa.enabled -}}
+
+apiVersion: autoscaling/v1
+kind: HorizontalPodAutoscaler
+metadata:
+ name: {{ include "config-api.fullname" . }}
+ labels:
+ APP_NAME: config-api
+{{ include "config-api.labels" . | indent 4 }}
+{{- if .Values.additionalLabels }}
+{{ toYaml .Values.additionalLabels | indent 4 }}
+{{- end }}
+{{- if .Values.additionalAnnotations }}
+ annotations:
+{{ toYaml .Values.additionalAnnotations | indent 4 }}
+{{- end }}
+spec:
+ scaleTargetRef:
+ apiVersion: apps/v1
+ kind: Deployment
+ name: {{ include "config-api.fullname" . }}
+ minReplicas: {{ .Values.hpa.minReplicas }}
+ maxReplicas: {{ .Values.hpa.maxReplicas }}
+ {{- if .Values.hpa.targetCPUUtilizationPercentage }}
+ targetCPUUtilizationPercentage: {{ .Values.hpa.targetCPUUtilizationPercentage }}
+ {{- else if .Values.hpa.metrics }}
+ metrics:
+ {{- with .Values.hpa.metrics }}
+{{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- end }}
+ {{- if .Values.hpa.behavior }}
+ behavior:
+ {{- with .Values.hpa.behavior }}
+{{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/gluu/gluu/5.0.302/charts/config-api/templates/service.yaml b/charts/gluu/gluu/5.0.302/charts/config-api/templates/service.yaml
new file mode 100644
index 000000000..f29f3fa97
--- /dev/null
+++ b/charts/gluu/gluu/5.0.302/charts/config-api/templates/service.yaml
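Review bot: The `metrics:` and `behavior:` branches are rendered under `apiVersion: autoscaling/v1`, but the v1 HorizontalPodAutoscaler spec only has `scaleTargetRef`, `minReplicas`, `maxReplicas` and `targetCPUUtilizationPercentage`. Setting `hpa.metrics` or `hpa.behavior` therefore produces a manifest whose extra fields are rejected or dropped, so the documented fallback ("metrics if targetCPUUtilizationPercentage is not set") cannot work. If the cluster floor allows it, switch to `apiVersion: autoscaling/v2beta2` and express the CPU target as a `Resource` metric; otherwise remove the two branches from this template.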
@@ -0,0 +1,30 @@
+
+apiVersion: v1
+kind: Service
+metadata:
+ # the name must match the application
+ name: {{ index .Values "global" "config-api" "configApiServerServiceName" }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ APP_NAME: config-api
+{{ include "config-api.labels" . | indent 4 }}
+{{- if .Values.additionalLabels }}
+{{ toYaml .Values.additionalLabels | indent 4 }}
+{{- end }}
+{{- if .Values.additionalAnnotations }}
+ annotations:
+{{ toYaml .Values.additionalAnnotations | indent 4 }}
+{{- end }}
+spec:
+ ports:
+ - port: 9444
+ name: tcp-{{ include "config-api.name" . }}-ssl
+ - port: 8074
+ name: tcp-{{ include "config-api.name" . }}-http
+ selector:
+ app: {{ .Release.Name }}-{{ include "config-api.name" . }}
+ sessionAffinity: {{ .Values.service.sessionAffinity }}
+ {{- with .Values.service.sessionAffinityConfig }}
+ sessionAffinityConfig:
+{{ toYaml . | indent 4 }}
+ {{- end }}
diff --git a/charts/gluu/gluu/5.0.302/charts/config-api/values.yaml b/charts/gluu/gluu/5.0.302/charts/config-api/values.yaml
new file mode 100644
index 000000000..4a4704a93
--- /dev/null
+++ b/charts/gluu/gluu/5.0.302/charts/config-api/values.yaml
@@ -0,0 +1,96 @@
+
+# -- Gluu Admin UI. This shouldn't be internet facing.
+# -- Configure the HorizontalPodAutoscaler
+hpa:
+ enabled: true
+ minReplicas: 1
+ maxReplicas: 10
+ targetCPUUtilizationPercentage: 50
+ # -- metrics if targetCPUUtilizationPercentage is not set
+ metrics: []
+ # -- Scaling Policies
+ behavior: {}
+
+
+nameOverride: ""
+fullnameOverride: ""
+
+# -- Add custom normal and secret envs to the service
+usrEnvs:
+ # -- Add custom normal envs to the service
+ # variable1: value1
+ normal: {}
+ # -- Add custom secret envs to the service
+ # variable1: value1
+ secret: {}
+# -- Add custom dns policy
+dnsPolicy: ""
+# -- Add custom dns config
+dnsConfig: {}
+image:
+ # -- Image pullPolicy to use for deploying.
+ pullPolicy: IfNotPresent
+ # -- Image to use for deploying.
+ repository: janssenproject/config-api
+ # -- Image tag to use for deploying.
+ tag: 1.0.0-beta.16
+ # -- Image Pull Secrets
+ pullSecrets: [ ]
+# -- Service replica number.
+replicas: 1
+# -- Resource specs.
+resources:
+ limits:
+ # -- CPU limit.
+ cpu: 2500m
+ # -- Memory limit.
+ memory: 2500Mi
+ requests:
+ # -- CPU request.
+ cpu: 2500m
+ # -- Memory request.
+ memory: 2500Mi
+service:
+ # -- The name of the config-api port within the config-api service. Please keep it as default.
+ name: http-config-api
+ # -- Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP
+ sessionAffinity: None
+ # -- the maximum session sticky time if sessionAffinity is ClientIP
+ sessionAffinityConfig:
+ clientIP:
+ timeoutSeconds: 10800
+# -- Configure the liveness healthcheck for the auth server if needed.
+livenessProbe:
+ # -- Executes the python3 healthcheck.
+ # https://github.com/GluuFederation/docker-oxauth/blob/4.3/scripts/healthcheck.py
+ httpGet:
+ path: /jans-config-api/api/v1/health/live
+ port: 8074
+ initialDelaySeconds: 30
+ periodSeconds: 30
+ timeoutSeconds: 5
+# -- Configure the readiness healthcheck for the auth server if needed.
+# https://github.com/GluuFederation/docker-oxauth/blob/4.3/scripts/healthcheck.py
+readinessProbe:
+ httpGet:
+ path: /jans-config-api/api/v1/health/ready
+ port: 8074
+ initialDelaySeconds: 25
+ periodSeconds: 25
+ timeoutSeconds: 5
+
+
+nodeSelector: {}
+
+tolerations: []
+
+affinity: {}
+# -- Configure any additional volumes that need to be attached to the pod
+volumes: []
+# -- Configure any additional volumesMounts that need to be attached to the containers
+volumeMounts: []
+
+# -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"}
+additionalLabels: { }
+# -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken
+additionalAnnotations: { }
diff --git a/charts/gluu/gluu/5.0.302/charts/config/.helmignore b/charts/gluu/gluu/5.0.302/charts/config/.helmignore
new file mode 100644
index 000000000..b8204d744
--- /dev/null
+++ b/charts/gluu/gluu/5.0.302/charts/config/.helmignore
@@ -0,0 +1,22 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+tls_generator.py
diff --git a/charts/gluu/gluu/5.0.302/charts/config/Chart.yaml b/charts/gluu/gluu/5.0.302/charts/config/Chart.yaml
new file mode 100644
index 000000000..6d9433fb1
--- /dev/null
+++ b/charts/gluu/gluu/5.0.302/charts/config/Chart.yaml
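Review bot: The comments in the config-api values.yaml hunk describe other components, which matters because helm-docs turns `# --` lines into the published values table. The first line, `# -- Gluu Admin UI. This shouldn't be internet facing.`, sits directly above the `hpa` comment, and both probe comments refer to "the auth server" and link to docker-oxauth's `healthcheck.py`, although both probes are plain `httpGet` checks on port 8074. I would replace the probe comments with `# -- Liveness probe: HTTP GET on the config-api health endpoint.` and `# -- Readiness probe: HTTP GET on the config-api health endpoint.`, and drop the oxauth links. If the exposure warning is meant for config-api itself, it should say so explicitly, for example `# -- Config API. This shouldn't be internet facing.`; otherwise remove it.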
@@ -0,0 +1,21 @@
+apiVersion: v2
+appVersion: 5.0.0
+description: Configuration parameters for setup and initial configuration secret and
+ config layers used by Gluu services.
+home: https://gluu.org/docs/gluu-server/reference/container-configs/
+icon: https://gluu.org/docs/gluu-server/favicon.ico
+keywords:
+- configuration
+- secrets
+kubeVersion: '>=v1.21.0-0'
+maintainers:
+- email: support@gluu.org
+ name: Mohammad Abudayyeh
+ url: https://github.com/moabu
+name: config
+sources:
+- https://gluu.org/docs/gluu-server/reference/container-configs/
+- https://github.com/JanssenProject/jans/docker-jans-configurator
+- https://github.com/GluuFederation/flex/tree/main/flex-cn-setup/pygluu/kubernetes/templates/helm/gluu/charts/config
+type: application
+version: 5.0.3
diff --git a/charts/gluu/gluu/5.0.302/charts/config/README.md b/charts/gluu/gluu/5.0.302/charts/config/README.md
new file mode 100644
index 000000000..9f1ab7b57
--- /dev/null
+++ b/charts/gluu/gluu/5.0.302/charts/config/README.md
@@ -0,0 +1,103 @@ +# config + +![Version: 5.0.3](https://img.shields.io/badge/Version-5.0.3-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.0](https://img.shields.io/badge/AppVersion-5.0.0-informational?style=flat-square) + +Configuration parameters for setup and initial configuration secret and config layers used by Gluu services. + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | support@gluu.org | https://github.com/moabu | + +## Source Code + +* +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| additionalAnnotations | object | `{}` | Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken | +| additionalLabels | object | `{}` | Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} | +| adminPassword | string | `"Test1234#"` | Admin password to log in to the UI. | +| city | string | `"Austin"` | City. Used for certificate creation. | +| configmap.cnCacheType | string | `"NATIVE_PERSISTENCE"` | Cache type. `NATIVE_PERSISTENCE`, `REDIS`. or `IN_MEMORY`. Defaults to `NATIVE_PERSISTENCE` . | +| configmap.cnClientApiAdminCertCn | string | `"client-api"` | Client-api OAuth client admin certificate common name. This should be left to the default value client-api . | +| configmap.cnClientApiApplicationCertCn | string | `"client-api"` | Client-api OAuth client application certificate common name. This should be left to the default value client-api. | +| configmap.cnClientApiBindIpAddresses | string | `"*"` | Client-api bind address. This limits what ip ranges can access the client-api. 
This should be left as * and controlled by a NetworkPolicy | +| configmap.cnConfigGoogleSecretNamePrefix | string | `"gluu"` | Prefix for Gluu configuration secret in Google Secret Manager. Defaults to gluu. If left intact gluu-configuration secret will be created. Used only when global.configAdapterName and global.configSecretAdapter is set to google. | +| configmap.cnConfigGoogleSecretVersionId | string | `"latest"` | Secret version to be used for configuration. Defaults to latest and should normally always stay that way. Used only when global.configAdapterName and global.configSecretAdapter is set to google. Used only when global.configAdapterName and global.configSecretAdapter is set to google. | +| configmap.cnConfigKubernetesConfigMap | string | `"cn"` | The name of the Kubernetes ConfigMap that will hold the configuration layer | +| configmap.cnCouchbaseBucketPrefix | string | `"jans"` | The prefix of couchbase buckets. This helps with separation in between different environments and allows for the same couchbase cluster to be used by different setups of Gluu. | +| configmap.cnCouchbaseCrt | string | `"SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo="` | Couchbase certificate authority string. This must be encoded using base64. This can also be found in your couchbase UI Security > Root Certificate. In mTLS setups this is not required. | +| configmap.cnCouchbaseIndexNumReplica | int | `0` | The number of replicas per index created. Please note that the number of index nodes must be one greater than the number of index replicas. That means if your couchbase cluster only has 2 index nodes you cannot place the number of replicas to be higher than 1. | +| configmap.cnCouchbasePassword | string | `"P@ssw0rd"` | Couchbase password for the restricted user config.configmap.cnCouchbaseUser that is often used inside the services. The password must contain one digit, one uppercase letter, one lower case letter and one symbol . 
| +| configmap.cnCouchbaseSuperUser | string | `"admin"` | The Couchbase super user (admin) user name. This user is used during initialization only. | +| configmap.cnCouchbaseSuperUserPassword | string | `"Test1234#"` | Couchbase password for the super user config.configmap.cnCouchbaseSuperUser that is used during the initialization process. The password must contain one digit, one uppercase letter, one lower case letter and one symbol | +| configmap.cnCouchbaseUrl | string | `"cbgluu.default.svc.cluster.local"` | Couchbase URL. Used only when global.cnPersistenceType is hybrid or couchbase. This should be in FQDN format for either remote or local Couchbase clusters. The address can be an internal address inside the kubernetes cluster | +| configmap.cnCouchbaseUser | string | `"gluu"` | Couchbase restricted user. Used only when global.cnPersistenceType is hybrid or couchbase. | +| configmap.cnGoogleProjectId | string | `"google-project-to-save-config-and-secrets-to"` | Project id of the google project the secret manager belongs to. Used only when global.configAdapterName and global.configSecretAdapter is set to google. | +| configmap.cnGoogleSecretManagerPassPhrase | string | `"Test1234#"` | Passphrase for Gluu secret in Google Secret Manager. This is used for encrypting and decrypting data from the Google Secret Manager. Used only when global.configAdapterName and global.configSecretAdapter is set to google. | +| configmap.cnGoogleSecretManagerServiceAccount | string | `"SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo="` | Service account with roles roles/secretmanager.admin base64 encoded string. This is used often inside the services to reach the configuration layer. Used only when global.configAdapterName and global.configSecretAdapter is set to google. | +| configmap.cnGoogleSpannerDatabaseId | string | `""` | Google Spanner Database ID. Used only when global.cnPersistenceType is spanner. 
| +| configmap.cnGoogleSpannerInstanceId | string | `""` | Google Spanner ID. Used only when global.cnPersistenceType is spanner. | +| configmap.cnJettyRequestHeaderSize | int | `8192` | Jetty header size in bytes in the auth server | +| configmap.cnLdapUrl | string | `"opendj:1636"` | OpenDJ internal address. Leave as default. Used when `global.cnPersistenceType` is set to `ldap`. | +| configmap.cnMaxRamPercent | string | `"75.0"` | Value passed to Java option -XX:MaxRAMPercentage | +| configmap.cnPersistenceLdapMapping | string | `"default"` | Specify data that should be saved in LDAP (one of default, user, cache, site, token, or session; default to default). Note this environment only takes effect when `global.cnPersistenceType` is set to `hybrid`. | +| configmap.cnRedisSentinelGroup | string | `""` | Redis Sentinel Group. Often set when `config.configmap.cnRedisType` is set to `SENTINEL`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. | +| configmap.cnRedisSslTruststore | string | `""` | Redis SSL truststore. Optional. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. | +| configmap.cnRedisType | string | `"STANDALONE"` | Redis service type. `STANDALONE` or `CLUSTER`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. | +| configmap.cnRedisUrl | string | `"redis.redis.svc.cluster.local:6379"` | Redis URL and port number :. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. | +| configmap.cnRedisUseSsl | bool | `false` | Boolean to use SSL in Redis. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. | +| configmap.cnSecretGoogleSecretNamePrefix | string | `"gluu"` | Prefix for Gluu secret in Google Secret Manager. Defaults to gluu. If left gluu-secret secret will be created. Used only when global.configAdapterName and global.configSecretAdapter is set to google. 
| +| configmap.cnSecretGoogleSecretVersionId | string | `"latest"` | Secret version to be used for secret configuration. Defaults to latest and should normally always stay that way. Used only when global.configAdapterName and global.configSecretAdapter is set to google. | +| configmap.cnSecretKubernetesSecret | string | `"cn"` | Kubernetes secret name holding configuration keys. Used when global.configSecretAdapter is set to kubernetes which is the default. | +| configmap.cnSqlDbDialect | string | `"mysql"` | SQL database dialect. `mysql` or `pgsql` | +| configmap.cnSqlDbHost | string | `"my-release-mysql.default.svc.cluster.local"` | SQL database host uri. | +| configmap.cnSqlDbName | string | `"jans"` | SQL database name. | +| configmap.cnSqlDbPort | int | `3306` | SQL database port. | +| configmap.cnSqlDbTimezone | string | `"UTC"` | SQL database timezone. | +| configmap.cnSqlDbUser | string | `"jans"` | SQL database username. | +| configmap.cnSqldbUserPassword | string | `"Test1234#"` | SQL password injected in the secrets. | +| configmap.containerMetadataName | string | `"kubernetes"` | | +| configmap.lbAddr | string | `""` | Loadbalancer address for AWS if the FQDN is not registered. | +| countryCode | string | `"US"` | Country code. Used for certificate creation. | +| dnsConfig | object | `{}` | Add custom dns config | +| dnsPolicy | string | `""` | Add custom dns policy | +| email | string | `"support@gluu.org"` | Email address of the administrator usually. Used for certificate creation. | +| fullNameOverride | string | `""` | | +| image.pullSecrets | list | `[]` | Image Pull Secrets | +| image.repository | string | `"janssenproject/configurator"` | Image to use for deploying. | +| image.tag | string | `"1.0.0-beta.16"` | Image tag to use for deploying. | +| ldapPassword | string | `"P@ssw0rds"` | LDAP admin password if OpennDJ is used for persistence. 
| +| migration | object | `{"enabled":false,"migrationDataFormat":"ldif","migrationDir":"/ce-migration"}` | CE to CN Migration section | +| migration.enabled | bool | `false` | Boolean flag to enable migration from CE | +| migration.migrationDataFormat | string | `"ldif"` | migration data-format depending on persistence backend. Supported data formats are ldif, couchbase+json, spanner+avro, postgresql+json, and mysql+json. | +| migration.migrationDir | string | `"/ce-migration"` | Directory holding all migration files | +| nameOverride | string | `""` | | +| orgName | string | `"Gluu"` | Organization name. Used for certificate creation. | +| redisPassword | string | `"P@assw0rd"` | Redis admin password if `config.configmap.cnCacheType` is set to `REDIS`. | +| resources | object | `{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}}` | Resource specs. | +| resources.limits.cpu | string | `"300m"` | CPU limit. | +| resources.limits.memory | string | `"300Mi"` | Memory limit. | +| resources.requests.cpu | string | `"300m"` | CPU request. | +| resources.requests.memory | string | `"300Mi"` | Memory request. | +| state | string | `"TX"` | State code. Used for certificate creation. | +| usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service. | +| usrEnvs.normal | object | `{}` | Add custom normal envs to the service. variable1: value1 | +| usrEnvs.secret | object | `{}` | Add custom secret envs to the service. variable1: value1 | +| volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.7.0](https://github.com/norwoodj/helm-docs/releases/v1.7.0) 
diff --git a/charts/gluu/gluu/5.0.302/charts/config/templates/_helpers.tpl b/charts/gluu/gluu/5.0.302/charts/config/templates/_helpers.tpl
new file mode 100644
index 000000000..6952a8295
--- /dev/null
+++ b/charts/gluu/gluu/5.0.302/charts/config/templates/_helpers.tpl
@@ -0,0 +1,100 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "config.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "config.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "config.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+ Common labels
+*/}}
+{{- define "config.labels" -}}
+app: {{ .Release.Name }}-{{ include "config.name" . }}-init-load
+helm.sh/chart: {{ include "config.chart" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end -}}
+
+{{/*
+Create user custom defined envs
+*/}}
+{{- define "config.usr-envs"}}
+{{- range $key, $val := .Values.usrEnvs.normal }}
+- name: {{ $key }}
+ value: {{ $val }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create user custom defined secret envs
+*/}}
+{{- define "config.usr-secret-envs"}}
+{{- range $key, $val := .Values.usrEnvs.secret }}
+- name: {{ $key }}
+ valueFrom:
+ secretKeyRef:
+ name: {{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs
+ key: {{ $key }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create optional scopes list
+*/}}
+{{- define "config.optionalScopes"}}
+{{ $newList := list }}
+{{- if eq .Values.configmap.cnCacheType "REDIS" }}
+{{ $newList = append $newList ("redis" | quote ) }}
+{{- end}}
+{{ if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }}
+{{ $newList = append $newList ("couchbase" | quote) }}
+{{- end}}
+{{ if eq .Values.global.cnPersistenceType "sql" }}
+{{ $newList = append $newList ("sql" | quote) }}
+{{- end }}
+{{- if .Values.global.opendj.enabled}}
+{{ $newList = append $newList ("ldap" | quote) }}
+{{- end}}
+{{- if .Values.global.casa}}
+{{ $newList = append $newList ("casa" | quote) }}
+{{- end}}
+{{- if .Values.global.fido2.enabled}}
+{{ $newList = append $newList ("fido2" | quote) }}
+{{- end}}
+{{- if .Values.global.scim.enabled}}
+{{ $newList = append $newList ("scim" | quote) }}
+{{- end}}
+{{- if index .Values "global" "client-api" "enabled"}}
+{{ $newList = append $newList ("client-api" |quote) }}
+{{- end}}
+{{ toJson $newList }}
+{{- end }}
\ No newline at end of file
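Review bot: In `config.optionalScopes` the casa test is `{{- if .Values.global.casa}}`, which checks the whole map instead of its `enabled` flag as the fido2, scim and client-api tests next to it do. A non-empty `global.casa` map is truthy, so "casa" is added to the list even when casa is disabled; the ConfigMap in this same commit reads `.Values.global.casa.enabled`. The test should be `{{- if .Values.global.casa.enabled}}`. Separately, `config.usr-envs` renders `value: {{ $val }}` unquoted, so a numeric or boolean entry in `usrEnvs.normal` becomes a non-string env value; `value: {{ $val | quote }}` keeps it a string.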
diff --git a/charts/gluu/gluu/5.0.302/charts/config/templates/admin-ui-secrets.yaml b/charts/gluu/gluu/5.0.302/charts/config/templates/admin-ui-secrets.yaml
new file mode 100644
index 000000000..6acc90180
--- /dev/null
+++ b/charts/gluu/gluu/5.0.302/charts/config/templates/admin-ui-secrets.yaml
@@ -0,0 +1,20 @@
+{{- if index .Values "global" "admin-ui" "enabled" }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ .Release.Name }}-admin-ui-license
+ labels:
+{{ include "config.labels" . | indent 4 }}
+{{- if .Values.additionalLabels }}
+{{ toYaml .Values.additionalLabels | indent 4 }}
+{{- end }}
+{{- if .Values.additionalAnnotations }}
+ annotations:
+{{ toYaml .Values.additionalAnnotations | indent 4 }}
+{{- end }}
+data:
+ admin_ui_api_key: {{ index .Values "global" "admin-ui" "adminUiApiKey" | b64enc }}
+ admin_ui_product_code: {{ index .Values "global" "admin-ui" "adminUiProductCode" | b64enc }}
+ admin_ui_shared_key: {{ index .Values "global" "admin-ui" "adminUiSharedKey" | b64enc }}
+ admin_ui_management_key: {{ index .Values "global" "admin-ui" "adminUiManagementKey" | b64enc }}
+{{- end}}
\ No newline at end of file
diff --git a/charts/gluu/gluu/5.0.302/charts/config/templates/clusterrolebinding.yaml b/charts/gluu/gluu/5.0.302/charts/config/templates/clusterrolebinding.yaml
new file mode 100644
index 000000000..4bc7e389d
--- /dev/null
+++ b/charts/gluu/gluu/5.0.302/charts/config/templates/clusterrolebinding.yaml
@@ -0,0 +1,46 @@
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ .Release.Name }}-{{ .Release.Namespace }}-cluster-admin-binding
+ labels:
+ APP_NAME: configurator
+{{ include "config.labels" . | indent 4 }}
+{{- if .Values.additionalLabels }}
+{{ toYaml .Values.additionalLabels | indent 4 }}
+{{- end }}
+{{- if .Values.additionalAnnotations }}
+ annotations:
+{{ toYaml .Values.additionalAnnotations | indent 4 }}
+{{- end }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cluster-admin
+subjects:
+ - kind: User
+ # change it to your actual account; the email can be fetched using
+ # the following command: `gcloud info | grep Account`
+ name: "ACCOUNT"
+ apiGroup: rbac.authorization.k8s.io
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ labels:
+ app: {{ include "config.name" . }}-load
+ name: {{ .Release.Name }}-{{ .Release.Namespace }}-rolebinding
+{{- if .Values.additionalAnnotations }}
+ annotations:
+{{ toYaml .Values.additionalAnnotations | indent 4 }}
+{{- end }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: edit
+subjects:
+- kind: ServiceAccount
+ name: default
+ namespace: {{ .Release.Namespace }}
\ No newline at end of file
diff --git a/charts/gluu/gluu/5.0.302/charts/config/templates/configmaps.yaml b/charts/gluu/gluu/5.0.302/charts/config/templates/configmaps.yaml
new file mode 100644
index 000000000..51b6a5d48
--- /dev/null
+++ b/charts/gluu/gluu/5.0.302/charts/config/templates/configmaps.yaml
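Review bot: The second document in clusterrolebinding.yaml binds the built-in `edit` ClusterRole to the release namespace's `default` ServiceAccount with a ClusterRoleBinding. Any pod in that namespace that does not set its own service account therefore gets read/write access to most namespaced resources, Secrets included, in every namespace of the cluster. The first document always renders a `cluster-admin` binding for a literal user `"ACCOUNT"` that is not templated from values; it should be removed from the chart or gated behind an explicit value. If the configurator only needs the ConfigMap and Secret in its own namespace, as the `CN_CONFIG_KUBERNETES_*` and `CN_SECRET_KUBERNETES_*` settings in configmaps.yaml suggest, a namespaced Role and RoleBinding along the lines below would be enough. The verbs are a guess and need checking against what the job actually calls.

```yaml
# replaces the second ClusterRoleBinding; resource names are illustrative
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: {{ .Release.Name }}-config-role
  namespace: {{ .Release.Namespace }}
rules:
  - apiGroups: [""]
    resources: ["configmaps", "secrets"]
    verbs: ["get", "create", "patch"]  # confirm against the configurator's API calls
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: {{ .Release.Name }}-config-rolebinding
  namespace: {{ .Release.Namespace }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: {{ .Release.Name }}-config-role
subjects:
  - kind: ServiceAccount
    name: default
    namespace: {{ .Release.Namespace }}
```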
@@ -0,0 +1,407 @@ + +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ .Release.Name }}-config-cm + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: configurator +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +data: + # Jetty header size in bytes in the auth server + CN_JETTY_REQUEST_HEADER_SIZE: {{ .Values.configmap.cnJettyRequestHeaderSize | quote }} + CN_DISTRIBUTION: {{ .Values.global.distribution | quote }} + {{ if .Values.global.cnObExtSigningJwksUri }} + CN_OB_EXT_SIGNING_JWKS_URI: {{ .Values.global.cnObExtSigningJwksUri | quote }} + CN_OB_AS_TRANSPORT_ALIAS: {{ .Values.global.cnObTransportAlias | quote }} + CN_OB_EXT_SIGNING_ALIAS: {{ .Values.global.cnObExtSigningAlias | quote }} + # force the AS to use a specific signing key + CN_OB_STATIC_KID: {{ .Values.global.cnObStaticSigningKeyKid | quote }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + # [google_envs] Envs related to using Google + GOOGLE_APPLICATION_CREDENTIALS: {{ .Values.global.cnGoogleApplicationCredentials | quote }} + GOOGLE_PROJECT_ID: {{ .Values.configmap.cnGoogleProjectId | quote }} + {{- end }} + {{ if eq .Values.global.cnPersistenceType "spanner" }} + # [google_spanner_envs] Envs related to using Google Secret Manager to store config and secret layer + CN_GOOGLE_SPANNER_INSTANCE_ID: {{ .Values.configmap.cnGoogleSpannerInstanceId | quote }} + CN_GOOGLE_SPANNER_DATABASE_ID: {{ .Values.configmap.cnGoogleSpannerDatabaseId | quote }} + # [google_spanner_envs] END + {{- end }} + {{ if eq .Values.global.configSecretAdapter "google" }} + # [google_secret_manager_envs] Envs related to using Google Secret Manager to store config and secret layer + CN_SECRET_GOOGLE_SECRET_VERSION_ID: {{ 
.Values.configmap.cnSecretGoogleSecretVersionId | quote }} + CN_SECRET_GOOGLE_SECRET_MANAGER_PASSPHRASE: {{ .Values.configmap.cnGoogleSecretManagerPassPhrase | quote }} + CN_SECRET_GOOGLE_SECRET_NAME_PREFIX: {{ .Values.configmap.cnSecretGoogleSecretNamePrefix | quote }} + CN_CONFIG_GOOGLE_SECRET_VERSION_ID: {{ .Values.configmap.cnConfigGoogleSecretVersionId | quote }} + CN_CONFIG_GOOGLE_SECRET_NAME_PREFIX: {{ .Values.configmap.cnConfigGoogleSecretNamePrefix | quote }} + # [google_secret_manager_envs] END + {{- end }} + CN_SQL_DB_DIALECT: {{ .Values.configmap.cnSqlDbDialect }} + CN_SQL_DB_HOST: {{ .Values.configmap.cnSqlDbHost }} + CN_SQL_DB_PORT: {{ .Values.configmap.cnSqlDbPort | quote }} + CN_SQL_DB_NAME: {{ .Values.configmap.cnSqlDbName }} + CN_SQL_DB_USER: {{ .Values.configmap.cnSqlDbUser }} + CN_SQL_DB_TIMEZONE: {{ .Values.configmap.cnSqlDbTimezone }} + CN_CONFIG_ADAPTER: {{ .Values.global.configAdapterName }} + CN_SECRET_ADAPTER: {{ .Values.global.configSecretAdapter }} + CN_CONFIG_KUBERNETES_NAMESPACE: {{ .Release.Namespace | quote }} + CN_SECRET_KUBERNETES_NAMESPACE: {{ .Release.Namespace | quote }} + CN_CONFIG_KUBERNETES_CONFIGMAP: {{ .Values.configmap.cnConfigKubernetesConfigMap }} + CN_SECRET_KUBERNETES_SECRET: {{ .Values.configmap.cnSecretKubernetesSecret }} + CN_CONTAINER_METADATA: {{ .Values.configmap.containerMetadataName | quote }} + CN_MAX_RAM_PERCENTAGE: {{ .Values.configmap.cnMaxRamPercent | quote }} + CN_CACHE_TYPE: {{ .Values.configmap.cnCacheType | quote }} + CN_DOCUMENT_STORE_TYPE: {{ .Values.global.cnDocumentStoreType | quote }} + DOMAIN: {{ .Values.global.fqdn | quote }} + CN_AUTH_SERVER_BACKEND: {{ cat ( index .Values "global" "auth-server" "authServerServiceName" ) ":8080" | quote | nospace }} + CN_AUTH_APP_LOGGERS: {{ index .Values "global" "auth-server" "appLoggers" + | toJson + | replace "authLogTarget" "auth_log_target" + | replace "authLogLevel" "auth_log_level" + | replace "httpLogTarget" "http_log_target" + | replace "httpLogLevel" 
"http_log_level" + | replace "persistenceLogTarget" "persistence_log_target" + | replace "persistenceLogLevel" "persistence_log_level" + | replace "persistenceDurationLogTarget" "persistence_duration_log_target" + | replace "persistenceDurationLogLevel" "persistence_duration_log_level" + | replace "ldapStatsLogTarget" "ldap_stats_log_target" + | replace "ldapStatsLogLevel" "ldap_stats_log_level" + | replace "scriptLogTarget" "script_log_target" + | replace "scriptLogLevel" "script_log_level" + | replace "auditStatsLogTarget" "audit_log_target" + | replace "auditStatsLogLevel" "audit_log_level" + | squote + }} + {{- if index .Values "global" "client-api" "enabled" }} + CN_CLIENT_API_SERVER_URL: {{ cat ( index .Values "global" "client-api" "clientApiServerServiceName" ) ":8443" | quote | nospace }} + CN_CLIENT_API_BIND_IP_ADDRESSES: {{ .Values.configmap.cnClientApiBindIpAddresses | quote }} + CN_CLIENT_API_APP_LOGGERS: {{ index .Values "global" "client-api" "appLoggers" + | toJson + | replace "clientApiLogTarget" "client_api_log_target" + | replace "clientApiLogLevel" "client_api_log_level" + | squote + }} + {{- end }} + {{- if index .Values "global" "config-api" "enabled" }} + CN_CONFIG_API_APP_LOGGERS: {{ index .Values "global" "config-api" "appLoggers" + | toJson + | replace "configApiLogTarget" "config_api_log_target" + | replace "configApiLogLevel" "config_api_log_level" + | replace "persistenceLogTarget" "persistence_log_target" + | replace "persistenceLogLevel" "persistence_log_level" + | replace "persistenceDurationLogTarget" "persistence_duration_log_target" + | replace "persistenceDurationLogLevel" "persistence_duration_log_level" + | replace "ldapStatsLogTarget" "ldap_stats_log_target" + | replace "ldapStatsLogLevel" "ldap_stats_log_level" + | replace "scriptLogTarget" "script_log_target" + | replace "scriptLogLevel" "script_log_level" + | squote + }} + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq 
.Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + LB_ADDR: {{ .Values.configmap.lbAddr }} + {{- end }} + CN_PERSISTENCE_TYPE: {{ .Values.global.cnPersistenceType }} + {{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} + # used only if CN_PERSISTENCE_TYPE is ldap or hybrid + {{- if .Values.configmap.cnLdapUrl }} + CN_LDAP_URL: {{ .Values.configmap.cnLdapUrl | quote }} + {{- else }} + CN_LDAP_URL: {{ cat ( .Values.global.opendj.ldapServiceName ) ":1636" | quote | nospace }} + {{- end }} + {{- else if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + # used only if CN_PERSISTENCE_TYPE is couchbase or hybrid + CN_COUCHBASE_URL: {{ .Values.configmap.cnCouchbaseUrl }} + CN_COUCHBASE_BUCKET_PREFIX: {{ .Values.configmap.cnCouchbaseBucketPrefix }} + CN_COUCHBASE_INDEX_NUM_REPLICA: {{ .Values.configmap.cnCouchbaseIndexNumReplica | quote }} + CN_COUCHBASE_USER: {{ .Values.configmap.cnCouchbaseUser }} + CN_COUCHBASE_SUPERUSER: {{ .Values.configmap.cnCouchbaseSuperUser }} + {{- end }} + CN_KEY_ROTATION_FORCE: "false" + CN_KEY_ROTATION_CHECK: "3600" + CN_KEY_ROTATION_INTERVAL: "48" + CN_SSL_CERT_FROM_SECRETS: "true" + CN_CONTAINER_MAIN_NAME: {{ .Release.Name }}-auth-server + # options: default/user/site/cache/statistic used only if CN_PERSISTENCE_TYPE is hybrid or hybrid + {{- if or (eq .Values.global.cnPersistenceType "hybrid") (eq .Values.global.cnPersistenceType "ldap") }} + # must the same as the opendj service name + CN_CERT_ALT_NAME: {{ .Values.global.opendj.ldapServiceName }} #{{ template "cn.fullname" . 
}}-service + CN_PERSISTENCE_LDAP_MAPPING: {{ .Values.configmap.cnPersistenceLdapMapping | quote }} + {{- end }} + # Auto enable installation of some services + CN_CASA_ENABLED: {{ .Values.global.casa.enabled | quote }} + CN_PASSPORT_ENABLED: {{ .Values.global.oxpassport.enabled | quote }} + {{- if .Values.global.oxshibboleth.enabled }} + CN_SAML_ENABLED: {{ .Values.global.oxshibboleth.enabled | quote }} + {{- end }} + CN_CLIENT_API_APPLICATION_CERT_CN: {{ .Values.configmap.cnClientApiApplicationCertCn | quote }} + CN_CLIENT_API_ADMIN_CERT_CN: {{ .Values.configmap.cnClientApiAdminCertCn | quote }} + {{ if eq .Values.configmap.cnCacheType "REDIS" }} + CN_REDIS_URL: {{ .Values.configmap.cnRedisUrl | quote }} + CN_REDIS_TYPE: {{ .Values.configmap.cnRedisType | quote }} + CN_REDIS_USE_SSL: {{ .Values.configmap.cnRedisUseSsl | quote }} + CN_REDIS_SSL_TRUSTSTORE: {{ .Values.configmap.cnRedisSslTruststore | quote }} + CN_REDIS_SENTINEL_GROUP: {{ .Values.configmap.cnRedisSentinelGroup | quote }} + {{- end }} + {{- if .Values.global.istio.enabled }} + CN_COUCHBASE_TRUSTSTORE_ENABLE: "false" + CN_LDAP_USE_SSL: "false" + {{- end }} + {{- if .Values.global.scim.enabled }} + CN_SCIM_ENABLED: {{ .Values.global.scim.enabled | quote }} + CN_SCIM_PROTECTION_MODE: {{ .Values.configmap.cnScimProtectionMode | quote }} + CN_SCIM_APP_LOGGERS: {{ .Values.global.scim.appLoggers + | toJson + | replace "scimLogTarget" "scim_log_target" + | replace "scimLogLevel" "scim_log_level" + | replace "persistenceLogTarget" "persistence_log_target" + | replace "persistenceLogLevel" "persistence_log_level" + | replace "persistenceDurationLogTarget" "persistence_duration_log_target" + | replace "persistenceDurationLogLevel" "persistence_duration_log_level" + | replace "ldapStatsLogTarget" "ldap_stats_log_target" + | replace "ldapStatsLogLevel" "ldap_stats_log_level" + | replace "scriptLogTarget" "script_log_target" + | replace "scriptLogLevel" "script_log_level" + | squote + }} + {{- end }} + {{- if 
.Values.global.fido2.enabled }} + CN_FIDO2_APP_LOGGERS: {{ .Values.global.fido2.appLoggers + | toJson + | replace "fido2LogTarget" "fido2_log_target" + | replace "fido2LogLevel" "fido2_log_level" + | replace "persistenceLogTarget" "persistence_log_target" + | replace "persistenceLogLevel" "persistence_log_level" + | squote + }} + {{- end }} + {{- if index .Values "global" "admin-ui" "enabled" }} + # ADMIN-UI + ADMIN_UI_JWKS: {{ cat "http://" ( index .Values "global" "auth-server" "authServerServiceName" ) ":8080/jans-auth/restv1/jwks" | quote | nospace }} + CN_CONFIG_API_PLUGINS: "admin-ui,scim" + CN_ADMIN_UI_PLUGIN_LOGGERS: {{ index .Values "global" "config-api" "adminUiappLoggers" + | toJson + | replace "adminUiLogTarget" "admin_ui_log_target" + | replace "adminUiLogLevel" "admin_ui_log_level" + | replace "adminUiAuditLogTarget" "admin_ui_audit_log_target" + | replace "adminUiAuditLogLevel" "admin_ui_audit_log_level" + | squote + }} + {{- end }} +--- + +apiVersion: v1 +data: + tls_generator.py: |- + from kubernetes import config, client + import logging + + log_format = '%(asctime)s - %(name)8s - %(levelname)5s - %(message)s' + logging.basicConfig(format=log_format, level=logging.INFO) + logger = logging.getLogger("tls-generator") + + # use the serviceAccount k8s gives to pods + config.load_incluster_config() + core_cli = client.CoreV1Api() + + def patch_or_create_namespaced_secret(name, literal, value_of_literal, namespace="default", + secret_type="Opaque", second_literal=None, value_of_second_literal=None, + data=None): + """Patch secret and if not exist create + :param name: + :param literal: + :param value_of_literal: + :param namespace: + :param secret_type: + :param second_literal: + :param value_of_second_literal: + :param data: + :return: + """ + # Instantiate the Secret object + body = client.V1Secret() + metadata = client.V1ObjectMeta(name=name) + body.data = data + if not data: + body.data = {literal: value_of_literal} + body.metadata = metadata + 
body.type = secret_type + if second_literal: + body.data = {literal: value_of_literal, second_literal: value_of_second_literal} + try: + core_cli.patch_namespaced_secret(name, namespace, body) + logger.info('Secret {} in namespace {} has been patched'.format(name, namespace)) + return + except client.rest.ApiException as e: + if e.status == 404 or not e.status: + try: + core_cli.create_namespaced_secret(namespace=namespace, body=body) + logger.info('Created secret {} of type {} in namespace {}'.format(name, secret_type, namespace)) + return True + except client.rest.ApiException as e: + logger.exception(e) + return False + logger.exception(e) + return False + + # check if gluu secret exists + def get_certs(secret_name, namespace): + """ + + :param namespace: + :return: ssl cert and key from gluu secrets + """ + ssl_cert = None + ssl_key = None + if core_cli.read_namespaced_secret(secret_name, namespace): + ssl_cert = core_cli.read_namespaced_secret(secret_name, namespace).data['ssl_cert'] + ssl_key = core_cli.read_namespaced_secret(secret_name, namespace).data['ssl_key'] + + return ssl_cert, ssl_key + + + def main(): + namespace = {{.Release.Namespace | quote}} + secret_name = {{ .Values.configmap.cnSecretKubernetesSecret | quote }} + cert, key = get_certs(secret_name, namespace) + # global vars + name = "tls-certificate" + + # if istio is enabled + {{- if.Values.global.istio.ingress}} + namespace = {{.Values.global.istio.namespace | quote}} + {{- end}} + + if cert and key: + patch_or_create_namespaced_secret(name=name, + namespace=namespace, + literal="tls.crt", + value_of_literal=cert, + secret_type="kubernetes.io/tls", + second_literal="tls.key", + value_of_second_literal=key) + else: + logger.error("No certificate or key was found in secrets.") + + if __name__ == "__main__": + main() + +kind: ConfigMap +metadata: + name: {{ include "config.fullname" . }}-tls-script + namespace: {{ .Release.Namespace }} + labels: +{{ include "config.labels" . 
| indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} + +--- + +apiVersion: v1 +data: + updatelbip.py: |- + #!/usr/bin/env python3 + # -*- coding: utf-8 -*- + + # Update the IP of the load balancer automatically + + """ + License terms and conditions for Gluu Cloud Native Edition: + https://www.apache.org/licenses/LICENSE-2.0 + """ + + import socket + import os + import logging + import time + + logger = logging.getLogger("update-lb-ip") + logger.setLevel(logging.INFO) + ch = logging.StreamHandler() + fmt = logging.Formatter('%(levelname)s - %(asctime)s - %(message)s') + ch.setFormatter(fmt) + logger.addHandler(ch) + + + def backup(hosts): + timenow = time.strftime("%c") + timestamp = "Backup occurred %s \n" % timenow + logger.info("Backing up hosts file to /etc/hosts.back ...") + with open('/etc/hosts.back', 'a+') as f: + f.write(timestamp) + for line in hosts: + f.write(line) + + + def get_hosts(lb_addr, domain): + ip_list = [] + hosts_list = [] + ais = socket.getaddrinfo(lb_addr, 0, 0, 0, 0) + for result in ais: + ip_list.append(result[-1][0]) + ip_list = list(set(ip_list)) + for ip in ip_list: + add_host = ip + " " + domain + hosts_list.append(add_host) + + return hosts_list + + + def main(): + try: + while True: + lb_addr = os.environ.get("LB_ADDR", "") + domain = os.environ.get("DOMAIN", "demoexample.gluu.org") + host_file = open('/etc/hosts', 'r').readlines() + hosts = get_hosts(lb_addr, domain) + stop = [] + for host in hosts: + for i in host_file: + if host.replace(" ", "") in i.replace(" ", ""): + stop.append("found") + if len(stop) != len(hosts): + backup(host_file) + logger.info("Writing new hosts file") + with open('/etc/hosts', 'w') as f: + for line in host_file: + if domain not in line: + f.write(line) + for host in hosts: + f.write(host) + f.write("\n") + f.write("\n") + 
time.sleep(300)
+ except KeyboardInterrupt:
+ logger.warning("Canceled by user; exiting ...")
+
+
+ if __name__ == "__main__":
+ main()
+
+kind: ConfigMap
+metadata:
+ name: {{ .Release.Name }}-updatelbip
+ namespace: {{ .Release.Namespace }}
+ labels:
+{{ include "config.labels" . | indent 4 }}
+{{- if .Values.additionalLabels }}
+{{ toYaml .Values.additionalLabels | indent 4 }}
+{{- end }}
+{{- if .Values.additionalAnnotations }}
+ annotations:
+{{ toYaml .Values.additionalAnnotations | indent 4 }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/gluu/gluu/5.0.302/charts/config/templates/load-init-config.yml b/charts/gluu/gluu/5.0.302/charts/config/templates/load-init-config.yml
new file mode 100644
index 000000000..693612a62
--- /dev/null
+++ b/charts/gluu/gluu/5.0.302/charts/config/templates/load-init-config.yml
@@ -0,0 +1,103 @@
+
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ include "config.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ APP_NAME: configurator
+{{ include "config.labels" . | indent 4 }}
+{{- if .Values.additionalLabels }}
+{{ toYaml .Values.additionalLabels | indent 4 }}
+{{- end }}
+{{- if .Values.additionalAnnotations }}
+ annotations:
+{{ toYaml .Values.additionalAnnotations | indent 4 }}
+{{- end }}
+spec:
+ ttlSecondsAfterFinished: 120
+ template:
+ metadata:
+ name: {{ include "config.name" . }}-job
+ labels:
+ APP_NAME: configurator
+ app: {{ .Release.Name }}-{{ include "config.name" . }}-init-load
+ spec:
+ {{- with .Values.image.pullSecrets }}
+ imagePullSecrets:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ dnsPolicy: {{ .Values.dnsPolicy | quote }}
+ {{- with .Values.dnsConfig }}
+ dnsConfig:
+{{ toYaml . | indent 8 }}
+ {{- end }}
+ volumes:
+ {{- with .Values.volumes }}
+{{- toYaml . | nindent 8 }}
+ {{- end }}
+ - name: {{ include "config.fullname" . }}-mount-gen-file
+ secret:
+ secretName: {{ include "config.fullname" . }}-gen-json-file
+ - name: {{ include "config.fullname" . }}-tls-script
+ configMap:
+ name: {{ include "config.fullname" . }}-tls-script
+ {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }}
+ - name: google-sa
+ secret:
+ secretName: {{ .Release.Name }}-google-sa
+ {{- end }}
+ containers:
+ - name: {{ include "config.name" . }}
+ image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+ securityContext:
+ runAsUser: 1000
+ runAsNonRoot: true
+ env:
+ {{- include "config.usr-envs" . | indent 12 }}
+ {{- include "config.usr-secret-envs" . | indent 12 }}
+ volumeMounts:
+ {{- with .Values.volumeMounts }}
+{{- toYaml . | nindent 10 }}
+ {{- end }}
+ - mountPath: /app/db/generate.json
+ name: {{ include "config.fullname" .
}}-mount-gen-file
+ subPath: generate.json
+ - mountPath: /scripts/tls_generator.py
+ name: {{ include "config.fullname" . }}-tls-script
+ subPath: tls_generator.py
+ {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }}
+ - mountPath: {{ .Values.global.cnGoogleApplicationCredentials }}
+ name: google-sa
+ subPath: google-credentials.json
+ {{- end }}
+ envFrom:
+ - configMapRef:
+ name: {{ .Release.Name }}-config-cm
+ {{ if .Values.global.usrEnvs.secret }}
+ - secretRef:
+ name: {{ .Release.Name }}-global-user-custom-envs
+ {{- end }}
+ {{ if .Values.global.usrEnvs.normal }}
+ - configMapRef:
+ name: {{ .Release.Name }}-global-user-custom-envs
+ {{- end }}
+ resources:
+{{- toYaml .Values.resources | nindent 10 }}
+ command:
+ - tini
+ - -g
+ - --
+ - /bin/sh
+ - -c
+ - |
+ {{- if .Values.migration.enabled }}
+ /app/scripts/entrypoint.sh migrate --migration-dir {{ .Values.migration.migrationDir | quote }} --data-format {{ .Values.migration.migrationDataFormat | quote }}
+ {{- else }}
+ /app/scripts/entrypoint.sh load
+ {{- end }}
+ /usr/bin/python3 /scripts/tls_generator.py
+ {{- if .Values.global.istio.enabled }}
+ curl -X POST http://localhost:15020/quitquitquit
+ {{- end }}
+ restartPolicy: Never
diff --git a/charts/gluu/gluu/5.0.302/charts/config/templates/ob-secrets.yaml b/charts/gluu/gluu/5.0.302/charts/config/templates/ob-secrets.yaml
new file mode 100644
index 000000000..cdb1f9041
--- /dev/null
+++ b/charts/gluu/gluu/5.0.302/charts/config/templates/ob-secrets.yaml
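Review bot: The `/bin/sh -c` script at the end of `command` runs its steps in sequence without checking any exit status, so if `/app/scripts/entrypoint.sh load` (or `migrate`) fails, `tls_generator.py` still runs and the Job's result is the status of the last command, which with Istio enabled is the `curl` to `quitquitquit`. A failed configuration load can then be reported as a completed Job. Chain the two steps and keep their status, `rc=0; /app/scripts/entrypoint.sh load && /usr/bin/python3 /scripts/tls_generator.py || rc=$?`, and end the script with `exit $rc` after the sidecar shutdown call so the sidecar is still stopped on failure. The pod spec also sets no `serviceAccountName`, so this Job runs as the namespace's `default` service account.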
@@ -0,0 +1,71 @@
+{{ if .Values.global.cnObExtSigningJwksCrt }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ .Release.Name }}-ob-ext-signing-jwks-crt-key-pin
+ labels:
+{{ include "config.labels" . | indent 4 }}
+{{- if .Values.additionalLabels }}
+{{ toYaml .Values.additionalLabels | indent 4 }}
+{{- end }}
+{{- if .Values.additionalAnnotations }}
+ annotations:
+{{ toYaml .Values.additionalAnnotations | indent 4 }}
+{{- end }}
+ namespace: {{ .Release.Namespace }}
+type: Opaque
+data:
+ ob-ext-signing.crt: {{ .Values.global.cnObExtSigningJwksCrt }}
+ {{ if .Values.global.cnObExtSigningJwksKey }}
+ ob-ext-signing.key: {{ .Values.global.cnObExtSigningJwksKey }}
+ {{- end }}
+ {{ if .Values.global.cnObExtSigningJwksKeyPassPhrase }}
+ ob-ext-signing.pin: {{ .Values.global.cnObExtSigningJwksKeyPassPhrase }}
+ {{- end }}
+{{- end }}
+{{ if .Values.global.cnObTransportCrt }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ .Release.Name }}-ob-transport-crt-key-pin
+ labels:
+{{ include "config.labels" . | indent 4 }}
+{{- if .Values.additionalLabels }}
+{{ toYaml .Values.additionalLabels | indent 4 }}
+{{- end }}
+{{- if .Values.additionalAnnotations }}
+ annotations:
+{{ toYaml .Values.additionalAnnotations | indent 4 }}
+{{- end }}
+ namespace: {{ .Release.Namespace }}
+type: Opaque
+data:
+ ob-transport.crt: {{ .Values.global.cnObTransportCrt }}
+ {{ if .Values.global.cnObTransportKey }}
+ ob-transport.key: {{ .Values.global.cnObTransportKey }}
+ {{- end }}
+ {{ if .Values.global.cnObTransportKeyPassPhrase }}
+ ob-transport.pin: {{ .Values.global.cnObTransportKeyPassPhrase }}
+ {{- end }}
+{{- end }}
+{{ if .Values.global.cnObTransportTrustStore }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ .Release.Name }}-ob-transport-truststore
+ labels:
+{{ include "config.labels" .
| indent 4 }}
+{{- if .Values.additionalLabels }}
+{{ toYaml .Values.additionalLabels | indent 4 }}
+{{- end }}
+{{- if .Values.additionalAnnotations }}
+ annotations:
+{{ toYaml .Values.additionalAnnotations | indent 4 }}
+{{- end }}
+ namespace: {{ .Release.Namespace }}
+type: Opaque
+data:
+ ob-transport-truststore.p12: {{ .Values.global.cnObTransportTrustStore }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/gluu/gluu/5.0.302/charts/config/templates/rolebinding.yaml b/charts/gluu/gluu/5.0.302/charts/config/templates/rolebinding.yaml
new file mode 100644
index 000000000..507a48af0
--- /dev/null
+++ b/charts/gluu/gluu/5.0.302/charts/config/templates/rolebinding.yaml
@@ -0,0 +1,24 @@
+
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: {{ .Release.Name }}-{{ .Release.Namespace }}-rolebinding
+ namespace: {{ .Release.Namespace }}
+ labels:
+ APP_NAME: configurator
+{{ include "config.labels" . | indent 4 }}
+{{- if .Values.additionalLabels }}
+{{ toYaml .Values.additionalLabels | indent 4 }}
+{{- end }}
+{{- if .Values.additionalAnnotations }}
+ annotations:
+{{ toYaml .Values.additionalAnnotations | indent 4 }}
+{{- end }}
+subjects:
+- kind: User
+ name: system:serviceaccount:{{ .Release.Namespace }}:default # Name is case sensitive
+ apiGroup: rbac.authorization.k8s.io
+roleRef:
+ kind: Role # this must be Role or ClusterRole
+ name: {{ .Release.Name }}-{{ .Release.Namespace }}-cn-role # this must match the name of the Role or ClusterRole you wish to bind to
+ apiGroup: rbac.authorization.k8s.io
\ No newline at end of file
diff --git a/charts/gluu/gluu/5.0.302/charts/config/templates/roles.yaml b/charts/gluu/gluu/5.0.302/charts/config/templates/roles.yaml
new file mode 100644
index 000000000..ba80a29c2
--- /dev/null
+++ b/charts/gluu/gluu/5.0.302/charts/config/templates/roles.yaml
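Review bot: Every value under `data:` in the three Secrets of ob-secrets.yaml is inserted exactly as supplied (`ob-ext-signing.key: {{ .Values.global.cnObExtSigningJwksKey }}` and the others), so the chart depends on each value already being base64 in the values file; a value pasted in plain form is either rejected by the API server or decoded to different bytes. secrets.yaml in this patch does the same for `couchbase.crt` and `google-credentials.json`, while its `ldap-cron-pass` Secret applies `b64enc`. Add a comment above each `data:` block stating that the values must be base64-encoded, and render them as strings, e.g. `ob-transport.key: {{ .Values.global.cnObTransportKey | quote }}`. Private keys and passphrases passed through values are also kept with the release's stored values, which the chart documentation should mention.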
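Review bot: The subject `system:serviceaccount:{{ .Release.Namespace }}:default` in rolebinding.yaml is the namespace's default service account, so every pod in the release namespace that does not set its own service account receives the bound role, which roles.yaml in this patch defines as read/write on all ConfigMaps and Secrets. A dedicated account limits that to the workloads that need it: create a ServiceAccount in the chart, set `serviceAccountName` in the pod specs that use it, and bind it with `- kind: ServiceAccount`, `name: <chart service account>`, `namespace: {{ .Release.Namespace }}` (that subject kind takes no `apiGroup`). The `kind: User` form with a `system:serviceaccount:` name does match the account, but the ServiceAccount subject is the form RBAC audits look for.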
@@ -0,0 +1,20 @@
+
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: {{ .Release.Name }}-{{ .Release.Namespace }}-cn-role
+ namespace: {{ .Release.Namespace }}
+ labels:
+ APP_NAME: configurator
+{{ include "config.labels" . | indent 4 }}
+{{- if .Values.additionalLabels }}
+{{ toYaml .Values.additionalLabels | indent 4 }}
+{{- end }}
+{{- if .Values.additionalAnnotations }}
+ annotations:
+{{ toYaml .Values.additionalAnnotations | indent 4 }}
+{{- end }}
+rules:
+- apiGroups: [""] # "" refers to the core API group
+ resources: ["configmaps", "secrets"]
+ verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
diff --git a/charts/gluu/gluu/5.0.302/charts/config/templates/secrets.yaml b/charts/gluu/gluu/5.0.302/charts/config/templates/secrets.yaml
new file mode 100644
index 000000000..3c745495a
--- /dev/null
+++ b/charts/gluu/gluu/5.0.302/charts/config/templates/secrets.yaml
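Review bot: The single rule grants all seven verbs, including `list`, `watch` and `delete`, on every ConfigMap and Secret in the namespace, so the bound account can read and remove secrets that belong to any other workload deployed there. The one consumer visible in this patch, `tls_generator.py`, reads one secret and patches or creates `tls-certificate`; other consumers are not visible here, so the needed set should be confirmed before tightening. Split the rule per resource, keep only the verbs each component uses, and where object names are known add `resourceNames` to the `get`/`update`/`patch`/`delete` rule (it cannot constrain `create`). A comment above `rules:` naming which component needs which verb would document the intent.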
@@ -0,0 +1,101 @@
+
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ include "config.fullname" . }}-gen-json-file
+ namespace: {{ .Release.Namespace }}
+ labels:
+ APP_NAME: configurator
+{{ include "config.labels" . | indent 4 }}
+{{- if .Values.additionalLabels }}
+{{ toYaml .Values.additionalLabels | indent 4 }}
+{{- end }}
+{{- if .Values.additionalAnnotations }}
+ annotations:
+{{ toYaml .Values.additionalAnnotations | indent 4 }}
+{{- end }}
+type: Opaque
+stringData:
+ generate.json: |-
+ {
+ "hostname": {{ .Values.global.fqdn | quote }},
+ "country_code": {{ .Values.countryCode | quote }},
+ "state": {{ .Values.state | quote }},
+ "city": {{ .Values.city | quote }},
+ "admin_pw": {{ .Values.adminPassword | quote }},
+ "ldap_pw": {{ .Values.ldapPassword | quote }},
+ "redis_pw": {{ .Values.redisPassword | quote }},
+ "email": {{ .Values.email | quote }},
+ "org_name": {{ .Values.orgName | quote }},
+ {{ if eq .Values.global.cnPersistenceType "sql" }}
+ "sql_pw": {{ .Values.configmap.cnSqldbUserPassword | quote }},
+ {{- end }}
+ {{ if or ( eq .Values.global.cnPersistenceType "couchbase" ) ( eq .Values.global.cnPersistenceType "hybrid" ) }}
+ "couchbase_pw": {{ .Values.configmap.cnCouchbasePassword | quote }},
+ "couchbase_superuser_pw": {{ .Values.configmap.cnCouchbaseSuperUserPassword | quote }},
+ {{- end }}
+ "auth_sig_keys": {{ index .Values "global" "auth-server" "authSigKeys" | quote }},
+ "auth_enc_keys": {{ index .Values "global" "auth-server" "authEncKeys" | quote }},
+ "optional_scopes": {{ list (include "config.optionalScopes" . | fromJsonArray | join ",") }}
+ }
+
+{{ if or ( eq .Values.global.cnPersistenceType "couchbase" ) ( eq .Values.global.cnPersistenceType "hybrid" ) }}
+{{- if not .Values.global.istio.enabled }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ .Release.Name }}-cb-crt
+ labels:
+{{ include "config.labels" .
| indent 4 }}
+{{- if .Values.additionalLabels }}
+{{ toYaml .Values.additionalLabels | indent 4 }}
+{{- end }}
+{{- if .Values.additionalAnnotations }}
+ annotations:
+{{ toYaml .Values.additionalAnnotations | indent 4 }}
+{{- end }}
+type: Opaque
+data:
+ couchbase.crt: {{ .Values.configmap.cnCouchbaseCrt }}
+{{- end }}
+{{- end }}
+{{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ .Release.Name }}-google-sa
+ labels:
+{{ include "config.labels" . | indent 4 }}
+{{- if .Values.additionalLabels }}
+{{ toYaml .Values.additionalLabels | indent 4 }}
+{{- end }}
+{{- if .Values.additionalAnnotations }}
+ annotations:
+{{ toYaml .Values.additionalAnnotations | indent 4 }}
+{{- end }}
+type: Opaque
+data:
+ google-credentials.json: {{ .Values.configmap.cnGoogleSecretManagerServiceAccount }}
+{{- end}}
+
+{{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }}
+---
+# Consider removing secret after moving ldapPass to global. This is only used by the cronJob ldap backup.
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ .Release.Name }}-ldap-cron-pass
+ labels:
+{{ include "config.labels" . | indent 4 }}
+{{- if .Values.additionalLabels }}
+{{ toYaml .Values.additionalLabels | indent 4 }}
+{{- end }}
+{{- if .Values.additionalAnnotations }}
+ annotations:
+{{ toYaml .Values.additionalAnnotations | indent 4 }}
+{{- end }}
+data:
+ password: {{ .Values.ldapPassword | b64enc }}
+{{- end}}
diff --git a/charts/gluu/gluu/5.0.302/charts/config/templates/service.yaml b/charts/gluu/gluu/5.0.302/charts/config/templates/service.yaml
new file mode 100644
index 000000000..da5dedf89
--- /dev/null
+++ b/charts/gluu/gluu/5.0.302/charts/config/templates/service.yaml
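Review bot: The fields of `generate.json` are written with `quote`, which applies Go string quoting rather than JSON encoding, so a password containing a control or non-printable character can render an escape that a JSON parser rejects; `toJson` is the matching encoder, e.g. `"admin_pw": {{ .Values.adminPassword | toJson }}`, and likewise for `ldap_pw`, `redis_pw` and the other fields. `optional_scopes` is emitted with no encoder at all: `list (… | join ",")` prints in Go's list format, so a non-empty result would appear as a bare `[a,b]`; this should be checked against the `config.optionalScopes` helper, which is outside this hunk. The `cb-crt`, `google-sa` and `ldap-cron-pass` Secrets also omit the `namespace: {{ .Release.Namespace }}` line that the first Secret in the file sets.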
@@ -0,0 +1,27 @@
+{{- if ( .Values.global.istio.enabled) }}
+# License terms and conditions:
+# https://www.apache.org/licenses/LICENSE-2.0
+# Used with Istio
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "config.fullname" . }}
+ labels:
+ APP_NAME: configurator
+{{ include "config.labels" . | indent 4 }}
+{{- if .Values.additionalLabels }}
+{{ toYaml .Values.additionalLabels | indent 4 }}
+{{- end }}
+{{- if .Values.additionalAnnotations }}
+ annotations:
+{{ toYaml .Values.additionalAnnotations | indent 4 }}
+{{- end }}
+spec:
+ ports:
+ - name: http
+ port: 80
+ targetPort: 8080
+ selector:
+ app: {{ .Release.Name }}-{{ include "config.name" . }}-init-load
+ type: ClusterIP
+{{- end }}
\ No newline at end of file
diff --git a/charts/gluu/gluu/5.0.302/charts/config/templates/upgrade-ldap-101-jans.yaml b/charts/gluu/gluu/5.0.302/charts/config/templates/upgrade-ldap-101-jans.yaml
new file mode 100644
index 000000000..bcdc85409
--- /dev/null
+++ b/charts/gluu/gluu/5.0.302/charts/config/templates/upgrade-ldap-101-jans.yaml
@@ -0,0 +1,1777 @@ +{{- if .Values.global.upgrade.enabled }} +{{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} + +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ .Release.Name }}-oxjans + namespace: {{ .Release.Namespace }} + labels: +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} + annotations: + "helm.sh/hook": pre-upgrade + "helm.sh/hook-weight": "0" + "helm.sh/hook-delete-policy": before-hook-creation +{{- if .Values.additionalAnnotations }} +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +data: + 101-jans.ldif: |+ + dn: cn=schema + objectClass: top + objectClass: ldapSubentry + objectClass: subschema + cn: schema + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.1 NAME 'jansAssociatedClnt' + DESC 'Associate the dn of an OAuth2 client with a person or UMA Resource Set.' + EQUALITY distinguishedNameMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.2 NAME 'county' + DESC 'ISO 3166-1 Alpha-2 Country Code' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.3 NAME 'creationDate' + DESC 'Creation Date used for password reset requests' + EQUALITY generalizedTimeMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 + ORDERING generalizedTimeOrderingMatch + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.4 NAME 'jansDefScope' + DESC 'Track the default scope for an custom OAuth2 Scope.' 
+ EQUALITY booleanMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.5 NAME 'jansAttrViewTyp' + DESC 'Specify in exclude who can view an attribute, admin or user' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.6 NAME 'jansAttrEditTyp' + DESC 'Specify in exclude who can update an attribute, admin or user' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.7 NAME 'jansAttrName' + DESC 'Specify an identifier for an attribute. May be multi-value where an attribute has two names, like givenName and first-name.' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.8 NAME 'jansAttrOrigin' + DESC 'Specify the person objectclass associated with the attribute, used for display purposes in exclude.' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.9 NAME 'jansAttrSystemEditTyp' + DESC 'TODO - still required?' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.10 NAME 'jansAttrTyp' + DESC 'Data type of attribute. Values can be string, photo, numeric, date' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.11 NAME 'jansAttrUsgTyp' + DESC 'TODO - Usg? 
Value can be OpenID' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.12 NAME 'jansCustomMessage' + DESC 'exclude custom welcome message' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.13 NAME 'jansFaviconImage' + DESC 'TODO - Stores URL of favicon' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.14 NAME 'jansHostname' + DESC 'The hostname of the Jans Server instance' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.15 NAME 'jansIpAddr' + DESC 'IP address of the Jans Server instance' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.16 NAME 'jansLastUpd' + DESC 'Monitors last time the server was able to connect to the monitoring system.' + EQUALITY generalizedTimeMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 + ORDERING generalizedTimeOrderingMatch + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.17 NAME 'jansLogoImage' + DESC 'Logo used by exclude for default look and feel.' 
+ EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.18 NAME 'jansManagedOrganizations' + DESC 'Used to track with which organizations a person is associated' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.19 NAME 'jansManager' + DESC 'Used to specify if a person has the manager role' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.20 NAME 'jansManagerGrp' + DESC 'Used in organizatoin entry to specifies the dn of the group that has admin priviledges in exclude.' + EQUALITY distinguishedNameMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.21 NAME 'jansOptOuts' + DESC 'White pages attributes restricted by person in exclude profile management' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.22 NAME 'jansOrgProfileMgt' + DESC 'enable or disable profile management feature in exclude' + EQUALITY booleanMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.23 NAME 'jansOrgShortName' + DESC 'Short description, as few letters as possible, no spaces.' 
+ EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.24 NAME 'jansSAML1URI' + DESC 'SAML 1 uri of attribute' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.25 NAME 'jansSAML2URI' + DESC 'SAML 2 uri of attribute' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.26 NAME 'jansScimEnabled' + DESC 'exclude SCIM feature - enabled or disabled' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.27 NAME 'jansSslExpiry' + DESC 'SAML Trust Relationship configuration' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.28 NAME 'jansStatus' + DESC 'Status of the entry, used by many objectclasses' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.29 NAME 'jansThemeColor' + DESC 'exclude login page configuration' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.30 NAME 'jansUrl' + DESC 'Jans instance URL' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.31 NAME 'inum' + DESC 'XRI i-number' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + 
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.32 NAME 'memberOf' + EQUALITY distinguishedNameMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.33 NAME 'jansAmHost' + DESC 'am host' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.34 NAME 'jansClaimName' + DESC 'Used by jans in conjunction with jansttributeName to map claims to attributes in LDAP.' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.35 NAME 'jansAppTyp' + DESC 'jans App Typ' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.36 NAME 'authnTime' + DESC 'jans Authn Time' + EQUALITY generalizedTimeMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 + ORDERING generalizedTimeOrderingMatch + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.37 NAME 'authzCode' + DESC 'jans authorization code' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.38 NAME 'jansClaim' + DESC 'jans Attr Claim' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.39 NAME 'jansGrpClaims' + DESC 'jans Grp Attr Claims (true or false)' + EQUALITY booleanMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.40 NAME 'jansClntId' + DESC 'jans Clnt id' + EQUALITY 
caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.41 NAME 'clnId' + DESC 'jans Clnt id' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.42 NAME 'jansClntIdIssuedAt' + DESC 'jans Clnt Issued At' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.43 NAME 'jansClntSecret' + DESC 'jans Clnt Secret' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.44 NAME 'jansClntSecretExpAt' + DESC 'Date client expires' + EQUALITY generalizedTimeMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 + ORDERING generalizedTimeOrderingMatch + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.45 NAME 'jansClntURI' + DESC 'jans Clnt URI' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.46 NAME 'jansConfDyn' + DESC 'jans Dyn Conf' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.47 NAME 'jansConfErrors' + DESC 'jans Errors Conf' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.48 NAME 'jansConfStatic' + DESC 'jans Static Conf' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + 
attributeTypes: ( 1.3.6.1.4.1.48710.1.3.49 NAME 'jansConfWebKeys' + DESC 'jans Web Keys Conf' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.50 NAME 'jansContact' + DESC 'jans Contact' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.51 NAME 'iat' + DESC 'jans Creation' + EQUALITY generalizedTimeMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 + ORDERING generalizedTimeOrderingMatch + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.52 NAME 'jansDefAcrValues' + DESC 'jans Def Acr Values' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.53 NAME 'jansDefMaxAge' + DESC 'jans Def Max Age' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.54 NAME 'exp' + DESC 'jans Exp' + EQUALITY generalizedTimeMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 + ORDERING generalizedTimeOrderingMatch + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.55 NAME 'grtId' + DESC 'jans grant id' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.56 NAME 'jansGrantTyp' + DESC 'jans Grant Typ' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.57 NAME 'grtTyp' + DESC 'jans Grant Typ' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created 
attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.58 NAME 'jansIdTknEncRespAlg' + DESC 'jans ID Tkn Enc Resp Alg' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.59 NAME 'jansIdTknEncRespEnc' + DESC 'jans ID Tkn Enc Resp Enc' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.60 NAME 'jansIdTknSignedRespAlg' + DESC 'jans ID Tkn Signed Resp Alg' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.61 NAME 'jansInitiateLoginURI' + DESC 'jans Initiate Login URI' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.62 NAME 'jansJwksURI' + DESC 'jans JWKs URI' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.63 NAME 'jansJwks' + DESC 'jans JWKs' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.64 NAME 'jwtReq' + DESC 'jans JWT Req' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.65 NAME 'jansLogoURI' + DESC 'jans Logo URI' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.66 NAME 'nnc' + DESC 'jans nonce' + EQUALITY caseIgnoreMatch + 
SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.67 NAME 'jansSessState' + DESC 'jans Sess State' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.68 NAME 'jansPermissionGrantedMap' + DESC 'jans Permission Granted Map' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.69 NAME 'jansPersistentJWT' + DESC 'jans Persistent JWT' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.70 NAME 'jansPolicyURI' + DESC 'jans Policy URI' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.71 NAME 'jansLogoutURI' + DESC 'jans Policy URI' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.72 NAME 'jansLogoutSessRequired' + DESC 'jans Policy URI' + EQUALITY booleanMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.73 NAME 'jansPostLogoutRedirectURI' + DESC 'jans Post Logout Redirect URI' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.74 NAME 'jansRedirectURI' + DESC 'jans Redirect URI' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: 
( 1.3.6.1.4.1.48710.1.3.75 NAME 'jansRegistrationAccessTkn' + DESC 'jans Registration Access Tkn' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.76 NAME 'jansReleasedScope' + DESC 'jans released scope attribute' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.77 NAME 'jansReqObjSigAlg' + DESC 'jans Req Obj Sig Alg' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.78 NAME 'jansReqObjEncAlg' + DESC 'jans Req Obj Enc Alg' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.79 NAME 'jansReqObjEncEnc' + DESC 'jans Req Obj Enc Enc' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.80 NAME 'jansReqURI' + DESC 'jans Req URI' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.81 NAME 'jansRequireAuthTime' + DESC 'jans Require Authn Time' + EQUALITY booleanMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.82 NAME 'jansRespTyp' + DESC 'jans Resp Typ' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.83 NAME 'jansScope' + DESC 'jans Attr Scope' + EQUALITY caseIgnoreMatch + SUBSTR 
caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.84 NAME 'scp' + DESC 'jans Attr Scope' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.85 NAME 'jansScopeTyp' + DESC 'OX Attr Scope type' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.86 NAME 'jansSectorIdentifierURI' + DESC 'jans Sector Identifier URI' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.87 NAME 'jansSignedRespAlg' + DESC 'jans Signed Resp Alg' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.88 NAME 'jansSkipAuthz' + DESC 'jans skip authorization attribute' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.89 NAME 'jansSubjectTyp' + DESC 'jans Subject Typ' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.90 NAME 'tknCde' + DESC 'jans Tkn Code' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.91 NAME 'jansTknEndpointAuthMethod' + DESC 'jans Tkn Endpoint Auth Method' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' 
) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.92 NAME 'jansTknEndpointAuthSigAlg' + DESC 'jans Tkn Endpoint Auth Sig Alg' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.93 NAME 'tknTyp' + DESC 'jans Tkn Typ' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.94 NAME 'jansTosURI' + DESC 'jans TOS URI' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.95 NAME 'jansTrustedClnt' + DESC 'jans Trusted Clnt' + EQUALITY booleanMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.96 NAME 'jansUmaScope' + DESC 'URI reference of scope descriptor' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.97 NAME 'jansUsrDN' + DESC 'jans Usr DN' + EQUALITY distinguishedNameMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.98 NAME ( 'jansUsrId' 'usrId' ) + DESC 'jans user id' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.99 NAME 'jansUsrInfEncRespAlg' + DESC 'jans Usr Inf Enc Resp Alg' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.100 NAME 'jansUsrInfEncRespEnc' + DESC 'jans Usr Inf Enc Resp Enc' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + 
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.101 NAME 'jansExtraConf' + DESC 'jans additional configuration' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.102 NAME 'jansAuthMode' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.103 NAME 'acr' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.104 NAME 'jansConfCode' + DESC 'jans configuration code' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.105 NAME 'jansCreationTimestamp' + DESC 'Registration time' + EQUALITY generalizedTimeMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 + ORDERING generalizedTimeOrderingMatch + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.106 NAME 'jansExtUid' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.107 NAME 'jansOTPCache' + DESC 'Stores a used OTP to prevent a hacker from using it again. 
Complementary to jansExtUid attribute' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.108 NAME 'jansGrp' + DESC 'Usr group' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.109 NAME 'jansGuid' + DESC 'A random string to mark temporary tokens' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.110 NAME 'uuid' + DESC 'Unique identifier' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.111 NAME 'jansHost' + DESC 'jans host' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.112 NAME 'jansDbAuth' + DESC 'Custom IDP authentication configuration' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.113 NAME 'jansIconUrl' + DESC 'jans icon url' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.114 NAME 'jansId' + DESC 'Identifier' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.115 NAME 'sid' + DESC 'Sess Identifier' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created 
attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.116 NAME 'jansAsJwt' + DESC 'Boolean field to indicate whether object is used as JWT' + EQUALITY booleanMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.117 NAME 'jansJwt' + DESC 'JWT representation of the object or otherwise jwt associated with the object' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.118 NAME 'jansInvolvedClnts' + DESC 'Involved clients' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.119 NAME 'jansLastAccessTime' + DESC 'Last access time' + EQUALITY generalizedTimeMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 + ORDERING generalizedTimeOrderingMatch + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.120 NAME 'jansLastLogonTime' + DESC 'Last logon time' + EQUALITY generalizedTimeMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 + ORDERING generalizedTimeOrderingMatch + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.121 NAME 'jansLogViewerConfig' + DESC 'Log viewer configuration' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.122 NAME 'jansMultivaluedAttr' + EQUALITY booleanMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.123 NAME 'jansName' + DESC 'Name' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.124 NAME 'jansNameIdTyp' + DESC 'NameId Typ' + EQUALITY 
caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.125 NAME 'jansPolicyRule' + DESC 'Policy Rule' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.126 NAME 'jansUmaPolicyScrDn' + DESC 'OX policy script Dn' + EQUALITY distinguishedNameMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.127 NAME 'jansState' + DESC 'jansState' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.128 NAME 'jansCounter' + DESC 'jansCounter' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.129 NAME 'jansApp' + DESC 'jansApp' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.130 NAME 'jansDeviceRegistrationConf' + DESC 'jansDeviceRegistrationConf' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.131 NAME 'jansDeviceKeyHandle' + DESC 'jansDeviceKeyHandle' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.132 NAME 'jansDeviceHashCode' + DESC 'jansDeviceHashCode' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.133 NAME 'jansReq' + DESC 'jansReq' + EQUALITY caseIgnoreMatch + 
SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.134 NAME 'jansReqId' + DESC 'jansReqId' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.135 NAME 'jansDeviceData' + DESC 'jansDeviceData' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.136 NAME 'jansEnrollmentCode' + DESC 'jansEnrollmentCode' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.137 NAME 'jansPushApp' + DESC 'jansPush application DN' + EQUALITY distinguishedNameMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.138 NAME 'jansPushAppConf' + DESC 'jansPush application configuration' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.139 NAME 'jansPushDeviceConf' + DESC 'jansPush device configuration' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.140 NAME 'jansRegistrationConf' + DESC 'Registration Conf' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.141 NAME 'jansResource' + DESC 'Host path' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 
1.3.6.1.4.1.48710.1.3.142 NAME 'jansResourceSetId' + DESC 'jans resource set id' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.143 NAME 'jansRevision' + DESC 'Revision' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.144 NAME 'jansLevel' + DESC 'Level' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.145 NAME 'jansScimCustomAttr' + EQUALITY booleanMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.146 NAME 'jansScr' + DESC 'Attr that contains script (python, java script)' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.147 NAME 'jansScrDn' + DESC 'Script object DN' + EQUALITY distinguishedNameMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 + X-ORIGIN 'Gluu created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.148 NAME 'jansScrTyp' + DESC 'Attr that contains script type (e.g. 
python, java script)' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.149 NAME 'jansScrError' + DESC 'Attr that contains first error which application get during it execution' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.150 NAME 'jansSmtpConf' + DESC 'SMTP configuration' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.151 NAME 'jansSourceAttr' + DESC 'Source Attr for this Attr' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.152 NAME 'jansTicket' + DESC 'jans ticket' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.153 NAME 'jansActive' + EQUALITY booleanMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.154 NAME 'jansAddres' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.155 NAME 'jansConfApp' + DESC 'jans App Conf' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.156 NAME 'jansEmail' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.157 NAME 
'jansEntitlements' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.158 NAME 'jansExtId' + EQUALITY caseExactMatch + SUBSTR caseExactSubStringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.159 NAME 'jansImsValue' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.160 NAME 'jansMetaCreated' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.161 NAME 'jansMetaLastMod' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.162 NAME 'jansMetaLocation' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.163 NAME 'jansMetaVer' + EQUALITY caseExactMatch + SUBSTR caseExactSubStringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.164 NAME 'jansNameFormatted' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.165 NAME 'jansPhoneValue' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.166 NAME 'jansPhotos' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created 
attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.167 NAME 'jansProfileURL' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.168 NAME 'jansRole' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.169 NAME 'jansTitle' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.170 NAME 'jansUsrTyp' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.171 NAME 'jansHonorificPrefix' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.172 NAME 'jansHonorificSuffix' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.173 NAME 'jans509Certificate' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.174 NAME 'jansTyp' + DESC 'jans type' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.175 NAME 'jansUmaPermission' + DESC 'jans uma permission' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.176 NAME 'persistentId' + DESC 
'PersistentId' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Persistent ID reserved for SAML' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.177 NAME 'personInum' + DESC 'Inum of a person' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.178 NAME 'jansProgLng' + DESC 'programming language' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.179 NAME 'registrationDate' + DESC 'Registration date' + EQUALITY generalizedTimeMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 + ORDERING generalizedTimeOrderingMatch + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.180 NAME 'role' + DESC 'Role' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.181 NAME 'secretAnswer' + DESC 'Secret Answer' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.182 NAME 'secretQuestion' + DESC 'Secret Question' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.183 NAME 'jansSoftVer' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.184 NAME 'transientId' + DESC 'TransientId' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 
1.3.6.1.4.1.48710.1.3.185 NAME 'url' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.186 NAME 'urn' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.187 NAME ( 'middleName' 'excludeMiddleName' ) + DESC 'Middle name(s)' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'OpenID Connect 1.0 Standard Claim' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.188 NAME ( 'nickname' 'excludenickname' ) + DESC 'Casual name of the End-Usr' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'OpenID Connect 1.0 Standard Claim' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.189 NAME 'jansPrefUsrName' + DESC 'Shorthand Name' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'OpenID Connect 1.0 Standard Claim' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.190 NAME 'profile' + DESC 'Profile page URL of the person' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'OpenID Connect 1.0 Standard Claim' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.191 NAME ( 'picture' 'photo1' ) + DESC 'Profile picture URL of the person' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'OpenID Connect 1.0 Standard Claim' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.192 NAME 'website' + DESC 'Web page or blog URL of the person' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'OpenID Connect 1.0 Standard Claim' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.193 NAME 'emailVerified' + DESC 'True 
if the e-mail address of the person has been verified; otherwise false' + EQUALITY booleanMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 + X-ORIGIN 'OpenID Connect 1.0 Standard Claim' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.194 NAME 'gender' + DESC 'Gender of the person either female or male' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'OpenID Connect 1.0 Standard Claim' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.195 NAME 'birthdate' + DESC 'Birthday of the person, represented as an ISO 8601:2004 [ISO8601‑2004] YYYY-MM-DD format' + EQUALITY generalizedTimeMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 + ORDERING generalizedTimeOrderingMatch + X-ORIGIN 'OpenID Connect 1.0 Standard Claim' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.196 NAME ( 'zoneinfo' 'timezone' ) + DESC 'Time zone database representing the End-Usrs time zone. For example, Europe/Paris or America/Los_Angeles' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'OpenID Connect 1.0 Standard Claim' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.197 NAME ( 'locale' 'excludeLocale' ) + DESC 'Locale of the person, represented as a BCP47 [RFC5646] language tag' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'OpenID Connect 1.0 Standard Claim' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.198 NAME 'phoneNumberVerified' + DESC 'True if the phone number of the person has been verified, otherwise false' + EQUALITY booleanMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.199 NAME 'address' + DESC 'OpenID Connect formatted JSON object representing the address of the person' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'OpenID Connect 1.0 Standard Claim' ) + attributeTypes: ( 
1.3.6.1.4.1.48710.1.3.200 NAME 'updatedAt' + DESC 'Time the information of the person was last updated. Seconds from 1970-01-01T0:0:0Z' + EQUALITY generalizedTimeMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 + ORDERING generalizedTimeOrderingMatch + X-ORIGIN 'OpenID Connect 1.0 Standard Claim' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.201 NAME 'jansRegExp' + DESC 'Regular expression used to validate attribute data' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'OpenID Connect 1.0 Standard Claim' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.202 NAME 'jansTooltip' + DESC 'Custom tooltip to be shown on the UI' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'OpenID Connect 1.0 Standard Claim' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.203 NAME 'jansModuleProperty' + DESC 'Module property' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.204 NAME 'jansConfProperty' + DESC 'Conf property' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.205 NAME 'jansSessAttr' + DESC 'jansSessAttr' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.206 NAME 'jansStartDate' + DESC 'Start date' + EQUALITY generalizedTimeMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 + ORDERING generalizedTimeOrderingMatch + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.207 NAME 'jansEndDate' + DESC 'End date' + EQUALITY generalizedTimeMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 + ORDERING generalizedTimeOrderingMatch + X-ORIGIN 'Jans created attribute' ) + 
attributeTypes: ( 1.3.6.1.4.1.48710.1.3.208 NAME 'jansMetricTyp' + DESC 'Metric type' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.209 NAME 'jansData' + DESC 'OX data' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.210 NAME 'dat' + DESC 'OX data' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.211 NAME 'jansCodeChallenge' + DESC 'OX PKCE code challenge' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.212 NAME 'chlng' + DESC 'OX PKCE code challenge' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.213 NAME 'chlngMth' + DESC 'OX PKCE code challenge method' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.214 NAME 'jansSectorIdentifier' + DESC 'jans Sector Identifier' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.215 NAME 'jansPersistClntAuthzs' + DESC 'jans Persist Clnt Authzs' + EQUALITY booleanMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.216 NAME 'jansSessStateId' + DESC 'jansSessStateId' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 
1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.217 NAME 'ssnId' + DESC 'jans Sess DN' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.218 NAME 'jansPassExpDate' + DESC 'Pass Exp date, represented as an ISO 8601 (YYYY-MM-DD) format' + EQUALITY generalizedTimeMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 + ORDERING generalizedTimeOrderingMatch + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.219 NAME 'jansCountInvalidLogin' + DESC 'Invalid login attempts count' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.220 NAME 'jansIMAPData' + DESC 'This data has information about your imap connection' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.221 NAME 'jansValidation' + DESC 'This data has information about attribute Validation' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.222 NAME 'jansPPID' + DESC 'Persistent Pairwise ID for OpenID Connect' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.223 NAME 'jansSessId' + DESC 'jans Sess Id' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.224 NAME 'jansCacheConf' + DESC 'Cache configuration' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch 
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.225 NAME 'jansLogConfigLocation' + DESC 'Path to external log4j2.xml' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.226 NAME 'jansInclClaimsInIdTkn' + DESC 'jans Incl Claims In Id Tkn' + EQUALITY booleanMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.227 NAME 'jansClaimValues' + DESC 'Claim Values' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.228 NAME 'jansClaimRedirectURI' + DESC 'Claim Redirect URI' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.229 NAME 'jansAttrs' + DESC 'Attrs' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.230 NAME 'attr' + DESC 'Attrs' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.231 NAME 'jansRefreshTknLife' + DESC 'Life of refresh token' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.232 NAME 'jansPermissionGranted' + DESC 'jans Permission Granted' + EQUALITY booleanMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.233 NAME 'jansNickName' + DESC 'jansNickName' + EQUALITY caseIgnoreMatch + SUBSTR 
caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.234 NAME 'jansDeviceNotificationConf' + DESC 'Extended push notification configuration' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.235 NAME 'clms' + DESC 'jans Claims' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.236 NAME 'jansDisabled' + DESC 'Status of client' + EQUALITY booleanMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.237 NAME 'jansWebKeysSettings' + DESC 'jans Web Keys Conf' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.238 NAME 'jansScopeExpression' + DESC 'Scope expression' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.239 NAME 'jansPreferredMethod' + DESC 'Jans Casa - jansPref method to use for user authentication' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.240 NAME 'jansOTPDevices' + DESC 'Jans Casa - Json representation of OTP devices. Complementary to jansExtUid attribute' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.241 NAME 'jansMobileDevices' + DESC 'Jans Casa - Json representation of mobile devices. 
Complementary to mobile attribute' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.242 NAME 'jansdId' + DESC 'jansd Id' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.243 NAME 'jansAuthorizedOrigins' + DESC 'jans Authorized Origins' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.244 NAME 'jansStrongAuthPolicy' + DESC 'Jans Casa - 2FA Enforcement Policy for Usr' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.245 NAME 'tknBndCnf' + DESC 'jansauth - Tkn Binding Id Hash' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.246 NAME 'jansUnlinkedExternalUids' + DESC 'Jans Casa - List of unlinked social accounts (ie disabled jansExtUids)' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.247 NAME 'jansAccessTknAsJwt' + DESC 'jansauth - indicator whether to return access token as JWT' + EQUALITY booleanMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.248 NAME 'jansAccessTknSigAlg' + DESC 'jansauth - access token signing algorithm' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.249 NAME 
'jansRegistrationData' + DESC 'jansRegistrationData' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.250 NAME 'jansAuthData' + DESC 'jansAuthData' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.251 NAME 'jansPublicKeyId' + DESC 'jansPublicKeyId' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.252 NAME 'jansAccessTknLife' + DESC 'Life of access token' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.253 NAME 'jansSoftId' + DESC 'Soft Identifier' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.254 NAME 'jansSoftStatement' + DESC 'Soft Statement' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.255 NAME 'jansRptAsJwt' + DESC 'jansRptAsJwt' + EQUALITY booleanMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.256 NAME 'jansCodeChallengeHash' + DESC 'OX code challenge hash' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.257 NAME 'del' + DESC 'del' + EQUALITY booleanMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.258 NAME 'jansEnabled' + DESC 'Status of the entry, used by many 
objectclasses' + EQUALITY booleanMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.259 NAME 'jansAlias' + DESC 'jansAlias' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.260 NAME 'jansLogoPath' + DESC 'jansLogoPath' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.261 NAME 'jansFaviconPath' + DESC 'jansFaviconPath' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.262 NAME 'jansBackchannelTknDeliveryMode' + DESC 'jans Backchannel Tkn Delivery Mode' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.263 NAME 'jansBackchannelClntNotificationEndpoint' + DESC 'jans Backchannel Clnt Notification Endpoint' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.264 NAME 'jansBackchannelAuthnReqSigAlg' + DESC 'jans Backchannel Authn Req Sig Alg' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.265 NAME 'jansBackchannelUsrCodeParameter' + DESC 'jans Backchannel Usr Code Parameter' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.266 NAME 'jansBackchannelDeviceRegistrationTkn' + DESC 'jans Backchannel 
Device Registration Tkn' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.267 NAME 'jansBackchannelUsrCode' + DESC 'jans Backchannel Usr Code' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.268 NAME 'jansDocStoreConf' + DESC 'jansDocStoreConf' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + attributeTypes: ( 1.3.6.1.4.1.48710.1.3.269 NAME 'authReqId' + DESC 'Authn request id' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'Jans created attribute' ) + objectClasses: ( 1.3.6.1.4.1.48710.1.4.1 NAME 'jansPairwiseIdentifier' + SUP ( top ) + STRUCTURAL + MUST ( objectclass ) + MAY ( jansId $ jansSectorIdentifier $ jansClntId $ jansUsrId ) + X-ORIGIN 'Jans created objectclass' ) + objectClasses: ( 1.3.6.1.4.1.48710.1.4.2 NAME 'jansPerson' + SUP ( top ) + STRUCTURAL + MUST ( objectclass ) + MAY ( jansAssociatedClnt $ c $ displayName $ givenName $ jansManagedOrganizations $ jansOptOuts $ jansStatus $ inum $ mail $ memberOf $ o $ jansPersistentJWT $ jansCreationTimestamp $ jansExtUid $ jansOTPCache $ jansLastLogonTime $ jansActive $ jansAddres $ jansEmail $ jansEntitlements $ jansExtId $ jansImsValue $ jansMetaCreated $ jansMetaLastMod $ jansMetaLocation $ jansMetaVer $ jansNameFormatted $ jansPhoneValue $ jansPhotos $ jansProfileURL $ jansRole $ jansTitle $ jansUsrTyp $ jansHonorificPrefix $ jansHonorificSuffix $ jans509Certificate $ jansPassExpDate $ persistentId $ middleName $ nickname $ jansPrefUsrName $ profile $ picture $ website $ emailVerified $ gender $ birthdate $ zoneinfo $ locale $ phoneNumberVerified $ address $ updatedAt $ preferredLanguage $ 
role $ secretAnswer $ secretQuestion $ seeAlso $ sn $ cn $ transientId $ uid $ userPassword $ st $ street $ l $ jansCountInvalidLogin $ jansEnrollmentCode $ jansIMAPData $ jansPPID $ jansGuid $ jansPreferredMethod $ userCertificate $ jansOTPDevices $ jansMobileDevices $ jansStrongAuthPolicy $ jansUnlinkedExternalUids $ jansBackchannelDeviceRegistrationTkn $ jansBackchannelUsrCode ) + X-ORIGIN 'Jans created objectclass' ) + objectClasses: ( 1.3.6.1.4.1.48710.1.4.3 NAME 'jansGrp' + SUP ( top ) + STRUCTURAL + MUST ( objectclass ) + MAY ( c $ description $ displayName $ jansStatus $ inum $ member $ o $ owner $ seeAlso $ jansMetaCreated $ jansMetaLastMod $ jansMetaLocation $ jansMetaVer ) + X-ORIGIN 'Jans created objectclass' ) + objectClasses: ( 1.3.6.1.4.1.48710.1.4.4 NAME 'jansOrganization' + SUP ( top ) + STRUCTURAL + MUST ( objectclass ) + MAY ( c $ county $ description $ displayName $ jansCustomMessage $ jansFaviconImage $ jansLogoImage $ jansManager $ jansManagerGrp $ jansOrgShortName $ jansThemeColor $ inum $ l $ mail $ memberOf $ o $ jansCreationTimestamp $ jansRegistrationConf $ postalCode $ st $ street $ telephoneNumber $ title $ uid $ jansLogoPath $ jansFaviconPath ) + X-ORIGIN 'Jans created objectclass' ) + objectClasses: ( 1.3.6.1.4.1.48710.1.4.5 NAME 'jansAppConf' + SUP ( top ) + STRUCTURAL + MUST ( objectclass ) + MAY ( c $ ou $ description $ displayName $ jansHostname $ jansLastUpd $ jansManager $ jansOrgProfileMgt $ jansScimEnabled $ jansEmail $ jansSmtpConf $ jansSslExpiry $ jansStatus $ jansUrl $ inum $ o $ jansAuthMode $ jansDbAuth $ jansLogViewerConfig $ jansLogConfigLocation $ jansCacheConf $ jansDocStoreConf $ jansSoftVer $ userPassword $ jansConfDyn $ jansConfErrors $ jansConfStatic $ jansConfWebKeys $ jansWebKeysSettings $ jansConfApp $ jansRevision ) + X-ORIGIN 'Jans created objectclass' ) + objectClasses: ( 1.3.6.1.4.1.48710.1.4.6 NAME 'jansAttr' + SUP ( top ) + STRUCTURAL + MUST ( objectclass ) + MAY ( description $ displayName $ 
jansAttrEditTyp $ jansAttrName $ jansAttrOrigin $ jansAttrSystemEditTyp $ jansAttrTyp $ jansClaimName $ jansAttrUsgTyp $ jansAttrViewTyp $ jansSAML1URI $ jansSAML2URI $ jansStatus $ inum $ jansMultivaluedAttr $ jansNameIdTyp $ jansScimCustomAttr $ jansSourceAttr $ seeAlso $ urn $ jansRegExp $ jansTooltip $ jansValidation ) + X-ORIGIN 'Jans created objectclass' ) + objectClasses: ( 1.3.6.1.4.1.48710.1.4.7 NAME 'jansPassResetReq' + SUP ( top ) + STRUCTURAL + MUST ( objectclass ) + MAY ( creationDate $ jansGuid $ personInum ) + X-ORIGIN 'Jans created objectclass' ) + objectClasses: ( 1.3.6.1.4.1.48710.1.4.8 NAME 'jansEntry' + SUP ( top ) + STRUCTURAL + MUST ( objectclass ) + MAY ( displayName $ inum ) + X-ORIGIN 'Jans created objectclass' ) + objectClasses: ( 1.3.6.1.4.1.48710.1.4.9 NAME 'jansClnt' + SUP ( top ) + STRUCTURAL + MUST ( objectclass ) + MAY ( displayName $ description $ inum $ jansAppTyp $ jansClntIdIssuedAt $ jansClntSecret $ jansClntSecretExpAt $ exp $ del $ jansClntURI $ jansContact $ jansDefAcrValues $ jansDefMaxAge $ jansGrantTyp $ jansIdTknEncRespAlg $ jansIdTknEncRespEnc $ jansIdTknSignedRespAlg $ jansInitiateLoginURI $ jansJwksURI $ jansJwks $ jansLogoURI $ jansPolicyURI $ jansPostLogoutRedirectURI $ jansRedirectURI $ jansRegistrationAccessTkn $ jansReqObjSigAlg $ jansReqObjEncAlg $ jansReqObjEncEnc $ jansReqURI $ jansRequireAuthTime $ jansRespTyp $ jansScope $ jansClaim $ jansSectorIdentifierURI $ jansSignedRespAlg $ jansSubjectTyp $ jansTknEndpointAuthMethod $ jansTknEndpointAuthSigAlg $ jansTosURI $ jansTrustedClnt $ jansUsrInfEncRespAlg $ jansUsrInfEncRespEnc $ jansExtraConf $ jansClaimRedirectURI $ jansLastAccessTime $ jansLastLogonTime $ jansPersistClntAuthzs $ jansInclClaimsInIdTkn $ jansRefreshTknLife $ jansDisabled $ jansLogoutURI $ jansLogoutSessRequired $ jansdId $ jansAuthorizedOrigins $ tknBndCnf $ jansAccessTknAsJwt $ jansAccessTknSigAlg $ jansAccessTknLife $ jansSoftId $ jansSoftVer $ jansSoftStatement $ jansRptAsJwt $ jansAttrs $ 
jansBackchannelTknDeliveryMode $ jansBackchannelClntNotificationEndpoint $ jansBackchannelAuthnReqSigAlg $ jansBackchannelUsrCodeParameter ) + X-ORIGIN 'Jans created objectclass' ) + objectClasses: ( 1.3.6.1.4.1.48710.1.4.10 NAME 'jansScope' + SUP ( top ) + STRUCTURAL + MUST ( objectclass ) + MAY ( jansDefScope $ description $ displayName $ inum $ jansScopeTyp $ jansClaim $ jansScrDn $ jansGrpClaims $ jansId $ jansIconUrl $ jansUmaPolicyScrDn $ jansAttrs $ exp $ del ) + X-ORIGIN 'Jans created objectclass' ) + objectClasses: ( 1.3.6.1.4.1.48710.1.4.11 NAME 'jansSessId' + SUP ( top ) + STRUCTURAL + MUST ( objectclass ) + MAY ( jansId $ sid $ creationDate $ exp $ del $ jansLastAccessTime $ jansUsrDN $ authnTime $ jansState $ jansSessState $ jansPermissionGranted $ jansAsJwt $ jansJwt $ jansPermissionGrantedMap $ jansInvolvedClnts $ jansSessAttr ) + X-ORIGIN 'Jans created objectclass' ) + objectClasses: ( 1.3.6.1.4.1.48710.1.4.12 NAME 'jansUmaResource' + SUP ( top ) + STRUCTURAL + MUST ( objectclass ) + MAY ( displayName $ inum $ owner $ jansAssociatedClnt $ jansUmaScope $ jansFaviconImage $ jansGrp $ jansId $ jansResource $ jansRevision $ jansTyp $ jansScopeExpression $ iat $ exp $ del $ description ) + X-ORIGIN 'Jans created objectclass' ) + objectClasses: ( 1.3.6.1.4.1.48710.1.4.13 NAME 'jansUmaResourcePermission' + SUP ( top ) + STRUCTURAL + MUST ( objectclass ) + MAY ( exp $ del $ jansUmaScope $ jansConfCode $ jansResourceSetId $ jansAttrs $ jansTicket $ jansStatus ) + X-ORIGIN 'Jans created objectclass' ) + objectClasses: ( 1.3.6.1.4.1.48710.1.4.14 NAME 'jansGrant' + SUP ( top ) + STRUCTURAL + MUST ( objectclass ) + MAY ( grtId $ iat ) + X-ORIGIN 'Jans created objectclass' ) + objectClasses: ( 1.3.6.1.4.1.48710.1.4.15 NAME 'jansToken' + SUP ( top ) + STRUCTURAL + MUST ( objectclass ) + MAY ( authnTime $ authzCode $ iat $ exp $ del $ grtId $ grtTyp $ jwtReq $ nnc $ scp $ tknCde $ tknTyp $ usrId $ clnId $ acr $ uuid $ chlng $ chlngMth $ clms $ ssnId $ attr $ 
tknBndCnf ) + X-ORIGIN 'Jans created objectclass' ) + objectClasses: ( 1.3.6.1.4.1.48710.1.4.16 NAME 'jansUmaRPT' + SUP ( top ) + STRUCTURAL + MUST ( objectclass ) + MAY ( authnTime $ clnId $ iat $ exp $ del $ tknCde $ usrId $ jansUmaPermission $ uuid ) + X-ORIGIN 'Jans created objectclass' ) + objectClasses: ( 1.3.6.1.4.1.48710.1.4.17 NAME 'jansScr' + SUP ( top ) + STRUCTURAL + MUST ( objectclass ) + MAY ( inum $ jansScr $ jansScrTyp ) + X-ORIGIN 'Jans created objectclass' ) + objectClasses: ( 1.3.6.1.4.1.48710.1.4.18 NAME 'jansPushApp' + SUP ( top ) + STRUCTURAL + MUST ( objectclass ) + MAY ( displayName $ jansId $ jansName $ jansPushAppConf ) + X-ORIGIN 'Jans created objectclass' ) + objectClasses: ( 1.3.6.1.4.1.48710.1.4.19 NAME 'jansPushDevice' + SUP ( top ) + STRUCTURAL + MUST ( objectclass ) + MAY ( jansUsrId $ jansId $ jansPushApp $ jansPushDeviceConf $ jansTyp ) + X-ORIGIN 'Jans created objectclass' ) + objectClasses: ( 1.3.6.1.4.1.48710.1.4.20 NAME 'jansCustomScr' + SUP ( top ) + STRUCTURAL + MUST ( objectclass ) + MAY ( inum $ displayName $ description $ jansScr $ jansScrTyp $ jansProgLng $ jansModuleProperty $ jansConfProperty $ jansLevel $ jansRevision $ jansEnabled $ jansScrError $ jansAlias ) + X-ORIGIN 'Jans created objectclass' ) + objectClasses: ( 1.3.6.1.4.1.48710.1.4.21 NAME 'jansDeviceRegistration' + SUP ( top ) + STRUCTURAL + MUST ( objectclass ) + MAY ( jansId $ displayName $ description $ jansDeviceKeyHandle $ jansDeviceHashCode $ jansApp $ jansDeviceRegistrationConf $ jansDeviceNotificationConf $ jansNickName $ jansDeviceData $ jansCounter $ jansStatus $ del $ exp $ personInum $ creationDate $ jansLastAccessTime $ jansMetaLastMod $ jansMetaLocation $ jansMetaVer ) + X-ORIGIN 'Jans created objectclass' ) + objectClasses: ( 1.3.6.1.4.1.48710.1.4.22 NAME 'jansU2fReq' + SUP ( top ) + STRUCTURAL + MUST ( objectclass ) + MAY ( jansId $ jansReqId $ jansReq $ jansSessStateId $ del $ exp $ personInum $ creationDate ) + X-ORIGIN 'Jans created 
objectclass' ) + objectClasses: ( 1.3.6.1.4.1.48710.1.4.23 NAME 'jansMetric' + SUP ( top ) + STRUCTURAL + MUST ( objectclass ) + MAY ( uniqueIdentifier $ jansStartDate $ jansEndDate $ jansAppTyp $ jansMetricTyp $ creationDate $ del $ exp $ jansData $ jansHost ) + X-ORIGIN 'Jans created objectclass' ) + objectClasses: ( 1.3.6.1.4.1.48710.1.4.24 NAME 'jansClntAuthz' + SUP ( top ) + STRUCTURAL + MUST ( objectclass ) + MAY ( jansId $ jansClntId $ jansUsrId $ exp $ del $ jansScope ) + X-ORIGIN 'Jans created objectclass' ) + objectClasses: ( 1.3.6.1.4.1.48710.1.4.25 NAME 'jansSectorIdentifier' + SUP ( top ) + STRUCTURAL + MUST ( objectclass ) + MAY ( jansId $ description $ jansRedirectURI $ jansClntId ) + X-ORIGIN 'Jans created objectclass' ) + objectClasses: ( 1.3.6.1.4.1.48710.1.4.26 NAME 'jansUmaPCT' + SUP ( top ) + STRUCTURAL + MUST ( objectclass ) + MAY ( clnId $ iat $ exp $ del $ tknCde $ jansClaimValues ) + X-ORIGIN 'Jans created objectclass' ) + objectClasses: ( 1.3.6.1.4.1.48710.1.4.27 NAME 'jansCache' + SUP ( top ) + STRUCTURAL + MUST ( objectclass ) + MAY ( uuid $ iat $ exp $ del $ dat ) + X-ORIGIN 'Jans created objectclass' ) + objectClasses: ( 1.3.6.1.4.1.48710.1.4.28 NAME 'jansFido2AuthnEntry' + SUP ( top ) + STRUCTURAL + MUST ( objectclass ) + MAY ( jansId $ creationDate $ jansSessStateId $ jansCodeChallenge $ personInum $ jansAuthData $ jansStatus ) + X-ORIGIN 'Jans created objectclass' ) + objectClasses: ( 1.3.6.1.4.1.48710.1.4.29 NAME 'jansFido2RegistrationEntry' + SUP ( top ) + STRUCTURAL + MUST ( objectclass ) + MAY ( jansId $ creationDate $ displayName $ jansSessStateId $ jansCodeChallenge $ jansCodeChallengeHash $ jansPublicKeyId $ personInum $ jansRegistrationData $ jansDeviceNotificationConf $ jansCounter $ jansStatus ) + X-ORIGIN 'Jans created objectclass' ) + objectClasses: ( 1.3.6.1.4.1.48710.1.4.30 NAME 'jansExpiredObj' + SUP ( top ) + STRUCTURAL + MUST ( objectclass ) + MAY ( jansId $ dat $ iat $ exp $ jansTyp ) + X-ORIGIN 'Jans created 
objectclass' )
+ objectClasses: ( 1.3.6.1.4.1.48710.1.4.31 NAME 'jansRp'
+ SUP ( top )
+ STRUCTURAL
+ MUST ( objectclass )
+ MAY ( jansId $ dat )
+ X-ORIGIN 'Jans created objectclass' )
+ objectClasses: ( 1.3.6.1.4.1.48710.1.4.32 NAME 'jansCibaReq'
+ SUP ( top )
+ STRUCTURAL
+ MUST ( objectclass )
+ MAY ( authReqId $ clnId $ usrId $ creationDate $ exp $ jansStatus )
+ X-ORIGIN 'Jans created objectclass' )
+ objectClasses: ( 1.3.6.1.4.1.48710.1.4.33 NAME 'jansStatEntry'
+ SUP ( top )
+ STRUCTURAL
+ MUST ( objectclass )
+ MAY ( jansId $ dat $ attr )
+ X-ORIGIN 'Gluu created objectclass' )
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/gluu/gluu/5.0.302/charts/config/templates/user-custom-envs.yaml b/charts/gluu/gluu/5.0.302/charts/config/templates/user-custom-envs.yaml
new file mode 100644
index 000000000..251e7aaff
--- /dev/null
+++ b/charts/gluu/gluu/5.0.302/charts/config/templates/user-custom-envs.yaml
@@ -0,0 +1,65 @@
+{{ if .Values.global.usrEnvs.secret }}
+
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ .Release.Name }}-global-user-custom-envs
+ labels:
+ APP_NAME: configurator
+{{ include "config.labels" . | indent 4 }}
+{{- if .Values.additionalLabels }}
+{{ toYaml .Values.additionalLabels | indent 4 }}
+{{- end }}
+{{- if .Values.additionalAnnotations }}
+ annotations:
+{{ toYaml .Values.additionalAnnotations | indent 4 }}
+{{- end }}
+type: Opaque
+data:
+ {{- range $key, $val := .Values.global.usrEnvs.secret }}
+ {{ $key }}: {{ $val | b64enc }}
+ {{- end}}
+{{- end}}
+{{ if .Values.global.usrEnvs.normal }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ .Release.Name }}-global-user-custom-envs
+ labels:
+ APP_NAME: configurator
+{{ include "config.labels" . | indent 4 }}
+{{- if .Values.additionalLabels }}
+{{ toYaml .Values.additionalLabels | indent 4 }}
+{{- end }}
+{{- if .Values.additionalAnnotations }}
+ annotations:
+{{ toYaml .Values.additionalAnnotations | indent 4 }}
+{{- end }}
+data:
+ {{- range $key, $val := .Values.global.usrEnvs.normal }}
+ {{ $key }}: {{ $val }}
+ {{- end}}
+{{- end}}
+{{ if .Values.usrEnvs.secret }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ .Release.Name }}-{{ .Chart.Name }}-user-custom-envs
+ labels:
+ APP_NAME: configurator
+{{ include "config.labels" . | indent 4 }}
+{{- if .Values.additionalLabels }}
+{{ toYaml .Values.additionalLabels | indent 4 }}
+{{- end }}
+{{- if .Values.additionalAnnotations }}
+ annotations:
+{{ toYaml .Values.additionalAnnotations | indent 4 }}
+{{- end }}
+type: Opaque
+data:
+ {{- range $key, $val := .Values.usrEnvs.secret }}
+ {{ $key }}: {{ $val | b64enc }}
+ {{- end}}
+{{- end}}
diff --git a/charts/gluu/gluu/5.0.302/charts/config/values.yaml b/charts/gluu/gluu/5.0.302/charts/config/values.yaml
new file mode 100644
index 000000000..9b27aa1b8
--- /dev/null
+++ b/charts/gluu/gluu/5.0.302/charts/config/values.yaml
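Review bot: The ConfigMap document in user-custom-envs.yaml writes `{{ $key }}: {{ $val }}` unquoted, so a user value such as `true`, `8080`, or a string containing `: ` or ` #` is re-parsed by YAML and either fails validation (ConfigMap data must be strings) or silently changes meaning. Quote it: `{{ $key }}: {{ $val | quote }}`. The same unquoted pattern appears in `fido2.usr-envs` in charts/fido2/templates/_helpers.tpl (`value: {{ $val }}`), which should become `value: {{ $val | quote }}`. In the Secret documents here and in charts/fido2/templates/user-custom-secret-envs.yaml, `b64enc` expects a string, so a numeric entry under `usrEnvs.secret` would presumably fail at render time; `{{ $val | toString | b64enc | quote }}` covers that case.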
@@ -0,0 +1,158 @@ + +# Required environment variables for generating Gluu server initial config +# -- Add custom normal and secret envs to the service. +usrEnvs: + # -- Add custom normal envs to the service. + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service. + # variable1: value1 + secret: {} +# -- Admin password to log in to the UI. +adminPassword: Test1234# +# -- City. Used for certificate creation. +city: Austin +configmap: + # -- Jetty header size in bytes in the auth server + cnJettyRequestHeaderSize: 8192 + # -- SQL database dialect. `mysql` or `pgsql` + cnSqlDbDialect: mysql + # -- SQL database host uri. + cnSqlDbHost: my-release-mysql.default.svc.cluster.local + # -- SQL database port. + cnSqlDbPort: 3306 + # -- SQL database name. + cnSqlDbName: jans + # -- SQL database username. + cnSqlDbUser: jans + # -- SQL database timezone. + cnSqlDbTimezone: UTC + # -- SQL password injected in the secrets. + cnSqldbUserPassword: Test1234# + # -- Cache type. `NATIVE_PERSISTENCE`, `REDIS`. or `IN_MEMORY`. Defaults to `NATIVE_PERSISTENCE` . + cnCacheType: NATIVE_PERSISTENCE + # -- Client-api OAuth client admin certificate common name. This should be left to the default value client-api . + cnClientApiAdminCertCn: client-api + # -- Client-api OAuth client application certificate common name. This should be left to the default value client-api. + cnClientApiApplicationCertCn: client-api + # -- Client-api bind address. This limits what ip ranges can access the client-api. This should be left as * and controlled by a NetworkPolicy + cnClientApiBindIpAddresses: "*" + containerMetadataName: kubernetes + # -- The name of the Kubernetes ConfigMap that will hold the configuration layer + cnConfigKubernetesConfigMap: cn + # -- The prefix of couchbase buckets. This helps with separation in between different environments and allows for the same couchbase cluster to be used by different setups of Gluu. 
+ cnCouchbaseBucketPrefix: jans + # -- Couchbase certificate authority string. This must be encoded using base64. This can also be found in your couchbase UI Security > Root Certificate. In mTLS setups this is not required. + cnCouchbaseCrt: SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo= + # -- The number of replicas per index created. Please note that the number of index nodes must be one greater than the number of index replicas. That means if your couchbase cluster only has 2 index nodes you cannot place the number of replicas to be higher than 1. + cnCouchbaseIndexNumReplica: 0 + # -- Couchbase password for the restricted user config.configmap.cnCouchbaseUser that is often used inside the services. The password must contain one digit, one uppercase letter, one lower case letter and one symbol . + cnCouchbasePassword: P@ssw0rd + # -- The Couchbase super user (admin) user name. This user is used during initialization only. + cnCouchbaseSuperUser: admin + # -- Couchbase password for the super user config.configmap.cnCouchbaseSuperUser that is used during the initialization process. The password must contain one digit, one uppercase letter, one lower case letter and one symbol + cnCouchbaseSuperUserPassword: Test1234# + # -- Couchbase URL. Used only when global.cnPersistenceType is hybrid or couchbase. This should be in FQDN format for either remote or local Couchbase clusters. The address can be an internal address inside the kubernetes cluster + cnCouchbaseUrl: cbgluu.default.svc.cluster.local + # -- Couchbase restricted user. Used only when global.cnPersistenceType is hybrid or couchbase. + cnCouchbaseUser: gluu + # [google_envs] Envs related to using Google + # -- Service account with roles roles/secretmanager.admin base64 encoded string. This is used often inside the services to reach the configuration layer. Used only when global.configAdapterName and global.configSecretAdapter is set to google. 
+ cnGoogleSecretManagerServiceAccount: SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo= + # -- Project id of the google project the secret manager belongs to. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnGoogleProjectId: google-project-to-save-config-and-secrets-to + # [google_spanner_envs] Envs related to using Google Secret Manager to store config and secret layer + # -- Google Spanner ID. Used only when global.cnPersistenceType is spanner. + cnGoogleSpannerInstanceId: "" + # -- Google Spanner Database ID. Used only when global.cnPersistenceType is spanner. + cnGoogleSpannerDatabaseId: "" + # [google_spanner_envs] END + # [google_secret_manager_envs] Envs related to using Google Secret Manager to store config and secret layer + # -- Secret version to be used for secret configuration. Defaults to latest and should normally always stay that way. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnSecretGoogleSecretVersionId: "latest" + # -- Prefix for Gluu secret in Google Secret Manager. Defaults to gluu. If left gluu-secret secret will be created. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnSecretGoogleSecretNamePrefix: gluu + # -- Passphrase for Gluu secret in Google Secret Manager. This is used for encrypting and decrypting data from the Google Secret Manager. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnGoogleSecretManagerPassPhrase: Test1234# + # -- Secret version to be used for configuration. Defaults to latest and should normally always stay that way. Used only when global.configAdapterName and global.configSecretAdapter is set to google. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnConfigGoogleSecretVersionId: "latest" + # -- Prefix for Gluu configuration secret in Google Secret Manager. Defaults to gluu. 
If left intact gluu-configuration secret will be created. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnConfigGoogleSecretNamePrefix: gluu + # [google_secret_manager_envs] END + # [google_envs] END + # -- OpenDJ internal address. Leave as default. Used when `global.cnPersistenceType` is set to `ldap`. + cnLdapUrl: "opendj:1636" + # -- Value passed to Java option -XX:MaxRAMPercentage + cnMaxRamPercent: "75.0" + # -- Specify data that should be saved in LDAP (one of default, user, cache, site, token, or session; default to default). Note this environment only takes effect when `global.cnPersistenceType` is set to `hybrid`. + cnPersistenceLdapMapping: default + # -- Redis Sentinel Group. Often set when `config.configmap.cnRedisType` is set to `SENTINEL`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisSentinelGroup: "" + # -- Redis SSL truststore. Optional. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisSslTruststore: "" + # -- Redis service type. `STANDALONE` or `CLUSTER`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisType: STANDALONE + # -- Redis URL and port number :. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisUrl: "redis.redis.svc.cluster.local:6379" + # -- Boolean to use SSL in Redis. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisUseSsl: false + # -- Kubernetes secret name holding configuration keys. Used when global.configSecretAdapter is set to kubernetes which is the default. + cnSecretKubernetesSecret: cn + # -- Loadbalancer address for AWS if the FQDN is not registered. + lbAddr: "" +# -- Country code. Used for certificate creation. +countryCode: US +# -- Email address of the administrator usually. Used for certificate creation. +email: support@gluu.org +image: + # -- Image to use for deploying. 
+ repository: janssenproject/configurator + # -- Image tag to use for deploying. + tag: 1.0.0-beta.16 + # -- Image Pull Secrets + pullSecrets: [ ] +# -- LDAP admin password if OpennDJ is used for persistence. +ldapPassword: P@ssw0rds +# -- Organization name. Used for certificate creation. +orgName: Gluu +# -- Redis admin password if `config.configmap.cnCacheType` is set to `REDIS`. +redisPassword: P@assw0rd +# -- Resource specs. +resources: + limits: + # -- CPU limit. + cpu: 300m + # -- Memory limit. + memory: 300Mi + requests: + # -- CPU request. + cpu: 300m + # -- Memory request. + memory: 300Mi +# -- State code. Used for certificate creation. +state: TX +# -- Configure any additional volumes that need to be attached to the pod +volumes: [] +# -- Configure any additional volumesMounts that need to be attached to the containers +volumeMounts: [] +# -- Add custom dns policy +dnsPolicy: "" +# -- Add custom dns config +dnsConfig: {} +# -- CE to CN Migration section +migration: + # -- Boolean flag to enable migration from CE + enabled: false + # -- Directory holding all migration files + migrationDir: /ce-migration + # -- migration data-format depending on persistence backend. + # Supported data formats are ldif, couchbase+json, spanner+avro, postgresql+json, and mysql+json. + migrationDataFormat: ldif + +nameOverride: "" +fullNameOverride: "" + +# -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} +additionalLabels: { } +# -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken +additionalAnnotations: { } diff --git a/charts/gluu/gluu/5.0.302/charts/fido2/.helmignore b/charts/gluu/gluu/5.0.302/charts/fido2/.helmignore new file mode 100644 index 000000000..f0c131944 --- /dev/null +++ b/charts/gluu/gluu/5.0.302/charts/fido2/.helmignore 
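Review bot: The config chart's values.yaml ships working credentials as defaults: `adminPassword: Test1234#`, `ldapPassword: P@ssw0rds`, `redisPassword: P@assw0rd`, and under `configmap:` the keys `cnSqldbUserPassword`, `cnCouchbasePassword`, `cnCouchbaseSuperUserPassword` and `cnGoogleSecretManagerPassPhrase`. An install that does not override every one of them runs an identity provider on publicly known passwords. Default them to empty (`adminPassword: ""`) and make the consuming template fail closed, for example `{{ required "config.adminPassword must be set" .Values.adminPassword }}`; the templates that read these keys are outside this hunk, so the call sites need checking. The password-like keys nested under `configmap:` also deserve a check that they are rendered into a Secret rather than into the ConfigMap the parent key suggests.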
@@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/gluu/gluu/5.0.302/charts/fido2/Chart.yaml b/charts/gluu/gluu/5.0.302/charts/fido2/Chart.yaml new file mode 100644 index 000000000..d35a89c79 --- /dev/null +++ b/charts/gluu/gluu/5.0.302/charts/fido2/Chart.yaml @@ -0,0 +1,22 @@ +apiVersion: v2 +appVersion: 5.0.0 +description: FIDO 2.0 (FIDO2) is an open authentication standard that enables leveraging + common devices to authenticate to online services in both mobile and desktop environments. +home: https://gluu.org/docs/gluu-server/ +icon: https://gluu.org/docs/gluu-server/favicon.ico +keywords: +- fido2 +- u2f +kubeVersion: '>=v1.21.0-0' +maintainers: +- email: support@gluu.org + name: Mohammad Abudayyeh + url: https://github.com/moabu +name: fido2 +sources: +- https://gluu.org/docs/gluu-server/ +- https://github.com/JanssenProject/jans/jans-fido2 +- https://github.com/JanssenProject/jans/docker-jans-fido2 +- https://github.com/GluuFederation/flex/tree/main/flex-cn-setup/pygluu/kubernetes/templates/helm/gluu/charts/fido2 +type: application +version: 5.0.3 diff --git a/charts/gluu/gluu/5.0.302/charts/fido2/README.md b/charts/gluu/gluu/5.0.302/charts/fido2/README.md new file mode 100644 index 000000000..89637e6ef --- /dev/null +++ b/charts/gluu/gluu/5.0.302/charts/fido2/README.md 
@@ -0,0 +1,61 @@ +# fido2 + +![Version: 5.0.3](https://img.shields.io/badge/Version-5.0.3-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.0](https://img.shields.io/badge/AppVersion-5.0.0-informational?style=flat-square) + +FIDO 2.0 (FIDO2) is an open authentication standard that enables leveraging common devices to authenticate to online services in both mobile and desktop environments. + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | support@gluu.org | https://github.com/moabu | + +## Source Code + +* +* +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| additionalAnnotations | object | `{}` | Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken | +| additionalLabels | object | `{}` | Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} | +| dnsConfig | object | `{}` | Add custom dns config | +| dnsPolicy | string | `""` | Add custom dns policy | +| hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| hpa.behavior | object | `{}` | Scaling Policies | +| hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| image.pullSecrets | list | `[]` | Image Pull Secrets | +| image.repository | string | `"janssenproject/fido2"` | Image to use for deploying. | +| image.tag | string | `"1.0.0-beta.16"` | Image tag to use for deploying. 
| +| livenessProbe | object | `{"httpGet":{"path":"/jans-fido2/sys/health-check","port":"http-fido2"},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the liveness healthcheck for the fido2 if needed. | +| livenessProbe.httpGet | object | `{"path":"/jans-fido2/sys/health-check","port":"http-fido2"}` | http liveness probe endpoint | +| readinessProbe | object | `{"httpGet":{"path":"/jans-fido2/sys/health-check","port":"http-fido2"},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the readiness healthcheck for the fido2 if needed. | +| replicas | int | `1` | Service replica number. | +| resources | object | `{"limits":{"cpu":"500m","memory":"500Mi"},"requests":{"cpu":"500m","memory":"500Mi"}}` | Resource specs. | +| resources.limits.cpu | string | `"500m"` | CPU limit. | +| resources.limits.memory | string | `"500Mi"` | Memory limit. | +| resources.requests.cpu | string | `"500m"` | CPU request. | +| resources.requests.memory | string | `"500Mi"` | Memory request. | +| service.name | string | `"http-fido2"` | The name of the fido2 port within the fido2 service. Please keep it as default. | +| service.port | int | `8080` | Port of the fido2 service. Please keep it as default. 
| +| service.sessionAffinity | string | `"None"` | Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP | +| service.sessionAffinityConfig | object | `{"clientIP":{"timeoutSeconds":10800}}` | the maximum session sticky time if sessionAffinity is ClientIP | +| usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.7.0](https://github.com/norwoodj/helm-docs/releases/v1.7.0) diff --git a/charts/gluu/gluu/5.0.302/charts/fido2/templates/_helpers.tpl b/charts/gluu/gluu/5.0.302/charts/fido2/templates/_helpers.tpl new file mode 100644 index 000000000..0d9982ead --- /dev/null +++ b/charts/gluu/gluu/5.0.302/charts/fido2/templates/_helpers.tpl 
@@ -0,0 +1,68 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "fido2.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "fido2.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "fido2.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+ Common labels
+*/}}
+{{- define "fido2.labels" -}}
+app: {{ .Release.Name }}-{{ include "fido2.name" . }}
+helm.sh/chart: {{ include "fido2.chart" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end -}}
+
+{{/*
+Create user custom defined envs
+*/}}
+{{- define "fido2.usr-envs"}}
+{{- range $key, $val := .Values.usrEnvs.normal }}
+- name: {{ $key }}
+ value: {{ $val }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create user custom defined secret envs
+*/}}
+{{- define "fido2.usr-secret-envs"}}
+{{- range $key, $val := .Values.usrEnvs.secret }}
+- name: {{ $key }}
+ valueFrom:
+ secretKeyRef:
+ name: {{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs
+ key: {{ $key }}
+{{- end }}
+{{- end }}
diff --git a/charts/gluu/gluu/5.0.302/charts/fido2/templates/deployment.yml b/charts/gluu/gluu/5.0.302/charts/fido2/templates/deployment.yml new file mode 100644 index 000000000..92be60e0d --- /dev/null +++ b/charts/gluu/gluu/5.0.302/charts/fido2/templates/deployment.yml 
@@ -0,0 +1,136 @@ + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "fido2.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: fido2 +{{ include "fido2.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + replicas: {{ .Values.replicas }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "fido2.name" . }} + template: + metadata: + labels: + APP_NAME: fido2 + app: {{ .Release.Name }}-{{ include "fido2.name" . }} + {{- if .Values.global.istio.ingress }} + annotations: + sidecar.istio.io/rewriteAppHTTPProbers: "true" + {{- end }} + spec: + {{- with .Values.image.pullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + dnsPolicy: {{ .Values.dnsPolicy | quote }} + {{- with .Values.dnsConfig }} + dnsConfig: +{{ toYaml . | indent 8 }} + {{- end }} + containers: + - name: {{ include "fido2.name" . }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + image: {{ .Values.image.repository }}:{{ .Values.image.tag }} + securityContext: + runAsUser: 1000 + runAsNonRoot: true + env: + {{- include "fido2.usr-envs" . | indent 12 }} + {{- include "fido2.usr-secret-envs" . 
| indent 12 }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + command: + - /bin/sh + - -c + - | + /usr/bin/python3 /scripts/updatelbip.py & + /app/scripts/entrypoint.sh + {{- end}} + ports: + - name: {{ .Values.service.name }} + containerPort: {{ .Values.service.port }} + envFrom: + - configMapRef: + name: {{ .Release.Name }}-config-cm + {{ if .Values.global.usrEnvs.secret }} + - secretRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + {{ if .Values.global.usrEnvs.normal }} + - configMapRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + volumeMounts: + {{- with .Values.volumeMounts }} +{{- toYaml . | nindent 10 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - mountPath: {{ .Values.global.cnGoogleApplicationCredentials }} + name: google-sa + subPath: google-credentials.json + {{- end }} + + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "fido2.fullname" .}}-updatelbip + mountPath: "/scripts" + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + mountPath: "/etc/certs/couchbase.crt" + subPath: couchbase.crt + {{- end }} + {{- end }} + livenessProbe: +{{- toYaml .Values.livenessProbe | nindent 10 }} + readinessProbe: +{{- toYaml .Values.readinessProbe | nindent 10 }} + {{- if or (eq .Values.global.storageClass.provisioner "microk8s.io/hostpath" ) (eq .Values.global.storageClass.provisioner "k8s.io/minikube-hostpath") }} + resources: {} + {{- else if .Values.global.cloud.testEnviroment }} + resources: {} + 
{{- else }} + resources: +{{- toYaml .Values.resources | nindent 10 }} + {{- end }} + {{- if not .Values.global.isFqdnRegistered }} + hostAliases: + - ip: {{ .Values.global.lbIp }} + hostnames: + - {{ .Values.global.fqdn }} + {{- end }} + volumes: + {{- with .Values.volumes }} +{{- toYaml . | nindent 8 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - name: google-sa + secret: + secretName: {{ .Release.Name }}-google-sa + {{- end }} + + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + secret: + secretName: {{ .Release.Name }}-cb-crt + {{- end }} + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "fido2.fullname" . }}-updatelbip + configMap: + name: {{ .Release.Name }}-updatelbip + {{- end }} + \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.302/charts/fido2/templates/fido2-destination-rules.yaml b/charts/gluu/gluu/5.0.302/charts/fido2/templates/fido2-destination-rules.yaml new file mode 100644 index 000000000..988f1b9d7 --- /dev/null +++ b/charts/gluu/gluu/5.0.302/charts/fido2/templates/fido2-destination-rules.yaml 
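Review bot: The container `securityContext` in the fido2 Deployment sets only `runAsUser: 1000` and `runAsNonRoot: true`, leaving privilege escalation and Linux capabilities at their defaults. For an authentication service, add `allowPrivilegeEscalation: false` and `capabilities: {drop: ["ALL"]}` under the same `securityContext`, and consider `readOnlyRootFilesystem: true` if the image does not write outside its mounted volumes (not verifiable from this hunk). Separately, `replicas: {{ .Values.replicas }}` is always rendered while the chart's HPA is enabled by default, so each upgrade resets the replica count the autoscaler chose; wrapping that line in `{{- if not .Values.hpa.enabled }}` avoids the conflict.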
@@ -0,0 +1,23 @@
+{{- if .Values.global.istio.enabled }}
+
+apiVersion: networking.istio.io/v1alpha3
+kind: DestinationRule
+metadata:
+ name: {{ .Release.Name }}-fido2-mtls
+ namespace: {{.Release.Namespace}}
+ labels:
+ APP_NAME: fido2
+{{ include "fido2.labels" . | indent 4}}
+{{- if .Values.additionalLabels }}
+{{ toYaml .Values.additionalLabels | indent 4 }}
+{{- end }}
+{{- if .Values.additionalAnnotations }}
+ annotations:
+{{ toYaml .Values.additionalAnnotations | indent 4 }}
+{{- end }}
+spec:
+ host: {{ .Values.global.fido2.fido2ServiceName }}.{{ .Release.Namespace }}.svc.cluster.local
+ trafficPolicy:
+ tls:
+ mode: ISTIO_MUTUAL
+{{- end }}
\ No newline at end of file
diff --git a/charts/gluu/gluu/5.0.302/charts/fido2/templates/fido2-virtual-services.yaml b/charts/gluu/gluu/5.0.302/charts/fido2/templates/fido2-virtual-services.yaml
new file mode 100644
index 000000000..970ab7780
--- /dev/null
+++ b/charts/gluu/gluu/5.0.302/charts/fido2/templates/fido2-virtual-services.yaml
@@ -0,0 +1,36 @@
+{{- if .Values.global.istio.ingress }}
+
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+ name: {{ .Release.Name }}-istio-fido2-configuration
+ namespace: {{.Release.Namespace}}
+ labels:
+ APP_NAME: fido2
+{{ include "fido2.labels" . | indent 4}}
+{{- if .Values.additionalLabels }}
+{{ toYaml .Values.additionalLabels | indent 4 }}
+{{- end }}
+{{- if .Values.additionalAnnotations }}
+ annotations:
+{{ toYaml .Values.additionalAnnotations | indent 4 }}
+{{- end }}
+spec:
+ hosts:
+ - {{ .Values.global.fqdn }}
+ gateways:
+ - {{ .Release.Name }}-global-gtw
+ http:
+ - name: {{ .Release.Name }}-istio-fido2-configuration
+ match:
+ - uri:
+ prefix: /.well-known/fido2-configuration
+ rewrite:
+ uri: /jans-fido2/restv1/fido2/configuration
+ route:
+ - destination:
+ host: {{ .Values.global.fido2.fido2ServiceName }}.{{.Release.Namespace}}.svc.cluster.local
+ port:
+ number: 8080
+ weight: 100
+{{- end }}
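Review bot: The VirtualService in fido2-virtual-services.yaml matches with `prefix: /.well-known/fido2-configuration`, and with a prefix match Istio's `rewrite.uri` replaces only the matched prefix, so any longer path that starts with that string is forwarded with its suffix appended to `/jans-fido2/restv1/fido2/configuration`. The discovery document is a single fixed URL, so `exact: /.well-known/fido2-configuration` limits the route to that one endpoint. The destination port is also hard-coded as `number: 8080` while the Service template uses `.Values.service.port`; `number: {{ .Values.service.port }}` keeps the two in step.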
diff --git a/charts/gluu/gluu/5.0.302/charts/fido2/templates/hpa.yaml b/charts/gluu/gluu/5.0.302/charts/fido2/templates/hpa.yaml
new file mode 100644
index 000000000..a6ba23cdd
--- /dev/null
+++ b/charts/gluu/gluu/5.0.302/charts/fido2/templates/hpa.yaml
@@ -0,0 +1,38 @@
+{{ if .Values.hpa.enabled -}}
+
+apiVersion: autoscaling/v1
+kind: HorizontalPodAutoscaler
+metadata:
+ name: {{ include "fido2.fullname" . }}
+ labels:
+ APP_NAME: fido2
+{{ include "fido2.labels" . | indent 4}}
+{{- if .Values.additionalLabels }}
+{{ toYaml .Values.additionalLabels | indent 4 }}
+{{- end }}
+{{- if .Values.additionalAnnotations }}
+ annotations:
+{{ toYaml .Values.additionalAnnotations | indent 4 }}
+{{- end }}
+spec:
+ scaleTargetRef:
+ apiVersion: apps/v1
+ kind: Deployment
+ name: {{ include "fido2.fullname" . }}
+ minReplicas: {{ .Values.hpa.minReplicas }}
+ maxReplicas: {{ .Values.hpa.maxReplicas }}
+ {{- if .Values.hpa.targetCPUUtilizationPercentage }}
+ targetCPUUtilizationPercentage: {{ .Values.hpa.targetCPUUtilizationPercentage }}
+ {{- else if .Values.hpa.metrics }}
+ metrics:
+ {{- with .Values.hpa.metrics }}
+{{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- end }}
+ {{- if .Values.hpa.behavior }}
+ behavior:
+ {{- with .Values.hpa.behavior }}
+{{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/gluu/gluu/5.0.302/charts/fido2/templates/service.yml b/charts/gluu/gluu/5.0.302/charts/fido2/templates/service.yml
new file mode 100644
index 000000000..9e574093a
--- /dev/null
+++ b/charts/gluu/gluu/5.0.302/charts/fido2/templates/service.yml
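Review bot: `apiVersion: autoscaling/v1` in hpa.yaml does not define `spec.metrics` or `spec.behavior`, yet the template renders both whenever `hpa.metrics` or `hpa.behavior` is set, so those documented values produce a manifest the API server rejects or prunes. Either drop the two branches and document that only `targetCPUUtilizationPercentage` is supported, or render a v2 API, e.g. `apiVersion: {{ if .Capabilities.APIVersions.Has "autoscaling/v2" }}autoscaling/v2{{ else }}autoscaling/v2beta2{{ end }}`, and express the CPU target as a `metrics` entry of type `Resource`, since the v2 spec has no `targetCPUUtilizationPercentage` field. The HPA also omits `namespace: {{ .Release.Namespace }}`, which the Deployment and Service in this chart set.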
@@ -0,0 +1,30 @@
+
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ .Values.global.fido2.fido2ServiceName }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ APP_NAME: fido2
+{{ include "fido2.labels" . | indent 4}}
+{{- if .Values.additionalLabels }}
+{{ toYaml .Values.additionalLabels | indent 4 }}
+{{- end }}
+{{- if .Values.additionalAnnotations }}
+ annotations:
+{{ toYaml .Values.additionalAnnotations | indent 4 }}
+{{- end }}
+spec:
+ {{- if .Values.global.alb.ingress }}
+ type: NodePort
+ {{- end }}
+ ports:
+ - port: {{ .Values.service.port }}
+ name: {{ .Values.service.name }}
+ selector:
+ app: {{ .Release.Name }}-{{ include "fido2.name" . }} #fido2
+ sessionAffinity: {{ .Values.service.sessionAffinity }}
+ {{- with .Values.service.sessionAffinityConfig }}
+ sessionAffinityConfig:
+{{ toYaml . | indent 4 }}
+ {{- end }}
diff --git a/charts/gluu/gluu/5.0.302/charts/fido2/templates/user-custom-secret-envs.yaml b/charts/gluu/gluu/5.0.302/charts/fido2/templates/user-custom-secret-envs.yaml
new file mode 100644
index 000000000..8bbb81073
--- /dev/null
+++ b/charts/gluu/gluu/5.0.302/charts/fido2/templates/user-custom-secret-envs.yaml
@@ -0,0 +1,22 @@
+{{ if .Values.usrEnvs.secret }}
+
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ .Release.Name }}-{{ .Chart.Name }}-user-custom-envs
+ labels:
+ APP_NAME: fido2
+{{ include "fido2.labels" . | indent 4}}
+{{- if .Values.additionalLabels }}
+{{ toYaml .Values.additionalLabels | indent 4 }}
+{{- end }}
+{{- if .Values.additionalAnnotations }}
+ annotations:
+{{ toYaml .Values.additionalAnnotations | indent 4 }}
+{{- end }}
+type: Opaque
+data:
+ {{- range $key, $val := .Values.usrEnvs.secret }}
+ {{ $key }}: {{ $val | b64enc }}
+ {{- end}}
+{{- end}}
\ No newline at end of file
diff --git a/charts/gluu/gluu/5.0.302/charts/fido2/values.yaml b/charts/gluu/gluu/5.0.302/charts/fido2/values.yaml
new file mode 100644
index 000000000..c53add559
--- /dev/null
+++ b/charts/gluu/gluu/5.0.302/charts/fido2/values.yaml
@@ -0,0 +1,85 @@ + +# -- FIDO 2.0 (FIDO2) is an open authentication standard that enables leveraging common devices to authenticate to online services in both mobile and desktop environments. + +# -- Configure the HorizontalPodAutoscaler +hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} +# -- Add custom normal and secret envs to the service +usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} +# -- Add custom dns policy +dnsPolicy: "" +# -- Add custom dns config +dnsConfig: {} +image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: janssenproject/fido2 + # -- Image tag to use for deploying. + tag: 1.0.0-beta.16 + # -- Image Pull Secrets + pullSecrets: [ ] +# -- Service replica number. +replicas: 1 +# -- Resource specs. +resources: + limits: + # -- CPU limit. + cpu: 500m + # -- Memory limit. + memory: 500Mi + requests: + # -- CPU request. + cpu: 500m + # -- Memory request. + memory: 500Mi +service: + # -- The name of the fido2 port within the fido2 service. Please keep it as default. + name: http-fido2 + # -- Port of the fido2 service. Please keep it as default. + port: 8080 + # -- Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP + sessionAffinity: None + # -- the maximum session sticky time if sessionAffinity is ClientIP + sessionAffinityConfig: + clientIP: + timeoutSeconds: 10800 +# -- Configure the liveness healthcheck for the fido2 if needed. 
+livenessProbe: + # -- http liveness probe endpoint + httpGet: + path: /jans-fido2/sys/health-check + port: http-fido2 + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 +# -- Configure the readiness healthcheck for the fido2 if needed. +readinessProbe: + httpGet: + path: /jans-fido2/sys/health-check + port: http-fido2 + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 +# -- Configure any additional volumes that need to be attached to the pod +volumes: [] +# -- Configure any additional volumesMounts that need to be attached to the containers +volumeMounts: [] + +# -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} +additionalLabels: { } +# -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken +additionalAnnotations: { } diff --git a/charts/gluu/gluu/5.0.302/charts/nginx-ingress/.helmignore b/charts/gluu/gluu/5.0.302/charts/nginx-ingress/.helmignore new file mode 100644 index 000000000..f0c131944 --- /dev/null +++ b/charts/gluu/gluu/5.0.302/charts/nginx-ingress/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/gluu/gluu/5.0.302/charts/nginx-ingress/Chart.yaml b/charts/gluu/gluu/5.0.302/charts/nginx-ingress/Chart.yaml new file mode 100644 index 000000000..157520fd8 --- /dev/null +++ b/charts/gluu/gluu/5.0.302/charts/nginx-ingress/Chart.yaml 
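Review bot: `image.tag: 1.0.0-beta.16` together with `pullPolicy: IfNotPresent` identifies the fido2 image only by a mutable tag, so different nodes can end up running different content under the same tag, and a re-pushed tag is not picked up or detected. For a component that handles authentication it is worth documenting how to pin by digest; the deployment template is outside this hunk, so whether it accepts a digest form is not visible here. At minimum the comment could read `# -- Image tag to use for deploying. Tags are mutable; pin an image digest for production installs.` The default is also a beta build, which deserves a line in the chart README.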
@@ -0,0 +1,20 @@
+apiVersion: v2
+appVersion: 5.0.0
+description: Nginx ingress definitions chart
+home: https://gluu.org/docs/gluu-server
+icon: https://gluu.org/docs/gluu-server/favicon.ico
+keywords:
+- nginx
+- ingress
+kubeVersion: '>=v1.21.0-0'
+maintainers:
+- email: support@gluu.org
+ name: Mohammad Abudayyeh
+ url: https://github.com/moabu
+name: nginx-ingress
+sources:
+- https://github.com/kubernetes/ingress-nginx
+- https://kubernetes.io/docs/concepts/services-networking/ingress/
+- https://github.com/GluuFederation/flex/tree/main/flex-cn-setup/pygluu/kubernetes/templates/helm/gluu/charts/nginx-ingress
+type: application
+version: 5.0.3
diff --git a/charts/gluu/gluu/5.0.302/charts/nginx-ingress/README.md b/charts/gluu/gluu/5.0.302/charts/nginx-ingress/README.md
new file mode 100644
index 000000000..b22715480
--- /dev/null
+++ b/charts/gluu/gluu/5.0.302/charts/nginx-ingress/README.md
@@ -0,0 +1,73 @@ +# nginx-ingress + +![Version: 5.0.3](https://img.shields.io/badge/Version-5.0.3-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.0](https://img.shields.io/badge/AppVersion-5.0.0-informational?style=flat-square) + +Nginx ingress definitions chart + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | support@gluu.org | https://github.com/moabu | + +## Source Code + +* +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| fullnameOverride | string | `""` | | +| ingress | object | `{"additionalAnnotations":{"kubernetes.io/ingress.class":"nginx"},"additionalLabels":{},"authServerAdditionalAnnotations":{},"authServerEnabled":true,"authServerLabels":{},"deviceCodeAdditionalAnnotations":{},"deviceCodeEnabled":true,"deviceCodeLabels":{},"enabled":true,"fido2ConfigAdditionalAnnotations":{},"fido2ConfigEnabled":false,"fido2ConfigLabels":{},"fido2Enabled":false,"fido2Labels":{},"firebaseMessagingAdditionalAnnotations":{},"firebaseMessagingEnabled":true,"firebaseMessagingLabels":{},"hosts":["demoexample.gluu.org"],"legacy":false,"openidAdditionalAnnotations":{},"openidConfigEnabled":true,"openidConfigLabels":{},"path":"/","scimAdditionalAnnotations":{},"scimConfigAdditionalAnnotations":{},"scimConfigEnabled":false,"scimConfigLabels":{},"scimEnabled":false,"scimLabels":{},"tls":[{"hosts":["demoexample.gluu.org"],"secretName":"tls-certificate"}],"u2fAdditionalAnnotations":{},"u2fConfigEnabled":true,"u2fConfigLabels":{},"uma2AdditionalAnnotations":{},"uma2ConfigEnabled":true,"uma2ConfigLabels":{},"webdiscoveryAdditionalAnnotations":{},"webdiscoveryEnabled":true,"webdiscoveryLabels":{},"webfingerAdditionalAnnotations":{},"webfingerEnabled":true,"webfingerLabels":{}}` | Nginx ingress definitions chart | +| 
ingress.additionalAnnotations | object | `{"kubernetes.io/ingress.class":"nginx"}` | Additional annotations that will be added across all ingress definitions in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken Enable client certificate authentication nginx.ingress.kubernetes.io/auth-tls-verify-client: "optional" Create the secret containing the trusted ca certificates nginx.ingress.kubernetes.io/auth-tls-secret: "gluu/tls-certificate" Specify the verification depth in the client certificates chain nginx.ingress.kubernetes.io/auth-tls-verify-depth: "1" Specify if certificates are passed to upstream server nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "true" | +| ingress.additionalAnnotations."kubernetes.io/ingress.class" | string | `"nginx"` | Required annotation below. Use kubernetes.io/ingress.class: "public" for microk8s. | +| ingress.additionalLabels | object | `{}` | Additional labels that will be added across all ingress definitions in the format of {mylabel: "myapp"} | +| ingress.authServerAdditionalAnnotations | object | `{}` | Auth server ingress resource additional annotations. | +| ingress.authServerEnabled | bool | `true` | Enable Auth server endpoints /oxauth | +| ingress.authServerLabels | object | `{}` | Auth server config ingress resource labels. key app is taken | +| ingress.deviceCodeAdditionalAnnotations | object | `{}` | device-code ingress resource additional annotations. | +| ingress.deviceCodeEnabled | bool | `true` | Enable endpoint /device-code | +| ingress.deviceCodeLabels | object | `{}` | device-code ingress resource labels. key app is taken | +| ingress.fido2ConfigAdditionalAnnotations | object | `{}` | fido2 config ingress resource additional annotations. | +| ingress.fido2ConfigEnabled | bool | `false` | Enable endpoint /.well-known/fido2-configuration | +| ingress.fido2ConfigLabels | object | `{}` | fido2 config ingress resource labels. 
key app is taken | +| ingress.fido2Enabled | bool | `false` | Enable all fido2 endpoints | +| ingress.fido2Labels | object | `{}` | fido2 ingress resource labels. key app is taken | +| ingress.firebaseMessagingAdditionalAnnotations | object | `{}` | Firebase Messaging ingress resource additional annotations. | +| ingress.firebaseMessagingEnabled | bool | `true` | Enable endpoint /firebase-messaging-sw.js | +| ingress.firebaseMessagingLabels | object | `{}` | Firebase Messaging ingress resource labels. key app is taken | +| ingress.legacy | bool | `false` | Enable use of legacy API version networking.k8s.io/v1beta1 to support kubernetes 1.18. This flag should be removed next version release along with nginx-ingress/templates/ingress-legacy.yaml. | +| ingress.openidAdditionalAnnotations | object | `{}` | openid-configuration ingress resource additional annotations. | +| ingress.openidConfigEnabled | bool | `true` | Enable endpoint /.well-known/openid-configuration | +| ingress.openidConfigLabels | object | `{}` | openid-configuration ingress resource labels. key app is taken | +| ingress.scimAdditionalAnnotations | object | `{}` | SCIM ingress resource additional annotations. | +| ingress.scimConfigAdditionalAnnotations | object | `{}` | SCIM config ingress resource additional annotations. | +| ingress.scimConfigEnabled | bool | `false` | Enable endpoint /.well-known/scim-configuration | +| ingress.scimConfigLabels | object | `{}` | webdiscovery ingress resource labels. key app is taken | +| ingress.scimEnabled | bool | `false` | Enable SCIM endpoints /scim | +| ingress.scimLabels | object | `{}` | scim config ingress resource labels. key app is taken | +| ingress.u2fAdditionalAnnotations | object | `{}` | u2f config ingress resource additional annotations. | +| ingress.u2fConfigEnabled | bool | `true` | Enable endpoint /.well-known/fido-configuration | +| ingress.u2fConfigLabels | object | `{}` | u2f config ingress resource labels. 
key app is taken | +| ingress.uma2AdditionalAnnotations | object | `{}` | uma2 config ingress resource additional annotations. | +| ingress.uma2ConfigEnabled | bool | `true` | Enable endpoint /.well-known/uma2-configuration | +| ingress.uma2ConfigLabels | object | `{}` | uma 2 config ingress resource labels. key app is taken | +| ingress.webdiscoveryAdditionalAnnotations | object | `{}` | webdiscovery ingress resource additional annotations. | +| ingress.webdiscoveryEnabled | bool | `true` | Enable endpoint /.well-known/simple-web-discovery | +| ingress.webdiscoveryLabels | object | `{}` | webdiscovery ingress resource labels. key app is taken | +| ingress.webfingerAdditionalAnnotations | object | `{}` | webfinger ingress resource additional annotations. | +| ingress.webfingerEnabled | bool | `true` | Enable endpoint /.well-known/webfinger | +| ingress.webfingerLabels | object | `{}` | webfinger ingress resource labels. key app is taken | +| nameOverride | string | `""` | | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.7.0](https://github.com/norwoodj/helm-docs/releases/v1.7.0) diff --git a/charts/gluu/gluu/5.0.302/charts/nginx-ingress/templates/_helpers.tpl b/charts/gluu/gluu/5.0.302/charts/nginx-ingress/templates/_helpers.tpl new file mode 100644 index 000000000..7b3845569 --- /dev/null +++ b/charts/gluu/gluu/5.0.302/charts/nginx-ingress/templates/_helpers.tpl 
@@ -0,0 +1,32 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "nginx-ingress.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "nginx-ingress.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "nginx-ingress.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
diff --git a/charts/gluu/gluu/5.0.302/charts/nginx-ingress/templates/admin-ui-ingress.yaml b/charts/gluu/gluu/5.0.302/charts/nginx-ingress/templates/admin-ui-ingress.yaml
new file mode 100644
index 000000000..d0e040b3f
--- /dev/null
+++ b/charts/gluu/gluu/5.0.302/charts/nginx-ingress/templates/admin-ui-ingress.yaml
@@ -0,0 +1,55 @@
+{{ if .Values.ingress.adminUiEnabled -}}
+{{ $fullName := include "nginx-ingress.fullname" . -}}
+{{- $ingressPath := .Values.ingress.path -}}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: {{ $fullName }}-admin-ui
+ labels:
+ app: {{ $fullName }}-admin-ui
+{{- if .Values.ingress.additionalLabels }}
+{{ toYaml .Values.ingress.additionalLabels | indent 4 }}
+{{- end }}
+{{- if .Values.ingress.adminUiLabels }}
+{{ toYaml .Values.ingress.adminUiLabels | indent 4 }}
+{{- end }}
+ annotations:
+ kubernetes.io/ingress.class: nginx
+ nginx.ingress.kubernetes.io/rewrite-target: /$2
+ nginx.ingress.kubernetes.io/ssl-redirect: "false"
+ nginx.ingress.kubernetes.io/use-regex: "true"
+ nginx.ingress.kubernetes.io/proxy-read-timeout: "300"
+{{- if .Values.ingress.adminUiAdditionalAnnotations }}
+{{ toYaml .Values.ingress.adminUiAdditionalAnnotations | indent 4 }}
+{{- end }}
+{{- if .Values.ingress.additionalAnnotations }}
+{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }}
+{{- end }}
+spec:
+{{- if .Values.ingress.tls }}
+ tls:
+ {{- range .Values.ingress.tls }}
+ - hosts:
+ {{- range .hosts }}
+ - {{ . | quote }}
+ {{- end }}
+ secretName: {{ .secretName }}
+ {{- end }}
+{{- end }}
+ rules:
+ {{- range .Values.ingress.hosts }}
+ {{- $host := . -}}
+ {{- with $ }}
+ - host: {{ $host | quote }}
+ http:
+ paths:
+ - path: /admin(|$)(.*)
+ pathType: Prefix
+ backend:
+ service:
+ name: {{ index .Values "global" "admin-ui" "adminUiServiceName" }}
+ port:
+ number: 8080
+ {{- end }}
+ {{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/gluu/gluu/5.0.302/charts/nginx-ingress/templates/auth-server-protected-ingress.yaml b/charts/gluu/gluu/5.0.302/charts/nginx-ingress/templates/auth-server-protected-ingress.yaml
new file mode 100644
index 000000000..522c75418
--- /dev/null
+++ b/charts/gluu/gluu/5.0.302/charts/nginx-ingress/templates/auth-server-protected-ingress.yaml
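Review bot: The admin UI ingress hard-codes `nginx.ingress.kubernetes.io/ssl-redirect: "false"`, so even when `ingress.tls` is configured the administrative console stays reachable over plain HTTP and sessions or credentials can cross the network unencrypted. I would drop the annotation or default it to `"true"` and let operators opt out through `adminUiAdditionalAnnotations`; the visible part of ingress.yaml repeats the same annotation on its sections. Separately, `path: /admin(|$)(.*)` is a regular expression declared with `pathType: Prefix`; regex paths are normally declared as `pathType: ImplementationSpecific`, and controllers that validate path types strictly may reject this rule. `$ingressPath` is assigned on the third line but never used.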
@@ -0,0 +1,115 @@ +{{ if .Values.ingress.authServerProtectedToken -}} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-auth-server-protected-token + labels: + app: {{ $fullName }}-auth-server-protected-token +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.authServerProtectedTokenLabels }} +{{ toYaml .Values.ingress.authServerProtectedTokenLabels | indent 4 }} +{{- end }} + annotations: + kubernetes.io/ingress.class: "nginx" + nginx.org/ssl-services: "auth-server" + nginx.ingress.kubernetes.io/proxy-next-upstream: "error timeout invalid_header http_500 http_502 http_503 http_504" +{{- if .Values.ingress.authServerProtectedTokenAdditionalAnnotations }} +{{ toYaml .Values.ingress.authServerProtectedTokenAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} + nginx.ingress.kubernetes.io/configuration-snippet: | + if ($ssl_client_verify != SUCCESS) {return 403;} + proxy_set_header X-ClientCert $ssl_client_escaped_cert; +spec: +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /jans-auth/restv1/token + pathType: Exact + backend: + service: + name: {{ index .Values "global" "auth-server" "authServerServiceName" }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + +--- + +{{ if .Values.ingress.authServerProtectedRegister -}} +{{ $fullName := include "nginx-ingress.fullname" . 
-}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-auth-server-protected-register + labels: + app: {{ $fullName }}-auth-server-protected-register +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.authServerProtectedRegisterLabels }} +{{ toYaml .Values.ingress.authServerProtectedRegisterLabels | indent 4 }} +{{- end }} + annotations: + kubernetes.io/ingress.class: "nginx" + nginx.org/ssl-services: "auth-server" + nginx.ingress.kubernetes.io/proxy-next-upstream: "error timeout invalid_header http_500 http_502 http_503 http_504" +{{- if .Values.ingress.authServerProtectedRegisterAdditionalAnnotations }} +{{ toYaml .Values.ingress.authServerProtectedRegisterAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} + nginx.ingress.kubernetes.io/configuration-snippet: | + if ($ssl_client_verify != SUCCESS) {return 403;} + proxy_set_header X-ClientCert $ssl_client_escaped_cert; +spec: +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /jans-auth/restv1/register + pathType: Exact + backend: + service: + name: {{ index .Values "global" "auth-server" "authServerServiceName" }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} diff --git a/charts/gluu/gluu/5.0.302/charts/nginx-ingress/templates/casa-ingress.yaml b/charts/gluu/gluu/5.0.302/charts/nginx-ingress/templates/casa-ingress.yaml new file mode 100644 index 000000000..a0ba1c5c1 --- /dev/null 
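Review bot: Both protected ingresses in auth-server-protected-ingress.yaml enforce the client certificate only through the `configuration-snippet` line `if ($ssl_client_verify != SUCCESS) {return 403;}`, and nothing in the template sets `nginx.ingress.kubernetes.io/auth-tls-verify-client` or `nginx.ingress.kubernetes.io/auth-tls-secret`, which the README describes only as optional entries for `additionalAnnotations`. If the controller is configured not to honour snippet annotations, the guard would presumably be dropped and `/jans-auth/restv1/token` and `/jans-auth/restv1/register` would be served without the check, so the chart should either set the auth-tls annotations itself when `authServerProtectedToken` or `authServerProtectedRegister` is enabled or state the controller requirement next to those flags. The backend receives the certificate in `X-ClientCert`, so any other ingress routing to the same service should clear a client-supplied `X-ClientCert` header; whether it does is not visible in this hunk. The two enabling flags are also missing from the README values table.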
+++ b/charts/gluu/gluu/5.0.302/charts/nginx-ingress/templates/casa-ingress.yaml @@ -0,0 +1,54 @@ +{{ if .Values.ingress.casaEnabled -}} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-casa + labels: + app: {{ $fullName }}-casa +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.casaLabels }} +{{ toYaml .Values.ingress.casaLabels | indent 4 }} +{{- end }} + annotations: + nginx.ingress.kubernetes.io/affinity: cookie + nginx.ingress.kubernetes.io/session-cookie-hash: sha1 + nginx.ingress.kubernetes.io/session-cookie-name: route + nginx.ingress.kubernetes.io/proxy-next-upstream: "error timeout invalid_header http_500 http_502 http_503 http_504" +{{- if .Values.ingress.casaAdditionalAnnotations }} +{{ toYaml .Values.ingress.casaAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /casa + pathType: Prefix + backend: + service: + name: {{ .Values.global.casa.casaServiceName }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.302/charts/nginx-ingress/templates/ingress.yaml b/charts/gluu/gluu/5.0.302/charts/nginx-ingress/templates/ingress.yaml new file mode 100644 index 000000000..894ccedf8 --- /dev/null +++ b/charts/gluu/gluu/5.0.302/charts/nginx-ingress/templates/ingress.yaml 
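Review bot: The casa ingress does not set an ingress class itself, while the admin-ui and auth-server-protected templates hard-code `kubernetes.io/ingress.class`, so casa is only picked up by the controller as long as `ingress.additionalAnnotations` still carries the class. Since these resources are `networking.k8s.io/v1`, setting `ingressClassName: nginx` under `spec:` from one shared value would make all templates agree and replaces the deprecated annotation. `nginx.ingress.kubernetes.io/session-cookie-hash: sha1` is, to my knowledge, no longer read by current ingress-nginx releases and could be removed after checking the supported controller versions. `$ingressPath` is assigned but unused here as well.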
@@ -0,0 +1,687 @@ +{{ if .Values.ingress.openidConfigEnabled -}} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-openid-config + labels: + app: {{ $fullName }}-openid-config +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.openidConfigLabels }} +{{ toYaml .Values.ingress.openidConfigLabels | indent 4 }} +{{- end }} + annotations: + kubernetes.io/ingress.class: nginx + nginx.ingress.kubernetes.io/ssl-redirect: "false" + nginx.ingress.kubernetes.io/proxy-read-timeout: "300" + nginx.ingress.kubernetes.io/configuration-snippet: "rewrite /.well-known/openid-configuration /jans-auth/.well-known/openid-configuration$1 break;" + nginx.ingress.kubernetes.io/rewrite-target: /jans-auth/.well-known/openid-configuration +{{- if .Values.ingress.openidAdditionalAnnotations }} +{{ toYaml .Values.ingress.openidAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /.well-known/openid-configuration + pathType: Exact + backend: + service: + name: {{ index .Values "global" "auth-server" "authServerServiceName" }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + +--- + +{{ if .Values.ingress.deviceCodeEnabled -}} +{{ $fullName := include "nginx-ingress.fullname" . 
-}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-device-code + labels: + app: {{ $fullName }}-device-code +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.deviceCodeLabels }} +{{ toYaml .Values.ingress.deviceCodeLabels | indent 4 }} +{{- end }} + annotations: + kubernetes.io/ingress.class: nginx + nginx.ingress.kubernetes.io/ssl-redirect: "false" + nginx.ingress.kubernetes.io/proxy-read-timeout: "300" + nginx.ingress.kubernetes.io/configuration-snippet: "rewrite /device-code /jans-auth/device_authorization.htm$1 break;" + nginx.ingress.kubernetes.io/rewrite-target: /jans-auth/device_authorization.htm +{{- if .Values.ingress.deviceCodeAdditionalAnnotations }} +{{ toYaml .Values.ingress.deviceCodeAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /device-code + pathType: Exact + backend: + service: + name: {{ index .Values "global" "auth-server" "authServerServiceName" }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + +--- + +{{ if .Values.ingress.firebaseMessagingEnabled -}} +{{ $fullName := include "nginx-ingress.fullname" . 
-}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-firebase-messaging + labels: + app: {{ $fullName }}-firebase-messaging +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.firebaseMessagingLabels }} +{{ toYaml .Values.ingress.firebaseMessagingLabels | indent 4 }} +{{- end }} + annotations: + kubernetes.io/ingress.class: nginx + nginx.ingress.kubernetes.io/ssl-redirect: "false" + nginx.ingress.kubernetes.io/proxy-read-timeout: "300" + nginx.ingress.kubernetes.io/configuration-snippet: "rewrite /firebase-messaging-sw.js /jans-auth/firebase-messaging-sw.js$1 break;" + nginx.ingress.kubernetes.io/rewrite-target: /jans-auth/firebase-messaging-sw.js +{{- if .Values.ingress.firebaseMessagingAdditionalAnnotations }} +{{ toYaml .Values.ingress.firebaseMessagingAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /firebase-messaging-sw.js + pathType: Exact + backend: + service: + name: {{ index .Values "global" "auth-server" "authServerServiceName" }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + +--- +{{ if .Values.ingress.uma2ConfigEnabled -}} +{{ $fullName := include "nginx-ingress.fullname" . 
-}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-uma2-config + labels: + app: {{ $fullName }}-uma2-config +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.uma2ConfigLabels }} +{{ toYaml .Values.ingress.uma2ConfigLabels | indent 4 }} +{{- end }} + annotations: + kubernetes.io/ingress.class: nginx + nginx.ingress.kubernetes.io/ssl-redirect: "false" + nginx.ingress.kubernetes.io/proxy-read-timeout: "300" + nginx.ingress.kubernetes.io/configuration-snippet: "rewrite /.well-known/uma2-configuration /jans-auth/restv1/uma2-configuration$1 break;" + nginx.ingress.kubernetes.io/rewrite-target: /jans-auth/restv1/uma2-configuration +{{- if .Values.ingress.uma2AdditionalAnnotations }} +{{ toYaml .Values.ingress.uma2AdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /.well-known/uma2-configuration + pathType: Exact + backend: + service: + name: {{ index .Values "global" "auth-server" "authServerServiceName" }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + +--- + +{{ if .Values.ingress.webfingerEnabled -}} +{{ $fullName := include "nginx-ingress.fullname" . 
-}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-webfinger + labels: + app: {{ $fullName }}-webfinger +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.webfingerLabels }} +{{ toYaml .Values.ingress.webfingerLabels | indent 4 }} +{{- end }} + annotations: + kubernetes.io/ingress.class: nginx + nginx.ingress.kubernetes.io/ssl-redirect: "false" + nginx.ingress.kubernetes.io/proxy-read-timeout: "300" + nginx.ingress.kubernetes.io/configuration-snippet: "rewrite /.well-known/webfinger /jans-auth/.well-known/webfinger$1 break;" + nginx.ingress.kubernetes.io/rewrite-target: /jans-auth/.well-known/webfinger +{{- if .Values.ingress.webfingerAdditionalAnnotations }} +{{ toYaml .Values.ingress.webfingerAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /.well-known/webfinger + pathType: Exact + backend: + service: + name: {{ index .Values "global" "auth-server" "authServerServiceName" }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + +--- + +{{ if .Values.ingress.webdiscoveryEnabled -}} +{{ $fullName := include "nginx-ingress.fullname" . 
-}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-webdiscovery + labels: + app: {{ $fullName }}-webdiscovery +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.webdiscoveryLabels }} +{{ toYaml .Values.ingress.webdiscoveryLabels | indent 4 }} +{{- end }} + annotations: + kubernetes.io/ingress.class: nginx + nginx.ingress.kubernetes.io/ssl-redirect: "false" + nginx.ingress.kubernetes.io/proxy-read-timeout: "300" + nginx.ingress.kubernetes.io/configuration-snippet: "rewrite /.well-known/simple-web-discovery /jans-auth/.well-known/simple-web-discovery$1 break;" + nginx.ingress.kubernetes.io/rewrite-target: /jans-auth/.well-known/simple-web-discovery +{{- if .Values.ingress.webdiscoveryAdditionalAnnotations }} +{{ toYaml .Values.ingress.webdiscoveryAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /.well-known/simple-web-discovery + pathType: Exact + backend: + service: + name: {{ index .Values "global" "auth-server" "authServerServiceName" }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + +--- + +{{ if .Values.ingress.scimConfigEnabled -}} +{{ $fullName := include "nginx-ingress.fullname" . 
-}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-scim-config + labels: + app: {{ $fullName }}-scim-config +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.scimConfigLabels }} +{{ toYaml .Values.ingress.scimConfigLabels | indent 4 }} +{{- end }} + annotations: + kubernetes.io/ingress.class: nginx + nginx.ingress.kubernetes.io/ssl-redirect: "false" + nginx.ingress.kubernetes.io/proxy-read-timeout: "300" + nginx.ingress.kubernetes.io/configuration-snippet: "rewrite /.well-known/scim-configuration /jans-scim/restv1/scim-configuration$1 break;" + nginx.ingress.kubernetes.io/rewrite-target: /jans-scim/restv1/scim-configuration +{{- if .Values.ingress.scimConfigAdditionalAnnotations }} +{{ toYaml .Values.ingress.scimConfigAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /.well-known/scim-configuration + pathType: Exact + backend: + service: + name: {{ .Values.global.scim.scimServiceName }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + +--- + +{{ if .Values.ingress.scimEnabled -}} +{{ $fullName := include "nginx-ingress.fullname" . 
-}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-scim + labels: + app: {{ $fullName }}-scim +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.scimLabels }} +{{ toYaml .Values.ingress.scimLabels | indent 4 }} +{{- end }} + annotations: + kubernetes.io/ingress.class: "nginx" + nginx.org/ssl-services: "scim" + nginx.ingress.kubernetes.io/proxy-next-upstream: "error timeout invalid_header http_500 http_502 http_503 http_504" +{{- if .Values.ingress.scimAdditionalAnnotations }} +{{ toYaml .Values.ingress.scimAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /jans-scim + pathType: Prefix + backend: + service: + name: {{ .Values.global.scim.scimServiceName }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + +--- + +{{ if .Values.ingress.configApiEnabled -}} +{{ $fullName := include "nginx-ingress.fullname" . 
-}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-config-api + labels: + app: {{ $fullName }}-config-api +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.configApiLabels }} +{{ toYaml .Values.ingress.configApiLabels | indent 4 }} +{{- end }} + annotations: + kubernetes.io/ingress.class: "nginx" + nginx.org/ssl-services: "configapi" + nginx.ingress.kubernetes.io/proxy-next-upstream: "error timeout invalid_header http_500 http_502 http_503 http_504" +{{- if .Values.ingress.configApiAdditionalAnnotations }} +{{ toYaml .Values.ingress.configApiAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /jans-config-api + pathType: Prefix + backend: + service: + name: {{ index .Values "global" "config-api" "configApiServerServiceName" }} + port: + number: 8074 + {{- end }} + {{- end }} +{{- end }} + +--- + +{{ if .Values.ingress.u2fConfigEnabled -}} +{{ $fullName := include "nginx-ingress.fullname" . 
-}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-u2f-config + labels: + app: {{ $fullName }}-u2f-config +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.u2fConfigLabels }} +{{ toYaml .Values.ingress.u2fConfigLabels | indent 4 }} +{{- end }} + annotations: + kubernetes.io/ingress.class: nginx + nginx.ingress.kubernetes.io/ssl-redirect: "false" + nginx.ingress.kubernetes.io/proxy-read-timeout: "300" + nginx.ingress.kubernetes.io/configuration-snippet: "rewrite /.well-known/fido-configuration /jans-auth/restv1/fido-configuration$1 break;" + nginx.ingress.kubernetes.io/rewrite-target: /jans-auth/restv1/fido-configuration +{{- if .Values.ingress.u2fAdditionalAnnotations }} +{{ toYaml .Values.ingress.u2fAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /.well-known/fido-configuration + pathType: Exact + backend: + service: + name: {{ index .Values "global" "auth-server" "authServerServiceName" }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + +--- + +{{ if .Values.ingress.fido2ConfigEnabled -}} +{{ $fullName := include "nginx-ingress.fullname" . 
-}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-fido2-configuration + labels: + app: {{ $fullName }}-fido2 +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.fido2ConfigLabels }} +{{ toYaml .Values.ingress.fido2ConfigLabels | indent 4 }} +{{- end }} + annotations: + kubernetes.io/ingress.class: nginx + nginx.ingress.kubernetes.io/ssl-redirect: "false" + nginx.ingress.kubernetes.io/proxy-read-timeout: "300" + nginx.ingress.kubernetes.io/configuration-snippet: "rewrite /.well-known/fido2-configuration /jans-fido2/restv1/configuration$1 break;" + nginx.ingress.kubernetes.io/rewrite-target: /jans-fido2/restv1/configuration +{{- if .Values.ingress.fido2ConfigAdditionalAnnotations }} +{{ toYaml .Values.ingress.fido2ConfigAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /.well-known/fido2-configuration + pathType: Exact + backend: + service: + name: {{ .Values.global.fido2.fido2ServiceName }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + +--- + +{{ if .Values.ingress.authServerEnabled -}} +{{ $fullName := include "nginx-ingress.fullname" . 
-}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-auth-server + labels: + app: {{ $fullName }}-auth-server +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.authServerLabels }} +{{ toYaml .Values.ingress.authServerLabels | indent 4 }} +{{- end }} + annotations: + kubernetes.io/ingress.class: "nginx" + nginx.org/ssl-services: "auth-server" + nginx.ingress.kubernetes.io/proxy-next-upstream: "error timeout invalid_header http_500 http_502 http_503 http_504" +{{- if .Values.ingress.authServerAdditionalAnnotations }} +{{ toYaml .Values.ingress.authServerAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /jans-auth + pathType: Prefix + backend: + service: + name: {{ index .Values "global" "auth-server" "authServerServiceName" }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + diff --git a/charts/gluu/gluu/5.0.302/charts/nginx-ingress/values.yaml b/charts/gluu/gluu/5.0.302/charts/nginx-ingress/values.yaml new file mode 100644 index 000000000..4a1f865df --- /dev/null +++ b/charts/gluu/gluu/5.0.302/charts/nginx-ingress/values.yaml 
@@ -0,0 +1,99 @@
+
+# -- Nginx ingress definitions chart
+ingress:
+ enabled: true
+ # -- Enable use of legacy API version networking.k8s.io/v1beta1 to support kubernetes 1.18. This flag should be removed next version release along with nginx-ingress/templates/ingress-legacy.yaml.
+ legacy: false
+ path: /
+ # -- Enable endpoint /.well-known/openid-configuration
+ openidConfigEnabled: true
+ # -- openid-configuration ingress resource labels. key app is taken
+ openidConfigLabels: { }
+ # -- openid-configuration ingress resource additional annotations.
+ openidAdditionalAnnotations: { }
+ # -- Enable endpoint /device-code
+ deviceCodeEnabled: true
+ # -- device-code ingress resource labels. key app is taken
+ deviceCodeLabels: { }
+ # -- device-code ingress resource additional annotations.
+ deviceCodeAdditionalAnnotations: { }
+ # -- Enable endpoint /firebase-messaging-sw.js
+ firebaseMessagingEnabled: true
+ # -- Firebase Messaging ingress resource labels. key app is taken
+ firebaseMessagingLabels: { }
+ # -- Firebase Messaging ingress resource additional annotations.
+ firebaseMessagingAdditionalAnnotations: { }
+ # -- Enable endpoint /.well-known/uma2-configuration
+ uma2ConfigEnabled: true
+ # -- uma 2 config ingress resource labels. key app is taken
+ uma2ConfigLabels: { }
+ # -- uma2 config ingress resource additional annotations.
+ uma2AdditionalAnnotations: { }
+ # -- Enable endpoint /.well-known/webfinger
+ webfingerEnabled: true
+ # -- webfinger ingress resource labels. key app is taken
+ webfingerLabels: { }
+ # -- webfinger ingress resource additional annotations.
+ webfingerAdditionalAnnotations: { }
+ # -- Enable endpoint /.well-known/simple-web-discovery
+ webdiscoveryEnabled: true
+ # -- webdiscovery ingress resource labels. key app is taken
+ webdiscoveryLabels: { }
+ # -- webdiscovery ingress resource additional annotations.
+ webdiscoveryAdditionalAnnotations: { }
+ # -- Enable endpoint /.well-known/scim-configuration
+ scimConfigEnabled: false
+ # -- webdiscovery ingress resource labels. key app is taken
+ scimConfigLabels: { }
+ # -- SCIM config ingress resource additional annotations.
+ scimConfigAdditionalAnnotations: { }
+ # -- Enable SCIM endpoints /scim
+ scimEnabled: false
+ # -- scim config ingress resource labels. key app is taken
+ scimLabels: { }
+ # -- SCIM ingress resource additional annotations.
+ scimAdditionalAnnotations: { }
+ # -- Enable endpoint /.well-known/fido-configuration
+ u2fConfigEnabled: true
+ # -- u2f config ingress resource labels. key app is taken
+ u2fConfigLabels: { }
+ # -- u2f config ingress resource additional annotations.
+ u2fAdditionalAnnotations: { }
+ # -- Enable endpoint /.well-known/fido2-configuration
+ fido2ConfigEnabled: false
+ # -- fido2 config ingress resource labels. key app is taken
+ fido2ConfigLabels: { }
+ # -- fido2 config ingress resource additional annotations.
+ fido2ConfigAdditionalAnnotations: { }
+ # -- Enable all fido2 endpoints
+ fido2Enabled: false
+ # -- fido2 ingress resource labels. key app is taken
+ fido2Labels: { }
+ # -- Enable Auth server endpoints /oxauth
+ authServerEnabled: true
+ # -- Auth server config ingress resource labels. key app is taken
+ authServerLabels: { }
+ # -- Auth server ingress resource additional annotations.
+ authServerAdditionalAnnotations: { }
+ # -- Additional labels that will be added across all ingress definitions in the format of {mylabel: "myapp"}
+ additionalLabels: { }
+ # -- Additional annotations that will be added across all ingress definitions in the format of {cert-manager.io/issuer: "letsencrypt-prod"}.
key app is taken
+ # Enable client certificate authentication
+ # nginx.ingress.kubernetes.io/auth-tls-verify-client: "optional"
+ # Create the secret containing the trusted ca certificates
+ # nginx.ingress.kubernetes.io/auth-tls-secret: "gluu/tls-certificate"
+ # Specify the verification depth in the client certificates chain
+ # nginx.ingress.kubernetes.io/auth-tls-verify-depth: "1"
+ # Specify if certificates are passed to upstream server
+ # nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "true"
+ additionalAnnotations:
+ # -- Required annotation below. Use kubernetes.io/ingress.class: "public" for microk8s.
+ kubernetes.io/ingress.class: "nginx"
+ hosts:
+ - demoexample.gluu.org
+ tls:
+ - secretName: tls-certificate # DON'T change
+ hosts:
+ - demoexample.gluu.org
+nameOverride: ""
+fullnameOverride: ""
diff --git a/charts/gluu/gluu/5.0.302/charts/opendj/.helmignore b/charts/gluu/gluu/5.0.302/charts/opendj/.helmignore
new file mode 100644
index 000000000..f0c131944
--- /dev/null
+++ b/charts/gluu/gluu/5.0.302/charts/opendj/.helmignore
@@ -0,0 +1,21 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
diff --git a/charts/gluu/gluu/5.0.302/charts/opendj/Chart.yaml b/charts/gluu/gluu/5.0.302/charts/opendj/Chart.yaml
new file mode 100644
index 000000000..0f483ee0b
--- /dev/null
+++ b/charts/gluu/gluu/5.0.302/charts/opendj/Chart.yaml
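Review bot: Several `# --` comments in this values file name a different endpoint than the ingress template in the same commit routes, and these comments are the operator's only guide to what each flag exposes. `authServerEnabled` is documented as `/oxauth` and `scimEnabled` as `/scim`, while the template publishes the `/jans-auth` and `/jans-scim` prefixes, and `scimConfigLabels` is described as "webdiscovery" labels. I would change them to `# -- Enable Auth server endpoints /jans-auth`, `# -- Enable SCIM endpoints /jans-scim` and `# -- scim-configuration ingress resource labels. key app is taken`. The commented client-certificate example also shows `auth-tls-verify-client: "optional"`, which does not reject requests that present no certificate; a one-line comment saying so would help anyone who copies it.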
@@ -0,0 +1,22 @@
+apiVersion: v2
+appVersion: 5.0.0
+description: OpenDJ is a directory server which implements a wide range of Lightweight
+ Directory Access Protocol and related standards, including full compliance with
+ LDAPv3 but also support for Directory Service Markup Language (DSMLv2).Written in
+ Java, OpenDJ offers multi-master replication, access control, and many extensions.
+home: https://gluu.org/docs/gluu-server
+icon: https://gluu.org/docs/gluu-server/favicon.ico
+keywords:
+- LDAP
+- OpenDJ
+kubeVersion: '>=v1.21.0-0'
+maintainers:
+- email: support@gluu.org
+ name: Mohammad Abudayyeh
+ url: https://github.com/moabu
+name: opendj
+sources:
+- https://github.com/GluuFederation/docker-opendj
+- https://github.com/GluuFederation/flex/tree/main/flex-cn-setup/pygluu/kubernetes/templates/helm/gluu/charts/opendj
+type: application
+version: 5.0.3
diff --git a/charts/gluu/gluu/5.0.302/charts/opendj/README.md b/charts/gluu/gluu/5.0.302/charts/opendj/README.md
new file mode 100644
index 000000000..f8a716339
--- /dev/null
+++ b/charts/gluu/gluu/5.0.302/charts/opendj/README.md
@@ -0,0 +1,78 @@ +# opendj + +![Version: 5.0.3](https://img.shields.io/badge/Version-5.0.3-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.0](https://img.shields.io/badge/AppVersion-5.0.0-informational?style=flat-square) + +OpenDJ is a directory server which implements a wide range of Lightweight Directory Access Protocol and related standards, including full compliance with LDAPv3 but also support for Directory Service Markup Language (DSMLv2).Written in Java, OpenDJ offers multi-master replication, access control, and many extensions. + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | support@gluu.org | https://github.com/moabu | + +## Source Code + +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| additionalAnnotations | object | `{}` | Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken | +| additionalLabels | object | `{}` | Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} | +| dnsConfig | object | `{}` | Add custom dns config | +| dnsPolicy | string | `""` | Add custom dns policy | +| fullnameOverride | string | `""` | | +| hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| hpa.behavior | object | `{}` | Scaling Policies | +| hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. 
| +| image.pullSecrets | list | `[]` | Image Pull Secrets | +| image.repository | string | `"gluufederation/opendj"` | Image to use for deploying. | +| image.tag | string | `"5.0.0_dev"` | Image tag to use for deploying. | +| livenessProbe | object | `{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"failureThreshold":20,"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for OpenDJ if needed. https://github.com/GluuFederation/docker-opendj/blob/4.3/scripts/healthcheck.py | +| livenessProbe.exec | object | `{"command":["python3","/app/scripts/healthcheck.py"]}` | Executes the python3 healthcheck. | +| multiCluster.clusterId | string | `""` | This id needs to be unique to each kubernetes cluster in a multi cluster setup west, east, south, north, region ...etc If left empty it will be randomly generated. | +| multiCluster.enabled | bool | `false` | Enable OpenDJ multiCluster mode. This flag enables loading keys under `opendj.multiCluster` | +| multiCluster.namespaceIntId | int | `0` | Namespace int id. This id needs to be a unique number 0-9 per gluu installation per namespace. Used when gluu is installed in the same kubernetes cluster more than once. | +| multiCluster.replicaCount | int | `1` | The number of opendj non scalabble statefulsets to create. Each pod created must be resolvable as it follows the patterm RELEASE-NAME-opendj-CLUSTERID-regional-{{statefulset pod number}}-{{ $.Values.multiCluster.serfAdvertiseAddrSuffix }} If set to 1, with a release name of gluu, the address of the pod would be gluu-opendj-regional-0-regional.gluu.org | +| multiCluster.serfAdvertiseAddrSuffix | string | `"regional.gluu.org:30946"` | OpenDJ Serf advertise address suffix that will be added to each opendj replica. 
i.e RELEASE-NAME-opendj-regional-{{statefulset pod number}}-{{ $.Values.multiCluster.serfAdvertiseAddrSuffix }} | +| multiCluster.serfKey | string | `"Z51b6PgKU1MZ75NCZOTGGoc0LP2OF3qvF6sjxHyQCYk="` | Serf key. This key will automatically sync across clusters. | +| multiCluster.serfPeers | list | `["gluu-opendj-regional-0-regional.gluu.org:30946","gluu-opendj-regional-0-regional.gluu.org:31946"]` | Serf peer addresses. One per cluster. | +| nameOverride | string | `""` | | +| openDjVolumeMounts.config.mountPath | string | `"/opt/opendj/config"` | | +| openDjVolumeMounts.config.name | string | `"opendj-volume"` | | +| openDjVolumeMounts.db.mountPath | string | `"/opt/opendj/db"` | | +| openDjVolumeMounts.db.name | string | `"opendj-volume"` | | +| openDjVolumeMounts.flag.mountPath | string | `"/flag"` | | +| openDjVolumeMounts.flag.name | string | `"opendj-volume"` | | +| openDjVolumeMounts.ldif.mountPath | string | `"/opt/opendj/ldif"` | | +| openDjVolumeMounts.ldif.name | string | `"opendj-volume"` | | +| openDjVolumeMounts.logs.mountPath | string | `"/opt/opendj/logs"` | | +| openDjVolumeMounts.logs.name | string | `"opendj-volume"` | | +| persistence.accessModes | string | `"ReadWriteOnce"` | | +| persistence.size | string | `"5Gi"` | OpenDJ volume size | +| persistence.type | string | `"DirectoryOrCreate"` | | +| ports | object | `{"tcp-admin":{"nodePort":"","port":4444,"protocol":"TCP","targetPort":4444},"tcp-ldap":{"nodePort":"","port":1389,"protocol":"TCP","targetPort":1389},"tcp-ldaps":{"nodePort":"","port":1636,"protocol":"TCP","targetPort":1636},"tcp-repl":{"nodePort":"","port":8989,"protocol":"TCP","targetPort":8989},"tcp-serf":{"nodePort":"","port":7946,"protocol":"TCP","targetPort":7946},"udp-serf":{"nodePort":"","port":7946,"protocol":"UDP","targetPort":7946}}` | servicePorts values used in StatefulSet container | +| readinessProbe | object | 
`{"failureThreshold":20,"initialDelaySeconds":60,"periodSeconds":25,"tcpSocket":{"port":1636},"timeoutSeconds":5}` | Configure the readiness healthcheck for OpenDJ if needed. https://github.com/GluuFederation/docker-opendj/blob/4.3/scripts/healthcheck.py | +| replicas | int | `1` | Service replica number. | +| resources | object | `{"limits":{"cpu":"1500m","memory":"2000Mi"},"requests":{"cpu":"1500m","memory":"2000Mi"}}` | Resource specs. | +| resources.limits.cpu | string | `"1500m"` | CPU limit. | +| resources.limits.memory | string | `"2000Mi"` | Memory limit. | +| resources.requests.cpu | string | `"1500m"` | CPU request. | +| resources.requests.memory | string | `"2000Mi"` | Memory request. | +| usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.7.0](https://github.com/norwoodj/helm-docs/releases/v1.7.0) diff --git a/charts/gluu/gluu/5.0.302/charts/opendj/templates/_helpers.tpl b/charts/gluu/gluu/5.0.302/charts/opendj/templates/_helpers.tpl new file mode 100644 index 000000000..7ec959c4d --- /dev/null +++ b/charts/gluu/gluu/5.0.302/charts/opendj/templates/_helpers.tpl 
@@ -0,0 +1,68 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "opendj.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "opendj.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "opendj.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+ Common labels
+*/}}
+{{- define "opendj.labels" -}}
+app: {{ .Release.Name }}-{{ include "opendj.name" . }}
+helm.sh/chart: {{ include "opendj.chart" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end -}}
+
+{{/*
+Create user custom defined envs
+*/}}
+{{- define "opendj.usr-envs"}}
+{{- range $key, $val := .Values.usrEnvs.normal }}
+- name: {{ $key }}
+ value: {{ $val }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create user custom defined secret envs
+*/}}
+{{- define "opendj.usr-secret-envs"}}
+{{- range $key, $val := .Values.usrEnvs.secret }}
+- name: {{ $key }}
+ valueFrom:
+ secretKeyRef:
+ name: {{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs
+ key: {{ $key }}
+{{- end }}
+{{- end }}
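Review bot: In `opendj.usr-envs` the value is rendered unquoted (`value: {{ $val }}`), so anything under `usrEnvs.normal` that YAML reads as a number, boolean or null fails the string-typed `env[].value` field, and a value containing `: ` or ` #` changes the structure of the rendered manifest. Quoting keeps the value a single scalar: `value: {{ $val | quote }}`. Both helpers also emit `$key` verbatim as the variable name, so a comment stating that keys must be valid environment-variable names would be useful. `opendj.usr-secret-envs` references a Secret named `<release>-<chart>-user-custom-envs` that is not created in the hunks shown here, so I am assuming another template renders it.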
diff --git a/charts/gluu/gluu/5.0.302/charts/opendj/templates/configmaps.yaml b/charts/gluu/gluu/5.0.302/charts/opendj/templates/configmaps.yaml
new file mode 100644
index 000000000..952ba91a7
--- /dev/null
+++ b/charts/gluu/gluu/5.0.302/charts/opendj/templates/configmaps.yaml
@@ -0,0 +1,20 @@
+{{- if .Values.multiCluster.enabled }}
+
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ .Release.Name }}-serf-peers
+ namespace: {{ .Release.Namespace }}
+ labels:
+{{ include "opendj.labels" $ | indent 4}}
+{{- if .Values.additionalLabels }}
+{{ toYaml .Values.additionalLabels | indent 4 }}
+{{- end }}
+{{- if .Values.additionalAnnotations }}
+ annotations:
+{{ toYaml .Values.additionalAnnotations | indent 4 }}
+{{- end }}
+data:
+ serf-peers-static.json: |
+ {{ .Values.multiCluster.serfPeers | toJson }}
+{{- end }}
diff --git a/charts/gluu/gluu/5.0.302/charts/opendj/templates/cronjobs.yaml b/charts/gluu/gluu/5.0.302/charts/opendj/templates/cronjobs.yaml
new file mode 100644
index 000000000..bcbef9507
--- /dev/null
+++ b/charts/gluu/gluu/5.0.302/charts/opendj/templates/cronjobs.yaml
@@ -0,0 +1,100 @@
+{{- if .Values.backup.enabled }}
+
+kind: CronJob
+apiVersion: batch/v1beta1
+metadata:
+ name: {{ include "opendj.fullname" . }}-backup
+spec:
+ schedule: {{ .Values.backup.cronJobSchedule | quote }}
+ concurrencyPolicy: Forbid
+ jobTemplate:
+ spec:
+ template:
+ spec:
+ dnsPolicy: {{ .Values.dnsPolicy | quote }}
+ {{- with .Values.dnsConfig }}
+ dnsConfig:
+ {{ toYaml . | indent 12 }}
+ {{- end }}
+ containers:
+ - name: {{ include "opendj.fullname" . }}-backup
+ image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+ envFrom:
+ - configMapRef:
+ name: {{ .Release.Name }}-config-cm
+ ports:
+ {{- range $key, $value := .Values.ports }}
+ - containerPort: {{ $value.targetPort }}
+ name: {{ $key }}
+ {{- end }}
+ env:
+ - name: LDAP_HOST
+ valueFrom:
+ configMapKeyRef:
+ # ConfigMap generated by the Configuration chart when Gluu was installed. This is normally cn.
+ # Found in Gluu chart under config.configmap.cnConfigKubernetesConfigMap
+ name: cn
+ key: ldap_init_host
+ - name: LDAP_PORT
+ valueFrom:
+ configMapKeyRef:
+ # ConfigMap generated by the Configuration chart when Gluu was installed. This is normally cn.
+ # Found in Gluu chart under config.configmap.cnConfigKubernetesConfigMap
+ name: cn
+ key: ldap_init_port
+ - name: LDAP_BIND_DN
+ valueFrom:
+ configMapKeyRef:
+ # ConfigMap generated by the Configuration chart when Gluu was installed. This is normally cn.
+ # Found in Gluu chart under config.configmap.cnConfigKubernetesConfigMap
+ name: cn
+ key: ldap_site_binddn
+ - name: LDAP_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Release.Name }}-ldap-cron-pass
+ key: password
+ # while true; do sleep 60; ldaplog=$(cat /opt/opendj/logs/server.out); startedstr="The Directory Server has started successfully"; if [ -z "${ldaplog##*$startedstr*}" ]; then break; fi; echo "Waiting for opendj server to start"; done
+ command:
+ - /bin/sh
+ - -c
+ - |
+ # =========
+ # FUNCTIONS
+ # =========
+
+ set_java_args() {
+ # not sure if we can omit `-server` safely
+ local java_args="-server"
+ java_args="${java_args} -XX:+UseContainerSupport -XX:MaxRAMPercentage=${GLUU_MAX_RAM_PERCENTAGE} ${GLUU_JAVA_OPTIONS}"
+ # set the env var so it is loaded by `start-ds` script
+ export OPENDJ_JAVA_ARGS=${java_args}
+ }
+
+ # ==========
+ # ENTRYPOINT
+ # ==========
+
+ mkdir -p /opt/opendj/locks
+
+ export JAVA_VERSION=$(java -version 2>&1 | awk -F '[\"_]' 'NR==1{print $2}')
+
+ python3 /app/scripts/wait.py
+
+ if [ ! -f /deploy/touched ]; then
+ python3 /app/scripts/entrypoint.py
+ touch /deploy/touched
+ fi
+ # run OpenDJ server
+ set_java_args
+ exec /opt/opendj/bin/start-ds -N &
+ sleep 300
+ RANDOM_NUM=$(cat /dev/urandom | tr -cd '0-5' | head -c 1)
+ LDAP_BACKUP_FILE=backup-$RANDOM_NUM.ldif
+ {{- if .Values.multiCluster.enabled }}
+ /opt/opendj/bin/export-ldif --hostname "$LDAP_HOST" --port "304{{$.Values.multiCluster.namespaceIntId}}0" --bindDN "$LDAP_BIND_DN" --bindPassword "$LDAP_PASSWORD" --backendID userRoot --ldifFile /opt/opendj/ldif/$LDAP_BACKUP_FILE --trustAll
+ {{- else }}
+ /opt/opendj/bin/export-ldif --hostname "$LDAP_HOST" --port 4444 --bindDN "$LDAP_BIND_DN" --bindPassword "$LDAP_PASSWORD" --backendID userRoot --ldifFile /opt/opendj/ldif/$LDAP_BACKUP_FILE --trustAll
+ {{- end }}
+ restartPolicy: Never
+{{- end }}
\ No newline at end of file
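Review bot: Both `export-ldif` invocations pass the bind password as an argument (`--bindPassword "$LDAP_PASSWORD"`) and turn off certificate validation with `--trustAll`, so the directory credential is visible in the container's process list and is sent to whatever endpoint answers on `$LDAP_HOST` without its certificate being checked. OpenDJ's tools accept `--bindPasswordFile` and `--trustStorePath`; mounting the `-ldap-cron-pass` Secret as a file and pointing the tool at the deployment's trust store would remove both exposures. The export is written to `/opt/opendj/ldif/`, but the pod spec in this hunk declares no `volumes` or `volumeMounts`, so as far as the hunk shows the backup exists only in the job container's filesystem. Separately, `apiVersion: batch/v1beta1` is older than needed given the chart's `kubeVersion: '>=v1.21.0-0'`, where `batch/v1` CronJob is available, and `backup` does not appear in the values table of this chart's README, so `.Values.backup.enabled` may fail to resolve unless it is defined elsewhere.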
diff --git a/charts/gluu/gluu/5.0.302/charts/opendj/templates/hpa.yaml b/charts/gluu/gluu/5.0.302/charts/opendj/templates/hpa.yaml
new file mode 100644
index 000000000..c6019d3f3
--- /dev/null
+++ b/charts/gluu/gluu/5.0.302/charts/opendj/templates/hpa.yaml
@@ -0,0 +1,37 @@
+{{ if .Values.hpa.enabled -}}
+
+apiVersion: autoscaling/v1
+kind: HorizontalPodAutoscaler
+metadata:
+ name: {{ include "opendj.fullname" . }}
+ labels:
+{{ include "opendj.labels" $ | indent 4}}
+{{- if .Values.additionalLabels }}
+{{ toYaml .Values.additionalLabels | indent 4 }}
+{{- end }}
+{{- if .Values.additionalAnnotations }}
+ annotations:
+{{ toYaml .Values.additionalAnnotations | indent 4 }}
+{{- end }}
+spec:
+ scaleTargetRef:
+ apiVersion: apps/v1
+ kind: StatefulSet
+ name: {{ include "opendj.fullname" . }}
+ minReplicas: {{ .Values.hpa.minReplicas }}
+ maxReplicas: {{ .Values.hpa.maxReplicas }}
+ {{- if .Values.hpa.targetCPUUtilizationPercentage }}
+ targetCPUUtilizationPercentage: {{ .Values.hpa.targetCPUUtilizationPercentage }}
+ {{- else if .Values.hpa.metrics }}
+ metrics:
+ {{- with .Values.hpa.metrics }}
+{{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- end }}
+ {{- if .Values.hpa.behavior }}
+ behavior:
+ {{- with .Values.hpa.behavior }}
+{{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/gluu/gluu/5.0.302/charts/opendj/templates/opendj-destination-rules.yaml b/charts/gluu/gluu/5.0.302/charts/opendj/templates/opendj-destination-rules.yaml
new file mode 100644
index 000000000..882f96653
--- /dev/null
+++ b/charts/gluu/gluu/5.0.302/charts/opendj/templates/opendj-destination-rules.yaml
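Review bot: The object is declared as `autoscaling/v1`, but the `metrics:` and `behavior:` branches emit fields that exist only in the `autoscaling/v2` family, so an install that clears `targetCPUUtilizationPercentage` in order to use them renders a manifest the API server will reject or prune. With the chart's `kubeVersion: '>=v1.21.0-0'` the template could declare `apiVersion: autoscaling/v2beta2` (or select `autoscaling/v2` through `.Capabilities.APIVersions.Has`) and express the CPU target as a `metrics` entry. The README in this commit lists `hpa.enabled` as `true` by default with `maxReplicas` 10 against the OpenDJ StatefulSet; a comment stating whether automatic scale-down of replicated directory nodes is intended would help operators.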
@@ -0,0 +1,24 @@
+{{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }}
+{{- if .Values.global.istio.enabled }}
+
+apiVersion: networking.istio.io/v1alpha3
+kind: DestinationRule
+metadata:
+ name: {{ .Release.Name }}-ldap-mtls
+ namespace: {{.Release.Namespace}}
+ labels:
+{{ include "opendj.labels" $ | indent 4}}
+{{- if .Values.additionalLabels }}
+{{ toYaml .Values.additionalLabels | indent 4 }}
+{{- end }}
+{{- if .Values.additionalAnnotations }}
+ annotations:
+{{ toYaml .Values.additionalAnnotations | indent 4 }}
+{{- end }}
+spec:
+ host: {{ .Values.global.opendj.ldapServiceName }}.{{ .Release.Namespace }}.svc.cluster.local
+ trafficPolicy:
+ tls:
+ mode: ISTIO_MUTUAL
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/gluu/gluu/5.0.302/charts/opendj/templates/secrets.yaml b/charts/gluu/gluu/5.0.302/charts/opendj/templates/secrets.yaml
new file mode 100644
index 000000000..aa2378ded
--- /dev/null
+++ b/charts/gluu/gluu/5.0.302/charts/opendj/templates/secrets.yaml
@@ -0,0 +1,19 @@
+
+{{- if .Values.multiCluster.enabled }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ .Release.Name }}-serf-key
+ labels:
+{{ include "opendj.labels" $ | indent 4}}
+{{- if .Values.additionalLabels }}
+{{ toYaml .Values.additionalLabels | indent 4 }}
+{{- end }}
+{{- if .Values.additionalAnnotations }}
+ annotations:
+{{ toYaml .Values.additionalAnnotations | indent 4 }}
+{{- end }}
+type: Opaque
+data:
+ serf-key: {{ .Values.multiCluster.serfKey | b64enc }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/gluu/gluu/5.0.302/charts/opendj/templates/service.yaml b/charts/gluu/gluu/5.0.302/charts/opendj/templates/service.yaml
new file mode 100644
index 000000000..1839410b3
--- /dev/null
+++ b/charts/gluu/gluu/5.0.302/charts/opendj/templates/service.yaml
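Review bot: In `secrets.yaml` the Serf key is taken straight from `.Values.multiCluster.serfKey`, and the README in this commit documents a concrete default for that value, so every multi-cluster install that does not override it would share the same published key. I would ship an empty default and fail rendering when it is missing, `serf-key: {{ required "multiCluster.serfKey must be set" .Values.multiCluster.serfKey | b64enc }}`, and document how operators generate their own. The opendj `values.yaml` is outside the hunks shown here, so the default is inferred from the README table. The Secret also omits `namespace: {{ .Release.Namespace }}`, which the ConfigMap in `configmaps.yaml` sets.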
@@ -0,0 +1,113 @@ +{{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} +{{ range $k, $v := until ( .Values.multiCluster.replicaCount | int ) }} +--- + +apiVersion: v1 +kind: Service +metadata: + {{- if $.Values.multiCluster.enabled }} + name: {{ $.Values.global.opendj.ldapServiceName }}-regional-{{$v}} + {{- else }} + name: {{ $.Values.global.opendj.ldapServiceName }} + {{- end }} + namespace: {{ $.Release.Namespace }} + labels: +{{ include "opendj.labels" $ | indent 4}} + {{- if $.Values.multiCluster.enabled }} + appregion: {{ include "opendj.name" $ }}-regional-{{$v}} + {{- end }} +{{- if $.Values.additionalLabels }} +{{ toYaml $.Values.additionalLabels | indent 4 }} +{{- end }} +{{- if $.Values.additionalAnnotations }} + annotations: +{{ toYaml $.Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ports: + {{- if $.Values.multiCluster.enabled }} + - port: 1636 + name: tcp-ldaps + targetPort: 1636 + protocol: TCP + nodePort: 306{{$.Values.multiCluster.namespaceIntId}}{{$v}} + - port: 309{{$.Values.multiCluster.namespaceIntId}}{{$v}} + name: tcp-replication + targetPort: 309{{$.Values.multiCluster.namespaceIntId}}{{$v}} + protocol: TCP + nodePort: 309{{$.Values.multiCluster.namespaceIntId}}{{$v}} + - port: 304{{$.Values.multiCluster.namespaceIntId}}{{$v}} + name: tcp-admin + targetPort: 304{{$.Values.multiCluster.namespaceIntId}}{{$v}} + nodePort: 304{{$.Values.multiCluster.namespaceIntId}}{{$v}} + protocol: TCP + - port: 7946 + name: tcp-serf + targetPort: 7946 + protocol: TCP + nodePort: 307{{$.Values.multiCluster.namespaceIntId}}{{$v}} + - port: 7946 + name: udp-serf + targetPort: 7946 + protocol: UDP + nodePort: 307{{$.Values.multiCluster.namespaceIntId}}{{$v}} + type: NodePort + {{- else }} + {{- range $key, $value := $.Values.ports }} + - port: {{ $value.port }} + name: {{ $key }} + targetPort: {{ $value.targetPort }} + protocol: {{ $value.protocol}} + {{- if $value.nodePort }} + nodePort: {{ 
$value.nodePort }} + {{- end }} + {{- end }} + clusterIP: None + {{- end }} + selector: + {{- if $.Values.multiCluster.enabled }} + appregion: {{ include "opendj.name" $ }}-regional-{{$v}} + {{- else }} + app: {{ include "opendj.name" $ }} + {{- end }} +{{- end }} +{{- if .Values.multiCluster.enabled }} +--- +apiVersion: v1 +kind: Service +metadata: + name: {{ .Values.global.opendj.ldapServiceName }} + namespace: {{ .Release.Namespace }} + labels: +{{ include "opendj.labels" . | indent 4}} +spec: + ports: + - port: 1636 + name: tcp-ldaps + targetPort: 1636 + protocol: TCP + - port: 1389 + name: tcp-ldap + targetPort: 1389 + protocol: TCP + - port: 8989 + name: tcp-replication + targetPort: 8989 + protocol: TCP + - port: 4444 + name: tcp-admin + targetPort: 4444 + protocol: TCP + - port: 7946 + name: tcp-serf + targetPort: 7946 + protocol: TCP + - port: 7946 + name: udp-serf + targetPort: 7946 + protocol: UDP + clusterIP: None + selector: + app: {{ include "opendj.name" . }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.302/charts/opendj/templates/statefulset.yaml b/charts/gluu/gluu/5.0.302/charts/opendj/templates/statefulset.yaml new file mode 100644 index 000000000..5646bf1d0 --- /dev/null +++ b/charts/gluu/gluu/5.0.302/charts/opendj/templates/statefulset.yaml 
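Review bot: In the `multiCluster.enabled` branch the Service is `type: NodePort` and publishes `tcp-admin` (304xx), `tcp-replication` (309xx), `tcp-ldaps` and both serf ports, which makes the directory's admin and replication listeners reachable on every node address; nothing in this hunk limits who may connect. If cross-cluster reachability is the intent, state it above the `ports:` list, e.g. `# NodePorts below exist for cross-cluster replication; restrict source addresses to peer clusters (firewall / NetworkPolicy)`. The port numbers are also built by string concatenation (`306{{$.Values.multiCluster.namespaceIntId}}{{$v}}`), which only yields a valid port while both values are single digits, and `replicaCount` is not bounded anywhere in the hunk.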
@@ -0,0 +1,167 @@ +{{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} +{{ range $k, $v := until ( .Values.multiCluster.replicaCount | int ) }} +--- + +apiVersion: apps/v1 +kind: StatefulSet +metadata: + {{- if $.Values.multiCluster.enabled }} + name: {{ include "opendj.fullname" $ }}-regional-{{$v}} + {{- else }} + name: {{ include "opendj.fullname" $ }} + {{- end }} + namespace: {{ $.Release.Namespace }} + labels: +{{ include "opendj.labels" $ | indent 4}} + {{- if $.Values.multiCluster.enabled }} + appregion: {{ include "opendj.name" $ }}-regional-{{$v}} + {{- end }} +{{- if $.Values.additionalLabels }} +{{ toYaml $.Values.additionalLabels | indent 4 }} +{{- end }} +{{- if $.Values.additionalAnnotations }} + annotations: +{{ toYaml $.Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + selector: + matchLabels: + {{- if $.Values.multiCluster.enabled }} + app: {{ include "opendj.name" $ }} + appregion: {{ include "opendj.name" $ }}-regional-{{$v}} + {{- else }} + app: {{ include "opendj.name" $ }} + {{- end }} + serviceName: {{ include "opendj.name" $ }} + {{- if $.Values.multiCluster.enabled }} + replicas: 1 + {{- else }} + replicas: {{ $.Values.replicas }} + {{- end }} + template: + metadata: + labels: + {{- if $.Values.multiCluster.enabled }} + app: {{ include "opendj.name" $ }} + appregion: {{ include "opendj.name" $ }}-regional-{{$v}} + {{- else }} + app: {{ include "opendj.name" $ }} + {{- end }} + {{- if $.Values.global.istio.ingress }} + annotations: + sidecar.istio.io/rewriteAppHTTPProbers: "true" + {{- end }} + spec: + {{- with $.Values.image.pullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + dnsPolicy: {{ $.Values.dnsPolicy | quote }} + {{- with $.Values.dnsConfig }} + dnsConfig: +{{ toYaml . | indent 8 }} + {{- end }} + volumes: + {{- with $.Values.volumes }} +{{- toYaml . 
| nindent 8 }} + {{- end }} + {{- if $.Values.multiCluster.enabled }} + - name: serfkey + secret: + secretName: {{ $.Release.Name }}-serf-key + - name: serfpeers + configMap: + name: {{ $.Release.Name }}-serf-peers + {{- end }} + {{- if $.Values.global.upgrade.enabled }} + - name: ox-ldif-cm + configMap: + name: {{ $.Release.Name }}-oxjans + {{- end }} + containers: + - name: {{ include "opendj.name" $ }} + imagePullPolicy: {{ $.Values.image.pullPolicy }} + image: "{{ $.Values.image.repository }}:{{ $.Values.image.tag }}" + env: + {{- include "opendj.usr-envs" $ | indent 12 }} + {{- include "opendj.usr-secret-envs" $ | indent 12 }} + {{- if $.Values.multiCluster.enabled }} + - name: GLUU_SERF_ADVERTISE_ADDR + value: "{{ $.Release.Name }}-opendj-{{$.Values.multiCluster.clusterId}}-regional-{{$v}}-{{ $.Values.multiCluster.serfAdvertiseAddrSuffix }}:307{{$.Values.multiCluster.namespaceIntId}}{{$v}}" + - name: GLUU_LDAP_ADVERTISE_ADMIN_PORT + value: "304{{$.Values.multiCluster.namespaceIntId}}{{$v}}" + - name: GLUU_LDAP_ADVERTISE_LDAPS_PORT + value: "306{{$.Values.multiCluster.namespaceIntId}}{{$v}}" + - name: GLUU_LDAP_ADVERTISE_REPLICATION_PORT + value: "309{{$.Values.multiCluster.namespaceIntId}}{{$v}}" + {{- end }} + lifecycle: + preStop: + exec: + command: ["python3", "/app/scripts/deregister_peer.py"] + envFrom: + - configMapRef: + name: {{ $.Release.Name }}-config-cm + {{ if $.Values.global.usrEnvs.secret }} + - secretRef: + name: {{ $.Release.Name }}-global-user-custom-envs + {{- end }} + {{ if $.Values.global.usrEnvs.normal }} + - configMapRef: + name: {{ $.Release.Name }}-global-user-custom-envs + {{- end }} + ports: + {{- range $key, $value := $.Values.ports }} + - containerPort: {{ $value.targetPort }} + name: {{ $key }} + {{- end }} + volumeMounts: + {{- range $key, $values := $.Values.openDjVolumeMounts }} + - mountPath: {{$values.mountPath}} + name: {{$values.name}} + subPath: {{$key}} + {{- end }} + {{- with $.Values.volumeMounts }} +{{- toYaml . 
| nindent 10 }} + {{- end }} + {{- if $.Values.multiCluster.enabled }} + - mountPath: "/etc/gluu/conf/serf-key" + name: serfkey + subPath: serf-key + - mountPath: "/etc/gluu/conf/serf-peers-static.json" + name: serfpeers + subPath: serf-peers-static.json + {{- end }} + {{- if $.Values.global.upgrade.enabled }} + - name: ox-ldif-cm + mountPath: /opt/opendj/config/schema/101-jans.ldif + subPath: 101-jans.ldif + {{- end }} + livenessProbe: +{{- toYaml $.Values.livenessProbe | nindent 10 }} + readinessProbe: +{{- toYaml $.Values.readinessProbe | nindent 10 }} + {{- if or (eq $.Values.global.storageClass.provisioner "microk8s.io/hostpath" ) (eq $.Values.global.storageClass.provisioner "k8s.io/minikube-hostpath") }} + resources: {} + {{- else if $.Values.global.cloud.testEnviroment }} + resources: {} + {{- else }} + resources: +{{- toYaml $.Values.resources | nindent 10 }} + {{- end }} + volumeClaimTemplates: + - metadata: + name: opendj-volume + spec: + accessModes: + - {{ $.Values.persistence.accessModes }} + resources: + requests: + storage: {{ $.Values.persistence.size }} + {{- if eq $.Values.global.storageClass.provisioner "k8s.io/minikube-hostpath" }} + storageClassName: standard + {{- else }} + storageClassName: {{ include "opendj.fullname" $ | quote }} + {{- end }} +{{- end }} +{{- end }} diff --git a/charts/gluu/gluu/5.0.302/charts/opendj/templates/storageclass.yaml b/charts/gluu/gluu/5.0.302/charts/opendj/templates/storageclass.yaml new file mode 100644 index 000000000..c52bd2479 --- /dev/null +++ b/charts/gluu/gluu/5.0.302/charts/opendj/templates/storageclass.yaml 
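Review bot: The `containers:` entry in statefulset.yaml sets no `securityContext`, and neither does the pod spec, so the directory server runs with whatever user, capabilities and root-filesystem mode the image defaults to. Expose it through values so operators can harden the pod without forking the chart, e.g. after `imagePullPolicy`: `{{- with $.Values.securityContext }}`, `securityContext: {{- toYaml . | nindent 10 }}`, `{{- end }}`. Whether the image can run with `runAsNonRoot: true` is not visible on this page and would need checking against the image. The oxpassport templates/deployment.yaml in this commit has the same gap.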
@@ -0,0 +1,58 @@ + +{{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} +apiVersion: storage.k8s.io/v1 +kind: StorageClass +metadata: + name: {{ include "opendj.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + storage: opendj +{{ include "opendj.labels" $ | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} + annotations: + "helm.sh/hook": pre-install + "helm.sh/hook-weight": "3" + "helm.sh/hook-delete-policy": before-hook-creation +{{- if .Values.additionalAnnotations }} +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} + # Annotation below is to keep the storage class during upgrade. Otherwise, due to the flag at line 1 which is needed, this resource will be deleted. + helm.sh/resource-policy: keep + storageclass.beta.kubernetes.io/is-default-class: "false" + {{- if eq .Values.global.storageClass.provisioner "openebs.io/local" }} + openebs.io/cas-type: local + cas.openebs.io/config: | + - name: StorageType + value: hostpath + - name: BasePath + value: /var/local-hostpath + {{- end }} +provisioner: {{ .Values.global.storageClass.provisioner }} +{{- if and ( ne .Values.global.storageClass.provisioner "microk8s.io/hostpath" ) ( ne .Values.global.storageClass.provisioner "k8s.io/minikube-hostpath") ( ne .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") ( ne .Values.global.storageClass.provisioner "kubernetes.io/gce-pd") ( ne .Values.global.storageClass.provisioner "dobs.csi.digitalocean.com") ( ne .Values.global.storageClass.provisioner "openebs.io/local") ( ne .Values.global.storageClass.provisioner "kubernetes.io/azure-disk") }} +parameters: +{{ toYaml .Values.global.storageClass.parameters | indent 4 }} +{{- else }} +parameters: + {{- if eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs" }} + type: {{ .Values.global.awsStorageType }} + fsType: ext4 + {{- else if eq 
.Values.global.storageClass.provisioner "kubernetes.io/gce-pd" }} + type: {{ .Values.global.gcePdStorageType }} + {{- else if eq .Values.global.storageClass.provisioner "kubernetes.io/azure-disk" }} + storageAccountType: {{ .Values.global.azureStorageAccountType }} + kind: {{ .Values.global.azureStorageKind }} + {{- else if eq .Values.global.storageClass.provisioner "dobs.csi.digitalocean.com" }} + {{- else if eq .Values.global.storageClass.provisioner "openebs.io/local" }} + {{- else }} + pool: default + fsType: ext4 + {{- end }} +{{- end }} +allowVolumeExpansion: {{ .Values.global.storageClass.allowVolumeExpansion }} +volumeBindingMode: {{ .Values.global.storageClass.volumeBindingMode }} +reclaimPolicy: {{ .Values.global.storageClass.reclaimPolicy }} +mountOptions: {{ .Values.global.storageClass.mountOptions | toJson }} +allowedTopologies: {{ .Values.global.storageClass.allowedTopologies | toJson }} +{{- end }} diff --git a/charts/gluu/gluu/5.0.302/charts/opendj/templates/user-custom-secret-envs.yaml b/charts/gluu/gluu/5.0.302/charts/opendj/templates/user-custom-secret-envs.yaml new file mode 100644 index 000000000..b65dd1241 --- /dev/null +++ b/charts/gluu/gluu/5.0.302/charts/opendj/templates/user-custom-secret-envs.yaml @@ -0,0 +1,21 @@ +{{ if .Values.usrEnvs.secret }} + +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-{{ .Chart.Name }}-user-custom-envs + labels: +{{ include "opendj.labels" $ | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +data: + {{- range $key, $val := .Values.usrEnvs.secret }} + {{ $key }}: {{ $val | b64enc }} + {{- end}} +{{- end}} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.302/charts/opendj/values.yaml b/charts/gluu/gluu/5.0.302/charts/opendj/values.yaml new file mode 100644 index 000000000..bdac5da88 
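Review bot: `StorageClass` is a cluster-scoped kind, so `namespace: {{ .Release.Namespace }}` under `metadata` has no effect, and the name `opendj.fullname` is shared cluster-wide: two releases with the same name in different namespaces resolve to the same object. With the `pre-install` hook, `before-hook-creation` and `helm.sh/resource-policy: keep`, a second install would replace a class that another release still depends on, and the class outlives both. I would drop the `namespace:` line and either put the namespace into the name or document that the class is shared. The comment about "the flag at line 1" should name the flag it refers to.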
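Review bot: In user-custom-secret-envs.yaml, `b64enc` expects a string, so an unquoted number or boolean under `usrEnvs.secret` aborts the render. `{{ $key }}: {{ $val | toString | b64enc }}` accepts those values. A comment above `data:` noting that these values arrive in plain text through Helm values, and are therefore kept in the release record, would help operators decide between this and an externally managed Secret.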
--- /dev/null
+++ b/charts/gluu/gluu/5.0.302/charts/opendj/values.yaml
@@ -0,0 +1,156 @@ + +# -- OpenDJ is a directory server which implements a wide range of Lightweight Directory Access Protocol and related standards, including full compliance with LDAPv3 but also support for Directory Service Markup Language (DSMLv2).Written in Java, OpenDJ offers multi-master replication, access control, and many extensions. +# -- Configure the HorizontalPodAutoscaler +hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} +# -- Add custom normal and secret envs to the service +usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} +# -- Add custom dns policy +dnsPolicy: "" +# -- Add custom dns config +dnsConfig: {} +image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: gluufederation/opendj + # -- Image tag to use for deploying. + tag: 5.0.0_dev + # -- Image Pull Secrets + pullSecrets: [ ] +multiCluster: + # -- Enable OpenDJ multiCluster mode. This flag enables loading keys under `opendj.multiCluster` + enabled: false + # -- OpenDJ Serf advertise address suffix that will be added to each opendj replica. + # i.e RELEASE-NAME-opendj-regional-{{statefulset pod number}}-{{ $.Values.multiCluster.serfAdvertiseAddrSuffix }} + serfAdvertiseAddrSuffix: "regional.gluu.org:30946" + # -- Serf key. This key will automatically sync across clusters. + serfKey: Z51b6PgKU1MZ75NCZOTGGoc0LP2OF3qvF6sjxHyQCYk= + # -- Serf peer addresses. One per cluster. + serfPeers: + - "gluu-opendj-regional-0-regional.gluu.org:30946" + - "gluu-opendj-regional-0-regional.gluu.org:31946" + # -- The number of opendj non scalabble statefulsets to create. 
Each pod created must be resolvable as it follows + # the patterm RELEASE-NAME-opendj-CLUSTERID-regional-{{statefulset pod number}}-{{ $.Values.multiCluster.serfAdvertiseAddrSuffix }} + # If set to 1, with a release name of gluu, the address of the pod would be gluu-opendj-regional-0-regional.gluu.org + replicaCount: 1 + # -- This id needs to be unique to each kubernetes cluster in a multi cluster setup + # west, east, south, north, region ...etc If left empty it will be randomly generated. + clusterId: "" + # -- Namespace int id. This id needs to be a unique number 0-9 per gluu installation per namespace. + # Used when gluu is installed in the same kubernetes cluster more than once. + namespaceIntId: 0 +persistence: + # -- OpenDJ volume size + size: 5Gi + accessModes: ReadWriteOnce + type: DirectoryOrCreate +# -- servicePorts values used in StatefulSet container +ports: + tcp-admin: + nodePort: "" + port: 4444 + protocol: TCP + targetPort: 4444 + tcp-ldap: + nodePort: "" + port: 1389 + protocol: TCP + targetPort: 1389 + tcp-ldaps: + nodePort: "" + port: 1636 + protocol: TCP + targetPort: 1636 + tcp-repl: + nodePort: "" + port: 8989 + protocol: TCP + targetPort: 8989 + tcp-serf: + nodePort: "" + port: 7946 + protocol: TCP + targetPort: 7946 + udp-serf: + nodePort: "" + port: 7946 + protocol: UDP + targetPort: 7946 +# -- Service replica number. +replicas: 1 +# -- Resource specs. +resources: + limits: + # -- CPU limit. + cpu: 1500m + # -- Memory limit. + memory: 2000Mi + requests: + # -- CPU request. + cpu: 1500m + # -- Memory request. + memory: 2000Mi +# -- Configure the liveness healthcheck for OpenDJ if needed. +# https://github.com/GluuFederation/docker-opendj/blob/4.3/scripts/healthcheck.py +livenessProbe: + # -- Executes the python3 healthcheck. + exec: + command: + - python3 + - /app/scripts/healthcheck.py + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 + failureThreshold: 20 +# -- Configure the readiness healthcheck for OpenDJ if needed. 
+# https://github.com/GluuFederation/docker-opendj/blob/4.3/scripts/healthcheck.py
+readinessProbe:
+ tcpSocket:
+ port: 1636
+ initialDelaySeconds: 60
+ timeoutSeconds: 5
+ periodSeconds: 25
+ failureThreshold: 20
+# -- Configure any additional volumes that need to be attached to the pod
+volumes: []
+# -- Configure any additional volumesMounts that need to be attached to the containers
+volumeMounts: []
+nameOverride: ""
+fullnameOverride: ""
+# VolumeMounts for StatefulSet
+# opendj-init vm
+openDjVolumeMounts:
+ config:
+ mountPath: /opt/opendj/config
+ name: opendj-volume
+ ldif:
+ mountPath: /opt/opendj/ldif
+ name: opendj-volume
+ logs:
+ mountPath: /opt/opendj/logs
+ name: opendj-volume
+ db:
+ mountPath: /opt/opendj/db
+ name: opendj-volume
+ flag:
+ mountPath: /flag
+ name: opendj-volume
+
+# -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"}
+additionalLabels: { }
+# -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken
+additionalAnnotations: { }
\ No newline at end of file
diff --git a/charts/gluu/gluu/5.0.302/charts/oxpassport/.helmignore b/charts/gluu/gluu/5.0.302/charts/oxpassport/.helmignore
new file mode 100644
index 000000000..f0c131944
--- /dev/null
+++ b/charts/gluu/gluu/5.0.302/charts/oxpassport/.helmignore
@@ -0,0 +1,21 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
diff --git a/charts/gluu/gluu/5.0.302/charts/oxpassport/Chart.yaml b/charts/gluu/gluu/5.0.302/charts/oxpassport/Chart.yaml
new file mode 100644
index 000000000..34661f194
--- /dev/null
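Review bot: In the opendj values.yaml, `image.tag: 5.0.0_dev` together with `pullPolicy: IfNotPresent` deploys a development tag that can be re-pushed, so nodes that pulled at different times may run different images and a release cannot be tied to a known build. Default to a released tag or a digest, or at least say so in the comment: `# -- Image tag to use for deploying. Use an immutable release tag or a digest in production.` The two `healthcheck.py` links in the probe comments point at the `4.3` branch while the chart is 5.0.x, which is worth correcting so readers check the script that actually ships.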
+++ b/charts/gluu/gluu/5.0.302/charts/oxpassport/Chart.yaml
@@ -0,0 +1,21 @@
+apiVersion: v2
+appVersion: 5.0.0
+description: Gluu interface to Passport.js to support social login and inbound identity.
+home: https://gluu.org/docs/gluu-server
+icon: https://gluu.org/docs/gluu-server/favicon.ico
+keywords:
+- Passport.js
+- Inbound Identity
+- Social login
+kubeVersion: '>=v1.21.0-0'
+maintainers:
+- email: support@gluu.org
+ name: Mohammad Abudayyeh
+ url: https://github.com/moabu
+name: oxpassport
+sources:
+- https://github.com/GluuFederation/gluu-passport
+- https://github.com/GluuFederation/docker-oxpassport
+- https://github.com/GluuFederation/flex/tree/main/flex-cn-setup/pygluu/kubernetes/templates/helm/gluu/charts/oxpassport
+type: application
+version: 5.0.3
diff --git a/charts/gluu/gluu/5.0.302/charts/oxpassport/README.md b/charts/gluu/gluu/5.0.302/charts/oxpassport/README.md
new file mode 100644
index 000000000..4308f58f0
--- /dev/null
+++ b/charts/gluu/gluu/5.0.302/charts/oxpassport/README.md
@@ -0,0 +1,66 @@ +# oxpassport + +![Version: 5.0.3](https://img.shields.io/badge/Version-5.0.3-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.0](https://img.shields.io/badge/AppVersion-5.0.0-informational?style=flat-square) + +Gluu interface to Passport.js to support social login and inbound identity. + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | support@gluu.org | https://github.com/moabu | + +## Source Code + +* +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| additionalAnnotations | object | `{}` | Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken | +| additionalLabels | object | `{}` | Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} | +| affinity | object | `{}` | | +| dnsConfig | object | `{}` | Add custom dns config | +| dnsPolicy | string | `""` | Add custom dns policy | +| fullnameOverride | string | `""` | | +| hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| hpa.behavior | object | `{}` | Scaling Policies | +| hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| image.pullSecrets | list | `[]` | Image Pull Secrets | +| image.repository | string | `"gluufederation/oxpassport"` | Image to use for deploying. | +| image.tag | string | `"5.0.0_dev"` | Image tag to use for deploying. 
| +| livenessProbe | object | `{"failureThreshold":20,"httpGet":{"path":"/passport/health-check","port":"http-passport"},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for oxPassport if needed. | +| livenessProbe.httpGet.path | string | `"/passport/health-check"` | http liveness probe endpoint | +| nameOverride | string | `""` | | +| nodeSelector | object | `{}` | | +| readinessProbe | object | `{"failureThreshold":20,"httpGet":{"path":"/passport/health-check","port":"http-passport"},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the readiness healthcheck for the oxPassport if needed. | +| readinessProbe.httpGet.path | string | `"/passport/health-check"` | http readiness probe endpoint | +| replicas | int | `1` | Service replica number | +| resources | object | `{"limits":{"cpu":"700m","memory":"900Mi"},"requests":{"cpu":"700m","memory":"900Mi"}}` | Resource specs. | +| resources.limits.cpu | string | `"700m"` | CPU limit. | +| resources.limits.memory | string | `"900Mi"` | Memory limit. | +| resources.requests.cpu | string | `"700m"` | CPU request. | +| resources.requests.memory | string | `"900Mi"` | Memory request. | +| service.name | string | `"http-passport"` | The name of the oxPassport port within the oxPassport service. Please keep it as default. | +| service.port | int | `8090` | Port of the oxPassport service. Please keep it as default. 
| +| service.sessionAffinity | string | `"None"` | Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP | +| service.sessionAffinityConfig | object | `{"clientIP":{"timeoutSeconds":10800}}` | the maximum session sticky time if sessionAffinity is ClientIP | +| tolerations | list | `[]` | | +| usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.7.0](https://github.com/norwoodj/helm-docs/releases/v1.7.0) diff --git a/charts/gluu/gluu/5.0.302/charts/oxpassport/templates/_helpers.tpl b/charts/gluu/gluu/5.0.302/charts/oxpassport/templates/_helpers.tpl new file mode 100644 index 000000000..9a8fa7197 --- /dev/null +++ b/charts/gluu/gluu/5.0.302/charts/oxpassport/templates/_helpers.tpl 
@@ -0,0 +1,68 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "oxpassport.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "oxpassport.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "oxpassport.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+ Common labels
+*/}}
+{{- define "oxpassport.labels" -}}
+app: {{ .Release.Name }}-{{ include "oxpassport.name" . }}
+helm.sh/chart: {{ include "oxpassport.chart" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end -}}
+
+{{/*
+Create user custom defined envs
+*/}}
+{{- define "oxpassport.usr-envs"}}
+{{- range $key, $val := .Values.usrEnvs.normal }}
+- name: {{ $key }}
+ value: {{ $val }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create user custom defined secret envs
+*/}}
+{{- define "oxpassport.usr-secret-envs"}}
+{{- range $key, $val := .Values.usrEnvs.secret }}
+- name: {{ $key }}
+ valueFrom:
+ secretKeyRef:
+ name: {{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs
+ key: {{ $key }}
+{{- end }}
+{{- end }}
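Review bot: In `oxpassport.usr-envs` the line `value: {{ $val }}` writes the user-supplied value unquoted, so `true`, `1234` or a string containing `: ` or ` #` is re-parsed as non-string or truncated YAML and the env entry is rejected or silently altered. Use `value: {{ $val | quote }}`. The secret variant below it is not affected, since it only emits the key name.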
diff --git a/charts/gluu/gluu/5.0.302/charts/oxpassport/templates/deployment.yaml b/charts/gluu/gluu/5.0.302/charts/oxpassport/templates/deployment.yaml
new file mode 100644
index 000000000..1c58622f7
--- /dev/null
+++ b/charts/gluu/gluu/5.0.302/charts/oxpassport/templates/deployment.yaml
@@ -0,0 +1,147 @@ + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "oxpassport.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: +{{ include "oxpassport.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + replicas: {{ .Values.replicas }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "oxpassport.name" . }} + release: {{ .Release.Name }} + template: + metadata: + labels: + app: {{ .Release.Name }}-{{ include "oxpassport.name" . }} + release: {{ .Release.Name }} + {{- if .Values.global.istio.ingress }} + annotations: + sidecar.istio.io/rewriteAppHTTPProbers: "true" + {{- end }} + spec: + {{- with .Values.image.pullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + dnsPolicy: {{ .Values.dnsPolicy | quote }} + {{- with .Values.dnsConfig }} + dnsConfig: +{{ toYaml . | indent 8 }} + {{- end }} + containers: + - name: {{ include "oxpassport.name" . }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + env: + - name: PASSPORT_LOG_LEVEL + value: "info" + {{- include "oxpassport.usr-envs" . | indent 12 }} + {{- include "oxpassport.usr-secret-envs" . 
| indent 12 }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + command: + - /bin/sh + - -c + - | + /usr/bin/python3 /scripts/updatelbip.py & + /app/scripts/entrypoint.sh + {{- end }} + ports: + - name: {{ .Values.service.name }} + containerPort: {{ .Values.service.port }} + protocol: TCP + envFrom: + - configMapRef: + name: {{ .Release.Name }}-config-cm + {{ if .Values.global.usrEnvs.secret }} + - secretRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + {{ if .Values.global.usrEnvs.normal }} + - configMapRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + volumeMounts: + {{- with .Values.volumeMounts }} +{{- toYaml . | nindent 10 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - mountPath: {{ .Values.global.cnGoogleApplicationCredentials }} + name: google-sa + subPath: google-credentials.json + {{- end }} + + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "oxpassport.name" . 
}}-updatelbip + mountPath: /scripts + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + mountPath: "/etc/certs/couchbase.crt" + subPath: couchbase.crt + {{- end }} + {{- end }} + livenessProbe: +{{- toYaml .Values.livenessProbe | nindent 10 }} + readinessProbe: +{{- toYaml .Values.readinessProbe | nindent 10 }} + {{- if or (eq .Values.global.storageClass.provisioner "microk8s.io/hostpath" ) (eq .Values.global.storageClass.provisioner "k8s.io/minikube-hostpath") }} + resources: {} + {{- else if .Values.global.cloud.testEnviroment }} + resources: {} + {{- else }} + resources: +{{- toYaml .Values.resources | nindent 10 }} + {{- end }} + {{- if not .Values.global.isFqdnRegistered }} + hostAliases: + - ip: {{ .Values.global.lbIp }} + hostnames: + - {{ .Values.global.fqdn }} + {{- end }} + volumes: + {{- with .Values.volumes }} +{{- toYaml . | nindent 8 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - name: google-sa + secret: + secretName: {{ .Release.Name }}-google-sa + {{- end }} + + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "oxpassport.name" . }}-updatelbip + configMap: + name: {{ .Release.Name }}-updatelbip + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + secret: + secretName: {{ .Release.Name }}-cb-crt + {{- end }} + {{- end }} + {{- with .Values.nodeSelector }} + nodeSelector: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: +{{ toYaml . 
| indent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} + {{- end }} diff --git a/charts/gluu/gluu/5.0.302/charts/oxpassport/templates/hpa.yaml b/charts/gluu/gluu/5.0.302/charts/oxpassport/templates/hpa.yaml new file mode 100644 index 000000000..40701b3da --- /dev/null +++ b/charts/gluu/gluu/5.0.302/charts/oxpassport/templates/hpa.yaml @@ -0,0 +1,37 @@ +{{ if .Values.hpa.enabled -}} + +apiVersion: autoscaling/v1 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "oxpassport.fullname" . }} + labels: +{{ include "oxpassport.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "oxpassport.fullname" . }} + minReplicas: {{ .Values.hpa.minReplicas }} + maxReplicas: {{ .Values.hpa.maxReplicas }} + {{- if .Values.hpa.targetCPUUtilizationPercentage }} + targetCPUUtilizationPercentage: {{ .Values.hpa.targetCPUUtilizationPercentage }} + {{- else if .Values.hpa.metrics }} + metrics: + {{- with .Values.hpa.metrics }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} + {{- if .Values.hpa.behavior }} + behavior: + {{- with .Values.hpa.behavior }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.302/charts/oxpassport/templates/oxpassport-destination-rules.yaml b/charts/gluu/gluu/5.0.302/charts/oxpassport/templates/oxpassport-destination-rules.yaml new file mode 100644 index 000000000..50a3c9088 --- /dev/null +++ b/charts/gluu/gluu/5.0.302/charts/oxpassport/templates/oxpassport-destination-rules.yaml 
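Review bot: In the `command:` override of deployment.yaml, `/app/scripts/entrypoint.sh` is started as a child of `/bin/sh` after `updatelbip.py &`, so the shell stays PID 1 and the SIGTERM sent at pod shutdown may never reach the application; a failure of the background script also goes unnoticed. Ending the script with `exec /app/scripts/entrypoint.sh` hands PID 1 to the entrypoint. In the same hunk, `hostAliases` renders `ip: {{ .Values.global.lbIp }}` whenever `isFqdnRegistered` is false, and an unset `lbIp` would produce an empty `ip:`; `{{ required "global.lbIp must be set when isFqdnRegistered is false" .Values.global.lbIp | quote }}` makes that fail at render time instead of at admission.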
@@ -0,0 +1,22 @@
+{{- if .Values.global.istio.enabled }}
+
+apiVersion: networking.istio.io/v1alpha3
+kind: DestinationRule
+metadata:
+ name: {{ .Release.Name }}-oxpassport-mtls
+ namespace: {{.Release.Namespace}}
+ labels:
+{{ include "oxpassport.labels" . | indent 4}}
+{{- if .Values.additionalLabels }}
+{{ toYaml .Values.additionalLabels | indent 4 }}
+{{- end }}
+{{- if .Values.additionalAnnotations }}
+ annotations:
+{{ toYaml .Values.additionalAnnotations | indent 4 }}
+{{- end }}
+spec:
+ host: {{ .Values.global.oxpassport.oxPassportServiceName }}.{{ .Release.Namespace }}.svc.cluster.local
+ trafficPolicy:
+ tls:
+ mode: ISTIO_MUTUAL
+{{- end }}
\ No newline at end of file
diff --git a/charts/gluu/gluu/5.0.302/charts/oxpassport/templates/oxpassport-virtual-services.yaml b/charts/gluu/gluu/5.0.302/charts/oxpassport/templates/oxpassport-virtual-services.yaml
new file mode 100644
index 000000000..38567a21f
--- /dev/null
+++ b/charts/gluu/gluu/5.0.302/charts/oxpassport/templates/oxpassport-virtual-services.yaml
@@ -0,0 +1,33 @@
+{{- if .Values.global.istio.ingress }}
+
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+ name: {{ .Release.Name }}-istio-passport
+ namespace: {{.Release.Namespace}}
+ labels:
+{{ include "oxpassport.labels" . | indent 4}}
+{{- if .Values.additionalLabels }}
+{{ toYaml .Values.additionalLabels | indent 4 }}
+{{- end }}
+{{- if .Values.additionalAnnotations }}
+ annotations:
+{{ toYaml .Values.additionalAnnotations | indent 4 }}
+{{- end }}
+spec:
+ hosts:
+ - {{ .Values.global.fqdn }}
+ gateways:
+ - {{ .Release.Name }}-global-gtw
+ http:
+ - name: {{ .Release.Name }}-istio-passport
+ match:
+ - uri:
+ prefix: "/passport"
+ route:
+ - destination:
+ host: {{ .Values.global.oxpassport.oxPassportServiceName }}.{{ .Release.Namespace }}.svc.cluster.local
+ port:
+ number: 8090
+ weight: 100
+{{- end }}
diff --git a/charts/gluu/gluu/5.0.302/charts/oxpassport/templates/service.yaml b/charts/gluu/gluu/5.0.302/charts/oxpassport/templates/service.yaml
new file mode 100644
index 000000000..87a941883
--- /dev/null
+++ b/charts/gluu/gluu/5.0.302/charts/oxpassport/templates/service.yaml
@@ -0,0 +1,30 @@
+
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ .Values.global.oxpassport.oxPassportServiceName }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+{{ include "oxpassport.labels" . | indent 4}}
+{{- if .Values.additionalLabels }}
+{{ toYaml .Values.additionalLabels | indent 4 }}
+{{- end }}
+{{- if .Values.additionalAnnotations }}
+ annotations:
+{{ toYaml .Values.additionalAnnotations | indent 4 }}
+{{- end }}
+spec:
+ {{- if .Values.global.alb.ingress }}
+ type: NodePort
+ {{- end }}
+ ports:
+ - port: {{ .Values.service.port }}
+ name: {{ .Values.service.name }}
+ selector:
+ app: {{ .Release.Name }}-{{ include "oxpassport.name" . }}
+ release: {{ .Release.Name }}
+ sessionAffinity: {{ .Values.service.sessionAffinity }}
+ {{- with .Values.service.sessionAffinityConfig }}
+ sessionAffinityConfig:
+{{ toYaml . | indent 4 }}
+ {{- end }}
diff --git a/charts/gluu/gluu/5.0.302/charts/oxpassport/templates/user-custom-secret-envs.yaml b/charts/gluu/gluu/5.0.302/charts/oxpassport/templates/user-custom-secret-envs.yaml
new file mode 100644
index 000000000..ea0ac11ae
--- /dev/null
+++ b/charts/gluu/gluu/5.0.302/charts/oxpassport/templates/user-custom-secret-envs.yaml
@@ -0,0 +1,21 @@
+{{ if .Values.usrEnvs.secret }}
+
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ .Release.Name }}-{{ .Chart.Name }}-user-custom-envs
+ labels:
+{{ include "oxpassport.labels" . | indent 4}}
+{{- if .Values.additionalLabels }}
+{{ toYaml .Values.additionalLabels | indent 4 }}
+{{- end }}
+{{- if .Values.additionalAnnotations }}
+ annotations:
+{{ toYaml .Values.additionalAnnotations | indent 4 }}
+{{- end }}
+type: Opaque
+data:
+ {{- range $key, $val := .Values.usrEnvs.secret }}
+ {{ $key }}: {{ $val | b64enc }}
+ {{- end}}
+{{- end}}
\ No newline at end of file
diff --git a/charts/gluu/gluu/5.0.302/charts/oxpassport/values.yaml b/charts/gluu/gluu/5.0.302/charts/oxpassport/values.yaml
new file mode 100644
index 000000000..b9654930a
--- /dev/null
+++ b/charts/gluu/gluu/5.0.302/charts/oxpassport/values.yaml
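Review bot: `{{ $val | b64enc }}` in the `data:` loop fails to render when a `usrEnvs.secret` value is not a string, because YAML values such as `1234` or `true` reach the template as numbers or booleans and `b64enc` accepts only a string. The line should be `{{ $key }}: {{ $val | toString | b64enc | quote }}`. The Secret also omits `namespace: {{ .Release.Namespace }}`, which the Service and Istio templates of this subchart set explicitly. Values supplied under `usrEnvs.secret` are additionally kept in the Helm release record, so read access to release data in the namespace needs the same restriction as the Secret itself. The oxshibboleth copy of this template later in the patch has the same `b64enc` line.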
@@ -0,0 +1,97 @@
+
+# -- Gluu interface to Passport.js to support social login and inbound identity.
+# -- Configure the HorizontalPodAutoscaler
+hpa:
+ enabled: true
+ minReplicas: 1
+ maxReplicas: 10
+ targetCPUUtilizationPercentage: 50
+ # -- metrics if targetCPUUtilizationPercentage is not set
+ metrics: []
+ # -- Scaling Policies
+ behavior: {}
+# -- Add custom normal and secret envs to the service
+usrEnvs:
+ # -- Add custom normal envs to the service
+ # variable1: value1
+ normal: {}
+ # -- Add custom secret envs to the service
+ # variable1: value1
+ secret: {}
+# -- Add custom dns policy
+dnsPolicy: ""
+# -- Add custom dns config
+dnsConfig: {}
+image:
+ # -- Image pullPolicy to use for deploying.
+ pullPolicy: IfNotPresent
+ # -- Image to use for deploying.
+ repository: gluufederation/oxpassport
+ # -- Image tag to use for deploying.
+ tag: 5.0.0_dev
+ # -- Image Pull Secrets
+ pullSecrets: [ ]
+# -- Service replica number
+replicas: 1
+# -- Resource specs.
+resources:
+ limits:
+ # -- CPU limit.
+ cpu: 700m
+ # -- Memory limit.
+ memory: 900Mi
+ requests:
+ # -- CPU request.
+ cpu: 700m
+ # -- Memory request.
+ memory: 900Mi
+service:
+ # -- Port of the oxPassport service. Please keep it as default.
+ port: 8090
+ # -- The name of the oxPassport port within the oxPassport service. Please keep it as default.
+ name: http-passport
+ # -- Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP
+ sessionAffinity: None
+ # -- the maximum session sticky time if sessionAffinity is ClientIP
+ sessionAffinityConfig:
+ clientIP:
+ timeoutSeconds: 10800
+
+# -- Configure the liveness healthcheck for oxPassport if needed.
+livenessProbe:
+ httpGet:
+ # -- http liveness probe endpoint
+ path: /passport/health-check
+ port: http-passport
+ initialDelaySeconds: 30
+ periodSeconds: 30
+ timeoutSeconds: 5
+ failureThreshold: 20
+# -- Configure the readiness healthcheck for the oxPassport if needed.
+readinessProbe:
+ httpGet:
+ # -- http readiness probe endpoint
+ path: /passport/health-check
+ port: http-passport
+ initialDelaySeconds: 25
+ periodSeconds: 25
+ timeoutSeconds: 5
+ failureThreshold: 20
+# -- Configure any additional volumes that need to be attached to the pod
+volumes: []
+# -- Configure any additional volumesMounts that need to be attached to the containers
+volumeMounts: []
+
+nameOverride: ""
+fullnameOverride: ""
+
+nodeSelector: {}
+
+tolerations: []
+
+affinity: {}
+
+# -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"}
+additionalLabels: { }
+# -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken
+additionalAnnotations: { }
\ No newline at end of file
diff --git a/charts/gluu/gluu/5.0.302/charts/oxshibboleth/.helmignore b/charts/gluu/gluu/5.0.302/charts/oxshibboleth/.helmignore
new file mode 100644
index 000000000..f0c131944
--- /dev/null
+++ b/charts/gluu/gluu/5.0.302/charts/oxshibboleth/.helmignore
@@ -0,0 +1,21 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
diff --git a/charts/gluu/gluu/5.0.302/charts/oxshibboleth/Chart.yaml b/charts/gluu/gluu/5.0.302/charts/oxshibboleth/Chart.yaml
new file mode 100644
index 000000000..d259a29ab
--- /dev/null
+++ b/charts/gluu/gluu/5.0.302/charts/oxshibboleth/Chart.yaml
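Review bot: The default `tag: 5.0.0_dev` together with `pullPolicy: IfNotPresent` does not fix which image content runs: a `_dev` tag is presumably republished, so nodes that already cached it keep an older build while new nodes pull the current one. For a component that handles social login and inbound identity, the default should be a published release tag (or a digest-pinned reference), with the helm-docs comment saying so, e.g. `# -- Image tag to use for deploying. Prefer an immutable release tag or digest.` The oxshibboleth values.yaml added later in this patch uses the same `5.0.0_dev` default.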
@@ -0,0 +1,20 @@
+apiVersion: v2
+appVersion: 5.0.0
+description: Shibboleth project for the Gluu Server's SAML IDP functionality.
+home: https://gluu.org/docs/gluu-server
+icon: https://gluu.org/docs/gluu-server/favicon.ico
+keywords:
+- SAML
+- Shibboleth
+kubeVersion: '>=v1.21.0-0'
+maintainers:
+- email: support@gluu.org
+ name: Mohammad Abudayyeh
+ url: https://github.com/moabu
+name: oxshibboleth
+sources:
+- https://github.com/GluuFederation/oxShibboleth
+- https://github.com/GluuFederation/docker-oxshibboleth
+- https://github.com/GluuFederation/flex/tree/main/flex-cn-setup/pygluu/kubernetes/templates/helm/gluu/charts/oxshibboleth
+type: application
+version: 5.0.3
diff --git a/charts/gluu/gluu/5.0.302/charts/oxshibboleth/README.md b/charts/gluu/gluu/5.0.302/charts/oxshibboleth/README.md
new file mode 100644
index 000000000..6abc31ac1
--- /dev/null
+++ b/charts/gluu/gluu/5.0.302/charts/oxshibboleth/README.md
@@ -0,0 +1,67 @@ +# oxshibboleth + +![Version: 5.0.3](https://img.shields.io/badge/Version-5.0.3-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.0](https://img.shields.io/badge/AppVersion-5.0.0-informational?style=flat-square) + +Shibboleth project for the Gluu Server's SAML IDP functionality. + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | support@gluu.org | https://github.com/moabu | + +## Source Code + +* +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| additionalAnnotations | object | `{}` | Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken | +| additionalLabels | object | `{}` | Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} | +| affinity | object | `{}` | | +| dnsConfig | object | `{}` | Add custom dns config | +| dnsPolicy | string | `""` | Add custom dns policy | +| fullnameOverride | string | `""` | | +| hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| hpa.behavior | object | `{}` | Scaling Policies | +| hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| image.pullSecrets | list | `[]` | Image Pull Secrets | +| image.repository | string | `"gluufederation/oxshibboleth"` | Image to use for deploying. | +| image.tag | string | `"5.0.0_dev"` | Image tag to use for deploying. 
| +| livenessProbe | object | `{"httpGet":{"path":"/idp","port":"http-oxshib"},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for the oxShibboleth if needed. | +| livenessProbe.httpGet.path | string | `"/idp"` | http liveness probe endpoint | +| nameOverride | string | `""` | | +| nodeSelector | object | `{}` | | +| readinessProbe | object | `{"httpGet":{"path":"/idp","port":"http-oxshib"},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the readiness healthcheck for the oxshibboleth if needed. | +| readinessProbe.httpGet.path | string | `"/idp"` | http liveness probe endpoint | +| replicas | int | `1` | Service replica number. | +| resources | object | `{"limits":{"cpu":"1000m","memory":"1000Mi"},"requests":{"cpu":"1000m","memory":"1000Mi"}}` | Resource specs. | +| resources.limits.cpu | string | `"1000m"` | CPU limit. | +| resources.limits.memory | string | `"1000Mi"` | Memory limit. | +| resources.requests.cpu | string | `"1000m"` | CPU request. | +| resources.requests.memory | string | `"1000Mi"` | Memory request. | +| service.name | string | `"http-oxshib"` | Port of the oxShibboleth service. Please keep it as default. | +| service.port | int | `8080` | The name of the oxShibboleth port within the oxShibboleth service. Please keep it as default. 
| +| service.sessionAffinity | string | `"None"` | Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP | +| service.sessionAffinityConfig | object | `{"clientIP":{"timeoutSeconds":10800}}` | the maximum session sticky time if sessionAffinity is ClientIP | +| service.targetPort | int | `8080` | | +| tolerations | list | `[]` | | +| usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.7.0](https://github.com/norwoodj/helm-docs/releases/v1.7.0) diff --git a/charts/gluu/gluu/5.0.302/charts/oxshibboleth/templates/_helpers.tpl b/charts/gluu/gluu/5.0.302/charts/oxshibboleth/templates/_helpers.tpl new file mode 100644 index 000000000..daa1f2ea7 --- /dev/null +++ b/charts/gluu/gluu/5.0.302/charts/oxshibboleth/templates/_helpers.tpl 
@@ -0,0 +1,68 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "oxshibboleth.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "oxshibboleth.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "oxshibboleth.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* + Common labels +*/}} +{{- define "oxshibboleth.labels" -}} +app: {{ .Release.Name }}-{{ include "oxshibboleth.name" . }} +helm.sh/chart: {{ include "oxshibboleth.chart" . 
}} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Create user custom defined envs +*/}} +{{- define "oxshibboleth.usr-envs"}} +{{- range $key, $val := .Values.usrEnvs.normal }} +- name: {{ $key }} + value: {{ $val }} +{{- end }} +{{- end }} + +{{/* +Create user custom defined secret envs +*/}} +{{- define "oxshibboleth.usr-secret-envs"}} +{{- range $key, $val := .Values.usrEnvs.secret }} +- name: {{ $key }} + valueFrom: + secretKeyRef: + name: {{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs + key: {{ $key }} +{{- end }} +{{- end }} diff --git a/charts/gluu/gluu/5.0.302/charts/oxshibboleth/templates/hpa.yaml b/charts/gluu/gluu/5.0.302/charts/oxshibboleth/templates/hpa.yaml new file mode 100644 index 000000000..6edf6a5a0 --- /dev/null +++ b/charts/gluu/gluu/5.0.302/charts/oxshibboleth/templates/hpa.yaml 
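Review bot: In `oxshibboleth.usr-envs`, `value: {{ $val }}` is rendered unquoted, so a `usrEnvs.normal` entry such as `true`, `8080` or an empty string becomes a YAML boolean, number or null, and an env entry whose `value` is not a string is rejected when the StatefulSet is applied. A value containing `: ` or ` #` would also change the structure of the rendered manifest rather than being passed through as data. Use `value: {{ $val | quote }}`, and quote the name the same way in both helpers: `- name: {{ $key | quote }}`.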
@@ -0,0 +1,38 @@
+{{ if .Values.hpa.enabled -}}
+
+apiVersion: autoscaling/v1
+kind: HorizontalPodAutoscaler
+metadata:
+ name: {{ include "oxshibboleth.fullname" . }}
+ labels:
+ APP_NAME: oxshibboleth
+{{ include "oxshibboleth.labels" . | indent 4 }}
+{{- if .Values.additionalLabels }}
+{{ toYaml .Values.additionalLabels | indent 4 }}
+{{- end }}
+{{- if .Values.additionalAnnotations }}
+ annotations:
+{{ toYaml .Values.additionalAnnotations | indent 4 }}
+{{- end }}
+spec:
+ scaleTargetRef:
+ apiVersion: apps/v1
+ kind: StatefulSet
+ name: {{ include "oxshibboleth.fullname" . }}
+ minReplicas: {{ .Values.hpa.minReplicas }}
+ maxReplicas: {{ .Values.hpa.maxReplicas }}
+ {{- if .Values.hpa.targetCPUUtilizationPercentage }}
+ targetCPUUtilizationPercentage: {{ .Values.hpa.targetCPUUtilizationPercentage }}
+ {{- else if .Values.hpa.metrics }}
+ metrics:
+ {{- with .Values.hpa.metrics }}
+{{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- end }}
+ {{- if .Values.hpa.behavior }}
+ behavior:
+ {{- with .Values.hpa.behavior }}
+{{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/gluu/gluu/5.0.302/charts/oxshibboleth/templates/oxshibboleth-destination-rules.yaml b/charts/gluu/gluu/5.0.302/charts/oxshibboleth/templates/oxshibboleth-destination-rules.yaml
new file mode 100644
index 000000000..677a46ff7
--- /dev/null
+++ b/charts/gluu/gluu/5.0.302/charts/oxshibboleth/templates/oxshibboleth-destination-rules.yaml
@@ -0,0 +1,23 @@
+{{- if .Values.global.istio.enabled }}
+
+apiVersion: networking.istio.io/v1alpha3
+kind: DestinationRule
+metadata:
+ name: {{ .Release.Name }}-oxshibboleth-mtls
+ namespace: {{ .Release.Namespace }}
+ labels:
+ APP_NAME: oxshibboleth
+{{ include "oxshibboleth.labels" . | indent 4 }}
+{{- if .Values.additionalLabels }}
+{{ toYaml .Values.additionalLabels | indent 4 }}
+{{- end }}
+{{- if .Values.additionalAnnotations }}
+ annotations:
+{{ toYaml .Values.additionalAnnotations | indent 4 }}
+{{- end }}
+spec:
+ host: {{ .Values.global.oxshibboleth.oxShibbolethServiceName }}.{{ .Release.Namespace }}.svc.cluster.local
+ trafficPolicy:
+ tls:
+ mode: ISTIO_MUTUAL
+{{- end }}
\ No newline at end of file
diff --git a/charts/gluu/gluu/5.0.302/charts/oxshibboleth/templates/oxshibboleth-virtual-services.yaml b/charts/gluu/gluu/5.0.302/charts/oxshibboleth/templates/oxshibboleth-virtual-services.yaml
new file mode 100644
index 000000000..872b068bd
--- /dev/null
+++ b/charts/gluu/gluu/5.0.302/charts/oxshibboleth/templates/oxshibboleth-virtual-services.yaml
@@ -0,0 +1,36 @@
+{{- if .Values.global.istio.ingress }}
+
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+ name: {{ .Release.Name }}-istio-oxshibbioleth
+ namespace: {{ .Release.Namespace }}
+ labels:
+ APP_NAME: oxshibboleth
+{{ include "oxshibboleth.labels" . | indent 4 }}
+{{- if .Values.additionalLabels }}
+{{ toYaml .Values.additionalLabels | indent 4 }}
+{{- end }}
+{{- if .Values.additionalAnnotations }}
+ annotations:
+{{ toYaml .Values.additionalAnnotations | indent 4 }}
+{{- end }}
+spec:
+ hosts:
+ - {{ .Values.global.fqdn }}
+ gateways:
+ - {{ .Release.Name }}-global-gtw
+ http:
+ - name: {{ .Release.Name }}-istio-oxshibbioleth
+ match:
+ - uri:
+ prefix: /idp
+ rewrite:
+ uri: /identity
+ route:
+ - destination:
+ host: {{ .Values.global.oxshibboleth.oxShibbolethServiceName }}.{{ .Release.Namespace }}.svc.cluster.local
+ port:
+ number: 8080
+ weight: 100
+{{- end }}
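Review bot: The route matches `prefix: /idp` but rewrites it to `uri: /identity`, while the probes in this subchart's values.yaml address the container at `/idp`. The rewrite looks carried over from another service's VirtualService and would forward SAML IdP requests to a path the Shibboleth container presumably does not serve. If no rewrite is intended, drop the `rewrite:` block. The destination port is hard-coded as `number: 8080` instead of `{{ .Values.service.port }}`, and `istio-oxshibbioleth` (in `metadata.name` and the route name) looks like a misspelling of oxshibboleth.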
@@ -0,0 +1,34 @@ + +apiVersion: v1 +kind: Service +metadata: + name: {{ .Values.global.oxshibboleth.oxShibbolethServiceName }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: oxshibboleth +{{ include "oxshibboleth.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + {{- if .Values.global.alb.ingress }} + type: NodePort + {{- else }} + clusterIP: None + {{- end }} + ports: + - port: {{ .Values.service.port }} + targetPort: {{ .Values.service.targetPort }} + name: {{ .Values.service.name }} + selector: + app: {{ .Release.Name }}-{{ include "oxshibboleth.name" . }} + release: {{ .Release.Name }} + sessionAffinity: {{ .Values.service.sessionAffinity }} + {{- with .Values.service.sessionAffinityConfig }} + sessionAffinityConfig: +{{ toYaml . | indent 4 }} + {{- end }} diff --git a/charts/gluu/gluu/5.0.302/charts/oxshibboleth/templates/statefulset.yaml b/charts/gluu/gluu/5.0.302/charts/oxshibboleth/templates/statefulset.yaml new file mode 100644 index 000000000..563eb21dc --- /dev/null +++ b/charts/gluu/gluu/5.0.302/charts/oxshibboleth/templates/statefulset.yaml 
@@ -0,0 +1,133 @@ + +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: {{ include "oxshibboleth.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: oxshibboleth +{{ include "oxshibboleth.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + serviceName: oxshibboleth + replicas: {{ .Values.replicas }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "oxshibboleth.name" . }} + release: {{ .Release.Name }} + template: + metadata: + labels: + APP_NAME: oxshibboleth + app: {{ .Release.Name }}-{{ include "oxshibboleth.name" . }} + release: {{ .Release.Name }} + {{- if .Values.global.istio.ingress }} + annotations: + sidecar.istio.io/rewriteAppHTTPProbers: "true" + {{- end }} + spec: + {{- with .Values.image.pullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + dnsPolicy: {{ .Values.dnsPolicy | quote }} + {{- with .Values.dnsConfig }} + dnsConfig: +{{ toYaml . | indent 8 }} + {{- end }} + containers: + - name: {{ include "oxshibboleth.name" . }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + env: + {{- include "oxshibboleth.usr-envs" . | indent 12 }} + {{- include "oxshibboleth.usr-secret-envs" . 
| indent 12 }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + command: + - /bin/sh + - -c + - | + /usr/bin/python3 /scripts/updatelbip.py & + /app/scripts/entrypoint.sh + {{- end }} + ports: + - name: {{ .Values.service.name }} + containerPort: {{ .Values.service.port }} + protocol: TCP + envFrom: + - configMapRef: + name: {{ .Release.Name }}-config-cm + {{ if .Values.global.usrEnvs.secret }} + - secretRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + {{ if .Values.global.usrEnvs.normal }} + - configMapRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + volumeMounts: + {{- with .Values.volumeMounts }} +{{- toYaml . | nindent 12 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - mountPath: {{ .Values.global.cnGoogleApplicationCredentials }} + name: google-sa + subPath: google-credentials.json + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "oxshibboleth.fullname" .}}-updatelbip + mountPath: /scripts + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + mountPath: "/etc/certs/couchbase.crt" + subPath: couchbase.crt + {{- end }} + {{- end }} + livenessProbe: +{{- toYaml .Values.livenessProbe | nindent 10 }} + readinessProbe: +{{- toYaml .Values.readinessProbe | nindent 10 }} + {{- if or (eq .Values.global.storageClass.provisioner "microk8s.io/hostpath" ) (eq .Values.global.storageClass.provisioner "k8s.io/minikube-hostpath") }} + resources: {} + 
{{- else if .Values.global.cloud.testEnviroment }} + resources: {} + {{- else }} + resources: +{{- toYaml .Values.resources | nindent 10 }} + {{- end }} + {{- if not .Values.global.isFqdnRegistered }} + hostAliases: + - ip: {{ .Values.global.lbIp }} + hostnames: + - {{ .Values.global.fqdn }} + {{- end }} + volumes: + {{- with .Values.volumes }} +{{- toYaml . | nindent 8 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - name: google-sa + secret: + secretName: {{ .Release.Name }}-google-sa + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "oxshibboleth.fullname" .}}-updatelbip + configMap: + name: {{ .Release.Name }}-updatelbip + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + secret: + secretName: {{ .Release.Name }}-cb-crt + {{- end }} + {{- end }} diff --git a/charts/gluu/gluu/5.0.302/charts/oxshibboleth/templates/user-custom-secret-envs.yaml b/charts/gluu/gluu/5.0.302/charts/oxshibboleth/templates/user-custom-secret-envs.yaml new file mode 100644 index 000000000..a6561a6a6 --- /dev/null +++ b/charts/gluu/gluu/5.0.302/charts/oxshibboleth/templates/user-custom-secret-envs.yaml 
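Review bot: The container spec in this StatefulSet sets no `securityContext`, so the SAML IdP container runs with whatever user and privileges the image defaults to. Add at least `securityContext: {allowPrivilegeEscalation: false, capabilities: {drop: ["ALL"]}}` under the container, and `runAsNonRoot: true` once it is confirmed that the image supports it. Separately, `serviceName: oxshibboleth` is hard-coded although service.yaml names the Service from `.Values.global.oxshibboleth.oxShibbolethServiceName`. It should be `serviceName: {{ .Values.global.oxshibboleth.oxShibbolethServiceName }}` so the StatefulSet keeps pointing at its governing Service when that value is changed. `containerPort` is also taken from `service.port` rather than `service.targetPort`, and the `nodeSelector`, `affinity` and `tolerations` values are not rendered here.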
@@ -0,0 +1,22 @@
+{{ if .Values.usrEnvs.secret }}
+
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ .Release.Name }}-{{ .Chart.Name }}-user-custom-envs
+ labels:
+ APP_NAME: oxshibboleth
+{{ include "oxshibboleth.labels" . | indent 4 }}
+{{- if .Values.additionalLabels }}
+{{ toYaml .Values.additionalLabels | indent 4 }}
+{{- end }}
+{{- if .Values.additionalAnnotations }}
+ annotations:
+{{ toYaml .Values.additionalAnnotations | indent 4 }}
+{{- end }}
+type: Opaque
+data:
+ {{- range $key, $val := .Values.usrEnvs.secret }}
+ {{ $key }}: {{ $val | b64enc }}
+ {{- end}}
+{{- end}}
\ No newline at end of file
diff --git a/charts/gluu/gluu/5.0.302/charts/oxshibboleth/values.yaml b/charts/gluu/gluu/5.0.302/charts/oxshibboleth/values.yaml
new file mode 100644
index 000000000..6baaa0bcc
--- /dev/null
+++ b/charts/gluu/gluu/5.0.302/charts/oxshibboleth/values.yaml
@@ -0,0 +1,96 @@
+
+# -- Shibboleth project for the Gluu Server's SAML IDP functionality.
+# -- Configure the HorizontalPodAutoscaler
+hpa:
+ enabled: true
+ minReplicas: 1
+ maxReplicas: 10
+ targetCPUUtilizationPercentage: 50
+ # -- metrics if targetCPUUtilizationPercentage is not set
+ metrics: []
+ # -- Scaling Policies
+ behavior: {}
+# -- Add custom normal and secret envs to the service
+usrEnvs:
+ # -- Add custom normal envs to the service
+ # variable1: value1
+ normal: {}
+ # -- Add custom secret envs to the service
+ # variable1: value1
+ secret: {}
+# -- Add custom dns policy
+dnsPolicy: ""
+# -- Add custom dns config
+dnsConfig: {}
+image:
+ # -- Image pullPolicy to use for deploying.
+ pullPolicy: IfNotPresent
+ # -- Image to use for deploying.
+ repository: gluufederation/oxshibboleth
+ # -- Image tag to use for deploying.
+ tag: 5.0.0_dev
+ # -- Image Pull Secrets
+ pullSecrets: [ ]
+# -- Service replica number.
+replicas: 1
+# -- Resource specs.
+resources:
+ limits:
+ # -- CPU limit.
+ cpu: 1000m
+ # -- Memory limit.
+ memory: 1000Mi
+ requests:
+ # -- CPU request.
+ cpu: 1000m
+ # -- Memory request.
+ memory: 1000Mi
+service:
+ # -- The name of the oxShibboleth port within the oxShibboleth service. Please keep it as default.
+ port: 8080
+ targetPort: 8080
+ # -- Port of the oxShibboleth service. Please keep it as default.
+ name: http-oxshib
+ # -- Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP
+ sessionAffinity: None
+ # -- the maximum session sticky time if sessionAffinity is ClientIP
+ sessionAffinityConfig:
+ clientIP:
+ timeoutSeconds: 10800
+
+# -- Configure the liveness healthcheck for the oxShibboleth if needed.
+livenessProbe:
+ httpGet:
+ # -- http liveness probe endpoint
+ path: /idp
+ port: http-oxshib
+ initialDelaySeconds: 30
+ periodSeconds: 30
+ timeoutSeconds: 5
+# -- Configure the readiness healthcheck for the oxshibboleth if needed.
+readinessProbe:
+ httpGet:
+ # -- http liveness probe endpoint
+ path: /idp
+ port: http-oxshib
+ initialDelaySeconds: 25
+ periodSeconds: 25
+ timeoutSeconds: 5
+# -- Configure any additional volumes that need to be attached to the pod
+volumes: []
+# -- Configure any additional volumesMounts that need to be attached to the containers
+volumeMounts: []
+
+nameOverride: ""
+fullnameOverride: ""
+
+nodeSelector: {}
+
+tolerations: []
+
+affinity: {}
+
+# -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"}
+additionalLabels: { }
+# -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken
+additionalAnnotations: { }
\ No newline at end of file
diff --git a/charts/gluu/gluu/5.0.302/charts/persistence/.helmignore b/charts/gluu/gluu/5.0.302/charts/persistence/.helmignore
new file mode 100644
index 000000000..50af03172
--- /dev/null
+++ b/charts/gluu/gluu/5.0.302/charts/persistence/.helmignore
@@ -0,0 +1,22 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/charts/gluu/gluu/5.0.302/charts/persistence/Chart.yaml b/charts/gluu/gluu/5.0.302/charts/persistence/Chart.yaml
new file mode 100644
index 000000000..003c2f73c
--- /dev/null
+++ b/charts/gluu/gluu/5.0.302/charts/persistence/Chart.yaml
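Review bot: The helm-docs comments on `service.port` and `service.name` in this values.yaml are swapped: `port: 8080` is described as the name of the port and `name: http-oxshib` as the port of the service, and the generated README table in this patch repeats the mix-up. Put `# -- Port of the oxShibboleth service. Please keep it as default.` above `port:` and `# -- The name of the oxShibboleth port within the oxShibboleth service. Please keep it as default.` above `name:`. The comment under `readinessProbe.httpGet` should read `# -- http readiness probe endpoint`, and `targetPort` has no description at all.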
@@ -0,0 +1,18 @@
+apiVersion: v2
+appVersion: 5.0.0
+description: Job to generate data and initial config for Gluu Server persistence layer.
+home: https://gluu.org/docs/gluu-server
+icon: https://gluu.org/docs/gluu-server/favicon.ico
+keywords:
+- persistence prep
+kubeVersion: '>=v1.21.0-0'
+maintainers:
+- email: support@gluu.org
+ name: Mohammad Abudayyeh
+ url: https://github.com/moabu
+name: persistence
+sources:
+- https://github.com/JanssenProject/jans/docker-jans-persistence-loader
+- https://github.com/GluuFederation/flex/tree/main/flex-cn-setup/pygluu/kubernetes/templates/helm/gluu/charts/persistence
+type: application
+version: 5.0.3
diff --git a/charts/gluu/gluu/5.0.302/charts/persistence/README.md b/charts/gluu/gluu/5.0.302/charts/persistence/README.md
new file mode 100644
index 000000000..d465d81f8
--- /dev/null
+++ b/charts/gluu/gluu/5.0.302/charts/persistence/README.md
@@ -0,0 +1,51 @@ +# persistence + +![Version: 5.0.3](https://img.shields.io/badge/Version-5.0.3-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.0](https://img.shields.io/badge/AppVersion-5.0.0-informational?style=flat-square) + +Job to generate data and initial config for Gluu Server persistence layer. + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | support@gluu.org | https://github.com/moabu | + +## Source Code + +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| additionalAnnotations | object | `{}` | Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken | +| additionalLabels | object | `{}` | Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} | +| dnsConfig | object | `{}` | Add custom dns config | +| dnsPolicy | string | `""` | Add custom dns policy | +| fullnameOverride | string | `""` | | +| image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| image.pullSecrets | list | `[]` | Image Pull Secrets | +| image.repository | string | `"gluufederation/persistence"` | Image to use for deploying. | +| image.tag | string | `"1.0.0-beta.16"` | Image tag to use for deploying. | +| imagePullSecrets | list | `[]` | | +| nameOverride | string | `""` | | +| resources | object | `{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}}` | Resource specs. | +| resources.limits.cpu | string | `"300m"` | CPU limit | +| resources.limits.memory | string | `"300Mi"` | Memory limit. | +| resources.requests.cpu | string | `"300m"` | CPU request. | +| resources.requests.memory | string | `"300Mi"` | Memory request. 
| +| usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.7.0](https://github.com/norwoodj/helm-docs/releases/v1.7.0) diff --git a/charts/gluu/gluu/5.0.302/charts/persistence/templates/_helpers.tpl b/charts/gluu/gluu/5.0.302/charts/persistence/templates/_helpers.tpl new file mode 100644 index 000000000..ca0c55207 --- /dev/null +++ b/charts/gluu/gluu/5.0.302/charts/persistence/templates/_helpers.tpl 
@@ -0,0 +1,79 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "persistence.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "persistence.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "persistence.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Common labels +*/}} +{{- define "persistence.labels" -}} +app: {{ .Release.Name }}-{{ include "persistence.name" . }} +helm.sh/chart: {{ include "persistence.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Create the name of the service account to use +*/}} +{{- define "persistence.serviceAccountName" -}} +{{- if .Values.serviceAccount.create -}} + {{ default (include "persistence.fullname" .) 
.Values.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.serviceAccount.name }} +{{- end -}} +{{- end -}} + +{{/* +Create user custom defined envs +*/}} +{{- define "persistence.usr-envs"}} +{{- range $key, $val := .Values.usrEnvs.normal }} +- name: {{ $key }} + value: {{ $val }} +{{- end }} +{{- end }} + +{{/* +Create user custom defined secret envs +*/}} +{{- define "persistence.usr-secret-envs"}} +{{- range $key, $val := .Values.usrEnvs.secret }} +- name: {{ $key }} + valueFrom: + secretKeyRef: + name: {{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs + key: {{ $key }} +{{- end }} +{{- end }} diff --git a/charts/gluu/gluu/5.0.302/charts/persistence/templates/jobs.yml b/charts/gluu/gluu/5.0.302/charts/persistence/templates/jobs.yml new file mode 100644 index 000000000..9a3c73d51 --- /dev/null +++ b/charts/gluu/gluu/5.0.302/charts/persistence/templates/jobs.yml 
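Review bot: In `persistence.usr-envs`, `value: {{ $val }}` renders the operator-supplied value unquoted, so a value such as `true`, `1234`, or one containing `: ` or ` #` is parsed as a non-string or as different YAML, and the env entry is then rejected or altered. Quote it: `value: {{ $val | quote }}`. The same line appears in `scim.usr-envs` in charts/scim/templates/_helpers.tpl in this commit. Separately, `persistence.serviceAccountName` reads `.Values.serviceAccount.create`, but the persistence values.yaml added here defines no `serviceAccount` key, so that helper would presumably fail to render if any template ever included it.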
@@ -0,0 +1,96 @@ + +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ include "persistence.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: persistence-loader +{{ include "persistence.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ttlSecondsAfterFinished: 120 + template: + metadata: + name: {{ include "persistence.name" . }} + labels: + APP_NAME: persistence-loader + app: {{ .Release.Name }}-{{ include "persistence.name" . }} + spec: + {{- with .Values.image.pullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + dnsPolicy: {{ .Values.dnsPolicy | quote }} + {{- with .Values.dnsConfig }} + dnsConfig: +{{ toYaml . | indent 8 }} + {{- end }} + restartPolicy: Never + containers: + - name: {{ include "persistence.name" . }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + securityContext: + runAsUser: 1000 + runAsNonRoot: true + env: + {{- include "persistence.usr-envs" . | indent 12 }} + {{- include "persistence.usr-secret-envs" . | indent 12 }} + {{- if .Values.global.istio.enabled }} + command: + - tini + - -g + - -- + - /bin/sh + - -c + - | + /app/scripts/entrypoint.sh + curl -X POST http://localhost:15020/quitquitquit + {{- end }} + envFrom: + - configMapRef: + name: {{ .Release.Name }}-config-cm + {{ if .Values.global.usrEnvs.secret }} + - secretRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + {{ if .Values.global.usrEnvs.normal }} + - configMapRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + volumeMounts: + {{- with .Values.volumeMounts }} +{{- toYaml . 
| nindent 10 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - mountPath: {{ .Values.global.cnGoogleApplicationCredentials }} + name: google-sa + subPath: google-credentials.json + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: cb-crt + mountPath: "/etc/certs/couchbase.crt" + subPath: couchbase.crt + {{- end }} + resources: +{{- toYaml .Values.resources | nindent 10 }} + volumes: + {{- with .Values.volumes }} +{{- toYaml . | nindent 8 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - name: google-sa + secret: + secretName: {{ .Release.Name }}-google-sa + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: cb-crt + secret: + secretName: {{ .Release.Name }}-cb-crt + {{- end }} diff --git a/charts/gluu/gluu/5.0.302/charts/persistence/templates/service.yaml b/charts/gluu/gluu/5.0.302/charts/persistence/templates/service.yaml new file mode 100644 index 000000000..b266650a6 --- /dev/null +++ b/charts/gluu/gluu/5.0.302/charts/persistence/templates/service.yaml 
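Review bot: In the Istio branch of `command`, the `sh -c` script runs `/app/scripts/entrypoint.sh` and then `curl -X POST http://localhost:15020/quitquitquit`, so the container exits with curl's status and a failed persistence load can be recorded as a succeeded Job. Keep the loader's status: `/app/scripts/entrypoint.sh; rc=$?`, then the existing curl line, then `exit $rc`. With `ttlSecondsAfterFinished: 120` the Job and its pod are removed two minutes after finishing, so the logs that would reveal such a failure are short-lived.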
@@ -0,0 +1,27 @@ +{{- if .Values.global.istio.enabled }} +# License terms and conditions: +# https://www.apache.org/licenses/LICENSE-2.0 +# Used with Istio +apiVersion: v1 +kind: Service +metadata: + name: {{ include "persistence.fullname" . }} + labels: + APP_NAME: persistence-loader +{{ include "persistence.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ports: + - name: http + port: 80 + targetPort: 8080 + selector: + app: {{ .Release.Name }}-{{ include "persistence.name" . }} + type: ClusterIP +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.302/charts/persistence/templates/user-custom-secret-envs.yaml b/charts/gluu/gluu/5.0.302/charts/persistence/templates/user-custom-secret-envs.yaml new file mode 100644 index 000000000..229c0dc47 --- /dev/null +++ b/charts/gluu/gluu/5.0.302/charts/persistence/templates/user-custom-secret-envs.yaml @@ -0,0 +1,21 @@ +{{ if .Values.usrEnvs.secret }} + +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-{{ .Chart.Name }}-user-custom-envs + labels: +{{ include "persistence.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +data: + {{- range $key, $val := .Values.usrEnvs.secret }} + {{ $key }}: {{ $val | b64enc }} + {{- end}} +{{- end}} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.302/charts/persistence/values.yaml b/charts/gluu/gluu/5.0.302/charts/persistence/values.yaml new file mode 100644 index 000000000..db1d5cce4 --- /dev/null +++ b/charts/gluu/gluu/5.0.302/charts/persistence/values.yaml 
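Review bot: In user-custom-secret-envs.yaml, `{{ $key }}: {{ $val | b64enc }}` passes each `usrEnvs.secret` value straight to `b64enc`, which expects a string, so a numeric or boolean value from values.yaml is likely to fail rendering; `{{ $key }}: {{ $val | toString | b64enc | quote }}` handles those. The template would also benefit from a comment for operators, e.g. `# usrEnvs.secret values are stored in the Helm release record as well as in this Secret; do not commit them to a values file`. The scim chart's user-custom-secret-envs.yaml in this commit has the same line.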
@@ -0,0 +1,48 @@ + +# -- Job to generate data and initial config for Gluu Server persistence layer. +# -- Add custom normal and secret envs to the service +usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} +# -- Add custom dns policy +dnsPolicy: "" +# -- Add custom dns config +dnsConfig: {} +image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: gluufederation/persistence + # -- Image tag to use for deploying. + tag: 1.0.0-beta.16 + # -- Image Pull Secrets + pullSecrets: [ ] +# -- Resource specs. +resources: + limits: + # -- CPU limit + cpu: 300m + # -- Memory limit. + memory: 300Mi + requests: + # -- CPU request. + cpu: 300m + # -- Memory request. + memory: 300Mi +# -- Configure any additional volumes that need to be attached to the pod +volumes: [] +# -- Configure any additional volumesMounts that need to be attached to the containers +volumeMounts: [] + +imagePullSecrets: [] +nameOverride: "" +fullnameOverride: "" + +# -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} +additionalLabels: { } +# -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken +additionalAnnotations: { } \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.302/charts/scim/.helmignore b/charts/gluu/gluu/5.0.302/charts/scim/.helmignore new file mode 100644 index 000000000..f0c131944 --- /dev/null +++ b/charts/gluu/gluu/5.0.302/charts/scim/.helmignore 
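Review bot: `image.pullPolicy` and the top-level `imagePullSecrets` are defined here but have no effect, because templates/jobs.yml in this commit sets no `imagePullPolicy` on the container and reads only `.Values.image.pullSecrets`. Either add `imagePullPolicy: {{ .Values.image.pullPolicy }}` to the Job's container or drop the unused keys. As written, an operator who sets `pullPolicy: Always` to make sure a re-pushed `1.0.0-beta.16` tag is fetched would be relying on a setting that is never applied.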
@@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/gluu/gluu/5.0.302/charts/scim/Chart.yaml b/charts/gluu/gluu/5.0.302/charts/scim/Chart.yaml new file mode 100644 index 000000000..615230659 --- /dev/null +++ b/charts/gluu/gluu/5.0.302/charts/scim/Chart.yaml @@ -0,0 +1,20 @@ +apiVersion: v2 +appVersion: 5.0.0 +description: System for Cross-domain Identity Management (SCIM) version 2.0 +home: https://gluu.org/docs/gluu-server +icon: https://gluu.org/docs/gluu-server/favicon.ico +keywords: +- SCIM +- API +kubeVersion: '>=v1.21.0-0' +maintainers: +- email: support@gluu.org + name: Mohammad Abudayyeh + url: https://github.com/moabu +name: scim +sources: +- https://github.com/JanssenProject/jans/jans-scim +- https://github.com/JanssenProject/jans/docker-jans-scim +- https://github.com/GluuFederation/flex/tree/main/flex-cn-setup/pygluu/kubernetes/templates/helm/gluu/charts/scim +type: application +version: 5.0.3 diff --git a/charts/gluu/gluu/5.0.302/charts/scim/README.md b/charts/gluu/gluu/5.0.302/charts/scim/README.md new file mode 100644 index 000000000..39f074e8b --- /dev/null +++ b/charts/gluu/gluu/5.0.302/charts/scim/README.md 
@@ -0,0 +1,60 @@ +# scim + +![Version: 5.0.3](https://img.shields.io/badge/Version-5.0.3-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.0](https://img.shields.io/badge/AppVersion-5.0.0-informational?style=flat-square) + +System for Cross-domain Identity Management (SCIM) version 2.0 + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | support@gluu.org | https://github.com/moabu | + +## Source Code + +* +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| additionalAnnotations | object | `{}` | Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken | +| additionalLabels | object | `{}` | Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} | +| dnsConfig | object | `{}` | Add custom dns config | +| dnsPolicy | string | `""` | Add custom dns policy | +| hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| hpa.behavior | object | `{}` | Scaling Policies | +| hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| image.pullSecrets | list | `[]` | Image Pull Secrets | +| image.repository | string | `"janssenproject/scim"` | Image to use for deploying. | +| image.tag | string | `"1.0.0-beta.16"` | Image tag to use for deploying. 
| +| livenessProbe | object | `{"httpGet":{"path":"/jans-scim/sys/health-check","port":8080},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for SCIM if needed. | +| livenessProbe.httpGet.path | string | `"/jans-scim/sys/health-check"` | http liveness probe endpoint | +| readinessProbe | object | `{"httpGet":{"path":"/jans-scim/sys/health-check","port":8080},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the readiness healthcheck for the SCIM if needed. | +| readinessProbe.httpGet.path | string | `"/jans-scim/sys/health-check"` | http readiness probe endpoint | +| replicas | int | `1` | Service replica number. | +| resources.limits.cpu | string | `"1000m"` | CPU limit. | +| resources.limits.memory | string | `"1000Mi"` | Memory limit. | +| resources.requests.cpu | string | `"1000m"` | CPU request. | +| resources.requests.memory | string | `"1000Mi"` | Memory request. | +| service.name | string | `"http-scim"` | The name of the scim port within the scim service. Please keep it as default. | +| service.port | int | `8080` | Port of the scim service. Please keep it as default. 
| +| service.sessionAffinity | string | `"None"` | Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP | +| service.sessionAffinityConfig | object | `{"clientIP":{"timeoutSeconds":10800}}` | the maximum session sticky time if sessionAffinity is ClientIP | +| usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.7.0](https://github.com/norwoodj/helm-docs/releases/v1.7.0) diff --git a/charts/gluu/gluu/5.0.302/charts/scim/templates/_helpers.tpl b/charts/gluu/gluu/5.0.302/charts/scim/templates/_helpers.tpl new file mode 100644 index 000000000..d779e8f5e --- /dev/null +++ b/charts/gluu/gluu/5.0.302/charts/scim/templates/_helpers.tpl 
@@ -0,0 +1,68 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "scim.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "scim.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "scim.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* + Common labels +*/}} +{{- define "scim.labels" -}} +app: {{ .Release.Name }}-{{ include "scim.name" . }} +helm.sh/chart: {{ include "scim.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Create user custom defined envs +*/}} +{{- define "scim.usr-envs"}} +{{- range $key, $val := .Values.usrEnvs.normal }} +- name: {{ $key }} + value: {{ $val }} +{{- end }} +{{- end }} + +{{/* +Create user custom defined secret envs +*/}} +{{- define "scim.usr-secret-envs"}} +{{- range $key, $val := .Values.usrEnvs.secret }} +- name: {{ $key }} + valueFrom: + secretKeyRef: + name: {{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs + key: {{ $key }} +{{- end }} +{{- end }} 
diff --git a/charts/gluu/gluu/5.0.302/charts/scim/templates/deployment.yml b/charts/gluu/gluu/5.0.302/charts/scim/templates/deployment.yml new file mode 100644 index 000000000..9bb1cd27a --- /dev/null +++ b/charts/gluu/gluu/5.0.302/charts/scim/templates/deployment.yml 
@@ -0,0 +1,134 @@ + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "scim.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: scim +{{ include "scim.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + replicas: {{ .Values.replicas }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "scim.name" . }} + template: + metadata: + labels: + APP_NAME: scim + app: {{ .Release.Name }}-{{ include "scim.name" . }} + {{- if .Values.global.istio.ingress }} + annotations: + sidecar.istio.io/rewriteAppHTTPProbers: "true" + {{- end }} + spec: + {{- with .Values.image.pullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + dnsPolicy: {{ .Values.dnsPolicy | quote }} + {{- with .Values.dnsConfig }} + dnsConfig: +{{ toYaml . | indent 8 }} + {{- end }} + containers: + - name: {{ include "scim.name" . }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + image: {{ .Values.image.repository }}:{{ .Values.image.tag }} + securityContext: + runAsUser: 1000 + runAsNonRoot: true + env: + {{- include "scim.usr-envs" . | indent 12 }} + {{- include "scim.usr-secret-envs" . 
| indent 12 }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + command: + - /bin/sh + - -c + - | + /usr/bin/python3 /scripts/updatelbip.py & + /app/scripts/entrypoint.sh + {{- end}} + {{- if or (eq .Values.global.storageClass.provisioner "microk8s.io/hostpath" ) (eq .Values.global.storageClass.provisioner "k8s.io/minikube-hostpath") }} + resources: {} + {{- else if .Values.global.cloud.testEnviroment }} + resources: {} + {{- else }} + resources: +{{- toYaml .Values.resources | nindent 10 }} + {{- end }} + ports: + - name: {{ .Values.service.name }} + containerPort: {{ .Values.service.port }} + envFrom: + - configMapRef: + name: {{ .Release.Name }}-config-cm + {{ if .Values.global.usrEnvs.secret }} + - secretRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + {{ if .Values.global.usrEnvs.normal }} + - configMapRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + volumeMounts: + {{- with .Values.volumeMounts }} +{{- toYaml . 
| nindent 10 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - mountPath: {{ .Values.global.cnGoogleApplicationCredentials }} + name: google-sa + subPath: google-credentials.json + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "scim.fullname" .}}-updatelbip + mountPath: "/scripts" + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + mountPath: "/etc/certs/couchbase.crt" + subPath: couchbase.crt + {{- end }} + {{- end }} + livenessProbe: +{{- toYaml .Values.livenessProbe | nindent 10 }} + readinessProbe: +{{- toYaml .Values.readinessProbe | nindent 10 }} + {{- if not .Values.global.isFqdnRegistered }} + hostAliases: + - ip: {{ .Values.global.lbIp }} + hostnames: + - {{ .Values.global.fqdn }} + {{- end }} + volumes: + {{- with .Values.volumes }} +{{- toYaml . | nindent 8 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - name: google-sa + secret: + secretName: {{ .Release.Name }}-google-sa + {{- end }} + + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + secret: + secretName: {{ .Release.Name }}-cb-crt + {{- end }} + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "scim.fullname" . }}-updatelbip + configMap: + name: {{ .Release.Name }}-updatelbip + {{- end }} + \ No newline at end of file 
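Review bot: The container `securityContext` sets only `runAsUser: 1000` and `runAsNonRoot: true`, which leaves privilege escalation and the default capability set in place for a pod that can mount the `google-sa` and `cb-crt` secrets. Assuming the image needs no extra capabilities (it listens on 8080), add `allowPrivilegeEscalation: false` and `capabilities: {drop: ["ALL"]}` under the same `securityContext`; the persistence Job in templates/jobs.yml has the same gap. The `resources: {}` branches for hostpath provisioners and `global.cloud.testEnviroment` remove all limits, which deserves a comment such as `# no requests/limits in test environments; do not set testEnviroment in production`.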
diff --git a/charts/gluu/gluu/5.0.302/charts/scim/templates/hpa.yaml b/charts/gluu/gluu/5.0.302/charts/scim/templates/hpa.yaml new file mode 100644 index 000000000..ce67703df --- /dev/null +++ b/charts/gluu/gluu/5.0.302/charts/scim/templates/hpa.yaml @@ -0,0 +1,38 @@ +{{ if .Values.hpa.enabled -}} + +apiVersion: autoscaling/v1 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "scim.fullname" . }} + labels: + APP_NAME: scim +{{ include "scim.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "scim.fullname" . }} + minReplicas: {{ .Values.hpa.minReplicas }} + maxReplicas: {{ .Values.hpa.maxReplicas }} + {{- if .Values.hpa.targetCPUUtilizationPercentage }} + targetCPUUtilizationPercentage: {{ .Values.hpa.targetCPUUtilizationPercentage }} + {{- else if .Values.hpa.metrics }} + metrics: + {{- with .Values.hpa.metrics }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} + {{- if .Values.hpa.behavior }} + behavior: + {{- with .Values.hpa.behavior }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.302/charts/scim/templates/scim-destination-rules.yaml b/charts/gluu/gluu/5.0.302/charts/scim/templates/scim-destination-rules.yaml new file mode 100644 index 000000000..4cbb8aaf7 --- /dev/null +++ b/charts/gluu/gluu/5.0.302/charts/scim/templates/scim-destination-rules.yaml 
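Review bot: The manifest declares `apiVersion: autoscaling/v1`, but the `metrics` and `behavior` branches render fields that exist only in the autoscaling/v2 API family, so setting `hpa.metrics` or `hpa.behavior` produces an object that will be rejected or have those fields dropped. Either remove the two branches or move to a v2 API version and express the CPU target as a `metrics` entry instead of `targetCPUUtilizationPercentage`. The HPA also omits `namespace: {{ .Release.Namespace }}`, which the Deployment and Service in this chart set.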
@@ -0,0 +1,23 @@ +{{- if .Values.global.istio.enabled }} + +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: {{ .Release.Name }}-scim-mtls + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: scim +{{ include "scim.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + host: {{ .Values.global.scim.scimServiceName }}.{{ .Release.Namespace }}.svc.cluster.local + trafficPolicy: + tls: + mode: ISTIO_MUTUAL +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.302/charts/scim/templates/scim-virtual-services.yaml b/charts/gluu/gluu/5.0.302/charts/scim/templates/scim-virtual-services.yaml new file mode 100644 index 000000000..9215e7640 --- /dev/null +++ b/charts/gluu/gluu/5.0.302/charts/scim/templates/scim-virtual-services.yaml 
@@ -0,0 +1,46 @@ +{{- if .Values.global.istio.ingress }} + +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: {{ .Release.Name }}-istio-scim-config + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: scim +{{ include "scim.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + hosts: + - {{ .Values.global.fqdn }} + gateways: + - {{ .Release.Name }}-global-gtw # can omit the namespace if gateway is in same namespace as virtual service. + http: + - name: {{ .Release.Name }}-istio-scim-config + match: + - uri: + prefix: /.well-known/scim-configuration + rewrite: + uri: /jans-scim/restv1/scim-configuration + route: + - destination: + host: {{ .Values.global.scim.scimServiceName }}.{{.Release.Namespace}}.svc.cluster.local + port: + number: 8080 + weight: 100 + - name: {{ .Release.Name }}-istio-scim + match: + - uri: + prefix: "/jans-scim" + route: + - destination: + host: {{ .Values.global.scim.scimServiceName }}.{{.Release.Namespace}}.svc.cluster.local + port: + number: 8080 + weight: 100 +{{- end }} diff --git a/charts/gluu/gluu/5.0.302/charts/scim/templates/service.yml b/charts/gluu/gluu/5.0.302/charts/scim/templates/service.yml new file mode 100644 index 000000000..6ccf08924 --- /dev/null +++ b/charts/gluu/gluu/5.0.302/charts/scim/templates/service.yml 
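Review bot: The second route matches `prefix: "/jans-scim"`, which forwards every path under the application from the gateway to the pod, including `/jans-scim/sys/health-check` that the probes in values.yaml use, and also any path that merely begins with that string. If only the REST API is meant to be reachable externally, narrow the match, e.g. `prefix: /jans-scim/restv1/`; whether clients need other paths is not visible here, so confirm before changing. The first route matches `/.well-known/scim-configuration` by prefix as well, and `exact: /.well-known/scim-configuration` would fit a single well-known document better.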
@@ -0,0 +1,30 @@ + +apiVersion: v1 +kind: Service +metadata: + name: {{ .Values.global.scim.scimServiceName }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: scim +{{ include "scim.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + {{- if .Values.global.alb.ingress }} + type: NodePort + {{- end }} + ports: + - port: {{ .Values.service.port }} + name: {{ .Values.service.name }} + selector: + app: {{ .Release.Name }}-{{ include "scim.name" . }} #scim + sessionAffinity: {{ .Values.service.sessionAffinity }} + {{- with .Values.service.sessionAffinityConfig }} + sessionAffinityConfig: +{{ toYaml . | indent 4 }} + {{- end }} diff --git a/charts/gluu/gluu/5.0.302/charts/scim/templates/user-custom-secret-envs.yaml b/charts/gluu/gluu/5.0.302/charts/scim/templates/user-custom-secret-envs.yaml new file mode 100644 index 000000000..193995417 --- /dev/null +++ b/charts/gluu/gluu/5.0.302/charts/scim/templates/user-custom-secret-envs.yaml @@ -0,0 +1,22 @@ +{{ if .Values.usrEnvs.secret }} + +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-{{ .Chart.Name }}-user-custom-envs + labels: + APP_NAME: scim +{{ include "scim.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +data: + {{- range $key, $val := .Values.usrEnvs.secret }} + {{ $key }}: {{ $val | b64enc }} + {{- end}} +{{- end}} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.302/charts/scim/values.yaml b/charts/gluu/gluu/5.0.302/charts/scim/values.yaml new file mode 100644 index 000000000..b0db52dca --- /dev/null +++ b/charts/gluu/gluu/5.0.302/charts/scim/values.yaml 
@@ -0,0 +1,84 @@
+
+# -- System for Cross-domain Identity Management (SCIM) version 2.0
+# -- Configure the HorizontalPodAutoscaler
+hpa:
+ enabled: true
+ minReplicas: 1
+ maxReplicas: 10
+ targetCPUUtilizationPercentage: 50
+ # -- metrics if targetCPUUtilizationPercentage is not set
+ metrics: []
+ # -- Scaling Policies
+ behavior: {}
+# -- Add custom normal and secret envs to the service
+usrEnvs:
+ # -- Add custom normal envs to the service
+ # variable1: value1
+ normal: {}
+ # -- Add custom secret envs to the service
+ # variable1: value1
+ secret: {}
+# -- Add custom dns policy
+dnsPolicy: ""
+# -- Add custom dns config
+dnsConfig: {}
+image:
+ # -- Image pullPolicy to use for deploying.
+ pullPolicy: IfNotPresent
+ # -- Image to use for deploying.
+ repository: janssenproject/scim
+ # -- Image tag to use for deploying.
+ tag: 1.0.0-beta.16
+ # -- Image Pull Secrets
+ pullSecrets: [ ]
+# -- Service replica number.
+replicas: 1
+resources:
+ limits:
+ # -- CPU limit.
+ cpu: 1000m
+ # -- Memory limit.
+ memory: 1000Mi
+ requests:
+ # -- CPU request.
+ cpu: 1000m
+ # -- Memory request.
+ memory: 1000Mi
+service:
+ # -- The name of the scim port within the scim service. Please keep it as default.
+ name: http-scim
+ # -- Port of the scim service. Please keep it as default.
+ port: 8080
+ # -- Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP
+ sessionAffinity: None
+ # -- the maximum session sticky time if sessionAffinity is ClientIP
+ sessionAffinityConfig:
+ clientIP:
+ timeoutSeconds: 10800
+# -- Configure the liveness healthcheck for SCIM if needed.
+livenessProbe:
+ httpGet:
+ # -- http liveness probe endpoint
+ path: /jans-scim/sys/health-check
+ port: 8080
+ initialDelaySeconds: 30
+ periodSeconds: 30
+ timeoutSeconds: 5
+# -- Configure the readiness healthcheck for the SCIM if needed.
+readinessProbe:
+ httpGet:
+ # -- http readiness probe endpoint
+ path: /jans-scim/sys/health-check
+ port: 8080
+ initialDelaySeconds: 25
+ periodSeconds: 25
+ timeoutSeconds: 5
+# -- Configure any additional volumes that need to be attached to the pod
+volumes: []
+# -- Configure any additional volumesMounts that need to be attached to the containers
+volumeMounts: []
+
+# -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"}
+additionalLabels: { }
+# -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken
+additionalAnnotations: { }
\ No newline at end of file
diff --git a/charts/gluu/gluu/5.0.302/get_helm.sh b/charts/gluu/gluu/5.0.302/get_helm.sh
new file mode 100644
index 000000000..9c6035864
--- /dev/null
+++ b/charts/gluu/gluu/5.0.302/get_helm.sh
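Review bot: The scim values identify the image only by `repository: janssenproject/scim` and `tag: 1.0.0-beta.16` with `pullPolicy: IfNotPresent`, so each node runs whatever the registry served for that tag at its first pull and nothing in the chart records which build that was. Whether the deployment template accepts a digest is not visible in this hunk. At minimum the comment on `tag` could read `# -- Image tag to use for deploying. For production, pin the image by digest (sha256:<digest>) so every node runs the same verified build.`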
@@ -0,0 +1,326 @@
+#!/usr/bin/env bash
+
+# Copyright The Helm Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# The install script is based off of the MIT-licensed script from glide,
+# the package manager for Go: https://github.com/Masterminds/glide.sh/blob/master/get
+
+: ${BINARY_NAME:="helm"}
+: ${USE_SUDO:="true"}
+: ${DEBUG:="false"}
+: ${VERIFY_CHECKSUM:="true"}
+: ${VERIFY_SIGNATURES:="false"}
+: ${HELM_INSTALL_DIR:="/usr/local/bin"}
+: ${GPG_PUBRING:="pubring.kbx"}
+
+HAS_CURL="$(type "curl" &> /dev/null && echo true || echo false)"
+HAS_WGET="$(type "wget" &> /dev/null && echo true || echo false)"
+HAS_OPENSSL="$(type "openssl" &> /dev/null && echo true || echo false)"
+HAS_GPG="$(type "gpg" &> /dev/null && echo true || echo false)"
+
+# initArch discovers the architecture for this system.
+initArch() {
+ ARCH=$(uname -m)
+ case $ARCH in
+ armv5*) ARCH="armv5";;
+ armv6*) ARCH="armv6";;
+ armv7*) ARCH="arm";;
+ aarch64) ARCH="arm64";;
+ x86) ARCH="386";;
+ x86_64) ARCH="amd64";;
+ i686) ARCH="386";;
+ i386) ARCH="386";;
+ esac
+}
+
+# initOS discovers the operating system for this system.
+initOS() {
+ OS=$(echo `uname`|tr '[:upper:]' '[:lower:]')
+
+ case "$OS" in
+ # Minimalist GNU for Windows
+ mingw*|cygwin*) OS='windows';;
+ esac
+}
+
+# runs the given command as root (detects if we are root already)
+runAsRoot() {
+ if [ $EUID -ne 0 -a "$USE_SUDO" = "true" ]; then
+ sudo "${@}"
+ else
+ "${@}"
+ fi
+}
+
+# verifySupported checks that the os/arch combination is supported for
+# binary builds, as well whether or not necessary tools are present.
+verifySupported() {
+ local supported="darwin-amd64\ndarwin-arm64\nlinux-386\nlinux-amd64\nlinux-arm\nlinux-arm64\nlinux-ppc64le\nlinux-s390x\nwindows-amd64"
+ if ! echo "${supported}" | grep -q "${OS}-${ARCH}"; then
+ echo "No prebuilt binary for ${OS}-${ARCH}."
+ echo "To build from source, go to https://github.com/helm/helm"
+ exit 1
+ fi
+
+ if [ "${HAS_CURL}" != "true" ] && [ "${HAS_WGET}" != "true" ]; then
+ echo "Either curl or wget is required"
+ exit 1
+ fi
+
+ if [ "${VERIFY_CHECKSUM}" == "true" ] && [ "${HAS_OPENSSL}" != "true" ]; then
+ echo "In order to verify checksum, openssl must first be installed."
+ echo "Please install openssl or set VERIFY_CHECKSUM=false in your environment."
+ exit 1
+ fi
+
+ if [ "${VERIFY_SIGNATURES}" == "true" ]; then
+ if [ "${HAS_GPG}" != "true" ]; then
+ echo "In order to verify signatures, gpg must first be installed."
+ echo "Please install gpg or set VERIFY_SIGNATURES=false in your environment."
+ exit 1
+ fi
+ if [ "${OS}" != "linux" ]; then
+ echo "Signature verification is currently only supported on Linux."
+ echo "Please set VERIFY_SIGNATURES=false or verify the signatures manually."
+ exit 1
+ fi
+ fi
+}
+
+# checkDesiredVersion checks if the desired version is available.
+checkDesiredVersion() {
+ if [ "x$DESIRED_VERSION" == "x" ]; then
+ # Get tag from release URL
+ local latest_release_url="https://github.com/helm/helm/releases"
+ if [ "${HAS_CURL}" == "true" ]; then
+ TAG=$(curl -Ls $latest_release_url | grep 'href="/helm/helm/releases/tag/v3.[0-9]*.[0-9]*\"' | sed -E 's/.*\/helm\/helm\/releases\/tag\/(v[0-9\.]+)".*/\1/g' | head -1)
+ elif [ "${HAS_WGET}" == "true" ]; then
+ TAG=$(wget $latest_release_url -O - 2>&1 | grep 'href="/helm/helm/releases/tag/v3.[0-9]*.[0-9]*\"' | sed -E 's/.*\/helm\/helm\/releases\/tag\/(v[0-9\.]+)".*/\1/g' | head -1)
+ fi
+ else
+ TAG=$DESIRED_VERSION
+ fi
+}
+
+# checkHelmInstalledVersion checks which version of helm is installed and
+# if it needs to be changed.
+checkHelmInstalledVersion() {
+ if [[ -f "${HELM_INSTALL_DIR}/${BINARY_NAME}" ]]; then
+ local version=$("${HELM_INSTALL_DIR}/${BINARY_NAME}" version --template="{{ .Version }}")
+ if [[ "$version" == "$TAG" ]]; then
+ echo "Helm ${version} is already ${DESIRED_VERSION:-latest}"
+ return 0
+ else
+ echo "Helm ${TAG} is available. Changing from version ${version}."
+ return 1
+ fi
+ else
+ return 1
+ fi
+}
+
+# downloadFile downloads the latest binary package and also the checksum
+# for that binary.
+downloadFile() {
+ HELM_DIST="helm-$TAG-$OS-$ARCH.tar.gz"
+ DOWNLOAD_URL="https://get.helm.sh/$HELM_DIST"
+ CHECKSUM_URL="$DOWNLOAD_URL.sha256"
+ HELM_TMP_ROOT="$(mktemp -dt helm-installer-XXXXXX)"
+ HELM_TMP_FILE="$HELM_TMP_ROOT/$HELM_DIST"
+ HELM_SUM_FILE="$HELM_TMP_ROOT/$HELM_DIST.sha256"
+ echo "Downloading $DOWNLOAD_URL"
+ if [ "${HAS_CURL}" == "true" ]; then
+ curl -SsL "$CHECKSUM_URL" -o "$HELM_SUM_FILE"
+ curl -SsL "$DOWNLOAD_URL" -o "$HELM_TMP_FILE"
+ elif [ "${HAS_WGET}" == "true" ]; then
+ wget -q -O "$HELM_SUM_FILE" "$CHECKSUM_URL"
+ wget -q -O "$HELM_TMP_FILE" "$DOWNLOAD_URL"
+ fi
+}
+
+# verifyFile verifies the SHA256 checksum of the binary package
+# and the GPG signatures for both the package and checksum file
+# (depending on settings in environment).
+verifyFile() {
+ if [ "${VERIFY_CHECKSUM}" == "true" ]; then
+ verifyChecksum
+ fi
+ if [ "${VERIFY_SIGNATURES}" == "true" ]; then
+ verifySignatures
+ fi
+}
+
+# installFile installs the Helm binary.
+installFile() {
+ HELM_TMP="$HELM_TMP_ROOT/$BINARY_NAME"
+ mkdir -p "$HELM_TMP"
+ tar xf "$HELM_TMP_FILE" -C "$HELM_TMP"
+ HELM_TMP_BIN="$HELM_TMP/$OS-$ARCH/helm"
+ echo "Preparing to install $BINARY_NAME into ${HELM_INSTALL_DIR}"
+ runAsRoot cp "$HELM_TMP_BIN" "$HELM_INSTALL_DIR/$BINARY_NAME"
+ echo "$BINARY_NAME installed into $HELM_INSTALL_DIR/$BINARY_NAME"
+}
+
+# verifyChecksum verifies the SHA256 checksum of the binary package.
+verifyChecksum() {
+ printf "Verifying checksum... "
+ local sum=$(openssl sha1 -sha256 ${HELM_TMP_FILE} | awk '{print $2}')
+ local expected_sum=$(cat ${HELM_SUM_FILE})
+ if [ "$sum" != "$expected_sum" ]; then
+ echo "SHA sum of ${HELM_TMP_FILE} does not match. Aborting."
+ exit 1
+ fi
+ echo "Done."
+}
+
+# verifySignatures obtains the latest KEYS file from GitHub main branch
+# as well as the signature .asc files from the specific GitHub release,
+# then verifies that the release artifacts were signed by a maintainer's key.
+verifySignatures() {
+ printf "Verifying signatures... "
+ local keys_filename="KEYS"
+ local github_keys_url="https://raw.githubusercontent.com/helm/helm/main/${keys_filename}"
+ if [ "${HAS_CURL}" == "true" ]; then
+ curl -SsL "${github_keys_url}" -o "${HELM_TMP_ROOT}/${keys_filename}"
+ elif [ "${HAS_WGET}" == "true" ]; then
+ wget -q -O "${HELM_TMP_ROOT}/${keys_filename}" "${github_keys_url}"
+ fi
+ local gpg_keyring="${HELM_TMP_ROOT}/keyring.gpg"
+ local gpg_homedir="${HELM_TMP_ROOT}/gnupg"
+ mkdir -p -m 0700 "${gpg_homedir}"
+ local gpg_stderr_device="/dev/null"
+ if [ "${DEBUG}" == "true" ]; then
+ gpg_stderr_device="/dev/stderr"
+ fi
+ gpg --batch --quiet --homedir="${gpg_homedir}" --import "${HELM_TMP_ROOT}/${keys_filename}" 2> "${gpg_stderr_device}"
+ gpg --batch --no-default-keyring --keyring "${gpg_homedir}/${GPG_PUBRING}" --export > "${gpg_keyring}"
+ local github_release_url="https://github.com/helm/helm/releases/download/${TAG}"
+ if [ "${HAS_CURL}" == "true" ]; then
+ curl -SsL "${github_release_url}/helm-${TAG}-${OS}-${ARCH}.tar.gz.sha256.asc" -o "${HELM_TMP_ROOT}/helm-${TAG}-${OS}-${ARCH}.tar.gz.sha256.asc"
+ curl -SsL "${github_release_url}/helm-${TAG}-${OS}-${ARCH}.tar.gz.asc" -o "${HELM_TMP_ROOT}/helm-${TAG}-${OS}-${ARCH}.tar.gz.asc"
+ elif [ "${HAS_WGET}" == "true" ]; then
+ wget -q -O "${HELM_TMP_ROOT}/helm-${TAG}-${OS}-${ARCH}.tar.gz.sha256.asc" "${github_release_url}/helm-${TAG}-${OS}-${ARCH}.tar.gz.sha256.asc"
+ wget -q -O "${HELM_TMP_ROOT}/helm-${TAG}-${OS}-${ARCH}.tar.gz.asc" "${github_release_url}/helm-${TAG}-${OS}-${ARCH}.tar.gz.asc"
+ fi
+ local error_text="If you think this might be a potential security issue,"
+ error_text="${error_text}\nplease see here: https://github.com/helm/community/blob/master/SECURITY.md"
+ local num_goodlines_sha=$(gpg --verify --keyring="${gpg_keyring}" --status-fd=1 "${HELM_TMP_ROOT}/helm-${TAG}-${OS}-${ARCH}.tar.gz.sha256.asc" 2> "${gpg_stderr_device}" | grep -c -E '^\[GNUPG:\] (GOODSIG|VALIDSIG)')
+ if [[ ${num_goodlines_sha} -lt 2 ]]; then
+ echo "Unable to verify the signature of helm-${TAG}-${OS}-${ARCH}.tar.gz.sha256!"
+ echo -e "${error_text}"
+ exit 1
+ fi
+ local num_goodlines_tar=$(gpg --verify --keyring="${gpg_keyring}" --status-fd=1 "${HELM_TMP_ROOT}/helm-${TAG}-${OS}-${ARCH}.tar.gz.asc" 2> "${gpg_stderr_device}" | grep -c -E '^\[GNUPG:\] (GOODSIG|VALIDSIG)')
+ if [[ ${num_goodlines_tar} -lt 2 ]]; then
+ echo "Unable to verify the signature of helm-${TAG}-${OS}-${ARCH}.tar.gz!"
+ echo -e "${error_text}"
+ exit 1
+ fi
+ echo "Done."
+}
+
+# fail_trap is executed if an error occurs.
+fail_trap() {
+ result=$?
+ if [ "$result" != "0" ]; then
+ if [[ -n "$INPUT_ARGUMENTS" ]]; then
+ echo "Failed to install $BINARY_NAME with the arguments provided: $INPUT_ARGUMENTS"
+ help
+ else
+ echo "Failed to install $BINARY_NAME"
+ fi
+ echo -e "\tFor support, go to https://github.com/helm/helm."
+ fi
+ cleanup
+ exit $result
+}
+
+# testVersion tests the installed client to make sure it is working.
+testVersion() {
+ set +e
+ HELM="$(command -v $BINARY_NAME)"
+ if [ "$?" = "1" ]; then
+ echo "$BINARY_NAME not found. Is $HELM_INSTALL_DIR on your "'$PATH?'
+ exit 1
+ fi
+ set -e
+}
+
+# help provides possible cli installation arguments
+help () {
+ echo "Accepted cli arguments are:"
+ echo -e "\t[--help|-h ] ->> prints this help"
+ echo -e "\t[--version|-v ] . When not defined it fetches the latest release from GitHub"
+ echo -e "\te.g. --version v3.0.0 or -v canary"
+ echo -e "\t[--no-sudo] ->> install without sudo"
+}
+
+# cleanup temporary files to avoid https://github.com/helm/helm/issues/2977
+cleanup() {
+ if [[ -d "${HELM_TMP_ROOT:-}" ]]; then
+ rm -rf "$HELM_TMP_ROOT"
+ fi
+}
+
+# Execution
+
+#Stop execution on any error
+trap "fail_trap" EXIT
+set -e
+
+# Set debug if desired
+if [ "${DEBUG}" == "true" ]; then
+ set -x
+fi
+
+# Parsing input arguments (if any)
+export INPUT_ARGUMENTS="${@}"
+set -u
+while [[ $# -gt 0 ]]; do
+ case $1 in
+ '--version'|-v)
+ shift
+ if [[ $# -ne 0 ]]; then
+ export DESIRED_VERSION="${1}"
+ else
+ echo -e "Please provide the desired version. e.g. --version v3.0.0 or -v canary"
+ exit 0
+ fi
+ ;;
+ '--no-sudo')
+ USE_SUDO="false"
+ ;;
+ '--help'|-h)
+ help
+ exit 0
+ ;;
+ *) exit 1
+ ;;
+ esac
+ shift
+done
+set +u
+
+initArch
+initOS
+verifySupported
+checkDesiredVersion
+if ! checkHelmInstalledVersion; then
+ downloadFile
+ verifyFile
+ installFile
+fi
+testVersion
+cleanup
diff --git a/charts/gluu/gluu/5.0.302/openbanking-values.yaml b/charts/gluu/gluu/5.0.302/openbanking-values.yaml
new file mode 100644
index 000000000..f4427d509
--- /dev/null
+++ b/charts/gluu/gluu/5.0.302/openbanking-values.yaml
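Review bot: With the defaults at the top of get_helm.sh (`VERIFY_CHECKSUM:="true"`, `VERIFY_SIGNATURES:="false"`), the only check before `runAsRoot cp` is a SHA-256 that `downloadFile` fetches from the same host as the tarball (`$DOWNLOAD_URL.sha256`), so it catches a corrupted download but not a substituted one. A comment above the defaults should say so, e.g. `# VERIFY_CHECKSUM detects corruption only (the .sha256 comes from the same host as the tarball); set VERIFY_SIGNATURES=true to check the release signatures.` Separately, `checkDesiredVersion` never checks that the scraped `TAG` is non-empty, so a change to the releases page leads to a request for `helm--$OS-$ARCH.tar.gz`; adding `if [ -z "$TAG" ]; then echo "Could not determine the latest Helm release"; exit 1; fi` after the scrape fails early with a clear message. `verifyChecksum` also expands `${HELM_TMP_FILE}` and `${HELM_SUM_FILE}` unquoted, which the rest of the script avoids.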
@@ -0,0 +1,621 @@ +# -- OAuth Authorization Server, the OpenID Connect Provider, the UMA Authorization Server--this is the main Internet facing component of Gluu. It's the service that returns tokens, JWT's and identity assertions. This service must be Internet facing. +auth-server: + # -- Configure the HorizontalPodAutoscaler + hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} + # -- Add custom normal and secret envs to the service + usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: janssenproject/auth-server + # -- Image tag to use for deploying. + tag: 1.0.0-beta.16 + # -- Image Pull Secrets + pullSecrets: [ ] + # -- Service replica number. + replicas: 1 + # -- Resource specs. + resources: + limits: + # -- CPU limit. + cpu: 2500m + # -- Memory limit. + memory: 2500Mi + requests: + # -- CPU request. + cpu: 2500m + # -- Memory request. + memory: 2500Mi + # -- Configure the liveness healthcheck for the auth server if needed. + livenessProbe: + # -- Executes the python3 healthcheck. + # https://github.com/JanssenProject/docker-jans-auth-server/blob/master/scripts/healthcheck.py + exec: + command: + - python3 + - /app/scripts/healthcheck.py + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 + # -- Configure the readiness healthcheck for the auth server if needed. 
+ # https://github.com/JanssenProject/docker-jans-auth-server/blob/master/scripts/healthcheck.py + readinessProbe: + exec: + command: + - python3 + - /app/scripts/healthcheck.py + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } + +# -- Configuration parameters for setup and initial configuration secret and config layers used by Gluu services. +config: + # -- Add custom normal and secret envs to the service. + usrEnvs: + # -- Add custom normal envs to the service. + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service. + # variable1: value1 + secret: {} + # -- City. Used for certificate creation. + city: Austin + configmap: + # -- Jetty header size in bytes in the auth server + cnJettyRequestHeaderSize: 8192 + # -- SQL database dialect. `mysql` or `pgsql` + cnSqlDbDialect: mysql + # -- SQL database host uri. + cnSqlDbHost: my-release-mysql.default.svc.cluster.local + # -- SQL database port. + cnSqlDbPort: 3306 + # -- SQL database name. + cnSqlDbName: jans + # -- SQL database username. + cnSqlDbUser: jans + # -- SQL database timezone. + cnSqlDbTimezone: UTC + # -- SQL password injected in secrets . + cnSqldbUserPassword: Test1234# + # -- Cache type. `NATIVE_PERSISTENCE`, `REDIS`. or `IN_MEMORY`. Defaults to `NATIVE_PERSISTENCE` . 
+ cnCacheType: NATIVE_PERSISTENCE + # -- The name of the Kubernetes ConfigMap that will hold the configuration layer + cnConfigKubernetesConfigMap: cn + # [google_envs] Envs related to using Google + # -- Service account with roles roles/secretmanager.admin base64 encoded string. This is used often inside the services to reach the configuration layer. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnGoogleSecretManagerServiceAccount: SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo= + # -- Project id of the google project the secret manager belongs to. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnGoogleProjectId: google-project-to-save-config-and-secrets-to + # [google_spanner_envs] Envs related to using Google Secret Manager to store config and secret layer + # -- Google Spanner ID. Used only when global.cnPersistenceType is spanner. + cnGoogleSpannerInstanceId: "" + # -- Google Spanner Database ID. Used only when global.cnPersistenceType is spanner. + cnGoogleSpannerDatabaseId: "" + # [google_spanner_envs] END + # [google_secret_manager_envs] Envs related to using Google Secret Manager to store config and secret layer + # -- Secret version to be used for secret configuration. Defaults to latest and should normally always stay that way. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnSecretGoogleSecretVersionId: "latest" + # -- Prefix for Gluu secret in Google Secret Manager. Defaults to gluu. If left gluu-secret secret will be created. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnSecretGoogleSecretNamePrefix: gluu + # -- Passphrase for Gluu secret in Google Secret Manager. This is used for encrypting and decrypting data from the Google Secret Manager. Used only when global.configAdapterName and global.configSecretAdapter is set to google. 
+ cnGoogleSecretManagerPassPhrase: Test1234# + # -- Secret version to be used for configuration. Defaults to latest and should normally always stay that way. Used only when global.configAdapterName and global.configSecretAdapter is set to google. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnConfigGoogleSecretVersionId: "latest" + # -- Prefix for Gluu configuration secret in Google Secret Manager. Defaults to gluu. If left intact gluu-configuration secret will be created. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnConfigGoogleSecretNamePrefix: gluu + # [google_secret_manager_envs] END + # [google_envs] END + # -- Value passed to Java option -XX:MaxRAMPercentage + cnMaxRamPercent: "75.0" + # -- Redis Sentinel Group. Often set when `config.configmap.cnRedisType` is set to `SENTINEL`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisSentinelGroup: "" + # -- Redis SSL truststore. Optional. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisSslTruststore: "" + # -- Redis service type. `STANDALONE` or `CLUSTER`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisType: STANDALONE + # -- Redis URL and port number :. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisUrl: "redis.redis.svc.cluster.local:6379" + # -- Boolean to use SSL in Redis. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisUseSsl: false + # -- Kubernetes secret name holding configuration keys. Used when global.configSecretAdapter is set to kubernetes which is the default. + cnSecretKubernetesSecret: cn + # -- Loadbalancer address for AWS if the FQDN is not registered. + lbAddr: "" + # -- Country code. Used for certificate creation. + countryCode: US + # -- Email address of the administrator usually. Used for certificate creation. 
+ email: support@gluu.org + image: + # -- Image to use for deploying. + repository: janssenproject/configurator + # -- Image tag to use for deploying. + tag: 1.0.0-beta.16 + # -- Image Pull Secrets + pullSecrets: [ ] + # -- Organization name. Used for certificate creation. + orgName: Gluu + # -- Redis admin password if `config.configmap.cnCacheType` is set to `REDIS`. + redisPassword: P@assw0rd + # -- Resource specs. + resources: + limits: + # -- CPU limit. + cpu: 300m + # -- Memory limit. + memory: 300Mi + requests: + # -- CPU request. + cpu: 300m + # -- Memory request. + memory: 300Mi + # -- State code. Used for certificate creation. + state: TX + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } +# -- Config Api endpoints can be used to configure the auth-server, which is an open-source OpenID Connect Provider (OP) and UMA Authorization Server (AS). 
+config-api: + # -- Configure the HorizontalPodAutoscaler + hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} + # -- Add custom normal and secret envs to the service + usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: janssenproject/config-api + # -- Image tag to use for deploying. + tag: 1.0.0-beta.16 + # -- Image Pull Secrets + pullSecrets: [ ] + # -- Service replica number. + replicas: 1 + # -- Resource specs. + resources: + limits: + # -- CPU limit. + cpu: 1000m + # -- Memory limit. + memory: 400Mi + requests: + # -- CPU request. + cpu: 1000m + # -- Memory request. + memory: 400Mi + # -- Configure the liveness healthcheck for the auth server if needed. 
+ livenessProbe: + # -- http liveness probe endpoint + httpGet: + path: /jans-config-api/api/v1/health/live + port: 8074 + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 + readinessProbe: + # -- http readiness probe endpoint + httpGet: + path: /jans-config-api/api/v1/health/ready + port: 8074 + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } +# -- Parameters used globally across all services helm charts. +global: + # -- Add custom normal and secret envs to the service. + # Envs defined in global.userEnvs will be globally available to all services + usrEnvs: + # -- Add custom normal envs to the service. + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service. + # variable1: value1 + secret: {} + alb: + # -- Activates ALB ingress + ingress: false + + auth-server: + # -- Name of the auth-server service. Please keep it as default. + authServerServiceName: auth-server + # -- Boolean flag to enable/disable auth-server chart. You should never set this to false. + enabled: true + # -- App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. 
+ appLoggers: + # -- jans-auth.log target + authLogTarget: "STDOUT" + # -- jans-auth.log level + authLogLevel: "INFO" + # -- http_request_response.log target + httpLogTarget: "FILE" + # -- http_request_response.log level + httpLogLevel: "INFO" + # -- jans-auth_persistence.log target + persistenceLogTarget: "FILE" + # -- jans-auth_persistence.log level + persistenceLogLevel: "INFO" + # -- jans-auth_persistence_duration.log target + persistenceDurationLogTarget: "FILE" + # -- jans-auth_persistence_duration.log level + persistenceDurationLogLevel: "INFO" + # -- jans-auth_persistence_ldap_statistics.log target + ldapStatsLogTarget: "FILE" + # -- jans-auth_persistence_ldap_statistics.log level + ldapStatsLogLevel: "INFO" + # -- jans-auth_script.log target + scriptLogTarget: "FILE" + # -- jans-auth_script.log level + scriptLogLevel: "INFO" + # -- jans-auth_script.log target + auditStatsLogTarget: "FILE" + # -- jans-auth_audit.log level + auditStatsLogLevel: "INFO" + + auth-server-key-rotation: + # -- Boolean flag to enable/disable the auth-server-key rotation cronjob chart. + enabled: false + # -- Volume storage type if using AWS volumes. + awsStorageType: io1 + # -- Volume storage type if using Azure disks. + azureStorageAccountType: Standard_LRS + # -- Azure storage kind if using Azure disks + azureStorageKind: Managed + casa: + # -- Name of the casa service. Please keep it as default. + casaServiceName: casa + client-api: + # -- Name of the client-api service. Please keep it as default. + clientApiServerServiceName: client-api + # -- Boolean flag to enable/disable the client-api chart. + enabled: false + # -- App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. + appLoggers: + # -- client-api.log target + clientApiLogTarget: "STDOUT" + # -- client-api.log level + clientApiLogLevel: "INFO" + cloud: + # -- Boolean flag if enabled will strip resources requests and limits from all services. 
+ testEnviroment: false + # -- Persistence backend to run Gluu with ldap|couchbase|hybrid|sql|spanner. + cnPersistenceType: sql + # -- Open banking external signing jwks uri. Used in SSA Validation. + cnObExtSigningJwksUri: "" + # -- Open banking external signing jwks AS certificate authority string. Used in SSA Validation. This must be encoded using base64.. Used when `.global.cnObExtSigningJwksUri` is set. + cnObExtSigningJwksCrt: "" + # -- Open banking external signing jwks AS key string. Used in SSA Validation. This must be encoded using base64. Used when `.global.cnObExtSigningJwksUri` is set. + cnObExtSigningJwksKey: "" + # -- Open banking external signing jwks AS key passphrase to unlock provided key. This must be encoded using base64. Used when `.global.cnObExtSigningJwksUri` is set. + cnObExtSigningJwksKeyPassPhrase: "" + # -- Open banking external signing AS Alias. This is a kid value.Used in SSA Validation, kid used while encoding a JWT sent to token URL i.e XkwIzWy44xWSlcWnMiEc8iq9s2G + cnObExtSigningAlias: "" + # -- Open banking signing AS kid to force the AS to use a specific signing key. i.e Wy44xWSlcWnMiEc8iq9s2G + cnObStaticSigningKeyKid: "" + # -- Open banking AS transport crt. Used in SSA Validation. This must be encoded using base64. + cnObTransportCrt: "" + # -- Open banking AS transport key. Used in SSA Validation. This must be encoded using base64. + cnObTransportKey: "" + # -- Open banking AS transport key pas`sphrase to unlock AS transport key. This must be encoded using base64. + cnObTransportKeyPassPhrase: "" + # -- Open banking transport Alias used inside the JVM. + cnObTransportAlias: "" + # -- Open banking AS transport truststore crt. This is normally generated from the OB issuing CA, OB Root CA and Signing CA. Used when .global.cnObExtSigningJwksUri is set. Used in SSA Validation. This must be encoded using base64. + cnObTransportTrustStore: "" + config: + # -- Boolean flag to enable/disable the configuration chart. 
This normally should never be false + enabled: true + # -- The config backend adapter that will hold Gluu configuration layer. google|kubernetes + configAdapterName: kubernetes + # -- The config backend adapter that will hold Gluu secret layer. google|kubernetes + configSecretAdapter: kubernetes + # -- Base64 encoded service account. The sa must have roles/secretmanager.admin to use Google secrets and roles/spanner.databaseUser to use Spanner. + cnGoogleApplicationCredentials: /etc/jans/conf/google-credentials.json + config-api: + # -- Name of the config-api service. Please keep it as default. + configApiServerServiceName: config-api + # -- Boolean flag to enable/disable the config-api chart. + enabled: true + # -- App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. + appLoggers: + # -- configapi.log target + configApiLogTarget: "STDOUT" + # -- configapi.log level + configApiLogLevel: "INFO" + cr-rotate: + # -- Boolean flag to enable/disable the cr-rotate chart. + enabled: false + # -- Fully qualified domain name to be used for Gluu installation. This address will be used to reach Gluu services. + fqdn: demoexample.gluu.org + fido2: + # -- Name of the fido2 service. Please keep it as default. + fido2ServiceName: fido2 + # -- Boolean flag to enable/disable the fido2 chart. + enabled: false + # -- App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. + appLoggers: + # -- fido2.log target + fido2LogTarget: "STDOUT" + # -- fido2.log level + fido2LogLevel: "INFO" + # -- fido2_persistence.log target + persistenceLogTarget: "FILE" + # -- fido2_persistence.log level + persistenceLogLevel: "INFO" + # -- GCE storage kind if using Google disks + gcePdStorageType: pd-standard + # -- Boolean flag to enable mapping global.lbIp to global.fqdn inside pods on clouds that provide static ip for loadbalancers. 
On cloud that provide only addresses to the LB this flag will enable a script to actively scan config.configmap.lbAddr and update the hosts file inside the pods automatically. + isFqdnRegistered: false + istio: + # -- Boolean flag that enables using istio side cars with Gluu services. + enabled: false + # -- Boolean flag that enables using istio gateway for Gluu. This assumes istio ingress is installed and hence the LB is available. + ingress: false + # -- The namespace istio is deployed in. The is normally istio-system. + namespace: istio-system + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } + # -- The Loadbalancer IP created by nginx or istio on clouds that provide static IPs. This is not needed if `global.fqdn` is globally resolvable. + lbIp: 22.22.22.22 + nginx-ingress: + # -- Boolean flag to enable/disable the nginx-ingress definitions chart. + enabled: true + # -- Gluu distributions supported are: default|openbanking. + distribution: openbanking + persistence: + # -- Boolean flag to enable/disable the persistence chart. + enabled: true + scim: + # -- Name of the scim service. Please keep it as default. + scimServiceName: scim + # -- Boolean flag to enable/disable the SCIM chart. + enabled: false + # -- App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. 
+ appLoggers:
+ # -- jans-scim.log target
+ scimLogTarget: "STDOUT"
+ # -- jans-scim.log level
+ scimLogLevel: "INFO"
+ # -- jans-scim_persistence.log target
+ persistenceLogTarget: "FILE"
+ # -- jans-scim_persistence.log level
+ persistenceLogLevel: "INFO"
+ # -- jans-scim_persistence_duration.log target
+ persistenceDurationLogTarget: "FILE"
+ # -- jans-scim_persistence_duration.log level
+ persistenceDurationLogLevel: "INFO"
+ # -- jans-scim_persistence_ldap_statistics.log target
+ ldapStatsLogTarget: "FILE"
+ # -- jans-scim_persistence_ldap_statistics.log level
+ ldapStatsLogLevel: "INFO"
+ # -- jans-scim_script.log target
+ scriptLogTarget: "FILE"
+ # -- jans-scim_script.log level
+ scriptLogLevel: "INFO"
+ # -- StorageClass section for OpenDJ charts. This is not currently used by the openbanking distribution. You may specify custom parameters as needed.
+ storageClass:
+ allowVolumeExpansion: true
+ allowedTopologies: []
+ mountOptions:
+ - debug
+ # -- parameters:
+ #fsType: ""
+ #kind: ""
+ #pool: ""
+ #storageAccountType: ""
+ #type: ""
+ parameters: {}
+ provisioner: microk8s.io/hostpath
+ reclaimPolicy: Retain
+ volumeBindingMode: WaitForFirstConsumer
+ oxshibboleth:
+ # -- Boolean flag to enable/disable the oxShibbboleth chart. Not part of the openbanking distribution. Keep as default.This also enables SAML-related features; UI menu, etc. Not part of the openbanking distribution. Please leave this disabled.
+ enabled: false
+ opendj:
+ # -- Boolean flag to enable/disable the OpenDJ chart. Not part of the openbanking distribution. Keep as default.
+ enabled: false
+ admin-ui:
+ # -- Boolean flag to enable/disable the admin-ui chart and admin ui config api plugin.
+ enabled: false
+ upgrade:
+ # -- Boolean flag used when running upgrading through versions command.
+ enabled: false
+
+# -- Nginx ingress definitions chart
+nginx-ingress:
+ ingress:
+ # -- Enable Admin UI endpoints. COMING SOON.
+ adminUiEnabled: false
+ # -- Admin UI ingress resource labels. key app is taken.
+ adminUiLabels: { }
+ # -- openid-configuration ingress resource additional annotations.
+ adminUiAdditionalAnnotations: { }
+ # -- Enable endpoint /.well-known/openid-configuration
+ openidConfigEnabled: true
+ # -- openid-configuration ingress resource labels. key app is taken
+ openidConfigLabels: { }
+ # -- openid-configuration ingress resource additional annotations.
+ openidAdditionalAnnotations: { }
+ # -- Enable endpoint /.well-known/uma2-configuration
+ uma2ConfigEnabled: true
+ # -- uma2 config ingress resource labels. key app is taken
+ uma2ConfigLabels: { }
+ # -- uma2 config ingress resource additional annotations.
+ uma2AdditionalAnnotations: { }
+ # -- Enable endpoint /.well-known/webfinger
+ webfingerEnabled: true
+ # -- webfinger ingress resource labels. key app is taken
+ webfingerLabels: { }
+ # -- webfinger ingress resource additional annotations.
+ webfingerAdditionalAnnotations: { }
+ # -- Enable endpoint /.well-known/simple-web-discovery
+ webdiscoveryEnabled: true
+ # -- webdiscovery ingress resource labels. key app is taken
+ webdiscoveryLabels: { }
+ # -- webdiscovery ingress resource additional annotations.
+ webdiscoveryAdditionalAnnotations: { }
+ # Enable config API endpoints /jans-config-api
+ configApiEnabled: true
+ # -- configAPI ingress resource labels. key app is taken
+ configApiLabels: { }
+ # -- ConfigAPI ingress resource additional annotations.
+ configApiAdditionalAnnotations: { }
+ # -- Enable endpoint /.well-known/fido-configuration
+ u2fConfigEnabled: true
+ # -- u2f config ingress resource labels. key app is taken
+ u2fConfigLabels: { }
+ # -- u2f config ingress resource additional annotations.
+ u2fAdditionalAnnotations: { }
+ # -- Enable endpoint /.well-known/fido2-configuration
+ fido2ConfigEnabled: false
+ # -- fido2 config ingress resource labels.
key app is taken
+ fido2ConfigLabels: { }
+ # -- fido2 config ingress resource additional annotations.
+ fido2ConfigAdditionalAnnotations: { }
+ # -- Enable Auth server endpoints /jans-auth
+ authServerEnabled: true
+ # -- Auth server ingress resource labels. key app is taken
+ authServerLabels: { }
+ # -- Auth server ingress resource additional annotations.
+ authServerAdditionalAnnotations: { }
+ # -- Enable mTLS on Auth server endpoint /jans-auth/restv1/token
+ authServerProtectedToken: false
+ # -- Auth server protected token ingress resource labels. key app is taken
+ authServerProtectedTokenLabels: { }
+ # -- Auth server protected token ingress resource additional annotations.
+ authServerProtectedTokenAdditionalAnnotations: { }
+ # -- Enable mTLS onn Auth server endpoint /jans-auth/restv1/register
+ authServerProtectedRegister: false
+ # -- Auth server protected token ingress resource labels. key app is taken
+ authServerProtectedRegisterLabels: { }
+ # -- Auth server protected register ingress resource additional annotations.
+ authServerProtectedRegisterAdditionalAnnotations: { }
+ # -- Additional labels that will be added across all ingress definitions in the format of {mylabel: "myapp"}
+ additionalLabels: { }
+ # -- Additional annotations that will be added across all ingress definitions in the format of {cert-manager.io/issuer: "letsencrypt-prod"}
+ # Enable client certificate authentication
+ # nginx.ingress.kubernetes.io/auth-tls-verify-client: "optional"
+ # Create the secret containing the trusted ca certificates
+ # nginx.ingress.kubernetes.io/auth-tls-secret: "gluu/tls-certificate"
+ # Specify the verification depth in the client certificates chain
+ # nginx.ingress.kubernetes.io/auth-tls-verify-depth: "1"
+ # Specify if certificates are passed to upstream server
+ # nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "true"
+ additionalAnnotations: {}
+ path: /
+ hosts:
+ - demoexample.gluu.org
+ # -- Secrets holding HTTPS CA cert and key.
+ tls:
+ - secretName: tls-certificate
+ hosts:
+ - demoexample.gluu.org
+
+# -- Job to generate data and intial config for Gluu Server persistence layer.
+persistence:
+ # -- Add custom normal and secret envs to the service
+ usrEnvs:
+ # -- Add custom normal envs to the service
+ # variable1: value1
+ normal: {}
+ # -- Add custom secret envs to the service
+ # variable1: value1
+ secret: {}
+ # -- Add custom dns policy
+ dnsPolicy: ""
+ # -- Add custom dns config
+ dnsConfig: {}
+ image:
+ # -- Image pullPolicy to use for deploying.
+ pullPolicy: IfNotPresent
+ # -- Image to use for deploying.
+ repository: janssenproject/persistence-loader
+ # -- Image tag to use for deploying.
+ tag: 1.0.0-beta.16
+ # -- Image Pull Secrets
+ pullSecrets: [ ]
+ # -- Resource specs.
+ resources:
+ limits:
+ # -- CPU limit
+ cpu: 300m
+ # -- Memory limit.
+ memory: 300Mi
+ requests:
+ # -- CPU request.
+ cpu: 300m
+ # -- Memory request.
+ memory: 300Mi
+ # -- Configure any additional volumes that need to be attached to the pod
+ volumes: []
+ # -- Configure any additional volumesMounts that need to be attached to the containers
+ volumeMounts: []
+
+ # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"}
+ additionalLabels: { }
+ # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"}
+ additionalAnnotations: { }
diff --git a/charts/gluu/gluu/5.0.302/questions.yaml b/charts/gluu/gluu/5.0.302/questions.yaml
new file mode 100644
index 000000000..b9768fcbf
--- /dev/null
+++ b/charts/gluu/gluu/5.0.302/questions.yaml
@@ -0,0 +1,1287 @@
+questions:
+# ==================
+# Distribution group
+# ==================
+- variable: global.distribution
+ default: "openbanking"
+ required: true
+ type: enum
+ label: Gluu Distribution
+ description: "Gluu Distribution. Openbanking only contains Config-API and the Auth Server customized for Openbanking industry."
+ group: "Global Settings"
+ options:
+ - "default"
+ - "openbanking"
+
+# ========================
+# OpenBanking Distribution
+# ========================
+- variable: global.cnObExtSigningJwksUri
+ required: true
+ default: "https://keystore.openbankingtest.org.uk/keystore/openbanking.jwks"
+ description: "Open banking external signing jwks uri. Used in SSA Validation."
+ type: hostname
+ group: "OpenBanking Distribution"
+ label: Openbanking external signing JWKS URI
+ show_if: "global.distribution=openbanking"
+ subquestions:
+ - variable: global.cnObExtSigningJwksCrt
+ default: ""
+ required: true
+ group: "OpenBanking Distribution"
+ description: "Open banking external signing jwks AS certificate authority string. Used in SSA Validation. This must be encoded using base64.. Used when `.global.cnObExtSigningJwksUri` is set."
+ type: multiline
+ label: Open banking external signing jwks AS certificate authority string
+ - variable: global.cnObExtSigningJwksKey
+ default: ""
+ required: true
+ group: "OpenBanking Distribution"
+ description: "Open banking external signing jwks AS key string. Used in SSA Validation. This must be encoded using base64. Used when `.global.cnObExtSigningJwksUri` is set."
+ type: multiline
+ label: Open banking external signing jwks AS key string
+ - variable: global.cnObExtSigningJwksKeyPassPhrase
+ default: ""
+ required: true
+ group: "OpenBanking Distribution"
+ description: "Open banking external signing jwks AS key passphrase to unlock provided key. This must be encoded using base64. Used when `.global.cnObExtSigningJwksUri` is set."
+ type: password
+ label: Open banking external signing jwks AS key passphrase
+ min_length: 6
+ - variable: global.cnObExtSigningAlias
+ default: "XkwIzWy44xWSlcWnMiEc8iq9s2G"
+ required: true
+ group: "OpenBanking Distribution"
+ description: "Open banking external signing AS Alias. This is a kid value.Used in SSA Validation, kid used while encoding a JWT sent to token URL i.e XkwIzWy44xWSlcWnMiEc8iq9s2G"
+ type: string
+ label: Open banking external signing AS Alias
+- variable: global.cnObStaticSigningKeyKid
+ default: "Wy44xWSlcWnMiEc8iq9s2G"
+ required: true
+ group: "OpenBanking Distribution"
+ description: "Open banking signing AS kid to force the AS to use a specific signing key. i.e Wy44xWSlcWnMiEc8iq9s2G"
+ type: string
+ label: Open banking signing AS kid
+ show_if: "global.distribution=openbanking"
+- variable: global.cnObTransportAlias
+ default: ""
+ required: false
+ group: "OpenBanking Distribution"
+ description: "Open banking transport Alias used inside the JVM."
+ type: string
+ label: Open banking transport Alias used inside the JVM.
+ show_if: "global.distribution=openbanking"
+ subquestions:
+ - variable: global.cnObTransportCrt
+ default: ""
+ required: true
+ group: "OpenBanking Distribution"
+ description: "Open banking AS transport crt. Used in SSA Validation. This must be encoded using base64."
+ type: multiline
+ label: Open banking AS transport crt
+ - variable: global.cnObTransportKey
+ default: ""
+ required: true
+ group: "OpenBanking Distribution"
+ description: "Open banking AS transport key. Used in SSA Validation. This must be encoded using base64."
+ type: multiline
+ label: Open banking AS transport key
+ - variable: global.cnObTransportKeyPassPhrase
+ default: ""
+ required: true
+ group: "OpenBanking Distribution"
+ description: "Open banking AS transport key passphrase to unlock AS transport key. This must be encoded using base64."
+ type: password
+ label: Open banking AS transport key passphrase
+ min_length: 6
+ - variable: global.cnObTransportTrustStore
+ default: ""
+ required: true
+ group: "OpenBanking Distribution"
+ description: "Open banking AS transport truststore crt. This is normally generated from the OB issuing CA, OB Root CA and Signing CA. Used when .global.cnObExtSigningJwksUri is set. Used in SSA Validation. This must be encoded using base64."
+ type: multiline
+ label: Open banking external signing jwks AS certificate authority string
+
+# =======================
+# Optional Services group
+# =======================
+- variable: global.admin-ui.enabled
+ default: false
+ type: boolean
+ group: "Optional Services"
+ required: false
+ label: Boolean flag to enable/disable the admin-ui chart and admin ui config api plugin. This requires a license agreement with Gluu.
+ show_if: "global.distribution=default"
+ show_subquestion_if: true
+ subquestions:
+ - variable: global.admin-ui.adminUiApiKey
+ default: ""
+ required: true
+ description: "Admin UI license API key. Obtain this from Gluu."
+ type: multiline
+ label: Admin UI license API key. Obtain this from Gluu
+ - variable: global.admin-ui.adminUiProductCode
+ default: ""
+ required: true
+ description: "Admin UI license product code. Obtain this from Gluu."
+ type: multiline
+ label: Admin UI license product code. Obtain this from Gluu.
+ - variable: global.admin-ui.adminUiSharedKey
+ default: ""
+ required: true
+ description: "Admin UI license shared key. Obtain this from Gluu."
+ type: multiline
+ label: Admin UI license shared key. Obtain this from Gluu.
+ - variable: global.admin-ui.adminUiManagementKey
+ default: ""
+ required: true
+ description: "Admin UI license management key. Obtain this from Gluu."
+ type: multiline
+ label: Admin UI license management key. Obtain this from Gluu.
+- variable: global.auth-server-key-rotation.enabled
+ default: false
+ type: boolean
+ group: "Optional Services"
+ required: true
+ label: Enable Auth key rotation cronjob
+ show_if: "global.distribution=default"
+ show_subquestion_if: true
+ subquestions:
+ - variable: auth-server-key-rotation.keysLife
+ default: 48
+ description: "Auth server key rotation keys life in hours."
+ type: int
+ label: Key life
+- variable: global.fido2.enabled
+ default: false
+ type: boolean
+ group: "Optional Services"
+ required: true
+ show_if: "global.distribution=default"
+ label: Enable Fido2
+ description: "FIDO 2.0 (FIDO2) is an open authentication standard that enables leveraging common devices to authenticate to online services in both mobile and desktop environments."
+- variable: global.config-api.enabled
+ default: false
+ type: boolean
+ group: "Optional Services"
+ required: true
+ label: Enable ConfigAPI
+ description: "Config Api endpoints can be used to configure the auth-server, which is an open-source OpenID Connect Provider (OP) and UMA Authorization Server (AS)."
+- variable: global.casa.enabled
+ default: false
+ type: boolean
+ group: "Optional Services"
+ required: true
+ label: Enable Casa
+ description: "Gluu Casa ('Casa') is a self-service web portal for end-users to manage authentication and authorization preferences for their account in a Gluu Server."
+- variable: global.scim.enabled
+ default: false
+ type: boolean
+ group: "Optional Services"
+ required: true
+ show_if: "global.distribution=default"
+ label: Enable SCIM
+ description: "System for Cross-domain Identity Management (SCIM) version 2.0"
+- variable: global.client-api.enabled
+ default: false
+ type: boolean
+ group: "Optional Services"
+ required: true
+ label: Enable ClientAPI
+ show_if: "global.distribution=default"
+ description: "Middleware API to help application developers call an OAuth, OpenID or UMA server. You may wonder why this is necessary.
It makes it easier for client developers to use OpenID signing and encryption features, without becoming crypto experts. This API provides some high level endpoints to do some of the heavy lifting."
+ show_subquestion_if: true
+ subquestions:
+ - variable: config.configmap.cnClientApiApplicationCertCn
+ default: "client-api"
+ description: "Client API application keystore name"
+ type: string
+ label: Client API application keystore name
+ - variable: config.configmap.cnClientApiAdminCertCn
+ default: "client-api"
+ description: "Client API admin keystore name"
+ type: string
+ label: Client API admin keystore name
+- variable: global.jackrabbit.enabled
+ default: false
+ type: boolean
+ group: "Optional Services"
+ required: true
+ label: Enable Jackrabbit
+ show_if: "global.distribution=default"
+ show_subquestion_if: true
+ description: "Needed for SAML. Jackrabbit Oak is a complementary implementation of the JCR specification. It is an effort to implement a scalable and performant hierarchical content repository for use as the foundation of modern world-class web sites and other demanding content applications. https://jackrabbit.apache.org/jcr/index.html ."
+ subquestions:
+ - variable: jackrabbit.storage.size
+ default: "4Gi"
+ description: "Size of Jackrabbit content repository volume storage."
+ type: string
+ label: Volume storage
+ - variable: config.configmap.cnJackrabbitUrl
+ default: "http://jackrabbit:8080"
+ description: "Please enter jackrabbit url."
+ type: hostname
+ label: Jackrabbit URL
+ - variable: config.configmap.cnJackrabbitAdminId
+ default: "admin"
+ description: "Jackrabbit admin user"
+ type: string
+ label: Jackrabbit Admin User
+ valid_chars: "^[a-z]+$"
+ - variable: jackrabbit.secrets.cnJackrabbitAdminPassword
+ default: "Test1234#"
+ description: "Jackrabbit admin password"
+ type: password
+ label: Jackrabbit Admin User Password
+ min_length: 6
+- variable: installer-settings.jackrabbit.clusterMode
+ default: false
+ type: boolean
+ group: "Optional Services"
+ required: true
+ label: Enable Jackrabbit in Cluster Mode (HA)
+ show_if: "global.jackrabbit.enabled=true"
+ show_subquestion_if: true
+ description: "Requires postgres."
+ subquestions:
+ - variable: config.configmap.cnJackrabbitPostgresUser
+ default: "admin"
+ description: "Jackrabbit postgres user"
+ type: string
+ label: Jackrabbit postgres user
+ valid_chars: "^[a-z]+$"
+ - variable: jackrabbit.secrets.cnJackrabbitPostgresPassword
+ default: "admin"
+ description: "Jackrabbit postgres password"
+ type: password
+ label: Jackrabbit postgres password
+
+ - variable: config.configmap.cnJackrabbitPostgresDatabaseName
+ default: "jackrabbit"
+ description: "Jackrabbit postgres database name"
+ type: string
+ label: Jackrabbit postgres database name
+
+# ======================
+# Test environment group
+# ======================
+- variable: global.cloud.testEnviroment
+ default: false
+ type: boolean
+ group: "Test Environment"
+ required: true
+ label: Test environment
+ description: "Boolean flag if enabled will strip resources requests and limits from all services."
+
+# =================
+# Persistence group
+# =================
+- variable: global.cnPersistenceType
+ default: "sql"
+ required: true
+ type: enum
+ group: "Persistence"
+ label: Gluu Persistence backend
+ description: "Persistence backend to run Gluu with ldap|couchbase|hybrid|sql|spanner"
+ options:
+ - "ldap"
+ - "couchbase"
+ - "hybrid"
+ - "spanner"
+ - "sql"
+# LDAP
+- variable: global.opendj.enabled
+ default: false
+ type: boolean
+ group: "Persistence"
+ required: true
+ label: Enable installation of OpenDJ
+ description: "Boolean flag to enable/disable the OpenDJ chart."
+ show_if: "global.cnPersistenceType=ldap||global.cnPersistenceType=hybrid"
+- variable: config.configmap.cnLdapUrl
+ default: "opendj:1636"
+ type: hostname
+ group: "Persistence"
+ required: true
+ label: OpenDJ remote URL
+ description: "OpenDJ remote URL. This must be resolvable by the pods"
+ show_if: "global.opendj.enabled=false&&global.cnPersistenceType=ldap||global.cnPersistenceType=hybrid"
+- variable: config.configmap.cnPersistenceLdapMapping
+ default: "default"
+ required: false
+ type: enum
+ group: "Persistence"
+ label: Gluu Persistence LDAP mapping
+ description: "Specify data that should be saved in LDAP (one of default, user, cache, site, token, or session; default to default). Note this environment only takes effect when `global.cnPersistenceType` is set to `hybrid`."
+ options:
+ - "default"
+ - "user"
+ - "site"
+ - "cache"
+ - "token"
+ - "session"
+ show_if: "global.cnPersistenceType=hybrid"
+# Multi cluster ldap replication
+- variable: opendj.multiCluster.enabled
+ default: false
+ type: boolean
+ group: "Persistence"
+ required: true
+ label: Enable OpenDJ multiCluster mode
+ description: "Enable OpenDJ multiCluster mode.
This flag enables loading keys under `opendj.multiCluster`"
+ show_if: "global.opendj.enabled=true"
+ show_subquestion_if: true
+ subquestions:
+ - variable: opendj.multiCluster.serfAdvertiseAddrSuffix
+ default: "regional.gluu.org:30946s"
+ type: hostname
+ group: "Persistence"
+ required: true
+ description: "OpenDJ Serf advertise address suffix that will be added to each opendj replica. i.e RELEASE-NAME-opendj-regional-{{statefulset pod number}}-{{ $.Values.multiCluster.serfAdvertiseAddrSuffix }}"
+ label: OpenDJ Serf advertise address suffix
+ - variable: opendj.multiCluster.replicaCount
+ default: 1
+ type: int
+ group: "Persistence"
+ required: true
+ description: "The number of opendj non scalable statefulsets to create. Each pod created must be resolvable as it follows the patterm RELEASE-NAME-opendj-regional-{{statefulset pod number}}-{{ $.Values.multiCluster.serfAdvertiseAddrSuffix }} If set to 1, with a release name of gluu, the address of the pod would be gluu-opendj-regional-0-regional.gluu.org"
+ label: The number of opendj non scalable statefulsets to create.
+ - variable: opendj.multiCluster.clusterId
+ default: "west"
+ type: string
+ group: "Persistence"
+ required: true
+ description: "This id needs to be unique to each kubernetes cluster in a multi cluster setup; west, east, south, north, region ...etc If left empty it will be randomly generated."
+ label: Unique kubernetes cluster id
+ - variable: opendj.multiCluster.serfPeers
+ default: "['gluu-opendj-regional-0-regional.gluu.org:30946', 'gluu-opendj-regional-0-regional.gluu.org:31946']"
+ type: string
+ group: "Persistence"
+ required: true
+ description: "Serf peer addresses. One per replica."
+ label: Serf peer addresses
+# SQL
+- variable: config.configmap.cnSqlDbDialect
+ default: "default"
+ required: false
+ type: enum
+ group: "Persistence"
+ label: Gluu SQL Database dialect
+ description: "SQL database dialect. `mysql` or `pgsql`. The former is still not supported yet!"
+ options:
+ - "mysql"
+ - "pgsql"
+ show_if: "global.cnPersistenceType=sql"
+- variable: config.configmap.cnSqlDbHost
+ default: "my-release-mysql.default.svc.cluster.local"
+ required: false
+ type: hostname
+ group: "Persistence"
+ label: SQL database host uri
+ description: "SQL database host uri"
+ show_if: "global.cnPersistenceType=sql"
+- variable: config.configmap.cnSqlDbPort
+ default: 3306
+ required: false
+ type: int
+ group: "Persistence"
+ label: SQL database port
+ description: "SQL database port"
+ show_if: "global.cnPersistenceType=sql"
+- variable: config.configmap.cnSqlDbUser
+ default: "gluu"
+ group: "Persistence"
+ description: "SQL database username"
+ type: string
+ label: SQL database username
+ valid_chars: "^[a-z]+$"
+ show_if: "global.cnPersistenceType=sql"
+- variable: config.configmap.cnSqldbUserPassword
+ default: "Test1234#"
+ group: "Persistence"
+ description: "SQL password"
+ type: password
+ label: SQL password
+
+ show_if: "global.cnPersistenceType=sql"
+- variable: config.configmap.cnSqlDbName
+ default: "gluu"
+ group: "Persistence"
+ description: "SQL database name"
+ type: string
+ label: SQL database name
+ show_if: "global.cnPersistenceType=sql"
+# Spanner
+- variable: config.configmap.cnGoogleSpannerInstanceId
+ default: ""
+ group: "Persistence"
+ description: "The google spanner instance ID"
+ type: string
+ label: Google Spanner Instance ID
+ show_if: "global.cnPersistenceType=spanner"
+- variable: config.configmap.cnGoogleSpannerDatabaseId
+ default: ""
+ group: "Persistence"
+ description: "The google spanner database ID"
+ type: string
+ label: Google Spanner Database ID
+ show_if: "global.cnPersistenceType=spanner"
+- variable: config.configmap.cnGoogleSecretManagerServiceAccount
+ default: ""
+ group: "Persistence"
+ description: "The service account with access roles/secretmanager.admin to use Google secret manager and/or roles/spanner.databaseUser to use Spanner."
+ type: multiline
+ label: Google Spanner Service Account json
+ show_if: "global.cnPersistenceType=spanner"
+- variable: config.configmap.cnGoogleProjectId
+ default: ""
+ group: "Persistence"
+ description: "The Google Project ID"
+ type: string
+ label: Google Project ID
+ show_if: "global.cnPersistenceType=spanner"
+#Couchbase
+- variable: config.configmap.cnCouchbaseCrt
+ default: ""
+ group: "Persistence"
+ description: "Couchbase certificate authority string. This must be encoded using base64. This can also be found in your couchbase UI Security > Root Certificate. In mTLS setups this is not required."
+ type: multiline
+ label: Couchbase certificate authority string
+ show_if: "global.cnPersistenceType=couchbase||global.cnPersistenceType=hybrid"
+- variable: config.configmap.cnCouchbaseUrl
+ default: "gluu.cbns.svc.cluster.local"
+ required: false
+ type: hostname
+ group: "Persistence"
+ label: Couchbase host uri
+ description: "Couchbase URL. Used only when global.cnPersistenceType is hybrid or couchbase. This should be in FQDN format for either remote or local Couchbase clusters. The address can be an internal address inside the kubernetes cluster"
+ show_if: "global.cnPersistenceType=couchbase||global.cnPersistenceType=hybrid"
+- variable: config.configmap.cnCouchbaseBucketPrefix
+ default: "gluu"
+ type: string
+ description: "The prefix of couchbase buckets. This helps with separation in between different environments and allows for the same couchbase cluster to be used by different setups of Gluu."
+ group: "Persistence"
+ required: true
+ label: The prefix of Couchbase buckets
+ show_if: "global.cnPersistenceType=couchbase||global.cnPersistenceType=hybrid"
+- variable: config.configmap.cnCouchbaseIndexNumReplica
+ default: 0
+ type: int
+ description: "The number of replicas per index created. Please note that the number of index nodes must be one greater than the number of index replicas.
That means if your couchbase cluster only has 2 index nodes you cannot place the number of replicas to be higher than 1."
+ group: "Persistence"
+ required: true
+ label: The number of replicas per index created
+ show_if: "global.cnPersistenceType=couchbase||global.cnPersistenceType=hybrid"
+- variable: config.configmap.cnCouchbaseSuperUser
+ default: "admin"
+ group: "Persistence"
+ description: "he Couchbase super user (admin) user name. This user is used during initialization only."
+ type: string
+ label: The Couchbase super user (admin) user name.
+ valid_chars: "^[a-z]+$"
+ show_if: "global.cnPersistenceType=couchbase||global.cnPersistenceType=hybrid"
+- variable: config.configmap.cnCouchbaseSuperUserPassword
+ default: "Test1234#"
+ group: "Persistence"
+ description: "Couchbase password for the super user config.configmap.cnCouchbaseSuperUser that is used during the initialization and upgrade process. The password must contain one digit, one uppercase letter, one lower case letter and one symbol"
+ type: password
+ label: Couchbase password for the super users
+
+ show_if: "global.cnPersistenceType=couchbase||global.cnPersistenceType=hybrid"
+- variable: config.configmap.cnCouchbaseUser
+ default: "gluu"
+ group: "Persistence"
+ description: "Couchbase restricted user, used in Gluu operations with Couchbase. Used only when global.cnPersistenceType is hybrid or couchbase."
+ type: string
+ label: Couchbase restricted username
+ valid_chars: "^[a-z]+$"
+ show_if: "global.cnPersistenceType=couchbase||global.cnPersistenceType=hybrid"
+- variable: config.configmap.cnCouchbasePassword
+ default: "Test1234#"
+ group: "Persistence"
+ description: "Couchbase password for the restricted user config.configmap.cnCouchbaseUser that is often used inside the services. The password must contain one digit, one uppercase letter, one lower case letter and one symbol ."
+ type: password
+ label: Couchbase password for the restricted user
+ show_if: "global.cnPersistenceType=couchbase||global.cnPersistenceType=hybrid"
+
+# ==============================
+# StorageClass and volume group
+# ==============================
+- variable: global.storageClass.provisioner
+ default: "microk8s.io/hostpath"
+ type: string
+ group: "Volumes"
+ required: true
+ label: StorageClass provisioner
+ show_if: "global.cnPersistenceType=ldap||global.jackrabbit.enabled=true"
+ subquestions:
+ - variable: global.storageClass.allowVolumeExpansion
+ default: true
+ type: boolean
+ group: "Volumes"
+ required: true
+ label: StorageClass Volume expansion
+ - variable: global.storageClass.reclaimPolicy
+ default: "Retain"
+ type: enum
+ group: "Volumes"
+ required: true
+ label: StorageClass reclaimPolicy
+ options:
+ - "Delete"
+ - "Retain"
+ - variable: global.storageClass.volumeBindingMode
+ default: "WaitForFirstConsumer"
+ type: enum
+ group: "Volumes"
+ required: true
+ options:
+ - "WaitForFirstConsumer"
+ - "Immediate"
+ label: StorageClass volumeBindingMode
+
+# ===========
+# Cache group
+# ===========
+- variable: config.configmap.cnCacheType
+ default: "NATIVE_PERSISTENCE"
+ required: true
+ type: enum
+ group: "Cache"
+ label: Gluu Cache
+ description: "Cache type. `NATIVE_PERSISTENCE`, `REDIS`. or `IN_MEMORY`. Defaults to `NATIVE_PERSISTENCE` ."
+ options:
+ - "NATIVE_PERSISTENCE"
+ - "IN_MEMORY"
+ - "REDIS"
+ show_subquestion_if: "REDIS"
+ subquestions:
+ - variable: config.configmap.cnRedisType
+ default: "STANDALONE"
+ type: enum
+ group: "Cache"
+ required: false
+ label: Redix service type
+ description: "Redis service type. `STANDALONE` or `CLUSTER`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`."
+ options:
+ - "STANDALONE"
+ - "CLUSTER"
+ - variable: config.redisPassword
+ default: "Test1234#"
+ type: password
+ group: "Cache"
+ required: false
+ label: Redis admin password
+ description: "Redis admin password if `config.configmap.cnCacheType` is set to `REDIS`."
+
+ - variable: config.configmap.cnRedisUrl
+ default: "redis.redis.svc.cluster.local:6379"
+ required: false
+ type: hostname
+ group: "Cache"
+ label: Redis URL
+ description: "Redis URL and port number :. Can be used when `config.configmap.cnCacheType` is set to `REDIS`."
+
+# ==================
+# Configuration group
+# ==================
+- variable: global.fqdn
+ default: "demoexample.gluu.org"
+ required: true
+ type: hostname
+ group: "Configuration"
+ label: Gluu Installation FQDN
+ description: "Fully qualified domain name to be used for Gluu installation. This address will be used to reach Gluu services."
+- variable: global.countryCode
+ default: "US"
+ required: true
+ type: string
+ group: "Configuration"
+ label: Country code
+ description: "Country code. Used for certificate creation."
+- variable: config.state
+ default: "TX"
+ required: true
+ type: string
+ group: "Configuration"
+ label: State code
+ description: "State code. Used for certificate creation."
+- variable: config.city
+ default: "Austin"
+ required: true
+ type: string
+ group: "Configuration"
+ label: City
+ description: "City. Used for certificate creation."
+- variable: config.email
+ default: "support@gluu.org"
+ required: true
+ type: string
+ group: "Configuration"
+ label: Email
+ description: "Email address of the administrator usually. Used for certificate creation."
+- variable: config.orgName
+ default: "Gluu"
+ required: true
+ type: string
+ group: "Configuration"
+ label: Organization
+ description: "Organization name. Used for certificate creation."
+- variable: config.adminPassword
+ default: "Test1234#"
+ type: password
+ group: "Configuration"
+ required: true
+ label: Admin UI password
+ description: "Admin password to log in to the UI."
+
+- variable: config.ldapPassword
+ default: "Test1234#"
+ type: password
+ group: "Configuration"
+ required: true
+ label: LDAP password
+ description: "LDAP admin password if OpenDJ is used for persistence"
+ show_if: "global.cnPersistenceType=ldap||global.cnPersistenceType=hybrid"
+
+- variable: global.isFqdnRegistered
+ default: true
+ required: true
+ type: boolean
+ group: "Configuration"
+ label: Is the FQDN globally resolvable
+ description: "Boolean flag to enable mapping global.lbIp to global.fqdn inside pods on clouds that provide static ip for loadbalancers. On cloud that provide only addresses to the LB this flag will enable a script to actively scan config.configmap.lbAddr and update the hosts file inside the pods automatically."
+- variable: config.migration.enabled
+ default: false
+ required: true
+ type: boolean
+ group: "Configuration"
+ label: Migration from Gluu CE
+ description: "Boolean flag to enable migration from CE"
+ show_subquestion_if: true
+ subquestions:
+ - variable: config.migration.migrationDataFormat
+ default: "ldif"
+ type: enum
+ group: "Configuration"
+ required: false
+ label: Migration data-format
+ description: "Migration data-format depending on persistence backend."
+ options:
+ - "ldif"
+ - "couchbase+json"
+ - "spanner+avro"
+ - "postgresql+json"
+ - "mysql+json"
+ - variable: config.migration.migrationDir
+ default: "/ce-migration"
+ required: false
+ type: string
+ group: "Configuration"
+ label: Migration Directory
+ description: "Directory holding all migration files"
+
+# ===========================
+# Ingress group(Istio, NGINX)
+# ===========================
+
+# ===========
+# Istio group
+# ===========
+- variable: global.istio.enabled
+ default: false
+ type: boolean
+ group: "Istio"
+ required: true
+ description: "Boolean flag that enables using istio side cars with Gluu services."
+ label: Use Istio side cars
+ show_subquestion_if: true
+ subquestions:
+ - variable: global.istio.ingress
+ default: false
+ type: boolean
+ group: "Istio"
+ required: true
+ description: "Boolean flag that enables using istio gateway for Gluu. This assumes istio ingress is installed and hence the LB is available."
+ label: Use Istio Ingress
+ - variable: global.istio.namespace
+ default: "istio-system"
+ type: string
+ group: "Istio"
+ required: true
+ description: "Boolean flag that enables using istio gateway for Gluu. This assumes istio ingress is installed and hence the LB is available."
+ label: Istio namespace
+ - variable: config.configmap.lbAddr
+ default: ""
+ group: "Istio"
+ description: "Istio loadbalancer address (eks) or ip (gke, aks, digital ocean, local)"
+ type: hostname
+ label: LB address or ip
+
+# ===========
+# NGINX group
+# ===========
+- variable: config.configmap.lbAddr
+ default: ""
+ group: "NGINX"
+ show_if: "global.istio.ingress=false&&global.isFqdnRegistered=false"
+ description: "loadbalancer address (eks) or ip (gke, aks, digital ocean, local)"
+ type: hostname
+ label: LB address or ip
+- variable: nginx-ingress.ingress.adminUiEnabled
+ default: false
+ type: boolean
+ group: "NGINX"
+ required: false
+ show_if: "global.istio.ingress=false"
+ description: "Enable Admin UI endpoints."
+ label: Enable Admin UI endpoints
+ subquestions:
+ - variable: nginx-ingress.ingress.openidConfigEnabled
+ default: true
+ type: boolean
+ group: "NGINX"
+ required: true
+ description: "Enable endpoint /.well-known/openid-configuration"
+ label: Enable endpoint /.well-known/openid-configuration
+ - variable: nginx-ingress.ingress.deviceCodeEnabled
+ default: true
+ type: boolean
+ group: "NGINX"
+ required: true
+ description: "Enable endpoint /device-code"
+ label: Enable endpoint /device-code
+ - variable: nginx-ingress.ingress.firebaseMessagingEnabled
+ default: true
+ type: boolean
+ group: "NGINX"
+ required: true
+ description: "Enable endpoint /firebase-messaging-sw.js"
+ label: Enable endpoint /firebase-messaging-sw.js
+ - variable: nginx-ingress.ingress.uma2ConfigEnabled
+ default: true
+ type: boolean
+ group: "NGINX"
+ required: true
+ description: "Enable endpoint /.well-known/uma2-configuration"
+ label: Enable endpoint /.well-known/uma2-configuration
+ - variable: nginx-ingress.ingress.webfingerEnabled
+ default: true
+ type: boolean
+ group: "NGINX"
+ required: true
+ description: "Enable endpoint /.well-known/webfinger"
+ label: Enable endpoint /.well-known/webfinger
+ - variable: nginx-ingress.ingress.webdiscoveryEnabled
+ default: true
+ type: boolean
+ group: "NGINX"
+ required: true
+ description: "Enable endpoint /.well-known/simple-web-discovery"
+ label: Enable endpoint /.well-known/simple-web-discovery
+ - variable: nginx-ingress.ingress.configApiEnabled
+ default: true
+ type: boolean
+ group: "NGINX"
+ required: true
+ description: "Enable config API endpoints /jans-config-api"
+ label: Enable config API endpoints /jans-config-api
+ - variable: nginx-ingress.ingress.u2fConfigEnabled
+ default: true
+ type: boolean
+ group: "NGINX"
+ required: true
+ description: "Enable endpoint /.well-known/fido-configuration"
+ label: Enable endpoint /.well-known/fido-configuration
+ - variable: nginx-ingress.ingress.authServerEnabled
+ default: true
+ type: boolean
+ group: "NGINX"
+ required: true
+ description: "Enable Auth server endpoints /jans-auth"
+ label: Enable Auth server endpoints /jans-auth
+- variable: nginx-ingress.ingress.fido2ConfigEnabled
+ default: false
+ type: boolean
+ group: "NGINX"
+ show_if: "global.distribution=default&&global.istio.ingress=false&&global.fido2.enabled=true"
+ required: true
+ description: "Enable endpoint /.well-known/fido2-configuration. Enable this!"
+ label: Enable endpoint /.well-known/fido2-configuration
+- variable: nginx-ingress.ingress.casaEnabled
+ default: false
+ type: boolean
+ group: "NGINX"
+ show_if: "global.distribution=default&&global.istio.ingress=false&&global.casa.enabled=true"
+ required: true
+ description: "Enable endpoint /casa. Enable this!"
+ label: Enable endpoint /casa Enable this!
+- variable: nginx-ingress.ingress.authServerProtectedToken
+ default: true
+ type: boolean
+ group: "NGINX"
+ show_if: "global.distribution=openbanking&&global.istio.ingress=false"
+ required: true
+ description: "Enable mTLS on Auth server endpoint /jans-auth/restv1/token"
+ label: Enable mTLS on Auth server endpoint /jans-auth/restv1/token
+- variable: nginx-ingress.ingress.authServerProtectedRegister
+ default: true
+ type: boolean
+ group: "NGINX"
+ show_if: "global.distribution=openbanking&&global.istio.ingress=false"
+ required: true
+ description: "Enable mTLS on Auth server endpoint /jans-auth/restv1/register"
+ label: Enable mTLS onn Auth server endpoint /jans-auth/restv1/register
+- variable: nginx-ingress.ingress.scimConfigEnabled
+ default: false
+ type: boolean
+ group: "NGINX"
+ show_if: "global.distribution=default&&global.istio.ingress=false&&global.scim.enabled=true"
+ required: true
+ description: "Enable endpoint /.well-known/scim-configuration. Enable this!"
+ label: Enable endpoint /.well-known/scim-configuration. Enable this!
+- variable: nginx-ingress.ingress.scimEnabled
+ default: false
+ type: boolean
+ group: "NGINX"
+ show_if: "global.distribution=default&&global.istio.ingress=false&&global.scim.enabled=true"
+ required: true
+ description: "Enable SCIM endpoints /jans-scim. Enable this!"
+ label: Enable SCIM endpoints /jans-scim. Enable this!
+
+# ============
+# Images group
+# ============
+# AuthServer
+- variable: auth-server.image.repository
+ required: true
+ type: string
+ default: "janssenproject/auth-server"
+ description: "The Auth Server Image repository"
+ label: Auth Server image repo
+ group: "Images"
+ show_if: "global.auth-server.enabled=true"
+- variable: auth-server.image.pullPolicy
+ required: true
+ type: enum
+ group: "Images"
+ default: IfNotPresent
+ description: "The Auth Server Image pull policy"
+ label: Auth Server imagePullPolicy
+ options:
+ - "Always"
+ - "IfNotPresent"
+ - "Never"
+ show_if: "global.auth-server.enabled=true"
+- variable: auth-server.image.tag
+ required: true
+ type: string
+ default: "1.0.0-beta.16"
+ description: "The Auth Server Image tag"
+ label: Auth Server image tag
+ group: "Images"
+ show_if: "global.auth-server.enabled=true"
+# AdminUI
+- variable: admin-ui.image.repository
+ required: true
+ type: string
+ default: "gluufederation/admin-ui"
+ description: "The AdminUI Image repository"
+ label: The AdminUI Image repository
+ group: "Images"
+ show_if: "global.admin-ui.enabled=true"
+- variable: admin-ui.image.pullPolicy
+ required: true
+ type: enum
+ group: "Images"
+ default: IfNotPresent
+ description: "The AdminUI Image pull policy"
+ label: AdminUI imagePullPolicy
+ options:
+ - "Always"
+ - "IfNotPresent"
+ - "Never"
+ show_if: "global.admin-ui.enabled=true"
+- variable: admin-ui.image.tag
+ required: true
+ type: string
+ default: "1.0.0-0"
+ description: "The AdminUI Image tag"
+ label: AdminUI image tag
+ group: "Images"
+ show_if: "global.admin-ui.enabled=true"
+# AuthServer KeyRotation
+- variable: auth-server-key-rotation.image.repository
+ required: true
+ type: string
+ default: "janssenproject/certmanager"
+ description: "The Auth Server KeyRotation Image repository"
+ label: Auth Server KeyRotation image repo
+ group: "Images"
+ show_if: "global.auth-server-key-rotation.enabled=true"
+- variable: auth-server-key-rotation.image.pullPolicy
+ required: true
+ type: enum
+ group: "Images"
+ default: IfNotPresent
+ description: "The Auth Server KeyRotation Image pull policy"
+ label: Auth Server KeyRotation imagePullPolicy
+ options:
+ - "Always"
+ - "IfNotPresent"
+ - "Never"
+ show_if: "global.auth-server-key-rotation.enabled=true"
+- variable: auth-server-key-rotation.image.tag
+ required: true
+ type: string
+ default: "1.0.0-beta.16"
+ description: "The Auth Server Image tag"
+ label: Auth Server KeyRotation image tag
+ group: "Images"
+ show_if: "global.auth-server-key-rotation.enabled=true"
+# Casa
+- variable: casa.image.repository
+ required: true
+ type: string
+ default: "gluufederation/casa"
+ description: "The Casa Image repository"
+ label: Casa image repo
+ group: "Images"
+ show_if: "global.casa.enabled=true"
+- variable: casa.image.pullPolicy
+ required: true
+ type: enum
+ group: "Images"
+ default: IfNotPresent
+ description: "The Casa Image pull policy"
+ label: Casa imagePullPolicy
+ options:
+ - "Always"
+ - "IfNotPresent"
+ - "Never"
+ show_if: "global.casa.enabled=true"
+- variable: casa.image.tag
+ required: true
+ type: string
+ default: "5.0.0-0"
+ description: "The Casa Image tag"
+ label: Casa image tag
+ group: "Images"
+ show_if: "global.casa.enabled=true"
+# ClientAPI
+- variable: client-api.image.repository
+ required: true
+ type: string
+ default: "janssenproject/client-api"
+ description: "The ClientAPI Image repository"
+ label: ClientAPI image repo
+ group: "Images"
+ show_if: "global.client-api.enabled=true"
+- variable: client-api.image.pullPolicy
+ required: true
+ type: enum
+ group: "Images"
+ default: IfNotPresent
+ description: "The ClientAPI Image pull policy"
+ label: ClientAPI imagePullPolicy
+ options:
+ - "Always"
+ - "IfNotPresent"
+ - "Never"
+ show_if: "global.client-api.enabled=true"
+- variable: client-api.image.tag
+ required: true
+ type: string
+ default: "1.0.0-beta.16"
+ description: "The ClientAPI Image tag"
+ label: ClientAPI image tag
+ group: "Images"
+ show_if: "global.client-api.enabled=true"
+# Configurator
+- variable: config.image.repository
+ required: true
+ type: string
+ default: "janssenproject/configurator"
+ description: "The Configurator Image repository"
+ label: Configurator image repo
+ group: "Images"
+ show_if: "global.config.enabled=true"
+- variable: config.image.pullPolicy
+ required: true
+ type: enum
+ group: "Images"
+ default: IfNotPresent
+ description: "The Configurator Image pull policy"
+ label: Configurator imagePullPolicy
+ options:
+ - "Always"
+ - "IfNotPresent"
+ - "Never"
+ show_if: "global.config.enabled=true"
+- variable: config.image.tag
+ required: true
+ type: string
+ default: "1.0.0-beta.16"
+ description: "The Configurator Image tag"
+ label: Configurator image tag
+ group: "Images"
+ show_if: "global.config.enabled=true"
+# ConfigAPI
+- variable: config-api.image.repository
+ required: true
+ type: string
+ default: "janssenproject/config-api"
+ description: "The ConfigAPI Image repository"
+ label: ConfigAPI image repo
+ group: "Images"
+ show_if: "global.config-api.enabled=true"
+- variable: config-api.image.pullPolicy
+ required: true
+ type: enum
+ group: "Images"
+ default: IfNotPresent
+ description: "The ConfigAPI Image pull policy"
+ label: ConfigAPI imagePullPolicy
+ options:
+ - "Always"
+ - "IfNotPresent"
+ - "Never"
+ show_if: "global.config-api.enabled=true"
+- variable: config-api.image.tag
+ required: true
+ type: string
+ default: "1.0.0-beta.16"
+ description: "The ConfigAPI Image tag"
+ label: ConfigAPI image tag
+ group: "Images"
+ show_if: "global.config-api.enabled=true"
+# Fido2
+- variable: fido2.image.repository
+ required: true
+ type: string
+ default: "janssenproject/fido2"
+ description: "The Fido2 Image repository"
+ label: Fido2 image repo
+ group: "Images"
+ show_if: "global.fido2.enabled=true"
+- variable: fido2.image.pullPolicy
+ required: true
+ type: enum
+ group: "Images"
+ default: IfNotPresent
+ description: "The Fido2 Image pull policy"
+ label: Fido2 imagePullPolicy
+ options:
+ - "Always"
+ - "IfNotPresent"
+ - "Never"
+ show_if: "global.fido2.enabled=true"
+- variable: fido2.image.tag
+ required: true
+ type: string
+ default: "1.0.0-beta.16"
+ description: "The Fido2 Image tag"
+ label: Fido2 image tag
+ group: "Images"
+ show_if: "global.fido2.enabled=true"
+# Jackrabbit
+- variable: jackrabbit.image.repository
+ required: true
+ type: string
+ default: "janssenproject/jackrabbit"
+ description: "The Jackrabbit Image repository"
+ label: Jackrabbit image repo
+ group: "Images"
+ show_if: "global.jackrabbit.enabled=true"
+- variable: jackrabbit.image.pullPolicy
+ required: true
+ type: enum
+ group: "Images"
+ default: IfNotPresent
+ description: "The Jackrabbit Image pull policy"
+ label: Jackrabbit imagePullPolicy
+ options:
+ - "Always"
+ - "IfNotPresent"
+ - "Never"
+ show_if: "global.jackrabbit.enabled=true"
+- variable: jackrabbit.image.tag
+ required: true
+ type: string
+ default: "1.0.0-beta.16"
+ description: "The Jackrabbit Image tag"
+ label: Jackrabbit image tag
+ group: "Images"
+ show_if: "global.jackrabbit.enabled=true"
+# OpenDJ
+- variable: opendj.image.repository
+ required: true
+ type: string
+ default: "gluufederation/opendj"
+ description: "The OpenDJ Image repository"
+ label: OpenDJ image repo
+ group: "Images"
+ show_if: "global.opendj.enabled=true"
+- variable: opendj.image.pullPolicy
+ required: true
+ type: enum
+ group: "Images"
+ default: IfNotPresent
+ description: "The OpenDJ Image pull policy"
+ label: OpenDJ imagePullPolicy
+ options:
+ - "Always"
+ - "IfNotPresent"
+ - "Never"
+ show_if: "global.opendj.enabled=true"
+- variable: opendj.image.tag
+ required: true
+ type: string
+ default: "5.0.0_dev"
+ description: "The OpenDJ Image tag"
+ label: OpenDJ image tag
+ group: "Images"
+ show_if: "global.opendj.enabled=true"
+# Persistence
+- variable: persistence.image.repository
+ required: true
+ type: string
+ default: "janssenproject/persistence-loader"
+ description: "The Persistence Image repository"
+ label: Persistence image repo
+ group: "Images"
+ show_if: "global.persistence.enabled=true"
+- variable: persistence.image.pullPolicy
+ required: true
+ type: enum
+ group: "Images"
+ default: IfNotPresent
+ description: "The Persistence Image pull policy"
+ label: Persistence imagePullPolicy
+ options:
+ - "Always"
+ - "IfNotPresent"
+ - "Never"
+ show_if: "global.persistence.enabled=true"
+- variable: persistence.image.tag
+ required: true
+ type: string
+ default: "1.0.0-beta.16"
+ description: "The Persistence Image tag"
+ label: Persistence image tag
+ group: "Images"
+ show_if: "global.persistence.enabled=true"
+# SCIM
+- variable: scim.image.repository
+ required: true
+ type: string
+ default: "janssenproject/scim"
+ description: "The SCIM Image repository"
+ label: SCIM image repo
+ group: "Images"
+ show_if: "global.scim.enabled=true"
+- variable: scim.image.pullPolicy
+ required: true
+ type: enum
+ group: "Images"
+ default: IfNotPresent
+ description: "The SCIM Image pull policy"
+ label: SCIM imagePullPolicy
+ options:
+ - "Always"
+ - "IfNotPresent"
+ - "Never"
+ show_if: "global.scim.enabled=true"
+- variable: scim.image.tag
+ required: true
+ type: string
+ default: "1.0.0-beta.16"
+ description: "The SCIM Image tag"
+ label: SCIM image tag
+ group: "Images"
+ show_if: "global.scim.enabled=true"
+
+# ==============
+# Replicas group
+# ==============
+# AuthServer
+- variable: auth-server.replicas
+ default: 1
+ required: false
+ type: int
+ group: "Replicas"
+ label: Auth-server Replicas
+ description: "Service replica number."
+ show_if: "global.auth-server.enabled=true"
+# Casa
+- variable: casa.replicas
+ default: 1
+ required: false
+ type: int
+ group: "Replicas"
+ label: Casa Replicas
+ description: "Service replica number."
+ show_if: "global.auth-server.enabled=true"
+# ClientAPI
+- variable: client-api.replicas
+ default: 1
+ required: false
+ type: int
+ group: "Replicas"
+ label: ClientAPI Replicas
+ description: "Service replica number."
+ show_if: "global.client-api.enabled=true"
+# ConfigAPI
+- variable: config-api.replicas
+ default: 1
+ required: false
+ type: int
+ group: "Replicas"
+ label: ConfigAPI Replicas
+ description: "Service replica number."
+ show_if: "global.config-api.enabled=true"
+# AdminUi
+- variable: admin-ui.replicas
+ default: 1
+ required: false
+ type: int
+ group: "Replicas"
+ label: Admin UI Replicas
+ description: "Service replica number."
+ show_if: "global.admin-ui.enabled=true"
+# Fido2
+- variable: fido2.replicas
+ default: 1
+ required: false
+ type: int
+ group: "Replicas"
+ label: Fido2 Replicas
+ description: "Service replica number."
+ show_if: "global.fido2.enabled=true"
+# Jackrabbit
+- variable: jackrabbit.replicas
+ default: 1
+ required: false
+ type: int
+ group: "Replicas"
+ label: Jackrabbit Replicas
+ description: "Service replica number."
+ show_if: "global.jackrabbit.enabled=true"
+# OpenDJ
+- variable: opendj.replicas
+ default: 1
+ required: false
+ type: int
+ group: "Replicas"
+ label: OpenDJ Replicas
+ description: "Service replica number."
+ show_if: "global.opendj.enabled=true&&opendj.multiCluster.enabled=false"
+# SCIM
+- variable: scim.replicas
+ default: 1
+ required: false
+ type: int
+ group: "Replicas"
+ label: SCIM Replicas
+ description: "Service replica number."
+ show_if: "global.scim.enabled=true"
+
diff --git a/charts/gluu/gluu/5.0.302/templates/_helpers.tpl b/charts/gluu/gluu/5.0.302/templates/_helpers.tpl
new file mode 100644
index 000000000..c5b8d3d30
--- /dev/null
+++ b/charts/gluu/gluu/5.0.302/templates/_helpers.tpl
@@ -0,0 +1,32 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "cn.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "cn.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "cn.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
diff --git a/charts/gluu/gluu/5.0.302/values.schema.json b/charts/gluu/gluu/5.0.302/values.schema.json
new file mode 100644
index 000000000..6bafcf228
--- /dev/null
+++ b/charts/gluu/gluu/5.0.302/values.schema.json
@@ -0,0 +1,3068 @@
+{
+ "$schema":"https://json-schema.org/draft/2020-12/schema#",
+ "type":"object",
+ "properties":{
+ "admin-ui":{
+ "description":"Admin GUI for configuration of the auth-server",
+ "type":"object",
+ "properties":{
+
+ }
+ },
+ "auth-server":{
+ "description":"OAuth Authorization Server, the OpenID Connect Provider, the UMA Authorization Server--this is the main Internet facing component of Gluu. It's the service that returns tokens, JWT's and identity assertions. This service must be Internet facing.",
+ "type":"object",
+ "properties":{
+
+ }
+ },
+ "auth-server-key-rotation":{
+ "description":"Responsible for regenerating auth-keys per x hours",
+ "type":"object",
+ "properties":{
+
+ }
+ },
+ "casa":{
+ "description":"Gluu Casa (\"Casa\") is a self-service web portal for end-users to manage authentication and authorization preferences for their account in a Gluu Server.",
+ "type":"object",
+ "properties":{
+
+ }
+ },
+ "client-api":{
+ "description":"Middleware API to help application developers call an OAuth, OpenID or UMA server. You may wonder why this is necessary. It makes it easier for client developers to use OpenID signing and encryption features, without becoming crypto experts. This API provides some high level endpoints to do some of the heavy lifting.",
+ "type":"object",
+ "properties":{
+
+ }
+ },
+ "config":{
+ "description":"Configuration parameters for setup and initial configuration secret annd config layers used by Gluu services.",
+ "type":"object",
+ "properties":{
+ "adminPass":{
+ "description":"Admin password to login to the UI",
+ "$ref":"#/definitions/password"
+ },
+ "city":{
+ "description":"City of the company or individual. Used in generating the self-signed certificate",
+ "type":"string",
+ "pattern":"^[a-zA-Z]+$"
+ },
+ "configmap":{
+ "description":"Configuration parameters mapped to envs in a ConfigMap",
+ "type":"object",
+ "properties":{
+ "cnSqlDbDialect":{
+ "description":"SQL dialect",
+ "type":"string",
+ "pattern":"^(mysql)$"
+ },
+ "cnSqlDbHost":{
+ "description":"SQL server address or ip",
+ "anyOf":[
+ {
+ "$ref":"#/definitions/url-pattern"
+ },
+ {
+ "$ref":"#/definitions/ip-pattern"
+ }
+ ]
+ },
+ "cnSqlDbPort":{
+ "description":"SQL server port",
+ "type":"integer"
+ },
+ "cnSqlDbName":{
+ "description":"SQL server database name for Jans",
+ "type":"string",
+ "pattern":"^[a-z-0-9]+$"
+ },
+ "cnSqlDbUser":{
+ "description":"SQL database Jans username",
+ "type":"string",
+ "pattern":"^[a-z-0-9]+$"
+ },
+ "cnSqlDbTimezone":{
+ "description":"SQL database timezone",
+ "type":"string",
+ "pattern":"^(GMT|UTC|ECT|EET|ART|EAT|MET|NET|PLT|IST|BST|VST|CTT|JST|ACT|AET|SST|NST|MIT|HST|AST|PST|PNT|MST|CST|EST|IET|PRT|CNT|AGT|BET|CAT)$"
+ },
+ "cnSqldbUserPassword":{
+ "description":"Password for user config.configmap.cnSqlDbUser.",
+ "$ref":"#/definitions/password"
+ },
+ "cnCacheType":{
+ "description":"Cache type. NATIVE_PERSISTENCE, REDIS. or IN_MEMORY. Defaults to NATIVE_PERSISTENCE",
+ "type":"string",
+ "pattern":"^(NATIVE_PERSISTENCE|REDIS|IN_MEMORY)$"
+ },
+ "cnClientApiAdminCertCn":{
+ "description":"Client-api OAuth client admin certificate common name. This should be left to the default value client-api",
+ "type":"string",
+ "pattern":"^[a-z-]+$"
+ },
+ "cnClientApiApplicationCertCn":{
+ "description":"Client-api OAuth client application certificate common name. This should be left to the default value client-api",
+ "type":"string",
+ "pattern":"^[a-z-]+$"
+ },
+ "cnClientApiBindIpAddresses":{
+ "description":"Client-api bind address. This limits what ip ranges can access the client-api. This should be left as * and controlled by a NetworkPolicy",
+ "$ref":"#/definitions/ip-pattern"
+ },
+ "cnConfigKubernetesConfigMap":{
+ "description":"The name of the ConfigMap that will hold the configuration layer",
+ "type":"string",
+ "pattern":"^[a-z]+$"
+ },
+ "cnCouchbaseBucketPrefix":{
+ "description":"The prefix of couchbase buckets. This helps with separation in between different environments and allows for the same couchbase cluster to be used by different setups of Gluu.",
+ "type":"string",
+ "pattern":"^[a-z]+$"
+ },
+ "cnCouchbaseCrt":{
+ "description":"Couchbase certificate authority string. This must be encoded using base64. This can also be found in your couchbase UI Security > Root Certificate. In mTLS setups this is not required.",
+ "type":"string",
+ "pattern":"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$"
+ },
+ "cnCouchbaseIndexNumReplica":{
+ "description":"The number of replicas per index created. Please note that the number of index nodes must be one greater than the number of index replicas. That means if your couchbase cluster only has 2 index nodes you cannot place the number of replicas to be higher than 1.",
+ "type":"integer"
+ },
+ "cnCouchbasePass":{
+ "description":"Couchbase password for the restricted user config.configmap.cnCouchbaseUser that is often used inside the services. The password must contain one digit, one uppercase letter, one lower case letter and one symbol ",
+ "$ref":"#/definitions/password"
+ },
+ "cnCouchbaseSuperUser":{
+ "description":"The Couchbase super user (admin) user name. This user is used during initialization only.",
+ "type":"string",
+ "pattern":"^[a-z]+$"
+ },
+ "cnCouchbaseSuperUserPass":{
+ "description":"Couchbase password for the super user config.configmap.cnCouchbaseSuperUser that is used during the initialization process. The password must contain one digit, one uppercase letter, one lower case letter and one symbol ",
+ "$ref":"#/definitions/password"
+ },
+ "cnCouchbaseSuperUserPassFile":{
+ "description":"The location of the Couchbase restricted user config.configmap.cnCouchbaseSuperUser password. The file path must end with couchbase_superuser_password.",
+ "type":"string",
+ "pattern":".*couchbase_superuser_password\\b.*"
+ },
+ "cnCouchbaseUrl":{
+ "description":"Couchbase URL. Used only when global.cnPersistenceType is hybrid or couchbase. This should be in FQDN format for either remote or local Couchbase clusters. The address can be an internal address inside the kubernetes cluster",
+ "$ref":"#/definitions/fqdn-pattern"
+ },
+ "cnCouchbaseUser":{
+ "description":"Couchbase restricted user. Used only when global.cnPersistenceType is hybrid or couchbase.",
+ "type":"string",
+ "pattern":"^[a-z]+$"
+ },
+ "cnGoogleSecretManagerServiceAccount":{
+ "description":"Service account with roles roles/secretmanager.admin base64 encoded string. This is used often inside the services to reach the configuration layer. Used only when global.configAdapterName and global.configSecretAdapter is set to google.",
+ "type":"string",
+ "pattern":"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$"
+ },
+ "cnGoogleProjectId":{
+ "description":"Project id of the google project the secret manager belongs to. Used only when global.configAdapterName and global.configSecretAdapter is set to google.",
+ "type":"string",
+ "pattern":""
+ },
+ "cnGoogleSpannerInstanceId":{
+ "description":"Google Spanner ID. Used only when global.cnPersistenceType is spanner.",
+ "type":"string",
+ "pattern":"^([a-z0-9\\-])*$"
+ },
+ "cnGoogleSpannerDatabaseId":{
+ "description":"Google Spanner Database ID. Used only when global.cnPersistenceType is spanner.",
+ "type":"string",
+ "pattern":"^[a-z0-9\\-]*$"
+ },
+ "cnSecretGoogleSecretVersionId":{
+ "description":"Secret version to be used for secret configuration. Defaults to latest and should normally always stay that way. Used only when global.configAdapterName and global.configSecretAdapter is set to google.",
+ "type":"string",
+ "pattern":"^([0-9]|latest)*$"
+ },
+ "cnSecretGoogleSecretNamePrefix":{
+ "description":"Prefix for Gluu secret in Google Secret Manager. Defaults to gluu. If left gluu-secret secret will be created. Used only when global.configAdapterName and global.configSecretAdapter is set to google.",
+ "type":"string",
+ "pattern":"^[a-z]+$"
+ },
+ "cnGoogleSecretManagerPassPhrase":{
+ "description":"Passphrase for Gluu secret in Google Secret Manager. This is used for encrypting and decrypting data from the Google Secret Manager. Used only when global.configAdapterName and global.configSecretAdapter is set to google.",
+ "$ref":"#/definitions/password"
+ },
+ "cnConfigGoogleSecretVersionId":{
+ "description":"Secret version to be used for configuration. Defaults to latest and should normally always stay that way. Used only when global.configAdapterName and global.configSecretAdapter is set to google. Used only when global.configAdapterName and global.configSecretAdapter is set to google.",
+ "type":"string",
+ "pattern":"^([0-9]|latest)*$"
+ },
+ "cnConfigGoogleSecretNamePrefix":{
+ "description":"Prefix for Gluu configuration secret in Google Secret Manager. Defaults to gluu. If left intact gluu-configuration secret will be created. Used only when global.configAdapterName and global.configSecretAdapter is set to google.",
+ "type":"string"
+ },
+ "cnLdapUrl":{
+ "description":"OpenDJ internal address. Leave as default. Used when `global.cnPersistenceType` is set to `ldap`.",
+ "type":"string",
+ "pattern":"^[a-z0-9-:]+$"
+ },
+ "cnMaxRamPercent":{
+ "description":"Value passed to Java option -XX:MaxRAMPercentage",
+ "type":"string",
+ "pattern":"^(\\d{0,2}(\\.\\d{1,2})?|100(\\.0?)?)$"
+ },
+ "cnScimProtectionMode":{
+ "description":"SCIM protection mode OAUTH|TEST|UMA",
+ "type":"string",
+ "pattern":"^(OAUTH|TEST|UMA)$"
+ },
+ "cnPersistenceLdapMapping":{
+ "description":"Specify data that should be saved in LDAP (one of default, user, cache, site, token, or session; default to default). Note this environment only takes effect when `global.cnPersistenceType` is set to `hybrid`.",
+ "type":"string",
+ "pattern":"^(default|user|site|cache|statistic)$"
+ },
+ "cnRedisSentinelGroup":{
+ "description":"Redis Sentinel Group. Often set when `config.configmap.cnRedisType` is set to `SENTINEL`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`.",
+ "type":"string"
+ },
+ "cnRedisSslTruststore":{
+ "description":"Redis SSL truststore. Optional. Can be used when `config.configmap.cnCacheType` is set to `REDIS`.",
+ "type":"string"
+ },
+ "cnRedisType":{
+ "description":"Redis service type. `STANDALONE` or `CLUSTER`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`.",
+ "type":"string",
+ "pattern":"^(SHARDED|STANDALONE|CLUSTER|SENTINEL)$"
+ },
+ "cnRedisUrl":{
+ "description":"Redis URL and port number :. Can be used when `config.configmap.cnCacheType` is set to `REDIS`.",
+ "$ref":"#/definitions/url-pattern"
+ },
+ "cnRedisUseSsl":{
+ "description":"Boolean to use SSL in Redis. Can be used when `config.configmap.cnCacheType` is set to `REDIS`.",
+ "type":"boolean"
+ },
+ "cnSecretKubernetesSecret":{
+ "description":"Kubernetes secret name holding configuration keys. Used when global.configSecretAdapter is set to kubernetes which is the default.",
+ "type":"string",
+ "pattern":"^[a-z]+$"
+ },
+ "lbAddr":{
+ "description":"Loadbalancer address for AWS if the FQDN is not registered.",
+ "$ref":"#/definitions/url-pattern"
+ }
+ }
+ },
+ "countryCode":{
+ "description":"Country code. Used for certificate creation.",
+ "type":"string",
+ "pattern":"^[A-Z]+$"
+ },
+ "email":{
+ "description":"Email address of the administrator usually. Used for certificate creation.",
+ "$ref":"#/definitions/email-format"
+ },
+ "image":{
+ "type":"object",
+ "properties":{
+ "repository":{
+ "description":"Image to use for deploying",
+ "type":"string",
+ "pattern":"^[a-z0-9-_/]+$"
+ },
+ "tag":{
+ "description":"Image tag to use for deploying.",
+ "type":"string",
+ "pattern":"^[a-z0-9-_.]+$"
+ }
+ }
+ },
+ "ldapPassword":{
+ "description":"LDAP admin password if OpennDJ is used for persistence.",
+ "$ref":"#/definitions/password"
+ },
+ "orgName":{
+ "description":"Organization name. Used for certificate creation.",
+ "type":"string",
+ "pattern":"^[a-zA-Z]+$"
+ },
+ "redisPassword":{
+ "description":"Redis admin password if `config.configmap.cnCacheType` is set to `REDIS`",
+ "$ref":"#/definitions/password"
+ },
+ "resources":{
+ "description":"Resource specs.",
+ "type":"object",
+ "properties":{
+ "limits":{
+ "type":"object",
+ "properties":{
+ "cpu":{
+ "description":"CPU limit.",
+ "type":"string",
+ "pattern":"^[0-9m]+$"
+ },
+ "memory":{
+ "description":"Memory limit.",
+ "type":"string",
+ "pattern":"^[0-9Mi]+$"
+ }
+ }
+ },
+ "requests":{
+ "type":"object",
+ "properties":{
+ "cpu":{
+ "description":"CPU request.",
+ "type":"string",
+ "pattern":"^[0-9m]+$"
+ },
+ "memory":{
+ "description":"Memory request.",
+ "type":"string",
+ "pattern":"^[0-9Mi]+$"
+ }
+ }
+ }
+ }
+ },
+ "state":{
+ "description":"State code. Used for certificate creation.",
+ "type":"string",
+ "pattern":"^[a-zA-Z]+$"
+ }
+ }
+ },
+ "config-api":{
+ "description":"Config Api endpoints can be used to configure the auth-server, which is an open-source OpenID Connect Provider (OP) and UMA Authorization Server (AS).",
+ "type":"object",
+ "properties":{
+
+ }
+ },
+ "fido2":{
+ "description":"FIDO 2.0 (FIDO2) is an open authentication standard that enables leveraging common devices to authenticate to online services in both mobile and desktop environments.",
+ "type":"object",
+ "properties":{
+
+ }
+ },
+ "global":{
+ "description":"Parameters used globally across all services helm charts.",
+ "type":"object",
+ "properties":{
+ "alb":{
+ "type":"object",
+ "properties":{
+ "ingress":{
+ "description":"Activates ALB ingress",
+ "type":"boolean"
+ }
+ }
+ },
+ "auth-server":{
+ "type":"object",
+ "properties":{
+ "enabled":{
+ "description":"Boolean flag to enable/disable auth-server chart. You should never set this to false.",
+ "type":"boolean"
+ },
+ "authServerServiceName":{
+ "description":"Name of the auth-server service. Please keep it as default.",
+ "type":"string",
+ "pattern":"^[a-z0-9-]+$"
+ },
+ "appLoggers":{
+ "type":"object",
+ "properties":{
+ "authLogTarget":{
+ "description":"jans-auth.log target",
+ "type":"string",
+ "pattern":"^(STDOUT|FILE)$"
+ },
+ "authLogLevel":{
+ "description":"jans-auth.log level",
+ "type":"string",
+ "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$"
+ },
+ "httpLogTarget":{
+ "description":"http_request_response target",
+ "type":"string",
+ "pattern":"^(STDOUT|FILE)$"
+ },
+ "httpLogLevel":{
+ "description":"http_request_response level",
+ "type":"string",
+ "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$"
+ },
+ "persistenceLogTarget":{
+ "description":"jans-auth_persistence.log target",
+ "type":"string",
+ "pattern":"^(STDOUT|FILE)$"
+ },
+ "persistenceLogLevel":{
+ "description":"jans-auth_persistence.log level",
+ "type":"string",
+ "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$"
+ },
+ "persistenceDurationLogTarget":{
+ "description":"jans-auth_persistence_duration.log target",
+ "type":"string",
+ "pattern":"^(STDOUT|FILE)$"
+ },
+ "persistenceDurationLogLevel":{
+ "description":"jans-auth_persistence_duration.log level",
+ "type":"string",
+ "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$"
+ },
+ "ldapStatsLogTarget":{
+ "description":"jans-auth_persistence_ldap_statistics.log target",
+ "type":"string",
+ "pattern":"^(STDOUT|FILE)$"
+ },
+ "ldapStatsLogLevel":{
+ "description":"jans-auth_persistence_ldap_statistics.log level",
+ "type":"string",
+ "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$"
+ },
+ "scriptLogTarget":{
+ "description":"jans-auth_script.log target",
+ "type":"string",
+ "pattern":"^(STDOUT|FILE)$"
+ },
+ "scriptLogLevel":{
+ "description":"jans-auth_script.log level",
+ "type":"string",
+ "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$"
+ },
+ "auditStatsLogTarget":{
+ "description":"jans-auth_audit.log target",
+ "type":"string",
+ "pattern":"^(STDOUT|FILE)$"
+ },
+ "auditStatsLogLevel":{
+ "description":"jans-auth_audit.log level",
+ "type":"string",
+ "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$"
+ }
+ }
+ }
+ }
+ },
+ "admin-ui":{
+ "type":"object",
+ "properties":{
+ "enabled":{
+ "description":"Boolean flag to enable/disable admin-ui chart. You should never set this to false.",
+ "type":"boolean"
+ },
+ "adminUiServiceName":{
+ "description":"Name of the admin service. Please keep it as default.",
+ "type":"string",
+ "pattern":"^[a-z0-9-]+$"
+ }
+ }
+ },
+
+ "auth-server-key-rotation":{
+ "type":"object",
+ "properties":{
+ "enabled":{
+ "description":"Boolean flag to enable/disable the auth-server-key rotation cronjob chart.",
+ "type":"boolean"
+ }
+ }
+ },
+ "awsStorageType":{
+ "description":"Volume stroage type if using AWS volumes.",
+ "type":"string",
+ "pattern":"^(io1|io2|gp2|st1|sc1)$"
+ },
+ "azureStorageAccountType":{
+ "description":"Volume storage type if using Azure disks.",
+ "type":"string",
+ "pattern":"^(Standard_LRS|Premium_LRS|StandardSSD_LRS|UltraSSD_LRS)$"
+ },
+ "azureStorageKind":{
+ "description":"Azure storage kind if using Azure disks",
+ "type":"string",
+ "pattern":"^(Managed)$"
+ },
+ "client-api":{
+ "type":"object",
+ "properties":{
+ "clientApiServerServiceName":{
+ "description":"Name of the client-api service.
Please keep it as default.", + "type":"string", + "pattern":"^[a-z0-9-]+$" + }, + "enabled":{ + "description":"Boolean flag to enable/disable the client-api chart.", + "type":"boolean" + }, + "appLoggers":{ + "type":"object", + "properties":{ + "clientApiLogTarget":{ + "description":"client-api.log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "clientApiLogLevel":{ + "description":"client-api.log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + } + } + } + } + }, + "cloud":{ + "type":"object", + "properties":{ + "testEnviroment":{ + "description":"Boolean flag if enabled will strip resources requests and limits from all services.", + "type":"boolean" + } + } + }, + "cnPersistenceType":{ + "description":"Persistence backend to run Gluu with ldap|couchbase|hybrid|sql|spanner.", + "type":"string", + "pattern":"^(ldap|couchbase|hybrid|sql|spanner)$" + }, + "cnDocumentStoreType":{ + "description":"Document store type to use for shibboleth files LOCAL.", + "type":"string", + "pattern":"^(LOCAL)$" + }, + "cnObExtSigningJwksUri":{ + "description":"Open banking external signing jwks uri. Used in SSA Validation.", + "type":"string" + }, + "cnObExtSigningJwksCrt":{ + "description":"Open banking external signing jwks AS certificate authority string. Used in SSA Validation. This must be encoded using base64.. Used when `.global.cnObExtSigningJwksUri` is set.", + "type":"string", + "pattern":"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$" + }, + "cnObExtSigningJwksKey":{ + "description":"Open banking external signing jwks AS key string. Used in SSA Validation. This must be encoded using base64. Used when `.global.cnObExtSigningJwksUri` is set.", + "type":"string", + "pattern":"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$" + }, + "cnObExtSigningJwksKeyPassPhrase":{ + "description":"Open banking external signing jwks AS key passphrase to unlock provided key. This must be encoded using base64. 
Used when `.global.cnObExtSigningJwksUri` is set.", + "type":"string", + "pattern":"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$" + }, + "cnObExtSigningAlias":{ + "description":"Open banking external signing AS Alias. This is a kid value.Used in SSA Validation, kid used while encoding a JWT sent to token URL i.e XkwIzWy44xWSlcWnMiEc8iq9s2G", + "type":"string" + }, + "cnObStaticSigningKeyKid":{ + "description":"Open banking signing AS kid to force the AS to use a specific signing key. i.e Wy44xWSlcWnMiEc8iq9s2G", + "type":"string" + }, + "cnObTransportCrt":{ + "description":"Open banking AS transport crt. Used in SSA Validation. This must be encoded using base64.", + "type":"string", + "pattern":"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$" + }, + "cnObTransportKey":{ + "description":"Open banking AS transport key. Used in SSA Validation. This must be encoded using base64.", + "type":"string", + "pattern":"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$" + }, + "cnObTransportKeyPassPhrase":{ + "description":"Open banking AS transport key passphrase to unlock AS transport key. This must be encoded using base64.", + "type":"string", + "pattern":"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$" + }, + "cnObTransportAlias":{ + "description":"Open banking transport Alias used inside the JVM.", + "type":"string" + }, + "cnObTransportTrustStore":{ + "description":"Open banking AS transport truststore in .p12 format. This is normally generated from the OB issuing CA, OB Root CA and Signing CA. Used when .global.cnObExtSigningJwksUri is set. Used in SSA Validation. This must be encoded using base64.", + "type":"string", + "pattern":"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$" + }, + "config":{ + "type":"object", + "properties":{ + "enabled":{ + "description":"Boolean flag to enable/disable the configuration chart. 
This normally should always be true", + "type":"boolean" + } + } + }, + "configAdapterName":{ + "description":"The config backend adapter that will hold Gluu configuration layer. google|kubernetes", + "type":"string", + "pattern":"^(kubernetes|google)$" + }, + "configSecretAdapter":{ + "description":"The config backend adapter that will hold Gluu secret layer. google|kubernetes", + "type":"string", + "pattern":"^(kubernetes|google)$" + }, + "cnGoogleApplicationCredentials":{ + "description":"Base64 encoded service account. The sa must have roles/secretmanager.admin to use Google secrets and roles/spanner.databaseUser to use Spanner.", + "type":"string", + "pattern":".*google-credentials.json\\b.*" + }, + "casa":{ + "type":"object", + "properties":{ + "casaServiceName":{ + "description":"Name of the casa service. Please keep it as default.", + "type":"string", + "pattern":"^[a-z0-9-]+$" + }, + "enabled":{ + "description":"Boolean flag to enable/disable the casa chart.", + "type":"boolean" + } + } + }, + "config-api":{ + "type":"object", + "properties":{ + "configApiServerServiceName":{ + "description":"Name of the config-api service. 
Please keep it as default.", + "type":"string", + "pattern":"^[a-z0-9-]+$" + }, + "enabled":{ + "description":"Boolean flag to enable/disable the config-api chart.", + "type":"boolean" + }, + "appLoggers":{ + "type":"object", + "properties":{ + "configApiLogTarget":{ + "description":"configapi.log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "configApiLogLevel":{ + "description":"configapi.log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + } + } + }, + "adminUiappLoggers":{ + "type":"object", + "properties":{ + "adminUiLogTarget":{ + "description":"config-api admin-ui plugin log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "adminUiLogLevel":{ + "description":"config-api admin-ui plugin log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + }, + "adminUiAuditLogTarget":{ + "description":"config-api admin-ui plugin audit log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "adminUiAuditLogLevel":{ + "description":"config-api admin-ui plugin audit log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + } + } + } + + } + }, + "fqdn":{ + "description":"Fully qualified domain name to be used for Gluu installation. This address will be used to reach Gluu services.", + "$ref":"#/definitions/fqdn-pattern" + }, + "fido2":{ + "type":"object", + "properties":{ + "fido2ServiceName":{ + "description":"Name of the fido2 service. 
Please keep it as default.", + "type":"string", + "pattern":"^[a-z0-9-]+$" + }, + "enabled":{ + "description":"Boolean flag to enable/disable the fido2 chart.", + "type":"boolean" + }, + "appLoggers":{ + "type":"object", + "properties":{ + "fido2LogTarget":{ + "description":"fido2.log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "fido2LogLevel":{ + "description":"fido2.log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + }, + "persistenceLogTarget":{ + "description":"fido2_persistence.log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "persistenceLogLevel":{ + "description":"fido2_persistence.log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + } + } + } + } + }, + "gcePdStorageType":{ + "description":"GCE storage kind if using Google disks", + "type":"string", + "pattern":"^(pd-standard|pd-balanced|pd-ssd)$" + }, + "isFqdnRegistered":{ + "description":"Boolean flag to enable mapping global.lbIp to global.fqdn inside pods on clouds that provide static ip for loadbalancers. On cloud that provide only addresses to the LB this flag will enable a script to actively scan config.configmap.lbAddr and update the hosts file inside the pods automatically.", + "type":"boolean" + }, + "istio":{ + "type":"object", + "properties":{ + "enabled":{ + "description":"Boolean flag that enables using istio side cars with Gluu services.", + "type":"boolean" + }, + "ingress":{ + "description":"Boolean flag that enables using istio gateway for Gluu. This assumes istio ingress is installed and hence the LB is available.", + "type":"boolean" + }, + "namespace":{ + "description":"The namespace istio is deployed in. The is normally istio-system.", + "type":"string", + "pattern":"^[a-z0-9-_/]+$" + } + } + }, + "lbIp":{ + "description":"The Loadbalancer IP created by nginx or istio on clouds that provide static IPs. 
This is not needed if `global.fqdn` is globally resolvable.", + "$ref":"#/definitions/ip-pattern" + }, + "nginx-ingress":{ + "type":"object", + "properties":{ + "enabled":{ + "description":"Boolean flag to enable/disable the nginx-ingress definitions chart.", + "type":"boolean" + } + } + }, + "opendj":{ + "type":"object", + "properties":{ + "enabled":{ + "description":"Boolean flag to enable/disable the OpenDJ chart.", + "type":"boolean" + }, + "ldapServiceName":{ + "description":"Name of the OpenDJ service. Please keep it as default.", + "type":"string", + "pattern":"^[a-z0-9-]+$" + } + } + }, + "oxshibboleth":{ + "type":"object", + "properties":{ + "enabled":{ + "description":"Boolean flag to enable/disable the oxShibbboleth chart. Not part of the openbanking distribution. Keep as default.This also enables SAML-related features; UI menu, etc. Not part of the openbanking distribution. Please leave this disabled.", + "type":"boolean" + } + } + }, + "distribution":{ + "description":"Gluu distributions supported are: default|openbanking.", + "type":"string", + "pattern":"^(default|openbanking)$" + }, + "persistence":{ + "type":"object", + "properties":{ + "enabled":{ + "description":"Boolean flag to enable/disable the persistence chart.", + "type":"boolean" + } + } + }, + "oxpassport": { + "type": "object", + "properties": { + "enabled": { + "description": "Boolean flag to enable/disable the oxpassport chart.", + "type": "boolean" + }, + "oxPassportServiceName":{ + "description":"Name of the oxPassport service. Please keep it as default.", + "type":"string", + "pattern":"^[a-z0-9-]+$" + } + } + }, + "scim":{ + "type":"object", + "properties":{ + "enabled":{ + "description":"Boolean flag to enable/disable the SCIM chart.", + "type":"boolean" + }, + "scimServiceName":{ + "description":"Name of the scim service. 
Please keep it as default.", + "type":"string", + "pattern":"^[a-z0-9-]+$" + }, + "appLoggers":{ + "type":"object", + "properties":{ + "authLogTarget":{ + "description":"jans-scim.log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "authLogLevel":{ + "description":"jans-scim.log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + }, + "persistenceLogTarget":{ + "description":"jans-scim_persistence.log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "persistenceLogLevel":{ + "description":"jans-scim_persistence.log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + }, + "persistenceDurationLogTarget":{ + "description":"jans-scim_persistence_duration.log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "persistenceDurationLogLevel":{ + "description":"jans-scim_persistence_duration.log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + }, + "ldapStatsLogTarget":{ + "description":"jans-scim_persistence_ldap_statistics.log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "ldapStatsLogLevel":{ + "description":"jans-scim_persistence_ldap_statistics.log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + }, + "scriptLogTarget":{ + "description":"jans-scim_script.log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "scriptLogLevel":{ + "description":"jans-scim_script.log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + } + } + } + } + }, + "storageClass":{ + "description":"StorageClass section for OpenDJ charts. This is not currently used by the openbanking distribution. 
You may specify custom parameters as needed.", + "type":"object", + "properties":{ + "allowVolumeExpansion":{ + "type":"boolean" + }, + "allowedTopologies":{ + "type":"array", + "items":{ + "type":"string" + } + }, + "mountOptions":{ + "type":"array", + "items":{ + "type":"string" + } + }, + "parameters":{ + "type":"object", + "properties":{ + "fsType":{ + "type":"string" + }, + "kind":{ + "type":"string" + }, + "pool":{ + "type":"string" + }, + "storageAccountType":{ + "type":"string" + }, + "type":{ + "type":"string" + } + } + }, + "provisioner":{ + "type":"string" + }, + "reclaimPolicy":{ + "type":"string" + }, + "volumeBindingMode":{ + "type":"string" + } + } + }, + "upgrade":{ + "type":"object", + "properties":{ + "enabled":{ + "description":"Boolean flag used when running helm upgrade command. This allows upgrading the chart without immutable objects errors.", + "type":"boolean" + } + } + } + } + }, + "nginx-ingress":{ + "description":"Nginx ingress definitions chart", + "type":"object", + "properties":{ + + } + }, + "opendj":{ + "description":"OpenDJ is a directory server which implements a wide range of Lightweight Directory Access Protocol and related standards, including full compliance with LDAPv3 but also support for Directory Service Markup Language (DSMLv2).Written in Java, OpenDJ offers multi-master replication, access control, and many extensions.", + "type":"object", + "properties":{ + + } + }, + "oxpassport":{ + "description":"Gluu interface to Passport.js to support social login and inbound identity.", + "type":"object", + "properties":{ + + } + }, + "oxshibboleth":{ + "description":"Shibboleth project for the Gluu Server's SAML IDP functionality.", + "type":"object", + "properties":{ + + } + }, + "persistence":{ + "description":"Job to generate data and intial config for Gluu Server persistence layer.", + "type":"object", + "properties":{ + + } + }, + "scim":{ + "description":"System for Cross-domain Identity Management (SCIM) version 2.0", + 
"type":"object", + "properties":{ + + } + } + }, + "allOf":[ + { + "$ref":"#/definitions/admin-ui-enabled" + }, + { + "$ref":"#/definitions/auth-server-enabled" + }, + { + "$ref":"#/definitions/auth-server-key-rotation-enabled" + }, + { + "$ref":"#/definitions/casa-enabled" + }, + { + "$ref":"#/definitions/client-api-enabled" + }, + { + "$ref":"#/definitions/config-api-enabled" + }, + { + "$ref":"#/definitions/fido2-enabled" + }, + { + "$ref":"#/definitions/nginx-ingress-enabled" + }, + { + "$ref":"#/definitions/opendj-enabled" + }, + { + "$ref":"#/definitions/oxpassport-enabled" + }, + { + "$ref":"#/definitions/oxshibboleth-enabled" + }, + { + "$ref":"#/definitions/persistence-enabled" + }, + { + "$ref":"#/definitions/scim-enabled" + } + ], + "definitions":{ + "password":{ + "anyOf":[ + { + "type":"string", + "minLength":8, + "pattern":"", + "description":"Password does not meet requirements. The password must contain one digit, one uppercase letter, one lower case letter and one symbol", + "errors":{ + "minLength":"Password minimum 6 character", + "pattern":"Password does not meet requirements. The password must contain one digit, one uppercase letter, one lower case letter and one symbol" + } + }, + { + "type":"string", + "maxLength":0 + } + ] + }, + "password-pattern":{ + "type":"string", + "minLength":6, + "pattern":"", + "errors":{ + "minLength":"Password minimum 6 character", + "pattern":"Password does not meet requirements. The password must contain one digit, one uppercase letter, one lower case letter and one symbol" + } + }, + "email-format":{ + "type":"string", + "format":"email" + }, + "fqdn-pattern":{ + "anyOf":[ + { + "type":"string", + "errors":{ + "pattern":"Setting not FQDN structured. 
Please enter a FQDN with the format demoexample.gluu.org" + } + }, + { + "type":"string", + "maxLength":0 + } + ] + }, + "url-pattern":{ + "anyOf":[ + { + "type":"string", + "pattern":"(^|\\s)((https?:\\/\\/)?[\\w-]+(\\.[\\w-]+)+\\.?(:\\d+)?(\\/\\S*)?)", + "errors":{ + "pattern":"URL pattern is not meeting standards." + } + }, + { + "type":"string", + "maxLength":0 + } + ] + }, + "ip-pattern":{ + "anyOf":[ + { + "type":"string", + "pattern":"^(\\*|((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))$", + "errors":{ + "pattern":"Not a valid IP." + } + }, + { + "type":"string", + "maxLength":0 + } + ] + }, + "admin-ui-enabled":{ + "if":{ + "properties":{ + "global":{ + "properties":{ + "admin-ui":{ + "properties":{ + "enabled":{ + "const":"true" + } + } + } + } + } + } + }, + "then":{ + "properties":{ + "admin-ui":{ + "required":[ + "image", + "replicas", + "resources" + ], + "properties":{ + "hpa":{ + "description":"Configure the HorizontalPodAutoscaler", + "type":"object", + "properties":{ + "enabled":{ + "type":"boolean" + }, + "minReplicas":{ + "type":"integer" + }, + "maxReplicas":{ + "type":"integer" + }, + "targetCPUUtilizationPercentage":{ + "type":"integer" + }, + "metrics":{ + "description":"metrics if targetCPUUtilizationPercentage is not set", + "type":"array" + }, + "behavior":{ + "description":"Scaling Policies", + "type":"object" + } + } + }, + "usrEnvs":{ + "description":"Add custom normal and secret envs to the service", + "type":"object", + "properties":{ + "normal":{ + "description":"Add custom normal envs to the service", + "type":"object" + }, + "secret":{ + "description":"Add custom secret envs to the service", + "type":"object" + } + } + }, + "dnsPolicy":{ + "description":"Add custom dns policy", + "type":"string", + "pattern":"^(Default|ClusterFirst|ClusterFirstWithHostNet|None|)$" + }, + "dnsConfig":{ + "description":"Add custom dns config", + "type":"object" + }, + "image":{ + "type":"object", + 
"properties":{ + "pullPolicy":{ + "description":"Image pullPolicy to use for deploying.", + "type":"string", + "pattern":"^(Always|Never|IfNotPresent)$" + }, + "repository":{ + "description":"Image to use for deploying", + "type":"string", + "pattern":"^[a-z0-9-_/]+$" + }, + "tag":{ + "description":"Image tag to use for deploying.", + "type":"string", + "pattern":"^[a-z0-9-_.]+$" + } + } + }, + "replicas":{ + "description":"Service replica number.", + "type":"integer" + }, + "resources":{ + "description":"Resource specs.", + "type":"object", + "properties":{ + "limits":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU limit.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory limit.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + }, + "requests":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU request.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory request.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + } + } + } + } + } + } + }, + "else":true + }, + "auth-server-enabled":{ + "if":{ + "properties":{ + "global":{ + "properties":{ + "auth-server":{ + "properties":{ + "enabled":{ + "const":"true" + } + } + } + } + } + } + }, + "then":{ + "properties":{ + "auth-server":{ + "required":[ + "image", + "replicas", + "resources" + ], + "properties":{ + "hpa":{ + "description":"Configure the HorizontalPodAutoscaler", + "type":"object", + "properties":{ + "enabled":{ + "type":"boolean" + }, + "minReplicas":{ + "type":"integer" + }, + "maxReplicas":{ + "type":"integer" + }, + "targetCPUUtilizationPercentage":{ + "type":"integer" + }, + "metrics":{ + "description":"metrics if targetCPUUtilizationPercentage is not set", + "type":"array" + }, + "behavior":{ + "description":"Scaling Policies", + "type":"object" + } + } + }, + "usrEnvs":{ + "description":"Add custom normal and secret envs to the service", + "type":"object", + "properties":{ + "normal":{ 
+ "description":"Add custom normal envs to the service", + "type":"object" + }, + "secret":{ + "description":"Add custom secret envs to the service", + "type":"object" + } + } + }, + "dnsPolicy":{ + "description":"Add custom dns policy", + "type":"string", + "pattern":"^(Default|ClusterFirst|ClusterFirstWithHostNet|None|)$" + }, + "dnsConfig":{ + "description":"Add custom dns config", + "type":"object" + }, + "image":{ + "type":"object", + "properties":{ + "pullPolicy":{ + "description":"Image pullPolicy to use for deploying.", + "type":"string", + "pattern":"^(Always|Never|IfNotPresent)$" + }, + "repository":{ + "description":"Image to use for deploying", + "type":"string", + "pattern":"^[a-z0-9-_/]+$" + }, + "tag":{ + "description":"Image tag to use for deploying.", + "type":"string", + "pattern":"^[a-z0-9-_.]+$" + } + } + }, + "replicas":{ + "description":"Service replica number.", + "type":"integer" + }, + "resources":{ + "description":"Resource specs.", + "type":"object", + "properties":{ + "limits":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU limit.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory limit.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + }, + "requests":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU request.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory request.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + } + } + } + } + } + } + }, + "else":true + }, + "auth-server-key-rotation-enabled":{ + "if":{ + "properties":{ + "global":{ + "properties":{ + "auth-server-key-rotation":{ + "properties":{ + "enabled":{ + "const":"true" + } + } + } + } + } + } + }, + "then":{ + "properties":{ + "auth-server-key-rotation":{ + "properties":{ + "usrEnvs":{ + "description":"Add custom normal and secret envs to the service", + "type":"object", + "properties":{ + "normal":{ + "description":"Add custom normal envs to the 
service", + "type":"object" + }, + "secret":{ + "description":"Add custom secret envs to the service", + "type":"object" + } + } + }, + "dnsPolicy":{ + "description":"Add custom dns policy", + "type":"string", + "pattern":"^(Default|ClusterFirst|ClusterFirstWithHostNet|None|)$" + }, + "dnsConfig":{ + "description":"Add custom dns config", + "type":"object" + }, + "image":{ + "type":"object", + "properties":{ + "pullPolicy":{ + "description":"Image pullPolicy to use for deploying.", + "type":"string", + "pattern":"^(Always|Never|IfNotPresent)$" + }, + "repository":{ + "description":"Image to use for deploying", + "type":"string", + "pattern":"^[a-z0-9-_/]+$" + }, + "tag":{ + "description":"Image tag to use for deploying.", + "type":"string", + "pattern":"^[a-z0-9-_.]+$" + } + } + }, + "keysLife":{ + "description":"Auth server key rotation keys life in hours", + "type":"integer" + }, + "resources":{ + "description":"Resource specs.", + "type":"object", + "properties":{ + "limits":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU limit.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory limit.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + }, + "requests":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU request.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory request.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + } + } + } + }, + "required":[ + "image", + "resources", + "keysLife" + ] + } + } + }, + "else":true + }, + "casa-enabled":{ + "if":{ + "properties":{ + "global":{ + "properties":{ + "casa":{ + "properties":{ + "enabled":{ + "const":"true" + } + } + } + } + } + } + }, + "then":{ + "properties":{ + "casa":{ + "required":[ + "image", + "replicas", + "resources" + ], + "properties":{ + "hpa":{ + "description":"Configure the HorizontalPodAutoscaler", + "type":"object", + "properties":{ + "enabled":{ + "type":"boolean" + }, + 
"minReplicas":{ + "type":"integer" + }, + "maxReplicas":{ + "type":"integer" + }, + "targetCPUUtilizationPercentage":{ + "type":"integer" + }, + "metrics":{ + "description":"metrics if targetCPUUtilizationPercentage is not set", + "type":"array" + }, + "behavior":{ + "description":"Scaling Policies", + "type":"object" + } + } + }, + "usrEnvs":{ + "description":"Add custom normal and secret envs to the service", + "type":"object", + "properties":{ + "normal":{ + "description":"Add custom normal envs to the service", + "type":"object" + }, + "secret":{ + "description":"Add custom secret envs to the service", + "type":"object" + } + } + }, + "dnsPolicy":{ + "description":"Add custom dns policy", + "type":"string", + "pattern":"^(Default|ClusterFirst|ClusterFirstWithHostNet|None|)$" + }, + "dnsConfig":{ + "description":"Add custom dns config", + "type":"object" + }, + "image":{ + "type":"object", + "properties":{ + "pullPolicy":{ + "description":"Image pullPolicy to use for deploying.", + "type":"string", + "pattern":"^(Always|Never|IfNotPresent)$" + }, + "repository":{ + "description":"Image to use for deploying", + "type":"string", + "pattern":"^[a-z0-9-_/]+$" + }, + "tag":{ + "description":"Image tag to use for deploying.", + "type":"string", + "pattern":"^[a-z0-9-_.]+$" + } + } + }, + "replicas":{ + "description":"Service replica number.", + "type":"integer" + }, + "resources":{ + "description":"Resource specs.", + "type":"object", + "properties":{ + "limits":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU limit.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory limit.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + }, + "requests":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU request.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory request.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + } + } + } + } + } + } + }, + "else":true + 
}, + "client-api-enabled":{ + "if":{ + "properties":{ + "global":{ + "properties":{ + "client-api":{ + "properties":{ + "enabled":{ + "const":"true" + } + } + } + } + } + } + }, + "then":{ + "properties":{ + "client-api":{ + "required":[ + "image", + "replicas", + "resources", + "service" + ], + "properties":{ + "hpa":{ + "description":"Configure the HorizontalPodAutoscaler", + "type":"object", + "properties":{ + "enabled":{ + "type":"boolean" + }, + "minReplicas":{ + "type":"integer" + }, + "maxReplicas":{ + "type":"integer" + }, + "targetCPUUtilizationPercentage":{ + "type":"integer" + }, + "metrics":{ + "description":"metrics if targetCPUUtilizationPercentage is not set", + "type":"array" + }, + "behavior":{ + "description":"Scaling Policies", + "type":"object" + } + } + }, + "usrEnvs":{ + "description":"Add custom normal and secret envs to the service", + "type":"object", + "properties":{ + "normal":{ + "description":"Add custom normal envs to the service", + "type":"object" + }, + "secret":{ + "description":"Add custom secret envs to the service", + "type":"object" + } + } + }, + "dnsPolicy":{ + "description":"Add custom dns policy", + "type":"string", + "pattern":"^(Default|ClusterFirst|ClusterFirstWithHostNet|None|)$" + }, + "dnsConfig":{ + "description":"Add custom dns config", + "type":"object" + }, + "image":{ + "type":"object", + "properties":{ + "pullPolicy":{ + "description":"Image pullPolicy to use for deploying.", + "type":"string", + "pattern":"^(Always|Never|IfNotPresent)$" + }, + "repository":{ + "description":"Image to use for deploying", + "type":"string", + "pattern":"^[a-z0-9-_/]+$" + }, + "tag":{ + "description":"Image tag to use for deploying.", + "type":"string", + "pattern":"^[a-z0-9-_.]+$" + } + } + }, + "replicas":{ + "description":"Service replica number.", + "type":"integer" + }, + "resources":{ + "description":"Resource specs.", + "type":"object", + "properties":{ + "limits":{ + "type":"object", + "properties":{ + "cpu":{ + 
"description":"CPU limit.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory limit.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + }, + "requests":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU request.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory request.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + } + } + } + } + } + } + }, + "else":true + }, + "config-api-enabled":{ + "if":{ + "properties":{ + "global":{ + "properties":{ + "config-api":{ + "properties":{ + "enabled":{ + "const":"true" + } + } + } + } + } + } + }, + "then":{ + "properties":{ + "config-api":{ + "required":[ + "image", + "replicas", + "resources" + ], + "type":"object", + "properties":{ + "hpa":{ + "description":"Configure the HorizontalPodAutoscaler", + "type":"object", + "properties":{ + "enabled":{ + "type":"boolean" + }, + "minReplicas":{ + "type":"integer" + }, + "maxReplicas":{ + "type":"integer" + }, + "targetCPUUtilizationPercentage":{ + "type":"integer" + }, + "metrics":{ + "description":"metrics if targetCPUUtilizationPercentage is not set", + "type":"array" + }, + "behavior":{ + "description":"Scaling Policies", + "type":"object" + } + } + }, + "usrEnvs":{ + "description":"Add custom normal and secret envs to the service", + "type":"object", + "properties":{ + "normal":{ + "description":"Add custom normal envs to the service", + "type":"object" + }, + "secret":{ + "description":"Add custom secret envs to the service", + "type":"object" + } + } + }, + "dnsPolicy":{ + "description":"Add custom dns policy", + "type":"string", + "pattern":"^(Default|ClusterFirst|ClusterFirstWithHostNet|None|)$" + }, + "dnsConfig":{ + "description":"Add custom dns config", + "type":"object" + }, + "image":{ + "type":"object", + "properties":{ + "pullPolicy":{ + "description":"Image pullPolicy to use for deploying.", + "type":"string", + "pattern":"^(Always|Never|IfNotPresent)$" + }, + 
"repository":{ + "description":"Image to use for deploying", + "type":"string", + "pattern":"^[a-z0-9-_/]+$" + }, + "tag":{ + "description":"Image tag to use for deploying.", + "type":"string", + "pattern":"^[a-z0-9-_.]+$" + } + } + }, + "replicas":{ + "description":"Service replica number.", + "type":"integer" + }, + "resources":{ + "description":"Resource specs.", + "type":"object", + "properties":{ + "limits":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU limit.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory limit.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + }, + "requests":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU request.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory request.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + } + } + } + } + } + } + }, + "else":true + }, + "fido2-enabled":{ + "if":{ + "properties":{ + "global":{ + "properties":{ + "fido2":{ + "properties":{ + "enabled":{ + "const":"true" + } + } + } + } + } + } + }, + "then":{ + "properties":{ + "fido2":{ + "required":[ + "image", + "replicas", + "resources", + "service" + ], + "type":"object", + "properties":{ + "dnsPolicy":{ + "description":"Add custom dns policy", + "type":"string", + "pattern":"^(Default|ClusterFirst|ClusterFirstWithHostNet|None|)$" + }, + "dnsConfig":{ + "description":"Add custom dns config", + "type":"object" + }, + "image":{ + "type":"object", + "properties":{ + "pullPolicy":{ + "description":"Image pullPolicy to use for deploying.", + "type":"string", + "pattern":"^(Always|Never|IfNotPresent)$" + }, + "repository":{ + "description":"Image to use for deploying", + "type":"string", + "pattern":"^[a-z0-9-_/]+$" + }, + "tag":{ + "description":"Image tag to use for deploying.", + "type":"string", + "pattern":"^[a-z0-9-_.]+$" + } + } + }, + "replicas":{ + "description":"Service replica number.", + "type":"integer" + }, + 
"resources":{ + "description":"Resource specs.", + "type":"object", + "properties":{ + "limits":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU limit.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory limit.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + }, + "requests":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU request.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory request.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + } + } + }, + "service":{ + "type":"object", + "properties":{ + "fido2ServiceName":{ + "description":"Name of the Fido2 service. Please keep it as default.", + "type":"string", + "pattern":"^[a-z0-9-]+$" + } + } + } + } + } + } + }, + "else":true + }, + "nginx-ingress-enabled":{ + "if":{ + "properties":{ + "global":{ + "properties":{ + "nginx-ingress":{ + "properties":{ + "enabled":{ + "const":"true" + } + } + } + } + } + } + }, + "then":{ + "properties":{ + "nginx-ingress":{ + "type":"object", + "properties":{ + "ingress":{ + "type":"object", + "required":[ + "openidConfigEnabled", + "uma2ConfigEnabled", + "webfingerEnabled", + "webdiscoveryEnabled", + "configApiEnabled", + "u2fConfigEnabled", + "authServerEnabled", + "authServerProtectedToken", + "authServerProtectedRegister", + "additionalAnnotations", + "path", + "hosts", + "tls" + ], + "properties":{ + "adminUiEnabled":{ + "description":"Enable Admin UI endpoints. COMING SOON.", + "type":"boolean" + }, + "adminUiLabels":{ + "description":"Admin UI ingress resource labels. key app is taken.", + "type":"object" + }, + "openidConfigEnabled":{ + "description":"Enable endpoint /.well-known/openid-configuration", + "type":"boolean" + }, + "openidConfigLabels":{ + "description":"openid-configuration ingress resource labels. 
key app is taken", + "type":"object" + }, + "uma2ConfigEnabled":{ + "description":"Enable endpoint /.well-known/uma2-configuration", + "type":"boolean" + }, + "uma2ConfigLabels":{ + "description":"uma2 config ingress resource labels. key app is taken", + "type":"object" + }, + "webfingerEnabled":{ + "description":"Enable endpoint /.well-known/webfinger", + "type":"boolean" + }, + "webfingerLabels":{ + "description":"webfinger ingress resource labels. key app is taken", + "type":"object" + }, + "webdiscoveryEnabled":{ + "description":"Enable endpoint /.well-known/simple-web-discovery", + "type":"boolean" + }, + "webdiscoveryLabels":{ + "description":"webdiscovery ingress resource labels. key app is taken", + "type":"object" + }, + "scimConfigEnabled":{ + "description":"Enable endpoint /.well-known/scim-configuration", + "type":"boolean" + }, + "scimConfigLabels":{ + "description":"SCIM config ingress resource labels. key app is taken", + "type":"object" + }, + "scimEnabled":{ + "description":"Enable SCIM endpoints /jans-scim", + "type":"boolean" + }, + "scimLabels":{ + "description":"SCIM ingress resource labels. key app is taken", + "type":"object" + }, + "configApiEnabled":{ + "description":"Enable config API endpoints /jans-config-api", + "type":"boolean" + }, + "configApiLabels":{ + "description":"configAPI ingress resource labels. key app is taken", + "type":"object" + }, + "u2fConfigEnabled":{ + "description":"Enable endpoint /.well-known/fido-configuration", + "type":"boolean" + }, + "u2fConfigLabels":{ + "description":"u2f ingress resource labels. key app is taken", + "type":"object" + }, + "fido2ConfigEnabled":{ + "description":"Enable endpoint /.well-known/fido2-configuration", + "type":"boolean" + }, + "fido2ConfigLabels":{ + "description":"fido2 ingress resource labels. 
key app is taken", + "type":"object" + }, + "authServerEnabled":{ + "description":"Enable Auth server endpoints /jans-auth", + "type":"boolean" + }, + "authServerLabels":{ + "description":"Auth server config ingress resource labels. key app is taken", + "type":"object" + }, + "authServerProtectedToken":{ + "description":"Enable mTLS on Auth server endpoint /jans-auth/restv1/token", + "type":"boolean" + }, + "authServerProtectedTokenLabels":{ + "description":"Auth server protected token ingress resource labels. key app is taken", + "type":"object" + }, + "authServerProtectedRegister":{ + "description":"Enable mTLS onn Auth server endpoint /jans-auth/restv1/register", + "type":"boolean" + }, + "authServerProtectedRedisterLabels":{ + "description":"Auth server protected token ingress resource labels. key app is taken", + "type":"object" + }, + "additionalAnnotations":{ + "description":"Additional annotations that will be added across all ingress definitions in the format of {cert-manager.io/issuer: \"letsencrypt-prod\"}", + "type":"object" + }, + "hosts":{ + "type":"array", + "items":{ + "$ref":"#/definitions/fqdn-pattern" + } + }, + "path":{ + "type":"string" + }, + "tls":{ + "description":"Secret holding HTTPS CA cert and key.", + "type":"array", + "items":{ + "type":"object", + "properties":{ + "hosts":{ + "type":"array", + "items":{ + "$ref":"#/definitions/fqdn-pattern" + } + }, + "secretName":{ + "type":"string", + "pattern":"^[a-z-]+$" + } + } + } + } + } + } + } + } + } + }, + "else":true + }, + "opendj-enabled":{ + "if":{ + "properties":{ + "global":{ + "properties":{ + "opendj":{ + "properties":{ + "enabled":{ + "const":"true" + } + } + } + } + } + } + }, + "then":{ + "properties":{ + "opendj":{ + "required":[ + "image", + "replicas", + "resources", + "service" + ], + "type":"object", + "properties":{ + "hpa":{ + "description":"Configure the HorizontalPodAutoscaler", + "type":"object", + "properties":{ + "enabled":{ + "type":"boolean" + }, + "minReplicas":{ + 
"type":"integer" + }, + "maxReplicas":{ + "type":"integer" + }, + "targetCPUUtilizationPercentage":{ + "type":"integer" + }, + "metrics":{ + "description":"metrics if targetCPUUtilizationPercentage is not set", + "type":"array" + }, + "behavior":{ + "description":"Scaling Policies", + "type":"object" + } + } + }, + "usrEnvs":{ + "description":"Add custom normal and secret envs to the service", + "type":"object", + "properties":{ + "normal":{ + "description":"Add custom normal envs to the service", + "type":"object" + }, + "secret":{ + "description":"Add custom secret envs to the service", + "type":"object" + } + } + }, + "dnsPolicy":{ + "description":"Add custom dns policy", + "type":"string", + "pattern":"^(Default|ClusterFirst|ClusterFirstWithHostNet|None|)$" + }, + "dnsConfig":{ + "description":"Add custom dns config", + "type":"object" + }, + "image":{ + "type":"object", + "properties":{ + "pullPolicy":{ + "description":"Image pullPolicy to use for deploying.", + "type":"string", + "pattern":"^(Always|Never|IfNotPresent)$" + }, + "repository":{ + "description":"Image to use for deploying", + "type":"string", + "pattern":"^[a-z0-9-_/]+$" + }, + "tag":{ + "description":"Image tag to use for deploying.", + "type":"string", + "pattern":"^[a-z0-9-_.]+$" + } + } + }, + "multiCluster":{ + "type":"object", + "properties":{ + "enabled":{ + "description":"Enable OpenDJ multiCluster mode. This flag enabbles loading keys under `opendj.multiCluster`", + "type":"boolean" + }, + "serfAdvertiseAddrSuffix":{ + "description":"OpenDJ Serf advertise address for the cluster", + "type":"string" + }, + "serfKey":{ + "description":"Serf key. This key will automatically sync across clusters.", + "type":"string" + }, + "serfPeers":{ + "description":"Serf peer addresses. 
One per cluster.", + "type":"array", + "items":{ + "type":"string" + } + } + } + }, + "persistence":{ + "type":"object", + "properties":{ + "size":{ + "description":"OpenDJ volume size", + "type":"string", + "pattern":"^[0-9]Gi+$" + } + } + }, + "ports":{ + "type":"object", + "properties":{ + "tcp-admin":{ + "type":"object", + "properties":{ + "nodePort":{ + "type":"string" + }, + "port":{ + "type":"integer" + }, + "protocol":{ + "type":"string" + }, + "targetPort":{ + "type":"integer" + } + } + }, + "tcp-ldap":{ + "type":"object", + "properties":{ + "nodePort":{ + "type":"string" + }, + "port":{ + "type":"integer" + }, + "protocol":{ + "type":"string" + }, + "targetPort":{ + "type":"integer" + } + } + }, + "tcp-ldaps":{ + "type":"object", + "properties":{ + "nodePort":{ + "type":"string" + }, + "port":{ + "type":"integer" + }, + "protocol":{ + "type":"string" + }, + "targetPort":{ + "type":"integer" + } + } + }, + "tcp-repl":{ + "type":"object", + "properties":{ + "nodePort":{ + "type":"string" + }, + "port":{ + "type":"integer" + }, + "protocol":{ + "type":"string" + }, + "targetPort":{ + "type":"integer" + } + } + }, + "tcp-serf":{ + "type":"object", + "properties":{ + "nodePort":{ + "type":"string" + }, + "port":{ + "type":"integer" + }, + "protocol":{ + "type":"string" + }, + "targetPort":{ + "type":"integer" + } + } + }, + "udp-serf":{ + "type":"object", + "properties":{ + "nodePort":{ + "type":"string" + }, + "port":{ + "type":"integer" + }, + "protocol":{ + "type":"string" + }, + "targetPort":{ + "type":"integer" + } + } + } + } + }, + "replicas":{ + "description":"Service replica number.", + "type":"integer" + }, + "resources":{ + "description":"Resource specs.", + "type":"object", + "properties":{ + "limits":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU limit.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory limit.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + }, + "requests":{ + 
"type":"object", + "properties":{ + "cpu":{ + "description":"CPU request.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory request.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + } + } + } + } + } + } + }, + "else":true + }, + "oxpassport-enabled":{ + "if":{ + "properties":{ + "global":{ + "properties":{ + "oxpassport":{ + "properties":{ + "enabled":{ + "const":"true" + } + } + } + } + } + } + }, + "then":{ + "properties":{ + "oxpassport":{ + "required":[ + "image", + "replicas", + "resources", + "service" + ], + "type":"object", + "properties":{ + "hpa":{ + "description":"Configure the HorizontalPodAutoscaler", + "type":"object", + "properties":{ + "enabled":{ + "type":"boolean" + }, + "minReplicas":{ + "type":"integer" + }, + "maxReplicas":{ + "type":"integer" + }, + "targetCPUUtilizationPercentage":{ + "type":"integer" + }, + "metrics":{ + "description":"metrics if targetCPUUtilizationPercentage is not set", + "type":"array" + }, + "behavior":{ + "description":"Scaling Policies", + "type":"object" + } + } + }, + "usrEnvs":{ + "description":"Add custom normal and secret envs to the service", + "type":"object", + "properties":{ + "normal":{ + "description":"Add custom normal envs to the service", + "type":"object" + }, + "secret":{ + "description":"Add custom secret envs to the service", + "type":"object" + } + } + }, + "dnsPolicy":{ + "description":"Add custom dns policy", + "type":"string", + "pattern":"^(Default|ClusterFirst|ClusterFirstWithHostNet|None|)$" + }, + "dnsConfig":{ + "description":"Add custom dns config", + "type":"object" + }, + "image":{ + "type":"object", + "properties":{ + "pullPolicy":{ + "description":"Image pullPolicy to use for deploying.", + "type":"string", + "pattern":"^(Always|Never|IfNotPresent)$" + }, + "repository":{ + "description":"Image to use for deploying", + "type":"string", + "pattern":"^[a-z0-9-_/]+$" + }, + "tag":{ + "description":"Image tag to use for deploying.", + 
"type":"string", + "pattern":"^[a-z0-9-_.]+$" + } + } + }, + "replicas":{ + "description":"Service replica number.", + "type":"integer" + }, + "resources":{ + "description":"Resource specs.", + "type":"object", + "properties":{ + "limits":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU limit.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory limit.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + }, + "requests":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU request.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory request.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + } + } + }, + "service":{ + "type":"object", + "properties":{ + "oxPassportServiceName":{ + "description":"Name of the oxPassport service. Please keep it as default.", + "type":"string", + "pattern":"^[a-z0-9-]+$" + } + } + } + } + } + } + }, + "else":true + }, + "oxshibboleth-enabled":{ + "if":{ + "properties":{ + "global":{ + "properties":{ + "oxshibboleth":{ + "properties":{ + "enabled":{ + "const":"true" + } + } + } + } + } + } + }, + "then":{ + "properties":{ + "oxshibboleth":{ + "required":[ + "image", + "replicas", + "resources", + "service" + ], + "type":"object", + "properties":{ + "hpa":{ + "description":"Configure the HorizontalPodAutoscaler", + "type":"object", + "properties":{ + "enabled":{ + "type":"boolean" + }, + "minReplicas":{ + "type":"integer" + }, + "maxReplicas":{ + "type":"integer" + }, + "targetCPUUtilizationPercentage":{ + "type":"integer" + }, + "metrics":{ + "description":"metrics if targetCPUUtilizationPercentage is not set", + "type":"array" + }, + "behavior":{ + "description":"Scaling Policies", + "type":"object" + } + } + }, + "usrEnvs":{ + "description":"Add custom normal and secret envs to the service", + "type":"object", + "properties":{ + "normal":{ + "description":"Add custom normal envs to the service", + "type":"object" + }, + 
"secret":{ + "description":"Add custom secret envs to the service", + "type":"object" + } + } + }, + "dnsPolicy":{ + "description":"Add custom dns policy", + "type":"string", + "pattern":"^(Default|ClusterFirst|ClusterFirstWithHostNet|None|)$" + }, + "dnsConfig":{ + "description":"Add custom dns config", + "type":"object" + }, + "image":{ + "type":"object", + "properties":{ + "pullPolicy":{ + "description":"Image pullPolicy to use for deploying.", + "type":"string", + "pattern":"^(Always|Never|IfNotPresent)$" + }, + "repository":{ + "description":"Image to use for deploying", + "type":"string", + "pattern":"^[a-z0-9-_/]+$" + }, + "tag":{ + "description":"Image tag to use for deploying.", + "type":"string", + "pattern":"^[a-z0-9-_.]+$" + } + } + }, + "replicas":{ + "description":"Service replica number.", + "type":"integer" + }, + "resources":{ + "description":"Resource specs.", + "type":"object", + "properties":{ + "limits":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU limit.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory limit.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + }, + "requests":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU request.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory request.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + } + } + }, + "service":{ + "type":"object", + "properties":{ + "oxShibbolethServiceName":{ + "description":"Name of the oxShibboleth service. 
Please keep it as default.", + "type":"string", + "pattern":"^[a-z0-9-]+$" + } + } + } + } + } + } + }, + "else":true + }, + "persistence-enabled":{ + "if":{ + "properties":{ + "global":{ + "properties":{ + "persistence":{ + "properties":{ + "enabled":{ + "const":"true" + } + } + } + } + } + } + }, + "then":{ + "properties":{ + "persistence":{ + "required":[ + "image", + "resources" + ], + "type":"object", + "properties":{ + "usrEnvs":{ + "description":"Add custom normal and secret envs to the service", + "type":"object", + "properties":{ + "normal":{ + "description":"Add custom normal envs to the service", + "type":"object" + }, + "secret":{ + "description":"Add custom secret envs to the service", + "type":"object" + } + } + }, + "dnsPolicy":{ + "description":"Add custom dns policy", + "type":"string", + "pattern":"^(Default|ClusterFirst|ClusterFirstWithHostNet|None|)$" + }, + "dnsConfig":{ + "description":"Add custom dns config", + "type":"object" + }, + "image":{ + "type":"object", + "properties":{ + "pullPolicy":{ + "description":"Image pullPolicy to use for deploying.", + "type":"string", + "pattern":"^(Always|Never|IfNotPresent)$" + }, + "repository":{ + "description":"Image to use for deploying", + "type":"string", + "pattern":"^[a-z0-9-_/]+$" + }, + "tag":{ + "description":"Image tag to use for deploying.", + "type":"string", + "pattern":"^[a-z0-9-_.]+$" + } + } + }, + "resources":{ + "description":"Resource specs.", + "type":"object", + "properties":{ + "limits":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU limit.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory limit.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + }, + "requests":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU request.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory request.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + } + } + } + } + } + } + }, + 
"else":true + }, + "scim-enabled":{ + "if":{ + "properties":{ + "global":{ + "properties":{ + "scim":{ + "properties":{ + "enabled":{ + "const":"true" + } + } + } + } + } + } + }, + "then":{ + "properties":{ + "scim":{ + "required":[ + "image", + "replicas", + "resources", + "service" + ], + "type":"object", + "properties":{ + "hpa":{ + "description":"Configure the HorizontalPodAutoscaler", + "type":"object", + "properties":{ + "enabled":{ + "type":"boolean" + }, + "minReplicas":{ + "type":"integer" + }, + "maxReplicas":{ + "type":"integer" + }, + "targetCPUUtilizationPercentage":{ + "type":"integer" + }, + "metrics":{ + "description":"metrics if targetCPUUtilizationPercentage is not set", + "type":"array" + }, + "behavior":{ + "description":"Scaling Policies", + "type":"object" + } + } + }, + "usrEnvs":{ + "description":"Add custom normal and secret envs to the service", + "type":"object", + "properties":{ + "normal":{ + "description":"Add custom normal envs to the service", + "type":"object" + }, + "secret":{ + "description":"Add custom secret envs to the service", + "type":"object" + } + } + }, + "dnsPolicy":{ + "description":"Add custom dns policy", + "type":"string", + "pattern":"^(Default|ClusterFirst|ClusterFirstWithHostNet|None|)$" + }, + "dnsConfig":{ + "description":"Add custom dns config", + "type":"object" + }, + "image":{ + "type":"object", + "properties":{ + "pullPolicy":{ + "description":"Image pullPolicy to use for deploying.", + "type":"string", + "pattern":"^(Always|Never|IfNotPresent)$" + }, + "repository":{ + "description":"Image to use for deploying", + "type":"string", + "pattern":"^[a-z0-9-_/]+$" + }, + "tag":{ + "description":"Image tag to use for deploying.", + "type":"string", + "pattern":"^[a-z0-9-_.]+$" + } + } + }, + "replicas":{ + "description":"Service replica number.", + "type":"integer" + }, + "resources":{ + "description":"Resource specs.", + "type":"object", + "properties":{ + "limits":{ + "type":"object", + "properties":{ + 
"cpu":{ + "description":"CPU limit.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory limit.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + }, + "requests":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU request.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory request.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + } + } + }, + "service":{ + "type":"object", + "properties":{ + "scimServiceName":{ + "description":"Name of the SCIM service. Please keep it as default.", + "type":"string", + "pattern":"^[a-z0-9-]+$" + } + } + } + } + } + } + }, + "else":true + } + } +} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.302/values.yaml b/charts/gluu/gluu/5.0.302/values.yaml new file mode 100644 index 000000000..02b9764e0 --- /dev/null +++ b/charts/gluu/gluu/5.0.302/values.yaml 
@@ -0,0 +1,1527 @@
+# -- Only used by the installer. These settings do not affect nor are used by the chart
+installer-settings:
+ currentVersion: ""
+ upgrade:
+ targetVersion: ""
+ image:
+ repository: ""
+ tag: ""
+ acceptLicense: ""
+ namespace: ""
+ releaseName: ""
+ nginxIngress:
+ releaseName: ""
+ namespace: ""
+ nodes:
+ names: ""
+ zones: ""
+ ips: ""
+ images:
+ edit: ""
+ aws:
+ lbType: ""
+ arn:
+ enabled: ""
+ arnAcmCert: ""
+ vpcCidr: "0.0.0.0/0"
+ couchbase:
+ clusterName: ""
+ namespace: ""
+ lowResourceInstall: ""
+ install: ""
+ customFileOverride: ""
+ backup:
+ incrementalSchedule: ""
+ fullSchedule: ""
+ retentionTime: ""
+ storageSize: ""
+ # Couchbase cert related keys
+ subjectAlternativeName: ""
+ commonName: ""
+ # Couchbase cluster yaml generator keys
+ totalNumberOfExpectedUsers: ""
+ totalNumberOfExpectedTransactionsPerSec: ""
+ volumeType: ""
+ volumeProvisionStrategy: ""
+ ldap:
+ multiClusterIds: []
+ subsequentCluster: ""
+ backup:
+ fullSchedule: ""
+ postgres:
+ install: ""
+ namespace: ""
+ sql:
+ install: ""
+ namespace: ""
+ google:
+ useSecretManager: ""
+ redis:
+ install: ""
+ namespace: ""
+ openbanking:
+ hasCnObTransportTrustStore: false
+ cnObTransportTrustStoreP12password: ""
+ confirmSettings: false
+
+# -- Admin GUI for configuration of the auth-server
+admin-ui:
+ # -- Configure the HorizontalPodAutoscaler
+ hpa:
+ enabled: true
+ minReplicas: 1
+ maxReplicas: 10
+ targetCPUUtilizationPercentage: 50
+ # -- metrics if targetCPUUtilizationPercentage is not set
+ metrics: []
+ # -- Scaling Policies
+ behavior: {}
+ # -- Add custom normal and secret envs to the service
+ usrEnvs:
+ # -- Add custom normal envs to the service
+ # variable1: value1
+ normal: {}
+ # -- Add custom secret envs to the service
+ # variable1: value1
+ secret: {}
+ # -- Add custom dns policy
+ dnsPolicy: ""
+ # -- Add custom dns config
+ dnsConfig: {}
+ image:
+ # -- Image pullPolicy to use for deploying.
+ pullPolicy: IfNotPresent
+ # -- Image to use for deploying.
+ repository: gluufederation/admin-ui
+ # -- Image tag to use for deploying.
+ tag: 1.0.0-0
+ # -- Image Pull Secrets
+ pullSecrets: [ ]
+ # -- Service replica number.
+ replicas: 1
+ # -- Resource specs.
+ resources:
+ limits:
+ # -- CPU limit.
+ cpu: 2500m
+ # -- Memory limit.
+ memory: 2500Mi
+ requests:
+ # -- CPU request.
+ cpu: 2500m
+ # -- Memory request.
+ memory: 2500Mi
+ # -- Configure the liveness healthcheck for the admin ui if needed.
+ livenessProbe:
+ tcpSocket:
+ port: 8080
+ initialDelaySeconds: 60
+ timeoutSeconds: 5
+ periodSeconds: 25
+ failureThreshold: 20
+ # -- Configure the readiness healthcheck for the admin ui if needed.
+ readinessProbe:
+ tcpSocket:
+ port: 8080
+ initialDelaySeconds: 60
+ timeoutSeconds: 5
+ periodSeconds: 25
+ failureThreshold: 20
+ # -- Configure any additional volumes that need to be attached to the pod
+ volumes: []
+ # -- Configure any additional volumesMounts that need to be attached to the containers
+ volumeMounts: []
+
+ # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"}
+ additionalLabels: { }
+ # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"}
+ additionalAnnotations: { }
+# -- OAuth Authorization Server, the OpenID Connect Provider, the UMA Authorization Server--this is the main Internet facing component of Gluu. It's the service that returns tokens, JWT's and identity assertions. This service must be Internet facing.
+auth-server:
+ # -- Configure the HorizontalPodAutoscaler
+ hpa:
+ enabled: true
+ minReplicas: 1
+ maxReplicas: 10
+ targetCPUUtilizationPercentage: 50
+ # -- metrics if targetCPUUtilizationPercentage is not set
+ metrics: []
+ # -- Scaling Policies
+ behavior: {}
+ # -- Add custom normal and secret envs to the service
+ usrEnvs:
+ # -- Add custom normal envs to the service
+ # variable1: value1
+ normal: {}
+ # -- Add custom secret envs to the service
+ # variable1: value1
+ secret: {}
+ # -- Add custom dns policy
+ dnsPolicy: ""
+ # -- Add custom dns config
+ dnsConfig: {}
+ image:
+ # -- Image pullPolicy to use for deploying.
+ pullPolicy: IfNotPresent
+ # -- Image to use for deploying.
+ repository: janssenproject/auth-server
+ # -- Image tag to use for deploying.
+ tag: 1.0.0-beta.16
+ # -- Image Pull Secrets
+ pullSecrets: [ ]
+ # -- Service replica number.
+ replicas: 1
+ # -- Resource specs.
+ resources:
+ limits:
+ # -- CPU limit.
+ cpu: 2500m
+ # -- Memory limit.
+ memory: 2500Mi
+ requests:
+ # -- CPU request.
+ cpu: 2500m
+ # -- Memory request.
+ memory: 2500Mi
+ # -- Configure the liveness healthcheck for the auth server if needed.
+ livenessProbe:
+ # -- Executes the python3 healthcheck.
+ # https://github.com/JanssenProject/docker-jans-auth-server/blob/master/scripts/healthcheck.py
+ exec:
+ command:
+ - python3
+ - /app/scripts/healthcheck.py
+ initialDelaySeconds: 30
+ periodSeconds: 30
+ timeoutSeconds: 5
+ # -- Configure the readiness healthcheck for the auth server if needed.
+ # https://github.com/JanssenProject/docker-jans-auth-server/blob/master/scripts/healthcheck.py
+ readinessProbe:
+ exec:
+ command:
+ - python3
+ - /app/scripts/healthcheck.py
+ initialDelaySeconds: 25
+ periodSeconds: 25
+ timeoutSeconds: 5
+ # -- Configure any additional volumes that need to be attached to the pod
+ volumes: []
+ # -- Configure any additional volumesMounts that need to be attached to the containers
+ volumeMounts: []
+
+ # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"}
+ additionalLabels: { }
+ # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"}
+ additionalAnnotations: { }
+# -- Responsible for regenerating auth-keys per x hours
+auth-server-key-rotation:
+ # -- Add custom normal and secret envs to the service
+ usrEnvs:
+ # -- Add custom normal envs to the service
+ # variable1: value1
+ normal: {}
+ # -- Add custom secret envs to the service
+ # variable1: value1
+ secret: {}
+ # -- Add custom dns policy
+ dnsPolicy: ""
+ # -- Add custom dns config
+ dnsConfig: {}
+ image:
+ # -- Image pullPolicy to use for deploying.
+ pullPolicy: IfNotPresent
+ # -- Image to use for deploying.
+ repository: janssenproject/certmanager
+ # -- Image tag to use for deploying.
+ tag: 1.0.0-beta.16
+ # -- Image Pull Secrets
+ pullSecrets: [ ]
+ # -- Auth server key rotation keys life in hours
+ keysLife: 48
+ # -- Resource specs.
+ resources:
+ limits:
+ # -- CPU limit.
+ cpu: 300m
+ # -- Memory limit.
+ memory: 300Mi
+ requests:
+ # -- CPU request.
+ cpu: 300m
+ # -- Memory request.
+ memory: 300Mi
+ # -- Configure any additional volumes that need to be attached to the pod
+ volumes: []
+ # -- Configure any additional volumesMounts that need to be attached to the containers
+ volumeMounts: []
+
+ # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"}
+ additionalLabels: { }
+ # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"}
+ additionalAnnotations: { }
+# -- Gluu Casa ("Casa") is a self-service web portal for end-users to manage authentication and authorization preferences for their account in a Gluu Server.
+casa:
+ # -- Configure the HorizontalPodAutoscaler
+ hpa:
+ enabled: true
+ minReplicas: 1
+ maxReplicas: 10
+ targetCPUUtilizationPercentage: 50
+ # -- metrics if targetCPUUtilizationPercentage is not set
+ metrics: []
+ # -- Scaling Policies
+ behavior: {}
+ # -- Add custom normal and secret envs to the service
+ usrEnvs:
+ # -- Add custom normal envs to the service
+ # variable1: value1
+ normal: {}
+ # -- Add custom secret envs to the service
+ # variable1: value1
+ secret: {}
+ # -- Add custom dns policy
+ dnsPolicy: ""
+ # -- Add custom dns config
+ dnsConfig: {}
+ image:
+ # -- Image pullPolicy to use for deploying.
+ pullPolicy: IfNotPresent
+ # -- Image to use for deploying.
+ repository: gluufederation/casa
+ # -- Image tag to use for deploying.
+ tag: 5.0.0-0
+ # -- Image Pull Secrets
+ pullSecrets: [ ]
+ # -- Service replica number.
+ replicas: 1
+ # -- Resource specs.
+ resources:
+ limits:
+ # -- CPU limit.
+ cpu: 500m
+ # -- Memory limit.
+ memory: 500Mi
+ requests:
+ # -- CPU request.
+ cpu: 500m
+ # -- Memory request.
+ memory: 500Mi
+ # -- Configure the liveness healthcheck for casa if needed.
+ livenessProbe:
+ httpGet:
+ # -- http liveness probe endpoint
+ path: /casa/health-check
+ port: http-casa
+ initialDelaySeconds: 25
+ periodSeconds: 25
+ timeoutSeconds: 5
+ # -- Configure the readiness healthcheck for the casa if needed.
+ readinessProbe:
+ httpGet:
+ # -- http readiness probe endpoint
+ path: /casa/health-check
+ port: http-casa
+ initialDelaySeconds: 30
+ periodSeconds: 30
+ timeoutSeconds: 5
+ # -- Configure any additional volumes that need to be attached to the pod
+ volumes: []
+ # -- Configure any additional volumesMounts that need to be attached to the containers
+ volumeMounts: []
+
+ # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"}
+ additionalLabels: { }
+ # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"}
+ additionalAnnotations: { }
+# -- Middleware API to help application developers call an OAuth, OpenID or UMA server. You may wonder why this is necessary. It makes it easier for client developers to use OpenID signing and encryption features, without becoming crypto experts. This API provides some high level endpoints to do some of the heavy lifting.
+client-api:
+ # -- Configure the HorizontalPodAutoscaler
+ hpa:
+ enabled: true
+ minReplicas: 1
+ maxReplicas: 10
+ targetCPUUtilizationPercentage: 50
+ # -- metrics if targetCPUUtilizationPercentage is not set
+ metrics: []
+ # -- Scaling Policies
+ behavior: {}
+ # -- Add custom normal and secret envs to the service
+ usrEnvs:
+ # -- Add custom normal envs to the service
+ # variable1: value1
+ normal: {}
+ # -- Add custom secret envs to the service
+ # variable1: value1
+ secret: {}
+ # -- Add custom dns policy
+ dnsPolicy: ""
+ # -- Add custom dns config
+ dnsConfig: {}
+ image:
+ # -- Image pullPolicy to use for deploying.
+ pullPolicy: IfNotPresent
+ # -- Image to use for deploying.
+ repository: janssenproject/client-api
+ # -- Image tag to use for deploying.
+ tag: 1.0.0-beta.16
+ # -- Image Pull Secrets
+ pullSecrets: [ ]
+ # -- Service replica number.
+ replicas: 1
+ # -- Resource specs.
+ resources:
+ limits:
+ # -- CPU limit.
+ cpu: 1000m
+ # -- Memory limit.
+ memory: 400Mi
+ requests:
+ # -- CPU request.
+ cpu: 1000m
+ # -- Memory request.
+ memory: 400Mi
+ # -- Configure the liveness healthcheck for the auth server if needed.
+ livenessProbe:
+ # -- Executes the python3 healthcheck.
+ exec:
+ command:
+ - curl
+ - -k
+ - https://localhost:8443/health-check
+ initialDelaySeconds: 30
+ periodSeconds: 30
+ timeoutSeconds: 5
+ # -- Configure the readiness healthcheck for the auth server if needed.
+ readinessProbe:
+ tcpSocket:
+ port: 8443
+ initialDelaySeconds: 60
+ timeoutSeconds: 5
+ periodSeconds: 25
+ # -- Configure any additional volumes that need to be attached to the pod
+ volumes: []
+ # -- Configure any additional volumesMounts that need to be attached to the containers
+ volumeMounts: []
+
+ # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"}
+ additionalLabels: { }
+ # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"}
+ additionalAnnotations: { }
+# -- Configuration parameters for setup and initial configuration secret and config layers used by Gluu services.
+config:
+ # -- Add custom normal and secret envs to the service.
+ usrEnvs:
+ # -- Add custom normal envs to the service.
+ # variable1: value1
+ normal: {}
+ # -- Add custom secret envs to the service.
+ # variable1: value1
+ secret: {}
+ # -- Admin password to log in to the UI.
+ adminPassword: Test1234#
+ # -- City. Used for certificate creation.
+ city: Austin
+ configmap:
+ # -- Jetty header size in bytes in the auth server
+ cnJettyRequestHeaderSize: 8192
+ # -- SQL database dialect. `mysql` or `pgsql`
+ cnSqlDbDialect: mysql
+ # -- SQL database host uri.
+ cnSqlDbHost: my-release-mysql.default.svc.cluster.local
+ # -- SQL database port.
+ cnSqlDbPort: 3306
+ # -- SQL database name.
+ cnSqlDbName: jans
+ # -- SQL database username.
+ cnSqlDbUser: jans
+ # -- SQL database timezone.
+ cnSqlDbTimezone: UTC
+ # -- SQL password injected the secrets .
+ cnSqldbUserPassword: Test1234#
+ # -- Cache type. `NATIVE_PERSISTENCE`, `REDIS`. or `IN_MEMORY`. Defaults to `NATIVE_PERSISTENCE` .
+ cnCacheType: NATIVE_PERSISTENCE
+ # -- Client-api OAuth client admin certificate common name. This should be left to the default value client-api .
+ cnClientApiAdminCertCn: client-api
+ # -- Client-api OAuth client application certificate common name. This should be left to the default value client-api.
+ cnClientApiApplicationCertCn: client-api
+ # -- Client-api bind address. This limits what ip ranges can access the client-api. This should be left as * and controlled by a NetworkPolicy
+ cnClientApiBindIpAddresses: "*"
+ # -- The name of the Kubernetes ConfigMap that will hold the configuration layer
+ cnConfigKubernetesConfigMap: cn
+ # -- The prefix of couchbase buckets. This helps with separation in between different environments and allows for the same couchbase cluster to be used by different setups of Gluu.
+ cnCouchbaseBucketPrefix: jans
+ # -- Couchbase certificate authority string. This must be encoded using base64. This can also be found in your couchbase UI Security > Root Certificate. In mTLS setups this is not required.
+ cnCouchbaseCrt: SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo=
+ # -- The number of replicas per index created. Please note that the number of index nodes must be one greater than the number of index replicas. That means if your couchbase cluster only has 2 index nodes you cannot place the number of replicas to be higher than 1.
+ cnCouchbaseIndexNumReplica: 0
+ # -- Couchbase password for the restricted user config.configmap.cnCouchbaseUser that is often used inside the services. The password must contain one digit, one uppercase letter, one lower case letter and one symbol .
+ cnCouchbasePassword: P@ssw0rd
+ # -- The Couchbase super user (admin) user name. This user is used during initialization only.
+ cnCouchbaseSuperUser: admin
+ # -- Couchbase password for the super user config.configmap.cnCouchbaseSuperUser that is used during the initialization process. The password must contain one digit, one uppercase letter, one lower case letter and one symbol
+ cnCouchbaseSuperUserPassword: Test1234#
+ # -- Couchbase URL. Used only when global.cnPersistenceType is hybrid or couchbase. This should be in FQDN format for either remote or local Couchbase clusters. The address can be an internal address inside the kubernetes cluster
+ cnCouchbaseUrl: cbgluu.default.svc.cluster.local
+ # -- Couchbase restricted user. Used only when global.cnPersistenceType is hybrid or couchbase.
+ cnCouchbaseUser: gluu
+ # [google_envs] Envs related to using Google
+ # -- Service account with roles roles/secretmanager.admin base64 encoded string. This is used often inside the services to reach the configuration layer. Used only when global.configAdapterName and global.configSecretAdapter is set to google.
+ cnGoogleSecretManagerServiceAccount: SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo=
+ # -- Project id of the google project the secret manager belongs to. Used only when global.configAdapterName and global.configSecretAdapter is set to google.
+ cnGoogleProjectId: google-project-to-save-config-and-secrets-to
+ # [google_spanner_envs] Envs related to using Google Secret Manager to store config and secret layer
+ # -- Google Spanner ID. Used only when global.cnPersistenceType is spanner.
+ cnGoogleSpannerInstanceId: ""
+ # -- Google Spanner Database ID. Used only when global.cnPersistenceType is spanner.
+ cnGoogleSpannerDatabaseId: ""
+ # [google_spanner_envs] END
+ # [google_secret_manager_envs] Envs related to using Google Secret Manager to store config and secret layer
+ # -- Secret version to be used for secret configuration. Defaults to latest and should normally always stay that way. Used only when global.configAdapterName and global.configSecretAdapter is set to google.
+ cnSecretGoogleSecretVersionId: "latest"
+ # -- Prefix for Gluu secret in Google Secret Manager. Defaults to gluu. If left gluu-secret secret will be created. Used only when global.configAdapterName and global.configSecretAdapter is set to google.
+ cnSecretGoogleSecretNamePrefix: gluu
+ # -- Passphrase for Gluu secret in Google Secret Manager. This is used for encrypting and decrypting data from the Google Secret Manager. Used only when global.configAdapterName and global.configSecretAdapter is set to google.
+ cnGoogleSecretManagerPassPhrase: Test1234#
+ # -- Secret version to be used for configuration. Defaults to latest and should normally always stay that way. Used only when global.configAdapterName and global.configSecretAdapter is set to google. Used only when global.configAdapterName and global.configSecretAdapter is set to google.
+ cnConfigGoogleSecretVersionId: "latest"
+ # -- Prefix for Gluu configuration secret in Google Secret Manager. Defaults to gluu. If left intact gluu-configuration secret will be created. Used only when global.configAdapterName and global.configSecretAdapter is set to google.
+ cnConfigGoogleSecretNamePrefix: gluu
+ # [google_secret_manager_envs] END
+ # [google_envs] END
+ # -- OpenDJ internal address. Leave as default. Used when `global.cnPersistenceType` is set to `ldap`.
+ cnLdapUrl: "opendj:1636"
+ # -- Value passed to Java option -XX:MaxRAMPercentage
+ cnMaxRamPercent: "75.0"
+ # -- SCIM protection mode OAUTH|TEST|UMA
+ cnScimProtectionMode: "OAUTH"
+ # -- Specify data that should be saved in LDAP (one of default, user, cache, site, token, or session; default to default). Note this environment only takes effect when `global.cnPersistenceType` is set to `hybrid`.
+ cnPersistenceLdapMapping: default
+ # -- Redis Sentinel Group. Often set when `config.configmap.cnRedisType` is set to `SENTINEL`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`.
+ cnRedisSentinelGroup: ""
+ # -- Redis SSL truststore. Optional. Can be used when `config.configmap.cnCacheType` is set to `REDIS`.
+ cnRedisSslTruststore: ""
+ # -- Redis service type. `STANDALONE` or `CLUSTER`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`.
+ cnRedisType: STANDALONE
+ # -- Redis URL and port number :. Can be used when `config.configmap.cnCacheType` is set to `REDIS`.
+ cnRedisUrl: "redis.redis.svc.cluster.local:6379"
+ # -- Boolean to use SSL in Redis. Can be used when `config.configmap.cnCacheType` is set to `REDIS`.
+ cnRedisUseSsl: false
+ # -- Kubernetes secret name holding configuration keys. Used when global.configSecretAdapter is set to kubernetes which is the default.
+ cnSecretKubernetesSecret: cn
+ # -- Loadbalancer address for AWS if the FQDN is not registered.
+ lbAddr: ""
+ # -- Country code. Used for certificate creation.
+ countryCode: US
+ # -- Email address of the administrator usually. Used for certificate creation.
+ email: support@gluu.org
+ image:
+ # -- Image to use for deploying.
+ repository: janssenproject/configurator
+ # -- Image tag to use for deploying.
+ tag: 1.0.0-beta.16
+ # -- Image Pull Secrets
+ pullSecrets: [ ]
+ # -- LDAP admin password if OpennDJ is used for persistence.
+ ldapPassword: P@ssw0rds
+ # -- Organization name. Used for certificate creation.
+ orgName: Gluu
+ # -- Redis admin password if `config.configmap.cnCacheType` is set to `REDIS`.
+ redisPassword: P@assw0rd
+ # -- Resource specs.
+ resources:
+ limits:
+ # -- CPU limit.
+ cpu: 300m
+ # -- Memory limit.
+ memory: 300Mi
+ requests:
+ # -- CPU request.
+ cpu: 300m
+ # -- Memory request.
+ memory: 300Mi
+ # -- State code. Used for certificate creation.
+ state: TX
+ # -- Configure any additional volumes that need to be attached to the pod
+ volumes: []
+ # -- Configure any additional volumesMounts that need to be attached to the containers
+ volumeMounts: []
+ # -- Add custom dns policy
+ dnsPolicy: ""
+ # -- Add custom dns config
+ dnsConfig: {}
+ # -- CE to CN Migration section
+ migration:
+ # -- Boolean flag to enable migration from CE
+ enabled: false
+ # -- Directory holding all migration files
+ migrationDir: /ce-migration
+ # -- migration data-format depending on persistence backend.
+ # Supported data formats are ldif, couchbase+json, spanner+avro, postgresql+json, and mysql+json.
+ migrationDataFormat: ldif
+
+ # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"}
+ additionalLabels: { }
+ # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"}
+ additionalAnnotations: { }
+# -- Config Api endpoints can be used to configure the auth-server, which is an open-source OpenID Connect Provider (OP) and UMA Authorization Server (AS).
+config-api:
+ # -- Configure the HorizontalPodAutoscaler
+ hpa:
+ enabled: true
+ minReplicas: 1
+ maxReplicas: 10
+ targetCPUUtilizationPercentage: 50
+ # -- metrics if targetCPUUtilizationPercentage is not set
+ metrics: []
+ # -- Scaling Policies
+ behavior: {}
+ # -- Add custom normal and secret envs to the service
+ usrEnvs:
+ # -- Add custom normal envs to the service
+ # variable1: value1
+ normal: {}
+ # -- Add custom secret envs to the service
+ # variable1: value1
+ secret: {}
+ # -- Add custom dns policy
+ dnsPolicy: ""
+ # -- Add custom dns config
+ dnsConfig: {}
+ image:
+ # -- Image pullPolicy to use for deploying.
+ pullPolicy: IfNotPresent
+ # -- Image to use for deploying.
+ repository: janssenproject/config-api
+ # -- Image tag to use for deploying.
+ tag: 1.0.0-beta.16
+ # -- Image Pull Secrets
+ pullSecrets: [ ]
+ # -- Service replica number.
+ replicas: 1
+ # -- Resource specs.
+ resources:
+ limits:
+ # -- CPU limit.
+ cpu: 1000m
+ # -- Memory limit.
+ memory: 400Mi
+ requests:
+ # -- CPU request.
+ cpu: 1000m
+ # -- Memory request.
+ memory: 400Mi
+ # -- Configure the liveness healthcheck for the auth server if needed.
+ livenessProbe:
+ # -- http liveness probe endpoint
+ httpGet:
+ path: /jans-config-api/api/v1/health/live
+ port: 8074
+ initialDelaySeconds: 30
+ periodSeconds: 30
+ timeoutSeconds: 5
+ readinessProbe:
+ # -- http readiness probe endpoint
+ httpGet:
+ path: jans-config-api/api/v1/health/ready
+ port: 8074
+ initialDelaySeconds: 25
+ periodSeconds: 25
+ timeoutSeconds: 5
+ # -- Configure any additional volumes that need to be attached to the pod
+ volumes: []
+ # -- Configure any additional volumesMounts that need to be attached to the containers
+ volumeMounts: []
+
+ # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"}
+ additionalLabels: { }
+ # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"}
+ additionalAnnotations: { }
+# -- FIDO 2.0 (FIDO2) is an open authentication standard that enables leveraging common devices to authenticate to online services in both mobile and desktop environments.
+fido2:
+ # -- Configure the HorizontalPodAutoscaler
+ hpa:
+ enabled: true
+ minReplicas: 1
+ maxReplicas: 10
+ targetCPUUtilizationPercentage: 50
+ # -- metrics if targetCPUUtilizationPercentage is not set
+ metrics: []
+ # -- Scaling Policies
+ behavior: {}
+ # -- Add custom normal and secret envs to the service
+ usrEnvs:
+ # -- Add custom normal envs to the service
+ # variable1: value1
+ normal: {}
+ # -- Add custom secret envs to the service
+ # variable1: value1
+ secret: {}
+ # -- Add custom dns policy
+ dnsPolicy: ""
+ # -- Add custom dns config
+ dnsConfig: {}
+ image:
+ # -- Image pullPolicy to use for deploying.
+ pullPolicy: IfNotPresent
+ # -- Image to use for deploying.
+ repository: janssenproject/fido2
+ # -- Image tag to use for deploying.
+ tag: 1.0.0-beta.16
+ # -- Image Pull Secrets
+ pullSecrets: [ ]
+ # -- Service replica number.
+ replicas: 1
+ # -- Resource specs.
+ resources:
+ limits:
+ # -- CPU limit.
+ cpu: 500m
+ # -- Memory limit.
+ memory: 500Mi
+ requests:
+ # -- CPU request.
+ cpu: 500m
+ # -- Memory request.
+ memory: 500Mi
+ service:
+ # -- The name of the fido2 port within the fido2 service. Please keep it as default.
+ name: http-fido2
+ # -- Port of the fido2 service. Please keep it as default.
+ port: 8080
+ # -- Configure the liveness healthcheck for the fido2 if needed.
+ livenessProbe:
+ # -- http liveness probe endpoint
+ httpGet:
+ path: /jans-fido2/sys/health-check
+ port: http-fido2
+ initialDelaySeconds: 25
+ periodSeconds: 25
+ timeoutSeconds: 5
+ # -- Configure the readiness healthcheck for the fido2 if needed.
+ readinessProbe:
+ httpGet:
+ path: /jans-fido2/sys/health-check
+ port: http-fido2
+ initialDelaySeconds: 30
+ periodSeconds: 30
+ timeoutSeconds: 5
+ # -- Configure any additional volumes that need to be attached to the pod
+ volumes: []
+ # -- Configure any additional volumesMounts that need to be attached to the containers
+ volumeMounts: []
+
+ # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"}
+ additionalLabels: { }
+ # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"}
+ additionalAnnotations: { }
+# -- Parameters used globally across all services helm charts.
+global:
+ # -- Add custom normal and secret envs to the service.
+ # Envs defined in global.userEnvs will be globally available to all services
+ usrEnvs:
+ # -- Add custom normal envs to the service.
+ # variable1: value1
+ normal: {}
+ # -- Add custom secret envs to the service.
+ # variable1: value1
+ secret: {}
+ alb:
+ # -- Activates ALB ingress
+ ingress: false
+
+ admin-ui:
+ # -- Boolean flag to enable/disable the admin-ui chart and admin ui config api plugin.
+ enabled: false
+ # -- Name of the admin-ui service. Please keep it as default.
+ adminUiServiceName: admin-ui
+ # License parameters
+ # -- Admin UI license API key.
+ adminUiApiKey: xxxxxxxxxxx
+ # -- Admin UI license API key mount location.
+ adminUiApiKeyFile: /etc/jans/conf/admin_ui_api_key
+ # -- Admin UI license product code.
+ adminUiProductCode: xxxxxxxxxxx
+ # -- Admin UI license product code mount location.
+ adminUiProductCodeFile: /etc/jans/conf/admin_ui_product_code
+ # -- Admin UI license shared key.
+ adminUiSharedKey: xxxxxxxxxxx
+ # -- Admin UI license shared key mount location.
+ adminUiSharedKeyFile: /etc/jans/conf/admin_ui_shared_key
+ # -- Admin UI license management key.
+ adminUiManagementKey: xxxxxxxxxxx
+ # -- Admin UI license management key mount location.
+ adminUiManagementKeyFile: /etc/jans/conf/admin_ui_management_key
+
+ auth-server:
+ # -- Name of the auth-server service. Please keep it as default.
+ authServerServiceName: auth-server
+ # -- Boolean flag to enable/disable auth-server chart. You should never set this to false.
+ enabled: true
+ # -- App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed.
+ appLoggers:
+ # -- jans-auth.log target
+ authLogTarget: "STDOUT"
+ # -- jans-auth.log level
+ authLogLevel: "INFO"
+ # -- http_request_response.log target
+ httpLogTarget: "FILE"
+ # -- http_request_response.log level
+ httpLogLevel: "INFO"
+ # -- jans-auth_persistence.log target
+ persistenceLogTarget: "FILE"
+ # -- jans-auth_persistence.log level
+ persistenceLogLevel: "INFO"
+ # -- jans-auth_persistence_duration.log target
+ persistenceDurationLogTarget: "FILE"
+ # -- jans-auth_persistence_duration.log level
+ persistenceDurationLogLevel: "INFO"
+ # -- jans-auth_persistence_ldap_statistics.log target
+ ldapStatsLogTarget: "FILE"
+ # -- jans-auth_persistence_ldap_statistics.log level
+ ldapStatsLogLevel: "INFO"
+ # -- jans-auth_script.log target
+ scriptLogTarget: "FILE"
+ # -- jans-auth_script.log level
+ scriptLogLevel: "INFO"
+ # -- jans-auth_script.log target
+ auditStatsLogTarget: "FILE"
+ # -- jans-auth_audit.log level
+ auditStatsLogLevel: "INFO"
+ # -- space-separated key algorithm for signing (default to `RS256 RS384 RS512 ES256 ES384 ES512 PS256 PS384 PS512`)
+ authSigKeys: "RS256 RS384 RS512 ES256 ES384 ES512 PS256 PS384 PS512"
+ # -- space-separated key algorithm for encryption (default to `RSA1_5 RSA-OAEP`)
+ authEncKeys: "RSA1_5 RSA-OAEP"
+
+ auth-server-key-rotation:
+ # -- Boolean flag to enable/disable the auth-server-key rotation cronjob chart.
+ enabled: false
+ # -- Volume storage type if using AWS volumes.
+ awsStorageType: io1
+ # -- Volume storage type if using Azure disks.
+ azureStorageAccountType: Standard_LRS
+ # -- Azure storage kind if using Azure disks
+ azureStorageKind: Managed
+ casa:
+ # -- Name of the casa service. Please keep it as default.
+ casaServiceName: casa
+ # -- Boolean flag to enable/disable the casachart.
+ enabled: true
+ client-api:
+ # -- Name of the client-api service. Please keep it as default.
+ clientApiServerServiceName: client-api
+ # -- Boolean flag to enable/disable the client-api chart.
+ enabled: false
+ # -- App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed.
+ appLoggers:
+ # -- client-api.log target
+ clientApiLogTarget: "STDOUT"
+ # -- client-api.log level
+ clientApiLogLevel: "INFO"
+ cloud:
+ # -- Boolean flag if enabled will strip resources requests and limits from all services.
+ testEnviroment: false
+ # -- Document store type to use for shibboleth files LOCAL.
+ cnDocumentStoreType: LOCAL
+ # -- Persistence backend to run Gluu with ldap|couchbase|hybrid|sql|spanner.
+ cnPersistenceType: sql
+ # -- Open banking external signing jwks uri. Used in SSA Validation.
+ cnObExtSigningJwksUri: ""
+ # -- Open banking external signing jwks AS certificate authority string. Used in SSA Validation. This must be encoded using base64.. Used when `.global.cnObExtSigningJwksUri` is set.
+ cnObExtSigningJwksCrt: ""
+ # -- Open banking external signing jwks AS key string. Used in SSA Validation. This must be encoded using base64. Used when `.global.cnObExtSigningJwksUri` is set.
+ cnObExtSigningJwksKey: ""
+ # -- Open banking external signing jwks AS key passphrase to unlock provided key. This must be encoded using base64. Used when `.global.cnObExtSigningJwksUri` is set.
+ cnObExtSigningJwksKeyPassPhrase: ""
+ # -- Open banking external signing AS Alias. This is a kid value.Used in SSA Validation, kid used while encoding a JWT sent to token URL i.e XkwIzWy44xWSlcWnMiEc8iq9s2G
+ cnObExtSigningAlias: ""
+ # -- Open banking signing AS kid to force the AS to use a specific signing key. i.e Wy44xWSlcWnMiEc8iq9s2G
+ cnObStaticSigningKeyKid: ""
+ # -- Open banking AS transport crt. Used in SSA Validation. This must be encoded using base64.
+ cnObTransportCrt: ""
+ # -- Open banking AS transport key. Used in SSA Validation. This must be encoded using base64.
+ cnObTransportKey: ""
+ # -- Open banking AS transport key pas`sphrase to unlock AS transport key. This must be encoded using base64.
+ cnObTransportKeyPassPhrase: ""
+ # -- Open banking transport Alias used inside the JVM.
+ cnObTransportAlias: ""
+ # -- Open banking AS transport truststore crt. This is normally generated from the OB issuing CA, OB Root CA and Signing CA. Used when .global.cnObExtSigningJwksUri is set. Used in SSA Validation. This must be encoded using base64.
+ cnObTransportTrustStore: ""
+ config:
+ # -- Boolean flag to enable/disable the configuration chart. This normally should never be false
+ enabled: true
+ # -- The config backend adapter that will hold Gluu configuration layer. google|kubernetes
+ configAdapterName: kubernetes
+ # -- The config backend adapter that will hold Gluu secret layer. google|kubernetes
+ configSecretAdapter: kubernetes
+ # -- Base64 encoded service account. The sa must have roles/secretmanager.admin to use Google secrets and roles/spanner.databaseUser to use Spanner.
+ cnGoogleApplicationCredentials: /etc/jans/conf/google-credentials.json
+ config-api:
+ # -- Name of the config-api service. Please keep it as default.
+ configApiServerServiceName: config-api
+ # -- Boolean flag to enable/disable the config-api chart.
+ enabled: true
+ # -- App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed.
+ appLoggers:
+ # -- configapi.log target
+ configApiLogTarget: "STDOUT"
+ # -- configapi.log level
+ configApiLogLevel: "INFO"
+ # -- config-api_persistence.log target
+ persistenceLogTarget: "FILE"
+ # -- jans-auth_persistence.log level
+ persistenceLogLevel: "INFO"
+ # -- config-api_persistence_duration.log target
+ persistenceDurationLogTarget: "FILE"
+ # -- config-api_persistence_duration.log level
+ persistenceDurationLogLevel: "INFO"
+ # -- config-api_persistence_ldap_statistics.log target
+ ldapStatsLogTarget: "FILE"
+ # -- config-api_persistence_ldap_statistics.log level
+ ldapStatsLogLevel: "INFO"
+ # -- config-api_script.log target
+ scriptLogTarget: "FILE"
+ # -- config-api_script.log level
+ scriptLogLevel: "INFO"
+ adminUiappLoggers:
+ # -- config-api admin-ui plugin log level
+ adminUiLogTarget: "FILE"
+ # -- config-api admin-ui plugin log target
+ adminUiLogLevel: "INFO"
+ # -- config-api admin-ui plugin audit log target
+ adminUiAuditLogTarget: "FILE"
+ # -- config-api admin-ui plugin audit log level
+ adminUiAuditLogLevel: "INFO"
+ # -- Fully qualified domain name to be used for Gluu installation. This address will be used to reach Gluu services.
+ fqdn: demoexample.gluu.org
+ fido2:
+ # -- Name of the fido2 service. Please keep it as default.
+ fido2ServiceName: fido2
+ # -- Boolean flag to enable/disable the fido2 chart.
+ enabled: true
+ # -- App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed.
+ appLoggers:
+ # -- fido2.log target
+ fido2LogTarget: "STDOUT"
+ # -- fido2.log level
+ fido2LogLevel: "INFO"
+ # -- fido2_persistence.log target
+ persistenceLogTarget: "FILE"
+ # -- fido2_persistence.log level
+ persistenceLogLevel: "INFO"
+ # -- GCE storage kind if using Google disks
+ gcePdStorageType: pd-standard
+ # -- Boolean flag to enable mapping global.lbIp to global.fqdn inside pods on clouds that provide static ip for loadbalancers. On cloud that provide only addresses to the LB this flag will enable a script to actively scan config.configmap.lbAddr and update the hosts file inside the pods automatically.
+ isFqdnRegistered: false
+ istio:
+ # -- Boolean flag that enables using istio side cars with Gluu services.
+ enabled: false
+ # -- Boolean flag that enables using istio gateway for Gluu. This assumes istio ingress is installed and hence the LB is available.
+ ingress: false
+ # -- The namespace istio is deployed in. The is normally istio-system.
+ namespace: istio-system
+ # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"}
+ additionalLabels: { }
+ # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"}
+ additionalAnnotations: { }
+ # -- The Loadbalancer IP created by nginx or istio on clouds that provide static IPs. This is not needed if `global.fqdn` is globally resolvable.
+ lbIp: 22.22.22.22
+ nginx-ingress:
+ # -- Boolean flag to enable/disable the nginx-ingress definitions chart.
+ enabled: true
+ opendj:
+ # -- Boolean flag to enable/disable the OpenDJ chart.
+ enabled: false
+ # -- Name of the OpenDJ service. Please keep it as default.
+ ldapServiceName: opendj
+ oxpassport:
+ # -- Name of the oxPassport service. Please keep it as default.
+ oxPassportServiceName: oxpassport
+ # -- Boolean flag to enable/disable passport chart
+ enabled: false
+ oxshibboleth:
+ # -- Name of the oxShibboleth service. Please keep it as default.
+ oxShibbolethServiceName: oxshibboleth
+ # -- Boolean flag to enable/disable the oxShibbboleth chart. Not part of the openbanking distribution. Keep as default.This also enables SAML-related features; UI menu, etc. Not part of the openbanking distribution. Please leave this disabled.
+ enabled: false
+ # -- Gluu distributions supported are: default|openbanking.
+ distribution: default
+ persistence:
+ # -- Boolean flag to enable/disable the persistence chart.
+ enabled: true
+ scim:
+ # -- Name of the scim service. Please keep it as default.
+ scimServiceName: scim
+ # -- Boolean flag to enable/disable the SCIM chart.
+ enabled: true
+ # -- App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed.
+ appLoggers:
+ # -- jans-scim.log target
+ scimLogTarget: "STDOUT"
+ # -- jans-scim.log level
+ scimLogLevel: "INFO"
+ # -- jans-scim_persistence.log target
+ persistenceLogTarget: "FILE"
+ # -- jans-scim_persistence.log level
+ persistenceLogLevel: "INFO"
+ # -- jans-scim_persistence_duration.log target
+ persistenceDurationLogTarget: "FILE"
+ # -- jans-scim_persistence_duration.log level
+ persistenceDurationLogLevel: "INFO"
+ # -- jans-scim_persistence_ldap_statistics.log target
+ ldapStatsLogTarget: "FILE"
+ # -- jans-scim_persistence_ldap_statistics.log level
+ ldapStatsLogLevel: "INFO"
+ # -- jans-scim_script.log target
+ scriptLogTarget: "FILE"
+ # -- jans-scim_script.log level
+ scriptLogLevel: "INFO"
+ # -- StorageClass section for OpenDJ charts. This is not currently used by the openbanking distribution. You may specify custom parameters as needed.
+ storageClass:
+ allowVolumeExpansion: true
+ allowedTopologies: []
+ mountOptions:
+ - debug
+ # -- parameters:
+ #fsType: ""
+ #kind: ""
+ #pool: ""
+ #storageAccountType: ""
+ #type: ""
+ parameters: {}
+ provisioner: microk8s.io/hostpath
+ reclaimPolicy: Retain
+ volumeBindingMode: WaitForFirstConsumer
+ upgrade:
+ # -- Boolean flag used when running upgrading through versions command. Used when upgrading with LDAP as the persistence to load the 101x ldif.
+ enabled: false
+
+# -- Nginx ingress definitions chart
+nginx-ingress:
+ ingress:
+ # -- Enable Admin UI endpoints. COMING SOON.
+ adminUiEnabled: false
+ # -- Admin UI ingress resource labels. key app is taken.
+ adminUiLabels: { }
+ # -- openid-configuration ingress resource additional annotations.
+ adminUiAdditionalAnnotations: { }
+ # -- Enable endpoint /.well-known/openid-configuration
+ openidConfigEnabled: true
+ # -- openid-configuration ingress resource labels. key app is taken
+ openidConfigLabels: { }
+ # -- openid-configuration ingress resource additional annotations.
+ openidAdditionalAnnotations: { }
+ # -- Enable endpoint /device-code
+ deviceCodeEnabled: true
+ # -- device-code ingress resource labels. key app is taken
+ deviceCodeLabels: { }
+ # -- device-code ingress resource additional annotations.
+ deviceCodeAdditionalAnnotations: { }
+ # -- Enable endpoint /firebase-messaging-sw.js
+ firebaseMessagingEnabled: true
+ # -- Firebase Messaging ingress resource labels. key app is taken
+ firebaseMessagingLabels: { }
+ # -- Firebase Messaging ingress resource additional annotations.
+ firebaseMessagingAdditionalAnnotations: { }
+ # -- Enable endpoint /.well-known/uma2-configuration
+ uma2ConfigEnabled: true
+ # -- uma2 config ingress resource labels. key app is taken
+ uma2ConfigLabels: { }
+ # -- uma2 config ingress resource additional annotations.
+ uma2AdditionalAnnotations: { }
+ # -- Enable endpoint /.well-known/webfinger
+ webfingerEnabled: true
+ # -- webfinger ingress resource labels. key app is taken
+ webfingerLabels: { }
+ # -- webfinger ingress resource additional annotations.
+ webfingerAdditionalAnnotations: { }
+ # -- Enable endpoint /.well-known/simple-web-discovery
+ webdiscoveryEnabled: true
+ # -- webdiscovery ingress resource labels. key app is taken
+ webdiscoveryLabels: { }
+ # -- webdiscovery ingress resource additional annotations.
+ webdiscoveryAdditionalAnnotations: { }
+ # -- Enable endpoint /.well-known/scim-configuration
+ scimConfigEnabled: false
+ # -- SCIM config ingress resource labels. key app is taken
+ scimConfigLabels: { }
+ # -- SCIM config ingress resource additional annotations.
+ scimConfigAdditionalAnnotations: { }
+ # -- Enable SCIM endpoints /jans-scim
+ scimEnabled: false
+ # -- SCIM config ingress resource labels. key app is taken
+ scimLabels: { }
+ # -- SCIM ingress resource additional annotations.
+ scimAdditionalAnnotations: { }
+ # Enable config API endpoints /jans-config-api
+ configApiEnabled: true
+ # -- configAPI ingress resource labels. key app is taken
+ configApiLabels: { }
+ # -- ConfigAPI ingress resource additional annotations.
+ configApiAdditionalAnnotations: { }
+ # -- Enable endpoint /.well-known/fido-configuration
+ u2fConfigEnabled: true
+ # -- u2f config ingress resource labels. key app is taken
+ u2fConfigLabels: { }
+ # -- u2f config ingress resource additional annotations.
+ u2fAdditionalAnnotations: { }
+ # -- Enable endpoint /.well-known/fido2-configuration
+ fido2ConfigEnabled: false
+ # -- fido2 config ingress resource labels. key app is taken
+ fido2ConfigLabels: { }
+ # -- fido2 config ingress resource additional annotations.
+ fido2ConfigAdditionalAnnotations: { }
+ # -- Enable Auth server endpoints /jans-auth
+ authServerEnabled: true
+ # -- Auth server ingress resource labels. key app is taken
+ authServerLabels: { }
+ # -- Auth server ingress resource additional annotations.
+ authServerAdditionalAnnotations: { }
+ # -- Enable casa endpoints /casa
+ casaEnabled: false
+ # -- Casa ingress resource labels. key app is taken
+ casaLabels: { }
+ # -- Casa ingress resource additional annotations.
+ casaAdditionalAnnotations: { }
+ # -- Enable mTLS on Auth server endpoint /jans-auth/restv1/token
+ authServerProtectedToken: false
+ # -- Auth server protected token ingress resource labels. key app is taken
+ authServerProtectedTokenLabels: { }
+ # -- Auth server protected token ingress resource additional annotations.
+ authServerProtectedTokenAdditionalAnnotations: { } + # -- Enable mTLS onn Auth server endpoint /jans-auth/restv1/register + authServerProtectedRegister: false + # -- Auth server protected token ingress resource labels. key app is taken + authServerProtectedRegisterLabels: { } + # -- Auth server protected register ingress resource additional annotations. + authServerProtectedRegisterAdditionalAnnotations: { } + # -- Additional labels that will be added across all ingress definitions in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across all ingress definitions in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + # Enable client certificate authentication + # nginx.ingress.kubernetes.io/auth-tls-verify-client: "optional" + # Create the secret containing the trusted ca certificates + # nginx.ingress.kubernetes.io/auth-tls-secret: "gluu/tls-certificate" + # Specify the verification depth in the client certificates chain + # nginx.ingress.kubernetes.io/auth-tls-verify-depth: "1" + # Specify if certificates are passed to upstream server + # nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "true" + additionalAnnotations: {} + path: / + hosts: + - demoexample.gluu.org + # -- Secrets holding HTTPS CA cert and key. + tls: + - secretName: tls-certificate + hosts: + - demoexample.gluu.org + +# -- OpenDJ is a directory server which implements a wide range of Lightweight Directory Access Protocol and related standards, including full compliance with LDAPv3 but also support for Directory Service Markup Language (DSMLv2).Written in Java, OpenDJ offers multi-master replication, access control, and many extensions. 
+opendj: + # -- Configure ldap backup cronjob + backup: + enabled: true + cronJobSchedule: "*/59 * * * *" + # -- Configure the HorizontalPodAutoscaler + hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} + # -- Add custom normal and secret envs to the service + usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: gluufederation/opendj + # -- Image tag to use for deploying. + tag: 5.0.0_dev + # -- Image Pull Secrets + pullSecrets: [ ] + multiCluster: + # -- Enable OpenDJ multiCluster mode. This flag enables loading keys under `opendj.multiCluster` + enabled: false + # -- OpenDJ Serf advertise address suffix that will be added to each opendj replica. + # i.e RELEASE-NAME-opendj-regional-{{statefulset pod number}}-{{ $.Values.multiCluster.serfAdvertiseAddrSuffix }} + serfAdvertiseAddrSuffix: "regional.gluu.org:30946" + # -- Serf key. This key will automatically sync across clusters. + serfKey: Z51b6PgKU1MZ75NCZOTGGoc0LP2OF3qvF6sjxHyQCYk= + # -- Serf peer addresses. One per cluster. + serfPeers: + - "gluu-opendj-regional-0-regional.gluu.org:30946" + - "gluu-opendj-regional-0-regional.gluu.org:31946" + # -- The number of opendj non scalabble statefulsets to create. 
Each pod created must be resolvable as it follows + # the patterm RELEASE-NAME-opendj-regional-{{statefulset pod number}}-{{ $.Values.multiCluster.serfAdvertiseAddrSuffix }} + # If set to 1, with a release name of gluu, the address of the pod would be gluu-opendj-regional-0-regional.gluu.org + replicaCount: 1 + # -- This id needs to be unique to each kubernetes cluster in a multi cluster setup + # west, east, south, north, region ...etc If left empty it will be randomly generated. + clusterId: "" + # -- Namespace int id. This id needs to be a unique number 0-9 per gluu installation per namespace. + # Used when gluu is installed in the same kubernetes cluster more than once. + namespaceIntId: 0 + + persistence: + # -- OpenDJ volume size + size: 5Gi + ports: + tcp-admin: + nodePort: "" + port: 4444 + protocol: TCP + targetPort: 4444 + tcp-ldap: + nodePort: "" + port: 1389 + protocol: TCP + targetPort: 1389 + tcp-ldaps: + nodePort: "" + port: 1636 + protocol: TCP + targetPort: 1636 + tcp-repl: + nodePort: "" + port: 8989 + protocol: TCP + targetPort: 8989 + tcp-serf: + nodePort: "" + port: 7946 + protocol: TCP + targetPort: 7946 + udp-serf: + nodePort: "" + port: 7946 + protocol: UDP + targetPort: 7946 + # -- Service replica number. + replicas: 1 + # -- Resource specs. + resources: + limits: + # -- CPU limit. + cpu: 1500m + # -- Memory limit. + memory: 2000Mi + requests: + # -- CPU request. + cpu: 1500m + # -- Memory request. + memory: 2000Mi + # -- Configure the liveness healthcheck for OpenDJ if needed. + # https://github.com/GluuFederation/docker-opendj/blob/master/scripts/healthcheck.py + livenessProbe: + # -- Executes the python3 healthcheck. + exec: + command: + - python3 + - /app/scripts/healthcheck.py + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 + failureThreshold: 20 + # -- Configure the readiness healthcheck for OpenDJ if needed. 
+ # https://github.com/GluuFederation/docker-opendj/blob/master/scripts/healthcheck.py + readinessProbe: + tcpSocket: + port: 1636 + initialDelaySeconds: 60 + timeoutSeconds: 5 + periodSeconds: 25 + failureThreshold: 20 + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } +# -- Gluu interface to Passport.js to support social login and inbound identity. +oxpassport: + # -- Configure the HorizontalPodAutoscaler + hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} + # -- Add custom normal and secret envs to the service + usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: gluufederation/oxpassport + # -- Image tag to use for deploying. + tag: 5.0.0_dev + # -- Image Pull Secrets + pullSecrets: [ ] + # -- Service replica number + replicas: 1 + # -- Resource specs. + resources: + limits: + # -- CPU limit. + cpu: 700m + # -- Memory limit. + memory: 900Mi + requests: + # -- CPU request. + cpu: 700m + # -- Memory request. + memory: 900Mi + # -- Configure the liveness healthcheck for oxPassport if needed. 
+ livenessProbe: + httpGet: + # -- http liveness probe endpoint + path: /passport/health-check + port: http-passport + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 + failureThreshold: 20 + # -- Configure the readiness healthcheck for the oxPassport if needed. + readinessProbe: + httpGet: + # -- http readiness probe endpoint + path: /passport/health-check + port: http-passport + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 + failureThreshold: 20 + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } +# -- Shibboleth project for the Gluu Server's SAML IDP functionality. +oxshibboleth: + # -- Configure the HorizontalPodAutoscaler + hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} + # -- Add custom normal and secret envs to the service + usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: gluufederation/oxshibboleth + # -- Image tag to use for deploying. + tag: 5.0.0_dev + # -- Image Pull Secrets + pullSecrets: [ ] + # -- Service replica number. + replicas: 1 + # -- Resource specs. + resources: + limits: + # -- CPU limit. 
+ cpu: 1000m + # -- Memory limit. + memory: 1000Mi + requests: + # -- CPU request. + cpu: 1000m + # -- Memory request. + memory: 1000Mi + # -- Configure the liveness healthcheck for the oxShibboleth if needed. + livenessProbe: + httpGet: + # -- http liveness probe endpoint + path: /idp + port: http-oxshib + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 + # -- Configure the readiness healthcheck for the casa if needed. + readinessProbe: + httpGet: + # -- http liveness probe endpoint + path: /idp + port: http-oxshib + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } +# -- Job to generate data and intial config for Gluu Server persistence layer. +persistence: + # -- Add custom normal and secret envs to the service + usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: janssenproject/persistence-loader + # -- Image tag to use for deploying. + tag: 1.0.0-beta.16 + # -- Image Pull Secrets + pullSecrets: [ ] + # -- Resource specs. + resources: + limits: + # -- CPU limit + cpu: 300m + # -- Memory limit. + memory: 300Mi + requests: + # -- CPU request. + cpu: 300m + # -- Memory request. 
+ memory: 300Mi + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } +# -- System for Cross-domain Identity Management (SCIM) version 2.0 +scim: + # -- Configure the HorizontalPodAutoscaler + hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} + # -- Add custom normal and secret envs to the service + usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: janssenproject/scim + # -- Image tag to use for deploying. + tag: 1.0.0-beta.16 + # -- Image Pull Secrets + pullSecrets: [ ] + # -- Service replica number. + replicas: 1 + resources: + limits: + # -- CPU limit. + cpu: 1000m + # -- Memory limit. + memory: 1000Mi + requests: + # -- CPU request. + cpu: 1000m + # -- Memory request. + memory: 1000Mi + service: + # -- The name of the scim port within the scim service. Please keep it as default. + name: http-scim + # -- Port of the scim service. Please keep it as default. + port: 8080 + # -- Configure the liveness healthcheck for SCIM if needed. 
+ livenessProbe:
+ httpGet:
+ # -- http liveness probe endpoint
+ path: /jans-scim/sys/health-check
+ port: 8080
+ initialDelaySeconds: 30
+ periodSeconds: 30
+ timeoutSeconds: 5
+ # -- Configure the readiness healthcheck for the SCIM if needed.
+ readinessProbe:
+ httpGet:
+ # -- http readiness probe endpoint
+ path: /jans-scim/sys/health-check
+ port: 8080
+ initialDelaySeconds: 25
+ periodSeconds: 25
+ timeoutSeconds: 5
+ # -- Configure any additional volumes that need to be attached to the pod
+ volumes: []
+ # -- Configure any additional volumesMounts that need to be attached to the containers
+ volumeMounts: []
+
+ # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"}
+ additionalLabels: { }
+ # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"}
+ additionalAnnotations: { }
diff --git a/charts/k10/k10/4.5.1100/Chart.yaml b/charts/k10/k10/4.5.1100/Chart.yaml
new file mode 100644
index 000000000..fde76e072
--- /dev/null
+++ b/charts/k10/k10/4.5.1100/Chart.yaml
@@ -0,0 +1,15 @@
+annotations:
+ catalog.cattle.io/certified: partner
+ catalog.cattle.io/display-name: K10
+ catalog.cattle.io/release-name: k10
+apiVersion: v2
+appVersion: 4.5.11
+description: Kasten’s K10 Data Management Platform
+home: https://kasten.io/
+icon: https://docs.kasten.io/_static/kasten-logo-vertical.png
+kubeVersion: '>= 1.17.0-0'
+maintainers:
+- email: support@kasten.io
+ name: kastenIO
+name: k10
+version: 4.5.1100
diff --git a/charts/k10/k10/4.5.1100/README.md b/charts/k10/k10/4.5.1100/README.md
new file mode 100644
index 000000000..6000d693a
--- /dev/null
+++ b/charts/k10/k10/4.5.1100/README.md
@@ -0,0 +1,227 @@ +# Kasten's K10 Helm chart. + +[Kasten's k10](https://docs.kasten.io/) is a data lifecycle management system for all your persistence.enabled container-based applications. + +## TL;DR; + +```console +$ helm install kasten/k10 --name=k10 --namespace=kasten-io +``` + +## Introduction + +This chart bootstraps Kasten's K10 platform on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager. + +## Prerequisites + - Kubernetes 1.7+ with Beta APIs enabled + +## Installing the Chart + +To install the chart on a [GKE](https://cloud.google.com/container-engine/) cluster + +```console +$ helm install kasten/k10 --name=k10 --namespace=kasten-io +``` + +To install the chart on an [AWS](https://aws.amazon.com/) [kops](https://github.com/kubernetes/kops)-created cluster + +```console +$ helm install kasten/k10 --name=k10 --namespace=kasten-io --set secrets.awsAccessKeyId="${AWS_ACCESS_KEY_ID}" \ + --set secrets.awsSecretAccessKey="${AWS_SECRET_ACCESS_KEY}" +``` + +> **Tip**: List all releases using `helm list` + +## Uninstalling the Chart + +To uninstall/delete the `k10` application: + +```console +$ helm delete k10 --purge +``` + +## Configuration + +The following table lists the configurable parameters of the K10 +chart and their default values. + +Parameter | Description | Default +--- | --- | --- +`eula.accept`| Whether to enable accept EULA before installation | `false` +`eula.company` | Company name. Required field if EULA is accepted | `None` +`eula.email` | Contact email. 
Required field if EULA is accepted | `None` +`license` | License string obtained from Kasten | `None` +`rbac.create` | Whether to enable RBAC with a specific cluster role and binding for K10 | `true` +`scc.create` | Whether to create a SecurityContextConstraints for K10 ServiceAccounts | `false` +`services.dashboardbff.hostNetwork` | Whether the dashboardbff pods may use the node network | `false` +`services.executor.hostNetwork` | Whether the executor pods may use the node network | `false` +`services.aggregatedapis.hostNetwork` | Whether the aggregatedapis pods may use the node network | `false` +`serviceAccount.create`| Specifies whether a ServiceAccount should be created | `true` +`serviceAccount.name` | The name of the ServiceAccount to use. If not set, a name is derived using the release and chart names. | `None` +`ingress.create` | Specifies whether the K10 dashboard should be exposed via ingress | `false` +`ingress.class` | Cluster ingress controller class: `nginx`, `GCE` | `None` +`ingress.host` | FQDN (e.g., `k10.example.com`) for name-based virtual host | `None` +`ingress.urlPath` | URL path for K10 Dashboard (e.g., `/k10`) | `Release.Name` +`ingress.annotations` | Additional Ingress object annotations | `{}` +`ingress.tls.enabled` | Configures a TLS use for `ingress.host` | `false` +`ingress.tls.secretName` | Specifies a name of TLS secret | `None` +`ingress.pathType` | Specifies the path type for the ingress resource | `ImplementationSpecific` +`global.persistence.enabled` | Use PVS to persist data | `true` +`global.persistence.size` | Default global size of volumes for K10 persistent services | `20Gi` +`global.persistence.catalog.size` | Size of a volume for catalog service | `global.persistence.size` +`global.persistence.jobs.size` | Size of a volume for jobs service | `global.persistence.size` +`global.persistence.logging.size` | Size of a volume for logging service | `global.persistence.size` +`global.persistence.metering.size` | Size of a volume 
for metering service | `global.persistence.size` +`global.persistence.storageClass` | Specified StorageClassName will be used for PVCs | `None` +`global.airgapped.repository` | Specify the helm repository for offline (airgapped) installation | `''` +`global.imagePullSecret` | Provide secret which contains docker config for private repository. Use `k10-ecr` when secrets.dockerConfigPath is used. | `''` +`secrets.awsAccessKeyId` | AWS access key ID (required for AWS deployment) | `None` +`secrets.awsSecretAccessKey` | AWS access key secret | `None` +`secrets.awsIamRole` | ARN of the AWS IAM role assumed by K10 to perform any AWS operation. | `None` +`secrets.googleApiKey` | Non-default base64 encoded GCP Service Account key file | `None` +`secrets.azureTenantId` | Azure tenant ID (required for Azure deployment) | `None` +`secrets.azureClientId` | Azure Service App ID | `None` +`secrets.azureClientSecret` | Azure Service APP secret | `None` +`secrets.azureResourceGroup` | Resource Group name that was created for the Kubernetes cluster | `None` +`secrets.azureSubscriptionID` | Subscription ID in your Azure tenant | `None` +`secrets.azureResourceMgrEndpoint` | Resource management endpoint for the Azure Stack instance | `None` +`secrets.azureADEndpoint` | Azure Active Directory login endpoint | `None` +`secrets.azureADResourceID` | Azure Active Directory resource ID to obtain AD tokens | `None` +`secrets.azureCloudEnvID` | Azure Cloud Environment ID | `None` +`secrets.vsphereEndpoint` | vSphere endpoint for login | `None` +`secrets.vsphereUsername` | vSphere username for login | `None` +`secrets.vspherePassword` | vSphere password for login | `None` +`secrets.dockerConfigPath` | Use --set-file secrets.dockerConfigPath=path_to_docker_config.yaml to specify docker config for image pull | `None` +`cacertconfigmap.name` | Name of the ConfigMap that contains a certificate for a trusted root certificate authority | `None` +`clusterName` | Cluster name for better logs 
visibility | `None` +`metering.awsRegion` | Sets AWS_REGION for metering service | `None` +`metering.mode` | Control license reporting (set to `airgap` for private-network installs) | `None` +`metering.reportCollectionPeriod` | Sets metric report collection period (in seconds) | `1800` +`metering.reportPushPeriod` | Sets metric report push period (in seconds) | `3600` +`metering.promoID` | Sets K10 promotion ID from marketing campaigns | `None` +`metering.awsMarketplace` | Sets AWS cloud metering license mode | `false` +`metering.awsManagedLicense` | Sets AWS managed license mode | `false` +`metering.redhatMarketplacePayg` | Sets Red Hat cloud metering license mode | `false` +`metering.licenseConfigSecretName` | Sets AWS managed license config secret | `None` +`externalGateway.create` | Configures an external gateway for K10 API services | `false` +`externalGateway.annotations` | Standard annotations for the services | `None` +`externalGateway.fqdn.name` | Domain name for the K10 API services | `None` +`externalGateway.fqdn.type` | Supported gateway type: `route53-mapper` or `external-dns` | `None` +`externalGateway.awsSSLCertARN` | ARN for the AWS ACM SSL certificate used in the K10 API server | `None` +`auth.basicAuth.enabled` | Configures basic authentication for the K10 dashboard | `false` +`auth.basicAuth.htpasswd` | A username and password pair separated by a colon character | `None` +`auth.basicAuth.secretName` | Name of an existing Secret that contains a file generated with htpasswd | `None` +`auth.k10AdminGroups` | A list of groups whose members are granted admin level access to K10's dashboard | `None` +`auth.k10AdminUsers` | A list of users who are granted admin level access to K10's dashboard | `None` +`auth.tokenAuth.enabled` | Configures token based authentication for the K10 dashboard | `false` +`auth.oidcAuth.enabled` | Configures Open ID Connect based authentication for the K10 dashboard | `false` +`auth.oidcAuth.providerURL` | URL for the OIDC 
Provider | `None` +`auth.oidcAuth.redirectURL` | URL to the K10 gateway service | `None` +`auth.oidcAuth.scopes` | Space separated OIDC scopes required for userinfo. Example: "profile email" | `None` +`auth.oidcAuth.prompt` | The type of prompt to be used during authentication (none, consent, login or select_account) | `select_account` +`auth.oidcAuth.clientID` | Client ID given by the OIDC provider for K10 | `None` +`auth.oidcAuth.clientSecret` | Client secret given by the OIDC provider for K10 | `None` +`auth.oidcAuth.usernameClaim` | The claim to be used as the username | `sub` +`auth.oidcAuth.usernamePrefix` | Prefix that has to be used with the username obtained from the username claim | `None` +`auth.oidcAuth.groupClaim` | Name of a custom OpenID Connect claim for specifying user groups | `None` +`auth.oidcAuth.groupPrefix` | All groups will be prefixed with this value to prevent conflicts | `None` +`auth.openshift.enabled` | Enables access to the K10 dashboard by authenticating with the OpenShift OAuth server | `false` +`auth.openshift.serviceAccount` | Name of the service account that represents an OAuth client | `None` +`auth.openshift.clientSecret` | The token corresponding to the service account | `None` +`auth.openshift.dashboardURL` | The URL used for accessing K10's dashboard | `None` +`auth.openshift.openshiftURL` | The URL for accessing OpenShift's API server | `None` +`auth.openshift.insecureCA` | To turn off SSL verification of connections to OpenShift | `false` +`auth.openshift.useServiceAccountCA` | Set this to true to use the CA certificate corresponding to the Service Account ``auth.openshift.serviceAccount`` usually found at ``/var/run/secrets/kubernetes.io/serviceaccount/ca.crt`` | `false` +`auth.ldap.enabled` | Configures Active Directory/LDAP based authentication for the K10 dashboard | `false` +`auth.ldap.restartPod` | To force a restart of the authentication service pod (useful when updating authentication config) | `false` 
+`auth.ldap.dashboardURL` | The URL used for accessing K10's dashboard | `None` +`auth.ldap.host` | Host and optional port of the AD/LDAP server in the form `host:port` | `None` +`auth.ldap.insecureNoSSL` | Required if the AD/LDAP host is not using TLS | `false` +`auth.ldap.insecureSkipVerifySSL` | To turn off SSL verification of connections to the AD/LDAP host | `false` +`auth.ldap.startTLS` | When set to true, ldap:// is used to connect to the server followed by creation of a TLS session. When set to false, ldaps:// is used. | `false` +`auth.ldap.bindDN` | The Distinguished Name(username) used for connecting to the AD/LDAP host | `None` +`auth.ldap.bindPW` | The password corresponding to the `bindDN` for connecting to the AD/LDAP host | `None` +`auth.ldap.bindPWSecretName` | The name of the secret that contains the password corresponding to the `bindDN` for connecting to the AD/LDAP host | `None` +`auth.ldap.userSearch.baseDN` | The base Distinguished Name to start the AD/LDAP search from | `None` +`auth.ldap.userSearch.filter` | Optional filter to apply when searching the directory | `None` +`auth.ldap.userSearch.username` | Attribute used for comparing user entries when searching the directory | `None` +`auth.ldap.userSearch.idAttr` | AD/LDAP attribute in a user's entry that should map to the user ID field in a token | `None` +`auth.ldap.userSearch.emailAttr` | AD/LDAP attribute in a user's entry that should map to the email field in a token | `None` +`auth.ldap.userSearch.nameAttr` | AD/LDAP attribute in a user's entry that should map to the name field in a token | `None` +`auth.ldap.userSearch.preferredUsernameAttr` | AD/LDAP attribute in a user's entry that should map to the preferred_username field in a token | `None` +`auth.ldap.groupSearch.baseDN` | The base Distinguished Name to start the AD/LDAP group search from | `None` +`auth.ldap.groupSearch.filter` | Optional filter to apply when searching the directory for groups | `None` 
+`auth.ldap.groupSearch.nameAttr` | The AD/LDAP attribute that represents a group's name in the directory | `None` +`auth.ldap.groupSearch.userMatchers` | List of field pairs that are used to match a user to a group. | `None` +`auth.ldap.groupSearch.userMatchers.userAttr` | Attribute in the user's entry that must match with the `groupAttr` while searching for groups | `None` +`auth.ldap.groupSearch.userMatchers.groupAttr` | Attribute in the group's entry that must match with the `userAttr` while searching for groups | `None` +`auth.groupAllowList` | A list of groups whose members are allowed access to K10's dashboard | `None` +`services.securityContext` | Custom [security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) for K10 service containers | `{"runAsUser" : 1000, "fsGroup": 1000}` +`services.securityContext.runAsUser` | User ID K10 service containers run as| `1000` +`services.securityContext.runAsGroup` | Group ID K10 service containers run as| `1000` +`services.securityContext.fsGroup` | FSGroup that owns K10 service container volumes | `1000` +`injectKanisterSidecar.enabled` | Enable Kanister sidecar injection for workload pods | `false` +`injectKanisterSidecar.namespaceSelector.matchLabels` | Set of labels to select namespaces in which sidecar injection is enabled for workloads | `{}` +`injectKanisterSidecar.objectSelector.matchLabels` | Set of labels to filter workload objects in which the sidecar is injected | `{}` +`injectKanisterSidecar.webhookServer.port` | Port number on which the mutating webhook server accepts request | `8080` +`gateway.insecureDisableSSLVerify` | Specifies whether to disable SSL verification for gateway pods | `false` +`gateway.exposeAdminPort` | Specifies whether to expose Admin port for gateway service | `true` +`genericVolumeSnapshot.resources.[requests\|limits].[cpu\|memory]` | Resource requests and limits for Generic Volume Snapshot restore pods | `{}` +`prometheus.server.enabled` | If 
false, K10's Prometheus server will not be created, reducing the dashboard's functionality. | `true` +`prometheus.server.persistentVolume.enabled` | If true, K10 Prometheus server will create a Persistent Volume Claim | `true` +`prometheus.server.persistentVolume.size` | K10 Prometheus server data Persistent Volume size | `30Gi` +`prometheus.server.persistentVolume.storageClass` | StorageClassName used to create Prometheus PVC. Setting this option overwrites global StorageClass value | `""` +`prometheus.server.retention` | (optional) K10 Prometheus data retention | `"30d"` +`prometheus.server.baseURL` | (optional) K10 Prometheus external url path at which the server can be accessed | `/k10/prometheus/` +`prometheus.server.prefixURL` | (optional) K10 Prometheus prefix slug at which the server can be accessed | `/k10/prometheus/` +`grafana.enabled` | (optional) If false Grafana will not be available | `true` +`grafana.prometheusPrefixURL` | (optional) URL for Prometheus datasource in Grafana (must match `prometheus.server.prefixURL`) | `/k10/prometheus/` +`resources...[requests\|limits].[cpu\|memory]` | Overwrite default K10 [container resource requests and limits](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) | varies by container +`route.enabled` | Specifies whether the K10 dashboard should be exposed via route | `false` +`route.host` | FQDN (e.g., `.k10.example.com`) for name-based virtual host | `""` +`route.path` | URL path for K10 Dashboard (e.g., `/k10`) | `/` +`route.annotations` | Additional Route object annotations | `{}` +`route.labels` | Additional Route object labels | `{}` +`route.tls.enabled` | Configures a TLS use for `route.host` | `false` +`route.tls.insecureEdgeTerminationPolicy` | Specifies behavior for insecure scheme traffic | `Redirect` +`route.tls.termination` | Specifies the TLS termination of the route | `edge` +`apigateway.serviceResolver` | Specifies the resolver used for service discovery in the API 
gateway (`dns` or `endpoint`) | `dns` +`limiter.genericVolumeSnapshots` | Limit of concurrent generic volume snapshot create operations | `10` +`limiter.genericVolumeCopies` | Limit of concurrent generic volume snapshot copy operations | `10` +`limiter.genericVolumeRestores` | Limit of concurrent generic volume snapshot restore operations | `10` +`limiter.csiSnapshots` | Limit of concurrent CSI snapshot create operations | `10` +`limiter.providerSnapshots` | Limit of concurrent cloud provider create operations | `10` +`cluster.domainName` | Specifies the domain name of the cluster | `cluster.local` +`kanister.backupTimeout` | Specifies timeout to set on Kanister backup operations | `45` +`kanister.restoreTimeout` | Specifies timeout to set on Kanister restore operations | `600` +`kanister.deleteTimeout` | Specifies timeout to set on Kanister delete operations | `45` +`kanister.hookTimeout` | Specifies timeout to set on Kanister pre-hook and post-hook operations | `20` +`kanister.checkRepoTimeout` | Specifies timeout to set on Kanister checkRepo operations | `20` +`kanister.statsTimeout` | Specifies timeout to set on Kanister stats operations | `20` +`kanister.efsPostRestoreTimeout` | Specifies timeout to set on Kanister efsPostRestore operations | `45` +`awsConfig.assumeRoleDuration` | Duration of a session token generated by AWS for an IAM role. The minimum value is 15 minutes and the maximum value is the maximum duration setting for that IAM role. For documentation about how to view and edit the maximum session duration for an IAM role see https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session. 
The value accepts a number along with a single character ``m``(for minutes) or ``h`` (for hours) Examples: 60m or 2h | `''` +`awsConfig.efsBackupVaultName` | Specifies the AWS EFS backup vault name | `k10vault` +`vmWare.taskTimeoutMin` | Specifies the timeout for VMWare operations | `60` +`encryption.primaryKey.awsCmkKeyId` | Specifies the AWS CMK key ID for encrypting K10 Primary Key | `None` +## Helm tips and tricks + +There is a way of setting values via a yaml file instead of using `--set`. +You can copy/paste values into a file (e.g., my_values.yaml): + +```yaml +secrets: + awsAccessKeyId: ${AWS_ACCESS_KEY_ID} + awsSecretAccessKey: ${AWS_SECRET_ACCESS_KEY} +``` +and then run: +```bash + envsubst < my_values.yaml > my_values_out.yaml && helm install helm/k10 -f my_values_out.yaml +``` + +To use non-default GCP ServiceAccount (SA) credentials, the credentials JSON file needs to be encoded into a base64 string. + + +```bash + sa_key=$(base64 -w0 sa-key.json) + helm install kasten/k10 --name=k10 --namespace=kasten-io --set secrets.googleApiKey=$sa_key +``` diff --git a/charts/k10/k10/4.5.1100/app-readme.md b/charts/k10/k10/4.5.1100/app-readme.md new file mode 100644 index 000000000..1b221891b --- /dev/null +++ b/charts/k10/k10/4.5.1100/app-readme.md 
@@ -0,0 +1,5 @@
+The K10 data management platform, purpose-built for Kubernetes, provides enterprise operations teams an easy-to-use, scalable, and secure system for backup/restore, disaster recovery, and mobility of Kubernetes applications.
+
+K10’s application-centric approach and deep integrations with relational and NoSQL databases, Kubernetes distributions, and all clouds provide teams the freedom of infrastructure choice without sacrificing operational simplicity. Policy-driven and extensible, K10 provides a native Kubernetes API and includes features such as full-spectrum consistency, database integrations, automatic application discovery, multi-cloud mobility, and a powerful web-based user interface.
+
+For more information, refer to the docs [https://docs.kasten.io/](https://docs.kasten.io/)
diff --git a/charts/k10/k10/4.5.1100/charts/grafana/.helmignore b/charts/k10/k10/4.5.1100/charts/grafana/.helmignore
new file mode 100644
index 000000000..8cade1318
--- /dev/null
+++ b/charts/k10/k10/4.5.1100/charts/grafana/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.vscode
+.project
+.idea/
+*.tmproj
+OWNERS
diff --git a/charts/k10/k10/4.5.1100/charts/grafana/Chart.yaml b/charts/k10/k10/4.5.1100/charts/grafana/Chart.yaml
new file mode 100644
index 000000000..e2e2ba77a
--- /dev/null
+++ b/charts/k10/k10/4.5.1100/charts/grafana/Chart.yaml
@@ -0,0 +1,22 @@
+apiVersion: v2
+appVersion: 8.1.0
+description: The leading tool for querying and visualizing time series and metrics.
+home: https://grafana.net
+icon: https://raw.githubusercontent.com/grafana/grafana/master/public/img/logo_transparent_400x.png
+kubeVersion: ^1.8.0-0
+maintainers:
+- email: zanhsieh@gmail.com
+ name: zanhsieh
+- email: rluckie@cisco.com
+ name: rtluckie
+- email: maor.friedman@redhat.com
+ name: maorfr
+- email: miroslav.hadzhiev@gmail.com
+ name: Xtigyro
+- email: mail@torstenwalter.de
+ name: torstenwalter
+name: grafana
+sources:
+- https://github.com/grafana/grafana
+type: application
+version: 6.15.0
diff --git a/charts/k10/k10/4.5.1100/charts/grafana/README.md b/charts/k10/k10/4.5.1100/charts/grafana/README.md
new file mode 100644
index 000000000..01219f7cb
--- /dev/null
+++ b/charts/k10/k10/4.5.1100/charts/grafana/README.md
@@ -0,0 +1,528 @@
+# Grafana Helm Chart
+
+* Installs the web dashboarding system [Grafana](http://grafana.org/)
+
+## Get Repo Info
+
+```console
+helm repo add grafana https://grafana.github.io/helm-charts
+helm repo update
+```
+
+_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._
+
+## Installing the Chart
+
+To install the chart with the release name `my-release`:
+
+```console
+helm install my-release grafana/grafana
+```
+
+## Uninstalling the Chart
+
+To uninstall/delete the my-release deployment:
+
+```console
+helm delete my-release
+```
+
+The command removes all the Kubernetes components associated with the chart and deletes the release.
+
+## Upgrading an existing Release to a new major version
+
+A major chart version change (like v1.2.3 -> v2.0.0) indicates that there is an
+incompatible breaking change needing manual actions.
+
+### To 4.0.0 (And 3.12.1)
+
+This version requires Helm >= 2.12.0.
+
+### To 5.0.0
+
+You have to add --force to your helm upgrade command as the labels of the chart have changed.
+
+### To 6.0.0
+
+This version requires Helm >= 3.1.0.
+ +## Configuration + +| Parameter | Description | Default | +|-------------------------------------------|-----------------------------------------------|---------------------------------------------------------| +| `replicas` | Number of nodes | `1` | +| `podDisruptionBudget.minAvailable` | Pod disruption minimum available | `nil` | +| `podDisruptionBudget.maxUnavailable` | Pod disruption maximum unavailable | `nil` | +| `deploymentStrategy` | Deployment strategy | `{ "type": "RollingUpdate" }` | +| `livenessProbe` | Liveness Probe settings | `{ "httpGet": { "path": "/api/health", "port": 3000 } "initialDelaySeconds": 60, "timeoutSeconds": 30, "failureThreshold": 10 }` | +| `readinessProbe` | Readiness Probe settings | `{ "httpGet": { "path": "/api/health", "port": 3000 } }`| +| `securityContext` | Deployment securityContext | `{"runAsUser": 472, "runAsGroup": 472, "fsGroup": 472}` | +| `priorityClassName` | Name of Priority Class to assign pods | `nil` | +| `image.repository` | Image repository | `grafana/grafana` | +| `image.tag` | Image tag (`Must be >= 5.0.0`) | `8.0.3` | +| `image.sha` | Image sha (optional) | `80c6d6ac633ba5ab3f722976fb1d9a138f87ca6a9934fcd26a5fc28cbde7dbfa` | +| `image.pullPolicy` | Image pull policy | `IfNotPresent` | +| `image.pullSecrets` | Image pull secrets | `{}` | +| `service.enabled` | Enable grafana service | `true` | +| `service.type` | Kubernetes service type | `ClusterIP` | +| `service.port` | Kubernetes port where service is exposed | `80` | +| `service.portName` | Name of the port on the service | `service` | +| `service.targetPort` | Internal service is port | `3000` | +| `service.nodePort` | Kubernetes service nodePort | `nil` | +| `service.annotations` | Service annotations | `{}` | +| `service.labels` | Custom labels | `{}` | +| `service.clusterIP` | internal cluster service IP | `nil` | +| `service.loadBalancerIP` | IP address to assign to load balancer (if supported) | `nil` | +| `service.loadBalancerSourceRanges` | 
list of IP CIDRs allowed access to lb (if supported) | `[]` | +| `service.externalIPs` | service external IP addresses | `[]` | +| `extraExposePorts` | Additional service ports for sidecar containers| `[]` | +| `hostAliases` | adds rules to the pod's /etc/hosts | `[]` | +| `ingress.enabled` | Enables Ingress | `false` | +| `ingress.annotations` | Ingress annotations (values are templated) | `{}` | +| `ingress.labels` | Custom labels | `{}` | +| `ingress.path` | Ingress accepted path | `/` | +| `ingress.pathType` | Ingress type of path | `Prefix` | +| `ingress.hosts` | Ingress accepted hostnames | `["chart-example.local"]` | +| `ingress.extraPaths` | Ingress extra paths to prepend to every host configuration. Useful when configuring [custom actions with AWS ALB Ingress Controller](https://kubernetes-sigs.github.io/aws-alb-ingress-controller/guide/ingress/annotation/#actions). Requires `ingress.hosts` to have one or more host entries. | `[]` | +| `ingress.tls` | Ingress TLS configuration | `[]` | +| `resources` | CPU/Memory resource requests/limits | `{}` | +| `nodeSelector` | Node labels for pod assignment | `{}` | +| `tolerations` | Toleration labels for pod assignment | `[]` | +| `affinity` | Affinity settings for pod assignment | `{}` | +| `extraInitContainers` | Init containers to add to the grafana pod | `{}` | +| `extraContainers` | Sidecar containers to add to the grafana pod | `{}` | +| `extraContainerVolumes` | Volumes that can be mounted in sidecar containers | `[]` | +| `extraLabels` | Custom labels for all manifests | `{}` | +| `schedulerName` | Name of the k8s scheduler (other than default) | `nil` | +| `global.persistence.enabled` | Use persistent volume to store data | `false` | +| `persistence.type` | Type of persistence (`pvc` or `statefulset`) | `pvc` | +| `global.persistence.size` | Size of persistent volume claim | `20Gi` | +| `persistence.existingClaim` | Use an existing PVC to persist data | `nil` | +| `global.persistence.storageClass` | Type 
of persistent volume claim | `nil` | +| `global.persistence.accessMode` | Persistence access modes | `[ReadWriteOnce]` | +| `persistence.annotations` | PersistentVolumeClaim annotations | `{}` | +| `persistence.finalizers` | PersistentVolumeClaim finalizers | `[ "kubernetes.io/pvc-protection" ]` | +| `persistence.subPath` | Mount a sub dir of the persistent volume | `nil` | +| `persistence.inMemory.enabled` | If persistence is not enabled, whether to mount the local storage in-memory to improve performance | `false` | +| `persistence.inMemory.sizeLimit` | SizeLimit for the in-memory local storage | `nil` | +| `initChownData.enabled` | If false, don't reset data ownership at startup | true | +| `initChownData.image.repository` | init-chown-data container image repository | `busybox` | +| `initChownData.image.tag` | init-chown-data container image tag | `1.31.1` | +| `initChownData.image.sha` | init-chown-data container image sha (optional)| `""` | +| `initChownData.image.pullPolicy` | init-chown-data container image pull policy | `IfNotPresent` | +| `initChownData.resources` | init-chown-data pod resource requests & limits | `{}` | +| `schedulerName` | Alternate scheduler name | `nil` | +| `env` | Extra environment variables passed to pods | `{}` | +| `envValueFrom` | Environment variables from alternate sources. See the API docs on [EnvVarSource](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.17/#envvarsource-v1-core) for format details. | `{}` | +| `envFromSecret` | Name of a Kubernetes secret (must be manually created in the same namespace) containing values to be added to the environment. Can be templated | `""` | +| `envRenderSecret` | Sensible environment variables passed to pods and stored as secret | `{}` | +| `enableServiceLinks` | Inject Kubernetes services as environment variables. 
| `true` | +| `extraSecretMounts` | Additional grafana server secret mounts | `[]` | +| `extraVolumeMounts` | Additional grafana server volume mounts | `[]` | +| `extraConfigmapMounts` | Additional grafana server configMap volume mounts | `[]` | +| `extraEmptyDirMounts` | Additional grafana server emptyDir volume mounts | `[]` | +| `plugins` | Plugins to be loaded along with Grafana | `[]` | +| `datasources` | Configure grafana datasources (passed through tpl) | `{}` | +| `notifiers` | Configure grafana notifiers | `{}` | +| `dashboardProviders` | Configure grafana dashboard providers | `{}` | +| `dashboards` | Dashboards to import | `{}` | +| `dashboardsConfigMaps` | ConfigMaps reference that contains dashboards | `{}` | +| `grafana.ini` | Grafana's primary configuration | `{}` | +| `ldap.enabled` | Enable LDAP authentication | `false` | +| `ldap.existingSecret` | The name of an existing secret containing the `ldap.toml` file, this must have the key `ldap-toml`. | `""` | +| `ldap.config` | Grafana's LDAP configuration | `""` | +| `annotations` | Deployment annotations | `{}` | +| `labels` | Deployment labels | `{}` | +| `podAnnotations` | Pod annotations | `{}` | +| `podLabels` | Pod labels | `{}` | +| `podPortName` | Name of the grafana port on the pod | `grafana` | +| `sidecar.image.repository` | Sidecar image repository | `quay.io/kiwigrid/k8s-sidecar` | +| `sidecar.image.tag` | Sidecar image tag | `1.12.2` | +| `sidecar.image.sha` | Sidecar image sha (optional) | `""` | +| `sidecar.imagePullPolicy` | Sidecar image pull policy | `IfNotPresent` | +| `sidecar.resources` | Sidecar resources | `{}` | +| `sidecar.enableUniqueFilenames` | Sets the kiwigrid/k8s-sidecar UNIQUE_FILENAMES environment variable | `false` | +| `sidecar.dashboards.enabled` | Enables the cluster wide search for dashboards and adds/updates/deletes them in grafana | `false` | +| `sidecar.dashboards.SCProvider` | Enables creation of sidecar provider | `true` | +| 
`sidecar.dashboards.provider.name` | Unique name of the grafana provider | `sidecarProvider` | +| `sidecar.dashboards.provider.orgid` | Id of the organisation, to which the dashboards should be added | `1` | +| `sidecar.dashboards.provider.folder` | Logical folder in which grafana groups dashboards | `""` | +| `sidecar.dashboards.provider.disableDelete` | Activate to avoid the deletion of imported dashboards | `false` | +| `sidecar.dashboards.provider.allowUiUpdates` | Allow updating provisioned dashboards from the UI | `false` | +| `sidecar.dashboards.provider.type` | Provider type | `file` | +| `sidecar.dashboards.provider.foldersFromFilesStructure` | Allow Grafana to replicate dashboard structure from filesystem. | `false` | +| `sidecar.dashboards.watchMethod` | Method to use to detect ConfigMap changes. With WATCH the sidecar will do a WATCH requests, with SLEEP it will list all ConfigMaps, then sleep for 60 seconds. | `WATCH` | +| `sidecar.skipTlsVerify` | Set to true to skip tls verification for kube api calls | `nil` | +| `sidecar.dashboards.label` | Label that config maps with dashboards should have to be added | `grafana_dashboard` | +| `sidecar.dashboards.labelValue` | Label value that config maps with dashboards should have to be added | `nil` | +| `sidecar.dashboards.folder` | Folder in the pod that should hold the collected dashboards (unless `sidecar.dashboards.defaultFolderName` is set). This path will be mounted. | `/tmp/dashboards` | +| `sidecar.dashboards.folderAnnotation` | The annotation the sidecar will look for in configmaps to override the destination folder for files | `nil` | +| `sidecar.dashboards.defaultFolderName` | The default folder name, it will create a subfolder under the `sidecar.dashboards.folder` and put dashboards in there instead | `nil` | +| `sidecar.dashboards.searchNamespace` | If specified, the sidecar will search for dashboard config-maps inside this namespace. 
Otherwise the namespace in which the sidecar is running will be used. It's also possible to specify ALL to search in all namespaces | `nil` | +| `sidecar.dashboards.resource` | Should the sidecar looks into secrets, configmaps or both. | `both` | +| `sidecar.datasources.enabled` | Enables the cluster wide search for datasources and adds/updates/deletes them in grafana |`false` | +| `sidecar.datasources.label` | Label that config maps with datasources should have to be added | `grafana_datasource` | +| `sidecar.datasources.labelValue` | Label value that config maps with datasources should have to be added | `nil` | +| `sidecar.datasources.searchNamespace` | If specified, the sidecar will search for datasources config-maps inside this namespace. Otherwise the namespace in which the sidecar is running will be used. It's also possible to specify ALL to search in all namespaces | `nil` | +| `sidecar.datasources.resource` | Should the sidecar looks into secrets, configmaps or both. | `both` | +| `sidecar.notifiers.enabled` | Enables the cluster wide search for notifiers and adds/updates/deletes them in grafana | `false` | +| `sidecar.notifiers.label` | Label that config maps with notifiers should have to be added | `grafana_notifier` | +| `sidecar.notifiers.searchNamespace` | If specified, the sidecar will search for notifiers config-maps (or secrets) inside this namespace. Otherwise the namespace in which the sidecar is running will be used. It's also possible to specify ALL to search in all namespaces | `nil` | +| `sidecar.notifiers.resource` | Should the sidecar looks into secrets, configmaps or both. | `both` | +| `smtp.existingSecret` | The name of an existing secret containing the SMTP credentials. | `""` | +| `smtp.userKey` | The key in the existing SMTP secret containing the username. | `"user"` | +| `smtp.passwordKey` | The key in the existing SMTP secret containing the password. 
| `"password"` | +| `admin.existingSecret` | The name of an existing secret containing the admin credentials. | `""` | +| `admin.userKey` | The key in the existing admin secret containing the username. | `"admin-user"` | +| `admin.passwordKey` | The key in the existing admin secret containing the password. | `"admin-password"` | +| `serviceAccount.autoMount` | Automount the service account token in the pod| `true` | +| `serviceAccount.annotations` | ServiceAccount annotations | | +| `serviceAccount.create` | Create service account | `true` | +| `serviceAccount.name` | Service account name to use, when empty will be set to created account if `serviceAccount.create` is set else to `default` | `` | +| `serviceAccount.nameTest` | Service account name to use for test, when empty will be set to created account if `serviceAccount.create` is set else to `default` | `nil` | +| `rbac.create` | Create and use RBAC resources | `true` | +| `rbac.namespaced` | Creates Role and Rolebinding instead of the default ClusterRole and ClusteRoleBindings for the grafana instance | `false` | +| `rbac.useExistingRole` | Set to a rolename to use existing role - skipping role creating - but still doing serviceaccount and rolebinding to the rolename set here. | `nil` | +| `rbac.pspEnabled` | Create PodSecurityPolicy (with `rbac.create`, grant roles permissions as well) | `true` | +| `rbac.pspUseAppArmor` | Enforce AppArmor in created PodSecurityPolicy (requires `rbac.pspEnabled`) | `true` | +| `rbac.extraRoleRules` | Additional rules to add to the Role | [] | +| `rbac.extraClusterRoleRules` | Additional rules to add to the ClusterRole | [] | +| `command` | Define command to be executed by grafana container at startup | `nil` | +| `testFramework.enabled` | Whether to create test-related resources | `true` | +| `testFramework.image` | `test-framework` image repository. | `bats/bats` | +| `testFramework.tag` | `test-framework` image tag. 
| `v1.1.0` | +| `testFramework.imagePullPolicy` | `test-framework` image pull policy. | `IfNotPresent` | +| `testFramework.securityContext` | `test-framework` securityContext | `{}` | +| `downloadDashboards.env` | Environment variables to be passed to the `download-dashboards` container | `{}` | +| `downloadDashboards.envFromSecret` | Name of a Kubernetes secret (must be manually created in the same namespace) containing values to be added to the environment. Can be templated | `""` | +| `downloadDashboards.resources` | Resources of `download-dashboards` container | `{}` | +| `downloadDashboardsImage.repository` | Curl docker image repo | `curlimages/curl` | +| `downloadDashboardsImage.tag` | Curl docker image tag | `7.73.0` | +| `downloadDashboardsImage.sha` | Curl docker image sha (optional) | `""` | +| `downloadDashboardsImage.pullPolicy` | Curl docker image pull policy | `IfNotPresent` | +| `namespaceOverride` | Override the deployment namespace | `""` (`Release.Namespace`) | +| `serviceMonitor.enabled` | Use servicemonitor from prometheus operator | `false` | +| `serviceMonitor.namespace` | Namespace this servicemonitor is installed in | | +| `serviceMonitor.interval` | How frequently Prometheus should scrape | `1m` | +| `serviceMonitor.path` | Path to scrape | `/metrics` | +| `serviceMonitor.scheme` | Scheme to use for metrics scraping | `http` | +| `serviceMonitor.tlsConfig` | TLS configuration block for the endpoint | `{}` | +| `serviceMonitor.labels` | Labels for the servicemonitor passed to Prometheus Operator | `{}` | +| `serviceMonitor.scrapeTimeout` | Timeout after which the scrape is ended | `30s` | +| `serviceMonitor.relabelings` | MetricRelabelConfigs to apply to samples before ingestion. 
| `[]` | +| `revisionHistoryLimit` | Number of old ReplicaSets to retain | `10` | +| `imageRenderer.enabled` | Enable the image-renderer deployment & service | `false` | +| `imageRenderer.image.repository` | image-renderer Image repository | `grafana/grafana-image-renderer` | +| `imageRenderer.image.tag` | image-renderer Image tag | `latest` | +| `imageRenderer.image.sha` | image-renderer Image sha (optional) | `""` | +| `imageRenderer.image.pullPolicy` | image-renderer ImagePullPolicy | `Always` | +| `imageRenderer.env` | extra env-vars for image-renderer | `{}` | +| `imageRenderer.serviceAccountName` | image-renderer deployment serviceAccountName | `""` | +| `imageRenderer.securityContext` | image-renderer deployment securityContext | `{}` | +| `imageRenderer.hostAliases` | image-renderer deployment Host Aliases | `[]` | +| `imageRenderer.priorityClassName` | image-renderer deployment priority class | `''` | +| `imageRenderer.service.enabled` | Enable the image-renderer service | `true` | +| `imageRenderer.service.portName` | image-renderer service port name | `'http'` | +| `imageRenderer.service.port` | image-renderer service port used by both service and deployment | `8081` | +| `imageRenderer.grafanaSubPath` | Grafana sub path to use for image renderer callback url | `''` | +| `imageRenderer.podPortName` | name of the image-renderer port on the pod | `http` | +| `imageRenderer.revisionHistoryLimit` | number of image-renderer replica sets to keep | `10` | +| `imageRenderer.networkPolicy.limitIngress` | Enable a NetworkPolicy to limit inbound traffic from only the created grafana pods | `true` | +| `imageRenderer.networkPolicy.limitEgress` | Enable a NetworkPolicy to limit outbound traffic to only the created grafana pods | `false` | +| `imageRenderer.resources` | Set resource limits for image-renderer pdos | `{}` | + +### Example ingress with path + +With grafana 6.3 and above +```yaml +grafana.ini: + server: + domain: monitoring.example.com + root_url: 
"%(protocol)s://%(domain)s/grafana" + serve_from_sub_path: true +ingress: + enabled: true + hosts: + - "monitoring.example.com" + path: "/grafana" +``` + +### Example of extraVolumeMounts + +Volume can be type persistentVolumeClaim or hostPath but not both at same time. +If none existingClaim or hostPath argument is givent then type is emptyDir. + +```yaml +- extraVolumeMounts: + - name: plugins + mountPath: /var/lib/grafana/plugins + subPath: configs/grafana/plugins + existingClaim: existing-grafana-claim + readOnly: false + - name: dashboards + mountPath: /var/lib/grafana/dashboards + hostPath: /usr/shared/grafana/dashboards + readOnly: false +``` + +## Import dashboards + +There are a few methods to import dashboards to Grafana. Below are some examples and explanations as to how to use each method: + +```yaml +dashboards: + default: + some-dashboard: + json: | + { + "annotations": + + ... + # Complete json file here + ... + + "title": "Some Dashboard", + "uid": "abcd1234", + "version": 1 + } + custom-dashboard: + # This is a path to a file inside the dashboards directory inside the chart directory + file: dashboards/custom-dashboard.json + prometheus-stats: + # Ref: https://grafana.com/dashboards/2 + gnetId: 2 + revision: 2 + datasource: Prometheus + local-dashboard: + url: https://raw.githubusercontent.com/user/repository/master/dashboards/dashboard.json +``` + +## BASE64 dashboards + +Dashboards could be stored on a server that does not return JSON directly and instead of it returns a Base64 encoded file (e.g. Gerrit) +A new parameter has been added to the url use case so if you specify a b64content value equals to true after the url entry a Base64 decoding is applied before save the file to disk. +If this entry is not set or is equals to false not decoding is applied to the file before saving it to disk. 
+ +### Gerrit use case + +Gerrit API for download files has the following schema: where {project-name} and +{file-id} usually has '/' in their values and so they MUST be replaced by %2F so if project-name is user/repo, branch-id is master and file-id is equals to dir1/dir2/dashboard +the url value is + +## Sidecar for dashboards + +If the parameter `sidecar.dashboards.enabled` is set, a sidecar container is deployed in the grafana +pod. This container watches all configmaps (or secrets) in the cluster and filters out the ones with +a label as defined in `sidecar.dashboards.label`. The files defined in those configmaps are written +to a folder and accessed by grafana. Changes to the configmaps are monitored and the imported +dashboards are deleted/updated. + +A recommendation is to use one configmap per dashboard, as a reduction of multiple dashboards inside +one configmap is currently not properly mirrored in grafana. + +Example dashboard config: + +```yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: sample-grafana-dashboard + labels: + grafana_dashboard: "1" +data: + k8s-dashboard.json: |- + [...] +``` + +## Sidecar for datasources + +If the parameter `sidecar.datasources.enabled` is set, an init container is deployed in the grafana +pod. This container lists all secrets (or configmaps, though not recommended) in the cluster and +filters out the ones with a label as defined in `sidecar.datasources.label`. The files defined in +those secrets are written to a folder and accessed by grafana on startup. Using these yaml files, +the data sources in grafana can be imported. + +Secrets are recommended over configmaps for this usecase because datasources usually contain private +data like usernames and passwords. Secrets are the more appropriate cluster resource to manage those. 
+ +Example values to add a datasource adapted from [Grafana](http://docs.grafana.org/administration/provisioning/#example-datasource-config-file): + +```yaml +datasources: + datasources.yaml: + apiVersion: 1 + datasources: + # name of the datasource. Required + - name: Graphite + # datasource type. Required + type: graphite + # access mode. proxy or direct (Server or Browser in the UI). Required + access: proxy + # org id. will default to orgId 1 if not specified + orgId: 1 + # url + url: http://localhost:8080 + # database password, if used + password: + # database user, if used + user: + # database name, if used + database: + # enable/disable basic auth + basicAuth: + # basic auth username + basicAuthUser: + # basic auth password + basicAuthPassword: + # enable/disable with credentials headers + withCredentials: + # mark as default datasource. Max one per org + isDefault: + # fields that will be converted to json and stored in json_data + jsonData: + graphiteVersion: "1.1" + tlsAuth: true + tlsAuthWithCACert: true + # json object of data that will be encrypted. + secureJsonData: + tlsCACert: "..." + tlsClientCert: "..." + tlsClientKey: "..." + version: 1 + # allow users to edit datasources from the UI. + editable: false +``` + +## Sidecar for notifiers + +If the parameter `sidecar.notifiers.enabled` is set, an init container is deployed in the grafana +pod. This container lists all secrets (or configmaps, though not recommended) in the cluster and +filters out the ones with a label as defined in `sidecar.notifiers.label`. The files defined in +those secrets are written to a folder and accessed by grafana on startup. Using these yaml files, +the notification channels in grafana can be imported. The secrets must be created before +`helm install` so that the notifiers init container can list the secrets. + +Secrets are recommended over configmaps for this usecase because alert notification channels usually contain +private data like SMTP usernames and passwords. 
Secrets are the more appropriate cluster resource to manage those. + +Example datasource config adapted from [Grafana](https://grafana.com/docs/grafana/latest/administration/provisioning/#alert-notification-channels): + +```yaml +notifiers: + - name: notification-channel-1 + type: slack + uid: notifier1 + # either + org_id: 2 + # or + org_name: Main Org. + is_default: true + send_reminder: true + frequency: 1h + disable_resolve_message: false + # See `Supported Settings` section for settings supporter for each + # alert notification type. + settings: + recipient: 'XXX' + token: 'xoxb' + uploadImage: true + url: https://slack.com + +delete_notifiers: + - name: notification-channel-1 + uid: notifier1 + org_id: 2 + - name: notification-channel-2 + # default org_id: 1 +``` + +## How to serve Grafana with a path prefix (/grafana) + +In order to serve Grafana with a prefix (e.g., ), add the following to your values.yaml. + +```yaml +ingress: + enabled: true + annotations: + kubernetes.io/ingress.class: "nginx" + nginx.ingress.kubernetes.io/rewrite-target: /$1 + nginx.ingress.kubernetes.io/use-regex: "true" + + path: /grafana/?(.*) + hosts: + - k8s.example.dev + +grafana.ini: + server: + root_url: http://localhost:3000/grafana # this host can be localhost +``` + +## How to securely reference secrets in grafana.ini + +This example uses Grafana uses [file providers](https://grafana.com/docs/grafana/latest/administration/configuration/#file-provider) for secret values and the `extraSecretMounts` configuration flag (Additional grafana server secret mounts) to mount the secrets. 
+ +In grafana.ini: + +```yaml +grafana.ini: + [auth.generic_oauth] + enabled = true + client_id = $__file{/etc/secrets/auth_generic_oauth/client_id} + client_secret = $__file{/etc/secrets/auth_generic_oauth/client_secret} +``` + +Existing secret, or created along with helm: + +```yaml +--- +apiVersion: v1 +kind: Secret +metadata: + name: auth-generic-oauth-secret +type: Opaque +stringData: + client_id: + client_secret: +``` + +Include in the `extraSecretMounts` configuration flag: + +```yaml +- extraSecretMounts: + - name: auth-generic-oauth-secret-mount + secretName: auth-generic-oauth-secret + defaultMode: 0440 + mountPath: /etc/secrets/auth_generic_oauth + readOnly: true +``` + +### extraSecretMounts using a Container Storage Interface (CSI) provider + +This example uses a CSI driver e.g. retrieving secrets using [Azure Key Vault Provider](https://github.com/Azure/secrets-store-csi-driver-provider-azure) + +```yaml +- extraSecretMounts: + - name: secrets-store-inline + mountPath: /run/secrets + readOnly: true + csi: + driver: secrets-store.csi.k8s.io + readOnly: true + volumeAttributes: + secretProviderClass: "my-provider" + nodePublishSecretRef: + name: akv-creds +``` + +## Image Renderer Plug-In + +This chart supports enabling [remote image rendering](https://github.com/grafana/grafana-image-renderer/blob/master/docs/remote_rendering_using_docker.md) + +```yaml +imageRenderer: + enabled: true +``` + +### Image Renderer NetworkPolicy + +By default the image-renderer pods will have a network policy which only allows ingress traffic from the created grafana instance diff --git a/charts/k10/k10/4.5.1100/charts/grafana/templates/NOTES.txt b/charts/k10/k10/4.5.1100/charts/grafana/templates/NOTES.txt new file mode 100644 index 000000000..ca7d88e3d --- /dev/null +++ b/charts/k10/k10/4.5.1100/charts/grafana/templates/NOTES.txt 
@@ -0,0 +1,54 @@ +1. Get your '{{ .Values.adminUser }}' user password by running: + + kubectl get secret --namespace {{ template "grafana.namespace" . }} {{ template "grafana.fullname" . }} -o jsonpath="{.data.admin-password}" | base64 --decode ; echo + +2. The Grafana server can be accessed via port {{ .Values.service.port }} on the following DNS name from within your cluster: + + {{ template "grafana.fullname" . }}.{{ template "grafana.namespace" . }}.svc.cluster.local +{{ if .Values.ingress.enabled }} + If you bind grafana to 80, please update values in values.yaml and reinstall: + ``` + securityContext: + runAsUser: 0 + runAsGroup: 0 + fsGroup: 0 + + command: + - "setcap" + - "'cap_net_bind_service=+ep'" + - "/usr/sbin/grafana-server &&" + - "sh" + - "/run.sh" + ``` + Details refer to https://grafana.com/docs/installation/configuration/#http-port. + Or grafana would always crash. + + From outside the cluster, the server URL(s) are: +{{- range .Values.ingress.hosts }} + http://{{ . }} +{{- end }} +{{ else }} + Get the Grafana URL to visit by running these commands in the same shell: +{{ if contains "NodePort" .Values.service.type -}} + export NODE_PORT=$(kubectl get --namespace {{ template "grafana.namespace" . }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ template "grafana.fullname" . }}) + export NODE_IP=$(kubectl get nodes --namespace {{ template "grafana.namespace" . }} -o jsonpath="{.items[0].status.addresses[0].address}") + echo http://$NODE_IP:$NODE_PORT +{{ else if contains "LoadBalancer" .Values.service.type -}} + NOTE: It may take a few minutes for the LoadBalancer IP to be available. + You can watch the status of by running 'kubectl get svc --namespace {{ template "grafana.namespace" . }} -w {{ template "grafana.fullname" . }}' + export SERVICE_IP=$(kubectl get svc --namespace {{ template "grafana.namespace" . }} {{ template "grafana.fullname" . 
}} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') + http://$SERVICE_IP:{{ .Values.service.port -}} +{{ else if contains "ClusterIP" .Values.service.type }} + export POD_NAME=$(kubectl get pods --namespace {{ template "grafana.namespace" . }} -l "app={{ template "grafana.name" . }},release={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") + kubectl --namespace {{ template "grafana.namespace" . }} port-forward $POD_NAME 3000 +{{- end }} +{{- end }} + +3. Login with the password from step 1 and the username: {{ .Values.adminUser }} + +{{- if not .Values.global.persistence.enabled }} +################################################################################# +###### WARNING: Persistence is disabled!!! You will lose your data when ##### +###### the Grafana pod is terminated. ##### +################################################################################# +{{- end }} diff --git a/charts/k10/k10/4.5.1100/charts/grafana/templates/_definitions.tpl b/charts/k10/k10/4.5.1100/charts/grafana/templates/_definitions.tpl new file mode 100644 index 000000000..10863ce2d --- /dev/null +++ b/charts/k10/k10/4.5.1100/charts/grafana/templates/_definitions.tpl @@ -0,0 +1,3 @@ +{{/* Autogenerated, do NOT modify */}} +{{- define "k10.grafanaImageTag" -}}8.1.8{{- end -}} +{{- define "k10.grafanaInitContainerImageTag" -}}8.5-230.1645809059{{- end -}} diff --git a/charts/k10/k10/4.5.1100/charts/grafana/templates/_helpers.tpl b/charts/k10/k10/4.5.1100/charts/grafana/templates/_helpers.tpl new file mode 100644 index 000000000..aea79b673 --- /dev/null +++ b/charts/k10/k10/4.5.1100/charts/grafana/templates/_helpers.tpl 
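Review bot: The port-80 advice in the ingress branch tells operators to set `runAsUser: 0`, `runAsGroup: 0` and `fsGroup: 0` and to run `setcap` at start-up, which makes the Grafana container run as root only to bind a low port. I would replace that block with a sentence such as `Expose port 80 through the Service or Ingress and leave grafana on its unprivileged container port rather than running as root.` The Service template is not part of this hunk, so its target port needs checking before the wording is final. Separately, the LoadBalancer branch prints `http://$SERVICE_IP:...` without `echo`, unlike the NodePort branch, so that line is not a runnable command.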
@@ -0,0 +1,235 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "grafana.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "grafana.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "grafana.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create the name of the service account +*/}} +{{- define "grafana.serviceAccountName" -}} +{{- if .Values.serviceAccount.create -}} + {{ default (include "grafana.fullname" .) .Values.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.serviceAccount.name }} +{{- end -}} +{{- end -}} + +{{- define "grafana.serviceAccountNameTest" -}} +{{- if .Values.serviceAccount.create -}} + {{ default (print (include "grafana.fullname" .) 
"-test") .Values.serviceAccount.nameTest }} +{{- else -}} + {{ default "default" .Values.serviceAccount.nameTest }} +{{- end -}} +{{- end -}} + +{{/* +Allow the release namespace to be overridden for multi-namespace deployments in combined charts +*/}} +{{- define "grafana.namespace" -}} + {{- if .Values.namespaceOverride -}} + {{- .Values.namespaceOverride -}} + {{- else -}} + {{- .Release.Namespace -}} + {{- end -}} +{{- end -}} + +{{/* +Common labels +*/}} +{{- define "grafana.labels" -}} +helm.sh/chart: {{ include "grafana.chart" . }} +{{ include "grafana.selectorLabels" . }} +{{- if or .Chart.AppVersion .Values.image.tag }} +app.kubernetes.io/version: {{ .Values.image.tag | default .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- if .Values.extraLabels }} +{{ toYaml .Values.extraLabels }} +{{- end }} +{{- end -}} + +{{/* +Selector labels +*/}} +{{- define "grafana.selectorLabels" -}} +app: {{ include "grafana.name" . }} +release: {{ .Release.Name }} +{{- end -}} + +{{/* +Common labels +*/}} +{{- define "grafana.imageRenderer.labels" -}} +helm.sh/chart: {{ include "grafana.chart" . }} +{{ include "grafana.imageRenderer.selectorLabels" . }} +{{- if or .Chart.AppVersion .Values.image.tag }} +app.kubernetes.io/version: {{ .Values.image.tag | default .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Selector labels ImageRenderer +*/}} +{{- define "grafana.imageRenderer.selectorLabels" -}} +app: {{ include "grafana.name" . }}-image-renderer +release: {{ .Release.Name }} +{{- end -}} + +{{/* +Looks if there's an existing secret and reuse its password. If not it generates +new password and use it. +*/}} +{{- define "grafana.password" -}} +{{- $secret := (lookup "v1" "Secret" (include "grafana.namespace" .) (include "grafana.fullname" .) 
) -}} + {{- if $secret -}} + {{- index $secret "data" "admin-password" -}} + {{- else -}} + {{- (randAlphaNum 40) | b64enc | quote -}} + {{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for rbac. +*/}} +{{- define "grafana.rbac.apiVersion" -}} + {{- if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1" }} + {{- print "rbac.authorization.k8s.io/v1" -}} + {{- else -}} + {{- print "rbac.authorization.k8s.io/v1beta1" -}} + {{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for ingress. +*/}} +{{- define "grafana.ingress.apiVersion" -}} + {{- if and (.Capabilities.APIVersions.Has "networking.k8s.io/v1") (semverCompare ">= 1.19-0" .Capabilities.KubeVersion.Version) -}} + {{- print "networking.k8s.io/v1" -}} + {{- else if .Capabilities.APIVersions.Has "networking.k8s.io/v1beta1" -}} + {{- print "networking.k8s.io/v1beta1" -}} + {{- else -}} + {{- print "extensions/v1beta1" -}} + {{- end -}} +{{- end -}} + +{{/* +Return if ingress is stable. +*/}} +{{- define "grafana.ingress.isStable" -}} + {{- eq (include "grafana.ingress.apiVersion" .) "networking.k8s.io/v1" -}} +{{- end -}} + +{{/* +Return if ingress supports ingressClassName. +*/}} +{{- define "grafana.ingress.supportsIngressClassName" -}} + {{- or (eq (include "grafana.ingress.isStable" .) "true") (and (eq (include "grafana.ingress.apiVersion" .) "networking.k8s.io/v1beta1") (semverCompare ">= 1.18-0" .Capabilities.KubeVersion.Version)) -}} +{{- end -}} + +{{/* +Return if ingress supports pathType. +*/}} +{{- define "grafana.ingress.supportsPathType" -}} + {{- or (eq (include "grafana.ingress.isStable" .) "true") (and (eq (include "grafana.ingress.apiVersion" .) 
"networking.k8s.io/v1beta1") (semverCompare ">= 1.18-0" .Capabilities.KubeVersion.Version)) -}} +{{- end -}} + +{{/* +Figure out the grafana image tag +based on the value of global.upstreamCertifiedImages +*/}} +{{- define "get.grafanaImageTag"}} +{{- if .Values.global.airgapped.repository }} +{{- printf "k10-%s" (include "k10.grafanaImageTag" .) }} +{{- else }} +{{- printf "%s" (include "k10.grafanaImageTag" .) }} +{{- end }} +{{- end }} + +{{- define "get.grafanaImageRepo" }} +{{- if .Values.global.upstreamCertifiedImages }} +{{- printf "%s/%s/grafana" .Values.k10image.registry .Values.k10image.repository }} +{{- else }} +{{- print .Values.image.repository }} +{{- end }} +{{- end }} + +{{/* +Figure out the config based on +the value of airgapped.repository +*/}} +{{- define "get.grafanaServerimage" }} +{{- if not .Values.global.rhMarketPlace }} +{{- if .Values.global.airgapped.repository }} +{{- printf "%s/grafana:%s" .Values.global.airgapped.repository (include "get.grafanaImageTag" .) }} +{{- else }} +{{- printf "%s:%s" (include "get.grafanaImageRepo" .) (include "get.grafanaImageTag" .) }} +{{- end }} +{{- else }} +{{- printf "%s" .Values.global.images.grafana }} +{{- end -}} +{{- end }} + +{{/* +Figure out the grafana init container busy box image tag +based on the value of global.airgapped.repository +*/}} +{{- define "get.grafanaInitContainerImageTag"}} +{{- if .Values.global.airgapped.repository }} +{{- printf "k10-%s" (include "k10.grafanaInitContainerImageTag" .) }} +{{- else }} +{{- printf "%s" (include "k10.grafanaInitContainerImageTag" .) 
}} +{{- end }} +{{- end }} + +{{- define "get.grafanaInitContainerImageRepo" }} +{{- if .Values.global.upstreamCertifiedImages }} +{{- printf "%s/%s/ubi-minimal" .Values.k10image.registry .Values.k10image.repository }} +{{- else }} +{{- print .Values.ubi.image.repository }} +{{- end }} +{{- end }} + +{{/* +Figure out the config based on +the value of airgapped.repository +*/}} +{{- define "get.grafanaInitContainerImage" }} +{{- if not .Values.global.rhMarketPlace }} +{{- if .Values.global.airgapped.repository }} +{{- printf "%s/ubi-minimal:%s" .Values.global.airgapped.repository (include "get.grafanaInitContainerImageTag" .) }} +{{- else }} +{{- printf "%s:%s" (include "get.grafanaInitContainerImageRepo" .) (include "get.grafanaInitContainerImageTag" .) }} +{{- end }} +{{- else }} +{{- printf "%s:%s" (include "get.grafanaInitContainerImageRepo" .) (include "get.grafanaInitContainerImageTag" .) }} +{{- end }} +{{- end }} diff --git a/charts/k10/k10/4.5.1100/charts/grafana/templates/_pod.tpl b/charts/k10/k10/4.5.1100/charts/grafana/templates/_pod.tpl new file mode 100644 index 000000000..46cee7d64 --- /dev/null +++ b/charts/k10/k10/4.5.1100/charts/grafana/templates/_pod.tpl 
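Review bot: `grafana.password` relies on `lookup`, which returns an empty result under `helm template` and a client-side `--dry-run`, so any pipeline that renders the chart without cluster access takes the `randAlphaNum 40` branch and produces a new admin password on every render. The lookup is keyed on `grafana.fullname`; whether that is the right secret when `admin.existingSecret` is set depends on the caller, which is outside this hunk. The two branches also differ in shape, since the generated value goes through `quote` and the reused one is emitted bare. I would document the limitation on the define, e.g. `{{/* NOTE: lookup is empty for helm template/--dry-run, so the password is regenerated there */}}`, and quote both branches with `{{- index $secret "data" "admin-password" | quote -}}`.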
@@ -0,0 +1,509 @@ + +{{- define "grafana.pod" -}} +{{- if .Values.schedulerName }} +schedulerName: "{{ .Values.schedulerName }}" +{{- end }} +serviceAccountName: {{ template "grafana.serviceAccountName" . }} +automountServiceAccountToken: {{ .Values.serviceAccount.autoMount }} +{{- if .Values.securityContext }} +securityContext: +{{ toYaml .Values.securityContext | indent 2 }} +{{- end }} +{{- if .Values.hostAliases }} +hostAliases: +{{ toYaml .Values.hostAliases | indent 2 }} +{{- end }} +{{- if .Values.priorityClassName }} +priorityClassName: {{ .Values.priorityClassName }} +{{- end }} +{{- if ( or .Values.global.persistence.enabled .Values.dashboards .Values.sidecar.datasources.enabled .Values.sidecar.notifiers.enabled .Values.extraInitContainers) }} +initContainers: +{{- end }} +{{- if ( and .Values.global.persistence.enabled .Values.initChownData.enabled ) }} + - name: init-chown-data + image: "{{ include "get.grafanaInitContainerImage" . }}" + imagePullPolicy: {{ .Values.ubi.image.pullPolicy }} + securityContext: + runAsNonRoot: false + runAsUser: 0 + command: ["chown", "-R", "{{ .Values.securityContext.runAsUser }}:{{ .Values.securityContext.runAsGroup }}", "/var/lib/grafana"] + resources: +{{ toYaml .Values.initChownData.resources | indent 6 }} + volumeMounts: + - name: storage + mountPath: "/var/lib/grafana" +{{- if .Values.persistence.subPath }} + subPath: {{ .Values.persistence.subPath }} +{{- end }} +{{- end }} +{{- if .Values.dashboards }} + - name: download-dashboards + {{- if .Values.downloadDashboardsImage.sha }} + image: "{{ .Values.downloadDashboardsImage.repository }}:{{ .Values.downloadDashboardsImage.tag }}@sha256:{{ .Values.downloadDashboardsImage.sha }}" + {{- else }} + image: "{{ include "get.grafanaInitContainerImage" . 
}}" + {{- end }} + imagePullPolicy: {{ .Values.downloadDashboardsImage.pullPolicy }} + command: ["/bin/sh"] + args: [ "-c", "mkdir -p /var/lib/grafana/dashboards/default && /bin/sh -x /etc/grafana/download_dashboards.sh" ] + resources: +{{ toYaml .Values.downloadDashboards.resources | indent 6 }} + env: +{{- range $key, $value := .Values.downloadDashboards.env }} + - name: "{{ $key }}" + value: "{{ $value }}" +{{- end }} +{{- if .Values.downloadDashboards.envFromSecret }} + envFrom: + - secretRef: + name: {{ tpl .Values.downloadDashboards.envFromSecret . }} +{{- end }} + volumeMounts: + - name: config + mountPath: "/etc/grafana/download_dashboards.sh" + subPath: download_dashboards.sh + - name: storage + mountPath: "/var/lib/grafana" +{{- if .Values.persistence.subPath }} + subPath: {{ .Values.persistence.subPath }} +{{- end }} + {{- range .Values.extraSecretMounts }} + - name: {{ .name }} + mountPath: {{ .mountPath }} + readOnly: {{ .readOnly }} + {{- end }} +{{- end }} +{{- if .Values.sidecar.datasources.enabled }} + - name: {{ template "grafana.name" . 
}}-sc-datasources + {{- if .Values.sidecar.image.sha }} + image: "{{ .Values.sidecar.image.repository }}:{{ .Values.sidecar.image.tag }}@sha256:{{ .Values.sidecar.image.sha }}" + {{- else }} + image: "{{ .Values.sidecar.image.repository }}:{{ .Values.sidecar.image.tag }}" + {{- end }} + imagePullPolicy: {{ .Values.sidecar.imagePullPolicy }} + env: + - name: METHOD + value: LIST + - name: LABEL + value: "{{ .Values.sidecar.datasources.label }}" + {{- if .Values.sidecar.datasources.labelValue }} + - name: LABEL_VALUE + value: {{ quote .Values.sidecar.datasources.labelValue }} + {{- end }} + - name: FOLDER + value: "/etc/grafana/provisioning/datasources" + - name: RESOURCE + value: {{ quote .Values.sidecar.datasources.resource }} + {{- if .Values.sidecar.enableUniqueFilenames }} + - name: UNIQUE_FILENAMES + value: "{{ .Values.sidecar.enableUniqueFilenames }}" + {{- end }} + {{- if .Values.sidecar.datasources.searchNamespace }} + - name: NAMESPACE + value: "{{ .Values.sidecar.datasources.searchNamespace }}" + {{- end }} + {{- if .Values.sidecar.skipTlsVerify }} + - name: SKIP_TLS_VERIFY + value: "{{ .Values.sidecar.skipTlsVerify }}" + {{- end }} + resources: +{{ toYaml .Values.sidecar.resources | indent 6 }} + volumeMounts: + - name: sc-datasources-volume + mountPath: "/etc/grafana/provisioning/datasources" +{{- end}} +{{- if .Values.sidecar.notifiers.enabled }} + - name: {{ template "grafana.name" . 
}}-sc-notifiers + {{- if .Values.sidecar.image.sha }} + image: "{{ .Values.sidecar.image.repository }}:{{ .Values.sidecar.image.tag }}@sha256:{{ .Values.sidecar.image.sha }}" + {{- else }} + image: "{{ .Values.sidecar.image.repository }}:{{ .Values.sidecar.image.tag }}" + {{- end }} + imagePullPolicy: {{ .Values.sidecar.imagePullPolicy }} + env: + - name: METHOD + value: LIST + - name: LABEL + value: "{{ .Values.sidecar.notifiers.label }}" + - name: FOLDER + value: "/etc/grafana/provisioning/notifiers" + - name: RESOURCE + value: {{ quote .Values.sidecar.notifiers.resource }} + {{- if .Values.sidecar.enableUniqueFilenames }} + - name: UNIQUE_FILENAMES + value: "{{ .Values.sidecar.enableUniqueFilenames }}" + {{- end }} + {{- if .Values.sidecar.notifiers.searchNamespace }} + - name: NAMESPACE + value: "{{ .Values.sidecar.notifiers.searchNamespace }}" + {{- end }} + {{- if .Values.sidecar.skipTlsVerify }} + - name: SKIP_TLS_VERIFY + value: "{{ .Values.sidecar.skipTlsVerify }}" + {{- end }} + resources: +{{ toYaml .Values.sidecar.resources | indent 6 }} + volumeMounts: + - name: sc-notifiers-volume + mountPath: "/etc/grafana/provisioning/notifiers" +{{- end}} +{{- if .Values.extraInitContainers }} +{{ toYaml .Values.extraInitContainers | indent 2 }} +{{- end }} +{{- if (or .Values.global.imagePullSecret .Values.image.pullSecrets) }} +imagePullSecrets: +{{- if .Values.global.imagePullSecret }} + - name: {{ .Values.global.imagePullSecret }} +{{- end }} +{{- if .Values.image.pullSecrets }} +{{- range .Values.image.pullSecrets }} + - name: {{ . }} +{{- end }} +{{- end }} +{{- end }} +enableServiceLinks: {{ .Values.enableServiceLinks }} +containers: +{{- if .Values.sidecar.dashboards.enabled }} + - name: {{ template "grafana.name" . 
}}-sc-dashboard + {{- if .Values.sidecar.image.sha }} + image: "{{ .Values.sidecar.image.repository }}:{{ .Values.sidecar.image.tag }}@sha256:{{ .Values.sidecar.image.sha }}" + {{- else }} + image: "{{ .Values.sidecar.image.repository }}:{{ .Values.sidecar.image.tag }}" + {{- end }} + imagePullPolicy: {{ .Values.sidecar.imagePullPolicy }} + env: + - name: METHOD + value: {{ .Values.sidecar.dashboards.watchMethod }} + - name: LABEL + value: "{{ .Values.sidecar.dashboards.label }}" + {{- if .Values.sidecar.dashboards.labelValue }} + - name: LABEL_VALUE + value: {{ quote .Values.sidecar.dashboards.labelValue }} + {{- end }} + - name: FOLDER + value: "{{ .Values.sidecar.dashboards.folder }}{{- with .Values.sidecar.dashboards.defaultFolderName }}/{{ . }}{{- end }}" + - name: RESOURCE + value: {{ quote .Values.sidecar.dashboards.resource }} + {{- if .Values.sidecar.enableUniqueFilenames }} + - name: UNIQUE_FILENAMES + value: "{{ .Values.sidecar.enableUniqueFilenames }}" + {{- end }} + {{- if .Values.sidecar.dashboards.searchNamespace }} + - name: NAMESPACE + value: "{{ .Values.sidecar.dashboards.searchNamespace }}" + {{- end }} + {{- if .Values.sidecar.skipTlsVerify }} + - name: SKIP_TLS_VERIFY + value: "{{ .Values.sidecar.skipTlsVerify }}" + {{- end }} + {{- if .Values.sidecar.dashboards.folderAnnotation }} + - name: FOLDER_ANNOTATION + value: "{{ .Values.sidecar.dashboards.folderAnnotation }}" + {{- end }} + resources: +{{ toYaml .Values.sidecar.resources | indent 6 }} + volumeMounts: + - name: sc-dashboard-volume + mountPath: {{ .Values.sidecar.dashboards.folder | quote }} +{{- end}} + - name: {{ .Chart.Name }} + {{- if .Values.image.sha }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}@sha256:{{ .Values.image.sha }}" + {{- else }} + image: "{{ include "get.grafanaServerimage" . }}" + {{- end }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + {{- if .Values.command }} + command: + {{- range .Values.command }} + - {{ . 
}} + {{- end }} + {{- end}} +{{- if .Values.containerSecurityContext }} + securityContext: +{{- toYaml .Values.containerSecurityContext | nindent 6 }} +{{- end }} + volumeMounts: + - name: config + mountPath: "/etc/grafana/grafana.ini" + subPath: grafana.ini + {{- if .Values.ldap.enabled }} + - name: ldap + mountPath: "/etc/grafana/ldap.toml" + subPath: ldap.toml + {{- end }} + {{- range .Values.extraConfigmapMounts }} + - name: {{ .name }} + mountPath: {{ .mountPath }} + subPath: {{ .subPath | default "" }} + readOnly: {{ .readOnly }} + {{- end }} + - name: storage + mountPath: "/var/lib/grafana" +{{- if .Values.persistence.subPath }} + subPath: {{ .Values.persistence.subPath }} +{{- end }} +{{- if .Values.dashboards }} +{{- range $provider, $dashboards := .Values.dashboards }} +{{- range $key, $value := $dashboards }} +{{- if (or (hasKey $value "json") (hasKey $value "file")) }} + - name: dashboards-{{ $provider }} + mountPath: "/var/lib/grafana/dashboards/{{ $provider }}/{{ $key }}.json" + subPath: "{{ $key }}.json" +{{- end }} +{{- end }} +{{- end }} +{{- end -}} +{{- if .Values.dashboardsConfigMaps }} +{{- range (keys .Values.dashboardsConfigMaps | sortAlpha) }} + - name: dashboards-{{ . }} + mountPath: "/var/lib/grafana/dashboards/{{ . 
}}" +{{- end }} +{{- end }} +{{/* Mounting default datasources in pod as yaml */}} + - name: config + mountPath: "/etc/grafana/provisioning/datasources/datasources.yaml" + subPath: datasources.yaml +{{- if .Values.notifiers }} + - name: config + mountPath: "/etc/grafana/provisioning/notifiers/notifiers.yaml" + subPath: notifiers.yaml +{{- end }} +{{- if .Values.dashboardProviders }} + - name: config + mountPath: "/etc/grafana/provisioning/dashboards/dashboardproviders.yaml" + subPath: dashboardproviders.yaml +{{- end }} +{{- if .Values.sidecar.dashboards.enabled }} + - name: sc-dashboard-volume + mountPath: {{ .Values.sidecar.dashboards.folder | quote }} +{{ if .Values.sidecar.dashboards.SCProvider }} + - name: sc-dashboard-provider + mountPath: "/etc/grafana/provisioning/dashboards/sc-dashboardproviders.yaml" + subPath: provider.yaml +{{- end}} +{{- end}} +{{- if .Values.sidecar.datasources.enabled }} + - name: sc-datasources-volume + mountPath: "/etc/grafana/provisioning/datasources" +{{- end}} +{{- if .Values.sidecar.notifiers.enabled }} + - name: sc-notifiers-volume + mountPath: "/etc/grafana/provisioning/notifiers" +{{- end}} + {{- range .Values.extraSecretMounts }} + - name: {{ .name }} + mountPath: {{ .mountPath }} + readOnly: {{ .readOnly }} + subPath: {{ .subPath | default "" }} + {{- end }} + {{- range .Values.extraVolumeMounts }} + - name: {{ .name }} + mountPath: {{ .mountPath }} + subPath: {{ .subPath | default "" }} + readOnly: {{ .readOnly }} + {{- end }} + {{- range .Values.extraEmptyDirMounts }} + - name: {{ .name }} + mountPath: {{ .mountPath }} + {{- end }} + ports: + - name: {{ .Values.service.portName }} + containerPort: {{ .Values.service.port }} + protocol: TCP + - name: {{ .Values.podPortName }} + containerPort: 3000 + protocol: TCP + env: + {{- if and (not .Values.env.GF_SECURITY_ADMIN_USER) (not .Values.env.GF_SECURITY_DISABLE_INITIAL_ADMIN_CREATION) }} + - name: GF_SECURITY_ADMIN_USER + valueFrom: + secretKeyRef: + name: {{ 
.Values.admin.existingSecret | default (include "grafana.fullname" .) }} + key: {{ .Values.admin.userKey | default "admin-user" }} + {{- end }} + {{- if and (not .Values.env.GF_SECURITY_ADMIN_PASSWORD) (not .Values.env.GF_SECURITY_ADMIN_PASSWORD__FILE) (not .Values.env.GF_SECURITY_DISABLE_INITIAL_ADMIN_CREATION) }} + - name: GF_SECURITY_ADMIN_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.admin.existingSecret | default (include "grafana.fullname" .) }} + key: {{ .Values.admin.passwordKey | default "admin-password" }} + {{- end }} + {{- if .Values.plugins }} + - name: GF_INSTALL_PLUGINS + valueFrom: + configMapKeyRef: + name: {{ template "grafana.fullname" . }} + key: plugins + {{- end }} + {{- if .Values.smtp.existingSecret }} + - name: GF_SMTP_USER + valueFrom: + secretKeyRef: + name: {{ .Values.smtp.existingSecret }} + key: {{ .Values.smtp.userKey | default "user" }} + - name: GF_SMTP_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.smtp.existingSecret }} + key: {{ .Values.smtp.passwordKey | default "password" }} + {{- end }} + {{ if .Values.imageRenderer.enabled }} + - name: GF_RENDERING_SERVER_URL + value: http://{{ template "grafana.fullname" . }}-image-renderer.{{ template "grafana.namespace" . }}:{{ .Values.imageRenderer.service.port }}/render + - name: GF_RENDERING_CALLBACK_URL + value: http://{{ template "grafana.fullname" . }}.{{ template "grafana.namespace" . 
}}:{{ .Values.service.port }}/{{ .Values.imageRenderer.grafanaSubPath }} + {{ end }} + - name: GF_PATHS_DATA + value: {{ (get .Values "grafana.ini").paths.data }} + - name: GF_PATHS_LOGS + value: {{ (get .Values "grafana.ini").paths.logs }} + - name: GF_PATHS_PLUGINS + value: {{ (get .Values "grafana.ini").paths.plugins }} + - name: GF_PATHS_PROVISIONING + value: {{ (get .Values "grafana.ini").paths.provisioning }} + {{- range $key, $value := .Values.envValueFrom }} + - name: {{ $key | quote }} + valueFrom: +{{ toYaml $value | indent 10 }} + {{- end }} +{{- range $key, $value := .Values.env }} + - name: "{{ tpl $key $ }}" + value: "{{ tpl (print $value) $ }}" +{{- end }} + {{- if .Values.envFromSecret }} + envFrom: + - secretRef: + name: {{ tpl .Values.envFromSecret . }} + {{- end }} + {{- if .Values.envRenderSecret }} + envFrom: + - secretRef: + name: {{ template "grafana.fullname" . }}-env + {{- end }} + livenessProbe: +{{ toYaml .Values.livenessProbe | indent 6 }} + readinessProbe: +{{ toYaml .Values.readinessProbe | indent 6 }} + resources: +{{ toYaml .Values.resources | indent 6 }} +{{- with .Values.extraContainers }} +{{ tpl . $ | indent 2 }} +{{- end }} +{{- with .Values.nodeSelector }} +nodeSelector: +{{ toYaml . | indent 2 }} +{{- end }} +{{- with .Values.affinity }} +affinity: +{{ toYaml . | indent 2 }} +{{- end }} +{{- with .Values.tolerations }} +tolerations: +{{ toYaml . | indent 2 }} +{{- end }} +volumes: + - name: config + configMap: + name: {{ template "grafana.fullname" . }} +{{- range .Values.extraConfigmapMounts }} + - name: {{ .name }} + configMap: + name: {{ .configMap }} +{{- end }} + {{- if .Values.dashboards }} + {{- range (keys .Values.dashboards | sortAlpha) }} + - name: dashboards-{{ . }} + configMap: + name: {{ template "grafana.fullname" $ }}-dashboards-{{ . }} + {{- end }} + {{- end }} + {{- if .Values.dashboardsConfigMaps }} + {{ $root := . 
}} + {{- range $provider, $name := .Values.dashboardsConfigMaps }} + - name: dashboards-{{ $provider }} + configMap: + name: {{ tpl $name $root }} + {{- end }} + {{- end }} + {{- if .Values.ldap.enabled }} + - name: ldap + secret: + {{- if .Values.ldap.existingSecret }} + secretName: {{ .Values.ldap.existingSecret }} + {{- else }} + secretName: {{ template "grafana.fullname" . }} + {{- end }} + items: + - key: ldap-toml + path: ldap.toml + {{- end }} +{{- if and .Values.global.persistence.enabled (eq .Values.persistence.type "pvc") }} + - name: storage + persistentVolumeClaim: + claimName: {{ .Values.persistence.existingClaim | default (include "grafana.fullname" .) }} +{{- else if and .Values.global.persistence.enabled (eq .Values.persistence.type "statefulset") }} +# nothing +{{- else }} + - name: storage +{{- if .Values.persistence.inMemory.enabled }} + emptyDir: + medium: Memory +{{- if .Values.persistence.inMemory.sizeLimit }} + sizeLimit: {{ .Values.persistence.inMemory.sizeLimit }} +{{- end -}} +{{- else }} + emptyDir: {} +{{- end -}} +{{- end -}} +{{- if .Values.sidecar.dashboards.enabled }} + - name: sc-dashboard-volume + emptyDir: {} +{{- if .Values.sidecar.dashboards.SCProvider }} + - name: sc-dashboard-provider + configMap: + name: {{ template "grafana.fullname" . 
}}-config-dashboards +{{- end }} +{{- end }} +{{- if .Values.sidecar.datasources.enabled }} + - name: sc-datasources-volume + emptyDir: {} +{{- end -}} +{{- if .Values.sidecar.notifiers.enabled }} + - name: sc-notifiers-volume + emptyDir: {} +{{- end -}} +{{- range .Values.extraSecretMounts }} +{{- if .secretName }} + - name: {{ .name }} + secret: + secretName: {{ .secretName }} + defaultMode: {{ .defaultMode }} +{{- else if .projected }} + - name: {{ .name }} + projected: {{- toYaml .projected | nindent 6 }} +{{- else if .csi }} + - name: {{ .name }} + csi: {{- toYaml .csi | nindent 6 }} +{{- end }} +{{- end }} +{{- range .Values.extraVolumeMounts }} + - name: {{ .name }} + {{- if .existingClaim }} + persistentVolumeClaim: + claimName: {{ .existingClaim }} + {{- else if .hostPath }} + hostPath: + path: {{ .hostPath }} + {{- else }} + emptyDir: {} + {{- end }} +{{- end }} +{{- range .Values.extraEmptyDirMounts }} + - name: {{ .name }} + emptyDir: {} +{{- end -}} +{{- if .Values.extraContainerVolumes }} +{{ toYaml .Values.extraContainerVolumes | indent 2 }} +{{- end }} +{{- end }} diff --git a/charts/k10/k10/4.5.1100/charts/grafana/templates/clusterrole.yaml b/charts/k10/k10/4.5.1100/charts/grafana/templates/clusterrole.yaml new file mode 100644 index 000000000..6d2aa55c9 --- /dev/null +++ b/charts/k10/k10/4.5.1100/charts/grafana/templates/clusterrole.yaml 
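Review bot: The grafana container can end up with two `envFrom:` keys, because `.Values.envFromSecret` and `.Values.envRenderSecret` each emit their own `envFrom:` block near the end of the container spec. With both values set, the rendered manifest has a duplicate mapping key, and a parser that accepts it keeps only one, so one secret's variables would be silently missing from the pod. Emit a single list guarded by `or`, as sketched below; the indentation has to match the other container fields, which this collapsed page no longer shows. Separately, `init-chown-data` is pinned to `runAsUser: 0` with `runAsNonRoot: false`, which deserves a comment next to `initChownData.enabled` because clusters that enforce non-root pods will likely reject it.

```yaml
# … unchanged: env entries of the grafana container …
  {{- if or .Values.envFromSecret .Values.envRenderSecret }}
    envFrom:
    {{- if .Values.envFromSecret }}
      - secretRef:
          name: {{ tpl .Values.envFromSecret . }}
    {{- end }}
    {{- if .Values.envRenderSecret }}
      - secretRef:
          name: {{ template "grafana.fullname" . }}-env
    {{- end }}
  {{- end }}
# … unchanged: livenessProbe, readinessProbe, resources …
```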
@@ -0,0 +1,27 @@ +{{- if .Values.enabled }} +{{- if and .Values.rbac.create (not .Values.rbac.namespaced) (not .Values.rbac.useExistingRole) }} +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + labels: + {{- include "grafana.labels" . | nindent 4 }} +{{- with .Values.annotations }} + annotations: +{{ toYaml . | indent 4 }} +{{- end }} + name: {{ template "grafana.fullname" . }}-clusterrole +{{- if or .Values.sidecar.dashboards.enabled (or .Values.sidecar.datasources.enabled .Values.rbac.extraClusterRoleRules) }} +rules: +{{- if or .Values.sidecar.dashboards.enabled .Values.sidecar.datasources.enabled }} +- apiGroups: [""] # "" indicates the core API group + resources: ["configmaps", "secrets"] + verbs: ["get", "watch", "list"] +{{- end}} +{{- with .Values.rbac.extraClusterRoleRules }} +{{ toYaml . | indent 0 }} +{{- end}} +{{- else }} +rules: [] +{{- end}} +{{- end}} +{{- end}} diff --git a/charts/k10/k10/4.5.1100/charts/grafana/templates/clusterrolebinding.yaml b/charts/k10/k10/4.5.1100/charts/grafana/templates/clusterrolebinding.yaml new file mode 100644 index 000000000..5e50cd7fe --- /dev/null +++ b/charts/k10/k10/4.5.1100/charts/grafana/templates/clusterrolebinding.yaml 
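Review bot: The rule emitted when either sidecar is enabled grants `get`, `watch` and `list` on `secrets` as well as `configmaps` for the whole cluster, and clusterrolebinding.yaml binds it to the Grafana service account. If that account's token is mounted in the pod (`serviceAccount.autoMount` in _pod.tpl), a compromise of Grafana exposes every Secret in every namespace. I would list `secrets` only when a sidecar is configured to read them (the `sidecar.*.resource` values that _pod.tpl passes as `RESOURCE`) and add a comment on the rule such as `# cluster-wide read on secrets; prefer rbac.namespaced=true where possible`. `sidecar.notifiers.enabled` is not part of either condition, so the notifiers sidecar gets no rule from this template; if that is intended, a comment should say so.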
@@ -0,0 +1,26 @@ +{{- if .Values.enabled }} +{{- if and .Values.rbac.create (not .Values.rbac.namespaced) }} +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ template "grafana.fullname" . }}-clusterrolebinding + labels: + {{- include "grafana.labels" . | nindent 4 }} +{{- with .Values.annotations }} + annotations: +{{ toYaml . | indent 4 }} +{{- end }} +subjects: + - kind: ServiceAccount + name: {{ template "grafana.serviceAccountName" . }} + namespace: {{ template "grafana.namespace" . }} +roleRef: + kind: ClusterRole +{{- if (not .Values.rbac.useExistingRole) }} + name: {{ template "grafana.fullname" . }}-clusterrole +{{- else }} + name: {{ .Values.rbac.useExistingRole }} +{{- end }} + apiGroup: rbac.authorization.k8s.io +{{- end -}} +{{- end -}} diff --git a/charts/k10/k10/4.5.1100/charts/grafana/templates/configmap-dashboard-provider.yaml b/charts/k10/k10/4.5.1100/charts/grafana/templates/configmap-dashboard-provider.yaml new file mode 100644 index 000000000..c3dcc0810 --- /dev/null +++ b/charts/k10/k10/4.5.1100/charts/grafana/templates/configmap-dashboard-provider.yaml 
@@ -0,0 +1,31 @@ +{{- if .Values.enabled }} +{{- if .Values.sidecar.dashboards.enabled }} +apiVersion: v1 +kind: ConfigMap +metadata: + labels: + {{- include "grafana.labels" . | nindent 4 }} +{{- with .Values.annotations }} + annotations: +{{ toYaml . | indent 4 }} +{{- end }} + name: {{ template "grafana.fullname" . }}-config-dashboards + namespace: {{ template "grafana.namespace" . }} +data: + provider.yaml: |- + apiVersion: 1 + providers: + - name: '{{ .Values.sidecar.dashboards.provider.name }}' + orgId: {{ .Values.sidecar.dashboards.provider.orgid }} + {{- if not .Values.sidecar.dashboards.provider.foldersFromFilesStructure }} + folder: '{{ .Values.sidecar.dashboards.provider.folder }}' + {{- end}} + type: {{ .Values.sidecar.dashboards.provider.type }} + disableDeletion: {{ .Values.sidecar.dashboards.provider.disableDelete }} + allowUiUpdates: {{ .Values.sidecar.dashboards.provider.allowUiUpdates }} + updateIntervalSeconds: {{ .Values.sidecar.dashboards.provider.updateIntervalSeconds | default 30 }} + options: + foldersFromFilesStructure: {{ .Values.sidecar.dashboards.provider.foldersFromFilesStructure }} + path: {{ .Values.sidecar.dashboards.folder }}{{- with .Values.sidecar.dashboards.defaultFolderName }}/{{ . }}{{- end }} +{{- end}} +{{- end}} diff --git a/charts/k10/k10/4.5.1100/charts/grafana/templates/configmap.yaml b/charts/k10/k10/4.5.1100/charts/grafana/templates/configmap.yaml new file mode 100644 index 000000000..6bbfaeb52 --- /dev/null +++ b/charts/k10/k10/4.5.1100/charts/grafana/templates/configmap.yaml 
@@ -0,0 +1,99 @@ +{{- if .Values.enabled }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "grafana.fullname" . }} + namespace: {{ template "grafana.namespace" . }} + labels: + {{- include "grafana.labels" . | nindent 4 }} +{{- with .Values.annotations }} + annotations: +{{ toYaml . | indent 4 }} +{{- end }} +data: + # Adding default prometheus datasource for grafana + datasources.yaml: | + apiVersion: 1 + datasources: + - access: proxy + editable: false + isDefault: true + name: Prometheus + type: prometheus + url: http://{{ .Values.prometheusName | trimSuffix "/" }}-exp/{{ .Values.prometheusPrefixURL | trimPrefix "/"}} + jsonData: + timeInterval: '1m' +{{- if .Values.plugins }} + plugins: {{ join "," .Values.plugins }} +{{- end }} + grafana.ini: | +{{- range $key, $value := index .Values "grafana.ini" }} + [{{ $key }}] + {{- range $elem, $elemVal := $value }} + {{- if kindIs "invalid" $elemVal }} + {{ $elem }} = + {{- else if kindIs "string" $elemVal }} + {{ $elem }} = {{ tpl $elemVal $ }} + {{- else }} + {{ $elem }} = {{ $elemVal }} + {{- end }} + {{- end }} +{{- end }} + [server] + root_url=/{{ include "k10.ingressPath" . | trimSuffix "/"}}/grafana + serve_from_sub_path=true + +{{- if .Values.datasources }} +{{ $root := . 
}} + {{- range $key, $value := .Values.datasources }} + {{ $key }}: | +{{ tpl (toYaml $value | indent 4) $root }} + {{- end -}} +{{- end -}} + +{{- if .Values.notifiers }} + {{- range $key, $value := .Values.notifiers }} + {{ $key }}: | +{{ toYaml $value | indent 4 }} + {{- end -}} +{{- end -}} + +{{- if .Values.dashboardProviders }} + {{- range $key, $value := .Values.dashboardProviders }} + {{ $key }}: | +{{ toYaml $value | indent 4 }} + {{- end -}} +{{- end -}} + +{{- if .Values.dashboards }} + download_dashboards.sh: | + #!/usr/bin/env sh + set -euf + {{- if .Values.dashboardProviders }} + {{- range $key, $value := .Values.dashboardProviders }} + {{- range $value.providers }} + mkdir -p {{ .options.path }} + {{- end }} + {{- end }} + {{- end }} + + {{- range $provider, $dashboards := .Values.dashboards }} + {{- range $key, $value := $dashboards }} + {{- if (or (hasKey $value "gnetId") (hasKey $value "url")) }} + curl -skf \ + --connect-timeout 60 \ + --max-time 60 \ + {{- if not $value.b64content }} + -H "Accept: application/json" \ + {{- if $value.token }} + -H "Authorization: token {{ $value.token }}" \ + {{- end }} + -H "Content-Type: application/json;charset=UTF-8" \ + {{ end }} + {{- if $value.url -}}"{{ $value.url }}"{{- else -}}"https://grafana.com/api/dashboards/{{ $value.gnetId }}/revisions/{{- if $value.revision -}}{{ $value.revision }}{{- else -}}1{{- end -}}/download"{{- end -}}{{ if $value.datasource }} | sed '/-- .* --/! s/"datasource":.*,/"datasource": "{{ $value.datasource }}",/g'{{ end }}{{- if $value.b64content -}} | base64 -d {{- end -}} \ + > "/var/lib/grafana/dashboards/{{ $provider }}/{{ $key }}.json" + {{- end -}} + {{- end }} + {{- end }} +{{- end }} +{{- end }} diff --git a/charts/k10/k10/4.5.1100/charts/grafana/templates/dashboards-json-configmap.yaml b/charts/k10/k10/4.5.1100/charts/grafana/templates/dashboards-json-configmap.yaml new file mode 100644 index 000000000..232cd5a5e --- /dev/null 
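Review bot: The generated `download_dashboards.sh` calls `curl -skf`, and `-k` switches off TLS certificate verification for every dashboard download, including the requests that carry `-H "Authorization: token {{ $value.token }}"`. Anyone in the network path can then read that token or substitute the dashboard JSON that Grafana goes on to load. Change the line to `curl -sf \` and, where a private CA is in use, pass it explicitly with `--cacert`. The token is also rendered into a ConfigMap, which any subject with `get` on configmaps in the namespace can read; a Secret-backed value would be the safer place for it.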
+++ b/charts/k10/k10/4.5.1100/charts/grafana/templates/dashboards-json-configmap.yaml @@ -0,0 +1,37 @@ +{{- if .Values.enabled }} +{{- if .Values.dashboards }} +{{ $files := .Files }} +{{- range $provider, $dashboards := .Values.dashboards }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "grafana.fullname" $ }}-dashboards-{{ $provider }} + namespace: {{ template "grafana.namespace" $ }} + labels: + {{- include "grafana.labels" $ | nindent 4 }} + dashboard-provider: {{ $provider }} +{{- if $dashboards }} +data: +{{- $dashboardFound := false }} +{{- range $key, $value := $dashboards }} +{{- if (or (hasKey $value "json") (hasKey $value "file")) }} +{{- $dashboardFound = true }} +{{ print $key | indent 2 }}.json: +{{- if hasKey $value "json" }} + |- +{{ $value.json | indent 6 }} +{{- end }} +{{- if hasKey $value "file" }} +{{ toYaml ( $files.Get $value.file ) | indent 4}} +{{- end }} +{{- end }} +{{- end }} +{{- if not $dashboardFound }} + {} +{{- end }} +{{- end }} +--- +{{- end }} + +{{- end }} +{{- end }} diff --git a/charts/k10/k10/4.5.1100/charts/grafana/templates/deployment.yaml b/charts/k10/k10/4.5.1100/charts/grafana/templates/deployment.yaml new file mode 100644 index 000000000..21395889a --- /dev/null +++ b/charts/k10/k10/4.5.1100/charts/grafana/templates/deployment.yaml 
@@ -0,0 +1,52 @@ +{{- if .Values.enabled }} +{{ if (or (not .Values.global.persistence.enabled) (eq .Values.persistence.type "pvc")) }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "grafana.fullname" . }} + namespace: {{ template "grafana.namespace" . }} + labels: + {{- include "grafana.labels" . | nindent 4 }} +{{- if .Values.labels }} +{{ toYaml .Values.labels | indent 4 }} +{{- end }} +{{- with .Values.annotations }} + annotations: +{{ toYaml . | indent 4 }} +{{- end }} +spec: + {{- if not .Values.autoscaling.enabled }} + replicas: {{ .Values.replicas }} + {{- end }} + revisionHistoryLimit: {{ .Values.revisionHistoryLimit }} + selector: + matchLabels: + {{- include "grafana.selectorLabels" . | nindent 6 }} +{{- with .Values.deploymentStrategy }} + strategy: +{{ toYaml . | trim | indent 4 }} +{{- end }} + template: + metadata: + labels: + {{- include "grafana.selectorLabels" . | nindent 8 }} +{{- with .Values.podLabels }} +{{ toYaml . | indent 8 }} +{{- end }} + annotations: + checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} + checksum/dashboards-json-config: {{ include (print $.Template.BasePath "/dashboards-json-configmap.yaml") . | sha256sum }} + checksum/sc-dashboard-provider-config: {{ include (print $.Template.BasePath "/configmap-dashboard-provider.yaml") . | sha256sum }} +{{- if and (or (and (not .Values.admin.existingSecret) (not .Values.env.GF_SECURITY_ADMIN_PASSWORD__FILE) (not .Values.env.GF_SECURITY_ADMIN_PASSWORD)) (and .Values.ldap.enabled (not .Values.ldap.existingSecret))) (not .Values.env.GF_SECURITY_DISABLE_INITIAL_ADMIN_CREATION) }} + checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }} +{{- end }} +{{- if .Values.envRenderSecret }} + checksum/secret-env: {{ include (print $.Template.BasePath "/secret-env.yaml") . | sha256sum }} +{{- end }} +{{- with .Values.podAnnotations }} +{{ toYaml . 
| indent 8 }} +{{- end }} + spec: + {{- include "grafana.pod" . | nindent 6 }} +{{- end }} +{{- end }} diff --git a/charts/k10/k10/4.5.1100/charts/grafana/templates/headless-service.yaml b/charts/k10/k10/4.5.1100/charts/grafana/templates/headless-service.yaml new file mode 100644 index 000000000..4715281ab --- /dev/null +++ b/charts/k10/k10/4.5.1100/charts/grafana/templates/headless-service.yaml @@ -0,0 +1,20 @@ +{{- if .Values.enabled }} +{{- if and .Values.global.persistence.enabled (not .Values.persistence.existingClaim) (eq .Values.persistence.type "statefulset")}} +apiVersion: v1 +kind: Service +metadata: + name: {{ template "grafana.fullname" . }}-headless + namespace: {{ template "grafana.namespace" . }} + labels: + {{- include "grafana.labels" . | nindent 4 }} +{{- with .Values.annotations }} + annotations: +{{ toYaml . | indent 4 }} +{{- end }} +spec: + clusterIP: None + selector: + {{- include "grafana.selectorLabels" . | nindent 4 }} + type: ClusterIP +{{- end }} +{{- end }} diff --git a/charts/k10/k10/4.5.1100/charts/grafana/templates/hpa.yaml b/charts/k10/k10/4.5.1100/charts/grafana/templates/hpa.yaml new file mode 100644 index 000000000..b4e610c6c --- /dev/null +++ b/charts/k10/k10/4.5.1100/charts/grafana/templates/hpa.yaml @@ -0,0 +1,22 @@ +{{- if .Values.enabled }} +{{- if .Values.autoscaling.enabled }} +apiVersion: autoscaling/v2beta1 +kind: HorizontalPodAutoscaler +metadata: + name: {{ template "grafana.fullname" . }} + labels: + app: {{ template "grafana.name" . }} + helm.sh/chart: {{ template "grafana.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + release: {{ .Release.Name }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ template "grafana.fullname" . }} + minReplicas: {{ .Values.autoscaling.minReplicas }} + maxReplicas: {{ .Values.autoscaling.maxReplicas }} + metrics: +{{ toYaml .Values.autoscaling.metrics | indent 4 }} +{{- end }} +{{- end }} 
diff --git a/charts/k10/k10/4.5.1100/charts/grafana/templates/image-renderer-deployment.yaml b/charts/k10/k10/4.5.1100/charts/grafana/templates/image-renderer-deployment.yaml
new file mode 100644
index 000000000..5fed1a5f1
--- /dev/null
+++ b/charts/k10/k10/4.5.1100/charts/grafana/templates/image-renderer-deployment.yaml
@@ -0,0 +1,117 @@ +{{- if .Values.enabled }} +{{ if .Values.imageRenderer.enabled }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "grafana.fullname" . }}-image-renderer + namespace: {{ template "grafana.namespace" . }} + labels: + {{- include "grafana.imageRenderer.labels" . | nindent 4 }} +{{- if .Values.imageRenderer.labels }} +{{ toYaml .Values.imageRenderer.labels | indent 4 }} +{{- end }} +{{- with .Values.imageRenderer.annotations }} + annotations: +{{ toYaml . | indent 4 }} +{{- end }} +spec: + replicas: {{ .Values.imageRenderer.replicas }} + revisionHistoryLimit: {{ .Values.imageRenderer.revisionHistoryLimit }} + selector: + matchLabels: + {{- include "grafana.imageRenderer.selectorLabels" . | nindent 6 }} +{{- with .Values.imageRenderer.deploymentStrategy }} + strategy: +{{ toYaml . | trim | indent 4 }} +{{- end }} + template: + metadata: + labels: + {{- include "grafana.imageRenderer.selectorLabels" . | nindent 8 }} +{{- with .Values.imageRenderer.podLabels }} +{{ toYaml . | indent 8 }} +{{- end }} + annotations: + checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} +{{- with .Values.imageRenderer.podAnnotations }} +{{ toYaml . 
| indent 8 }} +{{- end }} + spec: + + {{- if .Values.imageRenderer.schedulerName }} + schedulerName: "{{ .Values.imageRenderer.schedulerName }}" + {{- end }} + {{- if .Values.imageRenderer.serviceAccountName }} + serviceAccountName: "{{ .Values.imageRenderer.serviceAccountName }}" + {{- end }} + {{- if .Values.imageRenderer.securityContext }} + securityContext: + {{- toYaml .Values.imageRenderer.securityContext | nindent 8 }} + {{- end }} + {{- if .Values.imageRenderer.hostAliases }} + hostAliases: + {{- toYaml .Values.imageRenderer.hostAliases | nindent 8 }} + {{- end }} + {{- if .Values.imageRenderer.priorityClassName }} + priorityClassName: {{ .Values.imageRenderer.priorityClassName }} + {{- end }} + {{- if .Values.imageRenderer.image.pullSecrets }} + imagePullSecrets: + {{- range .Values.imageRenderer.image.pullSecrets }} + - name: {{ . }} + {{- end}} + {{- end }} + containers: + - name: {{ .Chart.Name }}-image-renderer + {{- if .Values.imageRenderer.image.sha }} + image: "{{ .Values.imageRenderer.image.repository }}:{{ .Values.imageRenderer.image.tag }}@sha256:{{ .Values.imageRenderer.image.sha }}" + {{- else }} + image: "{{ .Values.imageRenderer.image.repository }}:{{ .Values.imageRenderer.image.tag }}" + {{- end }} + imagePullPolicy: {{ .Values.imageRenderer.image.pullPolicy }} + {{- if .Values.imageRenderer.command }} + command: + {{- range .Values.imageRenderer.command }} + - {{ . 
}} + {{- end }} + {{- end}} + ports: + - name: {{ .Values.imageRenderer.service.portName }} + containerPort: {{ .Values.imageRenderer.service.port }} + protocol: TCP + env: + - name: HTTP_PORT + value: {{ .Values.imageRenderer.service.port | quote }} + {{- range $key, $value := .Values.imageRenderer.env }} + - name: {{ $key | quote }} + value: {{ $value | quote }} + {{- end }} + securityContext: + capabilities: + drop: ['all'] + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + volumeMounts: + - mountPath: /tmp + name: image-renderer-tmpfs + {{- with .Values.imageRenderer.resources }} + resources: +{{ toYaml . | indent 12 }} + {{- end }} + {{- with .Values.imageRenderer.nodeSelector }} + nodeSelector: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.imageRenderer.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.imageRenderer.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} + {{- end }} + volumes: + - name: image-renderer-tmpfs + emptyDir: {} +{{- end }} +{{- end }} diff --git a/charts/k10/k10/4.5.1100/charts/grafana/templates/image-renderer-network-policy.yaml b/charts/k10/k10/4.5.1100/charts/grafana/templates/image-renderer-network-policy.yaml new file mode 100644 index 000000000..3730e7eba --- /dev/null +++ b/charts/k10/k10/4.5.1100/charts/grafana/templates/image-renderer-network-policy.yaml 
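Review bot: The container `securityContext` drops capabilities with `drop: ['all']`, but Kubernetes documents the value as `ALL`. As far as I know the Pod Security admission check for the restricted profile compares it case-sensitively, so this pod can be rejected or flagged there even though container runtimes generally accept the lowercase form. Use `drop: ['ALL']`. The container also sets no `runAsNonRoot` and leaves that to the optional `imageRenderer.securityContext`; adding `runAsNonRoot: true` next to `allowPrivilegeEscalation: false` would make the hardening independent of values.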
@@ -0,0 +1,78 @@ +{{- if .Values.enabled }} +{{- if and (.Values.imageRenderer.enabled) (.Values.imageRenderer.networkPolicy.limitIngress) }} +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: {{ template "grafana.fullname" . }}-image-renderer-ingress + namespace: {{ template "grafana.namespace" . }} + annotations: + comment: Limit image-renderer ingress traffic from grafana +spec: + podSelector: + matchLabels: + {{- include "grafana.imageRenderer.selectorLabels" . | nindent 6 }} + {{- if .Values.imageRenderer.podLabels }} + {{ toYaml .Values.imageRenderer.podLabels | nindent 6 }} + {{- end }} + + policyTypes: + - Ingress + ingress: + - ports: + - port: {{ .Values.imageRenderer.service.port }} + protocol: TCP + from: + - namespaceSelector: + matchLabels: + name: {{ template "grafana.namespace" . }} + podSelector: + matchLabels: + {{- include "grafana.selectorLabels" . | nindent 14 }} + {{- if .Values.podLabels }} + {{ toYaml .Values.podLabels | nindent 14 }} + {{- end }} +{{ end }} + +{{- if and (.Values.imageRenderer.enabled) (.Values.imageRenderer.networkPolicy.limitEgress) }} +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: {{ template "grafana.fullname" . }}-image-renderer-egress + namespace: {{ template "grafana.namespace" . }} + annotations: + comment: Limit image-renderer egress traffic to grafana +spec: + podSelector: + matchLabels: + {{- include "grafana.imageRenderer.selectorLabels" . | nindent 6 }} + {{- if .Values.imageRenderer.podLabels }} + {{ toYaml .Values.imageRenderer.podLabels | nindent 6 }} + {{- end }} + + policyTypes: + - Egress + egress: + # allow dns resolution + - ports: + - port: 53 + protocol: UDP + - port: 53 + protocol: TCP + # talk only to grafana + - ports: + - port: {{ .Values.service.port }} + protocol: TCP + to: + - namespaceSelector: + matchLabels: + name: {{ template "grafana.namespace" . }} + podSelector: + matchLabels: + {{- include "grafana.selectorLabels" . 
| nindent 14 }} + {{- if .Values.podLabels }} + {{ toYaml .Values.podLabels | nindent 14 }} + {{- end }} +{{ end }} +{{- end}} diff --git a/charts/k10/k10/4.5.1100/charts/grafana/templates/image-renderer-service.yaml b/charts/k10/k10/4.5.1100/charts/grafana/templates/image-renderer-service.yaml new file mode 100644 index 000000000..530931327 --- /dev/null +++ b/charts/k10/k10/4.5.1100/charts/grafana/templates/image-renderer-service.yaml @@ -0,0 +1,32 @@ +{{- if .Values.enabled }} +{{ if .Values.imageRenderer.enabled }} +{{ if .Values.imageRenderer.service.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: {{ template "grafana.fullname" . }}-image-renderer + namespace: {{ template "grafana.namespace" . }} + labels: + {{- include "grafana.imageRenderer.labels" . | nindent 4 }} +{{- if .Values.imageRenderer.service.labels }} +{{ toYaml .Values.imageRenderer.service.labels | indent 4 }} +{{- end }} +{{- with .Values.imageRenderer.service.annotations }} + annotations: +{{ toYaml . | indent 4 }} +{{- end }} +spec: + type: ClusterIP + {{- if .Values.imageRenderer.service.clusterIP }} + clusterIP: {{ .Values.imageRenderer.service.clusterIP }} + {{end}} + ports: + - name: {{ .Values.imageRenderer.service.portName }} + port: {{ .Values.imageRenderer.service.port }} + protocol: TCP + targetPort: {{ .Values.imageRenderer.service.targetPort }} + selector: + {{- include "grafana.imageRenderer.selectorLabels" . | nindent 4 }} +{{ end }} +{{ end }} +{{- end}} diff --git a/charts/k10/k10/4.5.1100/charts/grafana/templates/ingress.yaml b/charts/k10/k10/4.5.1100/charts/grafana/templates/ingress.yaml new file mode 100644 index 000000000..80dbc798b --- /dev/null +++ b/charts/k10/k10/4.5.1100/charts/grafana/templates/ingress.yaml 
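Review bot: Both image-renderer policies select the Grafana namespace with `namespaceSelector` / `matchLabels` / `name: {{ template "grafana.namespace" . }}`, but Kubernetes does not put a `name` label on namespaces by itself; the label it sets automatically is `kubernetes.io/metadata.name`. On a namespace without a hand-added `name` label the ingress rule matches no peer and the egress rule allows only DNS, so the renderer is cut off from Grafana. Either match on `kubernetes.io/metadata.name: {{ template "grafana.namespace" . }}` or state the required namespace label in a comment above each `namespaceSelector`. The `# allow dns resolution` rule has no `to` clause, so port 53 is open to any destination, which is worth narrowing to the cluster DNS pods if this policy is meant as a tight egress limit.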
@@ -0,0 +1,80 @@ +{{- if .Values.enabled }} +{{- if .Values.ingress.enabled -}} +{{- $ingressApiIsStable := eq (include "grafana.ingress.isStable" .) "true" -}} +{{- $ingressSupportsIngressClassName := eq (include "grafana.ingress.supportsIngressClassName" .) "true" -}} +{{- $ingressSupportsPathType := eq (include "grafana.ingress.supportsPathType" .) "true" -}} +{{- $fullName := include "grafana.fullname" . -}} +{{- $servicePort := .Values.service.port -}} +{{- $ingressPath := .Values.ingress.path -}} +{{- $ingressPathType := .Values.ingress.pathType -}} +{{- $extraPaths := .Values.ingress.extraPaths -}} +apiVersion: {{ include "grafana.ingress.apiVersion" . }} +kind: Ingress +metadata: + name: {{ $fullName }} + namespace: {{ template "grafana.namespace" . }} + labels: + {{- include "grafana.labels" . | nindent 4 }} +{{- if .Values.ingress.labels }} +{{ toYaml .Values.ingress.labels | indent 4 }} +{{- end }} + {{- if .Values.ingress.annotations }} + annotations: + {{- range $key, $value := .Values.ingress.annotations }} + {{ $key }}: {{ tpl $value $ | quote }} + {{- end }} + {{- end }} +spec: + {{- if and $ingressSupportsIngressClassName .Values.ingress.ingressClassName }} + ingressClassName: {{ .Values.ingress.ingressClassName }} + {{- end -}} +{{- if .Values.ingress.tls }} + tls: +{{ tpl (toYaml .Values.ingress.tls) $ | indent 4 }} +{{- end }} + rules: + {{- if .Values.ingress.hosts }} + {{- range .Values.ingress.hosts }} + - host: {{ tpl . 
$}} + http: + paths: +{{- if $extraPaths }} +{{ toYaml $extraPaths | indent 10 }} +{{- end }} + - path: {{ $ingressPath }} + {{- if $ingressSupportsPathType }} + pathType: {{ $ingressPathType }} + {{- end }} + backend: + {{- if $ingressApiIsStable }} + service: + name: {{ $fullName }} + port: + number: {{ $servicePort }} + {{- else }} + serviceName: {{ $fullName }} + servicePort: {{ $servicePort }} + {{- end }} + {{- end }} + {{- else }} + - http: + paths: + - backend: + {{- if $ingressApiIsStable }} + service: + name: {{ $fullName }} + port: + number: {{ $servicePort }} + {{- else }} + serviceName: {{ $fullName }} + servicePort: {{ $servicePort }} + {{- end }} + {{- if $ingressPath }} + path: {{ $ingressPath }} + {{- end }} + {{- if $ingressSupportsPathType }} + pathType: {{ $ingressPathType }} + {{- end }} + {{- end -}} +{{- end }} +{{- end }} diff --git a/charts/k10/k10/4.5.1100/charts/grafana/templates/networkpolicy.yaml b/charts/k10/k10/4.5.1100/charts/grafana/templates/networkpolicy.yaml new file mode 100644 index 000000000..591ac7286 --- /dev/null +++ b/charts/k10/k10/4.5.1100/charts/grafana/templates/networkpolicy.yaml @@ -0,0 +1,18 @@ +{{- if .Values.enabled }} +{{ if .Values.service.enabled}} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: {{ template "grafana.name" . }}-network-policy + namespace: {{ template "grafana.namespace" . }} +spec: + podSelector: + matchLabels: + release: {{ .Release.Name }} + app: {{ template "grafana.name" . }} + ingress: + - { } + egress: + - { } +{{- end }} +{{- end }} diff --git a/charts/k10/k10/4.5.1100/charts/grafana/templates/poddisruptionbudget.yaml b/charts/k10/k10/4.5.1100/charts/grafana/templates/poddisruptionbudget.yaml new file mode 100644 index 000000000..c1ee81e61 --- /dev/null +++ b/charts/k10/k10/4.5.1100/charts/grafana/templates/poddisruptionbudget.yaml 
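Review bot: In networkpolicy.yaml the entries `ingress: - { }` and `egress: - { }` are empty rules, which match every source and every destination, so this policy allows all traffic to and from the selected Grafana pods. Because NetworkPolicies are additive, it also cancels a namespace-wide default-deny policy for those pods. If the intent is only to let the K10 gateway reach Grafana and Grafana reach Prometheus, give the ingress rule a `from` selector plus `ports: - port: {{ .Values.service.targetPort }}` and limit egress to DNS and the Prometheus service. The `podSelector` matches on `release` and `app`, while the other templates select pods through `grafana.selectorLabels`; that helper is not visible in this part of the patch, so confirm the two sets of labels agree.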
@@ -0,0 +1,24 @@ +{{- if .Values.enabled }} +{{- if .Values.podDisruptionBudget }} +apiVersion: policy/v1beta1 +kind: PodDisruptionBudget +metadata: + name: {{ template "grafana.fullname" . }} + namespace: {{ template "grafana.namespace" . }} + labels: + {{- include "grafana.labels" . | nindent 4 }} +{{- if .Values.labels }} +{{ toYaml .Values.labels | indent 4 }} +{{- end }} +spec: +{{- if .Values.podDisruptionBudget.minAvailable }} + minAvailable: {{ .Values.podDisruptionBudget.minAvailable }} +{{- end }} +{{- if .Values.podDisruptionBudget.maxUnavailable }} + maxUnavailable: {{ .Values.podDisruptionBudget.maxUnavailable }} +{{- end }} + selector: + matchLabels: + {{- include "grafana.selectorLabels" . | nindent 6 }} +{{- end }} +{{- end }} diff --git a/charts/k10/k10/4.5.1100/charts/grafana/templates/podsecuritypolicy.yaml b/charts/k10/k10/4.5.1100/charts/grafana/templates/podsecuritypolicy.yaml new file mode 100644 index 000000000..0f4e58942 --- /dev/null +++ b/charts/k10/k10/4.5.1100/charts/grafana/templates/podsecuritypolicy.yaml 
@@ -0,0 +1,51 @@
+{{- if .Values.enabled }}
+{{- if .Values.rbac.pspEnabled }}
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+ name: {{ template "grafana.fullname" . }}
+ labels:
+ {{- include "grafana.labels" . | nindent 4 }}
+ annotations:
+ seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default,runtime/default'
+ seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default'
+ {{- if .Values.rbac.pspUseAppArmor }}
+ apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
+ apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
+ {{- end }}
+spec:
+ privileged: false
+ allowPrivilegeEscalation: false
+ requiredDropCapabilities:
+ # Default set from Docker, with DAC_OVERRIDE and CHOWN
+ - ALL
+ volumes:
+ - 'configMap'
+ - 'emptyDir'
+ - 'projected'
+ - 'csi'
+ - 'secret'
+ - 'downwardAPI'
+ - 'persistentVolumeClaim'
+ hostNetwork: false
+ hostIPC: false
+ hostPID: false
+ runAsUser:
+ rule: 'MustRunAsNonRoot'
+ seLinux:
+ rule: 'RunAsAny'
+ supplementalGroups:
+ rule: 'MustRunAs'
+ ranges:
+ # Forbid adding the root group.
+ - min: 1
+ max: 65535
+ fsGroup:
+ rule: 'MustRunAs'
+ ranges:
+ # Forbid adding the root group.
+ - min: 1
+ max: 65535
+ readOnlyRootFilesystem: false
+{{- end }}
+{{- end }}
diff --git a/charts/k10/k10/4.5.1100/charts/grafana/templates/pvc.yaml b/charts/k10/k10/4.5.1100/charts/grafana/templates/pvc.yaml
new file mode 100644
index 000000000..4389846c7
--- /dev/null
+++ b/charts/k10/k10/4.5.1100/charts/grafana/templates/pvc.yaml
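Review bot: The comment `# Default set from Docker, with DAC_OVERRIDE and CHOWN` above the `requiredDropCapabilities` entries does not match the list, which is just `- ALL`; it reads as though two capabilities were kept. Replace it with `# Drop all capabilities` so the policy's intent is clear to whoever audits it. The seccomp annotations default to `docker/default`, which Kubernetes documents as deprecated in favour of `runtime/default`; the latter is already in the allowed list and is the better default. `readOnlyRootFilesystem: false` is set without a stated reason and deserves a one-line comment naming the path that has to stay writable.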
@@ -0,0 +1,33 @@ +{{- if .Values.enabled }} +{{- if and .Values.global.persistence.enabled (not .Values.persistence.existingClaim) (eq .Values.persistence.type "pvc")}} +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: {{ template "grafana.fullname" . }} + namespace: {{ template "grafana.namespace" . }} + labels: + {{- include "grafana.labels" . | nindent 4 }} + {{- with .Values.persistence.annotations }} + annotations: +{{ toYaml . | indent 4 }} + {{- end }} + {{- with .Values.persistence.finalizers }} + finalizers: +{{ toYaml . | indent 4 }} + {{- end }} +spec: + accessModes: + - {{ .Values.global.persistence.accessMode }} + resources: + requests: + storage: {{ default .Values.global.persistence.size .Values.global.persistence.grafana.size | quote }} + {{- if .Values.global.persistence.storageClass }} + storageClassName: {{ .Values.global.persistence.storageClass }} + {{- end -}} + {{- with .Values.persistence.selectorLabels }} + selector: + matchLabels: +{{ toYaml . | indent 6 }} + {{- end }} +{{- end }} +{{- end}} diff --git a/charts/k10/k10/4.5.1100/charts/grafana/templates/role.yaml b/charts/k10/k10/4.5.1100/charts/grafana/templates/role.yaml new file mode 100644 index 000000000..ab67f1d5b --- /dev/null +++ b/charts/k10/k10/4.5.1100/charts/grafana/templates/role.yaml 
@@ -0,0 +1,34 @@
+{{- if .Values.enabled }}
+{{- if and .Values.rbac.create (not .Values.rbac.useExistingRole) -}}
+apiVersion: {{ template "grafana.rbac.apiVersion" . }}
+kind: Role
+metadata:
+ name: {{ template "grafana.fullname" . }}
+ namespace: {{ template "grafana.namespace" . }}
+ labels:
+ {{- include "grafana.labels" . | nindent 4 }}
+{{- with .Values.annotations }}
+ annotations:
+{{ toYaml . | indent 4 }}
+{{- end }}
+{{- if or .Values.rbac.pspEnabled (and .Values.rbac.namespaced (or .Values.sidecar.dashboards.enabled (or .Values.sidecar.datasources.enabled .Values.rbac.extraRoleRules))) }}
+rules:
+{{- if .Values.rbac.pspEnabled }}
+- apiGroups: ['extensions']
+ resources: ['podsecuritypolicies']
+ verbs: ['use']
+ resourceNames: [{{ template "grafana.fullname" . }}]
+{{- end }}
+{{- if and .Values.rbac.namespaced (or .Values.sidecar.dashboards.enabled .Values.sidecar.datasources.enabled) }}
+- apiGroups: [""] # "" indicates the core API group
+ resources: ["configmaps", "secrets"]
+ verbs: ["get", "watch", "list"]
+{{- end }}
+{{- with .Values.rbac.extraRoleRules }}
+{{ toYaml . | indent 0 }}
+{{- end}}
+{{- else }}
+rules: []
+{{- end }}
+{{- end }}
+{{- end}}
diff --git a/charts/k10/k10/4.5.1100/charts/grafana/templates/rolebinding.yaml b/charts/k10/k10/4.5.1100/charts/grafana/templates/rolebinding.yaml
new file mode 100644
index 000000000..bd0bd5dea
--- /dev/null
+++ b/charts/k10/k10/4.5.1100/charts/grafana/templates/rolebinding.yaml
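Review bot: With `rbac.namespaced` set and either sidecar enabled, the rule `resources: ["configmaps", "secrets"]` with `verbs: ["get", "watch", "list"]` lets the Grafana ServiceAccount read every Secret in the namespace, including the admin credentials that secret.yaml creates there and any other Secret sharing the namespace. Keep the default at `resources: ["configmaps"]` and grant `secrets` only when a sidecar is actually configured to load from Secrets. Separately, the PSP rule uses `apiGroups: ['extensions']` while podsecuritypolicy.yaml creates the policy under `policy/v1beta1`; `apiGroups: ['policy']` is the group the `use` verb is documented against.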
@@ -0,0 +1,27 @@ +{{- if .Values.enabled }} +{{- if .Values.rbac.create -}} +apiVersion: {{ template "grafana.rbac.apiVersion" . }} +kind: RoleBinding +metadata: + name: {{ template "grafana.fullname" . }} + namespace: {{ template "grafana.namespace" . }} + labels: + {{- include "grafana.labels" . | nindent 4 }} +{{- with .Values.annotations }} + annotations: +{{ toYaml . | indent 4 }} +{{- end }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role +{{- if (not .Values.rbac.useExistingRole) }} + name: {{ template "grafana.fullname" . }} +{{- else }} + name: {{ .Values.rbac.useExistingRole }} +{{- end }} +subjects: +- kind: ServiceAccount + name: {{ template "grafana.serviceAccountName" . }} + namespace: {{ template "grafana.namespace" . }} +{{- end -}} +{{- end}} diff --git a/charts/k10/k10/4.5.1100/charts/grafana/templates/secret-env.yaml b/charts/k10/k10/4.5.1100/charts/grafana/templates/secret-env.yaml new file mode 100644 index 000000000..be272234c --- /dev/null +++ b/charts/k10/k10/4.5.1100/charts/grafana/templates/secret-env.yaml @@ -0,0 +1,16 @@ +{{- if .Values.enabled }} +{{- if .Values.envRenderSecret }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "grafana.fullname" . }}-env + namespace: {{ template "grafana.namespace" . }} + labels: + {{- include "grafana.labels" . | nindent 4 }} +type: Opaque +data: +{{- range $key, $val := .Values.envRenderSecret }} + {{ $key }}: {{ $val | b64enc | quote }} +{{- end -}} +{{- end }} +{{- end}} diff --git a/charts/k10/k10/4.5.1100/charts/grafana/templates/secret.yaml b/charts/k10/k10/4.5.1100/charts/grafana/templates/secret.yaml new file mode 100644 index 000000000..1bcd865d5 --- /dev/null +++ b/charts/k10/k10/4.5.1100/charts/grafana/templates/secret.yaml 
@@ -0,0 +1,28 @@ +{{- if .Values.enabled }} +{{- if and (or (and (not .Values.admin.existingSecret) (not .Values.env.GF_SECURITY_ADMIN_PASSWORD__FILE) (not .Values.env.GF_SECURITY_ADMIN_PASSWORD)) (and .Values.ldap.enabled (not .Values.ldap.existingSecret))) (not .Values.env.GF_SECURITY_DISABLE_INITIAL_ADMIN_CREATION) }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "grafana.fullname" . }} + namespace: {{ template "grafana.namespace" . }} + labels: + {{- include "grafana.labels" . | nindent 4 }} +{{- with .Values.annotations }} + annotations: +{{ toYaml . | indent 4 }} +{{- end }} +type: Opaque +data: + {{- if and (not .Values.admin.existingSecret) (not .Values.env.GF_SECURITY_ADMIN_PASSWORD__FILE) (not .Values.env.GF_SECURITY_ADMIN_PASSWORD) }} + admin-user: {{ .Values.adminUser | b64enc | quote }} + {{- if .Values.adminPassword }} + admin-password: {{ .Values.adminPassword | b64enc | quote }} + {{- else }} + admin-password: {{ template "grafana.password" . }} + {{- end }} + {{- end }} + {{- if not .Values.ldap.existingSecret }} + ldap-toml: {{ tpl .Values.ldap.config $ | b64enc | quote }} + {{- end }} +{{- end }} +{{- end}} diff --git a/charts/k10/k10/4.5.1100/charts/grafana/templates/service.yaml b/charts/k10/k10/4.5.1100/charts/grafana/templates/service.yaml new file mode 100644 index 000000000..5f21759c9 --- /dev/null +++ b/charts/k10/k10/4.5.1100/charts/grafana/templates/service.yaml 
@@ -0,0 +1,58 @@ +{{- if .Values.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: {{ template "grafana.fullname" . }} + namespace: {{ template "grafana.namespace" . }} + labels: + {{- include "grafana.labels" . | nindent 4 }} +{{- if .Values.service.labels }} +{{ toYaml .Values.service.labels | indent 4 }} +{{- end }} + annotations: + getambassador.io/config: | + --- + apiVersion: ambassador/v1 + kind: Mapping + name: grafana-server-mapping + prefix: /{{- include "k10.ingressPath" . | trimSuffix "/" }}/grafana/ + rewrite: / + service: {{ template "grafana.fullname" .}}:{{ .Values.service.port }} + timeout_ms: 15000 + +spec: +{{- if (or (eq .Values.service.type "ClusterIP") (empty .Values.service.type)) }} + type: ClusterIP + {{- if .Values.service.clusterIP }} + clusterIP: {{ .Values.service.clusterIP }} + {{end}} +{{- else if eq .Values.service.type "LoadBalancer" }} + type: {{ .Values.service.type }} + {{- if .Values.service.loadBalancerIP }} + loadBalancerIP: {{ .Values.service.loadBalancerIP }} + {{- end }} + {{- if .Values.service.loadBalancerSourceRanges }} + loadBalancerSourceRanges: +{{ toYaml .Values.service.loadBalancerSourceRanges | indent 4 }} + {{- end -}} +{{- else }} + type: {{ .Values.service.type }} +{{- end }} +{{- if .Values.service.externalIPs }} + externalIPs: +{{ toYaml .Values.service.externalIPs | indent 4 }} +{{- end }} + ports: + - name: {{ .Values.service.portName }} + port: {{ .Values.service.port }} + protocol: TCP + targetPort: {{ .Values.service.targetPort }} +{{ if (and (eq .Values.service.type "NodePort") (not (empty .Values.service.nodePort))) }} + nodePort: {{.Values.service.nodePort}} +{{ end }} + {{- if .Values.extraExposePorts }} + {{- tpl (toYaml .Values.extraExposePorts) . | indent 4 }} + {{- end }} + selector: + {{- include "grafana.selectorLabels" . | nindent 4 }} +{{- end }} 
diff --git a/charts/k10/k10/4.5.1100/charts/grafana/templates/serviceaccount.yaml b/charts/k10/k10/4.5.1100/charts/grafana/templates/serviceaccount.yaml
new file mode 100644
index 000000000..4d178e1b5
--- /dev/null
+++ b/charts/k10/k10/4.5.1100/charts/grafana/templates/serviceaccount.yaml
@@ -0,0 +1,15 @@
+{{- if .Values.enabled }}
+{{- if .Values.serviceAccount.create }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ labels:
+ {{- include "grafana.labels" . | nindent 4 }}
+{{- with .Values.serviceAccount.annotations }}
+ annotations:
+{{ toYaml . | indent 4 }}
+{{- end }}
+ name: {{ template "grafana.serviceAccountName" . }}
+ namespace: {{ template "grafana.namespace" . }}
+{{- end }}
+{{- end}}
diff --git a/charts/k10/k10/4.5.1100/charts/grafana/templates/servicemonitor.yaml b/charts/k10/k10/4.5.1100/charts/grafana/templates/servicemonitor.yaml
new file mode 100644
index 000000000..cbe9890d8
--- /dev/null
+++ b/charts/k10/k10/4.5.1100/charts/grafana/templates/servicemonitor.yaml
@@ -0,0 +1,42 @@ +{{- if .Values.enabled }} +{{- if .Values.serviceMonitor.enabled }} +--- +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: {{ template "grafana.fullname" . }} + {{- if .Values.serviceMonitor.namespace }} + namespace: {{ .Values.serviceMonitor.namespace }} + {{- end }} + labels: + {{- include "grafana.labels" . | nindent 4 }} + {{- if .Values.serviceMonitor.labels }} + {{- toYaml .Values.serviceMonitor.labels | nindent 4 }} + {{- end }} +spec: + endpoints: + - interval: {{ .Values.serviceMonitor.interval }} + {{- if .Values.serviceMonitor.scrapeTimeout }} + scrapeTimeout: {{ .Values.serviceMonitor.scrapeTimeout }} + {{- end }} + honorLabels: true + port: {{ .Values.service.portName }} + path: {{ .Values.serviceMonitor.path }} + scheme: {{ .Values.serviceMonitor.scheme }} + {{- if .Values.serviceMonitor.tlsConfig }} + tlsConfig: + {{- toYaml .Values.serviceMonitor.tlsConfig | nindent 6 }} + {{- end }} + {{- if .Values.serviceMonitor.relabelings }} + relabelings: + {{- toYaml .Values.serviceMonitor.relabelings | nindent 4 }} + {{- end }} + jobLabel: "{{ .Release.Name }}" + selector: + matchLabels: + {{- include "grafana.selectorLabels" . | nindent 8 }} + namespaceSelector: + matchNames: + - {{ .Release.Namespace }} +{{- end }} +{{- end}} diff --git a/charts/k10/k10/4.5.1100/charts/grafana/templates/statefulset.yaml b/charts/k10/k10/4.5.1100/charts/grafana/templates/statefulset.yaml new file mode 100644 index 000000000..86f04c1a5 --- /dev/null +++ b/charts/k10/k10/4.5.1100/charts/grafana/templates/statefulset.yaml 
@@ -0,0 +1,55 @@
+{{- if .Values.enabled }}
+{{- if and .Values.global.persistence.enabled (not .Values.persistence.existingClaim) (eq .Values.persistence.type "statefulset")}}
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+ name: {{ template "grafana.fullname" . }}
+ namespace: {{ template "grafana.namespace" . }}
+ labels:
+ {{- include "grafana.labels" . | nindent 4 }}
+{{- with .Values.annotations }}
+ annotations:
+{{ toYaml . | indent 4 }}
+{{- end }}
+spec:
+ replicas: {{ .Values.replicas }}
+ selector:
+ matchLabels:
+ {{- include "grafana.selectorLabels" . | nindent 6 }}
+ serviceName: {{ template "grafana.fullname" . }}-headless
+ template:
+ metadata:
+ labels:
+ {{- include "grafana.selectorLabels" . | nindent 8 }}
+{{- with .Values.podLabels }}
+{{ toYaml . | indent 8 }}
+{{- end }}
+ annotations:
+ checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
+ checksum/dashboards-json-config: {{ include (print $.Template.BasePath "/dashboards-json-configmap.yaml") . | sha256sum }}
+ checksum/sc-dashboard-provider-config: {{ include (print $.Template.BasePath "/configmap-dashboard-provider.yaml") . | sha256sum }}
+ {{- if and (or (and (not .Values.admin.existingSecret) (not .Values.env.GF_SECURITY_ADMIN_PASSWORD__FILE) (not .Values.env.GF_SECURITY_ADMIN_PASSWORD)) (and .Values.ldap.enabled (not .Values.ldap.existingSecret))) (not .Values.env.GF_SECURITY_DISABLE_INITIAL_ADMIN_CREATION) }}
+ checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }}
+{{- end }}
+{{- with .Values.podAnnotations }}
+{{ toYaml . | indent 8 }}
+{{- end }}
+ spec:
+ {{- include "grafana.pod" . | nindent 6 }}
+ volumeClaimTemplates:
+ - metadata:
+ name: storage
+ spec:
+ accessModes:
+ - {{ .Values.global.persistence.accessMode }}
+ storageClassName: {{ .Values.global.persistence.storageClass }}
+ resources:
+ requests:
+ storage: {{ .Values.global.persistence.size }}
+ {{- with .Values.persistence.selectorLabels }}
+ selector:
+ matchLabels:
+{{ toYaml . | indent 10 }}
+ {{- end }}
+{{- end }}
+{{- end}}
diff --git a/charts/k10/k10/4.5.1100/charts/grafana/values.yaml b/charts/k10/k10/4.5.1100/charts/grafana/values.yaml
new file mode 100644
index 000000000..be8b5f6fc
--- /dev/null
+++ b/charts/k10/k10/4.5.1100/charts/grafana/values.yaml
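Review bot: The `volumeClaimTemplates` block in templates/statefulset.yaml takes `accessMode`, `storageClass` and `size` from `.Values.global.persistence`, while the gate on the second line still consults `.Values.persistence.existingClaim` and `.Values.persistence.type`, and this commit's values.yaml documents `size`, `accessModes` and `storageClassName` under the local `persistence:` key. An operator who sets the local keys gets no effect in this template, and nothing in the file says so. A template comment above `volumeClaimTemplates`, for example `{{- /* size, accessMode and storageClass come from global.persistence; the local persistence.* sizing keys are not read here */ -}}`, would document the split. Where the global values are defined is outside this section, so if they can be unset it would also be worth failing the render early, e.g. `- {{ required "global.persistence.accessMode is required" .Values.global.persistence.accessMode }}`.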
@@ -0,0 +1,3126 @@ +# Value to control if grafana installation +enabled: true + +# Values for prometheus datasource +prometheusName: prometheus-server +prometheusPrefixURL: /k10/prometheus + +#general purpose image for init container +ubi: + image: + repository: registry.access.redhat.com/ubi8/ubi-minimal + tag: 8.5-230.1645809059 + pullPolicy: IfNotPresent + +k10image: + registry: gcr.io + repository: kasten-images + +rbac: + create: true + ## Use an existing ClusterRole/Role (depending on rbac.namespaced false/true) + # useExistingRole: name-of-some-(cluster)role + pspEnabled: true + pspUseAppArmor: true + namespaced: false + extraRoleRules: [] + # - apiGroups: [] + # resources: [] + # verbs: [] + extraClusterRoleRules: [] + # - apiGroups: [] + # resources: [] + # verbs: [] +serviceAccount: + create: true + name: + nameTest: +# annotations: +# eks.amazonaws.com/role-arn: arn:aws:iam::123456789000:role/iam-role-name-here + autoMount: true + +replicas: 1 + +## Create HorizontalPodAutoscaler object for deployment type +# +autoscaling: + enabled: false +# minReplicas: 1 +# maxReplicas: 10 +# metrics: +# - type: Resource +# resource: +# name: cpu +# targetAverageUtilization: 60 +# - type: Resource +# resource: +# name: memory +# targetAverageUtilization: 60 + +## See `kubectl explain poddisruptionbudget.spec` for more +## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/ +podDisruptionBudget: {} +# minAvailable: 1 +# maxUnavailable: 1 + +## See `kubectl explain deployment.spec.strategy` for more +## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy +deploymentStrategy: + type: Recreate + +readinessProbe: + httpGet: + path: /api/health + port: 3000 + +livenessProbe: + httpGet: + path: /api/health + port: 3000 + initialDelaySeconds: 60 + timeoutSeconds: 30 + failureThreshold: 10 + +## Use an alternate scheduler, e.g. "stork". 
+## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ +## +# schedulerName: "default-scheduler" + +image: + repository: grafana/grafana + tag: 8.1.0 + sha: "" + pullPolicy: IfNotPresent + + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## + # pullSecrets: + # - myRegistrKeySecretName + +testFramework: + enabled: false + image: "bats/bats" + tag: "v1.1.0" + imagePullPolicy: IfNotPresent + securityContext: {} + +securityContext: + runAsUser: 472 + runAsGroup: 472 + fsGroup: 472 + +containerSecurityContext: + {} + +extraConfigmapMounts: [] + # - name: certs-configmap + # mountPath: /etc/grafana/ssl/ + # subPath: certificates.crt # (optional) + # configMap: certs-configmap + # readOnly: true + + +extraEmptyDirMounts: [] + # - name: provisioning-notifiers + # mountPath: /etc/grafana/provisioning/notifiers + + +# Apply extra labels to common labels. +extraLabels: {} + +## Assign a PriorityClassName to pods if set +# priorityClassName: + +downloadDashboardsImage: + repository: curlimages/curl + tag: 7.73.0 + sha: "" + pullPolicy: IfNotPresent + +downloadDashboards: + env: {} + envFromSecret: "" + resources: {} + +## Pod Annotations +# podAnnotations: {} + +## Pod Labels +# podLabels: {} + +podPortName: grafana + +## Deployment annotations +# annotations: {} + +## Expose the grafana service to be accessed from outside the cluster (LoadBalancer service). +## or access it from within the cluster (ClusterIP service). Set the service type and the port to serve it. 
+## ref: http://kubernetes.io/docs/user-guide/services/ +## + +service: + enabled: true + type: ClusterIP + port: 80 + targetPort: 3000 + # targetPort: 4181 To be used with a proxy extraContainer + annotations: {} + labels: {} + portName: service + +serviceMonitor: + ## If true, a ServiceMonitor CRD is created for a prometheus operator + ## https://github.com/coreos/prometheus-operator + ## + enabled: false + path: /metrics + # namespace: monitoring (defaults to use the namespace this chart is deployed to) + labels: {} + interval: 1m + scheme: http + tlsConfig: {} + scrapeTimeout: 30s + relabelings: [] + +extraExposePorts: [] + # - name: keycloak + # port: 8080 + # targetPort: 8080 + # type: ClusterIP + +# overrides pod.spec.hostAliases in the grafana deployment's pods +hostAliases: [] + # - ip: "1.2.3.4" + # hostnames: + # - "my.host.com" + +ingress: + enabled: false + # For Kubernetes >= 1.18 you should specify the ingress-controller via the field ingressClassName + # See https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/#specifying-the-class-of-an-ingress + # ingressClassName: nginx + # Values can be templated + annotations: {} + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: "true" + labels: {} + path: / + + # pathType is only for k8s >= 1.1= + pathType: Prefix + + hosts: + - chart-example.local + ## Extra paths to prepend to every host configuration. This is useful when working with annotation based services. 
+ extraPaths: [] + # - path: /* + # backend: + # serviceName: ssl-redirect + # servicePort: use-annotation + ## Or for k8s > 1.19 + # - path: /* + # pathType: Prefix + # backend: + # service: + # name: ssl-redirect + # port: + # name: use-annotation + + + tls: [] + # - secretName: chart-example-tls + # hosts: + # - chart-example.local + +resources: {} +# limits: +# cpu: 100m +# memory: 128Mi +# requests: +# cpu: 100m +# memory: 128Mi + +## Node labels for pod assignment +## ref: https://kubernetes.io/docs/user-guide/node-selection/ +# +nodeSelector: {} + +## Tolerations for pod assignment +## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ +## +tolerations: [] + +## Affinity for pod assignment +## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity +## +affinity: {} + +extraInitContainers: [] + +## Enable an Specify container in extraContainers. This is meant to allow adding an authentication proxy to a grafana pod +extraContainers: | +# - name: proxy +# image: quay.io/gambol99/keycloak-proxy:latest +# args: +# - -provider=github +# - -client-id= +# - -client-secret= +# - -github-org= +# - -email-domain=* +# - -cookie-secret= +# - -http-address=http://0.0.0.0:4181 +# - -upstream-url=http://127.0.0.1:3000 +# ports: +# - name: proxy-web +# containerPort: 4181 + +## Volumes that can be used in init containers that will not be mounted to deployment pods +extraContainerVolumes: [] +# - name: volume-from-secret +# secret: +# secretName: secret-to-mount +# - name: empty-dir-volume +# emptyDir: {} + +## Enable persistence using Persistent Volume Claims +## ref: http://kubernetes.io/docs/user-guide/persistent-volumes/ +## +persistence: + type: pvc + enabled: true + # storageClassName: default + accessModes: + - ReadWriteOnce + size: 5Gi + # annotations: {} + finalizers: + - kubernetes.io/pvc-protection + # selectorLabels: {} + # subPath: "" + # existingClaim: + + ## If persistence is not enabled, 
this allows to mount the + ## local storage in-memory to improve performance + ## + inMemory: + enabled: false + ## The maximum usage on memory medium EmptyDir would be + ## the minimum value between the SizeLimit specified + ## here and the sum of memory limits of all containers in a pod + ## + # sizeLimit: 300Mi + +initChownData: + ## If false, data ownership will not be reset at startup + ## This allows the prometheus-server to be run with an arbitrary user + ## + enabled: true + + ## initChownData container image + ## +# image: +# repository: busybox +# tag: "1.31.1" +# sha: "" +# pullPolicy: IfNotPresent + + ## initChownData resource requests and limits + ## Ref: http://kubernetes.io/docs/user-guide/compute-resources/ + ## + resources: {} + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + + +# Administrator credentials when not using an existing secret (see below) +adminUser: admin +# adminPassword: strongpassword + +# Use an existing secret for the admin user. +admin: + existingSecret: "" + userKey: admin-user + passwordKey: admin-password + +## Define command to be executed at startup by grafana container +## Needed if using `vault-env` to manage secrets (ref: https://banzaicloud.com/blog/inject-secrets-into-pods-vault/) +## Default is "run.sh" as defined in grafana's Dockerfile +# command: +# - "sh" +# - "/run.sh" + +## Use an alternate scheduler, e.g. "stork". +## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ +## +# schedulerName: + +## Extra environment variables that will be pass onto deployment pods +## +## to provide grafana with access to CloudWatch on AWS EKS: +## 1. create an iam role of type "Web identity" with provider oidc.eks.* (note the provider for later) +## 2. 
edit the "Trust relationships" of the role, add a line inside the StringEquals clause using the +## same oidc eks provider as noted before (same as the existing line) +## also, replace NAMESPACE and prometheus-operator-grafana with the service account namespace and name +## +## "oidc.eks.us-east-1.amazonaws.com/id/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:sub": "system:serviceaccount:NAMESPACE:prometheus-operator-grafana", +## +## 3. attach a policy to the role, you can use a built in policy called CloudWatchReadOnlyAccess +## 4. use the following env: (replace 123456789000 and iam-role-name-here with your aws account number and role name) +## +## env: +## AWS_ROLE_ARN: arn:aws:iam::123456789000:role/iam-role-name-here +## AWS_WEB_IDENTITY_TOKEN_FILE: /var/run/secrets/eks.amazonaws.com/serviceaccount/token +## AWS_REGION: us-east-1 +## +## 5. uncomment the EKS section in extraSecretMounts: below +## 6. uncomment the annotation section in the serviceAccount: above +## make sure to replace arn:aws:iam::123456789000:role/iam-role-name-here with your role arn + +env: {} + +## "valueFrom" environment variable references that will be added to deployment pods +## ref: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.17/#envvarsource-v1-core +## Renders in container spec as: +## env: +## ... +## - name: +## valueFrom: +## +envValueFrom: {} + +## The name of a secret in the same kubernetes namespace which contain values to be added to the environment +## This can be useful for auth tokens, etc. Value is templated. +envFromSecret: "" + +## Sensible environment variables that will be rendered as new secret object +## This can be useful for auth tokens, etc +envRenderSecret: {} + +# Inject Kubernetes services as environment variables. +# See https://kubernetes.io/docs/concepts/services-networking/connect-applications-service/#environment-variables +enableServiceLinks: true + +## Additional grafana server secret mounts +# Defines additional mounts with secrets. 
Secrets must be manually created in the namespace. +extraSecretMounts: [] + # - name: secret-files + # mountPath: /etc/secrets + # secretName: grafana-secret-files + # readOnly: true + # subPath: "" + # + # for AWS EKS (cloudwatch) use the following (see also instruction in env: above) + # - name: aws-iam-token + # mountPath: /var/run/secrets/eks.amazonaws.com/serviceaccount + # readOnly: true + # projected: + # defaultMode: 420 + # sources: + # - serviceAccountToken: + # audience: sts.amazonaws.com + # expirationSeconds: 86400 + # path: token + # + # for CSI e.g. Azure Key Vault use the following + # - name: secrets-store-inline + # mountPath: /run/secrets + # readOnly: true + # csi: + # driver: secrets-store.csi.k8s.io + # readOnly: true + # volumeAttributes: + # secretProviderClass: "akv-grafana-spc" + # nodePublishSecretRef: # Only required when using service principal mode + # name: grafana-akv-creds # Only required when using service principal mode + +## Additional grafana server volume mounts +# Defines additional volume mounts. +extraVolumeMounts: [] + # - name: extra-volume-0 + # mountPath: /mnt/volume0 + # readOnly: true + # existingClaim: volume-claim + # - name: extra-volume-1 + # mountPath: /mnt/volume1 + # readOnly: true + # hostPath: /usr/shared/ + +## Pass the plugins you want installed as a list. 
+## +plugins: [] + # - digrich-bubblechart-panel + # - grafana-clock-panel + +## Configure grafana datasources +## ref: http://docs.grafana.org/administration/provisioning/#datasources +## +#datasources: +# datasources.yaml: +# apiVersion: 1 +# datasources: +# - name: Prometheus +# type: prometheus +# url: prometheus-server-exp/k10/prometheus +# access: proxy +# isDefault: true +# - name: CloudWatch +# type: cloudwatch +# access: proxy +# uid: cloudwatch +# editable: false +# jsonData: +# authType: default +# defaultRegion: us-east-1 + +## Configure notifiers +## ref: http://docs.grafana.org/administration/provisioning/#alert-notification-channels +## +notifiers: {} +# notifiers.yaml: +# notifiers: +# - name: email-notifier +# type: email +# uid: email1 +# # either: +# org_id: 1 +# # or +# org_name: Main Org. +# is_default: true +# settings: +# addresses: an_email_address@example.com +# delete_notifiers: + +## Configure grafana dashboard providers +## ref: http://docs.grafana.org/administration/provisioning/#dashboards +## +## `path` must be /var/lib/grafana/dashboards/ +## +dashboardProviders: + dashboardproviders.yaml: + apiVersion: 1 + providers: + - name: 'default' + orgId: 1 + folder: '' + type: file + disableDeletion: true + editable: false + options: + path: /var/lib/grafana/dashboards + +## Configure grafana dashboard to import +## NOTE: To use dashboards you must also enable/configure dashboardProviders +## ref: https://grafana.com/dashboards +## +## dashboards per provider, use provider name as key. 
+## +dashboards: + default: + default: + json: | + { + "annotations": { + "list": [ + { + "builtIn": 1, + "datasource": "-- Grafana --", + "enable": true, + "hide": true, + "iconColor": "rgba(0, 211, 255, 1)", + "name": "Annotations & Alerts", + "target": { + "limit": 100, + "matchAny": false, + "tags": [], + "type": "dashboard" + }, + "type": "dashboard" + } + ] + }, + "editable": true, + "gnetId": null, + "graphTooltip": 0, + "id": 1, + "iteration": 1645712665620, + "links": [], + "panels": [ + { + "collapsed": false, + "datasource": null, + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 0 + }, + "id": 18, + "panels": [], + "title": "Applications", + "type": "row" + }, + { + "datasource": "Prometheus", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [], + "noValue": "0", + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "yellow", + "value": null + }, + { + "color": "green", + "value": 1 + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 7, + "w": 5, + "x": 0, + "y": 1 + }, + "id": 24, + "interval": "1m", + "options": { + "colorMode": "value", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "last" + ], + "fields": "", + "values": false + }, + "text": {}, + "textMode": "auto" + }, + "pluginVersion": "8.1.8", + "targets": [ + { + "exemplar": false, + "expr": "sum(round(increase(action_backup_ended_overall{cluster=\"$cluster\", state=\"succeeded\"}[$__range])))", + "hide": false, + "interval": "", + "legendFormat": "", + "refId": "B" + } + ], + "timeFrom": null, + "title": "Backups Completed", + "type": "stat" + }, + { + "datasource": "Prometheus", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [ + { + "options": { + "0": { + "index": 0, + "text": "-" + } + }, + "type": "value" + } + ], + "noValue": "-", + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "text", + "value": 
null + }, + { + "color": "red", + "value": 1 + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 7, + "w": 3, + "x": 5, + "y": 1 + }, + "id": 33, + "interval": "1m", + "options": { + "colorMode": "value", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "last" + ], + "fields": "", + "values": false + }, + "text": {}, + "textMode": "auto" + }, + "pluginVersion": "8.1.8", + "targets": [ + { + "exemplar": false, + "expr": "sum(round(increase(action_backup_ended_overall{cluster=\"$cluster\", state=~\"failed|cancelled\"}[$__range])))", + "hide": false, + "interval": "", + "legendFormat": "", + "refId": "B" + } + ], + "timeFrom": null, + "title": "Backups Failed", + "type": "stat" + }, + { + "datasource": "Prometheus", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [ + { + "options": { + "0": { + "index": 0, + "text": "-" + } + }, + "type": "value" + } + ], + "noValue": "-", + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "text", + "value": null + }, + { + "color": "#EAB839", + "value": 1 + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 7, + "w": 3, + "x": 8, + "y": 1 + }, + "id": 34, + "interval": "1m", + "options": { + "colorMode": "value", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "last" + ], + "fields": "", + "values": false + }, + "text": {}, + "textMode": "auto" + }, + "pluginVersion": "8.1.8", + "targets": [ + { + "exemplar": false, + "expr": "sum(round(increase(action_backup_skipped_overall{cluster=\"$cluster\"}[$__range])))", + "hide": false, + "interval": "", + "legendFormat": "", + "refId": "B" + } + ], + "timeFrom": null, + "title": "Backups Skipped", + "type": "stat" + }, + { + "datasource": "Prometheus", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [ + { + "options": { + "0": { + "index": 0, + "text": 
"-" + } + }, + "type": "value" + } + ], + "noValue": "-", + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "text", + "value": null + }, + { + "color": "green", + "value": 1 + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 7, + "w": 5, + "x": 13, + "y": 1 + }, + "id": 35, + "interval": "1m", + "options": { + "colorMode": "value", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "last" + ], + "fields": "", + "values": false + }, + "text": {}, + "textMode": "auto" + }, + "pluginVersion": "8.1.8", + "targets": [ + { + "exemplar": false, + "expr": "sum(round(increase(action_restore_ended_overall{cluster=\"$cluster\", state=\"succeeded\"}[$__range])))", + "hide": false, + "interval": "", + "legendFormat": "", + "refId": "B" + } + ], + "timeFrom": null, + "title": "Restores Completed", + "type": "stat" + }, + { + "datasource": "Prometheus", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [ + { + "options": { + "0": { + "index": 0, + "text": "-" + } + }, + "type": "value" + } + ], + "noValue": "-", + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "text", + "value": null + }, + { + "color": "red", + "value": 1 + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 7, + "w": 3, + "x": 18, + "y": 1 + }, + "id": 36, + "interval": "1m", + "options": { + "colorMode": "value", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "last" + ], + "fields": "", + "values": false + }, + "text": {}, + "textMode": "auto" + }, + "pluginVersion": "8.1.8", + "targets": [ + { + "exemplar": false, + "expr": "sum(round(increase(action_restore_ended_overall{cluster=\"$cluster\", state=~\"failed|cancelled\"}[$__range])))", + "hide": false, + "interval": "", + "legendFormat": "", + "refId": "B" + } + ], + "timeFrom": null, + "title": "Restores Failed", + "type": "stat" + }, + { + 
"datasource": "Prometheus", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [ + { + "options": { + "0": { + "index": 0, + "text": "-" + } + }, + "type": "value" + } + ], + "noValue": "-", + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "text", + "value": null + }, + { + "color": "#EAB839", + "value": 1 + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 7, + "w": 3, + "x": 21, + "y": 1 + }, + "id": 23, + "interval": "1m", + "options": { + "colorMode": "value", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "last" + ], + "fields": "", + "values": false + }, + "text": {}, + "textMode": "auto" + }, + "pluginVersion": "8.1.8", + "targets": [ + { + "exemplar": false, + "expr": "sum(round(increase(action_restore_skipped_overall{cluster=\"$cluster\"}[$__range])))", + "hide": false, + "interval": "", + "legendFormat": "", + "refId": "B" + } + ], + "timeFrom": null, + "title": "Restores Skipped", + "type": "stat" + }, + { + "collapsed": false, + "datasource": null, + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 8 + }, + "id": 16, + "panels": [], + "title": "Cluster", + "type": "row" + }, + { + "datasource": "Prometheus", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [], + "noValue": "0", + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "yellow", + "value": null + }, + { + "color": "green", + "value": 1 + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 7, + "w": 5, + "x": 0, + "y": 9 + }, + "id": 10, + "interval": "1m", + "options": { + "colorMode": "value", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "last" + ], + "fields": "", + "values": false + }, + "text": {}, + "textMode": "auto" + }, + "pluginVersion": "8.1.8", + "targets": [ + { + "exemplar": false, + "expr": 
"sum(round(increase(action_backup_cluster_ended_overall{cluster=\"$cluster\", state=\"succeeded\"}[$__range])))", + "hide": false, + "interval": "", + "legendFormat": "", + "refId": "B" + } + ], + "timeFrom": null, + "title": "Cluster Backups Completed", + "type": "stat" + }, + { + "datasource": "Prometheus", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [ + { + "options": { + "0": { + "index": 0, + "text": "-" + } + }, + "type": "value" + } + ], + "noValue": "-", + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "text", + "value": null + }, + { + "color": "red", + "value": 1 + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 7, + "w": 3, + "x": 5, + "y": 9 + }, + "id": 19, + "interval": "1m", + "options": { + "colorMode": "value", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "last" + ], + "fields": "", + "values": false + }, + "text": {}, + "textMode": "auto" + }, + "pluginVersion": "8.1.8", + "targets": [ + { + "exemplar": false, + "expr": "sum(round(increase(action_backup_cluster_ended_overall{cluster=\"$cluster\", state=~\"failed|cancelled\"}[$__range])))", + "hide": false, + "interval": "", + "legendFormat": "", + "refId": "B" + } + ], + "timeFrom": null, + "title": "Cluster Backups Failed", + "type": "stat" + }, + { + "datasource": "Prometheus", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [ + { + "options": { + "0": { + "index": 0, + "text": "-" + } + }, + "type": "value" + } + ], + "noValue": "-", + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "text", + "value": null + }, + { + "color": "#EAB839", + "value": 1 + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 7, + "w": 3, + "x": 8, + "y": 9 + }, + "id": 28, + "interval": "1m", + "options": { + "colorMode": "value", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "auto", + 
"reduceOptions": { + "calcs": [ + "last" + ], + "fields": "", + "values": false + }, + "text": {}, + "textMode": "auto" + }, + "pluginVersion": "8.1.8", + "targets": [ + { + "exemplar": false, + "expr": "sum(round(increase(action_backup_cluster_skipped_overall{cluster=\"$cluster\"}[$__range])))", + "hide": false, + "interval": "", + "legendFormat": "", + "refId": "B" + } + ], + "timeFrom": null, + "title": "Cluster Backups Skipped", + "type": "stat" + }, + { + "datasource": "Prometheus", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [ + { + "options": { + "0": { + "index": 0, + "text": "-" + } + }, + "type": "value" + } + ], + "noValue": "-", + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "text", + "value": null + }, + { + "color": "green", + "value": 1 + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 7, + "w": 5, + "x": 13, + "y": 9 + }, + "id": 21, + "interval": "1m", + "options": { + "colorMode": "value", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "last" + ], + "fields": "", + "values": false + }, + "text": {}, + "textMode": "auto" + }, + "pluginVersion": "8.1.8", + "targets": [ + { + "exemplar": false, + "expr": "sum(round(increase(action_restore_cluster_ended_overall{cluster=\"$cluster\", state=\"succeeded\"}[$__range])))", + "hide": false, + "interval": "", + "legendFormat": "", + "refId": "B" + } + ], + "timeFrom": null, + "title": "Cluster Restores Completed", + "type": "stat" + }, + { + "datasource": "Prometheus", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [ + { + "options": { + "0": { + "index": 0, + "text": "-" + } + }, + "type": "value" + } + ], + "noValue": "-", + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "text", + "value": null + }, + { + "color": "red", + "value": 1 + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 7, + "w": 3, 
+ "x": 18, + "y": 9 + }, + "id": 22, + "interval": "1m", + "options": { + "colorMode": "value", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "last" + ], + "fields": "", + "values": false + }, + "text": {}, + "textMode": "auto" + }, + "pluginVersion": "8.1.8", + "targets": [ + { + "exemplar": false, + "expr": "sum(round(increase(action_restore_cluster_ended_overall{cluster=\"$cluster\", state=~\"failed|cancelled\"}[$__range])))", + "hide": false, + "interval": "", + "legendFormat": "", + "refId": "B" + } + ], + "timeFrom": null, + "title": "Cluster Restores Failed", + "type": "stat" + }, + { + "datasource": "Prometheus", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [ + { + "options": { + "0": { + "index": 0, + "text": "-" + } + }, + "type": "value" + } + ], + "noValue": "-", + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "text", + "value": null + }, + { + "color": "#EAB839", + "value": 1 + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 7, + "w": 3, + "x": 21, + "y": 9 + }, + "id": 25, + "interval": "1m", + "options": { + "colorMode": "value", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "last" + ], + "fields": "", + "values": false + }, + "text": {}, + "textMode": "auto" + }, + "pluginVersion": "8.1.8", + "targets": [ + { + "exemplar": false, + "expr": "sum(round(increase(action_restore_cluster_skipped_overall{cluster=\"$cluster\"}[$__range])))", + "hide": false, + "interval": "", + "legendFormat": "", + "refId": "B" + } + ], + "timeFrom": null, + "title": "Cluster Restores Skipped", + "type": "stat" + }, + { + "collapsed": false, + "datasource": null, + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 16 + }, + "id": 31, + "panels": [], + "title": "Backup Exports", + "type": "row" + }, + { + "datasource": "Prometheus", + "fieldConfig": { + "defaults": { + 
"color": { + "mode": "thresholds" + }, + "mappings": [], + "noValue": "0", + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "text", + "value": null + }, + { + "color": "green", + "value": 1 + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 6, + "w": 5, + "x": 0, + "y": 17 + }, + "id": 38, + "interval": "1m", + "options": { + "colorMode": "value", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "last" + ], + "fields": "", + "values": false + }, + "text": {}, + "textMode": "auto" + }, + "pluginVersion": "8.1.8", + "targets": [ + { + "exemplar": false, + "expr": "sum(round(increase(action_export_ended_overall{cluster=\"$cluster\", state=\"succeeded\"}[$__range])))", + "hide": false, + "interval": "", + "legendFormat": "", + "refId": "B" + } + ], + "timeFrom": null, + "title": "Exports Completed", + "type": "stat" + }, + { + "datasource": "Prometheus", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [ + { + "options": { + "0": { + "index": 0, + "text": "-" + } + }, + "type": "value" + } + ], + "noValue": "-", + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "text", + "value": null + }, + { + "color": "red", + "value": 1 + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 6, + "w": 3, + "x": 5, + "y": 17 + }, + "id": 29, + "interval": "1m", + "options": { + "colorMode": "value", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "last" + ], + "fields": "", + "values": false + }, + "text": {}, + "textMode": "auto" + }, + "pluginVersion": "8.1.8", + "targets": [ + { + "exemplar": false, + "expr": "sum(round(increase(action_export_ended_overall{cluster=\"$cluster\", state=~\"failed|cancelled\"}[$__range])))", + "hide": false, + "interval": "", + "legendFormat": "", + "refId": "B" + } + ], + "timeFrom": null, + "title": "Exports Failed", + "type": "stat" + 
}, + { + "datasource": "Prometheus", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [ + { + "options": { + "0": { + "index": 0, + "text": "-" + } + }, + "type": "value" + } + ], + "noValue": "-", + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "text", + "value": null + }, + { + "color": "#EAB839", + "value": 1 + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 6, + "w": 3, + "x": 8, + "y": 17 + }, + "id": 20, + "interval": "1m", + "options": { + "colorMode": "value", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "last" + ], + "fields": "", + "values": false + }, + "text": {}, + "textMode": "auto" + }, + "pluginVersion": "8.1.8", + "targets": [ + { + "exemplar": false, + "expr": "sum(round(increase(action_export_skipped_overall{cluster=\"$cluster\"}[$__range])))", + "hide": false, + "interval": "", + "legendFormat": "", + "refId": "B" + } + ], + "timeFrom": null, + "title": "Exports Skipped", + "type": "stat" + }, + { + "datasource": "Prometheus", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [], + "noValue": "0", + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "text", + "value": null + }, + { + "color": "green", + "value": 1 + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 6, + "w": 5, + "x": 13, + "y": 17 + }, + "id": 27, + "interval": "1m", + "options": { + "colorMode": "value", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "last" + ], + "fields": "", + "values": false + }, + "text": {}, + "textMode": "auto" + }, + "pluginVersion": "8.1.8", + "targets": [ + { + "exemplar": false, + "expr": "sum(round(increase(action_import_ended_overall{cluster=\"$cluster\", state=\"succeeded\"}[$__range])))", + "hide": false, + "interval": "", + "legendFormat": "", + "refId": "B" + } + ], + "timeFrom": 
null, + "title": "Imports Completed", + "type": "stat" + }, + { + "datasource": "Prometheus", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [ + { + "options": { + "0": { + "index": 0, + "text": "-" + } + }, + "type": "value" + } + ], + "noValue": "-", + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "text", + "value": null + }, + { + "color": "red", + "value": 1 + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 6, + "w": 3, + "x": 18, + "y": 17 + }, + "id": 39, + "interval": "1m", + "options": { + "colorMode": "value", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "last" + ], + "fields": "", + "values": false + }, + "text": {}, + "textMode": "auto" + }, + "pluginVersion": "8.1.8", + "targets": [ + { + "exemplar": false, + "expr": "sum(round(increase(action_import_ended_overall{cluster=\"$cluster\", state=~\"failed|cancelled\"}[$__range])))", + "hide": false, + "interval": "", + "legendFormat": "", + "refId": "B" + } + ], + "timeFrom": null, + "title": "Imports Failed", + "type": "stat" + }, + { + "datasource": "Prometheus", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [ + { + "options": { + "0": { + "index": 0, + "text": "-" + } + }, + "type": "value" + } + ], + "noValue": "-", + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "text", + "value": null + }, + { + "color": "#EAB839", + "value": 1 + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 6, + "w": 3, + "x": 21, + "y": 17 + }, + "id": 37, + "interval": "1m", + "options": { + "colorMode": "value", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "last" + ], + "fields": "", + "values": false + }, + "text": {}, + "textMode": "auto" + }, + "pluginVersion": "8.1.8", + "targets": [ + { + "exemplar": false, + "expr": 
"sum(round(increase(action_import_skipped_overall{cluster=\"$cluster\"}[$__range])))", + "hide": false, + "interval": "", + "legendFormat": "", + "refId": "B" + } + ], + "timeFrom": null, + "title": "Imports Skipped", + "type": "stat" + }, + { + "collapsed": false, + "datasource": null, + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 23 + }, + "id": 14, + "panels": [], + "title": "System", + "type": "row" + }, + { + "datasource": "Prometheus", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [ + { + "options": { + "0": { + "index": 0, + "text": "-" + } + }, + "type": "value" + } + ], + "noValue": "-", + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "text", + "value": null + }, + { + "color": "green", + "value": 1 + } + ] + }, + "unit": "runs" + }, + "overrides": [] + }, + "gridPos": { + "h": 6, + "w": 3, + "x": 0, + "y": 24 + }, + "id": 12, + "interval": "1m", + "options": { + "colorMode": "value", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "last" + ], + "fields": "", + "values": false + }, + "text": {}, + "textMode": "auto" + }, + "pluginVersion": "8.1.8", + "targets": [ + { + "exemplar": false, + "expr": "sum(round(increase(action_run_ended_overall{cluster=\"$cluster\", state=\"succeeded\"}[$__range])))", + "format": "time_series", + "interval": "", + "legendFormat": "", + "queryType": "randomWalk", + "refId": "A" + } + ], + "timeFrom": null, + "title": "Policy Runs", + "type": "stat" + }, + { + "datasource": "Prometheus", + "description": "", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [ + { + "options": { + "0": { + "index": 0, + "text": "-" + } + }, + "type": "value" + } + ], + "noValue": "-", + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "text", + "value": null + }, + { + "color": "yellow", + "value": 1 + } + ] + }, + "unit": "runs" + }, + "overrides": [] + }, + 
"gridPos": { + "h": 6, + "w": 3, + "x": 3, + "y": 24 + }, + "id": 40, + "interval": "1m", + "options": { + "colorMode": "value", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "last" + ], + "fields": "", + "values": false + }, + "text": {}, + "textMode": "auto" + }, + "pluginVersion": "8.1.8", + "targets": [ + { + "exemplar": false, + "expr": "sum(round(increase(action_run_skipped_overall{cluster=\"$cluster\"}[$__range])))", + "format": "time_series", + "interval": "", + "legendFormat": "", + "queryType": "randomWalk", + "refId": "A" + } + ], + "timeFrom": null, + "title": "Policy Runs Skipped", + "type": "stat" + }, + { + "datasource": "Prometheus", + "description": "", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [], + "noValue": "-", + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "#ccccdc", + "value": null + } + ] + }, + "unit": "bytes" + }, + "overrides": [] + }, + "gridPos": { + "h": 6, + "w": 3, + "x": 6, + "y": 24 + }, + "id": 6, + "options": { + "colorMode": "value", + "graphMode": "area", + "justifyMode": "auto", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "text": {}, + "textMode": "auto" + }, + "pluginVersion": "8.1.8", + "targets": [ + { + "exemplar": true, + "expr": "catalog_persistent_volume_disk_space_used_bytes{cluster=\"$cluster\"}", + "interval": "", + "legendFormat": "", + "queryType": "randomWalk", + "refId": "A" + } + ], + "title": "Catalog Volume Used", + "type": "stat" + }, + { + "datasource": "Prometheus", + "description": "", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [], + "max": 100, + "min": 0, + "noValue": "-", + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "yellow", + "value": 70 + }, + { + "color": "orange", + "value": 80 + 
}, + { + "color": "red", + "value": 90 + } + ] + }, + "unit": "percent" + }, + "overrides": [] + }, + "gridPos": { + "h": 6, + "w": 3, + "x": 9, + "y": 24 + }, + "id": 2, + "options": { + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "showThresholdLabels": false, + "showThresholdMarkers": true, + "text": {} + }, + "pluginVersion": "8.1.8", + "targets": [ + { + "exemplar": true, + "expr": "100-catalog_persistent_volume_free_space_percent{cluster=\"$cluster\"}", + "interval": "", + "legendFormat": "", + "queryType": "randomWalk", + "refId": "A" + } + ], + "title": "Catalog Volume Used Space", + "type": "gauge" + }, + { + "datasource": "Prometheus", + "description": "", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [], + "noValue": "-", + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "#ccccdc", + "value": null + } + ] + }, + "unit": "bytes" + }, + "overrides": [] + }, + "gridPos": { + "h": 6, + "w": 3, + "x": 12, + "y": 24 + }, + "id": 8, + "options": { + "colorMode": "value", + "graphMode": "area", + "justifyMode": "auto", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "text": {}, + "textMode": "auto" + }, + "pluginVersion": "8.1.8", + "targets": [ + { + "exemplar": true, + "expr": "jobs_persistent_volume_disk_space_used_bytes{cluster=\"$cluster\"}", + "interval": "", + "legendFormat": "", + "queryType": "randomWalk", + "refId": "A" + } + ], + "title": "Jobs Volume Used", + "type": "stat" + }, + { + "datasource": "Prometheus", + "description": "", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [], + "max": 100, + "min": 0, + "noValue": "-", + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "yellow", + "value": 70 + }, + { + "color": "orange", + "value": 80 + }, + { + "color": 
"red", + "value": 90 + } + ] + }, + "unit": "percent" + }, + "overrides": [] + }, + "gridPos": { + "h": 6, + "w": 3, + "x": 15, + "y": 24 + }, + "id": 4, + "options": { + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "showThresholdLabels": false, + "showThresholdMarkers": true, + "text": {} + }, + "pluginVersion": "8.1.8", + "targets": [ + { + "exemplar": true, + "expr": "100-jobs_persistent_volume_free_space_percent{cluster=\"$cluster\"}", + "interval": "", + "legendFormat": "", + "queryType": "randomWalk", + "refId": "A" + } + ], + "title": "Jobs Volume Used Space", + "type": "gauge" + }, + { + "datasource": "Prometheus", + "description": "", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [], + "noValue": "-", + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "#ccccdc", + "value": null + } + ] + }, + "unit": "bytes" + }, + "overrides": [] + }, + "gridPos": { + "h": 6, + "w": 3, + "x": 18, + "y": 24 + }, + "id": 7, + "options": { + "colorMode": "value", + "graphMode": "area", + "justifyMode": "auto", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "text": {}, + "textMode": "auto" + }, + "pluginVersion": "8.1.8", + "targets": [ + { + "exemplar": true, + "expr": "logging_persistent_volume_disk_space_used_bytes{cluster=\"$cluster\"}", + "interval": "", + "legendFormat": "", + "queryType": "randomWalk", + "refId": "A" + } + ], + "title": "Logging Volume Used", + "type": "stat" + }, + { + "datasource": "Prometheus", + "description": "", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [], + "max": 100, + "min": 0, + "noValue": "-", + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "yellow", + "value": 70 + }, + { + "color": "orange", + "value": 80 + }, + { + "color": "red", + "value": 90 
+ } + ] + }, + "unit": "percent" + }, + "overrides": [] + }, + "gridPos": { + "h": 6, + "w": 3, + "x": 21, + "y": 24 + }, + "id": 3, + "options": { + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "showThresholdLabels": false, + "showThresholdMarkers": true, + "text": {} + }, + "pluginVersion": "8.1.8", + "targets": [ + { + "exemplar": true, + "expr": "100-logging_persistent_volume_free_space_percent{cluster=\"$cluster\"}", + "interval": "", + "legendFormat": "", + "queryType": "randomWalk", + "refId": "A" + } + ], + "title": "Logging Volume Used Space", + "type": "gauge" + }, + { + "datasource": "Prometheus", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [], + "noValue": "0", + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "text", + "value": null + }, + { + "color": "green", + "value": 1 + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 6, + "w": 3, + "x": 0, + "y": 30 + }, + "id": 41, + "interval": "1m", + "options": { + "colorMode": "value", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "last" + ], + "fields": "", + "values": false + }, + "text": {}, + "textMode": "auto" + }, + "pluginVersion": "8.1.8", + "targets": [ + { + "exemplar": false, + "expr": "compliance_count{state=\"Compliant\"}", + "hide": false, + "interval": "", + "legendFormat": "", + "refId": "B" + } + ], + "timeFrom": null, + "title": "Compliant Applications", + "type": "stat" + }, + { + "datasource": "Prometheus", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [], + "noValue": "0", + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 1 + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 6, + "w": 3, + "x": 3, + "y": 30 + }, + "id": 42, + "interval": "1m", + "options": { + 
"colorMode": "value", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "last" + ], + "fields": "", + "values": false + }, + "text": {}, + "textMode": "auto" + }, + "pluginVersion": "8.1.8", + "targets": [ + { + "exemplar": false, + "expr": "compliance_count{state=\"NotCompliant\"}", + "hide": false, + "interval": "", + "legendFormat": "", + "refId": "B" + } + ], + "timeFrom": null, + "title": "Non-Compliant Applications", + "type": "stat" + }, + { + "datasource": "Prometheus", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [], + "noValue": "0", + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 1 + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 6, + "w": 3, + "x": 6, + "y": 30 + }, + "id": 43, + "interval": "1m", + "options": { + "colorMode": "value", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "last" + ], + "fields": "", + "values": false + }, + "text": {}, + "textMode": "auto" + }, + "pluginVersion": "8.1.8", + "targets": [ + { + "exemplar": false, + "expr": "compliance_count{state=\"Unmanaged\"}", + "hide": false, + "interval": "", + "legendFormat": "", + "refId": "B" + } + ], + "timeFrom": null, + "title": "Unmanaged Applications", + "type": "stat" + }, + { + "datasource": "Prometheus", + "description": "", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [], + "noValue": "-", + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "#ccccdc", + "value": null + } + ] + }, + "unit": "bytes" + }, + "overrides": [] + }, + "gridPos": { + "h": 6, + "w": 3, + "x": 12, + "y": 30 + }, + "id": 44, + "options": { + "colorMode": "value", + "graphMode": "area", + "justifyMode": "auto", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + 
"fields": "", + "values": false + }, + "text": {}, + "textMode": "auto" + }, + "pluginVersion": "8.1.8", + "targets": [ + { + "exemplar": true, + "expr": "snapshot_storage_size_bytes{cluster=\"$cluster\", type=\"physical\"}", + "interval": "", + "legendFormat": "", + "queryType": "randomWalk", + "refId": "A" + } + ], + "title": "Snapshot Size (Physical)", + "type": "stat" + }, + { + "datasource": "Prometheus", + "description": "", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [], + "noValue": "-", + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "#ccccdc", + "value": null + } + ] + }, + "unit": "bytes" + }, + "overrides": [] + }, + "gridPos": { + "h": 6, + "w": 3, + "x": 15, + "y": 30 + }, + "id": 45, + "options": { + "colorMode": "value", + "graphMode": "area", + "justifyMode": "auto", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "text": {}, + "textMode": "auto" + }, + "pluginVersion": "8.1.8", + "targets": [ + { + "exemplar": true, + "expr": "snapshot_storage_size_bytes{cluster=\"$cluster\", type=\"logical\"}", + "interval": "", + "legendFormat": "", + "queryType": "randomWalk", + "refId": "A" + } + ], + "title": "Snapshot Size (Logical)", + "type": "stat" + }, + { + "datasource": "Prometheus", + "description": "", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [], + "noValue": "-", + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "#ccccdc", + "value": null + } + ] + }, + "unit": "bytes" + }, + "overrides": [] + }, + "gridPos": { + "h": 6, + "w": 3, + "x": 18, + "y": 30 + }, + "id": 46, + "options": { + "colorMode": "value", + "graphMode": "area", + "justifyMode": "auto", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "text": {}, + "textMode": "auto" + }, + "pluginVersion": "8.1.8", + 
"targets": [ + { + "exemplar": true, + "expr": "export_storage_size_bytes{cluster=\"$cluster\", type=\"physical\"}", + "interval": "", + "legendFormat": "", + "queryType": "randomWalk", + "refId": "A" + } + ], + "title": "Export Size (Physical)", + "type": "stat" + }, + { + "datasource": "Prometheus", + "description": "", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [], + "noValue": "-", + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "#ccccdc", + "value": null + } + ] + }, + "unit": "bytes" + }, + "overrides": [] + }, + "gridPos": { + "h": 6, + "w": 3, + "x": 21, + "y": 30 + }, + "id": 47, + "options": { + "colorMode": "value", + "graphMode": "area", + "justifyMode": "auto", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "text": {}, + "textMode": "auto" + }, + "pluginVersion": "8.1.8", + "targets": [ + { + "exemplar": true, + "expr": "export_storage_size_bytes{cluster=\"$cluster\", type=\"logical\"}", + "interval": "", + "legendFormat": "", + "queryType": "randomWalk", + "refId": "A" + } + ], + "title": "Export Size (Logical)", + "type": "stat" + } + ], + "schemaVersion": 30, + "style": "dark", + "tags": [], + "templating": { + "list": [ + { + "description": null, + "error": null, + "hide": 2, + "label": "Cluster", + "name": "cluster", + "query": "", + "skipUrlSync": false, + "type": "constant" + } + ] + }, + "time": { + "from": "now-24h", + "to": "now" + }, + "timepicker": {}, + "timezone": "", + "title": "K10 Dashboard", + "uid": "8Ebb3xS7k", + "version": 1 + } + + # custom-dashboard: + # file: dashboards/custom-dashboard.json + # prometheus-stats: + # gnetId: 2 + # revision: 2 + # datasource: Prometheus + # local-dashboard: + # url: https://example.com/repository/test.json + # token: '' + # local-dashboard-base64: + # url: https://example.com/repository/test-b64.json + # token: '' + # b64content: true + +## Reference to 
external ConfigMap per provider. Use provider name as key and ConfigMap name as value.
+## A provider dashboards must be defined either by external ConfigMaps or in values.yaml, not in both.
+## ConfigMap data example:
+##
+## data:
+## example-dashboard.json: |
+## RAW_JSON
+##
+dashboardsConfigMaps: {}
+# default: ""
+
+## Grafana's primary configuration
+## NOTE: values in map will be converted to ini format
+## ref: http://docs.grafana.org/installation/configuration/
+##
+grafana.ini:
+ paths:
+ data: /var/lib/grafana/
+ logs: /var/log/grafana
+ plugins: /var/lib/grafana/plugins
+ provisioning: /etc/grafana/provisioning
+ analytics:
+ check_for_updates: true
+ log:
+ mode: console
+ grafana_net:
+ url: https://grafana.net
+ dashboards:
+ default_home_dashboard_path: /var/lib/grafana/dashboards/default/default.json
+## grafana Authentication can be enabled with the following values on grafana.ini
+# server:
+# # The full public facing url you use in browser, used for redirects and emails
+## domain:
+# root_url: /k10/grafana
+# serve_from_sub_path: true
+
+ auth:
+ disable_login_form: true
+ disable_signout_menu: true
+
+ auth.basic:
+ enabled: false
+
+ auth.anonymous:
+ enabled: true
+ org_name: Main Org.
+ org_role: Admin
+ # https://grafana.com/docs/grafana/latest/auth/github/#enable-github-in-grafana
+ # auth.github:
+ # enabled: false
+ # allow_sign_up: false
+ # scopes: user:email,read:org
+ # auth_url: https://github.com/login/oauth/authorize
+ # token_url: https://github.com/login/oauth/access_token
+ # api_url: https://api.github.com/user
+ # team_ids:
+ # allowed_organizations:
+ # client_id:
+ # client_secret:
+## LDAP Authentication can be enabled with the following values on grafana.ini
+## NOTE: Grafana will fail to start if the value for ldap.toml is invalid
+ # auth.ldap:
+ # enabled: true
+ # allow_sign_up: true
+ # config_file: /etc/grafana/ldap.toml
+
+## Grafana's LDAP configuration
+## Templated by the template in _helpers.tpl
+## NOTE: To enable the grafana.ini must be configured with auth.ldap.enabled
+## ref: http://docs.grafana.org/installation/configuration/#auth-ldap
+## ref: http://docs.grafana.org/installation/ldap/#configuration
+ldap:
+ enabled: false
+ # `existingSecret` is a reference to an existing secret containing the ldap configuration
+ # for Grafana in a key `ldap-toml`.
+ existingSecret: ""
+ # `config` is the content of `ldap.toml` that will be stored in the created secret
+ config: ""
+ # config: |-
+ # verbose_logging = true
+
+ # [[servers]]
+ # host = "my-ldap-server"
+ # port = 636
+ # use_ssl = true
+ # start_tls = false
+ # ssl_skip_verify = false
+ # bind_dn = "uid=%s,ou=users,dc=myorg,dc=com"
+
+## Grafana's SMTP configuration
+## NOTE: To enable, grafana.ini must be configured with smtp.enabled
+## ref: http://docs.grafana.org/installation/configuration/#smtp
+smtp:
+ # `existingSecret` is a reference to an existing secret containing the smtp configuration
+ # for Grafana.
+ existingSecret: ""
+ userKey: "user"
+ passwordKey: "password"
+
+## Sidecars that collect the configmaps with specified label and stores the included files them into the respective folders
+## Requires at least Grafana 5 to work and can't be used together with parameters dashboardProviders, datasources and dashboards
+sidecar:
+ image:
+ repository: quay.io/kiwigrid/k8s-sidecar
+ tag: 1.12.2
+ sha: ""
+ imagePullPolicy: IfNotPresent
+ resources: {}
+# limits:
+# cpu: 100m
+# memory: 100Mi
+# requests:
+# cpu: 50m
+# memory: 50Mi
+ # skipTlsVerify Set to true to skip tls verification for kube api calls
+ # skipTlsVerify: true
+ enableUniqueFilenames: false
+ dashboards:
+ enabled: false
+ SCProvider: true
+ # label that the configmaps with dashboards are marked with
+ label: grafana_dashboard
+ # value of label that the configmaps with dashboards are set to
+ labelValue: null
+ # folder in the pod that should hold the collected dashboards (unless `defaultFolderName` is set)
+ folder: /tmp/dashboards
+ # The default folder name, it will create a subfolder under the `folder` and put dashboards in there instead
+ defaultFolderName: null
+ # If specified, the sidecar will search for dashboard config-maps inside this namespace.
+ # Otherwise the namespace in which the sidecar is running will be used.
+ # It's also possible to specify ALL to search in all namespaces
+ searchNamespace: null
+ # search in configmap, secret or both
+ resource: both
+ # If specified, the sidecar will look for annotation with this name to create folder and put graph here.
+ # You can use this parameter together with `provider.foldersFromFilesStructure`to annotate configmaps and create folder structure.
+ folderAnnotation: null
+ # provider configuration that lets grafana manage the dashboards
+ provider:
+ # name of the provider, should be unique
+ name: sidecarProvider
+ # orgid as configured in grafana
+ orgid: 1
+ # folder in which the dashboards should be imported in grafana
+ folder: ''
+ # type of the provider
+ type: file
+ # disableDelete to activate a import-only behaviour
+ disableDelete: false
+ # allow updating provisioned dashboards from the UI
+ allowUiUpdates: false
+ # allow Grafana to replicate dashboard structure from filesystem
+ foldersFromFilesStructure: false
+ datasources:
+ enabled: false
+ # label that the configmaps with datasources are marked with
+ label: grafana_datasource
+ # value of label that the configmaps with datasources are set to
+ labelValue: null
+ # If specified, the sidecar will search for datasource config-maps inside this namespace.
+ # Otherwise the namespace in which the sidecar is running will be used.
+ # It's also possible to specify ALL to search in all namespaces
+ searchNamespace: null
+ # search in configmap, secret or both
+ resource: both
+ notifiers:
+ enabled: false
+ # label that the configmaps with notifiers are marked with
+ label: grafana_notifier
+ # If specified, the sidecar will search for notifier config-maps inside this namespace.
+ # Otherwise the namespace in which the sidecar is running will be used.
+ # It's also possible to specify ALL to search in all namespaces
+ searchNamespace: null
+ # search in configmap, secret or both
+ resource: both
+
+## Override the deployment namespace
+##
+namespaceOverride: ""
+
+## Number of old ReplicaSets to retain
+##
+revisionHistoryLimit: 10
+
+## Add a seperate remote image renderer deployment/service
+imageRenderer:
+ # Enable the image-renderer deployment & service
+ enabled: false
+ replicas: 1
+ image:
+ # image-renderer Image repository
+ repository: grafana/grafana-image-renderer
+ # image-renderer Image tag
+ tag: latest
+ # image-renderer Image sha (optional)
+ sha: ""
+ # image-renderer ImagePullPolicy
+ pullPolicy: Always
+ # extra environment variables
+ env:
+ HTTP_HOST: "0.0.0.0"
+ # RENDERING_ARGS: --disable-gpu,--window-size=1280x758
+ # RENDERING_MODE: clustered
+ # image-renderer deployment serviceAccount
+ serviceAccountName: ""
+ # image-renderer deployment securityContext
+ securityContext: {}
+ # image-renderer deployment Host Aliases
+ hostAliases: []
+ # image-renderer deployment priority class
+ priorityClassName: ''
+ service:
+ # Enable the image-renderer service
+ enabled: true
+ # image-renderer service port name
+ portName: 'http'
+ # image-renderer service port used by both service and deployment
+ port: 8081
+ targetPort: 8081
+ # In case a sub_path is used this needs to be added to the image renderer callback
+ grafanaSubPath: ""
+ # name of the image-renderer port on the pod
+ podPortName: http
+ # number of image-renderer replica sets to keep
+ revisionHistoryLimit: 10
+ networkPolicy:
+ # Enable a NetworkPolicy to limit inbound traffic to only the created grafana pods
+ limitIngress: true
+ # Enable a NetworkPolicy to limit outbound traffic to only the created grafana pods
+ limitEgress: false
+ resources: {}
+# limits:
+# cpu: 100m
+# memory: 100Mi
+# requests:
+# cpu: 50m
+# memory: 50Mi
diff --git a/charts/k10/k10/4.5.1100/charts/prometheus/Chart.yaml b/charts/k10/k10/4.5.1100/charts/prometheus/Chart.yaml
new file mode 100644
index 000000000..3aa2d8141
--- /dev/null
+++ b/charts/k10/k10/4.5.1100/charts/prometheus/Chart.yaml
@@ -0,0 +1,30 @@
+apiVersion: v2
+appVersion: 2.26.0
+dependencies:
+- condition: kubeStateMetrics.enabled
+ name: kube-state-metrics
+ repository: https://prometheus-community.github.io/helm-charts
+ version: 3.4.*
+description: Prometheus is a monitoring system and time series database.
+home: https://prometheus.io/
+icon: https://raw.githubusercontent.com/prometheus/prometheus.github.io/master/assets/prometheus_logo-cb55bb5c346.png
+maintainers:
+- email: gianrubio@gmail.com
+ name: gianrubio
+- email: zanhsieh@gmail.com
+ name: zanhsieh
+- email: miroslav.hadzhiev@gmail.com
+ name: Xtigyro
+- email: monotek23@gmail.com
+ name: monotek
+- email: naseem@transit.app
+ name: naseemkullah
+name: prometheus
+sources:
+- https://github.com/prometheus/alertmanager
+- https://github.com/prometheus/prometheus
+- https://github.com/prometheus/pushgateway
+- https://github.com/prometheus/node_exporter
+- https://github.com/kubernetes/kube-state-metrics
+type: application
+version: 14.6.0
diff --git a/charts/k10/k10/4.5.1100/charts/prometheus/README.md b/charts/k10/k10/4.5.1100/charts/prometheus/README.md
new file mode 100644
index 000000000..25f27f3f6
--- /dev/null
+++ b/charts/k10/k10/4.5.1100/charts/prometheus/README.md
@@ -0,0 +1,224 @@
+# Prometheus
+
+[Prometheus](https://prometheus.io/), a [Cloud Native Computing Foundation](https://cncf.io/) project, is a systems and service monitoring system. It collects metrics from configured targets at given intervals, evaluates rule expressions, displays the results, and can trigger alerts if some condition is observed to be true.
+
+This chart bootstraps a [Prometheus](https://prometheus.io/) deployment on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager.
+
+## Prerequisites
+
+- Kubernetes 1.16+
+- Helm 3+
+
+## Get Repo Info
+
+```console
+helm repo add prometheus-community https://prometheus-community.github.io/helm-charts
+helm repo add kube-state-metrics https://kubernetes.github.io/kube-state-metrics
+helm repo update
+```
+
+_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._
+
+## Install Chart
+
+```console
+# Helm
+$ helm install [RELEASE_NAME] prometheus-community/prometheus
+```
+
+_See [configuration](#configuration) below._
+
+_See [helm install](https://helm.sh/docs/helm/helm_install/) for command documentation._
+
+## Dependencies
+
+By default this chart installs additional, dependent charts:
+
+- [stable/kube-state-metrics](https://github.com/helm/charts/tree/master/stable/kube-state-metrics)
+
+To disable the dependency during installation, set `kubeStateMetrics.enabled` to `false`.
+
+_See [helm dependency](https://helm.sh/docs/helm/helm_dependency/) for command documentation._
+
+## Uninstall Chart
+
+```console
+# Helm
+$ helm uninstall [RELEASE_NAME]
+```
+
+This removes all the Kubernetes components associated with the chart and deletes the release.
+
+_See [helm uninstall](https://helm.sh/docs/helm/helm_uninstall/) for command documentation._
+
+## Upgrading Chart
+
+```console
+# Helm
+$ helm upgrade [RELEASE_NAME] [CHART] --install
+```
+
+_See [helm upgrade](https://helm.sh/docs/helm/helm_upgrade/) for command documentation._
+
+### To 9.0
+
+Version 9.0 adds a new option to enable or disable the Prometheus Server. This supports the use case of running a Prometheus server in one k8s cluster and scraping exporters in another cluster while using the same chart for each deployment. To install the server `server.enabled` must be set to `true`.
+
+### To 5.0
+
+As of version 5.0, this chart uses Prometheus 2.x. This version of prometheus introduces a new data format and is not compatible with prometheus 1.x. It is recommended to install this as a new release, as updating existing releases will not work. See the [prometheus docs](https://prometheus.io/docs/prometheus/latest/migration/#storage) for instructions on retaining your old data.
+
+Prometheus version 2.x has made changes to alertmanager, storage and recording rules. Check out the migration guide [here](https://prometheus.io/docs/prometheus/2.0/migration/).
+
+Users of this chart will need to update their alerting rules to the new format before they can upgrade.
+
+### Example Migration
+
+Assuming you have an existing release of the prometheus chart, named `prometheus-old`. In order to update to prometheus 2.x while keeping your old data do the following:
+
+1. Update the `prometheus-old` release. Disable scraping on every component besides the prometheus server, similar to the configuration below:
+
+ ```yaml
+ alertmanager:
+ enabled: false
+ alertmanagerFiles:
+ alertmanager.yml: ""
+ kubeStateMetrics:
+ enabled: false
+ nodeExporter:
+ enabled: false
+ pushgateway:
+ enabled: false
+ server:
+ extraArgs:
+ storage.local.retention: 720h
+ serverFiles:
+ alerts: ""
+ prometheus.yml: ""
+ rules: ""
+ ```
+
+1. Deploy a new release of the chart with version 5.0+ using prometheus 2.x. In the values.yaml set the scrape config as usual, and also add the `prometheus-old` instance as a remote-read target.
+
+ ```yaml
+ prometheus.yml:
+ ...
+ remote_read:
+ - url: http://prometheus-old/api/v1/read
+ ...
+ ```
+
+ Old data will be available when you query the new prometheus instance.
+
+## Configuration
+
+See [Customizing the Chart Before Installing](https://helm.sh/docs/intro/using_helm/#customizing-the-chart-before-installing). To see all configurable options with detailed comments, visit the chart's [values.yaml](./values.yaml), or run these configuration commands:
+
+```console
+# Helm 2
+$ helm inspect values prometheus-community/prometheus
+
+# Helm 3
+$ helm show values prometheus-community/prometheus
+```
+
+You may similarly use the above configuration commands on each chart [dependency](#dependencies) to see it's configurations.
+
+### Scraping Pod Metrics via Annotations
+
+This chart uses a default configuration that causes prometheus to scrape a variety of kubernetes resource types, provided they have the correct annotations. In this section we describe how to configure pods to be scraped; for information on how other resource types can be scraped you can do a `helm template` to get the kubernetes resource definitions, and then reference the prometheus configuration in the ConfigMap against the prometheus documentation for [relabel_config](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config) and [kubernetes_sd_config](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#kubernetes_sd_config).
+
+In order to get prometheus to scrape pods, you must add annotations to the the pods as below:
+
+```yaml
+metadata:
+ annotations:
+ prometheus.io/scrape: "true"
+ prometheus.io/path: /metrics
+ prometheus.io/port: "8080"
+```
+
+You should adjust `prometheus.io/path` based on the URL that your pod serves metrics from. `prometheus.io/port` should be set to the port that your pod serves metrics from. Note that the values for `prometheus.io/scrape` and `prometheus.io/port` must be enclosed in double quotes.
+
+### Sharing Alerts Between Services
+
+Note that when [installing](#install-chart) or [upgrading](#upgrading-chart) you may use multiple values override files. This is particularly useful when you have alerts belonging to multiple services in the cluster. For example,
+
+```yaml
+# values.yaml
+# ...
+
+# service1-alert.yaml
+serverFiles:
+ alerts:
+ service1:
+ - alert: anAlert
+ # ...
+
+# service2-alert.yaml
+serverFiles:
+ alerts:
+ service2:
+ - alert: anAlert
+ # ...
+```
+
+```console
+helm install [RELEASE_NAME] prometheus-community/prometheus -f values.yaml -f service1-alert.yaml -f service2-alert.yaml
+```
+
+### RBAC Configuration
+
+Roles and RoleBindings resources will be created automatically for `server` service.
+
+To manually setup RBAC you need to set the parameter `rbac.create=false` and specify the service account to be used for each service by setting the parameters: `serviceAccounts.{{ component }}.create` to `false` and `serviceAccounts.{{ component }}.name` to the name of a pre-existing service account.
+
+> **Tip**: You can refer to the default `*-clusterrole.yaml` and `*-clusterrolebinding.yaml` files in [templates](templates/) to customize your own.
+
+### ConfigMap Files
+
+AlertManager is configured through [alertmanager.yml](https://prometheus.io/docs/alerting/configuration/). This file (and any others listed in `alertmanagerFiles`) will be mounted into the `alertmanager` pod.
+
+Prometheus is configured through [prometheus.yml](https://prometheus.io/docs/operating/configuration/). This file (and any others listed in `serverFiles`) will be mounted into the `server` pod.
+
+### Ingress TLS
+
+If your cluster allows automatic creation/retrieval of TLS certificates (e.g. [cert-manager](https://github.com/jetstack/cert-manager)), please refer to the documentation for that mechanism.
+
+To manually configure TLS, first create/retrieve a key & certificate pair for the address(es) you wish to protect. Then create a TLS secret in the namespace:
+
+```console
+kubectl create secret tls prometheus-server-tls --cert=path/to/tls.cert --key=path/to/tls.key
+```
+
+Include the secret's name, along with the desired hostnames, in the alertmanager/server Ingress TLS section of your custom `values.yaml` file:
+
+```yaml
+server:
+ ingress:
+ ## If true, Prometheus server Ingress will be created
+ ##
+ enabled: true
+
+ ## Prometheus server Ingress hostnames
+ ## Must be provided if Ingress is enabled
+ ##
+ hosts:
+ - prometheus.domain.com
+
+ ## Prometheus server Ingress TLS configuration
+ ## Secrets must be manually created in the namespace
+ ##
+ tls:
+ - secretName: prometheus-server-tls
+ hosts:
+ - prometheus.domain.com
+```
+
+### NetworkPolicy
+
+Enabling Network Policy for Prometheus will secure connections to Alert Manager and Kube State Metrics by only accepting connections from Prometheus Server. All inbound connections to Prometheus Server are still allowed.
+
+To enable network policy for Prometheus, install a networking plugin that implements the Kubernetes NetworkPolicy spec, and set `networkPolicy.enabled` to true.
+
+If NetworkPolicy is enabled for Prometheus' scrape targets, you may also need to manually create a networkpolicy which allows it.
diff --git a/charts/k10/k10/4.5.1100/charts/prometheus/templates/NOTES.txt b/charts/k10/k10/4.5.1100/charts/prometheus/templates/NOTES.txt
new file mode 100644
index 000000000..0e8868f0b
--- /dev/null
+++ b/charts/k10/k10/4.5.1100/charts/prometheus/templates/NOTES.txt
@@ -0,0 +1,112 @@
+{{- if .Values.server.enabled -}}
+The Prometheus server can be accessed via port {{ .Values.server.service.servicePort }} on the following DNS name from within your cluster:
+{{ template "prometheus.server.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local
+
+{{ if .Values.server.ingress.enabled -}}
+From outside the cluster, the server URL(s) are:
+{{- range .Values.server.ingress.hosts }}
+http://{{ . }}
+{{- end }}
+{{- else }}
+Get the Prometheus server URL by running these commands in the same shell:
+{{- if contains "NodePort" .Values.server.service.type }}
+ export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ template "prometheus.server.fullname" . }})
+ export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
+ echo http://$NODE_IP:$NODE_PORT
+{{- else if contains "LoadBalancer" .Values.server.service.type }}
+ NOTE: It may take a few minutes for the LoadBalancer IP to be available.
+ You can watch the status of by running 'kubectl get svc --namespace {{ .Release.Namespace }} -w {{ template "prometheus.server.fullname" . }}'
+
+ export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ template "prometheus.server.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
+ echo http://$SERVICE_IP:{{ .Values.server.service.servicePort }}
+{{- else if contains "ClusterIP" .Values.server.service.type }}
+ export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app={{ template "prometheus.name" . }},component={{ .Values.server.name }}" -o jsonpath="{.items[0].metadata.name}")
+ kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 9090
+{{- end }}
+{{- end }}
+
+{{- if .Values.server.persistentVolume.enabled }}
+{{- else }}
+#################################################################################
+###### WARNING: Persistence is disabled!!! You will lose your data when #####
+###### the Server pod is terminated. #####
+#################################################################################
+{{- end }}
+{{- end }}
+
+{{ if .Values.alertmanager.enabled }}
+The Prometheus alertmanager can be accessed via port {{ .Values.alertmanager.service.servicePort }} on the following DNS name from within your cluster:
+{{ template "prometheus.alertmanager.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local
+
+{{ if .Values.alertmanager.ingress.enabled -}}
+From outside the cluster, the alertmanager URL(s) are:
+{{- range .Values.alertmanager.ingress.hosts }}
+http://{{ . }}
+{{- end }}
+{{- else }}
+Get the Alertmanager URL by running these commands in the same shell:
+{{- if contains "NodePort" .Values.alertmanager.service.type }}
+ export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ template "prometheus.alertmanager.fullname" . }})
+ export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
+ echo http://$NODE_IP:$NODE_PORT
+{{- else if contains "LoadBalancer" .Values.alertmanager.service.type }}
+ NOTE: It may take a few minutes for the LoadBalancer IP to be available.
+ You can watch the status of by running 'kubectl get svc --namespace {{ .Release.Namespace }} -w {{ template "prometheus.alertmanager.fullname" . }}'
+
+ export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ template "prometheus.alertmanager.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
+ echo http://$SERVICE_IP:{{ .Values.alertmanager.service.servicePort }}
+{{- else if contains "ClusterIP" .Values.alertmanager.service.type }}
+ export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app={{ template "prometheus.name" . }},component={{ .Values.alertmanager.name }}" -o jsonpath="{.items[0].metadata.name}")
+ kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 9093
+{{- end }}
+{{- end }}
+
+{{- if .Values.alertmanager.persistentVolume.enabled }}
+{{- else }}
+#################################################################################
+###### WARNING: Persistence is disabled!!! You will lose your data when #####
+###### the AlertManager pod is terminated. #####
+#################################################################################
+{{- end }}
+{{- end }}
+
+{{- if .Values.nodeExporter.podSecurityPolicy.enabled }}
+{{- else }}
+#################################################################################
+###### WARNING: Pod Security Policy has been moved to a global property. #####
+###### use .Values.podSecurityPolicy.enabled with pod-based #####
+###### annotations #####
+###### (e.g. .Values.nodeExporter.podSecurityPolicy.annotations) #####
+#################################################################################
+{{- end }}
+
+{{ if .Values.pushgateway.enabled }}
+The Prometheus PushGateway can be accessed via port {{ .Values.pushgateway.service.servicePort }} on the following DNS name from within your cluster:
+{{ template "prometheus.pushgateway.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local
+
+{{ if .Values.pushgateway.ingress.enabled -}}
+From outside the cluster, the pushgateway URL(s) are:
+{{- range .Values.pushgateway.ingress.hosts }}
+http://{{ . }}
+{{- end }}
+{{- else }}
+Get the PushGateway URL by running these commands in the same shell:
+{{- if contains "NodePort" .Values.pushgateway.service.type }}
+ export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ template "prometheus.pushgateway.fullname" . }})
+ export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
+ echo http://$NODE_IP:$NODE_PORT
+{{- else if contains "LoadBalancer" .Values.pushgateway.service.type }}
+ NOTE: It may take a few minutes for the LoadBalancer IP to be available.
+ You can watch the status of by running 'kubectl get svc --namespace {{ .Release.Namespace }} -w {{ template "prometheus.pushgateway.fullname" . }}'
+
+ export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ template "prometheus.pushgateway.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
+ echo http://$SERVICE_IP:{{ .Values.pushgateway.service.servicePort }}
+{{- else if contains "ClusterIP" .Values.pushgateway.service.type }}
+ export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app={{ template "prometheus.name" . }},component={{ .Values.pushgateway.name }}" -o jsonpath="{.items[0].metadata.name}")
+ kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 9091
+{{- end }}
+{{- end }}
+{{- end }}
+
+For more information on running Prometheus, visit:
+https://prometheus.io/
diff --git a/charts/k10/k10/4.5.1100/charts/prometheus/templates/_definitions.tpl b/charts/k10/k10/4.5.1100/charts/prometheus/templates/_definitions.tpl
new file mode 100644
index 000000000..d93364c7f
--- /dev/null
+++ b/charts/k10/k10/4.5.1100/charts/prometheus/templates/_definitions.tpl
@@ -0,0 +1,3 @@
+{{/* Autogenerated, do NOT modify */}}
+{{- define "k10.prometheusImageTag" -}}v2.26.0{{- end -}}
+{{- define "k10.prometheusConfigMapReloaderImageTag" -}}v0.5.0{{- end -}}
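Review bot: The ingress branches of NOTES.txt print `http://{{ . }}` for every host in `.Values.server.ingress.hosts`, and again in the alertmanager and pushgateway loops, without looking at the ingress TLS setting, so an install with TLS configured still hands operators a plaintext URL. Choosing the scheme from the TLS value would fix it, e.g. `http{{ if .Values.server.ingress.tls }}s{{ end }}://{{ . }}`, with the matching value for the other two components where they define one. Separately, the Pod Security Policy warning sits in the `else` of `{{- if .Values.nodeExporter.podSecurityPolicy.enabled }}`, so it is printed when the old key is not set and suppressed when it is, which looks inverted.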
diff --git a/charts/k10/k10/4.5.1100/charts/prometheus/templates/_helpers.tpl b/charts/k10/k10/4.5.1100/charts/prometheus/templates/_helpers.tpl
new file mode 100644
index 000000000..287ed192a
--- /dev/null
+++ b/charts/k10/k10/4.5.1100/charts/prometheus/templates/_helpers.tpl
@@ -0,0 +1,400 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "prometheus.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "prometheus.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create unified labels for prometheus components
+*/}}
+{{- define "prometheus.common.matchLabels" -}}
+app: {{ template "prometheus.name" . }}
+release: {{ .Release.Name }}
+{{- end -}}
+
+{{- define "prometheus.common.metaLabels" -}}
+chart: {{ template "prometheus.chart" . }}
+heritage: {{ .Release.Service }}
+{{- end -}}
+
+{{- define "prometheus.alertmanager.labels" -}}
+{{ include "prometheus.alertmanager.matchLabels" . }}
+{{ include "prometheus.common.metaLabels" . }}
+{{- end -}}
+
+{{- define "prometheus.alertmanager.matchLabels" -}}
+component: {{ .Values.alertmanager.name | quote }}
+{{ include "prometheus.common.matchLabels" . }}
+{{- end -}}
+
+{{- define "prometheus.nodeExporter.labels" -}}
+{{ include "prometheus.nodeExporter.matchLabels" . }}
+{{ include "prometheus.common.metaLabels" . }}
+{{- end -}}
+
+{{- define "prometheus.nodeExporter.matchLabels" -}}
+component: {{ .Values.nodeExporter.name | quote }}
+{{ include "prometheus.common.matchLabels" . }}
+{{- end -}}
+
+{{- define "prometheus.pushgateway.labels" -}}
+{{ include "prometheus.pushgateway.matchLabels" . }}
+{{ include "prometheus.common.metaLabels" . }}
+{{- end -}}
+
+{{- define "prometheus.pushgateway.matchLabels" -}}
+component: {{ .Values.pushgateway.name | quote }}
+{{ include "prometheus.common.matchLabels" . }}
+{{- end -}}
+
+{{- define "prometheus.server.labels" -}}
+{{ include "prometheus.server.matchLabels" . }}
+{{ include "prometheus.common.metaLabels" . }}
+{{- end -}}
+
+{{- define "prometheus.server.matchLabels" -}}
+component: {{ .Values.server.name | quote }}
+{{ include "prometheus.common.matchLabels" . }}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+*/}}
+{{- define "prometheus.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Figure out the config based on
+the value of airgapped.repository
+*/}}
+{{- define "get.cmreloadimage" }}
+{{- if not .Values.global.rhMarketPlace }}
+{{- if .Values.global.airgapped.repository }}
+{{- printf "%s/configmap-reload:%s" .Values.global.airgapped.repository (include "get.cmReloadImageTag" .) }}
+{{- else }}
+{{- printf "%s:%s" (include "get.cmReloadImageRepo" .) (include "get.cmReloadImageTag" .) }}
+{{- end }}
+{{- else }}
+{{- printf "%s" (get .Values.global.images "configmap-reload") }}
+{{- end -}}
+{{- end }}
+
+{{/*
+Figure out the config based on
+the value of airgapped.repository
+*/}}
+{{- define "get.serverimage" }}
+{{- if not .Values.global.rhMarketPlace }}
+{{- if .Values.global.airgapped.repository }}
+{{- printf "%s/prometheus:%s" .Values.global.airgapped.repository (include "get.promImageTag" .) }}
+{{- else }}
+{{- printf "%s:%s" (include "get.promImageRepo" .) (include "get.promImageTag" .) }}
+{{- end }}
+{{- else }}
+{{- printf "%s" (get .Values.global.images "prometheus") }}
+{{- end -}}
+{{- end }}
+
+
+{{/*
+Figure out the configmap-reload image tag
+based on the value of global.upstreamCertifiedImages
+*/}}
+{{- define "get.cmReloadImageTag"}}
+{{- if .Values.global.upstreamCertifiedImages }}
+{{- if .Values.global.airgapped.repository }}
+{{- printf "k10-%s-rh-ubi" (include "k10.prometheusConfigMapReloaderImageTag" .) }}
+{{- else }}
+{{- printf "%s-rh-ubi" (include "k10.prometheusConfigMapReloaderImageTag" .) }}
+{{- end }}
+{{- else }}
+{{- if .Values.global.airgapped.repository }}
+{{- printf "k10-%s" (include "k10.prometheusConfigMapReloaderImageTag" .) }}
+{{- else }}
+{{- printf "%s" (include "k10.prometheusConfigMapReloaderImageTag" .) }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Figure out the prometheus image tag
+based on the value of global.upstreamCertifiedImages
+*/}}
+{{- define "get.promImageTag"}}
+{{- if .Values.global.upstreamCertifiedImages }}
+{{- if .Values.global.airgapped.repository }}
+{{- printf "k10-%s-rh-ubi" (include "k10.prometheusImageTag" .) }}
+{{- else }}
+{{- printf "%s-rh-ubi" (include "k10.prometheusImageTag" .) }}
+{{- end }}
+{{- else }}
+{{- if .Values.global.airgapped.repository }}
+{{- printf "k10-%s" (include "k10.prometheusImageTag" .) }}
+{{- else }}
+{{- printf "%s" (include "k10.prometheusImageTag" .) }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Figure out the configmap-reload image repo
+based on the value of global.upstreamCertifiedImages
+*/}}
+{{- define "get.cmReloadImageRepo" }}
+{{- if .Values.global.upstreamCertifiedImages }}
+{{- printf "%s/%s/configmap-reload" .Values.k10image.registry .Values.k10image.repository }}
+{{- else }}
+{{- print .Values.configmapReload.prometheus.image.repository }}
+{{- end }}
+{{- end }}
+
+{{/*
+Figure out the prom image repo
+based on the value of global.upstreamCertifiedImages
+*/}}
+{{- define "get.promImageRepo" }}
+{{- if .Values.global.upstreamCertifiedImages }}
+{{- printf "%s/%s/prometheus" .Values.k10image.registry .Values.k10image.repository }}
+{{- else }}
+{{- print .Values.server.image.repository }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create a fully qualified alertmanager name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+*/}}
+
+{{- define "prometheus.alertmanager.fullname" -}}
+{{- if .Values.alertmanager.fullnameOverride -}}
+{{- .Values.alertmanager.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- printf "%s-%s" .Release.Name .Values.alertmanager.name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s-%s" .Release.Name $name .Values.alertmanager.name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create a fully qualified node-exporter name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+*/}}
+{{- define "prometheus.nodeExporter.fullname" -}}
+{{- if .Values.nodeExporter.fullnameOverride -}}
+{{- .Values.nodeExporter.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- printf "%s-%s" .Release.Name .Values.nodeExporter.name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s-%s" .Release.Name $name .Values.nodeExporter.name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create a fully qualified Prometheus server name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+*/}}
+{{- define "prometheus.server.fullname" -}}
+{{- if .Values.server.fullnameOverride -}}
+{{- .Values.server.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- printf "%s-%s" .Release.Name .Values.server.name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s-%s" .Release.Name $name .Values.server.name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create a fully qualified Prometheus server clusterrole name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+*/}}
+{{- define "prometheus.server.clusterrolefullname" -}}
+{{- if .Values.server.clusterRoleNameOverride -}}
+{{- .Values.server.clusterRoleNameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- if .Values.server.fullnameOverride -}}
+{{- printf "%s-%s" .Release.Name .Values.server.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- printf "%s-%s" .Release.Name .Values.server.name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s-%s" .Release.Name $name .Values.server.name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create a fully qualified pushgateway name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+*/}}
+{{- define "prometheus.pushgateway.fullname" -}}
+{{- if .Values.pushgateway.fullnameOverride -}}
+{{- .Values.pushgateway.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- printf "%s-%s" .Release.Name .Values.pushgateway.name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s-%s" .Release.Name $name .Values.pushgateway.name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Get KubeVersion removing pre-release information.
+*/}}
+{{- define "prometheus.kubeVersion" -}}
+ {{- default .Capabilities.KubeVersion.Version (regexFind "v[0-9]+\\.[0-9]+\\.[0-9]+" .Capabilities.KubeVersion.Version) -}}
+{{- end -}}
+
+{{/*
+Return the appropriate apiVersion for deployment.
+*/}}
+{{- define "prometheus.deployment.apiVersion" -}}
+{{- print "apps/v1" -}}
+{{- end -}}
+{{/*
+Return the appropriate apiVersion for daemonset.
+*/}}
+{{- define "prometheus.daemonset.apiVersion" -}}
+{{- print "apps/v1" -}}
+{{- end -}}
+{{/*
+Return the appropriate apiVersion for networkpolicy.
+*/}}
+{{- define "prometheus.networkPolicy.apiVersion" -}}
+{{- print "networking.k8s.io/v1" -}}
+{{- end -}}
+{{/*
+Return the appropriate apiVersion for podsecuritypolicy.
+*/}}
+{{- define "prometheus.podSecurityPolicy.apiVersion" -}}
+{{- print "policy/v1beta1" -}}
+{{- end -}}
+{{/*
+Return the appropriate apiVersion for rbac.
+*/}}
+{{- define "rbac.apiVersion" -}}
+{{- if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1" }}
+{{- print "rbac.authorization.k8s.io/v1" -}}
+{{- else -}}
+{{- print "rbac.authorization.k8s.io/v1beta1" -}}
+{{- end -}}
+{{- end -}}
+{{/*
+Return the appropriate apiVersion for ingress.
+*/}}
+{{- define "ingress.apiVersion" -}}
+ {{- if and (.Capabilities.APIVersions.Has "networking.k8s.io/v1") (semverCompare ">= 1.19.x" (include "prometheus.kubeVersion" .)) -}}
+ {{- print "networking.k8s.io/v1" -}}
+ {{- else if .Capabilities.APIVersions.Has "networking.k8s.io/v1beta1" -}}
+ {{- print "networking.k8s.io/v1beta1" -}}
+ {{- else -}}
+ {{- print "extensions/v1beta1" -}}
+ {{- end -}}
+{{- end -}}
+
+{{/*
+Return if ingress is stable.
+*/}}
+{{- define "ingress.isStable" -}}
+ {{- eq (include "ingress.apiVersion" .) "networking.k8s.io/v1" -}}
+{{- end -}}
+
+{{/*
+Return if ingress supports ingressClassName.
+*/}}
+{{- define "ingress.supportsIngressClassName" -}}
+ {{- or (eq (include "ingress.isStable" .) "true") (and (eq (include "ingress.apiVersion" .) "networking.k8s.io/v1beta1") (semverCompare ">= 1.18.x" (include "prometheus.kubeVersion" .))) -}}
+{{- end -}}
+{{/*
+Return if ingress supports pathType.
+*/}}
+{{- define "ingress.supportsPathType" -}}
+ {{- or (eq (include "ingress.isStable" .) "true") (and (eq (include "ingress.apiVersion" .) "networking.k8s.io/v1beta1") (semverCompare ">= 1.18.x" (include "prometheus.kubeVersion" .))) -}}
+{{- end -}}
+
+{{/*
+Create the name of the service account to use for the alertmanager component
+*/}}
+{{- define "prometheus.serviceAccountName.alertmanager" -}}
+{{- if .Values.serviceAccounts.alertmanager.create -}}
+ {{ default (include "prometheus.alertmanager.fullname" .) .Values.serviceAccounts.alertmanager.name }}
+{{- else -}}
+ {{ default "default" .Values.serviceAccounts.alertmanager.name }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create the name of the service account to use for the nodeExporter component
+*/}}
+{{- define "prometheus.serviceAccountName.nodeExporter" -}}
+{{- if .Values.serviceAccounts.nodeExporter.create -}}
+ {{ default (include "prometheus.nodeExporter.fullname" .) .Values.serviceAccounts.nodeExporter.name }}
+{{- else -}}
+ {{ default "default" .Values.serviceAccounts.nodeExporter.name }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create the name of the service account to use for the pushgateway component
+*/}}
+{{- define "prometheus.serviceAccountName.pushgateway" -}}
+{{- if .Values.serviceAccounts.pushgateway.create -}}
+ {{ default (include "prometheus.pushgateway.fullname" .) .Values.serviceAccounts.pushgateway.name }}
+{{- else -}}
+ {{ default "default" .Values.serviceAccounts.pushgateway.name }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create the name of the service account to use for the server component
+*/}}
+{{- define "prometheus.serviceAccountName.server" -}}
+{{- if .Values.serviceAccounts.server.create -}}
+ {{ default (include "prometheus.server.fullname" .) .Values.serviceAccounts.server.name }}
+{{- else -}}
+ {{ default "default" .Values.serviceAccounts.server.name }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Define the prometheus.namespace template if set with forceNamespace or .Release.Namespace is set
+*/}}
+{{- define "prometheus.namespace" -}}
+{{- if .Values.forceNamespace -}}
+{{ printf "namespace: %s" .Values.forceNamespace }}
+{{- else -}}
+{{ printf "namespace: %s" .Release.Namespace }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/k10/k10/4.5.1100/charts/prometheus/templates/alertmanager/clusterrole.yaml b/charts/k10/k10/4.5.1100/charts/prometheus/templates/alertmanager/clusterrole.yaml
new file mode 100644
index 000000000..c732ff4e5
--- /dev/null
+++ b/charts/k10/k10/4.5.1100/charts/prometheus/templates/alertmanager/clusterrole.yaml
@@ -0,0 +1,21 @@
+{{- if and .Values.alertmanager.enabled .Values.rbac.create .Values.alertmanager.useClusterRole (not .Values.alertmanager.useExistingRole) -}}
+apiVersion: {{ template "rbac.apiVersion" . }}
+kind: ClusterRole
+metadata:
+ labels:
+ {{- include "prometheus.alertmanager.labels" . | nindent 4 }}
+ name: {{ template "prometheus.alertmanager.fullname" . }}
+rules:
+{{- if .Values.podSecurityPolicy.enabled }}
+ - apiGroups:
+ - extensions
+ resources:
+ - podsecuritypolicies
+ verbs:
+ - use
+ resourceNames:
+ - {{ template "prometheus.alertmanager.fullname" . }}
+{{- else }}
+ []
+{{- end }}
+{{- end }}
diff --git a/charts/k10/k10/4.5.1100/charts/prometheus/templates/alertmanager/clusterrolebinding.yaml b/charts/k10/k10/4.5.1100/charts/prometheus/templates/alertmanager/clusterrolebinding.yaml
new file mode 100644
index 000000000..6f13e98b5
--- /dev/null
+++ b/charts/k10/k10/4.5.1100/charts/prometheus/templates/alertmanager/clusterrolebinding.yaml
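Review bot: Each `prometheus.serviceAccountName.*` helper in _helpers.tpl falls back to the namespace's `default` service account when `serviceAccounts.<component>.create` is false and no `name` is given, as in `{{ default "default" .Values.serviceAccounts.alertmanager.name }}`. That name becomes the subject in alertmanager/clusterrolebinding.yaml in this same commit, so a cluster-wide role can end up bound to an account shared by every pod in the namespace that does not set its own service account. Failing the render is safer: `{{ required "serviceAccounts.alertmanager.name must be set when create is false" .Values.serviceAccounts.alertmanager.name }}`, and likewise in the nodeExporter, pushgateway and server helpers.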
@@ -0,0 +1,20 @@ +{{- if and .Values.alertmanager.enabled .Values.rbac.create .Values.alertmanager.useClusterRole -}} +apiVersion: {{ template "rbac.apiVersion" . }} +kind: ClusterRoleBinding +metadata: + labels: + {{- include "prometheus.alertmanager.labels" . | nindent 4 }} + name: {{ template "prometheus.alertmanager.fullname" . }} +subjects: + - kind: ServiceAccount + name: {{ template "prometheus.serviceAccountName.alertmanager" . }} +{{ include "prometheus.namespace" . | indent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole +{{- if (not .Values.alertmanager.useExistingRole) }} + name: {{ template "prometheus.alertmanager.fullname" . }} +{{- else }} + name: {{ .Values.alertmanager.useExistingRole }} +{{- end }} +{{- end }} diff --git a/charts/k10/k10/4.5.1100/charts/prometheus/templates/alertmanager/cm.yaml b/charts/k10/k10/4.5.1100/charts/prometheus/templates/alertmanager/cm.yaml new file mode 100644 index 000000000..cb09bf067 --- /dev/null +++ b/charts/k10/k10/4.5.1100/charts/prometheus/templates/alertmanager/cm.yaml @@ -0,0 +1,19 @@ +{{- if and .Values.alertmanager.enabled (and (empty .Values.alertmanager.configMapOverrideName) (empty .Values.alertmanager.configFromSecret)) -}} +apiVersion: v1 +kind: ConfigMap +metadata: + labels: + {{- include "prometheus.alertmanager.labels" . | nindent 4 }} + name: {{ template "prometheus.alertmanager.fullname" . }} +{{ include "prometheus.namespace" . | indent 2 }} +data: +{{- $root := . -}} +{{- range $key, $value := .Values.alertmanagerFiles }} + {{- if $key | regexMatch ".*\\.ya?ml$" }} + {{ $key }}: | +{{ toYaml $value | default "{}" | indent 4 }} + {{- else }} + {{ $key }}: {{ toYaml $value | indent 4 }} + {{- end }} +{{- end -}} +{{- end -}} diff --git a/charts/k10/k10/4.5.1100/charts/prometheus/templates/alertmanager/deploy.yaml b/charts/k10/k10/4.5.1100/charts/prometheus/templates/alertmanager/deploy.yaml new file mode 100644 index 000000000..fe6e9b9ac --- /dev/null 
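Review bot: In alertmanager/cm.yaml everything under `.Values.alertmanagerFiles` is rendered into a ConfigMap. Alertmanager receiver configuration commonly carries credentials (SMTP passwords, webhook URLs, API keys), and these would then be readable by anyone who can read ConfigMaps in the namespace. The template already skips the ConfigMap when `alertmanager.configFromSecret` is set, but nothing tells the operator that this is the path for secret-bearing configs. I would add a template comment above `data:` such as `{{- /* Do not put receiver credentials in alertmanagerFiles; they are stored in clear text here. Use alertmanager.configFromSecret instead. */ -}}`. Separately, `$root` is assigned and never used in this hunk.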
+++ b/charts/k10/k10/4.5.1100/charts/prometheus/templates/alertmanager/deploy.yaml 
@@ -0,0 +1,161 @@ +{{- if and .Values.alertmanager.enabled (not .Values.alertmanager.statefulSet.enabled) -}} +apiVersion: {{ template "prometheus.deployment.apiVersion" . }} +kind: Deployment +metadata: +{{- if .Values.alertmanager.deploymentAnnotations }} + annotations: + {{ toYaml .Values.alertmanager.deploymentAnnotations | nindent 4 }} +{{- end }} + labels: + {{- include "prometheus.alertmanager.labels" . | nindent 4 }} + name: {{ template "prometheus.alertmanager.fullname" . }} +{{ include "prometheus.namespace" . | indent 2 }} +spec: + selector: + matchLabels: + {{- include "prometheus.alertmanager.matchLabels" . | nindent 6 }} + replicas: {{ .Values.alertmanager.replicaCount }} + {{- if .Values.alertmanager.strategy }} + strategy: +{{ toYaml .Values.alertmanager.strategy | trim | indent 4 }} + {{ if eq .Values.alertmanager.strategy.type "Recreate" }}rollingUpdate: null{{ end }} +{{- end }} + template: + metadata: + {{- if .Values.alertmanager.podAnnotations }} + annotations: + {{ toYaml .Values.alertmanager.podAnnotations | nindent 8 }} + {{- end }} + labels: + {{- include "prometheus.alertmanager.labels" . | nindent 8 }} + {{- if .Values.alertmanager.podLabels}} + {{ toYaml .Values.alertmanager.podLabels | nindent 8 }} + {{- end}} + spec: +{{- if .Values.alertmanager.schedulerName }} + schedulerName: "{{ .Values.alertmanager.schedulerName }}" +{{- end }} + serviceAccountName: {{ template "prometheus.serviceAccountName.alertmanager" . }} + {{- if .Values.alertmanager.extraInitContainers }} + initContainers: +{{ toYaml .Values.alertmanager.extraInitContainers | indent 8 }} + {{- end }} +{{- if .Values.alertmanager.priorityClassName }} + priorityClassName: "{{ .Values.alertmanager.priorityClassName }}" +{{- end }} + containers: + - name: {{ template "prometheus.name" . 
}}-{{ .Values.alertmanager.name }} + image: "{{ .Values.alertmanager.image.repository }}:{{ .Values.alertmanager.image.tag }}" + imagePullPolicy: "{{ .Values.alertmanager.image.pullPolicy }}" + env: + {{- range $key, $value := .Values.alertmanager.extraEnv }} + - name: {{ $key }} + value: {{ $value }} + {{- end }} + - name: POD_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.podIP + args: + - --config.file=/etc/config/{{ .Values.alertmanager.configFileName }} + - --storage.path={{ .Values.alertmanager.persistentVolume.mountPath }} + - --cluster.advertise-address=[$(POD_IP)]:6783 + {{- range $key, $value := .Values.alertmanager.extraArgs }} + - --{{ $key }}={{ $value }} + {{- end }} + {{- if .Values.alertmanager.baseURL }} + - --web.external-url={{ .Values.alertmanager.baseURL }} + {{- end }} + + ports: + - containerPort: 9093 + readinessProbe: + httpGet: + path: {{ .Values.alertmanager.prefixURL }}/-/ready + port: 9093 + initialDelaySeconds: 30 + timeoutSeconds: 30 + resources: +{{ toYaml .Values.alertmanager.resources | indent 12 }} + volumeMounts: + - name: config-volume + mountPath: /etc/config + - name: storage-volume + mountPath: "{{ .Values.alertmanager.persistentVolume.mountPath }}" + subPath: "{{ .Values.alertmanager.persistentVolume.subPath }}" + {{- range .Values.alertmanager.extraSecretMounts }} + - name: {{ .name }} + mountPath: {{ .mountPath }} + subPath: {{ .subPath }} + readOnly: {{ .readOnly }} + {{- end }} + + {{- if .Values.configmapReload.alertmanager.enabled }} + - name: {{ template "prometheus.name" . 
}}-{{ .Values.alertmanager.name }}-{{ .Values.configmapReload.alertmanager.name }} + image: "{{ include "get.cmreloadimage" .}}" + imagePullPolicy: "{{ .Values.configmapReload.alertmanager.image.pullPolicy }}" + args: + - --volume-dir=/etc/config + - --webhook-url=http://127.0.0.1:9093{{ .Values.alertmanager.prefixURL }}/-/reload + resources: +{{ toYaml .Values.configmapReload.alertmanager.resources | indent 12 }} + volumeMounts: + - name: config-volume + mountPath: /etc/config + readOnly: true + {{- end }} + {{- if .Values.imagePullSecrets }} + imagePullSecrets: +{{ toYaml .Values.imagePullSecrets | indent 8 }} + {{- end }} + {{- if .Values.alertmanager.nodeSelector }} + nodeSelector: +{{ toYaml .Values.alertmanager.nodeSelector | indent 8 }} + {{- end }} + {{- with .Values.alertmanager.dnsConfig }} + dnsConfig: +{{ toYaml . | indent 8 }} + {{- end }} + {{- if .Values.alertmanager.securityContext }} + securityContext: +{{ toYaml .Values.alertmanager.securityContext | indent 8 }} + {{- end }} + {{- if .Values.alertmanager.tolerations }} + tolerations: +{{ toYaml .Values.alertmanager.tolerations | indent 8 }} + {{- end }} + {{- if .Values.alertmanager.affinity }} + affinity: +{{ toYaml .Values.alertmanager.affinity | indent 8 }} + {{- end }} + volumes: + - name: config-volume + {{- if empty .Values.alertmanager.configFromSecret }} + configMap: + name: {{ if .Values.alertmanager.configMapOverrideName }}{{ .Release.Name }}-{{ .Values.alertmanager.configMapOverrideName }}{{- else }}{{ template "prometheus.alertmanager.fullname" . }}{{- end }} + {{- else }} + secret: + secretName: {{ .Values.alertmanager.configFromSecret }} + {{- end }} + {{- range .Values.alertmanager.extraSecretMounts }} + - name: {{ .name }} + secret: + secretName: {{ .secretName }} + {{- with .optional }} + optional: {{ . 
}} + {{- end }} + {{- end }} + - name: storage-volume + {{- if .Values.alertmanager.persistentVolume.enabled }} + persistentVolumeClaim: + claimName: {{ if .Values.alertmanager.persistentVolume.existingClaim }}{{ .Values.alertmanager.persistentVolume.existingClaim }}{{- else }}{{ template "prometheus.alertmanager.fullname" . }}{{- end }} + {{- else }} + emptyDir: + {{- if .Values.alertmanager.emptyDir.sizeLimit }} + sizeLimit: {{ .Values.alertmanager.emptyDir.sizeLimit }} + {{- else }} + {} + {{- end -}} + {{- end -}} +{{- end }} diff --git a/charts/k10/k10/4.5.1100/charts/prometheus/templates/alertmanager/headless-svc.yaml b/charts/k10/k10/4.5.1100/charts/prometheus/templates/alertmanager/headless-svc.yaml new file mode 100644 index 000000000..8c402c408 --- /dev/null +++ b/charts/k10/k10/4.5.1100/charts/prometheus/templates/alertmanager/headless-svc.yaml @@ -0,0 +1,31 @@ +{{- if and .Values.alertmanager.enabled .Values.alertmanager.statefulSet.enabled -}} +apiVersion: v1 +kind: Service +metadata: +{{- if .Values.alertmanager.statefulSet.headless.annotations }} + annotations: +{{ toYaml .Values.alertmanager.statefulSet.headless.annotations | indent 4 }} +{{- end }} + labels: + {{- include "prometheus.alertmanager.labels" . | nindent 4 }} +{{- if .Values.alertmanager.statefulSet.headless.labels }} +{{ toYaml .Values.alertmanager.statefulSet.headless.labels | indent 4 }} +{{- end }} + name: {{ template "prometheus.alertmanager.fullname" . }}-headless +{{ include "prometheus.namespace" . | indent 2 }} +spec: + clusterIP: None + ports: + - name: http + port: {{ .Values.alertmanager.statefulSet.headless.servicePort }} + protocol: TCP + targetPort: 9093 +{{- if .Values.alertmanager.statefulSet.headless.enableMeshPeer }} + - name: meshpeer + port: 6783 + protocol: TCP + targetPort: 6783 +{{- end }} + selector: + {{- include "prometheus.alertmanager.matchLabels" . | nindent 4 }} +{{- end }} 
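Review bot: In alertmanager/deploy.yaml the `extraEnv` loop renders `value: {{ $value }}` without quoting. A value such as `true` or `8080` becomes a YAML boolean or integer, and the API server rejects it because an env var value must be a string. I would write `value: {{ $value | quote }}`. The same loop appears in alertmanager/sts.yaml.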
diff --git a/charts/k10/k10/4.5.1100/charts/prometheus/templates/alertmanager/ingress.yaml b/charts/k10/k10/4.5.1100/charts/prometheus/templates/alertmanager/ingress.yaml
new file mode 100644
index 000000000..6e856360b
--- /dev/null
+++ b/charts/k10/k10/4.5.1100/charts/prometheus/templates/alertmanager/ingress.yaml
@@ -0,0 +1,57 @@ +{{- if and .Values.alertmanager.enabled .Values.alertmanager.ingress.enabled -}} +{{- $ingressApiIsStable := eq (include "ingress.isStable" .) "true" -}} +{{- $ingressSupportsIngressClassName := eq (include "ingress.supportsIngressClassName" .) "true" -}} +{{- $ingressSupportsPathType := eq (include "ingress.supportsPathType" .) "true" -}} +{{- $releaseName := .Release.Name -}} +{{- $serviceName := include "prometheus.alertmanager.fullname" . }} +{{- $servicePort := .Values.alertmanager.service.servicePort -}} +{{- $ingressPath := .Values.alertmanager.ingress.path -}} +{{- $ingressPathType := .Values.alertmanager.ingress.pathType -}} +{{- $extraPaths := .Values.alertmanager.ingress.extraPaths -}} +apiVersion: {{ template "ingress.apiVersion" . }} +kind: Ingress +metadata: +{{- if .Values.alertmanager.ingress.annotations }} + annotations: +{{ toYaml .Values.alertmanager.ingress.annotations | indent 4 }} +{{- end }} + labels: + {{- include "prometheus.alertmanager.labels" . | nindent 4 }} +{{- range $key, $value := .Values.alertmanager.ingress.extraLabels }} + {{ $key }}: {{ $value }} +{{- end }} + name: {{ template "prometheus.alertmanager.fullname" . }} +{{ include "prometheus.namespace" . | indent 2 }} +spec: + {{- if and $ingressSupportsIngressClassName .Values.alertmanager.ingress.ingressClassName }} + ingressClassName: {{ .Values.alertmanager.ingress.ingressClassName }} + {{- end }} + rules: + {{- range .Values.alertmanager.ingress.hosts }} + {{- $url := splitList "/" . 
}} + - host: {{ first $url }} + http: + paths: +{{ if $extraPaths }} +{{ toYaml $extraPaths | indent 10 }} +{{- end }} + - path: {{ $ingressPath }} + {{- if $ingressSupportsPathType }} + pathType: {{ $ingressPathType }} + {{- end }} + backend: + {{- if $ingressApiIsStable }} + service: + name: {{ $serviceName }} + port: + number: {{ $servicePort }} + {{- else }} + serviceName: {{ $serviceName }} + servicePort: {{ $servicePort }} + {{- end }} + {{- end -}} +{{- if .Values.alertmanager.ingress.tls }} + tls: +{{ toYaml .Values.alertmanager.ingress.tls | indent 4 }} + {{- end -}} +{{- end -}} diff --git a/charts/k10/k10/4.5.1100/charts/prometheus/templates/alertmanager/netpol.yaml b/charts/k10/k10/4.5.1100/charts/prometheus/templates/alertmanager/netpol.yaml new file mode 100644 index 000000000..e44ade60e --- /dev/null +++ b/charts/k10/k10/4.5.1100/charts/prometheus/templates/alertmanager/netpol.yaml @@ -0,0 +1,20 @@ +{{- if and .Values.alertmanager.enabled .Values.networkPolicy.enabled -}} +apiVersion: {{ template "prometheus.networkPolicy.apiVersion" . }} +kind: NetworkPolicy +metadata: + name: {{ template "prometheus.alertmanager.fullname" . }} +{{ include "prometheus.namespace" . | indent 2 }} + labels: + {{- include "prometheus.alertmanager.labels" . | nindent 4 }} +spec: + podSelector: + matchLabels: + {{- include "prometheus.alertmanager.matchLabels" . | nindent 6 }} + ingress: + - from: + - podSelector: + matchLabels: + {{- include "prometheus.server.matchLabels" . | nindent 12 }} + - ports: + - port: 9093 +{{- end -}} diff --git a/charts/k10/k10/4.5.1100/charts/prometheus/templates/alertmanager/pdb.yaml b/charts/k10/k10/4.5.1100/charts/prometheus/templates/alertmanager/pdb.yaml new file mode 100644 index 000000000..41a92f364 --- /dev/null +++ b/charts/k10/k10/4.5.1100/charts/prometheus/templates/alertmanager/pdb.yaml 
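Review bot: alertmanager/ingress.yaml publishes the Alertmanager service without any visible authentication in front of it, and the `tls:` block is only rendered when `alertmanager.ingress.tls` is set. As far as the visible templates configure it, the listener on 9093 is started with no login, so anyone who can reach the ingress host could presumably read alerts and create silences; this should be confirmed against the image's defaults. I would document the expectation next to `kind: Ingress`, for example `# Alertmanager is served without authentication by this chart; add auth annotations for your ingress controller and set ingress.tls before exposing it.`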
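Review bot: In alertmanager/netpol.yaml the `ingress` list holds two separate rules, `- from:` and `- ports:`, and NetworkPolicy rules are OR-ed. As written, the first rule admits the Prometheus server pods on every port and the second admits every source on port 9093, so the policy does not restrict who can reach Alertmanager. The intent looks like a single rule; drop the dash so `ports:` belongs to the same list item as `from:`, i.e. `ports:` followed by `- port: 9093`. If mesh peering on 6783 is enabled, a peer rule for the alertmanager pods would also be needed, since neither rule covers it.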
@@ -0,0 +1,14 @@
+{{- if .Values.alertmanager.podDisruptionBudget.enabled }}
+apiVersion: policy/v1beta1
+kind: PodDisruptionBudget
+metadata:
+ name: {{ template "prometheus.alertmanager.fullname" . }}
+{{ include "prometheus.namespace" . | indent 2 }}
+ labels:
+ {{- include "prometheus.alertmanager.labels" . | nindent 4 }}
+spec:
+ maxUnavailable: {{ .Values.alertmanager.podDisruptionBudget.maxUnavailable }}
+ selector:
+ matchLabels:
+ {{- include "prometheus.alertmanager.labels" . | nindent 6 }}
+{{- end }}
diff --git a/charts/k10/k10/4.5.1100/charts/prometheus/templates/alertmanager/psp.yaml b/charts/k10/k10/4.5.1100/charts/prometheus/templates/alertmanager/psp.yaml
new file mode 100644
index 000000000..64fb13003
--- /dev/null
+++ b/charts/k10/k10/4.5.1100/charts/prometheus/templates/alertmanager/psp.yaml
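Review bot: The PodDisruptionBudget selector in alertmanager/pdb.yaml is built from `prometheus.alertmanager.labels`, whereas the Deployment, StatefulSet, Service and NetworkPolicy in this commit all select with `prometheus.alertmanager.matchLabels`. The helper bodies are outside this hunk, but if `labels` carries chart-version style labels the budget's selector changes on every upgrade and can diverge from the workload's selector. I would use `{{- include "prometheus.alertmanager.matchLabels" . | nindent 6 }}`. The guard also omits `.Values.alertmanager.enabled`, so the budget can be rendered with Alertmanager disabled. `policy/v1beta1` is hard-coded although other templates resolve their apiVersion through a helper.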
@@ -0,0 +1,46 @@
+{{- if and .Values.alertmanager.enabled .Values.rbac.create .Values.podSecurityPolicy.enabled }}
+apiVersion: {{ template "prometheus.podSecurityPolicy.apiVersion" . }}
+kind: PodSecurityPolicy
+metadata:
+ name: {{ template "prometheus.alertmanager.fullname" . }}
+ labels:
+ {{- include "prometheus.alertmanager.labels" . | nindent 4 }}
+ annotations:
+{{- if .Values.alertmanager.podSecurityPolicy.annotations }}
+{{ toYaml .Values.alertmanager.podSecurityPolicy.annotations | indent 4 }}
+{{- end }}
+spec:
+ privileged: false
+ allowPrivilegeEscalation: false
+ requiredDropCapabilities:
+ - ALL
+ volumes:
+ - 'configMap'
+ - 'persistentVolumeClaim'
+ - 'emptyDir'
+ - 'secret'
+ allowedHostPaths:
+ - pathPrefix: /etc
+ readOnly: true
+ - pathPrefix: {{ .Values.alertmanager.persistentVolume.mountPath }}
+ hostNetwork: false
+ hostPID: false
+ hostIPC: false
+ runAsUser:
+ rule: 'RunAsAny'
+ seLinux:
+ rule: 'RunAsAny'
+ supplementalGroups:
+ rule: 'MustRunAs'
+ ranges:
+ # Forbid adding the root group.
+ - min: 1
+ max: 65535
+ fsGroup:
+ rule: 'MustRunAs'
+ ranges:
+ # Forbid adding the root group.
+ - min: 1
+ max: 65535
+ readOnlyRootFilesystem: true
+{{- end }}
diff --git a/charts/k10/k10/4.5.1100/charts/prometheus/templates/alertmanager/pvc.yaml b/charts/k10/k10/4.5.1100/charts/prometheus/templates/alertmanager/pvc.yaml
new file mode 100644
index 000000000..28774d0e0
--- /dev/null
+++ b/charts/k10/k10/4.5.1100/charts/prometheus/templates/alertmanager/pvc.yaml
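Review bot: `runAsUser` in alertmanager/psp.yaml is `rule: 'RunAsAny'`, so the policy still admits a container running as UID 0 even though the two group rules are commented as forbidding root. If the Alertmanager image runs as a non-root user (not visible here), I would tighten this to `rule: 'MustRunAsNonRoot'`. The `allowedHostPaths` entries have no effect because `hostPath` is not in the `volumes` allow-list; removing them would make the policy easier to audit. node-exporter/psp.yaml uses the same `RunAsAny` rule.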
@@ -0,0 +1,39 @@
+{{- if not .Values.alertmanager.statefulSet.enabled -}}
+{{- if and .Values.alertmanager.enabled .Values.alertmanager.persistentVolume.enabled -}}
+{{- if not .Values.alertmanager.persistentVolume.existingClaim -}}
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ {{- if .Values.alertmanager.persistentVolume.annotations }}
+ annotations:
+{{ toYaml .Values.alertmanager.persistentVolume.annotations | indent 4 }}
+ {{- end }}
+ labels:
+ {{- include "prometheus.alertmanager.labels" . | nindent 4 }}
+ name: {{ template "prometheus.alertmanager.fullname" . }}
+{{ include "prometheus.namespace" . | indent 2 }}
+spec:
+ accessModes:
+{{ toYaml .Values.alertmanager.persistentVolume.accessModes | indent 4 }}
+{{- if .Values.alertmanager.persistentVolume.storageClass }}
+ {{- if (eq "-" .Values.alertmanager.persistentVolume.storageClass) }}
+ storageClassName: ""
+ {{- else }}
+ storageClassName: "{{ .Values.alertmanager.persistentVolume.storageClass }}"
+ {{- end }}
+{{- else if .Values.global.persistence.storageClass }}
+ {{- if (eq "-" .Values.global.persistence.storageClass) }}
+ storageClassName: ""
+ {{- else }}
+ storageClassName: "{{ .Values.global.persistence.storageClass }}"
+ {{- end }}
+{{- end }}
+{{- if .Values.alertmanager.persistentVolume.volumeBindingMode }}
+ volumeBindingModeName: "{{ .Values.alertmanager.persistentVolume.volumeBindingMode }}"
+{{- end }}
+ resources:
+ requests:
+ storage: "{{ .Values.alertmanager.persistentVolume.size }}"
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/k10/k10/4.5.1100/charts/prometheus/templates/alertmanager/role.yaml b/charts/k10/k10/4.5.1100/charts/prometheus/templates/alertmanager/role.yaml
new file mode 100644
index 000000000..ce60eaf0a
--- /dev/null
+++ b/charts/k10/k10/4.5.1100/charts/prometheus/templates/alertmanager/role.yaml
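Review bot: `volumeBindingModeName` in alertmanager/pvc.yaml is not a field of a PersistentVolumeClaim spec; the binding mode is a property of the StorageClass. When `alertmanager.persistentVolume.volumeBindingMode` is set, the rendered claim carries an unknown field that is either rejected by strict validation or silently dropped. I would remove the three-line `{{- if .Values.alertmanager.persistentVolume.volumeBindingMode }}` block and leave the binding mode to the StorageClass chosen through `storageClassName`.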
@@ -0,0 +1,24 @@
+{{- if and .Values.alertmanager.enabled .Values.rbac.create (eq .Values.alertmanager.useClusterRole false) (not .Values.alertmanager.useExistingRole) -}}
+{{- range $.Values.alertmanager.namespaces }}
+apiVersion: {{ template "rbac.apiVersion" . }}
+kind: Role
+metadata:
+ labels:
+ {{- include "prometheus.alertmanager.labels" $ | nindent 4 }}
+ name: {{ template "prometheus.alertmanager.fullname" $ }}
+ namespace: {{ . }}
+rules:
+{{- if $.Values.podSecurityPolicy.enabled }}
+ - apiGroups:
+ - extensions
+ resources:
+ - podsecuritypolicies
+ verbs:
+ - use
+ resourceNames:
+ - {{ template "prometheus.alertmanager.fullname" $ }}
+{{- else }}
+ []
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/k10/k10/4.5.1100/charts/prometheus/templates/alertmanager/rolebinding.yaml b/charts/k10/k10/4.5.1100/charts/prometheus/templates/alertmanager/rolebinding.yaml
new file mode 100644
index 000000000..906d6522d
--- /dev/null
+++ b/charts/k10/k10/4.5.1100/charts/prometheus/templates/alertmanager/rolebinding.yaml
@@ -0,0 +1,23 @@
+{{- if and .Values.alertmanager.enabled .Values.rbac.create (eq .Values.alertmanager.useClusterRole false) -}}
+{{ range $.Values.alertmanager.namespaces }}
+apiVersion: {{ template "rbac.apiVersion" . }}
+kind: RoleBinding
+metadata:
+ labels:
+ {{- include "prometheus.alertmanager.labels" $ | nindent 4 }}
+ name: {{ template "prometheus.alertmanager.fullname" $ }}
+ namespace: {{ . }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ template "prometheus.serviceAccountName.alertmanager" $ }}
+{{ include "prometheus.namespace" $ | indent 4 }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+{{- if (not $.Values.alertmanager.useExistingRole) }}
+ name: {{ template "prometheus.alertmanager.fullname" $ }}
+{{- else }}
+ name: {{ $.Values.alertmanager.useExistingRole }}
+{{- end }}
+{{- end }}
+{{ end }}
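Review bot: Inside the `range $.Values.alertmanager.namespaces` loop in alertmanager/role.yaml, `{{ template "rbac.apiVersion" . }}` passes the current namespace string as context instead of the chart root. Every other call in the loop uses `$`. The helper body is not visible here, but if it reads `.Capabilities` it will fail or resolve wrongly on a string. I would change it to `{{ template "rbac.apiVersion" $ }}`. The loop also emits no `---` between iterations, so with more than one namespace the Roles render into a single YAML document with repeated keys. alertmanager/rolebinding.yaml has both problems.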
diff --git a/charts/k10/k10/4.5.1100/charts/prometheus/templates/alertmanager/service.yaml b/charts/k10/k10/4.5.1100/charts/prometheus/templates/alertmanager/service.yaml
new file mode 100644
index 000000000..9edc9ac65
--- /dev/null
+++ b/charts/k10/k10/4.5.1100/charts/prometheus/templates/alertmanager/service.yaml
@@ -0,0 +1,53 @@
+{{- if .Values.alertmanager.enabled -}}
+apiVersion: v1
+kind: Service
+metadata:
+{{- if .Values.alertmanager.service.annotations }}
+ annotations:
+{{ toYaml .Values.alertmanager.service.annotations | indent 4 }}
+{{- end }}
+ labels:
+ {{- include "prometheus.alertmanager.labels" . | nindent 4 }}
+{{- if .Values.alertmanager.service.labels }}
+{{ toYaml .Values.alertmanager.service.labels | indent 4 }}
+{{- end }}
+ name: {{ template "prometheus.alertmanager.fullname" . }}
+{{ include "prometheus.namespace" . | indent 2 }}
+spec:
+{{- if .Values.alertmanager.service.clusterIP }}
+ clusterIP: {{ .Values.alertmanager.service.clusterIP }}
+{{- end }}
+{{- if .Values.alertmanager.service.externalIPs }}
+ externalIPs:
+{{ toYaml .Values.alertmanager.service.externalIPs | indent 4 }}
+{{- end }}
+{{- if .Values.alertmanager.service.loadBalancerIP }}
+ loadBalancerIP: {{ .Values.alertmanager.service.loadBalancerIP }}
+{{- end }}
+{{- if .Values.alertmanager.service.loadBalancerSourceRanges }}
+ loadBalancerSourceRanges:
+ {{- range $cidr := .Values.alertmanager.service.loadBalancerSourceRanges }}
+ - {{ $cidr }}
+ {{- end }}
+{{- end }}
+ ports:
+ - name: http
+ port: {{ .Values.alertmanager.service.servicePort }}
+ protocol: TCP
+ targetPort: 9093
+ {{- if .Values.alertmanager.service.nodePort }}
+ nodePort: {{ .Values.alertmanager.service.nodePort }}
+ {{- end }}
+{{- if .Values.alertmanager.service.enableMeshPeer }}
+ - name: meshpeer
+ port: 6783
+ protocol: TCP
+ targetPort: 6783
+{{- end }}
+ selector:
+ {{- include "prometheus.alertmanager.matchLabels" . | nindent 4 }}
+{{- if .Values.alertmanager.service.sessionAffinity }}
+ sessionAffinity: {{ .Values.alertmanager.service.sessionAffinity }}
+{{- end }}
+ type: "{{ .Values.alertmanager.service.type }}"
+{{- end }}
diff --git a/charts/k10/k10/4.5.1100/charts/prometheus/templates/alertmanager/serviceaccount.yaml b/charts/k10/k10/4.5.1100/charts/prometheus/templates/alertmanager/serviceaccount.yaml
new file mode 100644
index 000000000..a5d996a85
--- /dev/null
+++ b/charts/k10/k10/4.5.1100/charts/prometheus/templates/alertmanager/serviceaccount.yaml
@@ -0,0 +1,11 @@
+{{- if and .Values.alertmanager.enabled .Values.serviceAccounts.alertmanager.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ labels:
+ {{- include "prometheus.alertmanager.labels" . | nindent 4 }}
+ name: {{ template "prometheus.serviceAccountName.alertmanager" . }}
+{{ include "prometheus.namespace" . | indent 2 }}
+ annotations:
+{{ toYaml .Values.serviceAccounts.alertmanager.annotations | indent 4 }}
+{{- end -}}
diff --git a/charts/k10/k10/4.5.1100/charts/prometheus/templates/alertmanager/sts.yaml b/charts/k10/k10/4.5.1100/charts/prometheus/templates/alertmanager/sts.yaml
new file mode 100644
index 000000000..95bbfe6c8
--- /dev/null
+++ b/charts/k10/k10/4.5.1100/charts/prometheus/templates/alertmanager/sts.yaml
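Review bot: The ServiceAccount in alertmanager/serviceaccount.yaml leaves token automounting at its default, so every Alertmanager pod receives an API token. The roles this commit binds to the account carry either an empty rule list or only a PodSecurityPolicy `use` rule, which suggests the workload does not call the Kubernetes API; this should be confirmed for the configmap-reload sidecar. If so, I would add `automountServiceAccountToken: false` at the top level of the manifest so a compromised container has no token to present.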
@@ -0,0 +1,187 @@ +{{- if and .Values.alertmanager.enabled .Values.alertmanager.statefulSet.enabled -}} +apiVersion: apps/v1 +kind: StatefulSet +metadata: +{{- if .Values.alertmanager.statefulSet.annotations }} + annotations: + {{ toYaml .Values.alertmanager.statefulSet.annotations | nindent 4 }} +{{- end }} + labels: + {{- include "prometheus.alertmanager.labels" . | nindent 4 }} + {{- if .Values.alertmanager.statefulSet.labels}} + {{ toYaml .Values.alertmanager.statefulSet.labels | nindent 4 }} + {{- end}} + name: {{ template "prometheus.alertmanager.fullname" . }} +{{ include "prometheus.namespace" . | indent 2 }} +spec: + serviceName: {{ template "prometheus.alertmanager.fullname" . }}-headless + selector: + matchLabels: + {{- include "prometheus.alertmanager.matchLabels" . | nindent 6 }} + replicas: {{ .Values.alertmanager.replicaCount }} + podManagementPolicy: {{ .Values.alertmanager.statefulSet.podManagementPolicy }} + template: + metadata: + {{- if .Values.alertmanager.podAnnotations }} + annotations: + {{ toYaml .Values.alertmanager.podAnnotations | nindent 8 }} + {{- end }} + labels: + {{- include "prometheus.alertmanager.labels" . | nindent 8 }} + {{- if .Values.alertmanager.podLabels}} + {{ toYaml .Values.alertmanager.podLabels | nindent 8 }} + {{- end}} + spec: +{{- if .Values.alertmanager.affinity }} + affinity: +{{ toYaml .Values.alertmanager.affinity | indent 8 }} +{{- end }} +{{- if .Values.alertmanager.schedulerName }} + schedulerName: "{{ .Values.alertmanager.schedulerName }}" +{{- end }} + serviceAccountName: {{ template "prometheus.serviceAccountName.alertmanager" . }} +{{- if .Values.alertmanager.priorityClassName }} + priorityClassName: "{{ .Values.alertmanager.priorityClassName }}" +{{- end }} + containers: + - name: {{ template "prometheus.name" . 
}}-{{ .Values.alertmanager.name }} + image: "{{ .Values.alertmanager.image.repository }}:{{ .Values.alertmanager.image.tag }}" + imagePullPolicy: "{{ .Values.alertmanager.image.pullPolicy }}" + env: + {{- range $key, $value := .Values.alertmanager.extraEnv }} + - name: {{ $key }} + value: {{ $value }} + {{- end }} + - name: POD_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.podIP + args: + - --config.file=/etc/config/alertmanager.yml + - --storage.path={{ .Values.alertmanager.persistentVolume.mountPath }} + {{- if .Values.alertmanager.statefulSet.headless.enableMeshPeer }} + - --cluster.advertise-address=[$(POD_IP)]:6783 + - --cluster.listen-address=0.0.0.0:6783 + {{- range $n := until (.Values.alertmanager.replicaCount | int) }} + - --cluster.peer={{ template "prometheus.alertmanager.fullname" $ }}-{{ $n }}.{{ template "prometheus.alertmanager.fullname" $ }}-headless:6783 + {{- end }} + {{- else }} + - --cluster.listen-address= + {{- end }} + {{- range $key, $value := .Values.alertmanager.extraArgs }} + - --{{ $key }}={{ $value }} + {{- end }} + {{- if .Values.alertmanager.baseURL }} + - --web.external-url={{ .Values.alertmanager.baseURL }} + {{- end }} + + ports: + - containerPort: 9093 + {{- if .Values.alertmanager.statefulSet.headless.enableMeshPeer }} + - containerPort: 6783 + {{- end }} + readinessProbe: + httpGet: + path: {{ .Values.alertmanager.prefixURL }}/#/status + port: 9093 + initialDelaySeconds: 30 + timeoutSeconds: 30 + resources: +{{ toYaml .Values.alertmanager.resources | indent 12 }} + volumeMounts: + - name: config-volume + mountPath: /etc/config + - name: storage-volume + mountPath: "{{ .Values.alertmanager.persistentVolume.mountPath }}" + subPath: "{{ .Values.alertmanager.persistentVolume.subPath }}" + {{- range .Values.alertmanager.extraSecretMounts }} + - name: {{ .name }} + mountPath: {{ .mountPath }} + subPath: {{ .subPath }} + readOnly: {{ .readOnly }} + {{- end }} + {{- if .Values.configmapReload.alertmanager.enabled }} 
+ - name: {{ template "prometheus.name" . }}-{{ .Values.alertmanager.name }}-{{ .Values.configmapReload.alertmanager.name }} + image: "{{ include "get.cmreloadimage" .}}" + imagePullPolicy: "{{ .Values.configmapReload.alertmanager.image.pullPolicy }}" + args: + - --volume-dir=/etc/config + - --webhook-url=http://localhost:9093{{ .Values.alertmanager.prefixURL }}/-/reload + resources: +{{ toYaml .Values.configmapReload.alertmanager.resources | indent 12 }} + volumeMounts: + - name: config-volume + mountPath: /etc/config + readOnly: true + {{- end }} + {{- if .Values.imagePullSecrets }} + imagePullSecrets: +{{ toYaml .Values.imagePullSecrets | indent 8 }} + {{- end }} + {{- if .Values.alertmanager.nodeSelector }} + nodeSelector: +{{ toYaml .Values.alertmanager.nodeSelector | indent 8 }} + {{- end }} + {{- if .Values.alertmanager.securityContext }} + securityContext: +{{ toYaml .Values.alertmanager.securityContext | indent 8 }} + {{- end }} + {{- if .Values.alertmanager.tolerations }} + tolerations: +{{ toYaml .Values.alertmanager.tolerations | indent 8 }} + {{- end }} + volumes: + - name: config-volume + {{- if empty .Values.alertmanager.configFromSecret }} + configMap: + name: {{ if .Values.alertmanager.configMapOverrideName }}{{ .Release.Name }}-{{ .Values.alertmanager.configMapOverrideName }}{{- else }}{{ template "prometheus.alertmanager.fullname" . }}{{- end }} + {{- else }} + secret: + secretName: {{ .Values.alertmanager.configFromSecret }} + {{- end }} + {{- range .Values.alertmanager.extraSecretMounts }} + - name: {{ .name }} + secret: + secretName: {{ .secretName }} + {{- with .optional }} + optional: {{ . 
}} + {{- end }} + {{- end }} +{{- if .Values.alertmanager.persistentVolume.enabled }} + volumeClaimTemplates: + - metadata: + name: storage-volume + {{- if .Values.alertmanager.persistentVolume.annotations }} + annotations: +{{ toYaml .Values.alertmanager.persistentVolume.annotations | indent 10 }} + {{- end }} + spec: + accessModes: +{{ toYaml .Values.alertmanager.persistentVolume.accessModes | indent 10 }} + resources: + requests: + storage: "{{ .Values.alertmanager.persistentVolume.size }}" + {{- if .Values.alertmanager.persistentVolume.storageClass }} + {{- if (eq "-" .Values.alertmanager.persistentVolume.storageClass) }} + storageClassName: "" + {{- else }} + storageClassName: "{{ .Values.alertmanager.persistentVolume.storageClass }}" + {{- end }} + {{- else if .Values.global.persistence.storageClass }} + {{- if (eq "-" .Values.global.persistence.storageClass) }} + storageClassName: "" + {{- else }} + storageClassName: "{{ .Values.global.persistence.storageClass }}" + {{- end }} + {{- end }} +{{- else }} + - name: storage-volume + emptyDir: + {{- if .Values.alertmanager.emptyDir.sizeLimit }} + sizeLimit: {{ .Values.alertmanager.emptyDir.sizeLimit }} + {{- else }} + {} + {{- end -}} +{{- end }} +{{- end }} diff --git a/charts/k10/k10/4.5.1100/charts/prometheus/templates/node-exporter/daemonset.yaml b/charts/k10/k10/4.5.1100/charts/prometheus/templates/node-exporter/daemonset.yaml new file mode 100644 index 000000000..667be9f49 --- /dev/null +++ b/charts/k10/k10/4.5.1100/charts/prometheus/templates/node-exporter/daemonset.yaml 
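Review bot: alertmanager/sts.yaml hard-codes `--config.file=/etc/config/alertmanager.yml`, whereas deploy.yaml builds the path from `.Values.alertmanager.configFileName`. If that value is changed, the StatefulSet variant points at a file that is not in the mounted config volume. I would use `- --config.file=/etc/config/{{ .Values.alertmanager.configFileName }}` here as well. The readiness probe also differs: it requests `{{ .Values.alertmanager.prefixURL }}/#/status`, a UI route, rather than the `/-/ready` endpoint the Deployment probes. Separately, when mesh peering is enabled the gossip listener binds `0.0.0.0:6783` and nothing in this hunk restricts who may connect to it.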
@@ -0,0 +1,146 @@ +{{- if .Values.nodeExporter.enabled -}} +apiVersion: {{ template "prometheus.daemonset.apiVersion" . }} +kind: DaemonSet +metadata: +{{- if .Values.nodeExporter.deploymentAnnotations }} + annotations: +{{ toYaml .Values.nodeExporter.deploymentAnnotations | indent 4 }} +{{- end }} + labels: + {{- include "prometheus.nodeExporter.labels" . | nindent 4 }} + name: {{ template "prometheus.nodeExporter.fullname" . }} +{{ include "prometheus.namespace" . | indent 2 }} +spec: + selector: + matchLabels: + {{- include "prometheus.nodeExporter.matchLabels" . | nindent 6 }} + {{- if .Values.nodeExporter.updateStrategy }} + updateStrategy: +{{ toYaml .Values.nodeExporter.updateStrategy | indent 4 }} + {{- end }} + template: + metadata: + {{- if .Values.nodeExporter.podAnnotations }} + annotations: +{{ toYaml .Values.nodeExporter.podAnnotations | indent 8 }} + {{- end }} + labels: + {{- include "prometheus.nodeExporter.labels" . | nindent 8 }} +{{- if .Values.nodeExporter.pod.labels }} +{{ toYaml .Values.nodeExporter.pod.labels | indent 8 }} +{{- end }} + spec: + serviceAccountName: {{ template "prometheus.serviceAccountName.nodeExporter" . }} + {{- if .Values.nodeExporter.extraInitContainers }} + initContainers: +{{ toYaml .Values.nodeExporter.extraInitContainers | indent 8 }} + {{- end }} +{{- if .Values.nodeExporter.priorityClassName }} + priorityClassName: "{{ .Values.nodeExporter.priorityClassName }}" +{{- end }} + containers: + - name: {{ template "prometheus.name" . 
}}-{{ .Values.nodeExporter.name }} + image: "{{ .Values.nodeExporter.image.repository }}:{{ .Values.nodeExporter.image.tag }}" + imagePullPolicy: "{{ .Values.nodeExporter.image.pullPolicy }}" + args: + - --path.procfs=/host/proc + - --path.sysfs=/host/sys + {{- if .Values.nodeExporter.hostRootfs }} + - --path.rootfs=/host/root + {{- end }} + {{- if .Values.nodeExporter.hostNetwork }} + - --web.listen-address=:{{ .Values.nodeExporter.service.hostPort }} + {{- end }} + {{- range $key, $value := .Values.nodeExporter.extraArgs }} + {{- if $value }} + - --{{ $key }}={{ $value }} + {{- else }} + - --{{ $key }} + {{- end }} + {{- end }} + ports: + - name: metrics + {{- if .Values.nodeExporter.hostNetwork }} + containerPort: {{ .Values.nodeExporter.service.hostPort }} + {{- else }} + containerPort: 9100 + {{- end }} + hostPort: {{ .Values.nodeExporter.service.hostPort }} + resources: +{{ toYaml .Values.nodeExporter.resources | indent 12 }} + volumeMounts: + - name: proc + mountPath: /host/proc + readOnly: true + - name: sys + mountPath: /host/sys + readOnly: true + {{- if .Values.nodeExporter.hostRootfs }} + - name: root + mountPath: /host/root + mountPropagation: HostToContainer + readOnly: true + {{- end }} + {{- range .Values.nodeExporter.extraHostPathMounts }} + - name: {{ .name }} + mountPath: {{ .mountPath }} + readOnly: {{ .readOnly }} + {{- if .mountPropagation }} + mountPropagation: {{ .mountPropagation }} + {{- end }} + {{- end }} + {{- range .Values.nodeExporter.extraConfigmapMounts }} + - name: {{ .name }} + mountPath: {{ .mountPath }} + readOnly: {{ .readOnly }} + {{- end }} + {{- if .Values.imagePullSecrets }} + imagePullSecrets: +{{ toYaml .Values.imagePullSecrets | indent 8 }} + {{- end }} + {{- if .Values.nodeExporter.hostNetwork }} + hostNetwork: true + {{- end }} + {{- if .Values.nodeExporter.hostPID }} + hostPID: true + {{- end }} + {{- if .Values.nodeExporter.tolerations }} + tolerations: +{{ toYaml .Values.nodeExporter.tolerations | indent 8 }} + {{- 
end }} + {{- if .Values.nodeExporter.nodeSelector }} + nodeSelector: +{{ toYaml .Values.nodeExporter.nodeSelector | indent 8 }} + {{- end }} + {{- with .Values.nodeExporter.dnsConfig }} + dnsConfig: +{{ toYaml . | indent 8 }} + {{- end }} + {{- if .Values.nodeExporter.securityContext }} + securityContext: +{{ toYaml .Values.nodeExporter.securityContext | indent 8 }} + {{- end }} + volumes: + - name: proc + hostPath: + path: /proc + - name: sys + hostPath: + path: /sys + {{- if .Values.nodeExporter.hostRootfs }} + - name: root + hostPath: + path: / + {{- end }} + {{- range .Values.nodeExporter.extraHostPathMounts }} + - name: {{ .name }} + hostPath: + path: {{ .hostPath }} + {{- end }} + {{- range .Values.nodeExporter.extraConfigmapMounts }} + - name: {{ .name }} + configMap: + name: {{ .configMap }} + {{- end }} + +{{- end -}} diff --git a/charts/k10/k10/4.5.1100/charts/prometheus/templates/node-exporter/psp.yaml b/charts/k10/k10/4.5.1100/charts/prometheus/templates/node-exporter/psp.yaml new file mode 100644 index 000000000..bd9c73bee --- /dev/null +++ b/charts/k10/k10/4.5.1100/charts/prometheus/templates/node-exporter/psp.yaml 
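Review bot: The node-exporter container in node-exporter/daemonset.yaml has no container-level `securityContext`, although it mounts host `/proc`, `/sys` and optionally `/` and can run with `hostNetwork` and `hostPID`. The only hardening is the optional pod-level block from `.Values.nodeExporter.securityContext` and the PodSecurityPolicy, which applies only when it is enabled and enforced. I would pin the container to no privilege escalation, a read-only root filesystem and no capabilities, as sketched below. Whether the image tolerates a read-only root filesystem should be checked before merging.

```yaml
        - name: {{ template "prometheus.name" . }}-{{ .Values.nodeExporter.name }}
          # … unchanged: image, imagePullPolicy, args, ports, resources, volumeMounts …
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop:
                - ALL
```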
@@ -0,0 +1,55 @@
+{{- if and .Values.nodeExporter.enabled .Values.rbac.create .Values.podSecurityPolicy.enabled }}
+apiVersion: {{ template "prometheus.podSecurityPolicy.apiVersion" . }}
+kind: PodSecurityPolicy
+metadata:
+ name: {{ template "prometheus.nodeExporter.fullname" . }}
+ labels:
+ {{- include "prometheus.nodeExporter.labels" . | nindent 4 }}
+ annotations:
+{{- if .Values.nodeExporter.podSecurityPolicy.annotations }}
+{{ toYaml .Values.nodeExporter.podSecurityPolicy.annotations | indent 4 }}
+{{- end }}
+spec:
+ privileged: false
+ allowPrivilegeEscalation: false
+ requiredDropCapabilities:
+ - ALL
+ volumes:
+ - 'configMap'
+ - 'hostPath'
+ - 'secret'
+ allowedHostPaths:
+ - pathPrefix: /proc
+ readOnly: true
+ - pathPrefix: /sys
+ readOnly: true
+ - pathPrefix: /
+ readOnly: true
+ {{- range .Values.nodeExporter.extraHostPathMounts }}
+ - pathPrefix: {{ .hostPath }}
+ readOnly: {{ .readOnly }}
+ {{- end }}
+ hostNetwork: {{ .Values.nodeExporter.hostNetwork }}
+ hostPID: {{ .Values.nodeExporter.hostPID }}
+ hostIPC: false
+ runAsUser:
+ rule: 'RunAsAny'
+ seLinux:
+ rule: 'RunAsAny'
+ supplementalGroups:
+ rule: 'MustRunAs'
+ ranges:
+ # Forbid adding the root group.
+ - min: 1
+ max: 65535
+ fsGroup:
+ rule: 'MustRunAs'
+ ranges:
+ # Forbid adding the root group.
+ - min: 1
+ max: 65535
+ readOnlyRootFilesystem: false
+ hostPorts:
+ - min: 1
+ max: 65535
+{{- end }}
diff --git a/charts/k10/k10/4.5.1100/charts/prometheus/templates/node-exporter/role.yaml b/charts/k10/k10/4.5.1100/charts/prometheus/templates/node-exporter/role.yaml
new file mode 100644
index 000000000..d8ef3ed90
--- /dev/null
+++ b/charts/k10/k10/4.5.1100/charts/prometheus/templates/node-exporter/role.yaml
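Review bot: The `- pathPrefix: /` entry in `allowedHostPaths` is unconditional, so the policy always admits a read-only hostPath mount of the whole node filesystem, while the DaemonSet template mounts `/` only when `.Values.nodeExporter.hostRootfs` is set. Wrap that entry and its `readOnly: true` in `{{- if .Values.nodeExporter.hostRootfs }}` … `{{- end }}` so the policy is no wider than the pod spec; as written, the `/` prefix also makes the `/proc` and `/sys` entries redundant. `hostPorts` likewise allows 1–65535 although the container binds only `.Values.nodeExporter.service.hostPort`, so `min` and `max` could both be that value.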
@@ -0,0 +1,17 @@
+{{- if and .Values.nodeExporter.enabled .Values.rbac.create }}
+{{- if or (default .Values.nodeExporter.podSecurityPolicy.enabled false) (.Values.podSecurityPolicy.enabled) }}
+apiVersion: {{ template "rbac.apiVersion" . }}
+kind: Role
+metadata:
+ name: {{ template "prometheus.nodeExporter.fullname" . }}
+ labels:
+ {{- include "prometheus.nodeExporter.labels" . | nindent 4 }}
+{{ include "prometheus.namespace" . | indent 2 }}
+rules:
+- apiGroups: ['extensions']
+ resources: ['podsecuritypolicies']
+ verbs: ['use']
+ resourceNames:
+ - {{ template "prometheus.nodeExporter.fullname" . }}
+{{- end }}
+{{- end }}
diff --git a/charts/k10/k10/4.5.1100/charts/prometheus/templates/node-exporter/rolebinding.yaml b/charts/k10/k10/4.5.1100/charts/prometheus/templates/node-exporter/rolebinding.yaml
new file mode 100644
index 000000000..06914b70a
--- /dev/null
+++ b/charts/k10/k10/4.5.1100/charts/prometheus/templates/node-exporter/rolebinding.yaml
@@ -0,0 +1,19 @@
+{{- if and .Values.nodeExporter.enabled .Values.rbac.create }}
+{{- if .Values.podSecurityPolicy.enabled }}
+apiVersion: {{ template "rbac.apiVersion" . }}
+kind: RoleBinding
+metadata:
+ name: {{ template "prometheus.nodeExporter.fullname" . }}
+ labels:
+ {{- include "prometheus.nodeExporter.labels" . | nindent 4 }}
+{{ include "prometheus.namespace" . | indent 2 }}
+roleRef:
+ kind: Role
+ name: {{ template "prometheus.nodeExporter.fullname" . }}
+ apiGroup: rbac.authorization.k8s.io
+subjects:
+- kind: ServiceAccount
+ name: {{ template "prometheus.serviceAccountName.nodeExporter" . }}
+{{ include "prometheus.namespace" . | indent 2 }}
+{{- end }}
+{{- end }}
diff --git a/charts/k10/k10/4.5.1100/charts/prometheus/templates/node-exporter/serviceaccount.yaml b/charts/k10/k10/4.5.1100/charts/prometheus/templates/node-exporter/serviceaccount.yaml
new file mode 100644
index 000000000..0cf91afba
--- /dev/null
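Review bot: The inner condition on this Role, `or (default .Values.nodeExporter.podSecurityPolicy.enabled false) (.Values.podSecurityPolicy.enabled)`, is wider than the one on the PodSecurityPolicy and on the RoleBinding in rolebinding.yaml, which test only `.Values.podSecurityPolicy.enabled`. With only the node-exporter flag set, the Role is rendered naming a policy that is never created, and nothing binds it. The `default` call also has its arguments reversed (the fallback goes first) and gives the intended result only because `false` counts as empty. Use one test in all three templates, for example `{{- if .Values.podSecurityPolicy.enabled }}`.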
+++ b/charts/k10/k10/4.5.1100/charts/prometheus/templates/node-exporter/serviceaccount.yaml @@ -0,0 +1,11 @@ +{{- if and .Values.nodeExporter.enabled .Values.serviceAccounts.nodeExporter.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + {{- include "prometheus.nodeExporter.labels" . | nindent 4 }} + name: {{ template "prometheus.serviceAccountName.nodeExporter" . }} +{{ include "prometheus.namespace" . | indent 2 }} + annotations: +{{ toYaml .Values.serviceAccounts.nodeExporter.annotations | indent 4 }} +{{- end -}} diff --git a/charts/k10/k10/4.5.1100/charts/prometheus/templates/node-exporter/svc.yaml b/charts/k10/k10/4.5.1100/charts/prometheus/templates/node-exporter/svc.yaml new file mode 100644 index 000000000..26d1eaa21 --- /dev/null +++ b/charts/k10/k10/4.5.1100/charts/prometheus/templates/node-exporter/svc.yaml 
@@ -0,0 +1,47 @@ +{{- if .Values.nodeExporter.enabled -}} +apiVersion: v1 +kind: Service +metadata: +{{- if .Values.nodeExporter.service.annotations }} + annotations: +{{ toYaml .Values.nodeExporter.service.annotations | indent 4 }} +{{- end }} + labels: + {{- include "prometheus.nodeExporter.labels" . | nindent 4 }} +{{- if .Values.nodeExporter.service.labels }} +{{ toYaml .Values.nodeExporter.service.labels | indent 4 }} +{{- end }} + name: {{ template "prometheus.nodeExporter.fullname" . }} +{{ include "prometheus.namespace" . | indent 2 }} +spec: +{{- if .Values.nodeExporter.service.clusterIP }} + clusterIP: {{ .Values.nodeExporter.service.clusterIP }} +{{- end }} +{{- if .Values.nodeExporter.service.externalIPs }} + externalIPs: +{{ toYaml .Values.nodeExporter.service.externalIPs | indent 4 }} +{{- end }} +{{- if .Values.nodeExporter.service.loadBalancerIP }} + loadBalancerIP: {{ .Values.nodeExporter.service.loadBalancerIP }} +{{- end }} +{{- if .Values.nodeExporter.service.loadBalancerSourceRanges }} + loadBalancerSourceRanges: + {{- range $cidr := .Values.nodeExporter.service.loadBalancerSourceRanges }} + - {{ $cidr }} + {{- end }} +{{- end }} + ports: + - name: metrics + {{- if .Values.nodeExporter.hostNetwork }} + port: {{ .Values.nodeExporter.service.hostPort }} + protocol: TCP + targetPort: {{ .Values.nodeExporter.service.hostPort }} + {{- else }} + port: {{ .Values.nodeExporter.service.servicePort }} + protocol: TCP + targetPort: 9100 + {{- end }} + selector: + {{- include "prometheus.nodeExporter.matchLabels" . | nindent 4 }} + type: "{{ .Values.nodeExporter.service.type }}" +{{- end -}} diff --git a/charts/k10/k10/4.5.1100/charts/prometheus/templates/pushgateway/clusterrole.yaml b/charts/k10/k10/4.5.1100/charts/prometheus/templates/pushgateway/clusterrole.yaml new file mode 100644 index 000000000..76ecf053f --- /dev/null +++ b/charts/k10/k10/4.5.1100/charts/prometheus/templates/pushgateway/clusterrole.yaml 
@@ -0,0 +1,21 @@
+{{- if and .Values.pushgateway.enabled .Values.rbac.create -}}
+apiVersion: {{ template "rbac.apiVersion" . }}
+kind: ClusterRole
+metadata:
+ labels:
+ {{- include "prometheus.pushgateway.labels" . | nindent 4 }}
+ name: {{ template "prometheus.pushgateway.fullname" . }}
+rules:
+{{- if .Values.podSecurityPolicy.enabled }}
+ - apiGroups:
+ - extensions
+ resources:
+ - podsecuritypolicies
+ verbs:
+ - use
+ resourceNames:
+ - {{ template "prometheus.pushgateway.fullname" . }}
+{{- else }}
+ []
+{{- end }}
+{{- end }}
diff --git a/charts/k10/k10/4.5.1100/charts/prometheus/templates/pushgateway/clusterrolebinding.yaml b/charts/k10/k10/4.5.1100/charts/prometheus/templates/pushgateway/clusterrolebinding.yaml
new file mode 100644
index 000000000..15770ee50
--- /dev/null
+++ b/charts/k10/k10/4.5.1100/charts/prometheus/templates/pushgateway/clusterrolebinding.yaml
@@ -0,0 +1,16 @@
+{{- if and .Values.pushgateway.enabled .Values.rbac.create -}}
+apiVersion: {{ template "rbac.apiVersion" . }}
+kind: ClusterRoleBinding
+metadata:
+ labels:
+ {{- include "prometheus.pushgateway.labels" . | nindent 4 }}
+ name: {{ template "prometheus.pushgateway.fullname" . }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ template "prometheus.serviceAccountName.pushgateway" . }}
+{{ include "prometheus.namespace" . | indent 4 }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ template "prometheus.pushgateway.fullname" . }}
+{{- end }}
diff --git a/charts/k10/k10/4.5.1100/charts/prometheus/templates/pushgateway/deploy.yaml b/charts/k10/k10/4.5.1100/charts/prometheus/templates/pushgateway/deploy.yaml
new file mode 100644
index 000000000..ffdbfcc42
--- /dev/null
+++ b/charts/k10/k10/4.5.1100/charts/prometheus/templates/pushgateway/deploy.yaml
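Review bot: The `use` rule in this ClusterRole names only the `extensions` API group, while the policy's own apiVersion comes from the `prometheus.podSecurityPolicy.apiVersion` helper, which is defined outside this hunk. If that helper yields `policy/v1beta1`, a rule limited to `extensions` may not authorize the service account on clusters that no longer serve PodSecurityPolicy from `extensions`, and the pods would then fail admission. Listing both groups (`- policy` next to `- extensions`) avoids that; node-exporter/role.yaml and server/clusterrole.yaml carry the same rule. A namespaced Role and RoleBinding would also be enough for this single grant, as the node-exporter templates do, instead of a ClusterRole that renders `rules: []` when the policy is disabled.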
@@ -0,0 +1,119 @@ +{{- if .Values.pushgateway.enabled -}} +apiVersion: {{ template "prometheus.deployment.apiVersion" . }} +kind: Deployment +metadata: +{{- if .Values.pushgateway.deploymentAnnotations }} + annotations: + {{ toYaml .Values.pushgateway.deploymentAnnotations | nindent 4 }} +{{- end }} + labels: + {{- include "prometheus.pushgateway.labels" . | nindent 4 }} + name: {{ template "prometheus.pushgateway.fullname" . }} +{{ include "prometheus.namespace" . | indent 2 }} +spec: + selector: + {{- if .Values.schedulerName }} + schedulerName: "{{ .Values.schedulerName }}" + {{- end }} + matchLabels: + {{- include "prometheus.pushgateway.matchLabels" . | nindent 6 }} + replicas: {{ .Values.pushgateway.replicaCount }} + {{- if .Values.pushgateway.strategy }} + strategy: +{{ toYaml .Values.pushgateway.strategy | trim | indent 4 }} + {{ if eq .Values.pushgateway.strategy.type "Recreate" }}rollingUpdate: null{{ end }} +{{- end }} + template: + metadata: + {{- if .Values.pushgateway.podAnnotations }} + annotations: + {{ toYaml .Values.pushgateway.podAnnotations | nindent 8 }} + {{- end }} + labels: + {{- include "prometheus.pushgateway.labels" . | nindent 8 }} + {{- if .Values.pushgateway.podLabels }} + {{ toYaml .Values.pushgateway.podLabels | nindent 8 }} + {{- end }} + spec: + serviceAccountName: {{ template "prometheus.serviceAccountName.pushgateway" . }} + {{- if .Values.pushgateway.extraInitContainers }} + initContainers: +{{ toYaml .Values.pushgateway.extraInitContainers | indent 8 }} + {{- end }} +{{- if .Values.pushgateway.priorityClassName }} + priorityClassName: "{{ .Values.pushgateway.priorityClassName }}" +{{- end }} + containers: + - name: {{ template "prometheus.name" . 
}}-{{ .Values.pushgateway.name }} + image: "{{ .Values.pushgateway.image.repository }}:{{ .Values.pushgateway.image.tag }}" + imagePullPolicy: "{{ .Values.pushgateway.image.pullPolicy }}" + args: + {{- range $key, $value := .Values.pushgateway.extraArgs }} + {{- $stringvalue := toString $value }} + {{- if eq $stringvalue "true" }} + - --{{ $key }} + {{- else }} + - --{{ $key }}={{ $value }} + {{- end }} + {{- end }} + ports: + - containerPort: 9091 + livenessProbe: + httpGet: + {{- if (index .Values "pushgateway" "extraArgs" "web.route-prefix") }} + path: /{{ index .Values "pushgateway" "extraArgs" "web.route-prefix" }}/-/healthy + {{- else }} + path: /-/healthy + {{- end }} + port: 9091 + initialDelaySeconds: 10 + timeoutSeconds: 10 + readinessProbe: + httpGet: + {{- if (index .Values "pushgateway" "extraArgs" "web.route-prefix") }} + path: /{{ index .Values "pushgateway" "extraArgs" "web.route-prefix" }}/-/ready + {{- else }} + path: /-/ready + {{- end }} + port: 9091 + initialDelaySeconds: 10 + timeoutSeconds: 10 + resources: +{{ toYaml .Values.pushgateway.resources | indent 12 }} + {{- if .Values.pushgateway.persistentVolume.enabled }} + volumeMounts: + - name: storage-volume + mountPath: "{{ .Values.pushgateway.persistentVolume.mountPath }}" + subPath: "{{ .Values.pushgateway.persistentVolume.subPath }}" + {{- end }} + {{- if .Values.imagePullSecrets }} + imagePullSecrets: +{{ toYaml .Values.imagePullSecrets | indent 8 }} + {{- end }} + {{- if .Values.pushgateway.nodeSelector }} + nodeSelector: +{{ toYaml .Values.pushgateway.nodeSelector | indent 8 }} + {{- end }} + {{- with .Values.pushgateway.dnsConfig }} + dnsConfig: +{{ toYaml . 
| indent 8 }} + {{- end }} + {{- if .Values.pushgateway.securityContext }} + securityContext: +{{ toYaml .Values.pushgateway.securityContext | indent 8 }} + {{- end }} + {{- if .Values.pushgateway.tolerations }} + tolerations: +{{ toYaml .Values.pushgateway.tolerations | indent 8 }} + {{- end }} + {{- if .Values.pushgateway.affinity }} + affinity: +{{ toYaml .Values.pushgateway.affinity | indent 8 }} + {{- end }} + {{- if .Values.pushgateway.persistentVolume.enabled }} + volumes: + - name: storage-volume + persistentVolumeClaim: + claimName: {{ if .Values.pushgateway.persistentVolume.existingClaim }}{{ .Values.pushgateway.persistentVolume.existingClaim }}{{- else }}{{ template "prometheus.pushgateway.fullname" . }}{{- end }} + {{- end -}} +{{- end }} diff --git a/charts/k10/k10/4.5.1100/charts/prometheus/templates/pushgateway/ingress.yaml b/charts/k10/k10/4.5.1100/charts/prometheus/templates/pushgateway/ingress.yaml new file mode 100644 index 000000000..5f176aed4 --- /dev/null +++ b/charts/k10/k10/4.5.1100/charts/prometheus/templates/pushgateway/ingress.yaml 
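Review bot: `schedulerName` is emitted between `selector:` and `matchLabels:`, which puts it inside the Deployment's label selector rather than in the pod spec (indentation is flattened on this page, but the ordering places it there). A label selector has no such field, so setting the value would either fail validation or be dropped, and the pod never gets the requested scheduler. The line also reads `.Values.schedulerName`, whereas server/deploy.yaml reads `.Values.server.schedulerName`. Move the three lines under the pod template's `spec:`, next to `priorityClassName`, and consider reading `.Values.pushgateway.schedulerName` if the values file is meant to scope it per component.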
@@ -0,0 +1,54 @@ +{{- if and .Values.pushgateway.enabled .Values.pushgateway.ingress.enabled -}} +{{- $ingressApiIsStable := eq (include "ingress.isStable" .) "true" -}} +{{- $ingressSupportsIngressClassName := eq (include "ingress.supportsIngressClassName" .) "true" -}} +{{- $ingressSupportsPathType := eq (include "ingress.supportsPathType" .) "true" -}} +{{- $releaseName := .Release.Name -}} +{{- $serviceName := include "prometheus.pushgateway.fullname" . }} +{{- $servicePort := .Values.pushgateway.service.servicePort -}} +{{- $ingressPath := .Values.pushgateway.ingress.path -}} +{{- $ingressPathType := .Values.pushgateway.ingress.pathType -}} +{{- $extraPaths := .Values.pushgateway.ingress.extraPaths -}} +apiVersion: {{ template "ingress.apiVersion" . }} +kind: Ingress +metadata: +{{- if .Values.pushgateway.ingress.annotations }} + annotations: +{{ toYaml .Values.pushgateway.ingress.annotations | indent 4}} +{{- end }} + labels: + {{- include "prometheus.pushgateway.labels" . | nindent 4 }} + name: {{ template "prometheus.pushgateway.fullname" . }} +{{ include "prometheus.namespace" . | indent 2 }} +spec: + {{- if and $ingressSupportsIngressClassName .Values.pushgateway.ingress.ingressClassName }} + ingressClassName: {{ .Values.pushgateway.ingress.ingressClassName }} + {{- end }} + rules: + {{- range .Values.pushgateway.ingress.hosts }} + {{- $url := splitList "/" . }} + - host: {{ first $url }} + http: + paths: +{{ if $extraPaths }} +{{ toYaml $extraPaths | indent 10 }} +{{- end }} + - path: {{ $ingressPath }} + {{- if $ingressSupportsPathType }} + pathType: {{ $ingressPathType }} + {{- end }} + backend: + {{- if $ingressApiIsStable }} + service: + name: {{ $serviceName }} + port: + number: {{ $servicePort }} + {{- else }} + serviceName: {{ $serviceName }} + servicePort: {{ $servicePort }} + {{- end }} + {{- end -}} +{{- if .Values.pushgateway.ingress.tls }} + tls: +{{ toYaml .Values.pushgateway.ingress.tls | indent 4 }} + {{- end -}} +{{- end -}} 
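Review bot: `$releaseName` is assigned at the top of the template and never used in this hunk, so the line can go. In the `range` over hosts, `splitList "/" .` keeps only the first segment, so a path written as part of a host entry is silently discarded in favour of `$ingressPath`; a template comment such as `{{- /* anything after the first "/" in a host entry is ignored; the path comes from ingress.path */ -}}` would make that explicit. The pushgateway container in deploy.yaml gets no arguments beyond `extraArgs`, so nothing visible here configures authentication. The values documentation for `pushgateway.ingress.enabled` should say that access control has to come from the ingress annotations or the controller.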
diff --git a/charts/k10/k10/4.5.1100/charts/prometheus/templates/pushgateway/netpol.yaml b/charts/k10/k10/4.5.1100/charts/prometheus/templates/pushgateway/netpol.yaml
new file mode 100644
index 000000000..c8d1fb37e
--- /dev/null
+++ b/charts/k10/k10/4.5.1100/charts/prometheus/templates/pushgateway/netpol.yaml
@@ -0,0 +1,20 @@
+{{- if and .Values.pushgateway.enabled .Values.networkPolicy.enabled -}}
+apiVersion: {{ template "prometheus.networkPolicy.apiVersion" . }}
+kind: NetworkPolicy
+metadata:
+ name: {{ template "prometheus.pushgateway.fullname" . }}
+{{ include "prometheus.namespace" . | indent 2 }}
+ labels:
+ {{- include "prometheus.pushgateway.labels" . | nindent 4 }}
+spec:
+ podSelector:
+ matchLabels:
+ {{- include "prometheus.pushgateway.matchLabels" . | nindent 6 }}
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ {{- include "prometheus.server.matchLabels" . | nindent 12 }}
+ - ports:
+ - port: 9091
+{{- end -}}
diff --git a/charts/k10/k10/4.5.1100/charts/prometheus/templates/pushgateway/pdb.yaml b/charts/k10/k10/4.5.1100/charts/prometheus/templates/pushgateway/pdb.yaml
new file mode 100644
index 000000000..50beb486d
--- /dev/null
+++ b/charts/k10/k10/4.5.1100/charts/prometheus/templates/pushgateway/pdb.yaml
@@ -0,0 +1,14 @@
+{{- if .Values.pushgateway.podDisruptionBudget.enabled }}
+apiVersion: policy/v1beta1
+kind: PodDisruptionBudget
+metadata:
+ name: {{ template "prometheus.pushgateway.fullname" . }}
+{{ include "prometheus.namespace" . | indent 2 }}
+ labels:
+ {{- include "prometheus.pushgateway.labels" . | nindent 4 }}
+spec:
+ maxUnavailable: {{ .Values.pushgateway.podDisruptionBudget.maxUnavailable }}
+ selector:
+ matchLabels:
+ {{- include "prometheus.pushgateway.labels" . | nindent 6 }}
+{{- end }}
diff --git a/charts/k10/k10/4.5.1100/charts/prometheus/templates/pushgateway/psp.yaml b/charts/k10/k10/4.5.1100/charts/prometheus/templates/pushgateway/psp.yaml
new file mode 100644
index 000000000..1ca3267f8
--- /dev/null
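Review bot: The two entries under `ingress:` in netpol.yaml are separate rules, because `- from:` carries no ports and `- ports:` carries no `from`, and NetworkPolicy rules are OR-ed (indentation is flattened on this page, but the second dash starts a new list item either way). As written, port 9091 is reachable from every source and the server pods are allowed on every port, so the policy restricts very little. If the intent is to admit only the Prometheus server on 9091, drop the dash so `ports:` sits in the same rule as `from:`. If other workloads are meant to push metrics, the `from` rule is redundant and the allowed peers should be made configurable instead.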
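Review bot: The PodDisruptionBudget selector in pdb.yaml is built from `prometheus.pushgateway.labels`, while the Deployment, Service and NetworkPolicy select with `prometheus.pushgateway.matchLabels`. The helper bodies are outside this hunk, but if `labels` includes chart or version labels the selector changes with every chart release; `{{- include "prometheus.pushgateway.matchLabels" . | nindent 6 }}` would keep it aligned with the Deployment. The template is also gated only on `podDisruptionBudget.enabled`, so it can render while `.Values.pushgateway.enabled` is false; `{{- if and .Values.pushgateway.enabled .Values.pushgateway.podDisruptionBudget.enabled }}` matches the other pushgateway templates.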
+++ b/charts/k10/k10/4.5.1100/charts/prometheus/templates/pushgateway/psp.yaml
@@ -0,0 +1,42 @@
+{{- if and .Values.pushgateway.enabled .Values.rbac.create .Values.podSecurityPolicy.enabled }}
+apiVersion: {{ template "prometheus.podSecurityPolicy.apiVersion" . }}
+kind: PodSecurityPolicy
+metadata:
+ name: {{ template "prometheus.pushgateway.fullname" . }}
+ labels:
+ {{- include "prometheus.pushgateway.labels" . | nindent 4 }}
+ annotations:
+{{- if .Values.pushgateway.podSecurityPolicy.annotations }}
+{{ toYaml .Values.pushgateway.podSecurityPolicy.annotations | indent 4 }}
+{{- end }}
+spec:
+ privileged: false
+ allowPrivilegeEscalation: false
+ requiredDropCapabilities:
+ - ALL
+ volumes:
+ - 'persistentVolumeClaim'
+ - 'secret'
+ allowedHostPaths:
+ - pathPrefix: {{ .Values.pushgateway.persistentVolume.mountPath }}
+ hostNetwork: false
+ hostPID: false
+ hostIPC: false
+ runAsUser:
+ rule: 'RunAsAny'
+ seLinux:
+ rule: 'RunAsAny'
+ supplementalGroups:
+ rule: 'MustRunAs'
+ ranges:
+ # Forbid adding the root group.
+ - min: 1
+ max: 65535
+ fsGroup:
+ rule: 'MustRunAs'
+ ranges:
+ # Forbid adding the root group.
+ - min: 1
+ max: 65535
+ readOnlyRootFilesystem: true
+{{- end }}
diff --git a/charts/k10/k10/4.5.1100/charts/prometheus/templates/pushgateway/pvc.yaml b/charts/k10/k10/4.5.1100/charts/prometheus/templates/pushgateway/pvc.yaml
new file mode 100644
index 000000000..908f4e2f2
--- /dev/null
+++ b/charts/k10/k10/4.5.1100/charts/prometheus/templates/pushgateway/pvc.yaml
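Review bot: `allowedHostPaths` lists the persistent-volume mount path, but `volumes` permits only `persistentVolumeClaim` and `secret`, so no hostPath volume can be admitted and the entry has no effect. It reads as though a host directory is being granted, and it would become live without a `readOnly` flag if `hostPath` were ever added to `volumes`; remove the `allowedHostPaths:` line and its `- pathPrefix:` entry. Separately, `runAsUser` is `RunAsAny` while the group rules say "Forbid adding the root group". If the pushgateway image runs as a non-root user, `rule: 'MustRunAsNonRoot'` would make the policy consistent with that comment.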
@@ -0,0 +1,37 @@
+{{- if .Values.pushgateway.persistentVolume.enabled -}}
+{{- if not .Values.pushgateway.persistentVolume.existingClaim -}}
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ {{- if .Values.pushgateway.persistentVolume.annotations }}
+ annotations:
+{{ toYaml .Values.pushgateway.persistentVolume.annotations | indent 4 }}
+ {{- end }}
+ labels:
+ {{- include "prometheus.pushgateway.labels" . | nindent 4 }}
+ name: {{ template "prometheus.pushgateway.fullname" . }}
+{{ include "prometheus.namespace" . | indent 2 }}
+spec:
+ accessModes:
+{{ toYaml .Values.pushgateway.persistentVolume.accessModes | indent 4 }}
+{{- if .Values.pushgateway.persistentVolume.storageClass }}
+ {{- if (eq "-" .Values.pushgateway.persistentVolume.storageClass) }}
+ storageClassName: ""
+ {{- else }}
+ storageClassName: "{{ .Values.pushgateway.persistentVolume.storageClass }}"
+ {{- end }}
+{{- else if .Values.global.persistence.storageClass }}
+ {{- if (eq "-" .Values.global.persistence.storageClass) }}
+ storageClassName: ""
+ {{- else }}
+ storageClassName: "{{ .Values.global.persistence.storageClass }}"
+ {{- end }}
+{{- end }}
+{{- if .Values.pushgateway.persistentVolume.volumeBindingMode }}
+ volumeBindingModeName: "{{ .Values.pushgateway.persistentVolume.volumeBindingMode }}"
+{{- end }}
+ resources:
+ requests:
+ storage: "{{ .Values.pushgateway.persistentVolume.size }}"
+{{- end -}}
+{{- end -}}
diff --git a/charts/k10/k10/4.5.1100/charts/prometheus/templates/pushgateway/service.yaml b/charts/k10/k10/4.5.1100/charts/prometheus/templates/pushgateway/service.yaml
new file mode 100644
index 000000000..f05f17c42
--- /dev/null
+++ b/charts/k10/k10/4.5.1100/charts/prometheus/templates/pushgateway/service.yaml
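Review bot: `volumeBindingModeName` is not a field of a PersistentVolumeClaim spec; the binding mode is a StorageClass property (`volumeBindingMode`). Setting `pushgateway.persistentVolume.volumeBindingMode` therefore yields a manifest that is rejected under strict field validation or has the key silently dropped, and the claim binds as the StorageClass dictates either way. Remove the three-line `{{- if .Values.pushgateway.persistentVolume.volumeBindingMode }}` block, or keep the value only as documentation that the mode must be set on the StorageClass.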
@@ -0,0 +1,41 @@ +{{- if .Values.pushgateway.enabled -}} +apiVersion: v1 +kind: Service +metadata: +{{- if .Values.pushgateway.service.annotations }} + annotations: +{{ toYaml .Values.pushgateway.service.annotations | indent 4}} +{{- end }} + labels: + {{- include "prometheus.pushgateway.labels" . | nindent 4 }} +{{- if .Values.pushgateway.service.labels }} +{{ toYaml .Values.pushgateway.service.labels | indent 4}} +{{- end }} + name: {{ template "prometheus.pushgateway.fullname" . }} +{{ include "prometheus.namespace" . | indent 2 }} +spec: +{{- if .Values.pushgateway.service.clusterIP }} + clusterIP: {{ .Values.pushgateway.service.clusterIP }} +{{- end }} +{{- if .Values.pushgateway.service.externalIPs }} + externalIPs: +{{ toYaml .Values.pushgateway.service.externalIPs | indent 4 }} +{{- end }} +{{- if .Values.pushgateway.service.loadBalancerIP }} + loadBalancerIP: {{ .Values.pushgateway.service.loadBalancerIP }} +{{- end }} +{{- if .Values.pushgateway.service.loadBalancerSourceRanges }} + loadBalancerSourceRanges: + {{- range $cidr := .Values.pushgateway.service.loadBalancerSourceRanges }} + - {{ $cidr }} + {{- end }} +{{- end }} + ports: + - name: http + port: {{ .Values.pushgateway.service.servicePort }} + protocol: TCP + targetPort: 9091 + selector: + {{- include "prometheus.pushgateway.matchLabels" . | nindent 4 }} + type: "{{ .Values.pushgateway.service.type }}" +{{- end }} diff --git a/charts/k10/k10/4.5.1100/charts/prometheus/templates/pushgateway/serviceaccount.yaml b/charts/k10/k10/4.5.1100/charts/prometheus/templates/pushgateway/serviceaccount.yaml new file mode 100644 index 000000000..8c0b876f3 --- /dev/null +++ b/charts/k10/k10/4.5.1100/charts/prometheus/templates/pushgateway/serviceaccount.yaml 
@@ -0,0 +1,11 @@
+{{- if and .Values.pushgateway.enabled .Values.serviceAccounts.pushgateway.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ labels:
+ {{- include "prometheus.pushgateway.labels" . | nindent 4 }}
+ name: {{ template "prometheus.serviceAccountName.pushgateway" . }}
+{{ include "prometheus.namespace" . | indent 2 }}
+ annotations:
+{{ toYaml .Values.serviceAccounts.pushgateway.annotations | indent 4 }}
+{{- end -}}
diff --git a/charts/k10/k10/4.5.1100/charts/prometheus/templates/server/clusterrole.yaml b/charts/k10/k10/4.5.1100/charts/prometheus/templates/server/clusterrole.yaml
new file mode 100644
index 000000000..539c56304
--- /dev/null
+++ b/charts/k10/k10/4.5.1100/charts/prometheus/templates/server/clusterrole.yaml
@@ -0,0 +1,48 @@
+{{- if and .Values.server.enabled .Values.rbac.create (empty .Values.server.useExistingClusterRoleName) -}}
+apiVersion: {{ template "rbac.apiVersion" . }}
+kind: ClusterRole
+metadata:
+ labels:
+ {{- include "prometheus.server.labels" . | nindent 4 }}
+ name: {{ template "prometheus.server.clusterrolefullname" . }}
+rules:
+{{- if .Values.podSecurityPolicy.enabled }}
+ - apiGroups:
+ - extensions
+ resources:
+ - podsecuritypolicies
+ verbs:
+ - use
+ resourceNames:
+ - {{ template "prometheus.server.fullname" . }}
+{{- end }}
+ - apiGroups:
+ - ""
+ resources:
+ - nodes
+ - nodes/proxy
+ - nodes/metrics
+ - services
+ - endpoints
+ - pods
+ - ingresses
+ - configmaps
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - "extensions"
+ - "networking.k8s.io"
+ resources:
+ - ingresses/status
+ - ingresses
+ verbs:
+ - get
+ - list
+ - watch
+ - nonResourceURLs:
+ - "/metrics"
+ verbs:
+ - get
+{{- end }}
diff --git a/charts/k10/k10/4.5.1100/charts/prometheus/templates/server/clusterrolebinding.yaml b/charts/k10/k10/4.5.1100/charts/prometheus/templates/server/clusterrolebinding.yaml
new file mode 100644
index 000000000..3c42e5827
--- /dev/null
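Review bot: The core-group rule in server/clusterrole.yaml grants `get`, `list` and `watch` on `nodes/proxy` and `configmaps` across the whole cluster. `nodes/proxy` reaches the kubelet API through the API server, and cluster-wide ConfigMap reads expose configuration from unrelated namespaces; neither is needed for service discovery itself. The scrape configuration is not part of this hunk, so confirm whether any job goes through the node proxy path; if none does, drop `- nodes/proxy` and `- configmaps` or put them behind a values flag. `ingresses` is also listed under the core group `""`, where no such resource exists, and the following rule already covers it.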
+++ b/charts/k10/k10/4.5.1100/charts/prometheus/templates/server/clusterrolebinding.yaml @@ -0,0 +1,16 @@ +{{- if and .Values.server.enabled .Values.rbac.create (empty .Values.server.namespaces) (empty .Values.server.useExistingClusterRoleName) -}} +apiVersion: {{ template "rbac.apiVersion" . }} +kind: ClusterRoleBinding +metadata: + labels: + {{- include "prometheus.server.labels" . | nindent 4 }} + name: {{ template "prometheus.server.clusterrolefullname" . }} +subjects: + - kind: ServiceAccount + name: {{ template "prometheus.serviceAccountName.server" . }} +{{ include "prometheus.namespace" . | indent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "prometheus.server.clusterrolefullname" . }} +{{- end }} diff --git a/charts/k10/k10/4.5.1100/charts/prometheus/templates/server/cm.yaml b/charts/k10/k10/4.5.1100/charts/prometheus/templates/server/cm.yaml new file mode 100644 index 000000000..e012694fc --- /dev/null +++ b/charts/k10/k10/4.5.1100/charts/prometheus/templates/server/cm.yaml 
@@ -0,0 +1,82 @@ +{{- if .Values.server.enabled -}} +{{- if (empty .Values.server.configMapOverrideName) -}} +apiVersion: v1 +kind: ConfigMap +metadata: + labels: + {{- include "prometheus.server.labels" . | nindent 4 }} + name: {{ template "prometheus.server.fullname" . }} +{{ include "prometheus.namespace" . | indent 2 }} +data: +{{- $root := . -}} +{{- range $key, $value := .Values.serverFiles }} + {{ $key }}: | +{{- if eq $key "prometheus.yml" }} + global: +{{ $root.Values.server.global | toYaml | trimSuffix "\n" | indent 6 }} +{{- if $root.Values.server.remoteWrite }} + remote_write: +{{ $root.Values.server.remoteWrite | toYaml | indent 4 }} +{{- end }} +{{- if $root.Values.server.remoteRead }} + remote_read: +{{ $root.Values.server.remoteRead | toYaml | indent 4 }} +{{- end }} +{{- end }} +{{- if eq $key "alerts" }} +{{- if and (not (empty $value)) (empty $value.groups) }} + groups: +{{- range $ruleKey, $ruleValue := $value }} + - name: {{ $ruleKey -}}.rules + rules: +{{ $ruleValue | toYaml | trimSuffix "\n" | indent 6 }} +{{- end }} +{{- else }} +{{ toYaml $value | indent 4 }} +{{- end }} +{{- else }} +{{ toYaml $value | default "{}" | indent 4 }} +{{- end }} +{{- if eq $key "prometheus.yml" -}} +{{- if $root.Values.extraScrapeConfigs }} +{{ tpl $root.Values.extraScrapeConfigs $root | indent 4 }} +{{- end -}} +{{- if or ($root.Values.alertmanager.enabled) ($root.Values.server.alertmanagers) }} + alerting: +{{- if $root.Values.alertRelabelConfigs }} +{{ $root.Values.alertRelabelConfigs | toYaml | trimSuffix "\n" | indent 6 }} +{{- end }} + alertmanagers: +{{- if $root.Values.server.alertmanagers }} +{{ toYaml $root.Values.server.alertmanagers | indent 8 }} +{{- else }} + - kubernetes_sd_configs: + - role: pod + tls_config: + ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt + bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + {{- if $root.Values.alertmanager.prefixURL }} + path_prefix: {{ $root.Values.alertmanager.prefixURL 
}} + {{- end }} + relabel_configs: + - source_labels: [__meta_kubernetes_namespace] + regex: {{ $root.Release.Namespace }} + action: keep + - source_labels: [__meta_kubernetes_pod_label_app] + regex: {{ template "prometheus.name" $root }} + action: keep + - source_labels: [__meta_kubernetes_pod_label_component] + regex: alertmanager + action: keep + - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_probe] + regex: {{ index $root.Values.alertmanager.podAnnotations "prometheus.io/probe" | default ".*" }} + action: keep + - source_labels: [__meta_kubernetes_pod_container_port_number] + regex: "9093" + action: keep +{{- end -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{- end -}} diff --git a/charts/k10/k10/4.5.1100/charts/prometheus/templates/server/deploy.yaml b/charts/k10/k10/4.5.1100/charts/prometheus/templates/server/deploy.yaml new file mode 100644 index 000000000..4b9e11909 --- /dev/null +++ b/charts/k10/k10/4.5.1100/charts/prometheus/templates/server/deploy.yaml 
@@ -0,0 +1,261 @@ +{{- if .Values.server.enabled -}} +{{- if not .Values.server.statefulSet.enabled -}} +apiVersion: {{ template "prometheus.deployment.apiVersion" . }} +kind: Deployment +metadata: +{{- if .Values.server.deploymentAnnotations }} + annotations: + {{ toYaml .Values.server.deploymentAnnotations | nindent 4 }} +{{- end }} + labels: + {{- include "prometheus.server.labels" . | nindent 4 }} + name: {{ template "prometheus.server.fullname" . }} +{{ include "prometheus.namespace" . | indent 2 }} +spec: + selector: + matchLabels: + {{- include "prometheus.server.matchLabels" . | nindent 6 }} + replicas: {{ .Values.server.replicaCount }} + {{- if .Values.server.strategy }} + strategy: +{{ toYaml .Values.server.strategy | trim | indent 4 }} + {{ if eq .Values.server.strategy.type "Recreate" }}rollingUpdate: null{{ end }} +{{- end }} + template: + metadata: + {{- if .Values.server.podAnnotations }} + annotations: + {{ toYaml .Values.server.podAnnotations | nindent 8 }} + {{- end }} + labels: + {{- include "prometheus.server.labels" . | nindent 8 }} + {{- if .Values.server.podLabels}} + {{ toYaml .Values.server.podLabels | nindent 8 }} + {{- end}} + spec: +{{- if .Values.server.priorityClassName }} + priorityClassName: "{{ .Values.server.priorityClassName }}" +{{- end }} +{{- if .Values.server.schedulerName }} + schedulerName: "{{ .Values.server.schedulerName }}" +{{- end }} +{{- if semverCompare ">=1.13-0" .Capabilities.KubeVersion.GitVersion }} + {{- if or (.Values.server.enableServiceLinks) (eq (.Values.server.enableServiceLinks | toString) "") }} + enableServiceLinks: true + {{- else }} + enableServiceLinks: false + {{- end }} +{{- end }} + serviceAccountName: {{ template "prometheus.serviceAccountName.server" . 
}} + {{- if .Values.server.extraInitContainers }} + initContainers: +{{ toYaml .Values.server.extraInitContainers | indent 8 }} + {{- end }} + containers: + {{- if .Values.configmapReload.prometheus.enabled }} + - name: {{ template "prometheus.name" . }}-{{ .Values.server.name }}-{{ .Values.configmapReload.prometheus.name }} + image: "{{ include "get.cmreloadimage" .}}" + imagePullPolicy: "{{ .Values.configmapReload.prometheus.image.pullPolicy }}" + args: + - --volume-dir=/etc/config + - --webhook-url=http://127.0.0.1:9090{{ .Values.server.prefixURL }}/-/reload + {{- range $key, $value := .Values.configmapReload.prometheus.extraArgs }} + - --{{ $key }}={{ $value }} + {{- end }} + {{- range .Values.configmapReload.prometheus.extraVolumeDirs }} + - --volume-dir={{ . }} + {{- end }} + resources: +{{ toYaml .Values.configmapReload.prometheus.resources | indent 12 }} + volumeMounts: + - name: config-volume + mountPath: /etc/config + readOnly: true + {{- range .Values.configmapReload.prometheus.extraConfigmapMounts }} + - name: {{ $.Values.configmapReload.prometheus.name }}-{{ .name }} + mountPath: {{ .mountPath }} + subPath: {{ .subPath }} + readOnly: {{ .readOnly }} + {{- end }} + {{- end }} + + - name: {{ template "prometheus.name" . 
}}-{{ .Values.server.name }} + image: "{{ include "get.serverimage" .}}" + imagePullPolicy: "{{ .Values.server.image.pullPolicy }}" + {{- if .Values.server.env }} + env: +{{ toYaml .Values.server.env | indent 12}} + {{- end }} + args: + {{- if .Values.server.prefixURL }} + - --web.route-prefix={{ .Values.server.prefixURL }} + {{- end }} + {{- if .Values.server.retention }} + - --storage.tsdb.retention.time={{ .Values.server.retention }} + {{- end }} + - --config.file={{ .Values.server.configPath }} + {{- if .Values.server.storagePath }} + - --storage.tsdb.path={{ .Values.server.storagePath }} + {{- else }} + - --storage.tsdb.path={{ .Values.server.persistentVolume.mountPath }} + {{- end }} + - --web.console.libraries=/etc/prometheus/console_libraries + - --web.console.templates=/etc/prometheus/consoles + {{- range .Values.server.extraFlags }} + - --{{ . }} + {{- end }} + {{- range $key, $value := .Values.server.extraArgs }} + - --{{ $key }}={{ $value }} + {{- end }} + {{- if .Values.server.baseURL }} + - --web.external-url={{ .Values.server.baseURL }} + {{- end }} + ports: + - containerPort: 9090 + readinessProbe: + httpGet: + path: {{ .Values.server.prefixURL }}/-/ready + port: 9090 + initialDelaySeconds: {{ .Values.server.readinessProbeInitialDelay }} + periodSeconds: {{ .Values.server.readinessProbePeriodSeconds }} + timeoutSeconds: {{ .Values.server.readinessProbeTimeout }} + failureThreshold: {{ .Values.server.readinessProbeFailureThreshold }} + successThreshold: {{ .Values.server.readinessProbeSuccessThreshold }} + livenessProbe: + httpGet: + path: {{ .Values.server.prefixURL }}/-/healthy + port: 9090 + initialDelaySeconds: {{ .Values.server.livenessProbeInitialDelay }} + periodSeconds: {{ .Values.server.livenessProbePeriodSeconds }} + timeoutSeconds: {{ .Values.server.livenessProbeTimeout }} + failureThreshold: {{ .Values.server.livenessProbeFailureThreshold }} + successThreshold: {{ .Values.server.livenessProbeSuccessThreshold }} + resources: +{{ toYaml 
.Values.server.resources | indent 12 }} + volumeMounts: + - name: config-volume + mountPath: /etc/config + - name: storage-volume + mountPath: {{ .Values.server.persistentVolume.mountPath }} + subPath: "{{ .Values.server.persistentVolume.subPath }}" + {{- range .Values.server.extraHostPathMounts }} + - name: {{ .name }} + mountPath: {{ .mountPath }} + subPath: {{ .subPath }} + readOnly: {{ .readOnly }} + {{- end }} + {{- range .Values.server.extraConfigmapMounts }} + - name: {{ $.Values.server.name }}-{{ .name }} + mountPath: {{ .mountPath }} + subPath: {{ .subPath }} + readOnly: {{ .readOnly }} + {{- end }} + {{- range .Values.server.extraSecretMounts }} + - name: {{ .name }} + mountPath: {{ .mountPath }} + subPath: {{ .subPath }} + readOnly: {{ .readOnly }} + {{- end }} + {{- if .Values.server.extraVolumeMounts }} + {{ toYaml .Values.server.extraVolumeMounts | nindent 12 }} + {{- end }} + {{- if .Values.server.sidecarContainers }} + {{- range $name, $spec := .Values.server.sidecarContainers }} + - name: {{ $name }} + {{- if kindIs "string" $spec }} + {{- tpl $spec $ | nindent 10 }} + {{- else }} + {{- toYaml $spec | nindent 10 }} + {{- end }} + {{- end }} + {{- end }} + hostNetwork: {{ .Values.server.hostNetwork }} + {{- if .Values.server.dnsPolicy }} + dnsPolicy: {{ .Values.server.dnsPolicy }} + {{- end }} + {{- if (or .Values.global.imagePullSecret .Values.imagePullSecrets) }} + imagePullSecrets: + {{- if .Values.global.imagePullSecret }} + - name: {{ .Values.global.imagePullSecret }} + {{- end }} + {{- if .Values.imagePullSecrets }} +{{ toYaml .Values.imagePullSecrets | indent 8 }} + {{- end }} + {{- end }} + {{- if .Values.server.nodeSelector }} + nodeSelector: +{{ toYaml .Values.server.nodeSelector | indent 8 }} + {{- end }} + {{- if .Values.server.hostAliases }} + hostAliases: +{{ toYaml .Values.server.hostAliases | indent 8 }} + {{- end }} + {{- if .Values.server.dnsConfig }} + dnsConfig: +{{ toYaml .Values.server.dnsConfig | indent 8 }} + {{- end }} + {{- 
if .Values.server.securityContext }} + securityContext: +{{ toYaml .Values.server.securityContext | indent 8 }} + {{- end }} + {{- if .Values.server.tolerations }} + tolerations: +{{ toYaml .Values.server.tolerations | indent 8 }} + {{- end }} + {{- if .Values.server.affinity }} + affinity: +{{ toYaml .Values.server.affinity | indent 8 }} + {{- end }} + terminationGracePeriodSeconds: {{ .Values.server.terminationGracePeriodSeconds }} + volumes: + - name: config-volume + configMap: + name: {{ if .Values.server.configMapOverrideName }}{{ .Release.Name }}-{{ .Values.server.configMapOverrideName }}{{- else }}{{ template "prometheus.server.fullname" . }}{{- end }} + {{- range .Values.server.extraHostPathMounts }} + - name: {{ .name }} + hostPath: + path: {{ .hostPath }} + {{- end }} + {{- range .Values.configmapReload.prometheus.extraConfigmapMounts }} + - name: {{ $.Values.configmapReload.prometheus.name }}-{{ .name }} + configMap: + name: {{ .configMap }} + {{- end }} + {{- range .Values.server.extraConfigmapMounts }} + - name: {{ $.Values.server.name }}-{{ .name }} + configMap: + name: {{ .configMap }} + {{- end }} + {{- range .Values.server.extraSecretMounts }} + - name: {{ .name }} + secret: + secretName: {{ .secretName }} + {{- with .optional }} + optional: {{ . }} + {{- end }} + {{- end }} + {{- range .Values.configmapReload.prometheus.extraConfigmapMounts }} + - name: {{ .name }} + configMap: + name: {{ .configMap }} + {{- with .optional }} + optional: {{ . }} + {{- end }} + {{- end }} +{{- if .Values.server.extraVolumes }} +{{ toYaml .Values.server.extraVolumes | indent 8}} +{{- end }} + - name: storage-volume + {{- if .Values.server.persistentVolume.enabled }} + persistentVolumeClaim: + claimName: {{ if .Values.server.persistentVolume.existingClaim }}{{ .Values.server.persistentVolume.existingClaim }}{{- else }}{{ template "prometheus.server.fullname" . 
}}{{- end }} + {{- else }} + emptyDir: + {{- if .Values.server.emptyDir.sizeLimit }} + sizeLimit: {{ .Values.server.emptyDir.sizeLimit }} + {{- else }} + {} + {{- end -}} + {{- end -}} +{{- end -}} +{{- end -}} diff --git a/charts/k10/k10/4.5.1100/charts/prometheus/templates/server/headless-svc.yaml b/charts/k10/k10/4.5.1100/charts/prometheus/templates/server/headless-svc.yaml new file mode 100644 index 000000000..d519f4e0e --- /dev/null +++ b/charts/k10/k10/4.5.1100/charts/prometheus/templates/server/headless-svc.yaml @@ -0,0 +1,37 @@ +{{- if .Values.server.enabled -}} +{{- if .Values.server.statefulSet.enabled -}} +apiVersion: v1 +kind: Service +metadata: +{{- if .Values.server.statefulSet.headless.annotations }} + annotations: +{{ toYaml .Values.server.statefulSet.headless.annotations | indent 4 }} +{{- end }} + labels: + {{- include "prometheus.server.labels" . | nindent 4 }} +{{- if .Values.server.statefulSet.headless.labels }} +{{ toYaml .Values.server.statefulSet.headless.labels | indent 4 }} +{{- end }} + name: {{ template "prometheus.server.fullname" . }}-headless +{{ include "prometheus.namespace" . | indent 2 }} +spec: + clusterIP: None + ports: + - name: http + port: {{ .Values.server.statefulSet.headless.servicePort }} + protocol: TCP + targetPort: 9090 + {{- if .Values.server.statefulSet.headless.gRPC.enabled }} + - name: grpc + port: {{ .Values.server.statefulSet.headless.gRPC.servicePort }} + protocol: TCP + targetPort: 10901 + {{- if .Values.server.statefulSet.headless.gRPC.nodePort }} + nodePort: {{ .Values.server.statefulSet.headless.gRPC.nodePort }} + {{- end }} + {{- end }} + + selector: + {{- include "prometheus.server.matchLabels" . | nindent 4 }} +{{- end -}} +{{- end -}} diff --git a/charts/k10/k10/4.5.1100/charts/prometheus/templates/server/ingress.yaml b/charts/k10/k10/4.5.1100/charts/prometheus/templates/server/ingress.yaml new file mode 100644 index 000000000..000f39cab --- /dev/null 
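Review bot: Neither the configmap-reload container nor the server container gets a container-level `securityContext`. Only the pod-level block from `server.securityContext` is rendered, and a pod-level block cannot set `allowPrivilegeEscalation`, `capabilities` or `readOnlyRootFilesystem`. I would add a values-driven block under each container, for example `{{- with .Values.server.containerSecurityContext }}` / `securityContext: {{- toYaml . | nindent 12 }}` / `{{- end }}`, where `containerSecurityContext` is a new key the chart would have to introduce. The same gap exists in the StatefulSet template (sts.yaml), which repeats these container specs.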
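Review bot: The `nodePort:` line under the `grpc` port cannot work on this Service, because it sets `clusterIP: None` and no `type`, which makes it a headless ClusterIP service, and the API server rejects a `nodePort` on that type. Setting `server.statefulSet.headless.gRPC.nodePort` would therefore make the release fail at install time. I would delete the `{{- if .Values.server.statefulSet.headless.gRPC.nodePort }}` … `{{- end }}` block here and leave node ports to service.yaml.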
+++ b/charts/k10/k10/4.5.1100/charts/prometheus/templates/server/ingress.yaml 
@@ -0,0 +1,59 @@ +{{- if .Values.server.enabled -}} +{{- if .Values.server.ingress.enabled -}} +{{- $ingressApiIsStable := eq (include "ingress.isStable" .) "true" -}} +{{- $ingressSupportsIngressClassName := eq (include "ingress.supportsIngressClassName" .) "true" -}} +{{- $ingressSupportsPathType := eq (include "ingress.supportsPathType" .) "true" -}} +{{- $releaseName := .Release.Name -}} +{{- $serviceName := include "prometheus.server.fullname" . }} +{{- $servicePort := .Values.server.service.servicePort -}} +{{- $ingressPath := .Values.server.ingress.path -}} +{{- $ingressPathType := .Values.server.ingress.pathType -}} +{{- $extraPaths := .Values.server.ingress.extraPaths -}} +apiVersion: {{ template "ingress.apiVersion" . }} +kind: Ingress +metadata: +{{- if .Values.server.ingress.annotations }} + annotations: +{{ toYaml .Values.server.ingress.annotations | indent 4 }} +{{- end }} + labels: + {{- include "prometheus.server.labels" . | nindent 4 }} +{{- range $key, $value := .Values.server.ingress.extraLabels }} + {{ $key }}: {{ $value }} +{{- end }} + name: {{ template "prometheus.server.fullname" . }} +{{ include "prometheus.namespace" . | indent 2 }} +spec: + {{- if and $ingressSupportsIngressClassName .Values.server.ingress.ingressClassName }} + ingressClassName: {{ .Values.server.ingress.ingressClassName }} + {{- end }} + rules: + {{- range .Values.server.ingress.hosts }} + {{- $url := splitList "/" . 
}} + - host: {{ first $url }} + http: + paths: +{{ if $extraPaths }} +{{ toYaml $extraPaths | indent 10 }} +{{- end }} + - path: {{ $ingressPath }} + {{- if $ingressSupportsPathType }} + pathType: {{ $ingressPathType }} + {{- end }} + backend: + {{- if $ingressApiIsStable }} + service: + name: {{ $serviceName }} + port: + number: {{ $servicePort }} + {{- else }} + serviceName: {{ $serviceName }} + servicePort: {{ $servicePort }} + {{- end }} + {{- end -}} +{{- if .Values.server.ingress.tls }} + tls: +{{ toYaml .Values.server.ingress.tls | indent 4 }} + {{- end -}} +{{- end -}} +{{- end -}} diff --git a/charts/k10/k10/4.5.1100/charts/prometheus/templates/server/netpol.yaml b/charts/k10/k10/4.5.1100/charts/prometheus/templates/server/netpol.yaml new file mode 100644 index 000000000..c8870e9ff --- /dev/null +++ b/charts/k10/k10/4.5.1100/charts/prometheus/templates/server/netpol.yaml @@ -0,0 +1,18 @@ +{{- if .Values.server.enabled -}} +{{- if .Values.networkPolicy.enabled }} +apiVersion: {{ template "prometheus.networkPolicy.apiVersion" . }} +kind: NetworkPolicy +metadata: + name: {{ template "prometheus.server.fullname" . }} +{{ include "prometheus.namespace" . | indent 2 }} + labels: + {{- include "prometheus.server.labels" . | nindent 4 }} +spec: + podSelector: + matchLabels: + {{- include "prometheus.server.matchLabels" . | nindent 6 }} + ingress: + - ports: + - port: 9090 +{{- end }} +{{- end }} diff --git a/charts/k10/k10/4.5.1100/charts/prometheus/templates/server/pdb.yaml b/charts/k10/k10/4.5.1100/charts/prometheus/templates/server/pdb.yaml new file mode 100644 index 000000000..364cb5b49 --- /dev/null +++ b/charts/k10/k10/4.5.1100/charts/prometheus/templates/server/pdb.yaml 
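Review bot: This Ingress publishes the Prometheus server port with no authentication hook, and the `tls:` block is rendered only when `server.ingress.tls` is set. The server args in deploy.yaml configure no web authentication unless an operator adds it through `extraArgs`. That should be stated where the template is enabled, for example with a comment above `kind: Ingress`: `# Prometheus serves its UI and API without authentication by default; set server.ingress.tls and front this Ingress with an authenticating proxy via server.ingress.annotations.` Separately, `{{ $key }}: {{ $value }}` under `extraLabels` would be safer as `{{ $key }}: {{ $value | quote }}`, so numeric or boolean-looking label values stay strings.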
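Review bot: The single ingress rule lists `ports` but no `from`, so the policy admits traffic to port 9090 from every pod in every namespace and only narrows which port is reachable. If the intent of `networkPolicy.enabled` is to limit who can query Prometheus, add a peer list next to `ports`, for example `from:` / `- podSelector: {}` to restrict callers to the release namespace, or a selector taken from values so an ingress controller in another namespace can be allowed explicitly. As written, enabling the policy may give a false sense of isolation.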
@@ -0,0 +1,14 @@
+{{- if .Values.server.podDisruptionBudget.enabled }}
+apiVersion: policy/v1beta1
+kind: PodDisruptionBudget
+metadata:
+ name: {{ template "prometheus.server.fullname" . }}
+{{ include "prometheus.namespace" . | indent 2 }}
+ labels:
+ {{- include "prometheus.server.labels" . | nindent 4 }}
+spec:
+ maxUnavailable: {{ .Values.server.podDisruptionBudget.maxUnavailable }}
+ selector:
+ matchLabels:
+ {{- include "prometheus.server.labels" . | nindent 6 }}
+{{- end }}
diff --git a/charts/k10/k10/4.5.1100/charts/prometheus/templates/server/psp.yaml b/charts/k10/k10/4.5.1100/charts/prometheus/templates/server/psp.yaml
new file mode 100644
index 000000000..e2b885f16
--- /dev/null
+++ b/charts/k10/k10/4.5.1100/charts/prometheus/templates/server/psp.yaml
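Review bot: `apiVersion: policy/v1beta1` is hard-coded, while the sibling templates resolve their API version through helpers such as `prometheus.networkPolicy.apiVersion` and `ingress.apiVersion`, so a cluster that no longer serves the beta PodDisruptionBudget API will reject this manifest. I would switch on capabilities instead: `apiVersion: {{ if .Capabilities.APIVersions.Has "policy/v1" }}policy/v1{{ else }}policy/v1beta1{{ end }}`. The guard also tests only `server.podDisruptionBudget.enabled`; every other server template is additionally wrapped in `.Values.server.enabled`, and this one should be too.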
@@ -0,0 +1,51 @@
+{{- if and .Values.server.enabled .Values.rbac.create .Values.podSecurityPolicy.enabled }}
+apiVersion: {{ template "prometheus.podSecurityPolicy.apiVersion" . }}
+kind: PodSecurityPolicy
+metadata:
+ name: {{ template "prometheus.server.fullname" . }}
+ labels:
+ {{- include "prometheus.server.labels" . | nindent 4 }}
+ annotations:
+{{- if .Values.server.podSecurityPolicy.annotations }}
+{{ toYaml .Values.server.podSecurityPolicy.annotations | indent 4 }}
+{{- end }}
+spec:
+ privileged: false
+ allowPrivilegeEscalation: false
+ allowedCapabilities:
+ - 'CHOWN'
+ volumes:
+ - 'configMap'
+ - 'persistentVolumeClaim'
+ - 'emptyDir'
+ - 'secret'
+ - 'hostPath'
+ allowedHostPaths:
+ - pathPrefix: /etc
+ readOnly: true
+ - pathPrefix: {{ .Values.server.persistentVolume.mountPath }}
+ {{- range .Values.server.extraHostPathMounts }}
+ - pathPrefix: {{ .hostPath }}
+ readOnly: {{ .readOnly }}
+ {{- end }}
+ hostNetwork: false
+ hostPID: false
+ hostIPC: false
+ runAsUser:
+ rule: 'RunAsAny'
+ seLinux:
+ rule: 'RunAsAny'
+ supplementalGroups:
+ rule: 'MustRunAs'
+ ranges:
+ # Forbid adding the root group.
+ - min: 1
+ max: 65535
+ fsGroup:
+ rule: 'MustRunAs'
+ ranges:
+ # Forbid adding the root group.
+ - min: 1
+ max: 65535
+ readOnlyRootFilesystem: false
+{{- end }}
diff --git a/charts/k10/k10/4.5.1100/charts/prometheus/templates/server/pvc.yaml b/charts/k10/k10/4.5.1100/charts/prometheus/templates/server/pvc.yaml
new file mode 100644
index 000000000..cef89151b
--- /dev/null
+++ b/charts/k10/k10/4.5.1100/charts/prometheus/templates/server/pvc.yaml
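Review bot: The policy always lists `'hostPath'` under `volumes` and always allows `pathPrefix: /etc`, even when `server.extraHostPathMounts` is empty, so any pod admitted under it may mount the node's /etc read-only. The second entry, `pathPrefix: {{ .Values.server.persistentVolume.mountPath }}`, reuses the value that deploy.yaml uses as a container mount path and carries no `readOnly`, so it permits a writable host mount at that prefix. I would render `- 'hostPath'` and the `allowedHostPaths` list only inside `{{- if .Values.server.extraHostPathMounts }}`, limited to the paths from that list. `runAsUser` with `rule: 'RunAsAny'` also still permits UID 0 even though the group ranges exclude root; `rule: 'MustRunAsNonRoot'` would match that intent if the image's user allows it.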
@@ -0,0 +1,41 @@
+{{- if .Values.server.enabled -}}
+{{- if not .Values.server.statefulSet.enabled -}}
+{{- if .Values.server.persistentVolume.enabled -}}
+{{- if not .Values.server.persistentVolume.existingClaim -}}
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ {{- if .Values.server.persistentVolume.annotations }}
+ annotations:
+{{ toYaml .Values.server.persistentVolume.annotations | indent 4 }}
+ {{- end }}
+ labels:
+ {{- include "prometheus.server.labels" . | nindent 4 }}
+ name: {{ template "prometheus.server.fullname" . }}
+{{ include "prometheus.namespace" . | indent 2 }}
+spec:
+ accessModes:
+{{ toYaml .Values.server.persistentVolume.accessModes | indent 4 }}
+{{- if .Values.server.persistentVolume.storageClass }}
+ {{- if (eq "-" .Values.server.persistentVolume.storageClass) }}
+ storageClassName: ""
+ {{- else }}
+ storageClassName: "{{ .Values.server.persistentVolume.storageClass }}"
+ {{- end }}
+{{- else if .Values.global.persistence.storageClass }}
+ {{- if (eq "-" .Values.global.persistence.storageClass) }}
+ storageClassName: ""
+ {{- else }}
+ storageClassName: "{{ .Values.global.persistence.storageClass }}"
+ {{- end }}
+{{- end }}
+{{- if .Values.server.persistentVolume.volumeBindingMode }}
+ volumeBindingModeName: "{{ .Values.server.persistentVolume.volumeBindingMode }}"
+{{- end }}
+ resources:
+ requests:
+ storage: "{{ .Values.server.persistentVolume.size }}"
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/k10/k10/4.5.1100/charts/prometheus/templates/server/rolebinding.yaml b/charts/k10/k10/4.5.1100/charts/prometheus/templates/server/rolebinding.yaml
new file mode 100644
index 000000000..93ce3ee13
--- /dev/null
+++ b/charts/k10/k10/4.5.1100/charts/prometheus/templates/server/rolebinding.yaml
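Review bot: `volumeBindingModeName` is not a field of a PersistentVolumeClaim spec; the binding mode is a property of the StorageClass (`volumeBindingMode`), not of the claim. Setting `server.persistentVolume.volumeBindingMode` therefore renders an unknown key that is either dropped or rejected by schema validation, depending on the client and server. I would remove the `{{- if .Values.server.persistentVolume.volumeBindingMode }}` … `{{- end }}` block and document that the binding mode is chosen through the storage class.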
@@ -0,0 +1,20 @@
+{{- if and .Values.server.enabled .Values.rbac.create .Values.server.useExistingClusterRoleName .Values.server.namespaces -}}
+{{ range $.Values.server.namespaces -}}
+---
+apiVersion: {{ template "rbac.apiVersion" $ }}
+kind: RoleBinding
+metadata:
+ labels:
+ {{- include "prometheus.server.labels" $ | nindent 4 }}
+ name: {{ template "prometheus.server.fullname" $ }}
+ namespace: {{ . }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ template "prometheus.serviceAccountName.server" $ }}
+{{ include "prometheus.namespace" $ | indent 4 }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ $.Values.server.useExistingClusterRoleName }}
+{{ end -}}
+{{ end -}}
diff --git a/charts/k10/k10/4.5.1100/charts/prometheus/templates/server/service.yaml b/charts/k10/k10/4.5.1100/charts/prometheus/templates/server/service.yaml
new file mode 100644
index 000000000..68f988927
--- /dev/null
+++ b/charts/k10/k10/4.5.1100/charts/prometheus/templates/server/service.yaml
@@ -0,0 +1,60 @@ +{{- if .Values.server.enabled -}} +apiVersion: v1 +kind: Service +metadata: +{{- if .Values.server.service.annotations }} + annotations: +{{ toYaml .Values.server.service.annotations | indent 4 }} +{{- end }} + labels: + {{- include "prometheus.server.labels" . | nindent 4 }} +{{- if .Values.server.service.labels }} +{{ toYaml .Values.server.service.labels | indent 4 }} +{{- end }} + name: {{ template "prometheus.server.fullname" . }} +{{ include "prometheus.namespace" . | indent 2 }} +spec: +{{- if .Values.server.service.clusterIP }} + clusterIP: {{ .Values.server.service.clusterIP }} +{{- end }} +{{- if .Values.server.service.externalIPs }} + externalIPs: +{{ toYaml .Values.server.service.externalIPs | indent 4 }} +{{- end }} +{{- if .Values.server.service.loadBalancerIP }} + loadBalancerIP: {{ .Values.server.service.loadBalancerIP }} +{{- end }} +{{- if .Values.server.service.loadBalancerSourceRanges }} + loadBalancerSourceRanges: + {{- range $cidr := .Values.server.service.loadBalancerSourceRanges }} + - {{ $cidr }} + {{- end }} +{{- end }} + ports: + - name: http + port: {{ .Values.server.service.servicePort }} + protocol: TCP + targetPort: 9090 + {{- if .Values.server.service.nodePort }} + nodePort: {{ .Values.server.service.nodePort }} + {{- end }} + {{- if .Values.server.service.gRPC.enabled }} + - name: grpc + port: {{ .Values.server.service.gRPC.servicePort }} + protocol: TCP + targetPort: 10901 + {{- if .Values.server.service.gRPC.nodePort }} + nodePort: {{ .Values.server.service.gRPC.nodePort }} + {{- end }} + {{- end }} + selector: + {{- if and .Values.server.statefulSet.enabled .Values.server.service.statefulsetReplica.enabled }} + statefulset.kubernetes.io/pod-name: {{ template "prometheus.server.fullname" . }}-{{ .Values.server.service.statefulsetReplica.replica }} + {{- else -}} + {{- include "prometheus.server.matchLabels" . 
| nindent 4 }} +{{- if .Values.server.service.sessionAffinity }} + sessionAffinity: {{ .Values.server.service.sessionAffinity }} +{{- end }} + {{- end }} + type: "{{ .Values.server.service.type }}" +{{- end -}} diff --git a/charts/k10/k10/4.5.1100/charts/prometheus/templates/server/serviceaccount.yaml b/charts/k10/k10/4.5.1100/charts/prometheus/templates/server/serviceaccount.yaml new file mode 100644 index 000000000..9c0502ab7 --- /dev/null +++ b/charts/k10/k10/4.5.1100/charts/prometheus/templates/server/serviceaccount.yaml @@ -0,0 +1,13 @@ +{{- if .Values.server.enabled -}} +{{- if .Values.serviceAccounts.server.create }} +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + {{- include "prometheus.server.labels" . | nindent 4 }} + name: {{ template "prometheus.serviceAccountName.server" . }} +{{ include "prometheus.namespace" . | indent 2 }} + annotations: +{{ toYaml .Values.serviceAccounts.server.annotations | indent 4 }} +{{- end }} +{{- end }} diff --git a/charts/k10/k10/4.5.1100/charts/prometheus/templates/server/sts.yaml b/charts/k10/k10/4.5.1100/charts/prometheus/templates/server/sts.yaml new file mode 100644 index 000000000..b0e1e8bdb --- /dev/null +++ b/charts/k10/k10/4.5.1100/charts/prometheus/templates/server/sts.yaml 
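Review bot: The `sessionAffinity` block sits inside the `{{- else -}}` branch of the selector, so it is silently dropped whenever `server.statefulSet.enabled` and `server.service.statefulsetReplica.enabled` are both set. Session affinity is a property of the Service spec, not of the selector, so the `{{- if .Values.server.service.sessionAffinity }}` … `{{- end }}` lines should move after the selector's closing `{{- end }}`, just before `type:`. While touching this file, note that `loadBalancerSourceRanges` is optional, so a `LoadBalancer` service type with no ranges set exposes port 9090 to whatever the cloud load balancer admits; a comment on that block would help operators.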
@@ -0,0 +1,285 @@ +{{- if .Values.server.enabled -}} +{{- if .Values.server.statefulSet.enabled -}} +apiVersion: apps/v1 +kind: StatefulSet +metadata: +{{- if .Values.server.statefulSet.annotations }} + annotations: + {{ toYaml .Values.server.statefulSet.annotations | nindent 4 }} +{{- end }} + labels: + {{- include "prometheus.server.labels" . | nindent 4 }} + {{- if .Values.server.statefulSet.labels}} + {{ toYaml .Values.server.statefulSet.labels | nindent 4 }} + {{- end}} + name: {{ template "prometheus.server.fullname" . }} +{{ include "prometheus.namespace" . | indent 2 }} +spec: + serviceName: {{ template "prometheus.server.fullname" . }}-headless + selector: + matchLabels: + {{- include "prometheus.server.matchLabels" . | nindent 6 }} + replicas: {{ .Values.server.replicaCount }} + podManagementPolicy: {{ .Values.server.statefulSet.podManagementPolicy }} + template: + metadata: + {{- if .Values.server.podAnnotations }} + annotations: + {{ toYaml .Values.server.podAnnotations | nindent 8 }} + {{- end }} + labels: + {{- include "prometheus.server.labels" . | nindent 8 }} + {{- if .Values.server.podLabels}} + {{ toYaml .Values.server.podLabels | nindent 8 }} + {{- end}} + spec: +{{- if .Values.server.priorityClassName }} + priorityClassName: "{{ .Values.server.priorityClassName }}" +{{- end }} +{{- if .Values.server.schedulerName }} + schedulerName: "{{ .Values.server.schedulerName }}" +{{- end }} +{{- if semverCompare ">=1.13-0" .Capabilities.KubeVersion.GitVersion }} + {{- if or (.Values.server.enableServiceLinks) (eq (.Values.server.enableServiceLinks | toString) "") }} + enableServiceLinks: true + {{- else }} + enableServiceLinks: false + {{- end }} +{{- end }} + serviceAccountName: {{ template "prometheus.serviceAccountName.server" . 
}} + {{- if .Values.server.extraInitContainers }} + initContainers: +{{ toYaml .Values.server.extraInitContainers | indent 8 }} + {{- end }} + containers: + {{- if .Values.configmapReload.prometheus.enabled }} + - name: {{ template "prometheus.name" . }}-{{ .Values.server.name }}-{{ .Values.configmapReload.prometheus.name }} + image: "{{ include "get.cmreloadimage" .}}" + imagePullPolicy: "{{ .Values.configmapReload.prometheus.image.pullPolicy }}" + args: + - --volume-dir=/etc/config + - --webhook-url=http://127.0.0.1:9090{{ .Values.server.prefixURL }}/-/reload + {{- range $key, $value := .Values.configmapReload.prometheus.extraArgs }} + - --{{ $key }}={{ $value }} + {{- end }} + {{- range .Values.configmapReload.prometheus.extraVolumeDirs }} + - --volume-dir={{ . }} + {{- end }} + resources: +{{ toYaml .Values.configmapReload.prometheus.resources | indent 12 }} + volumeMounts: + - name: config-volume + mountPath: /etc/config + readOnly: true + {{- range .Values.configmapReload.prometheus.extraConfigmapMounts }} + - name: {{ $.Values.configmapReload.prometheus.name }}-{{ .name }} + mountPath: {{ .mountPath }} + subPath: {{ .subPath }} + readOnly: {{ .readOnly }} + {{- end }} + {{- end }} + + - name: {{ template "prometheus.name" . 
}}-{{ .Values.server.name }} + image: "{{ include "get.serverimage" .}}" + imagePullPolicy: "{{ .Values.server.image.pullPolicy }}" + {{- if .Values.server.env }} + env: +{{ toYaml .Values.server.env | indent 12}} + {{- end }} + args: + {{- if .Values.server.prefixURL }} + - --web.route-prefix={{ .Values.server.prefixURL }} + {{- end }} + {{- if .Values.server.retention }} + - --storage.tsdb.retention.time={{ .Values.server.retention }} + {{- end }} + - --config.file={{ .Values.server.configPath }} + {{- if .Values.server.storagePath }} + - --storage.tsdb.path={{ .Values.server.storagePath }} + {{- else }} + - --storage.tsdb.path={{ .Values.server.persistentVolume.mountPath }} + {{- end }} + - --web.console.libraries=/etc/prometheus/console_libraries + - --web.console.templates=/etc/prometheus/consoles + {{- range .Values.server.extraFlags }} + - --{{ . }} + {{- end }} + {{- range $key, $value := .Values.server.extraArgs }} + - --{{ $key }}={{ $value }} + {{- end }} + {{- if .Values.server.baseURL }} + - --web.external-url={{ .Values.server.baseURL }} + {{- end }} + ports: + - containerPort: 9090 + readinessProbe: + httpGet: + path: {{ .Values.server.prefixURL }}/-/ready + port: 9090 + initialDelaySeconds: {{ .Values.server.readinessProbeInitialDelay }} + periodSeconds: {{ .Values.server.readinessProbePeriodSeconds }} + timeoutSeconds: {{ .Values.server.readinessProbeTimeout }} + failureThreshold: {{ .Values.server.readinessProbeFailureThreshold }} + successThreshold: {{ .Values.server.readinessProbeSuccessThreshold }} + livenessProbe: + httpGet: + path: {{ .Values.server.prefixURL }}/-/healthy + port: 9090 + initialDelaySeconds: {{ .Values.server.livenessProbeInitialDelay }} + periodSeconds: {{ .Values.server.livenessProbePeriodSeconds }} + timeoutSeconds: {{ .Values.server.livenessProbeTimeout }} + failureThreshold: {{ .Values.server.livenessProbeFailureThreshold }} + successThreshold: {{ .Values.server.livenessProbeSuccessThreshold }} + resources: +{{ toYaml 
.Values.server.resources | indent 12 }} + volumeMounts: + - name: config-volume + mountPath: /etc/config + - name: storage-volume + mountPath: {{ .Values.server.persistentVolume.mountPath }} + subPath: "{{ .Values.server.persistentVolume.subPath }}" + {{- range .Values.server.extraHostPathMounts }} + - name: {{ .name }} + mountPath: {{ .mountPath }} + subPath: {{ .subPath }} + readOnly: {{ .readOnly }} + {{- end }} + {{- range .Values.server.extraConfigmapMounts }} + - name: {{ $.Values.server.name }}-{{ .name }} + mountPath: {{ .mountPath }} + subPath: {{ .subPath }} + readOnly: {{ .readOnly }} + {{- end }} + {{- range .Values.server.extraSecretMounts }} + - name: {{ .name }} + mountPath: {{ .mountPath }} + subPath: {{ .subPath }} + readOnly: {{ .readOnly }} + {{- end }} + {{- if .Values.server.extraVolumeMounts }} + {{ toYaml .Values.server.extraVolumeMounts | nindent 12 }} + {{- end }} + {{- if .Values.server.sidecarContainers }} + {{- range $name, $spec := .Values.server.sidecarContainers }} + - name: {{ $name }} + {{- if kindIs "string" $spec }} + {{- tpl $spec $ | nindent 10 }} + {{- else }} + {{- toYaml $spec | nindent 10 }} + {{- end }} + {{- end }} + {{- end }} + hostNetwork: {{ .Values.server.hostNetwork }} + {{- if .Values.server.dnsPolicy }} + dnsPolicy: {{ .Values.server.dnsPolicy }} + {{- end }} + {{- if (or .Values.global.imagePullSecret .Values.imagePullSecrets) }} + imagePullSecrets: + {{- if .Values.global.imagePullSecrets }} + - name: {{ .Values.global.imagePullSecret }} + {{- end }} + {{- if .Values.imagePullSecrets }} +{{ toYaml .Values.imagePullSecrets | indent 8 }} + {{- end }} + {{- end }} + {{- if .Values.server.nodeSelector }} + nodeSelector: +{{ toYaml .Values.server.nodeSelector | indent 8 }} + {{- end }} + {{- if .Values.server.hostAliases }} + hostAliases: +{{ toYaml .Values.server.hostAliases | indent 8 }} + {{- end }} + {{- if .Values.server.dnsConfig }} + dnsConfig: +{{ toYaml .Values.server.dnsConfig | indent 8 }} + {{- end }} + 
{{- if .Values.server.securityContext }} + securityContext: +{{ toYaml .Values.server.securityContext | indent 8 }} + {{- end }} + {{- if .Values.server.tolerations }} + tolerations: +{{ toYaml .Values.server.tolerations | indent 8 }} + {{- end }} + {{- if .Values.server.affinity }} + affinity: +{{ toYaml .Values.server.affinity | indent 8 }} + {{- end }} + terminationGracePeriodSeconds: {{ .Values.server.terminationGracePeriodSeconds }} + volumes: + - name: config-volume + configMap: + name: {{ if .Values.server.configMapOverrideName }}{{ .Release.Name }}-{{ .Values.server.configMapOverrideName }}{{- else }}{{ template "prometheus.server.fullname" . }}{{- end }} + {{- range .Values.server.extraHostPathMounts }} + - name: {{ .name }} + hostPath: + path: {{ .hostPath }} + {{- end }} + {{- range .Values.configmapReload.prometheus.extraConfigmapMounts }} + - name: {{ $.Values.configmapReload.prometheus.name }}-{{ .name }} + configMap: + name: {{ .configMap }} + {{- end }} + {{- range .Values.server.extraConfigmapMounts }} + - name: {{ $.Values.server.name }}-{{ .name }} + configMap: + name: {{ .configMap }} + {{- end }} + {{- range .Values.server.extraSecretMounts }} + - name: {{ .name }} + secret: + secretName: {{ .secretName }} + {{- with .optional }} + optional: {{ . }} + {{- end }} + {{- end }} + {{- range .Values.configmapReload.prometheus.extraConfigmapMounts }} + - name: {{ .name }} + configMap: + name: {{ .configMap }} + {{- with .optional }} + optional: {{ . 
}} + {{- end }} + {{- end }} +{{- if .Values.server.extraVolumes }} +{{ toYaml .Values.server.extraVolumes | indent 8}} +{{- end }} +{{- if .Values.server.persistentVolume.enabled }} + volumeClaimTemplates: + - metadata: + name: storage-volume + {{- if .Values.server.persistentVolume.annotations }} + annotations: +{{ toYaml .Values.server.persistentVolume.annotations | indent 10 }} + {{- end }} + spec: + accessModes: +{{ toYaml .Values.server.persistentVolume.accessModes | indent 10 }} + resources: + requests: + storage: "{{ .Values.server.persistentVolume.size }}" + {{- if .Values.server.persistentVolume.storageClass }} + {{- if (eq "-" .Values.server.persistentVolume.storageClass) }} + storageClassName: "" + {{- else }} + storageClassName: "{{ .Values.server.persistentVolume.storageClass }}" + {{- end }} + {{- else if .Values.global.persistence.storageClass }} + {{- if (eq "-" .Values.global.persistence.storageClass) }} + storageClassName: "" + {{- else }} + storageClassName: "{{ .Values.global.persistence.storageClass }}" + {{- end }} + {{- end }} +{{- else }} + - name: storage-volume + emptyDir: + {{- if .Values.server.emptyDir.sizeLimit }} + sizeLimit: {{ .Values.server.emptyDir.sizeLimit }} + {{- else }} + {} + {{- end -}} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/k10/k10/4.5.1100/charts/prometheus/templates/server/vpa.yaml b/charts/k10/k10/4.5.1100/charts/prometheus/templates/server/vpa.yaml new file mode 100644 index 000000000..981a9b485 --- /dev/null +++ b/charts/k10/k10/4.5.1100/charts/prometheus/templates/server/vpa.yaml 
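Review bot: In the `imagePullSecrets` block the inner guard tests `.Values.global.imagePullSecrets` (plural), while the outer guard and the emitted `- name:` use `.Values.global.imagePullSecret`; deploy.yaml uses the singular key in both places. Unless a plural key also exists in values, the global pull secret is never rendered for the StatefulSet, and `imagePullSecrets:` can come out empty, so pulls from a private registry fail for this workload only. The guard should read `{{- if .Values.global.imagePullSecret }}`.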
@@ -0,0 +1,24 @@
+{{- if .Values.server.enabled -}}
+{{- if .Values.server.verticalAutoscaler.enabled -}}
+apiVersion: autoscaling.k8s.io/v1beta2
+kind: VerticalPodAutoscaler
+metadata:
+ labels:
+ {{- include "prometheus.server.labels" . | nindent 4 }}
+ name: {{ template "prometheus.server.fullname" . }}-vpa
+{{ include "prometheus.namespace" . | indent 2 }}
+spec:
+ targetRef:
+ apiVersion: "apps/v1"
+{{- if .Values.server.statefulSet.enabled }}
+ kind: StatefulSet
+{{- else }}
+ kind: Deployment
+{{- end }}
+ name: {{ template "prometheus.server.fullname" . }}
+ updatePolicy:
+ updateMode: {{ .Values.server.verticalAutoscaler.updateMode | default "Off" | quote }}
+ resourcePolicy:
+ containerPolicies: {{ .Values.server.verticalAutoscaler.containerPolicies | default list | toYaml | trim | nindent 4 }}
+{{- end -}} {{/* if .Values.server.verticalAutoscaler.enabled */}}
+{{- end -}} {{/* .Values.server.enabled */}}
diff --git a/charts/k10/k10/4.5.1100/charts/prometheus/values.yaml b/charts/k10/k10/4.5.1100/charts/prometheus/values.yaml
new file mode 100644
index 000000000..2c33498ec
--- /dev/null
+++ b/charts/k10/k10/4.5.1100/charts/prometheus/values.yaml
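Review bot: In templates/server/vpa.yaml the line `apiVersion: autoscaling.k8s.io/v1beta2` hard-codes a beta version of the VerticalPodAutoscaler API, which newer VPA releases mark as deprecated in favour of `autoscaling.k8s.io/v1`. On a cluster that no longer serves v1beta2, the release would fail to apply as soon as `server.verticalAutoscaler.enabled` is set. Picking the version from what the cluster serves avoids that, for example `apiVersion: {{ if .Capabilities.APIVersions.Has "autoscaling.k8s.io/v1" }}autoscaling.k8s.io/v1{{ else }}autoscaling.k8s.io/v1beta2{{ end }}`. The `updateMode` default of "Off" keeps the object recommendation-only; a short template comment saying so would help, since "Auto" allows the Prometheus pod to be evicted and resized.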
@@ -0,0 +1,1737 @@
+k10image:
+ registry: gcr.io
+ repository: kasten-images
+
+rbac:
+ create: true
+
+podSecurityPolicy:
+ enabled: false
+
+imagePullSecrets:
+# - name: "image-pull-secret"
+
+## Define serviceAccount names for components. Defaults to component's fully qualified name.
+##
+serviceAccounts:
+ alertmanager:
+ create: true
+ name:
+ annotations: {}
+ nodeExporter:
+ create: true
+ name:
+ annotations: {}
+ pushgateway:
+ create: true
+ name:
+ annotations: {}
+ server:
+ create: true
+ name:
+ annotations: {}
+
+alertmanager:
+ ## If false, alertmanager will not be installed
+ ##
+ enabled: true
+
+ ## Use a ClusterRole (and ClusterRoleBinding)
+ ## - If set to false - we define a Role and RoleBinding in the defined namespaces ONLY
+ ## This makes alertmanager work - for users who do not have ClusterAdmin privs, but wants alertmanager to operate on their own namespaces, instead of clusterwide.
+ useClusterRole: true
+
+ ## Set to a rolename to use existing role - skipping role creating - but still doing serviceaccount and rolebinding to the rolename set here.
+ useExistingRole: false
+
+ ## alertmanager container name
+ ##
+ name: alertmanager
+
+ ## alertmanager container image
+ ##
+ image:
+ repository: quay.io/prometheus/alertmanager
+ tag: v0.21.0
+ pullPolicy: IfNotPresent
+
+ ## alertmanager priorityClassName
+ ##
+ priorityClassName: ""
+
+ ## Additional alertmanager container arguments
+ ##
+ extraArgs: {}
+
+ ## Additional InitContainers to initialize the pod
+ ##
+ extraInitContainers: []
+
+ ## The URL prefix at which the container can be accessed. Useful in the case the '-web.external-url' includes a slug
+ ## so that the various internal URLs are still able to access as they are in the default case.
+ ## (Optional)
+ prefixURL: ""
+
+ ## External URL which can access alertmanager
+ baseURL: "http://localhost:9093"
+
+ ## Additional alertmanager container environment variable
+ ## For instance to add a http_proxy
+ ##
+ extraEnv: {}
+
+ ## Additional alertmanager Secret mounts
+ # Defines additional mounts with secrets. Secrets must be manually created in the namespace.
+ extraSecretMounts: []
+ # - name: secret-files
+ # mountPath: /etc/secrets
+ # subPath: ""
+ # secretName: alertmanager-secret-files
+ # readOnly: true
+
+ ## ConfigMap override where fullname is {{.Release.Name}}-{{.Values.alertmanager.configMapOverrideName}}
+ ## Defining configMapOverrideName will cause templates/alertmanager-configmap.yaml
+ ## to NOT generate a ConfigMap resource
+ ##
+ configMapOverrideName: ""
+
+ ## The name of a secret in the same kubernetes namespace which contains the Alertmanager config
+ ## Defining configFromSecret will cause templates/alertmanager-configmap.yaml
+ ## to NOT generate a ConfigMap resource
+ ##
+ configFromSecret: ""
+
+ ## The configuration file name to be loaded to alertmanager
+ ## Must match the key within configuration loaded from ConfigMap/Secret
+ ##
+ configFileName: alertmanager.yml
+
+ ingress:
+ ## If true, alertmanager Ingress will be created
+ ##
+ enabled: false
+
+ # For Kubernetes >= 1.18 you should specify the ingress-controller via the field ingressClassName
+ # See https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/#specifying-the-class-of-an-ingress
+ # ingressClassName: nginx
+
+ ## alertmanager Ingress annotations
+ ##
+ annotations: {}
+ # kubernetes.io/ingress.class: nginx
+ # kubernetes.io/tls-acme: 'true'
+
+ ## alertmanager Ingress additional labels
+ ##
+ extraLabels: {}
+
+ ## alertmanager Ingress hostnames with optional path
+ ## Must be provided if Ingress is enabled
+ ##
+ hosts: []
+ # - alertmanager.domain.com
+ # - domain.com/alertmanager
+
+ path: /
+
+ # pathType is only for k8s >= 1.18
+ pathType: Prefix
+
+ ## Extra paths to prepend to every host configuration. This is useful when working with annotation based services.
+ extraPaths: []
+ # - path: /*
+ # backend:
+ # serviceName: ssl-redirect
+ # servicePort: use-annotation
+
+ ## alertmanager Ingress TLS configuration
+ ## Secrets must be manually created in the namespace
+ ##
+ tls: []
+ # - secretName: prometheus-alerts-tls
+ # hosts:
+ # - alertmanager.domain.com
+
+ ## Alertmanager Deployment Strategy type
+ # strategy:
+ # type: Recreate
+
+ ## Node tolerations for alertmanager scheduling to nodes with taints
+ ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
+ ##
+ tolerations: []
+ # - key: "key"
+ # operator: "Equal|Exists"
+ # value: "value"
+ # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)"
+
+ ## Node labels for alertmanager pod assignment
+ ## Ref: https://kubernetes.io/docs/user-guide/node-selection/
+ ##
+ nodeSelector: {}
+
+ ## Pod affinity
+ ##
+ affinity: {}
+
+ ## PodDisruptionBudget settings
+ ## ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
+ ##
+ podDisruptionBudget:
+ enabled: false
+ maxUnavailable: 1
+
+ ## Use an alternate scheduler, e.g. "stork".
+ ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
+ ##
+ # schedulerName:
+
+ persistentVolume:
+ ## If true, alertmanager will create/use a Persistent Volume Claim
+ ## If false, use emptyDir
+ ##
+ enabled: true
+
+ ## alertmanager data Persistent Volume access modes
+ ## Must match those of existing PV or dynamic provisioner
+ ## Ref: http://kubernetes.io/docs/user-guide/persistent-volumes/
+ ##
+ accessModes:
+ - ReadWriteOnce
+
+ ## alertmanager data Persistent Volume Claim annotations
+ ##
+ annotations: {}
+
+ ## alertmanager data Persistent Volume existing claim name
+ ## Requires alertmanager.persistentVolume.enabled: true
+ ## If defined, PVC must be created manually before volume will be bound
+ existingClaim: ""
+
+ ## alertmanager data Persistent Volume mount root path
+ ##
+ mountPath: /data
+
+ ## alertmanager data Persistent Volume size
+ ##
+ size: 2Gi
+
+ ## alertmanager data Persistent Volume Storage Class
+ ## If defined, storageClassName:
+ ## If set to "-", storageClassName: "", which disables dynamic provisioning
+ ## If undefined (the default) or set to null, no storageClassName spec is
+ ## set, choosing the default provisioner. (gp2 on AWS, standard on
+ ## GKE, AWS & OpenStack)
+ ##
+ # storageClass: "-"
+
+ ## alertmanager data Persistent Volume Binding Mode
+ ## If defined, volumeBindingMode:
+ ## If undefined (the default) or set to null, no volumeBindingMode spec is
+ ## set, choosing the default mode.
+ ##
+ # volumeBindingMode: ""
+
+ ## Subdirectory of alertmanager data Persistent Volume to mount
+ ## Useful if the volume's root directory is not empty
+ ##
+ subPath: ""
+
+ emptyDir:
+ ## alertmanager emptyDir volume size limit
+ ##
+ sizeLimit: ""
+
+ ## Annotations to be added to alertmanager pods
+ ##
+ podAnnotations: {}
+ ## Tell prometheus to use a specific set of alertmanager pods
+ ## instead of all alertmanager pods found in the same namespace
+ ## Useful if you deploy multiple releases within the same namespace
+ ##
+ ## prometheus.io/probe: alertmanager-teamA
+
+ ## Labels to be added to Prometheus AlertManager pods
+ ##
+ podLabels: {}
+
+ ## Specify if a Pod Security Policy for node-exporter must be created
+ ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/
+ ##
+ podSecurityPolicy:
+ annotations: {}
+ ## Specify pod annotations
+ ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#apparmor
+ ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#seccomp
+ ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#sysctl
+ ##
+ # seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'
+ # seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default'
+ # apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
+
+ ## Use a StatefulSet if replicaCount needs to be greater than 1 (see below)
+ ##
+ replicaCount: 1
+
+ ## Annotations to be added to deployment
+ ##
+ deploymentAnnotations: {}
+
+ statefulSet:
+ ## If true, use a statefulset instead of a deployment for pod management.
+ ## This allows to scale replicas to more than 1 pod
+ ##
+ enabled: false
+
+ annotations: {}
+ labels: {}
+ podManagementPolicy: OrderedReady
+
+ ## Alertmanager headless service to use for the statefulset
+ ##
+ headless:
+ annotations: {}
+ labels: {}
+
+ ## Enabling peer mesh service end points for enabling the HA alert manager
+ ## Ref: https://github.com/prometheus/alertmanager/blob/master/README.md
+ enableMeshPeer: false
+
+ servicePort: 80
+
+ ## alertmanager resource requests and limits
+ ## Ref: http://kubernetes.io/docs/user-guide/compute-resources/
+ ##
+ resources: {}
+ # limits:
+ # cpu: 10m
+ # memory: 32Mi
+ # requests:
+ # cpu: 10m
+ # memory: 32Mi
+
+ # Custom DNS configuration to be added to alertmanager pods
+ dnsConfig: {}
+ # nameservers:
+ # - 1.2.3.4
+ # searches:
+ # - ns1.svc.cluster-domain.example
+ # - my.dns.search.suffix
+ # options:
+ # - name: ndots
+ # value: "2"
+ # - name: edns0
+
+ ## Security context to be added to alertmanager pods
+ ##
+ securityContext:
+ runAsUser: 65534
+ runAsNonRoot: true
+ runAsGroup: 65534
+ fsGroup: 65534
+
+ service:
+ annotations: {}
+ labels: {}
+ clusterIP: ""
+
+ ## Enabling peer mesh service end points for enabling the HA alert manager
+ ## Ref: https://github.com/prometheus/alertmanager/blob/master/README.md
+ # enableMeshPeer : true
+
+ ## List of IP addresses at which the alertmanager service is available
+ ## Ref: https://kubernetes.io/docs/user-guide/services/#external-ips
+ ##
+ externalIPs: []
+
+ loadBalancerIP: ""
+ loadBalancerSourceRanges: []
+ servicePort: 80
+ # nodePort: 30000
+ sessionAffinity: None
+ type: ClusterIP
+
+## Monitors ConfigMap changes and POSTs to a URL
+## Ref: https://github.com/jimmidyson/configmap-reload
+##
+configmapReload:
+ prometheus:
+ ## If false, the configmap-reload container will not be deployed
+ ##
+ enabled: true
+
+ ## configmap-reload container name
+ ##
+ name: configmap-reload
+
+ ## configmap-reload container image
+ ##
+ image:
+ repository: jimmidyson/configmap-reload
+ tag: v0.5.0
+ pullPolicy: IfNotPresent
+
+ ## Additional configmap-reload container arguments
+ ##
+ extraArgs: {}
+ ## Additional configmap-reload volume directories
+ ##
+ extraVolumeDirs: []
+
+
+ ## Additional configmap-reload mounts
+ ##
+ extraConfigmapMounts: []
+ # - name: prometheus-alerts
+ # mountPath: /etc/alerts.d
+ # subPath: ""
+ # configMap: prometheus-alerts
+ # readOnly: true
+
+
+ ## configmap-reload resource requests and limits
+ ## Ref: http://kubernetes.io/docs/user-guide/compute-resources/
+ ##
+ resources: {}
+ alertmanager:
+ ## If false, the configmap-reload container will not be deployed
+ ##
+ enabled: true
+
+ ## configmap-reload container name
+ ##
+ name: configmap-reload
+
+ ## configmap-reload container image
+ ##
+ image:
+ repository: jimmidyson/configmap-reload
+ tag: v0.5.0
+ pullPolicy: IfNotPresent
+
+ ## Additional configmap-reload container arguments
+ ##
+ extraArgs: {}
+ ## Additional configmap-reload volume directories
+ ##
+ extraVolumeDirs: []
+
+
+ ## Additional configmap-reload mounts
+ ##
+ extraConfigmapMounts: []
+ # - name: prometheus-alerts
+ # mountPath: /etc/alerts.d
+ # subPath: ""
+ # configMap: prometheus-alerts
+ # readOnly: true
+
+
+ ## configmap-reload resource requests and limits
+ ## Ref: http://kubernetes.io/docs/user-guide/compute-resources/
+ ##
+ resources: {}
+
+kubeStateMetrics:
+ ## If false, kube-state-metrics sub-chart will not be installed
+ ##
+ enabled: true
+
+## kube-state-metrics sub-chart configurable values
+## Please see https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-state-metrics
+##
+# kube-state-metrics:
+
+nodeExporter:
+ ## If false, node-exporter will not be installed
+ ##
+ enabled: true
+
+ ## If true, node-exporter pods share the host network namespace
+ ##
+ hostNetwork: true
+
+ ## If true, node-exporter pods share the host PID namespace
+ ##
+ hostPID: true
+
+ ## If true, node-exporter pods mounts host / at /host/root
+ ##
+ hostRootfs: true
+
+ ## node-exporter container name
+ ##
+ name: node-exporter
+
+ ## node-exporter container image
+ ##
+ image:
+ repository: quay.io/prometheus/node-exporter
+ tag: v1.1.2
+ pullPolicy: IfNotPresent
+
+ ## Specify if a Pod Security Policy for node-exporter must be created
+ ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/
+ ##
+ podSecurityPolicy:
+ annotations: {}
+ ## Specify pod annotations
+ ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#apparmor
+ ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#seccomp
+ ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#sysctl
+ ##
+ # seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'
+ # seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default'
+ # apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
+
+ ## node-exporter priorityClassName
+ ##
+ priorityClassName: ""
+
+ ## Custom Update Strategy
+ ##
+ updateStrategy:
+ type: RollingUpdate
+
+ ## Additional node-exporter container arguments
+ ##
+ extraArgs: {}
+
+ ## Additional InitContainers to initialize the pod
+ ##
+ extraInitContainers: []
+
+ ## Additional node-exporter hostPath mounts
+ ##
+ extraHostPathMounts: []
+ # - name: textfile-dir
+ # mountPath: /srv/txt_collector
+ # hostPath: /var/lib/node-exporter
+ # readOnly: true
+ # mountPropagation: HostToContainer
+
+ extraConfigmapMounts: []
+ # - name: certs-configmap
+ # mountPath: /prometheus
+ # configMap: certs-configmap
+ # readOnly: true
+
+ ## Node tolerations for node-exporter scheduling to nodes with taints
+ ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
+ ##
+ tolerations: []
+ # - key: "key"
+ # operator: "Equal|Exists"
+ # value: "value"
+ # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)"
+
+ ## Node labels for node-exporter pod assignment
+ ## Ref: https://kubernetes.io/docs/user-guide/node-selection/
+ ##
+ nodeSelector: {}
+
+ ## Annotations to be added to node-exporter pods
+ ##
+ podAnnotations: {}
+
+ ## Labels to be added to node-exporter pods
+ ##
+ pod:
+ labels: {}
+
+ ## PodDisruptionBudget settings
+ ## ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
+ ##
+ podDisruptionBudget:
+ enabled: false
+ maxUnavailable: 1
+
+ ## node-exporter resource limits & requests
+ ## Ref: https://kubernetes.io/docs/user-guide/compute-resources/
+ ##
+ resources: {}
+ # limits:
+ # cpu: 200m
+ # memory: 50Mi
+ # requests:
+ # cpu: 100m
+ # memory: 30Mi
+
+ # Custom DNS configuration to be added to node-exporter pods
+ dnsConfig: {}
+ # nameservers:
+ # - 1.2.3.4
+ # searches:
+ # - ns1.svc.cluster-domain.example
+ # - my.dns.search.suffix
+ # options:
+ # - name: ndots
+ # value: "2"
+ # - name: edns0
+
+ ## Security context to be added to node-exporter pods
+ ##
+ securityContext:
+ fsGroup: 65534
+ runAsGroup: 65534
+ runAsNonRoot: true
+ runAsUser: 65534
+
+ service:
+ annotations:
+ prometheus.io/scrape: "true"
+ labels: {}
+
+ # Exposed as a headless service:
+ # https://kubernetes.io/docs/concepts/services-networking/service/#headless-services
+ clusterIP: None
+
+ ## List of IP addresses at which the node-exporter service is available
+ ## Ref: https://kubernetes.io/docs/user-guide/services/#external-ips
+ ##
+ externalIPs: []
+
+ hostPort: 9100
+ loadBalancerIP: ""
+ loadBalancerSourceRanges: []
+ servicePort: 9100
+ type: ClusterIP
+
+server:
+ ## Prometheus server container name
+ ##
+ enabled: true
+
+ ## Use a ClusterRole (and ClusterRoleBinding)
+ ## - If set to false - we define a RoleBinding in the defined namespaces ONLY
+ ##
+ ## NB: because we need a Role with nonResourceURL's ("/metrics") - you must get someone with Cluster-admin privileges to define this role for you, before running with this setting enabled.
+ ## This makes prometheus work - for users who do not have ClusterAdmin privs, but wants prometheus to operate on their own namespaces, instead of clusterwide.
+ ##
+ ## You MUST also set namespaces to the ones you have access to and want monitored by Prometheus.
+ ##
+ # useExistingClusterRoleName: nameofclusterrole
+
+ ## namespaces to monitor (instead of monitoring all - clusterwide). Needed if you want to run without Cluster-admin privileges.
+ # namespaces:
+ # - yournamespace
+
+ name: server
+
+ # sidecarContainers - add more containers to prometheus server
+ # Key/Value where Key is the sidecar `- name: `
+ # Example:
+ # sidecarContainers:
+ # webserver:
+ # image: nginx
+ sidecarContainers: {}
+
+ # sidecarTemplateValues - context to be used in template for sidecarContainers
+ # Example:
+ # sidecarTemplateValues: *your-custom-globals
+ # sidecarContainers:
+ # webserver: |-
+ # {{ include "webserver-container-template" . }}
+ # Template for `webserver-container-template` might looks like this:
+ # image: "{{ .Values.server.sidecarTemplateValues.repository }}:{{ .Values.server.sidecarTemplateValues.tag }}"
+ # ...
+ #
+ sidecarTemplateValues: {}
+
+ ## Prometheus server container image
+ ##
+ image:
+ repository: quay.io/prometheus/prometheus
+ tag: v2.26.0
+ pullPolicy: IfNotPresent
+
+ ## prometheus server priorityClassName
+ ##
+ priorityClassName: ""
+
+ ## EnableServiceLinks indicates whether information about services should be injected
+ ## into pod's environment variables, matching the syntax of Docker links.
+ ## WARNING: the field is unsupported and will be skipped in K8s prior to v1.13.0.
+ ##
+ enableServiceLinks: true
+
+ ## The URL prefix at which the container can be accessed. Useful in the case the '-web.external-url' includes a slug
+ ## so that the various internal URLs are still able to access as they are in the default case.
+ ## (Optional)
+ prefixURL: ""
+
+ ## External URL which can access prometheus
+ ## Maybe same with Ingress host name
+ baseURL: ""
+
+ ## Additional server container environment variables
+ ##
+ ## You specify this manually like you would a raw deployment manifest.
+ ## This means you can bind in environment variables from secrets.
+ ##
+ ## e.g. static environment variable:
+ ## - name: DEMO_GREETING
+ ## value: "Hello from the environment"
+ ##
+ ## e.g. secret environment variable:
+ ## - name: USERNAME
+ ## valueFrom:
+ ## secretKeyRef:
+ ## name: mysecret
+ ## key: username
+ env: []
+
+ extraFlags:
+ - web.enable-lifecycle
+ ## web.enable-admin-api flag controls access to the administrative HTTP API which includes functionality such as
+ ## deleting time series. This is disabled by default.
+ # - web.enable-admin-api
+ ##
+ ## storage.tsdb.no-lockfile flag controls BD locking
+ # - storage.tsdb.no-lockfile
+ ##
+ ## storage.tsdb.wal-compression flag enables compression of the write-ahead log (WAL)
+ # - storage.tsdb.wal-compression
+
+ ## Path to a configuration file on prometheus server container FS
+ configPath: /etc/config/prometheus.yml
+
+ ### The data directory used by prometheus to set --storage.tsdb.path
+ ### When empty server.persistentVolume.mountPath is used instead
+ storagePath: ""
+
+ global:
+ ## How frequently to scrape targets by default
+ ##
+ scrape_interval: 1m
+ ## How long until a scrape request times out
+ ##
+ scrape_timeout: 10s
+ ## How frequently to evaluate rules
+ ##
+ evaluation_interval: 1m
+ ## https://prometheus.io/docs/prometheus/latest/configuration/configuration/#remote_write
+ ##
+ remoteWrite: []
+ ## https://prometheus.io/docs/prometheus/latest/configuration/configuration/#remote_read
+ ##
+ remoteRead: []
+
+ ## Additional Prometheus server container arguments
+ ##
+ extraArgs: {}
+
+ ## Additional InitContainers to initialize the pod
+ ##
+ extraInitContainers: []
+
+ ## Additional Prometheus server Volume mounts
+ ##
+ extraVolumeMounts: []
+
+ ## Additional Prometheus server Volumes
+ ##
+ extraVolumes: []
+
+ ## Additional Prometheus server hostPath mounts
+ ##
+ extraHostPathMounts: []
+ # - name: certs-dir
+ # mountPath: /etc/kubernetes/certs
+ # subPath: ""
+ # hostPath: /etc/kubernetes/certs
+ # readOnly: true
+
+ extraConfigmapMounts: []
+ # - name: certs-configmap
+ # mountPath: /prometheus
+ # subPath: ""
+ # configMap: certs-configmap
+ # readOnly: true
+
+ ## Additional Prometheus server Secret mounts
+ # Defines additional mounts with secrets. Secrets must be manually created in the namespace.
+ extraSecretMounts: []
+ # - name: secret-files
+ # mountPath: /etc/secrets
+ # subPath: ""
+ # secretName: prom-secret-files
+ # readOnly: true
+
+ ## ConfigMap override where fullname is {{.Release.Name}}-{{.Values.server.configMapOverrideName}}
+ ## Defining configMapOverrideName will cause templates/server-configmap.yaml
+ ## to NOT generate a ConfigMap resource
+ ##
+ configMapOverrideName: ""
+
+ ingress:
+ ## If true, Prometheus server Ingress will be created
+ ##
+ enabled: false
+
+ # For Kubernetes >= 1.18 you should specify the ingress-controller via the field ingressClassName
+ # See https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/#specifying-the-class-of-an-ingress
+ # ingressClassName: nginx
+
+ ## Prometheus server Ingress annotations
+ ##
+ annotations: {}
+ # kubernetes.io/ingress.class: nginx
+ # kubernetes.io/tls-acme: 'true'
+
+ ## Prometheus server Ingress additional labels
+ ##
+ extraLabels: {}
+
+ ## Prometheus server Ingress hostnames with optional path
+ ## Must be provided if Ingress is enabled
+ ##
+ hosts: []
+ # - prometheus.domain.com
+ # - domain.com/prometheus
+
+ path: /
+
+ # pathType is only for k8s >= 1.18
+ pathType: Prefix
+
+ ## Extra paths to prepend to every host configuration. This is useful when working with annotation based services.
+ extraPaths: []
+ # - path: /*
+ # backend:
+ # serviceName: ssl-redirect
+ # servicePort: use-annotation
+
+ ## Prometheus server Ingress TLS configuration
+ ## Secrets must be manually created in the namespace
+ ##
+ tls: []
+ # - secretName: prometheus-server-tls
+ # hosts:
+ # - prometheus.domain.com
+
+ ## Server Deployment Strategy type
+ # strategy:
+ # type: Recreate
+
+ ## hostAliases allows adding entries to /etc/hosts inside the containers
+ hostAliases: []
+ # - ip: "127.0.0.1"
+ # hostnames:
+ # - "example.com"
+
+ ## Node tolerations for server scheduling to nodes with taints
+ ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
+ ##
+ tolerations: []
+ # - key: "key"
+ # operator: "Equal|Exists"
+ # value: "value"
+ # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)"
+
+ ## Node labels for Prometheus server pod assignment
+ ## Ref: https://kubernetes.io/docs/user-guide/node-selection/
+ ##
+ nodeSelector: {}
+
+ ## Pod affinity
+ ##
+ affinity: {}
+
+ ## PodDisruptionBudget settings
+ ## ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
+ ##
+ podDisruptionBudget:
+ enabled: false
+ maxUnavailable: 1
+
+ ## Use an alternate scheduler, e.g. "stork".
+ ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
+ ##
+ # schedulerName:
+
+ persistentVolume:
+ ## If true, Prometheus server will create/use a Persistent Volume Claim
+ ## If false, use emptyDir
+ ##
+ enabled: true
+
+ ## Prometheus server data Persistent Volume access modes
+ ## Must match those of existing PV or dynamic provisioner
+ ## Ref: http://kubernetes.io/docs/user-guide/persistent-volumes/
+ ##
+ accessModes:
+ - ReadWriteOnce
+
+ ## Prometheus server data Persistent Volume annotations
+ ##
+ annotations: {}
+
+ ## Prometheus server data Persistent Volume existing claim name
+ ## Requires server.persistentVolume.enabled: true
+ ## If defined, PVC must be created manually before volume will be bound
+ existingClaim: ""
+
+ ## Prometheus server data Persistent Volume mount root path
+ ##
+ mountPath: /data
+
+ ## Prometheus server data Persistent Volume size
+ ##
+ size: 8Gi
+
+ ## Prometheus server data Persistent Volume Storage Class
+ ## If defined, storageClassName:
+ ## If set to "-", storageClassName: "", which disables dynamic provisioning
+ ## If undefined (the default) or set to null, no storageClassName spec is
+ ## set, choosing the default provisioner. (gp2 on AWS, standard on
+ ## GKE, AWS & OpenStack)
+ ##
+ # storageClass: "-"
+
+ ## Prometheus server data Persistent Volume Binding Mode
+ ## If defined, volumeBindingMode:
+ ## If undefined (the default) or set to null, no volumeBindingMode spec is
+ ## set, choosing the default mode.
+ ##
+ # volumeBindingMode: ""
+
+ ## Subdirectory of Prometheus server data Persistent Volume to mount
+ ## Useful if the volume's root directory is not empty
+ ##
+ subPath: ""
+
+ emptyDir:
+ ## Prometheus server emptyDir volume size limit
+ ##
+ sizeLimit: ""
+
+ ## Annotations to be added to Prometheus server pods
+ ##
+ podAnnotations: {}
+ # iam.amazonaws.com/role: prometheus
+
+ ## Labels to be added to Prometheus server pods
+ ##
+ podLabels: {}
+
+ ## Prometheus AlertManager configuration
+ ##
+ alertmanagers: []
+
+ ## Specify if a Pod Security Policy for node-exporter must be created
+ ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/
+ ##
+ podSecurityPolicy:
+ annotations: {}
+ ## Specify pod annotations
+ ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#apparmor
+ ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#seccomp
+ ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#sysctl
+ ##
+ # seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'
+ # seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default'
+ # apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
+
+ ## Use a StatefulSet if replicaCount needs to be greater than 1 (see below)
+ ##
+ replicaCount: 1
+
+ ## Annotations to be added to deployment
+ ##
+ deploymentAnnotations: {}
+
+ statefulSet:
+ ## If true, use a statefulset instead of a deployment for pod management.
+ ## This allows to scale replicas to more than 1 pod
+ ##
+ enabled: false
+
+ annotations: {}
+ labels: {}
+ podManagementPolicy: OrderedReady
+
+ ## Alertmanager headless service to use for the statefulset
+ ##
+ headless:
+ annotations: {}
+ labels: {}
+ servicePort: 80
+ ## Enable gRPC port on service to allow auto discovery with thanos-querier
+ gRPC:
+ enabled: false
+ servicePort: 10901
+ # nodePort: 10901
+
+ ## Prometheus server readiness and liveness probe initial delay and timeout
+ ## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/
+ ##
+ readinessProbeInitialDelay: 30
+ readinessProbePeriodSeconds: 5
+ readinessProbeTimeout: 4
+ readinessProbeFailureThreshold: 3
+ readinessProbeSuccessThreshold: 1
+ livenessProbeInitialDelay: 30
+ livenessProbePeriodSeconds: 15
+ livenessProbeTimeout: 10
+ livenessProbeFailureThreshold: 3
+ livenessProbeSuccessThreshold: 1
+
+ ## Prometheus server resource requests and limits
+ ## Ref: http://kubernetes.io/docs/user-guide/compute-resources/
+ ##
+ resources: {}
+ # limits:
+ # cpu: 500m
+ # memory: 512Mi
+ # requests:
+ # cpu: 500m
+ # memory: 512Mi
+
+ # Required for use in managed kubernetes clusters (such as AWS EKS) with custom CNI (such as calico),
+ # because control-plane managed by AWS cannot communicate with pods' IP CIDR and admission webhooks are not working
+ ##
+ hostNetwork: false
+
+ # When hostNetwork is enabled, you probably want to set this to ClusterFirstWithHostNet
+ dnsPolicy: ClusterFirst
+
+ ## Vertical Pod Autoscaler config
+ ## Ref: https://github.com/kubernetes/autoscaler/tree/master/vertical-pod-autoscaler
+ verticalAutoscaler:
+ ## If true a VPA object will be created for the controller (either StatefulSet or Deployemnt, based on above configs)
+ enabled: false
+ # updateMode: "Auto"
+ # containerPolicies:
+ # - containerName: 'prometheus-server'
+
+ # Custom DNS configuration to be added to prometheus server pods
+ dnsConfig: {}
+ # nameservers:
+ # - 1.2.3.4
+ # searches:
+ # - ns1.svc.cluster-domain.example
+ # - my.dns.search.suffix
+ # options:
+ # - name: ndots
+ # value: "2"
+ # - name: edns0
+ ## Security context to be added to server pods
+ ##
+ securityContext:
+ runAsUser: 65534
+ runAsNonRoot: true
+ runAsGroup: 65534
+ fsGroup: 65534
+
+ service:
+ annotations: {}
+ labels: {}
+ clusterIP: ""
+
+ ## List of IP addresses at which the Prometheus server service is available
+ ## Ref: https://kubernetes.io/docs/user-guide/services/#external-ips
+ ##
+ externalIPs: []
+
+ loadBalancerIP: ""
+ loadBalancerSourceRanges: []
+ servicePort: 80
+ sessionAffinity: None
+ type: ClusterIP
+
+ ## Enable gRPC port on service to allow auto discovery with thanos-querier
+ gRPC:
+ enabled: false
+ servicePort: 10901
+ # nodePort: 10901
+
+ ## If using a statefulSet (statefulSet.enabled=true), configure the
+ ## service to connect to a specific replica to have a consistent view
+ ## of the data.
+ statefulsetReplica:
+ enabled: false
+ replica: 0
+
+ ## Prometheus server pod termination grace period
+ ##
+ terminationGracePeriodSeconds: 300
+
+ ## Prometheus data retention period (default if not specified is 15 days)
+ ##
+ retention: "15d"
+
+pushgateway:
+ ## If false, pushgateway will not be installed
+ ##
+ enabled: true
+
+ ## Use an alternate scheduler, e.g. "stork".
+ ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
+ ##
+ # schedulerName:
+
+ ## pushgateway container name
+ ##
+ name: pushgateway
+
+ ## pushgateway container image
+ ##
+ image:
+ repository: prom/pushgateway
+ tag: v1.3.1
+ pullPolicy: IfNotPresent
+
+ ## pushgateway priorityClassName
+ ##
+ priorityClassName: ""
+
+ ## Additional pushgateway container arguments
+ ##
+ ## for example: persistence.file: /data/pushgateway.data
+ extraArgs: {}
+
+ ## Additional InitContainers to initialize the pod
+ ##
+ extraInitContainers: []
+
+ ingress:
+ ## If true, pushgateway Ingress will be created
+ ##
+ enabled: false
+
+ # For Kubernetes >= 1.18 you should specify the ingress-controller via the field ingressClassName
+ # See https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/#specifying-the-class-of-an-ingress
+ # ingressClassName: nginx
+
+ ## pushgateway Ingress annotations
+ ##
+ annotations: {}
+ # kubernetes.io/ingress.class: nginx
+ # kubernetes.io/tls-acme: 'true'
+
+ ## pushgateway Ingress hostnames with optional path
+ ## Must be provided if Ingress is enabled
+ ##
+ hosts: []
+ # - pushgateway.domain.com
+ # - domain.com/pushgateway
+
+ path: /
+
+ # pathType is only for k8s >= 1.18
+ pathType: Prefix
+
+ ## Extra paths to prepend to every host configuration. This is useful when working with annotation based services.
+ extraPaths: []
+ # - path: /*
+ # backend:
+ # serviceName: ssl-redirect
+ # servicePort: use-annotation
+
+ ## pushgateway Ingress TLS configuration
+ ## Secrets must be manually created in the namespace
+ ##
+ tls: []
+ # - secretName: prometheus-alerts-tls
+ # hosts:
+ # - pushgateway.domain.com
+
+ ## Node tolerations for pushgateway scheduling to nodes with taints
+ ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
+ ##
+ tolerations: []
+ # - key: "key"
+ # operator: "Equal|Exists"
+ # value: "value"
+ # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)"
+
+ ## Node labels for pushgateway pod assignment
+ ## Ref: https://kubernetes.io/docs/user-guide/node-selection/
+ ##
+ nodeSelector: {}
+
+ ## Annotations to be added to pushgateway pods
+ ##
+ podAnnotations: {}
+
+ ## Labels to be added to pushgateway pods
+ ##
+ podLabels: {}
+
+ ## Specify if a Pod Security Policy for node-exporter must be created
+ ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/
+ ##
+ podSecurityPolicy:
+ annotations: {}
+ ## Specify pod annotations
+ ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#apparmor
+ ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#seccomp
+ ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#sysctl
+ ##
+ # seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'
+ # seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default'
+ # apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
+
+ replicaCount: 1
+
+ ## Annotations to be added to deployment
+ ##
+ deploymentAnnotations: {}
+
+ ## PodDisruptionBudget settings
+ ## ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
+ ##
+ podDisruptionBudget:
+ enabled: false
+ maxUnavailable: 1
+
+ ## pushgateway resource requests and limits
+ ## Ref: http://kubernetes.io/docs/user-guide/compute-resources/
+ ##
+ resources: {}
+ # limits:
+ # cpu: 10m
+ # memory: 32Mi
+ # requests:
+ # cpu: 10m
+ # memory: 32Mi
+
+ # Custom DNS configuration to be added to push-gateway pods
+ dnsConfig: {}
+ # nameservers:
+ # - 1.2.3.4
+ # searches:
+ # - ns1.svc.cluster-domain.example
+ # - my.dns.search.suffix
+ # options:
+ # - name: ndots
+ # value: "2"
+ # - name: edns0
+
+ ## Security context to be added to push-gateway pods
+ ##
+ securityContext:
+ runAsUser: 65534
+ runAsNonRoot: true
+
+ service:
+ annotations:
+ prometheus.io/probe: pushgateway
+ labels: {}
+ clusterIP: ""
+
+ ## List of IP addresses at which the pushgateway service is available
+ ## Ref: https://kubernetes.io/docs/user-guide/services/#external-ips
+ ##
+ externalIPs: []
+
+ loadBalancerIP: ""
+ loadBalancerSourceRanges: []
+ servicePort: 9091
+ type: ClusterIP
+
+ ## pushgateway Deployment Strategy type
+ # strategy:
+ # type: Recreate
+
+ persistentVolume:
+ ## If true, pushgateway will create/use a Persistent Volume Claim
+ ##
+ enabled: false
+
+ ## pushgateway data Persistent Volume access modes
+ ## Must match those of existing PV or dynamic provisioner
+ ## Ref: http://kubernetes.io/docs/user-guide/persistent-volumes/
+ ##
+ accessModes:
+ - ReadWriteOnce
+
+ ## pushgateway data Persistent Volume Claim annotations
+ ##
+ annotations: {}
+
+ ## pushgateway data Persistent Volume existing claim name
+ ## Requires pushgateway.persistentVolume.enabled: true
+ ## If defined, PVC must be created manually before volume will be bound
+ existingClaim: ""
+
+ ## pushgateway data Persistent Volume mount root path
+ ##
+ mountPath: /data
+
+ ## pushgateway data Persistent Volume size
+ ##
+ size: 2Gi
+
+ ## pushgateway data Persistent Volume Storage Class
+ ## If defined, storageClassName:
+ ## If set to "-", storageClassName: "", which disables dynamic provisioning
+ ## If undefined (the default) or set to null, no storageClassName spec is
+ ## set, choosing the default provisioner. (gp2 on AWS, standard on
+ ## GKE, AWS & OpenStack)
+ ##
+ # storageClass: "-"
+
+ ## pushgateway data Persistent Volume Binding Mode
+ ## If defined, volumeBindingMode:
+ ## If undefined (the default) or set to null, no volumeBindingMode spec is
+ ## set, choosing the default mode.
+ ##
+ # volumeBindingMode: ""
+
+ ## Subdirectory of pushgateway data Persistent Volume to mount
+ ## Useful if the volume's root directory is not empty
+ ##
+ subPath: ""
+
+
+## alertmanager ConfigMap entries
+##
+alertmanagerFiles:
+ alertmanager.yml:
+ global: {}
+ # slack_api_url: ''
+
+ receivers:
+ - name: default-receiver
+ # slack_configs:
+ # - channel: '@you'
+ # send_resolved: true
+
+ route:
+ group_wait: 10s
+ group_interval: 5m
+ receiver: default-receiver
+ repeat_interval: 3h
+
+## Prometheus server ConfigMap entries
+##
+serverFiles:
+
+ ## Alerts configuration
+ ## Ref: https://prometheus.io/docs/prometheus/latest/configuration/alerting_rules/
+ alerting_rules.yml: {}
+ # groups:
+ # - name: Instances
+ # rules:
+ # - alert: InstanceDown
+ # expr: up == 0
+ # for: 5m
+ # labels:
+ # severity: page
+ # annotations:
+ # description: '{{ $labels.instance }} of job {{ $labels.job }} has been down for more than 5 minutes.'
+ # summary: 'Instance {{ $labels.instance }} down'
+ ## DEPRECATED DEFAULT VALUE, unless explicitly naming your files, please use alerting_rules.yml
+ alerts: {}
+
+ ## Records configuration
+ ## Ref: https://prometheus.io/docs/prometheus/latest/configuration/recording_rules/
+ recording_rules.yml: {}
+ ## DEPRECATED DEFAULT VALUE, unless explicitly naming your files, please use recording_rules.yml
+ rules: {}
+
+ prometheus.yml:
+ rule_files:
+ - /etc/config/recording_rules.yml
+ - /etc/config/alerting_rules.yml
+ ## Below two files are DEPRECATED will be removed from this default values file
+ - /etc/config/rules
+ - /etc/config/alerts
+
+ scrape_configs:
+ - job_name: prometheus
+ static_configs:
+ - targets:
+ - localhost:9090
+
+ # A scrape configuration for running Prometheus on a Kubernetes cluster.
+ # This uses separate scrape configs for cluster components (i.e. API server, node)
+ # and services to allow each to use different authentication configs.
+ #
+ # Kubernetes labels will be added as Prometheus labels on metrics via the
+ # `labelmap` relabeling action.
+
+ # Scrape config for API servers.
+ #
+ # Kubernetes exposes API servers as endpoints to the default/kubernetes
+ # service so this uses `endpoints` role and uses relabelling to only keep
+ # the endpoints associated with the default/kubernetes service using the
+ # default named port `https`. This works for single API server deployments as
+ # well as HA API server deployments.
+ - job_name: 'kubernetes-apiservers'
+
+ kubernetes_sd_configs:
+ - role: endpoints
+
+ # Default to scraping over https. If required, just disable this or change to
+ # `http`.
+ scheme: https
+
+ # This TLS & bearer token file config is used to connect to the actual scrape
+ # endpoints for cluster components. This is separate to discovery auth
+ # configuration because discovery & scraping are two separate concerns in
+ # Prometheus. The discovery auth config is automatic if Prometheus runs inside
+ # the cluster. Otherwise, more config options have to be provided within the
+ # .
+ tls_config:
+ ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
+ # If your node certificates are self-signed or use a different CA to the
+ # master CA, then disable certificate verification below. Note that
+ # certificate verification is an integral part of a secure infrastructure
+ # so this should only be disabled in a controlled environment. You can
+ # disable certificate verification by uncommenting the line below.
+ #
+ insecure_skip_verify: true
+ bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
+
+ # Keep only the default/kubernetes service endpoints for the https port. This
+ # will add targets for each API server which Kubernetes adds an endpoint to
+ # the default/kubernetes service.
+ relabel_configs:
+ - source_labels: [__meta_kubernetes_namespace, __meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name]
+ action: keep
+ regex: default;kubernetes;https
+
+ - job_name: 'kubernetes-nodes'
+
+ # Default to scraping over https. If required, just disable this or change to
+ # `http`.
+ scheme: https
+
+ # This TLS & bearer token file config is used to connect to the actual scrape
+ # endpoints for cluster components. This is separate to discovery auth
+ # configuration because discovery & scraping are two separate concerns in
+ # Prometheus. The discovery auth config is automatic if Prometheus runs inside
+ # the cluster. Otherwise, more config options have to be provided within the
+ # .
+ tls_config:
+ ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
+ # If your node certificates are self-signed or use a different CA to the
+ # master CA, then disable certificate verification below. Note that
+ # certificate verification is an integral part of a secure infrastructure
+ # so this should only be disabled in a controlled environment. You can
+ # disable certificate verification by uncommenting the line below.
+ #
+ insecure_skip_verify: true
+ bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
+
+ kubernetes_sd_configs:
+ - role: node
+
+ relabel_configs:
+ - action: labelmap
+ regex: __meta_kubernetes_node_label_(.+)
+ - target_label: __address__
+ replacement: kubernetes.default.svc:443
+ - source_labels: [__meta_kubernetes_node_name]
+ regex: (.+)
+ target_label: __metrics_path__
+ replacement: /api/v1/nodes/$1/proxy/metrics
+
+
+ - job_name: 'kubernetes-nodes-cadvisor'
+
+ # Default to scraping over https. If required, just disable this or change to
+ # `http`.
+ scheme: https
+
+ # This TLS & bearer token file config is used to connect to the actual scrape
+ # endpoints for cluster components. This is separate to discovery auth
+ # configuration because discovery & scraping are two separate concerns in
+ # Prometheus. The discovery auth config is automatic if Prometheus runs inside
+ # the cluster. Otherwise, more config options have to be provided within the
+ # .
+ tls_config:
+ ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
+ # If your node certificates are self-signed or use a different CA to the
+ # master CA, then disable certificate verification below. Note that
+ # certificate verification is an integral part of a secure infrastructure
+ # so this should only be disabled in a controlled environment. You can
+ # disable certificate verification by uncommenting the line below.
+ #
+ insecure_skip_verify: true
+ bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
+
+ kubernetes_sd_configs:
+ - role: node
+
+ # This configuration will work only on kubelet 1.7.3+
+ # As the scrape endpoints for cAdvisor have changed
+ # if you are using older version you need to change the replacement to
+ # replacement: /api/v1/nodes/$1:4194/proxy/metrics
+ # more info here https://github.com/coreos/prometheus-operator/issues/633
+ relabel_configs:
+ - action: labelmap
+ regex: __meta_kubernetes_node_label_(.+)
+ - target_label: __address__
+ replacement: kubernetes.default.svc:443
+ - source_labels: [__meta_kubernetes_node_name]
+ regex: (.+)
+ target_label: __metrics_path__
+ replacement: /api/v1/nodes/$1/proxy/metrics/cadvisor
+
+ # Scrape config for service endpoints.
+ #
+ # The relabeling allows the actual service scrape endpoint to be configured
+ # via the following annotations:
+ #
+ # * `prometheus.io/scrape`: Only scrape services that have a value of `true`
+ # * `prometheus.io/scheme`: If the metrics endpoint is secured then you will need
+ # to set this to `https` & most likely set the `tls_config` of the scrape config.
+ # * `prometheus.io/path`: If the metrics path is not `/metrics` override this.
+ # * `prometheus.io/port`: If the metrics are exposed on a different port to the
+ # service then set this appropriately.
+ - job_name: 'kubernetes-service-endpoints'
+
+ kubernetes_sd_configs:
+ - role: endpoints
+
+ relabel_configs:
+ - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_scrape]
+ action: keep
+ regex: true
+ - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_scheme]
+ action: replace
+ target_label: __scheme__
+ regex: (https?)
+ - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_path]
+ action: replace
+ target_label: __metrics_path__
+ regex: (.+)
+ - source_labels: [__address__, __meta_kubernetes_service_annotation_prometheus_io_port]
+ action: replace
+ target_label: __address__
+ regex: ([^:]+)(?::\d+)?;(\d+)
+ replacement: $1:$2
+ - action: labelmap
+ regex: __meta_kubernetes_service_label_(.+)
+ - source_labels: [__meta_kubernetes_namespace]
+ action: replace
+ target_label: kubernetes_namespace
+ - source_labels: [__meta_kubernetes_service_name]
+ action: replace
+ target_label: kubernetes_name
+ - source_labels: [__meta_kubernetes_pod_node_name]
+ action: replace
+ target_label: kubernetes_node
+
+ # Scrape config for slow service endpoints; same as above, but with a larger
+ # timeout and a larger interval
+ #
+ # The relabeling allows the actual service scrape endpoint to be configured
+ # via the following annotations:
+ #
+ # * `prometheus.io/scrape-slow`: Only scrape services that have a value of `true`
+ # * `prometheus.io/scheme`: If the metrics endpoint is secured then you will need
+ # to set this to `https` & most likely set the `tls_config` of the scrape config.
+ # * `prometheus.io/path`: If the metrics path is not `/metrics` override this.
+ # * `prometheus.io/port`: If the metrics are exposed on a different port to the
+ # service then set this appropriately.
+ - job_name: 'kubernetes-service-endpoints-slow'
+
+ scrape_interval: 5m
+ scrape_timeout: 30s
+
+ kubernetes_sd_configs:
+ - role: endpoints
+
+ relabel_configs:
+ - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_scrape_slow]
+ action: keep
+ regex: true
+ - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_scheme]
+ action: replace
+ target_label: __scheme__
+ regex: (https?)
+ - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_path]
+ action: replace
+ target_label: __metrics_path__
+ regex: (.+)
+ - source_labels: [__address__, __meta_kubernetes_service_annotation_prometheus_io_port]
+ action: replace
+ target_label: __address__
+ regex: ([^:]+)(?::\d+)?;(\d+)
+ replacement: $1:$2
+ - action: labelmap
+ regex: __meta_kubernetes_service_label_(.+)
+ - source_labels: [__meta_kubernetes_namespace]
+ action: replace
+ target_label: kubernetes_namespace
+ - source_labels: [__meta_kubernetes_service_name]
+ action: replace
+ target_label: kubernetes_name
+ - source_labels: [__meta_kubernetes_pod_node_name]
+ action: replace
+ target_label: kubernetes_node
+
+ - job_name: 'prometheus-pushgateway'
+ honor_labels: true
+
+ kubernetes_sd_configs:
+ - role: service
+
+ relabel_configs:
+ - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_probe]
+ action: keep
+ regex: pushgateway
+
+ # Example scrape config for probing services via the Blackbox Exporter.
+ #
+ # The relabeling allows the actual service scrape endpoint to be configured
+ # via the following annotations:
+ #
+ # * `prometheus.io/probe`: Only probe services that have a value of `true`
+ - job_name: 'kubernetes-services'
+
+ metrics_path: /probe
+ params:
+ module: [http_2xx]
+
+ kubernetes_sd_configs:
+ - role: service
+
+ relabel_configs:
+ - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_probe]
+ action: keep
+ regex: true
+ - source_labels: [__address__]
+ target_label: __param_target
+ - target_label: __address__
+ replacement: blackbox
+ - source_labels: [__param_target]
+ target_label: instance
+ - action: labelmap
+ regex: __meta_kubernetes_service_label_(.+)
+ - source_labels: [__meta_kubernetes_namespace]
+ target_label: kubernetes_namespace
+ - source_labels: [__meta_kubernetes_service_name]
+ target_label: kubernetes_name
+
+ # Example scrape config for pods
+ #
+ # The relabeling allows the actual pod scrape endpoint to be configured via the
+ # following annotations:
+ #
+ # * `prometheus.io/scrape`: Only scrape pods that have a value of `true`
+ # * `prometheus.io/scheme`: If the metrics endpoint is secured then you will need
+ # to set this to `https` & most likely set the `tls_config` of the scrape config.
+ # * `prometheus.io/path`: If the metrics path is not `/metrics` override this.
+ # * `prometheus.io/port`: Scrape the pod on the indicated port instead of the default of `9102`.
+ - job_name: 'kubernetes-pods'
+
+ kubernetes_sd_configs:
+ - role: pod
+
+ relabel_configs:
+ - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scrape]
+ action: keep
+ regex: true
+ - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scheme]
+ action: replace
+ regex: (https?)
+ target_label: __scheme__
+ - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_path]
+ action: replace
+ target_label: __metrics_path__
+ regex: (.+)
+ - source_labels: [__address__, __meta_kubernetes_pod_annotation_prometheus_io_port]
+ action: replace
+ regex: ([^:]+)(?::\d+)?;(\d+)
+ replacement: $1:$2
+ target_label: __address__
+ - action: labelmap
+ regex: __meta_kubernetes_pod_label_(.+)
+ - source_labels: [__meta_kubernetes_namespace]
+ action: replace
+ target_label: kubernetes_namespace
+ - source_labels: [__meta_kubernetes_pod_name]
+ action: replace
+ target_label: kubernetes_pod_name
+ - source_labels: [__meta_kubernetes_pod_phase]
+ regex: Pending|Succeeded|Failed|Completed
+ action: drop
+
+ # Example Scrape config for pods which should be scraped slower. An useful example
+ # would be stackriver-exporter which queries an API on every scrape of the pod
+ #
+ # The relabeling allows the actual pod scrape endpoint to be configured via the
+ # following annotations:
+ #
+ # * `prometheus.io/scrape-slow`: Only scrape pods that have a value of `true`
+ # * `prometheus.io/scheme`: If the metrics endpoint is secured then you will need
+ # to set this to `https` & most likely set the `tls_config` of the scrape config.
+ # * `prometheus.io/path`: If the metrics path is not `/metrics` override this.
+ # * `prometheus.io/port`: Scrape the pod on the indicated port instead of the default of `9102`.
+ - job_name: 'kubernetes-pods-slow'
+
+ scrape_interval: 5m
+ scrape_timeout: 30s
+
+ kubernetes_sd_configs:
+ - role: pod
+
+ relabel_configs:
+ - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scrape_slow]
+ action: keep
+ regex: true
+ - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scheme]
+ action: replace
+ regex: (https?)
+ target_label: __scheme__
+ - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_path]
+ action: replace
+ target_label: __metrics_path__
+ regex: (.+)
+ - source_labels: [__address__, __meta_kubernetes_pod_annotation_prometheus_io_port]
+ action: replace
+ regex: ([^:]+)(?::\d+)?;(\d+)
+ replacement: $1:$2
+ target_label: __address__
+ - action: labelmap
+ regex: __meta_kubernetes_pod_label_(.+)
+ - source_labels: [__meta_kubernetes_namespace]
+ action: replace
+ target_label: kubernetes_namespace
+ - source_labels: [__meta_kubernetes_pod_name]
+ action: replace
+ target_label: kubernetes_pod_name
+ - source_labels: [__meta_kubernetes_pod_phase]
+ regex: Pending|Succeeded|Failed|Completed
+ action: drop
+
+# adds additional scrape configs to prometheus.yml
+# must be a string so you have to add a | after extraScrapeConfigs:
+# example adds prometheus-blackbox-exporter scrape config
+extraScrapeConfigs:
+ # - job_name: 'prometheus-blackbox-exporter'
+ # metrics_path: /probe
+ # params:
+ # module: [http_2xx]
+ # static_configs:
+ # - targets:
+ # - https://example.com
+ # relabel_configs:
+ # - source_labels: [__address__]
+ # target_label: __param_target
+ # - source_labels: [__param_target]
+ # target_label: instance
+ # - target_label: __address__
+ # replacement: prometheus-blackbox-exporter:9115
+
+# Adds option to add alert_relabel_configs to avoid duplicate alerts in alertmanager
+# useful in H/A prometheus with different external labels but the same alerts
+alertRelabelConfigs:
+ # alert_relabel_configs:
+ # - source_labels: [dc]
+ # regex: (.+)\d+
+ # target_label: dc
+
+networkPolicy:
+ ## Enable creation of NetworkPolicy resources.
+ ##
+ enabled: false
+
+# Force namespace of namespaced resources
+forceNamespace: null
diff --git a/charts/k10/k10/4.5.1100/config.json b/charts/k10/k10/4.5.1100/config.json
new file mode 100644
index 000000000..e69de29bb
diff --git a/charts/k10/k10/4.5.1100/eula.txt b/charts/k10/k10/4.5.1100/eula.txt
new file mode 100644
index 000000000..8eb11346c
--- /dev/null
+++ b/charts/k10/k10/4.5.1100/eula.txt
@@ -0,0 +1,458 @@
+KASTEN END USER LICENSE AGREEMENT
+
+This End User License Agreement is a binding agreement between Kasten, Inc., a
+Delaware Corporation ("Kasten"), and you ("Licensee"), and establishes the terms
+under which Licensee may use the Software and Documentation (as defined below),
+including without limitation terms and conditions relating to license grant,
+intellectual property rights, disclaimers /exclusions / limitations of warranty,
+indemnity and liability, governing law and limitation periods. All components
+collectively are referred to herein as the "Agreement."
+
+LICENSEE ACKNOWLEDGES IT HAS HAD THE OPPORTUNITY TO REVIEW THE AGREEMENT, PRIOR
+TO ACCEPTANCE OF THIS AGREEMENT. LICENSEE'S ACCEPTANCE OF THIS AGREEMENT IS
+EVIDENCED BY LICENSEE'S DOWNLOADING, COPYING, INSTALLING OR USING THE KASTEN
+SOFTWARE. IF YOU ARE ACTING ON BEHALF OF A COMPANY, YOU REPRESENT THAT YOU ARE
+AUTHORIZED TO BIND THE COMPANY. IF YOU DO NOT AGREE TO ALL TERMS OF THIS
+AGREEMENT, DO NOT DOWNLOAD, COPY, INSTALL, OR USE THE SOFTWARE, AND PERMANENTLY
+DELETE THE SOFTWARE.
+
+1. DEFINITIONS
+
+1.1 "Authorized Persons" means trained technical employees and contractors of
+Licensee who are subject to a written agreement with Licensee that includes use
+and confidentiality restrictions that are at least as protective as those set
+forth in this Agreement.
+
+1.2 "Authorized Reseller" means a distributor or reseller, including cloud
+computing platform providers, authorized by Kasten to resell licenses to the
+Software through the channel through or in the territory in which Licensee is
+purchasing.
+
+1.3 "Confidential Information" means all non-public information disclosed in
+written, oral or visual form by either party to the other. Confidential
+Information may include, but is not limited to, services, pricing information,
+computer programs, source code, names and expertise of employees and
+consultants, know-how, and other technical, business, financial and product
+development information. "Confidential Information" does not include any
+information that the receiving party can demonstrate by its written records (1)
+was rightfully known to it without obligation of confidentiality prior to its
+disclosure hereunder by the disclosing party; (2) is or becomes publicly known
+through no wrongful act of the receiving party; (3) has been rightfully received
+without obligation of confidentiality from a third party authorized to make such
+a disclosure; or (4) is independently developed by the receiving party without
+reference to confidential information disclosed hereunder.
+
+1.4 "Documentation" means any administration guides, installation and user
+guides, and release notes that are provided by Kasten to Licensee with the
+Software.
+
+1.5 "Intellectual Property Rights" means patents, design patents, copyrights,
+trademarks, Confidential Information, know-how, trade secrets, moral rights, and
+any other intellectual property rights recognized in any country or jurisdiction
+in the world.
+
+1.6 "Node" means a single physical or virtual computing machine recognizable by
+the Software as a unique device. Nodes must be owned or leased by Licensee or an
+entity controlled by, controlling or under common control with Licensee.
+
+1.7 "Edition" means a unique identifier for each distinct product that is made
+available by Kasten and that can be licensed, including summary information
+regarding any associated functionality, features, or restrictions specific to
+the Edition.
+
+1.8 "Open Source Software" means software delivered to Licensee hereunder that
+is subject to the provisions of any open source license agreement.
+
+1.9 "Purchase Agreement" means a separate commercial agreement, if applicable,
+between Kasten and the Licensee that contains the terms for the licensing of a
+specific Edition of the Software.
+
+1.10 "Software" means any and all software product Editions licensed to Licensee
+under this Agreement, all as developed by Kasten and delivered to Licensee
+hereunder. Software also includes any Updates provided by Kasten to Licensee.
+For the avoidance of doubt, the definition of Software shall exclude any
+Third-Party Software and Open Source Software.
+
+1.11 "Third-Party Software" means certain software Kasten licenses from third
+parties and provides to Licensee with the Software, which may include Open
+Source Software.
+
+1.12 "Update" means a revision of the Software that Kasten makes available to
+customers at no additional cost. The Update includes, if and when applicable and
+available, bug fix patches, maintenance release, minor release, or new major
+releases. Updates are limited only to the Software licensed by Licensee, and
+specifically exclude new product offerings, features, options or functionality
+of the Software that Kasten may choose to license separately, or for an
+additional fee.
+
+1.13 "Use" means to install activate the processing capabilities of the
+Software, load, execute, access, employ the Software, or display information
+resulting from such capabilities.
+
+
+2. LICENSE GRANT AND RESTRICTIONS
+
+2.1 Enterprise License. Subject to Licensee"s compliance with the terms and
+conditions of this Agreement (including any additional restrictions on
+Licensee"s use of the Software set forth in the Purchase Agreement, if one
+exists, between Licensee and Kasten), Kasten grants to Licensee a non-exclusive,
+non-transferable (except in connection with a permitted assignment of this
+Agreement under Section 14.10 (Assignment), non-sublicensable, limited term
+license to install and use the Software, in object code form only, solely for
+Licensee"s use, unless terminated in accordance with Section 4 (Term and
+Termination).
+
+2.2 Starter License. This section shall only apply when the Licensee licenses
+Starter Edition of the Software. The license granted herein is for a maximum of
+10 Nodes and for a period of 12 months from the date of the Software release that
+embeds the specific license instance. Updating to a newer Software (minor or
+major) release will always extend the validity of the license by 12 months. If
+the Licensee wishes to upgrade to an Enterprise License instead, the Licensee
+will have to enter into a Purchase Agreement with Kasten which will supersede
+this Agreement. The Licensee is required to provide accurate email and company
+information, if representing a company, when accepting this Agreement. Under no
+circumstances will a Starter License be construed to mean that the Licensee is
+authorized to distribute the Software to any third party for any reason
+whatsoever.
+
+2.3 Evaluation License. This section shall only apply when the Licensee has
+licensed the Software for an initial evaluation period. The license granted
+herein is valid only one time 30 days, starting from date of installation,
+unless otherwise explicitly designated by Kasten ("Evaluation Period"). Under
+this license the Software can only be used for evaluation purposes. Under no
+circumstances will an Evaluation License be construed to mean that the Licensee
+is authorized to distribute the Software to any third party for any reason
+whatsoever. If the Licensee wishes to upgrade to an Enterprise License instead,
+the Licensee will have to enter into a Purchase Agreement with Kasten which will
+supersede this Agreement.. If the Licensee does not wish to upgrade to an
+Enterprise License at the end of the Evaluation Period the Licensee"s rights
+under the Agreement shall terminate, and the Licensee shall delete all Kasten
+Software.
+
+2.4 License Restrictions. Except to the extent permitted under this Agreement,
+Licensee will not nor will Licensee allow any third party to: (i) copy, modify,
+adapt, translate or otherwise create derivative works of the Software or the
+Documentation; (ii) reverse engineer, decompile, disassemble or otherwise
+attempt to discover the source code of the Software; (iii) rent, lease, sell,
+assign or otherwise transfer rights in or to the Software or Documentation; (iv)
+remove any proprietary notices or labels from the Software or Documentation; (v)
+publicly disseminate performance information or analysis (including, without
+limitation, benchmarks) relating to the Software. Licensee will comply with all
+applicable laws and regulations in Licensee"s use of and access to the Software
+and Documentation.
+
+2.5 Responsibility for Use. The Software and Documentation may be used only by
+Authorized Persons and in conformance with this Agreement. Licensee shall be
+responsible for the proper use and protection of the Software and Documentation
+and is responsible for: (i) installing, managing, operating, and physically
+controlling the Software and the results obtained from using the Software; (ii)
+using the Software within the operating environment specified in the
+Documentation; and; (iii) establishing and maintaining such recovery and data
+protection and security procedures as necessary for Licensee's service and
+operation and/or as may be specified by Kasten from time to time.
+
+2.6 United States Government Users. The Software licensed under this Agreement
+is "commercial computer software" as that term is described in DFAR
+252.227-7014(a)(1). If acquired by or on behalf of a civilian agency, the U.S.
+Government acquires this commercial computer software and/or commercial computer
+software documentation subject to the terms and this Agreement as specified in
+48 C.F.R. 12.212 (Computer Software) and 12.211 (Technical Data) of the Federal
+Acquisition Regulations ("FAR") and its successors. If acquired by or on behalf
+of any agency within the Department of Defense ("DOD"), the U.S. Government
+acquires this commercial computer software and/or commercial computer software
+documentation subject to the terms of this Agreement as specified in 48 C.F.R.
+227.7202 of the DOD FAR Supplement and its successors.
+
+
+3. SUPPORT
+
+During the Term (as defined below) and subject to Licensee"s compliance with the
+terms and conditions of this Agreement, Licensee may submit queries and requests
+for support using Kasten"s support alias support@kasten.io and a private Slack
+channel (except Starter and Evaluation Edition Licensees). Licensee shall be
+entitled to the support service-level agreement specified in the Purchase
+Agreement (including relevant Order Forms) between the Licensee and Kasten. If
+there is no Purchase Agreement in place, support level shall default to Starter
+Edition Support as specified below. Licensee shall also be permitted to download
+and install all Updates released by Kasten during the Term and made generally
+available to users of the Software. Support is provided only for the current
+version of the Software (i.e. with all Updates and Upgrades installed) and for
+each of the previous three Updates.
+
+3.1 Starter Edition Support. If the Licensee has licensed Starter Edition of
+the Software, they will have access to the Kasten support alias, but Kasten
+cannot guarantee a service level of any sort. Should a higher level of support
+be needed, Licensee has the option to consider entering into a Purchase
+Agreement with Kasten for licensing a different Edition of the Software.
+
+
+4. TERM AND TERMINATION
+
+4.1 Term. The term of this Agreement, except for Starter and Evaluation
+Licenses, shall commence on the Effective Date and shall, unless terminated
+earlier in accordance with the provisions of Section 4.2 below, remain in force
+for the Subscription Period as set forth in the applicable Order Form(s) (the
+"Term"). The parties may extend the Term of this Agreement beyond the
+Subscription Period by executing additional Order Form(s) and Licensee"s payment
+of additional licensing fees. The term of this Agreement for the Starter and
+Evaluation Licenses will coincide with the term for Starter Edition (as stated
+in section 2.2) and the term for Evaluation Period (as stated in section 2.3),
+respectively
+
+4.2 Termination. Either party may immediately terminate this
+Agreement and the licenses granted hereunder if the other party (1) becomes
+insolvent and"becomes unwilling or unable to meet its obligations under this
+Agreement, (2) files a petition in bankruptcy, (3) is subject to the filing of
+an involuntary petition for bankruptcy which is not rescinded within a period of
+forty-five (45) days, (4) fails to cure a material breach of any material term
+or condition of this Agreement within thirty (30) days of receipt of written
+notice specifying such breach, or (5) materially breaches its obligations of
+confidentiality hereunder.
+
+4.3 Effects of Termination. Upon expiration or
+termination of this Agreement for any reason, (i) any amounts owed to Kasten
+under this Agreement will be immediately due and payable; (ii) all licensed
+rights granted in this Agreement will immediately cease; and (iii) Licensee will
+promptly discontinue all use of the Software and Documentation and return to
+Kasten any Kasten Confidential Information in Licensee"s possession or control.
+
+4.4 Survival. The following Sections of this Agreement will remain in effect
+following the expiration or termination of these General Terms for any reason:
+4.3 (Effects of Termination), 4.4 (Survival), 5 (Third Party Software) 5
+(Confidentiality), 9 (Ownership), 10.2 (Third-Party Software), 10.3 (Warranty
+Disclaimer), 11 (Limitations of Liability), 12.2 (Exceptions to Kasten
+Obligation), 13 (Export) and 14 (General).
+
+
+5. THIRD PARTY AND OPEN SOURCE SOFTWARE Certain Third-Party Software or Open
+Source Software (Kasten can provide a list upon request) that may be provided
+with the Software may be subject to various other terms and conditions imposed
+by the licensors of such Third-Party Software or Open Source Software. The
+terms of Licensee"s use of the Third-Party Software or Open Source Software is
+subject to and governed by the respective Third-Party Software and Open Source
+licenses, except that this Section 5 (Third-Party Software), Section 10.2 (Third
+Party Software), 10.3 (Warranty Disclaimer), Section 11 (Limitations of
+Liability), and Section 14 (General) of this Agreement also govern Licensee"s
+use of the Third-Party Software. To the extent applicable to Licensee"s use of
+such Third-Party Software and Open Source, Licensee agrees to comply with the
+terms and conditions contained in all such Third-Party Software and Open Source
+licenses.
+
+
+6. CONFIDENTIALITY Neither party will use any Confidential Information of the
+other party except as expressly permitted by this Agreement or as expressly
+authorized in writing by the disclosing party. The receiving party shall use
+the same degree of care to protect the disclosing party"s Confidential
+Information as it uses to protect its own Confidential Information of like
+nature, but in no circumstances less than a commercially reasonable standard of
+care. The receiving party may not disclose the disclosing party"s Confidential
+Information to any person or entity other than to (i) (a) Authorized Persons in
+the case the receiving party is Licensee, and (b) Kasten"s employees and
+contractors in the case the receiving party is Kasten, and (ii) who need access
+to such Confidential Information solely for the purpose of fulfilling that
+party"s obligations or exercising that party"s rights hereunder.
The foregoing +obligations will not restrict the receiving party from disclosing Confidential +Information of the disclosing party: (1) pursuant to the order or requirement of +a court, administrative agency, or other governmental body, provided that the +receiving party required to make such a disclosure gives reasonable notice to +the disclosing party prior to such disclosure; and (2) on a confidential basis +to its legal and financial advisors. Kasten may identify Licensee in its +customer lists in online and print marketing materials. + + +7. FEES Fees for Enterprise License shall be set forth in separate Order Form(s) +attached to a Purchase Agreement, between the Licensee and Kasten. + +If Licensee has obtained the Software through an Authorized Reseller, fees for +licensing shall be invoiced directly by the Authorized Reseller. + +If no Purchase Agreement exists, during the term of this Agreement, Kasten +shall license the Starter Edition only and no other Edition of the Software +"at no charge" to Licensee. + + +8. USAGE DATA Kasten may collect, accumulate, and aggregate certain usage +statistics in order to analyze usage of the Software, make improvements, and +potentially develop new products. Kasten may use aggregated anonymized data for +any purpose that Kasten, at its own discretion, may consider appropriate. + + +9. OWNERSHIP As between Kasten and Licensee, all right, title and interest in +the Software, Documentation and any other Kasten materials furnished or made +available hereunder, all modifications and enhancements thereof, and all +suggestions, ideas and feedback proposed by Licensee regarding the Software and +Documentation, including all copyright rights, patent rights and other +Intellectual Property Rights in each of the foregoing, belong to and are +retained solely by Kasten or Kasten"s licensors and providers, as applicable. 
+Licensee hereby does and will irrevocably assign to Kasten all evaluations, +ideas, feedback and suggestions made by Licensee to Kasten regarding the +Software and Documentation (collectively, "Feedback") and all Intellectual +Property Rights in and to the Feedback. Except as expressly provided herein, no +licenses of any kind are granted hereunder, whether by implication, estoppel, or +otherwise. + + +10. LIMITED WARRANTY AND DISCLAIMERS + +10.1 Limited Warranty. Kasten warrants for a period of thirty (30) days from +the Effective Date that the Software will materially conform to Kasten"s +then-current Documentation (the "Warranty Period") when properly installed on a +computer for which a license is granted hereunder. Licensee"s exclusive remedy +for a breach of this Section 10.1 is that Kasten shall, at its option, use +commercially reasonable efforts to correct or replace the Software, or refund +all or a portion of the fees paid by Licensee pursuant to the Purchase +Agreement. Kasten, in its sole discretion, may revise this limited warranty from +time to time. + +10.2 Third-Party Software. Except as expressly set forth in this Agreement, +Third-Party Software (including any Open Source Software) are provided on an +"as-is" basis at the sole risk of Licensee. Notwithstanding any language to the +contrary in this Agreement, Kasten makes no express or implied warranties of any +kind with respect to Third-Party Software provided to Licensee and shall not be +liable for any damages regarding the use or operation of the Third-Party +Software furnished under this Agreement. Any and all express or implied +warranties, if any, arising from the license of Third-Party Software shall be +those warranties running from the third party manufacturer or licensor to +Licensee. + +10.3 Warranty Disclaimer. 
EXCEPT FOR THE LIMITED WARRANTY PROVIDED ABOVE, +KASTEN AND ITS SUPPLIERS MAKE NO WARRANTY OF ANY KIND, WHETHER EXPRESS, IMPLIED, +STATUTORY OR OTHERWISE, RELATING TO THE SOFTWARE OR TO KASTEN"S MAINTENANCE, +PROFESSIONAL OR OTHER SERVICES. KASTEN SPECIFICALLY DISCLAIMS ALL IMPLIED +WARRANTIES OF DESIGN, MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE +AND NON-INFRINGEMENT. KASTEN AND ITS SUPPLIERS AND LICENSORS DO NOT WARRANT OR +REPRESENT THAT THE SOFTWARE WILL BE FREE FROM BUGS OR THAT ITS USE WILL BE +UNINTERRUPTED OR ERROR-FREE. THIS DISCLAIMER SHALL APPLY NOTWITHSTANDING THE +FAILURE OF THE ESSENTIAL PURPOSE OF ANY LIMITED REMEDY PROVIDED HEREIN. EXCEPT +AS STATED ABOVE, KASTEN AND ITS SUPPLIERS PROVIDE THE SOFTWARE ON AN "AS IS" +BASIS. KASTEN PROVIDES NO WARRANTIES WITH RESPECT TO THIRD PARTY SOFTWARE AND +OPEN SOURCE SOFTWARE. + + +11. LIMITATIONS OF LIABILITY + +11.1 EXCLUSION OF CERTAIN DAMAGES. EXCEPT FOR BREACHES OF SECTION 6 +(CONFIDENTIALITY) OR SECTION 9 (OWNERSHIP), IN NO EVENT WILL EITHER PARTY BE +LIABLE FOR ANY INDIRECT, CONSEQUENTIAL, EXEMPLARY, SPECIAL, INCIDENTAL OR +RELIANCE DAMAGES, INCLUDING ANY LOST DATA, LOSS OF USE AND LOST PROFITS, ARISING +FROM OR RELATING TO THIS AGREEMENT, THE SOFTWARE OR DOCUMENTATION, EVEN IF SUCH +PARTY KNEW OR SHOULD HAVE KNOWN OF THE POSSIBILITY OF, OR COULD REASONABLY HAVE +PREVENTED, SUCH DAMAGES. + +11.2 LIMITATION OF DAMAGES. EXCEPT FOR THE BREACHES OF SECTION 6 +(CONFIDENTIALITY) OR SECTION 9 (OWNERSHIP), EACH PARTY"S TOTAL CUMULATIVE +LIABILITY ARISING FROM OR RELATED TO THIS AGREEMENT OR THE SOFTWARE, +DOCUMENTATION, OR SERVICES PROVIDED BY KASTEN, WILL NOT EXCEED THE AMOUNT OF +FEES PAID OR PAYABLE BY LICENSEE FOR THE SOFTWARE, DOCUMENTATION OR SERVICES +GIVING RISE TO THE CLAIM IN THE TWELVE (12) MONTHS FOLLOWING THE EFFECTIVE DATE. +LICENSEE AGREES THAT KASTEN"S SUPPLIERS AND LICENSORS WILL HAVE NO LIABILITY OF +ANY KIND UNDER OR AS A RESULT OF THIS AGREEMENT. 
IN THE CASE OF KASTEN"S +INDEMNIFICATION OBLIGATIONS, KASTEN"S CUMULATIVE LIABILITY UNDER THIS AGREEMENT +SHALL BE LIMITED TO THE SUM OF THE LICENSE FEES PAID OR PAYABLE BY LICENSEE FOR +THE SOFTWARE, DOCUMENTATION OR SERVICES GIVING RISE TO THE CLAIM IN THE TWELVE +(12) MONTHS FOLLOWING THE EFFECTIVE DATE. + +11.3 THIRD PARTY SOFTWARE. NOTWITHSTANDING ANY LANGUAGE TO THE CONTRARY IN THIS +AGREEMENT, KASTEN SHALL NOT BE LIABLE FOR ANY DAMAGES REGARDING THE USE OR +OPERATION OF ANY THIRD-PARTY SOFTWARE FURNISHED UNDER THIS AGREEMENT. + +11.4 LIMITATION OF ACTIONS. IN NO EVENT MAY LICENSEE BRING ANY CAUSE OF ACTION +RELATED TO THIS AGREEMENT MORE THAN ONE (1) YEAR AFTER THE OCCURRENCE OF THE +EVENT GIVING RISE TO THE LIABILITY. + + +12. EXPORT +The Software, Documentation and related technical data may be subject +to U.S. export control laws, including without limitation the U.S. Export +Administration Act and its associated regulations, and may be subject to export +or import regulations in other countries. Licensee shall comply with all such +regulations and agrees to obtain all necessary licenses to export, re-export, or +import the Software, Documentation and related technical data. + + +13. GENERAL + +13.1 No Agency. Kasten and Licensee each acknowledge and agree that the +relationship established by this Agreement is that of independent contractors, +and nothing contained in this Agreement shall be construed to: (1) give either +party the power to direct or control the daytoday activities of the other; (2) +deem the parties to be acting as partners, joint venturers, coowners or +otherwise as participants in a joint undertaking; or (3) permit either party or +any of either party"s officers, directors, employees, agents or representatives +to create or assume any obligation on behalf of or for the account of the other +party for any purpose whatsoever. + +13.2 Compliance with Laws. 
Each party agrees to comply with all applicable +laws, regulations, and ordinances relating to their performance hereunder. +Without limiting the foregoing, Licensee warrants and covenants that it will +comply with all then current laws and regulations of the United States and other +jurisdictions relating or applicable to Licensee"s use of the Software and +Documentation including, without limitation, those concerning Intellectual +Property Rights, invasion of privacy, defamation, and the import and export of +Software and Documentation. + +13.3 Force Majeure. Except for the duty to pay money, neither party shall be +liable hereunder by reason of any failure or delay in the performance of its +obligations hereunder on account of strikes, riots, fires, flood, storm, +explosions, acts of God, war, governmental action, earthquakes, or any other +cause which is beyond the reasonable control of such party. + +13.4 Governing Law; Venue and Jurisdiction. This Agreement shall be interpreted +according to the laws of the State of California without regard to or +application of choiceoflaw rules or principles. The parties expressly agree +that the United Nations Convention on Contracts for the International Sale of +Goods and the Uniform Computer Information Transactions Act will not apply. Any +legal action or proceeding arising under this Agreement will be brought +exclusively in the federal or state courts located in Santa Clara County, +California and the parties hereby consent to the personal jurisdiction and venue +therein. + +13.5 Injunctive Relief. The parties agree that monetary damages would not be an +adequate remedy for the breach of certain provisions of this Agreement, +including, without limitation, all provisions concerning infringement, +confidentiality and nondisclosure, or limitation on permitted use of the +Software or Documentation. 
The parties further agree that, in the event of such +breach, injunctive relief would be necessary to prevent irreparable injury. +Accordingly, either party shall have the right to seek injunctive relief or +similar equitable remedies to enforce such party's rights under the pertinent +provisions of this Agreement, without limiting its right to pursue any other +legal remedies available to it. + +13.6 Entire Agreement and Waiver. This Agreement and any exhibits hereto shall +constitute the entire agreement and contains all terms and conditions between +Kasten and Licensee with respect to the subject matter hereof and all prior +agreements, representations, and statement with respect to such subject matter +are superseded hereby. This Agreement may be changed only by written agreement +signed by both Kasten and Licensee. No failure of either party to exercise or +enforce any of its rights under this Agreement shall act as a waiver of +subsequent breaches; and the waiver of any breach shall not act as a waiver of +subsequent breaches. + +13.7 Severability. In the event any provision of this Agreement is held by a +court or other tribunal of competent jurisdiction to be unenforceable, that +provision will be enforced to the maximum extent permissible under applicable +law and the other provisions of this Agreement will remain in full force and +effect. The parties further agree that in the event such provision is an +essential part of this Agreement, they will begin negotiations for a suitable +replacement provision. + +13.8 Counterparts. This Agreement may be executed in any number of +counterparts, each of which, when so executed and delivered (including by +facsimile), shall be deemed an original, and all of which shall constitute one +and the same agreement. + +13.9 Binding Effect. This Agreement shall be binding upon and shall inure to +the benefit of the respective parties hereto, their respective successors and +permitted assigns. + +13.10 Assignment. 
Neither party may, without the prior written consent of the +other party (which shall not be unreasonably withheld), assign this Agreement, +in whole or in part, either voluntarily or by operation of law, and any attempt +to do so shall be a material default of this Agreement and shall be void. +Notwithstanding the foregoing, Kasten may assign its rights and benefits and +delegate its duties and obligations under this Agreement without the consent of +Licensee in connection with a merger, reorganization or sale of all or +substantially all relevant assets of the assigning party; in each case provided +that such successor assumes the assigning party"s obligations under this +Agreement. + 
diff --git a/charts/k10/k10/4.5.1100/files/favicon.png b/charts/k10/k10/4.5.1100/files/favicon.png new file mode 100644 index 0000000000000000000000000000000000000000..fb617ce12c6949ed2dd1bec208c179644bcec0d4 GIT binary patch literal 1802 zcmY*adt8!d8-9^Q;U~4MX*yHXJYWfUAO(S@qG@7bGxIP_4N#l{pHRT^D`su#Je8*P z)jUsR^SG>~RHnI>c|c94qVrIzB^}VzOi6TLef53s^LwBBdhYvruIstqKb|*(x_>Vm zW(orU0PgQcKB$Qp?W+&b%!hTB(=-9ZJ-F8ksFRr~Gz%&{)SnR;2smi4KA;0K1i)H~ zW&mkSV8c2F09#E20B|YjW3^Q0LlsjB{)n~2`_H@#H6mfm;80#@AO(MvorH>^v192d zK@vwx00;uS1}4#YF$h6YB8!U`5Uti3cn#L3(N>6c3hyhTRcIg;;muB_Bd{n}6vm1K zLm&`@WEum1knH<@yJkhSis$h-cr=>N=cD*8D0Xrj+6jllp)t;AXJD;5qOb(C9W+Ak?F|q7pJffAA*673Y?wmX(E=lC6DR@JYxrwGA?Yh`eb0}ft~q6 zS-@*H1iGV44=Z|xFY0HMKAkSj8vYM_RRZ#kFlhRKW%GYVP4jgFbD><&8I zv^XWN3}J45EHCNcSEWmiz#JQ&b_X2DY7W>@rOIn$xI_AF1rucFE!8<*l-JhgP|zUu z+v2>;RYq7)Qz|9=2ic-oiBNT`YySLfGuu*-{BD{G zZ`#7`+d>_8F5q}{&U~MZ3}zw|pk|7l4gHa4YjiMY7q8V@-1>riyq$4w9JQ$$Ns6tq zxd-``i1XUF(Zhxs5>eTjYk5i4=>QP3)TGI-P};Tjlnsrg>Ob|`j%;5zFDWN%Z%y}> zY-2O{QzLFqHcH_=D4@)S!_(U(fBl~u1%3WwFcSoL%=~ti|K!Gg=!?<&BiS1cWo-Ue zp`<5vcckA#0?*<~V+R9zV$)}H3(GPURF7yqh^aJg<5$e=A_Gg=tKXdR^>+X-8i@05 z-W|YKG@-|>d@Rl0EXk!sWgcb=S=69-eXoeAWmDQo`1zqnC%X~N=Q=;%4Jswh+Z*A5 z_QLU|!F?nmyQ=b@PNZ>RYn00lH7DvV?U|jj4cUb+==2H!O$R1Yl8wWsOWOscs1$Bw zfc<=a`~uD1BPLFG({Y3AcZa2KGL47TpB~`fk?V@~uPwJt!HuqMf)rtIAKWE$l-m4I z-8}Vmw4&_^O#!OXE6P{?)(Ar|cJ$gmhpaFSa!;`8Pg<|Un<-(>JS+8#5^g`R6}5@= zzOv3hZ|;|;hDWxNbDT~90D zl9pZ@$4O0bmu6AVD3Q&bJ}tfmgsRiZViC;Sy?NhWUV}}+6_;d(vWq`)XZE-`>^laO zJaBz=d5^@Wk`L}45!R+%ABk{HD(>Tmhm)Y6qZt&F7+WRS-7>Rl^~aR?HcHXO0`D7- z|2?nnC98m0i_>!5t;H_a{jzpHtzcD`KaNE9%mjUU_f3WQ!tf#S@TpG-m{oq%DKX5c z`Ra+*XdEGM1-sL%7~UOCaiTAM7Ylh*66f)}w|=c*El=@R!izK=A4n%&O>e+nGDg0% tn7HN~o~pnSpxO)Prh(w&4OH~a8i>le=(TeuS4aD2@%PzJuJejc{Re;E|Hl9T literal 0 HcmV?d00001 diff --git a/charts/k10/k10/4.5.1100/files/kasten-logo.svg b/charts/k10/k10/4.5.1100/files/kasten-logo.svg new file mode 100644 index 000000000..0d0ef14ee --- /dev/null +++ b/charts/k10/k10/4.5.1100/files/kasten-logo.svg 
@@ -0,0 +1,24 @@ + + + + + + diff --git a/charts/k10/k10/4.5.1100/files/styles.css b/charts/k10/k10/4.5.1100/files/styles.css new file mode 100644 index 000000000..2d9205711 --- /dev/null +++ b/charts/k10/k10/4.5.1100/files/styles.css 
@@ -0,0 +1,113 @@
+.theme-body {
+ background-color: #efefef;
+ color: #333;
+ font-family: 'Source Sans Pro', Helvetica, sans-serif;
+}
+
+.theme-navbar {
+ background-color: #fff;
+ box-shadow: 0 2px 2px rgba(0, 0, 0, 0.2);
+ color: #333;
+ font-size: 13px;
+ font-weight: 100;
+ height: 46px;
+ overflow: hidden;
+ padding: 0 10px;
+}
+
+.theme-navbar__logo-wrap {
+ display: inline-block;
+ height: 100%;
+ overflow: hidden;
+ padding: 10px 15px;
+ width: 300px;
+}
+
+.theme-navbar__logo {
+ height: 100%;
+ max-height: 25px;
+}
+
+.theme-heading {
+ font-size: 20px;
+ font-weight: 500;
+ margin-bottom: 10px;
+ margin-top: 0;
+}
+
+.theme-panel {
+ background-color: #fff;
+ box-shadow: 0 5px 15px rgba(0, 0, 0, 0.5);
+ padding: 30px;
+}
+
+.theme-btn-provider {
+ background-color: #fff;
+ color: #333;
+ min-width: 250px;
+}
+
+.theme-btn-provider:hover {
+ color: #999;
+}
+
+.theme-btn--primary {
+ background-color: #333;
+ border: none;
+ color: #fff;
+ min-width: 200px;
+ padding: 6px 12px;
+}
+
+.theme-btn--primary:hover {
+ background-color: #666;
+ color: #fff;
+}
+
+.theme-btn--success {
+ background-color: #2FC98E;
+ color: #fff;
+ width: 250px;
+}
+
+.theme-btn--success:hover {
+ background-color: #49E3A8;
+}
+
+.theme-form-row {
+ display: block;
+ margin: 20px auto;
+}
+
+.theme-form-input {
+ border-radius: 4px;
+ border: 1px solid #CCC;
+ box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.075);
+ color: #666;
+ display: block;
+ font-size: 14px;
+ height: 36px;
+ line-height: 1.42857143;
+ margin: auto;
+ padding: 6px 12px;
+ width: 250px;
+}
+
+.theme-form-input:focus,
+.theme-form-input:active {
+ border-color: #66AFE9;
+ outline: none;
+}
+
+.theme-form-label {
+ font-size: 13px;
+ font-weight: 600;
+ margin: 4px auto;
+ position: relative;
+ text-align: left;
+ width: 250px;
+}
+
+.theme-link-back {
+ margin-top: 4px;
+}
diff --git a/charts/k10/k10/4.5.1100/license b/charts/k10/k10/4.5.1100/license
new file mode 100644
index 000000000..fb23dbb82
--- /dev/null
+++ b/charts/k10/k10/4.5.1100/license
@@ -0,0 +1 @@
+Y3VzdG9tZXJOYW1lOiBzdGFydGVyLWxpY2Vuc2UKZGF0ZUVuZDogJzIxMDAtMDEtMDFUMDA6MDA6MDAuMDAwWicKZGF0ZVN0YXJ0OiAnMjAyMC0wMS0wMVQwMDowMDowMC4wMDBaJwpmZWF0dXJlczogbnVsbAppZDogc3RhcnRlci00ZjE4NDJjMC0wNzQ1LTQxYTUtYWFhNy1hMDFkNzQ4YjFjMzAKcHJvZHVjdDogSzEwCnJlc3RyaWN0aW9uczoKICBub2RlczogJzEwJwpzZXJ2aWNlQWNjb3VudEtleTogbnVsbAp2ZXJzaW9uOiB2MS4wLjAKc2lnbmF0dXJlOiBqT1N5NDNQZG5ZMFVCZitValhOdU1oUEFSb1J2ZkpzWElQWnhBWFNCaGpKbUwxNlNodi8vVzgyV2NMeGZJM25NZTA0TThtRU03eThPcnArQks1ekxpeFd3clpncmZSbTBEaWlELyttRjR5U3l1Rko0QW1neHV6NDhQTmdnU1VyWUM3S1FVcFYxSEJZV1ZaNm9udEJDeE1rVWtkaDVqdzZJdWMzN3lDaktIYy92bWZaenBzTVhybmxUdGhha2RjVVk0azNyVHJDa3VDcnFUMkpjM1o1amFGalZSZW1Zd1NBVXpkRldNazdQdkp3eHVFdE5rNitPV0pCVERQbnNYdldKdjdNc3NneDBJTmdtNUlJWDRVeEVhQWI4QXpTNkMyQ21XQzlhWURFTDg1aEFpeWhONXUwU0tQczA3ZXB0R1VHYmc3cWtPUVN0d0NhcDFKUURvbDVDT0E9PQo=
diff --git a/charts/k10/k10/4.5.1100/questions.yaml b/charts/k10/k10/4.5.1100/questions.yaml
new file mode 100644
index 000000000..713fcb116
--- /dev/null
+++ b/charts/k10/k10/4.5.1100/questions.yaml
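Review bot: This one-line `license` file is an opaque base64 blob with nothing in the hunk saying what it holds, which is exactly the kind of content secret scanners and supply-chain reviewers stop on. Decoded, it is a YAML document for `customerName: starter-license` with `serviceAccountKey: null`, a 10-node restriction and a signature, so it appears to be a bundled starter license rather than a credential. The file presumably has to stay raw for whatever reads it, so record its nature in the chart README or beside the `license` question, e.g. `# license: bundled starter license (base64 YAML plus signature), not a secret`.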
@@ -0,0 +1,295 @@
+questions:
+# ========================
+# SECRETS And Configuration
+# ========================
+
+### AWS Configuration
+
+- variable: secrets.awsAccessKeyId
+ description: "AWS access key ID (required for AWS deployment)"
+ type: password
+ label: AWS Access Key ID
+ required: false
+ group: "AWS Configuration"
+
+- variable: secrets.awsSecretAccessKey
+ description: "AWS access key secret (required for AWS deployment)"
+ type: password
+ label: AWS Secret Access Key
+ required: false
+ group: "AWS Configuration"
+
+- variable: secrets.awsIamRole
+ description: "ARN of the AWS IAM role assumed by K10 to perform any AWS operation."
+ type: string
+ label: ARN of the AWS IAM role
+ required: false
+ group: "AWS Configuration"
+
+- variable: awsConfig.assumeRoleDuration
+ description: "Duration of a session token generated by AWS for an IAM role"
+ type: string
+ label: Role Duration
+ required: false
+ default: ""
+ group: "AWS Configuration"
+
+- variable: awsConfig.efsBackupVaultName
+ description: "Specifies the AWS EFS backup vault name"
+ type: string
+ label: EFS Backup Vault Name
+ required: false
+ default: "k10vault"
+ group: "AWS Configuration"
+
+### Google Cloud Configuration
+
+- variable: secrets.googleApiKey
+ description: "Required If cluster is deployed on Google Cloud"
+ type: multiline
+ label: Non-default base64 encoded GCP Service Account key file
+ required: false
+ group: "GoogleApi Configuration"
+
+### Azure Configuration
+
+- variable: secrets.azureTenantId
+ description: "Azure tenant ID (required for Azure deployment)"
+ type: string
+ label: Tenant ID
+ required: false
+ group: "Azure Configuration"
+
+- variable: secrets.azureClientId
+ description: "Azure Service App ID"
+ type: password
+ label: Service App ID
+ required: false
+ group: "Azure Configuration"
+
+- variable: secrets.azureClientSecret
+ description: "Azure Service App secret"
+ type: password
+ label: Service App secret
+ required: false
+ group: "Azure Configuration"
+
+- variable: secrets.azureResourceGroup
+ description: "Resource Group name that was created for the Kubernetes cluster"
+ type: string
+ label: Resource Group
+ required: false
+ group: "Azure Configuration"
+
+- variable: secrets.azureSubscriptionID
+ description: "Subscription ID in your Azure tenant"
+ type: string
+ label: Subscription ID
+ required: false
+ group: "Azure Configuration"
+
+- variable: secrets.azureResourceMgrEndpoint
+ description: "Resource management endpoint for the Azure Stack instance"
+ type: string
+ label: Resource management endpoint
+ required: false
+ group: "Azure Configuration"
+
+- variable: secrets.azureADEndpoint
+ description: "Azure Active Directory login endpoint"
+ type: string
+ label: Active Directory login endpoint
+ required: false
+ group: "Azure Configuration"
+
+- variable: secrets.azureADResourceID
+ description: "Azure Active Directory resource ID to obtain AD tokens"
+ type: string
+ label: Active Directory resource ID
+ required: false
+ group: "Azure Configuration"
+
+# ========================
+# Authentication
+# ========================
+
+- variable: auth.basicAuth.enabled
+ description: "Configures basic authentication for the K10 dashboard"
+ type: boolean
+ label: Enable Basic Authentication
+ required: false
+ group: "Authentication"
+ show_subquestion_if: true
+ subquestions:
+ - variable: auth.basicAuth.htpasswd
+ description: "A username and password pair separated by a colon character"
+ type: password
+ label: Authentication Details (htpasswd)
+ - variable: auth.basicAuth.secretName
+ description: "Name of an existing Secret that contains a file generated with htpasswd"
+ type: string
+ label: Secret Name
+
+- variable: auth.tokenAuth.enabled
+ description: "Configures token based authentication for the K10 dashboard"
+ type: boolean
+ label: Enable Token Based Authentication
+ required: false
+ group: "Authentication"
+
+- variable: auth.oidcAuth.enabled
+ description: "Configures Open ID Connect based authentication for the K10 dashboard"
+ type: boolean
+ label: Enable OpenID Connect Based Authentication
+ required: false
+ group: "Authentication"
+ show_subquestion_if: true
+ subquestions:
+ - variable: auth.oidcAuth.providerURL
+ description: "URL for the OIDC Provider"
+ type: string
+ label: OIDC Provider URL
+ - variable: auth.oidcAuth.redirectURL
+ description: "URL for the K10 gateway Provider"
+ type: string
+ label: OIDC Redirect URL
+ - variable: auth.oidcAuth.scopes
+ description: "Space separated OIDC scopes required for userinfo. Example: `profile email`"
+ type: string
+ label: OIDC scopes
+ - variable: auth.oidcAuth.prompt
+ description: "The type of prompt to be used during authentication (none, consent, login, or select_account)"
+ type: enum
+ options:
+ - none
+ - consent
+ - login
+ - select_account
+ default: none
+ label: The type of prompt to be used during authentication (none, consent, login, or select_account)
+ - variable: auth.oidcAuth.clientID
+ description: "Client ID given by the OIDC provider for K10"
+ type: password
+ label: OIDC Client ID
+ - variable: auth.oidcAuth.clientSecret
+ description: "Client secret given by the OIDC provider for K10"
+ type: password
+ label: OIDC Client Secret
+ - variable: auth.oidcAuth.usernameClaim
+ description: "The claim to be used as the username"
+ type: string
+ label: OIDC UserName Claim
+ - variable: auth.oidcAuth.usernamePrefix
+ description: "Prefix that has to be used with the username obtained from the username claim"
+ type: string
+ label: OIDC UserName Prefix
+ - variable: auth.oidcAuth.groupClaim
+ description: "Name of a custom OpenID Connect claim for specifying user groups"
+ type: string
+ label: OIDC group Claim
+ - variable: auth.oidcAuth.groupPrefix
+ description: "All groups will be prefixed with this value to prevent conflicts"
+ type: string
+ label: OIDC group Prefix
+
+# ========================
+# External Gateway
+# ========================
+
+- variable: externalGateway.create
+ description: "Configures an external gateway for K10 API services"
+ type: boolean
+ label: Create External Gateway
+ required: false
+ group: "External Gateway"
+ show_subquestion_if: true
+ subquestions:
+ - variable: externalGateway.annotations
+ description: "Standard annotations for the services"
+ type: multiline
+ default: ""
+ label: Annotation
+ - variable: externalGateway.fqdn.name
+ description: "Domain name for the K10 API services"
+ type: string
+ label: Domain Name
+ - variable: externalGateway.fqdn.type
+ description: "Supported gateway type: `route53-mapper` or `external-dns`"
+ type: string
+ label: Gateway Type route53-mapper or external-dns
+ - variable: externalGateway.awsSSLCertARN
+ description: "ARN for the AWS ACM SSL certificate used in the K10 API server"
+ type: multiline
+ label: ARN for the AWS ACM SSL certificate
+
+# ========================
+# Storage Management
+# ========================
+
+- variable: global.persistence.storageClass
+ label: StorageClass Name
+ description: "Specifies StorageClass Name to be used for PVCs"
+ type: string
+ required: false
+ default: ""
+ group: "Storage Management"
+
+- variable: prometheus.server.persistentVolume.storageClass
+ type: string
+ label: StorageClass Name for Prometheus PVC
+ description: "StorageClassName used to create Prometheus PVC. Setting this option overwrites global StorageClass value"
+ default: ""
+ required: false
+ group: "Storage Management"
+
+- variable: prometheus.server.persistentVolume.enabled
+ type: boolean
+ label: Enable PVC for Prometheus server
+ description: "If true, K10 Prometheus server will create a Persistent Volume Claim"
+ default: true
+ required: false
+ group: "Storage Management"
+
+- variable: global.persistence.enabled
+ type: boolean
+ label: Storage Enabled
+ description: "If true, K10 will use Persistent Volume Claim"
+ default: true
+ required: false
+ group: "Storage Management"
+
+# ========================
+# Service Account
+# ========================
+
+- variable: serviceAccount.name
+ description: "Name of a service account in the target namespace that has cluster-admin permissions. This is needed for the K10 to be able to protect cluster resources."
+ type: string
+ label: Service Account Name
+ required: false
+ group: "Service Account"
+
+# ========================
+# License
+# ========================
+
+- variable: license
+ description: "License string obtained from Kasten"
+ type: multiline
+ label: License String
+ group: "License"
+- variable: eula.accept
+ description: "Whether to enable accept EULA before installation"
+ type: boolean
+ label: Enable accept EULA before installation
+ group: "License"
+ show_subquestion_if: true
+ subquestions:
+ - variable: eula.company
+ description: "Company name. Required field if EULA is accepted"
+ type: string
+ label: Company Name
+ - variable: eula.email
+ description: "Contact email. Required field if EULA is accepted"
+ type: string
+ label: Contact Email
diff --git a/charts/k10/k10/4.5.1100/templates/NOTES.txt b/charts/k10/k10/4.5.1100/templates/NOTES.txt
new file mode 100644
index 000000000..240f3062d
--- /dev/null
+++ b/charts/k10/k10/4.5.1100/templates/NOTES.txt
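Review bot: `secrets.googleApiKey` is declared `type: multiline`, so the base64-encoded GCP service account key is typed and shown in clear text, while the AWS and Azure secrets in this hunk use `type: password`; a base64 key is a single line, so `type: password` would mask it like the others. The three `auth.*.enabled` questions are optional with no `default`, and `externalGateway.create` can be switched on independently of them, so its description should say that an authentication mode has to be enabled before the gateway is exposed; whether the templates enforce that is not visible in this hunk. `externalGateway.fqdn.type` accepts only `route53-mapper` or `external-dns` and could be `type: enum` with `options`, as `auth.oidcAuth.prompt` already is. The `serviceAccount.name` description asks for an account with cluster-admin, and it is worth stating there that this grant is cluster-wide so operators dedicate and audit that account.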
@@ -0,0 +1,47 @@
+Thank you for installing Kasten’s K10 Data Management Platform!
+
+Documentation can be found at https://docs.kasten.io/.
+
+How to access the K10 Dashboard:
+
+{{ if .Values.ingress.create }}
+You are using the system's default ingress controller. Please ask your
+administrator for instructions on how to access the cluster.
+
+WebUI location: https://{{ default "Your ingress endpoint" .Values.ingress.host }}/{{ default .Release.Name .Values.ingress.urlPath }}
+{{ end }}
+
+The K10 dashboard is not exposed externally. To establish a connection to it use the following `kubectl` command:
+
+`kubectl --namespace {{ .Release.Namespace }} port-forward service/gateway 8080:{{ .Values.service.externalPort }}`
+
+The Kasten dashboard will be available at: `http{{ if or (and .Values.secrets.apiTlsCrt .Values.secrets.apiTlsKey) .Values.externalGateway.awsSSLCertARN }}s{{ end }}://127.0.0.1:8080/{{ .Release.Name }}/#/`
+
+{{ if.Values.externalGateway.create }}
+{{ if .Values.externalGateway.fqdn.name }}
+
+The K10 Dashboard is accessible via {{ if or (and .Values.secrets.apiTlsCrt .Values.secrets.apiTlsKey) .Values.externalGateway.awsSSLCertARN }}https{{ else }}http{{ end }}://{{ .Values.externalGateway.fqdn.name }}/{{ .Release.Name }}/#/
+
+{{ else }}
+
+The K10 Dashboard is accessible via a LoadBalancer. Find the service's EXTERNAL IP using:
+ `kubectl get svc gateway-ext --namespace {{ .Release.Namespace }} -o wide`
+And use it in following URL
+ `http://SERVICE_EXTERNAL_IP/{{ .Release.Name }}/#/`
+{{ end }}
+{{ end }}
+
+{{ if and ( .Values.metering.awsManagedLicense ) ( not .Values.metering.licenseConfigSecretName ) }}
+
+IAM Role created during installation need to have permissions that allow K10 to
+perform operations on EBS and, if needed, EFS and S3. Please create a policy
+with required permissions, and use the commands below to attach the policy to
+the service account.
+
+`ROLE_NAME=$(kubectl get serviceaccount {{ .Values.serviceAccount.name }} -n {{ .Release.Namespace }} -ojsonpath="{.metadata.annotations['eks\.amazonaws\.com/role-arn']}" | awk -F '/' '{ print $(NF) }')`
+`aws iam attach-role-policy --role-name "${ROLE_NAME}" --policy-arn `
+
+Refer to `https://docs.kasten.io/latest/install/aws-containers-anywhere/aws-containers-anywhere.html#attaching-permissions-for-eks-installations`
+for more information.
+
+{{ end }}
\ No newline at end of file
diff --git a/charts/k10/k10/4.5.1100/templates/_definitions.tpl b/charts/k10/k10/4.5.1100/templates/_definitions.tpl
new file mode 100644
index 000000000..fb2ee6a59
--- /dev/null
+++ b/charts/k10/k10/4.5.1100/templates/_definitions.tpl
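Review bot: The LoadBalancer branch of NOTES.txt prints a hard-coded `http://SERVICE_EXTERNAL_IP/{{ .Release.Name }}/#/` URL, while the FQDN branch just above it and the port-forward line switch to https when `secrets.apiTlsCrt`/`secrets.apiTlsKey` or `externalGateway.awsSSLCertARN` is set. Assuming the `gateway-ext` service serves TLS under that same condition, an operator who configured certificates is still told to open the dashboard, and send its login credentials, over plain HTTP. Reusing the existing condition keeps the three URLs consistent: `http{{ if or (and .Values.secrets.apiTlsCrt .Values.secrets.apiTlsKey) .Values.externalGateway.awsSSLCertARN }}s{{ end }}://SERVICE_EXTERNAL_IP/{{ .Release.Name }}/#/`. The sentence "The K10 dashboard is not exposed externally" is also emitted when `ingress.create` or `externalGateway.create` is true, so it belongs in an else branch or needs rewording.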
@@ -0,0 +1,184 @@ +{{/* Autogenerated, do NOT modify */}} +{{- define "k10.additionalServices" -}}frontend kanister {{- end -}} +{{- define "k10.restServices" -}}admin auth bloblifecyclemanager catalog crypto dashboardbff events executor jobs logging metering state vbrintegrationapi {{- end -}} +{{- define "k10.services" -}}aggregatedapis config {{- end -}} +{{- define "k10.exposedServices" -}}auth dashboardbff vbrintegrationapi {{- end -}} +{{- define "k10.statelessServices" -}}admin aggregatedapis auth bloblifecyclemanager crypto dashboardbff events executor state vbrintegrationapi {{- end -}} +{{- define "k10.colocatedServices" -}}admin: + isExposed: false + port: 8001 + primary: state +bloblifecyclemanager: + isExposed: true + port: 8001 + primary: crypto +events: + isExposed: true + port: 8002 + primary: crypto +vbrintegrationapi: + isExposed: true + port: 8001 + primary: dashboardbff +{{- end -}} +{{- define "k10.colocatedServiceLookup" -}}crypto: +- bloblifecyclemanager +- events +dashboardbff: +- vbrintegrationapi +state: +- admin +{{- end -}} +{{- define "k10.aggregatedAPIs" -}}actions apps vault {{- end -}} +{{- define "k10.configAPIs" -}}config{{- end -}} +{{- define "k10.profiles" -}}profiles{{- end -}} +{{- define "k10.policies" -}}policies{{- end -}} +{{- define "k10.reportingAPIs" -}}reporting{{- end -}} +{{- define "k10.distAPIs" -}}dist{{- end -}} +{{- define "k10.actionsAPIs" -}}actions{{- end -}} +{{- define "k10.backupActions" -}}backupactions{{- end -}} +{{- define "k10.backupActionsDetails" -}}backupactions/details{{- end -}} +{{- define "k10.reportActions" -}}reportactions{{- end -}} +{{- define "k10.reportActionsDetails" -}}reportactions/details{{- end -}} +{{- define "k10.restoreActions" -}}restoreactions{{- end -}} +{{- define "k10.restoreActionsDetails" -}}restoreactions/details{{- end -}} +{{- define "k10.importActions" -}}importactions{{- end -}} +{{- define "k10.exportActions" -}}exportactions{{- end -}} +{{- define 
"k10.exportActionsDetails" -}}exportactions/details{{- end -}} +{{- define "k10.retireActions" -}}retireactions{{- end -}} +{{- define "k10.runActions" -}}runactions{{- end -}} +{{- define "k10.backupClusterActions" -}}backupclusteractions{{- end -}} +{{- define "k10.backupClusterActionsDetails" -}}backupclusteractions/details{{- end -}} +{{- define "k10.restoreClusterActions" -}}restoreclusteractions{{- end -}} +{{- define "k10.restoreClusterActionsDetails" -}}restoreclusteractions/details{{- end -}} +{{- define "k10.cancelActions" -}}cancelactions{{- end -}} +{{- define "k10.appsAPIs" -}}apps{{- end -}} +{{- define "k10.restorePoints" -}}restorepoints{{- end -}} +{{- define "k10.restorePointsDetails" -}}restorepoints/details{{- end -}} +{{- define "k10.clusterRestorePoints" -}}clusterrestorepoints{{- end -}} +{{- define "k10.clusterRestorePointsDetails" -}}clusterrestorepoints/details{{- end -}} +{{- define "k10.applications" -}}applications{{- end -}} +{{- define "k10.applicationsDetails" -}}applications/details{{- end -}} +{{- define "k10.vaultAPIs" -}}vault{{- end -}} +{{- define "k10.passkey" -}}passkeys{{- end -}} +{{- define "k10.authAPIs" -}}auth{{- end -}} +{{- define "k10.defaultConcurrentSnapshotConversions" -}}3{{- end -}} +{{- define "k10.defaultConcurrentWorkloadSnapshots" -}}5{{- end -}} +{{- define "k10.defaultK10DataStoreParallelUpload" -}}8{{- end -}} +{{- define "k10.defaultK10DataStoreGeneralContentCacheSizeMB" -}}0{{- end -}} +{{- define "k10.defaultK10DataStoreGeneralMetadataCacheSizeMB" -}}500{{- end -}} +{{- define "k10.defaultK10DataStoreRestoreContentCacheSizeMB" -}}500{{- end -}} +{{- define "k10.defaultK10DataStoreRestoreMetadataCacheSizeMB" -}}500{{- end -}} +{{- define "k10.defaultK10BackupBufferFileHeadroomFactor" -}}1.1{{- end -}} +{{- define "k10.defaultK10LimiterGenericVolumeSnapshots" -}}10{{- end -}} +{{- define "k10.defaultK10LimiterGenericVolumeCopies" -}}10{{- end -}} +{{- define "k10.defaultK10LimiterGenericVolumeRestores" 
-}}10{{- end -}} +{{- define "k10.defaultK10LimiterCsiSnapshots" -}}10{{- end -}} +{{- define "k10.defaultK10LimiterProviderSnapshots" -}}10{{- end -}} +{{- define "k10.defaultAssumeRoleDuration" -}}60m{{- end -}} +{{- define "k10.defaultKanisterBackupTimeout" -}}45{{- end -}} +{{- define "k10.defaultKanisterRestoreTimeout" -}}600{{- end -}} +{{- define "k10.defaultKanisterDeleteTimeout" -}}45{{- end -}} +{{- define "k10.defaultKanisterHookTimeout" -}}20{{- end -}} +{{- define "k10.defaultKanisterCheckRepoTimeout" -}}20{{- end -}} +{{- define "k10.defaultKanisterStatsTimeout" -}}20{{- end -}} +{{- define "k10.defaultKanisterEFSPostRestoreTimeout" -}}45{{- end -}} +{{- define "k10.cloudProviders" -}} aws google azure {{- end -}} +{{- define "k10.serviceResources" -}} +admin-svc: + admin-svc: + requests: + cpu: 2m + memory: 160Mi +aggregatedapis-svc: + aggregatedapis-svc: + requests: + cpu: 90m + memory: 180Mi +auth-svc: + auth-svc: + requests: + cpu: 2m + memory: 30Mi +bloblifecyclemanager-svc: + bloblifecyclemanager-svc: + requests: + cpu: 10m + memory: 40Mi +catalog-svc: + catalog-svc: + requests: + cpu: 200m + memory: 780Mi + kanister-sidecar: + limits: + cpu: 1200m + memory: 800Mi + requests: + cpu: 100m + memory: 800Mi +config-svc: + config-svc: + requests: + cpu: 5m + memory: 30Mi +crypto-svc: + crypto-svc: + requests: + cpu: 1m + memory: 30Mi +dashboardbff-svc: + dashboardbff-svc: + requests: + cpu: 8m + memory: 40Mi +events-svc: + events-svc: + requests: + cpu: 3m + memory: 500Mi +executor-svc: + executor-svc: + requests: + cpu: 3m + memory: 50Mi + tools: + requests: + cpu: 1m + memory: 2Mi +frontend-svc: + frontend-svc: + requests: + cpu: 1m + memory: 40Mi +jobs-svc: + jobs-svc: + requests: + cpu: 30m + memory: 380Mi +kanister-svc: + kanister-svc: + requests: + cpu: 1m + memory: 30Mi +logging-svc: + logging-svc: + requests: + cpu: 2m + memory: 40Mi +metering-svc: + metering-svc: + requests: + cpu: 2m + memory: 30Mi +state-svc: + state-svc: + requests: + 
cpu: 2m + memory: 30Mi +{{- end -}} +{{- define "k10.multiClusterVersion" -}}2{{- end -}} +{{- define "k10.ambassadorImageTag" -}}1.14.3{{- end -}} +{{- define "k10.kanisterToolsImageTag" -}}0.74.0{{- end -}} +{{- define "k10.dexImageTag" -}}v2.24.0{{- end -}} +{{- define "k10.rhAmbassadorImageTag" -}}1.13.8{{- end -}} diff --git a/charts/k10/k10/4.5.1100/templates/_helpers.tpl b/charts/k10/k10/4.5.1100/templates/_helpers.tpl new file mode 100644 index 000000000..2eb922814 --- /dev/null +++ b/charts/k10/k10/4.5.1100/templates/_helpers.tpl 
@@ -0,0 +1,647 @@ +{{/* Check if basic auth is needed */}} +{{- define "basicauth.check" -}} + {{- if .Values.auth.basicAuth.enabled }} + {{- print true }} + {{- end -}} {{/* End of check for auth.basicAuth.enabled */}} +{{- end -}} + +{{/* +Check if trusted root CA certificate related configmap settings +have been configured +*/}} +{{- define "check.cacertconfigmap" -}} +{{- if .Values.cacertconfigmap.name -}} +{{- print true -}} +{{- else -}} +{{- print false -}} +{{- end -}} +{{- end -}} + +{{/* +Check if the auth options are implemented using Dex +*/}} +{{- define "check.dexAuth" -}} +{{- if or .Values.auth.openshift.enabled .Values.auth.ldap.enabled -}} +{{- print true -}} +{{- end -}} +{{- end -}} + +{{/* Check the only 1 auth is specified */}} +{{- define "singleAuth.check" -}} +{{- $count := dict "count" (int 0) -}} +{{- $authList := list .Values.auth.basicAuth.enabled .Values.auth.tokenAuth.enabled .Values.auth.oidcAuth.enabled .Values.auth.openshift.enabled .Values.auth.ldap.enabled -}} +{{- range $i, $val := $authList }} +{{ if $val }} +{{ $c := add1 $count.count | set $count "count" }} +{{ if gt $count.count 1 }} +{{- fail "Multiple auth types were selected. Only one type can be enabled." }} +{{ end }} +{{ end }} +{{- end }} +{{- end -}}{{/* Check the only 1 auth is specified */}} + +{{/* Check if Auth is enabled */}} +{{- define "authEnabled.check" -}} +{{- $count := dict "count" (int 0) -}} +{{- $authList := list .Values.auth.basicAuth.enabled .Values.auth.tokenAuth.enabled .Values.auth.oidcAuth.enabled .Values.auth.openshift.enabled .Values.auth.ldap.enabled -}} +{{- range $i, $val := $authList }} +{{ if $val }} +{{ $c := add1 $count.count | set $count "count" }} +{{ end }} +{{- end }} +{{- if eq $count.count 0}} + {{- fail "Auth is required to expose access to K10." 
}} +{{- end }} +{{- end -}}{{/*end of check */}} + +{{/* Return ingress class name annotation */}} +{{- define "ingressClassAnnotation" -}} +{{- if .Values.ingress.class -}} +kubernetes.io/ingress.class: {{ .Values.ingress.class | quote }} +{{- end -}} +{{- end -}} + +{{/* Helm required labels */}} +{{- define "helm.labels" -}} +heritage: {{ .Release.Service }} +helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} +app.kubernetes.io/name: {{ .Chart.Name }} +app.kubernetes.io/instance: {{ .Release.Name }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{ include "k10.common.matchLabels" . }} +{{- end -}} + +{{- define "k10.common.matchLabels" -}} +app: {{ .Chart.Name }} +release: {{ .Release.Name }} +{{- end -}} + +{{- define "k10.defaultRBACLabels" -}} +k10.kasten.io/default-rbac-object: "true" +{{- end -}} + +{{/* Expand the name of the chart. */}} +{{- define "name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +*/}} +{{- define "fullname" -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create the name of the service account to use +*/}} +{{- define "serviceAccountName" -}} +{{- if and .Values.metering.awsMarketplace ( not .Values.serviceAccount.name ) -}} + {{ print "k10-metering" }} +{{- else if .Values.serviceAccount.create -}} + {{ default (include "fullname" .) 
.Values.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.serviceAccount.name }} +{{- end -}} +{{- end -}} + +{{/* +Create the name of the metering service account to use +*/}} +{{- define "meteringServiceAccountName" -}} +{{- if and .Values.metering.awsManagedLicense ( not .Values.serviceAccount.name ) ( not .Values.metering.serviceAccount.name ) ( not .Values.metering.licenseConfigSecretName ) -}} + {{ print "k10-metering" }} +{{- else -}} + {{ default (include "serviceAccountName" .) .Values.metering.serviceAccount.name }} +{{- end -}} +{{- end -}} + +{{/* +Prints annotations based on .Values.fqdn.type +*/}} +{{- define "dnsAnnotations" -}} +{{- if .Values.externalGateway.fqdn.name -}} +{{- if eq "route53-mapper" ( default "" .Values.externalGateway.fqdn.type) }} +domainName: {{ .Values.externalGateway.fqdn.name | quote }} +{{- end }} +{{- if eq "external-dns" (default "" .Values.externalGateway.fqdn.type) }} +external-dns.alpha.kubernetes.io/hostname: {{ .Values.externalGateway.fqdn.name | quote }} +{{- end }} +{{- end -}} +{{- end -}} + +{{/* +Prometheus scrape config template for k10 services +*/}} +{{- define "k10.prometheusScrape" -}} +{{- $admin_port := default 8877 .main.Values.service.gatewayAdminPort -}} +- job_name: {{ .k10service }} + metrics_path: /metrics + {{- if eq "aggregatedapis" .k10service }} + scheme: https + tls_config: + insecure_skip_verify: true + bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + {{- else }} + scheme: http + {{- end }} + static_configs: + - targets: + {{- if eq "gateway" .k10service }} + - {{ .k10service }}-admin.{{ .main.Release.Namespace }}.svc.{{ .main.Values.cluster.domainName }}:{{ $admin_port }} + {{- else if eq "aggregatedapis" .k10service }} + - {{ .k10service }}-svc.{{ .main.Release.Namespace }}.svc.{{ .main.Values.cluster.domainName }}:443 + {{- else }} + {{- $service := default .k10service (index (include "k10.colocatedServices" . 
| fromYaml) .k10service).primary }} + {{- $port := default .main.Values.service.externalPort (index (include "k10.colocatedServices" . | fromYaml) .k10service).port }} + - {{ $service }}-svc.{{ .main.Release.Namespace }}.svc.{{ .main.Values.cluster.domainName }}:{{ $port }} + {{- end }} + labels: + application: {{ .main.Release.Name }} + service: {{ .k10service }} +{{- end -}} + +{{/* +Expands the name of the Prometheus chart. It is equivalent to what the +"prometheus.name" template does. It is needed because the referenced values in a +template are relative to where/when the template is called from, and not where +the template is defined at. This means that the value of .Chart.Name and +.Values.nameOverride are different depending on whether the template is called +from within the Prometheus chart or the K10 chart. +*/}} +{{- define "k10.prometheus.name" -}} +{{- default "prometheus" .Values.prometheus.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Expands the name of the Prometheus service created to expose the prometheus server. +*/}} +{{- define "k10.prometheus.service.name" -}} +{{- default (printf "%s-%s-%s" .Release.Name "prometheus" .Values.prometheus.server.name) .Values.prometheus.server.fullnameOverride }} +{{- end -}} + +{{/* +Checks if EULA is accepted via cmd +Enforces eula.company and eula.email as required fields +returns configMap fields +*/}} +{{- define "k10.eula.fields" -}} +{{- if .Values.eula.accept -}} +accepted: "true" +company: {{ required "eula.company is required field if eula is accepted" .Values.eula.company }} +email: {{ required "eula.email is required field if eula is accepted" .Values.eula.email }} +{{- else -}} +accepted: "" +company: "" +email: "" +{{- end }} +{{- end -}} + +{{/* +Helper to determine the API Domain +*/}} +{{- define "apiDomain" -}} +{{- if .Values.useNamespacedAPI -}} +kio.{{- replace "-" "." 
.Release.Namespace -}} +{{- else -}} +kio.kasten.io +{{- end -}} +{{- end -}} + +{{/* +Get dex image, if user wants to +install certified version of upstream +images or not +*/}} +{{- define "k10.dexImage" -}} +{{- if not .Values.rhMarketPlace }} +{{- printf "%s:%s" ( include "k10.dexImageRepo" . ) (include "k10.dexTag" .) }} +{{- else }} +{{- printf "%s" (get .Values.images "dex") }} +{{- end -}} +{{- end -}} + +{{/* +Get dex image repo based on conditions +if its airgapped and red hat images are +required +*/}} +{{- define "k10.dexImageRepo" -}} +{{- if .Values.global.upstreamCertifiedImages }} +{{- if .Values.global.airgapped.repository }} +{{- printf "%s/dex" .Values.global.airgapped.repository }} +{{- else }} +{{- printf "%s/%s/dex" .Values.image.registry .Values.image.repository }} +{{- end}} +{{- else }} +{{- if .Values.global.airgapped.repository }} +{{- printf "%s/dex" .Values.global.airgapped.repository }} +{{- else }} +{{- printf "%s/%s/%s" .Values.dexImage.registry .Values.dexImage.repository .Values.dexImage.image }} +{{- end }} +{{- end }} +{{- end -}} + +{{/* +Get dex image tag based on conditions +if its airgapped and red hat images are +required +*/}} +{{- define "k10.dexTag" -}} +{{- if .Values.global.upstreamCertifiedImages }} +{{- if .Values.global.airgapped.repository }} +{{- printf "k10-%s-rh-ubi" (include "k10.dexImageTag" .) }} +{{- else }} +{{- printf "%s-rh-ubi" (include "k10.dexImageTag" .) }} +{{- end}} +{{- else }} +{{- if .Values.global.airgapped.repository }} +{{- printf "k10-%s" (include "k10.dexImageTag" .) }} +{{- else }} +{{- printf "%s" (include "k10.dexImageTag" .) }} +{{- end }} +{{- end }} +{{- end -}} + +{{/* +Get ambassador image base on whether +we or not we are installing k10 on openshift +*/}} +{{- define "k10.ambImage" -}} +{{- if not .Values.global.rhMarketPlace }} +{{- printf "%s:%s" ( include "k10.ambImageRepo" .) (include "k10.ambImageTag" .) 
}} +{{- else }} +{{- printf "%s" (get .Values.global.images "ambassador") }} +{{- end -}} +{{- end -}} + +{{- define "k10.ambImageRepo" -}} +{{- if .Values.global.upstreamCertifiedImages }} +{{- if .Values.global.airgapped.repository }} +{{- printf "%s/ambassador" .Values.global.airgapped.repository }} +{{- else }} +{{- printf "%s/%s/ambassador" .Values.image.registry .Values.image.repository }} +{{- end }} +{{- else }} +{{- if .Values.global.airgapped.repository }} +{{- printf "%s/ambassador" .Values.global.airgapped.repository }} +{{- else }} +{{- printf "%s/%s/%s" .Values.ambassadorImage.registry .Values.ambassadorImage.repository .Values.ambassadorImage.image }} +{{- end }} +{{- end }} +{{- end -}} + +{{- define "k10.ambImageTag" -}} +{{- if .Values.global.upstreamCertifiedImages }} +{{- if .Values.global.airgapped.repository }} +{{- printf "k10-%s-rh-ubi" (include "k10.rhAmbassadorImageTag" .) }} +{{- else }} +{{- printf "%s-rh-ubi" (include "k10.rhAmbassadorImageTag" .) }} +{{- end }} +{{- else }} +{{- if .Values.global.airgapped.repository }} +{{- printf "k10-%s" (include "k10.ambassadorImageTag" .) }} +{{- else }} +{{- printf "%s" (include "k10.ambassadorImageTag" .) 
}} +{{- end }} +{{- end }} +{{- end -}} + +{{/* +Check if AWS creds are specified +*/}} +{{- define "check.awscreds" -}} +{{- if or .Values.secrets.awsAccessKeyId .Values.secrets.awsSecretAccessKey -}} +{{- print true -}} +{{- end -}} +{{- end -}} + +{{/* +Check if kanister-tools image has k10- in name +this means we need to overwrite kanister image in the system +*/}} +{{- define "overwite.kanisterToolsImage" -}} +{{- if .Values.global.airgapped.repository -}} +{{- print true -}} +{{- end -}} +{{- end -}} + +{{/* +Figure out the kanisterToolsImage.image based on +the value of airgapped.repository value +The details on how these image are being generated +is in below issue +https://kasten.atlassian.net/browse/K10-4036 +Using substr to remove repo from kanisterToolsImage +*/}} +{{- define "get.kanisterToolsImage" }} +{{- if not .Values.global.rhMarketPlace }} +{{- if .Values.global.airgapped.repository }} +{{- printf "%s/%s:k10-%s" (.Values.global.airgapped.repository) (.Values.kanisterToolsImage.image) (include "k10.kanisterToolsImageTag" .) -}} +{{- else }} +{{- printf "%s/%s/%s:%s" (.Values.kanisterToolsImage.registry) (.Values.kanisterToolsImage.repository) (.Values.kanisterToolsImage.image) (include "k10.kanisterToolsImageTag" .) 
-}} +{{- end }} +{{- else }} +{{- printf "%s" (get .Values.global.images "kanister-tools") -}} +{{- end }} +{{- end }} + +{{/* +Check if Google creds are specified +*/}} +{{- define "check.googlecreds" -}} +{{- if .Values.secrets.googleApiKey -}} +{{- print true -}} +{{- end -}} +{{- end -}} + +{{/* +Check if IBM SL api key is specified +*/}} +{{- define "check.ibmslcreds" -}} +{{- if or .Values.secrets.ibmSoftLayerApiKey .Values.secrets.ibmSoftLayerApiUsername -}} +{{- print true -}} +{{- end -}} +{{- end -}} + +{{/* +Check if Azure creds are specified +*/}} +{{- define "check.azurecreds" -}} +{{- if or (or .Values.secrets.azureTenantId .Values.secrets.azureClientId) .Values.secrets.azureClientSecret -}} +{{- print true -}} +{{- end -}} +{{- end -}} + +{{/* +Check if Vsphere creds are specified +*/}} +{{- define "check.vspherecreds" -}} +{{- if or (or .Values.secrets.vsphereEndpoint .Values.secrets.vsphereUsername) .Values.secrets.vspherePassword -}} +{{- print true -}} +{{- end -}} +{{- end -}} + +{{/* +Check if Vault creds are specified +*/}} +{{- define "check.vaultcreds" -}} +{{- if .Values.vault.secretName -}} +{{- print true -}} +{{- end -}} +{{- end -}} + +{{/* +Checks and enforces only 1 set of cloud creds is specified +*/}} +{{- define "enforce.singlecloudcreds" -}} +{{- $count := dict "count" (int 0) -}} +{{- $main := . -}} +{{- range $ind, $cloud_provider := include "k10.cloudProviders" . | splitList " " }} +{{ if eq (include (printf "check.%screds" $cloud_provider) $main) "true" }} +{{ $c := add1 $count.count | set $count "count" }} +{{ if gt $count.count 1 }} +{{- fail "Credentials for different cloud providers were provided but only one is allowed. Please verify your .secrets.* values." 
}} +{{ end }} +{{ end }} +{{- end }} +{{- end -}} + +{{/* +Converts .Values.features into k10-features: map[string]: "value" +*/}} +{{- define "k10.features" -}} +{{ range $n, $v := .Values.features }} +{{ $n }}: {{ $v | quote -}} +{{ end }} +{{- end -}} + +{{/* +Returns a license base64 either from file or from values +or prints it for awsmarketplace or awsManagedLicense +*/}} +{{- define "k10.getlicense" -}} +{{- if .Values.metering.awsMarketplace -}} +{{- print "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" -}} +{{- else if or ( .Values.metering.awsManagedLicense ) ( .Values.metering.licenseConfigSecretName ) -}} +{{- print "Y3VzdG9tZXJOYW1lOiBhd3MtdG90ZW0KZGF0ZUVuZDogJzIxMDAtMDEtMDFUMDA6MDA6MDAuMDAwWicKZGF0ZVN0YXJ0OiAnMjAyMS0wOS0wMVQwMDowMDowMC4wMDBaJwpmZWF0dXJlczoKICBleHRlcm5hbExpY2Vuc2U6IGF3cwogIHByb2R1Y3RTS1U6IGI4YzgyMWQ5LWJmNDAtNDE4ZC1iYTBiLTgxMjBiZjc3ZThmOQogIGtleUZpbmdlcnByaW50OiBhd3M6Mjk0NDA2ODkxMzExOkFXUy9NYXJrZXRwbGFjZTppc3N1ZXItZmluZ2VycHJpbnQKaWQ6IGF3cy1leHQtMWUxMTVlZjMtM2YyMC00MTJlLTgzODItMmE1NWUxMTc1OTFlCnByb2R1Y3Q6IEsxMApyZXN0cmljdGlvbnM6CiAgbm9kZXM6ICczJwp2ZXJzaW9uOiB2MS4wLjAKc2lnbmF0dXJlOiBkeEtLN3pPUXdzZFBOY2I1NExzV2hvUXNWeWZSVDNHVHZ0VkRuR1Vvb2VxSGlwYStTY25HTjZSNmdmdmtWdTRQNHh4RmV1TFZQU3k2VnJYeExOTE1RZmh2NFpBSHVrYmFNd3E5UXhGNkpGSmVXbTdzQmdtTUVpWVJ2SnFZVFcyMlNoakZEU1RWejY5c2JBTXNFMUd0VTdXKytITGk0dnhybjVhYkd6RkRHZW5iRE5tcXJQT3dSa3JIdTlHTFQ1WmZTNDFUL0hBMjNZZnlsTU54MGFlK2t5TGZvZXNuK3FKQzdld2NPWjh4eE94bFRJR3RuWDZ4UU5DTk5iYjhSMm5XbmljNVd0OElEc2VDR3lLMEVVRW9YL09jNFhsWVVra3FGQ0xPdVhuWDMxeFZNZ1NFQnVEWExFd3Y3K2RlSmcvb0pMaW9EVHEvWUNuM0lnem9VR2NTMGc9PQo=" -}} +{{- else -}} +{{- print (default (.Files.Get "license") .Values.license) -}} +{{- end -}} +{{- end -}} + +{{/* +Returns resource usage given a pod name and container name +*/}} +{{- define "k10.resource.request" -}} +{{- $resourceDefaultList := (include "k10.serviceResources" .main | fromYaml) }} +{{- $podName := .k10_service_pod_name }} +{{- $containerName := .k10_service_container_name }} 
+{{- $resourceValue := "" }} +{{- if (hasKey $resourceDefaultList $podName) }} + {{- $resourceValue = index (index $resourceDefaultList $podName) $containerName }} +{{- end }} +{{- if (hasKey .main.Values.resources $podName) }} + {{- if (hasKey (index .main.Values.resources $podName) $containerName) }} + {{- $resourceValue = index (index .main.Values.resources $podName) $containerName }} + {{- end }} +{{- end }} +{{- /* If no resource usage value was provided, do not include the resources section */}} +{{- /* This allows users to set unlimited resources by providing a service key that is empty (e.g. `--set resources.=`) */}} +{{- if $resourceValue }} +resources: +{{- $resourceValue | toYaml | trim | nindent 2 }} +{{- else if eq .main.Release.Namespace "default" }} +resources: + requests: + cpu: "0.01" +{{- end }} +{{- end -}} + +{{- define "kanisterToolsResources" }} +{{- if .Values.genericVolumeSnapshot.resources.requests.memory }} +KanisterToolsMemoryRequests: {{ .Values.genericVolumeSnapshot.resources.requests.memory | quote }} +{{- end }} +{{- if .Values.genericVolumeSnapshot.resources.requests.cpu }} +KanisterToolsCPURequests: {{ .Values.genericVolumeSnapshot.resources.requests.cpu | quote }} +{{- end }} +{{- if .Values.genericVolumeSnapshot.resources.limits.memory }} +KanisterToolsMemoryLimits: {{ .Values.genericVolumeSnapshot.resources.limits.memory | quote }} +{{- end }} +{{- if .Values.genericVolumeSnapshot.resources.limits.cpu }} +KanisterToolsCPULimits: {{ .Values.genericVolumeSnapshot.resources.limits.cpu | quote }} +{{- end }} +{{- end }} + +{{- define "get.kanisterPodCustomLabels" -}} +{{- if .Values.kanisterPodCustomLabels }} +KanisterPodCustomLabels: {{ .Values.kanisterPodCustomLabels | quote }} +{{- end }} +{{- end }} + +{{- define "get.kanisterPodCustomAnnotations" -}} +{{- if .Values.kanisterPodCustomAnnotations }} +KanisterPodCustomAnnotations: {{ .Values.kanisterPodCustomAnnotations | quote }} +{{- end }} +{{- end }} + +{{/* +Lookup and return 
only enabled colocated services +*/}} +{{- define "get.enabledColocatedSvcList" -}} +{{- $enabledColocatedSvcList := dict }} +{{- $colocatedList := include "k10.colocatedServiceLookup" . | fromYaml }} +{{- range $primary, $secondaryList := $colocatedList }} + {{- $enabledSecondarySvcList := list }} + {{- range $skip, $secondary := $secondaryList }} + {{- if or (not (hasKey $.Values.optionalColocatedServices $secondary)) ((index $.Values.optionalColocatedServices $secondary).enabled) }} + {{- $enabledSecondarySvcList = append $enabledSecondarySvcList $secondary }} + {{- end }} + {{- end }} + {{- if gt (len $enabledSecondarySvcList) 0 }} + {{- $enabledColocatedSvcList = set $enabledColocatedSvcList $primary $enabledSecondarySvcList }} + {{- end }} +{{- end }} +{{- $enabledColocatedSvcList | toYaml | trim | nindent 0}} +{{- end -}} + +{{- define "get.serviceContainersInPod" -}} +{{- $podService := .k10_service_pod }} +{{- $colocatedList := include "k10.colocatedServices" . | fromYaml }} +{{- $colocatedLookupByPod := include "get.enabledColocatedSvcList" .main | fromYaml }} +{{- $containerList := list $podService }} +{{- if hasKey $colocatedLookupByPod $podService }} + {{- $containerList = concat $containerList (index $colocatedLookupByPod $podService)}} +{{- end }} +{{- $containerList | join " " }} +{{- end -}} + +{{- define "get.statefulRestServicesInPod" -}} +{{- $statefulRestSvcsInPod := list }} +{{- $podService := .k10_service_pod }} +{{- $containerList := (dict "main" .main "k10_service_pod" $podService | include "get.serviceContainersInPod" | splitList " ") }} +{{- if .main.Values.global.persistence.enabled }} + {{- range $skip, $containerInPod := $containerList }} + {{- $isRestService := has $containerInPod (include "k10.restServices" . | splitList " ") }} + {{- $isStatelessService := has $containerInPod (include "k10.statelessServices" . 
| splitList " ") }} + {{- if and $isRestService (not $isStatelessService) }} + {{- $statefulRestSvcsInPod = append $statefulRestSvcsInPod $containerInPod }} + {{- end }} + {{- end }} +{{- end }} +{{- $statefulRestSvcsInPod | join " " }} +{{- end -}} + +{{- define "k10.ingressPath" -}} + {{- if and .Values.global.ingress.create .Values.global.route.enabled -}} + {{ fail "Either enable ingress or route"}} + {{- end -}} + {{- if .Values.global.ingress.create -}} + {{ if .Values.global.ingress.urlPath }} + {{- print .Values.global.ingress.urlPath -}} + {{ else }} + {{- print .Release.Name -}} + {{- end -}} + {{- else if .Values.global.route.enabled -}} + {{ if .Values.global.route.path }} + {{- print .Values.global.route.path -}} + {{ else }} + {{- print .Release.Name -}} + {{- end -}} + {{ else }} + {{- print .Release.Name -}} + {{- end -}} +{{- end -}} + + +{{/* +Check if encryption keys are specified +*/}} +{{- define "check.primaryKey" -}} +{{- if (or .Values.encryption.primaryKey.awsCmkKeyId .Values.encryption.primaryKey.vaultTransitKeyName) -}} +{{- print true -}} +{{- end -}} +{{- end -}} + +{{- define "check.validateMonitoringProperties" -}} +{{- include "check.monitoringPrefix" . -}} +{{- include "check.monitoringFullNameOverride" . -}} +{{- end -}} + +{{- define "check.monitoringPrefix" -}} +{{- if eq .Values.prometheus.server.enabled .Values.grafana.enabled -}} +{{- if not (eq .Values.prometheus.server.prefixURL .Values.grafana.prometheusPrefixURL) -}} +{{ fail "Prometheus and Grafana prefixURL should match. Please check values of prometheus.server.prefixURL and grafana.prometheusPrefixURL" }} +{{- end -}} +{{- end -}} +{{- end -}} + +{{- define "check.monitoringFullNameOverride" -}} +{{- if eq .Values.prometheus.server.enabled .Values.grafana.enabled -}} +{{- if not (eq .Values.prometheus.server.fullnameOverride .Values.grafana.prometheusName) -}} +{{ fail "The Prometheus name overrides must match. 
Please check values of prometheus.server.fullnameOverride and grafana.prometheusName" }} +{{- end -}} +{{- end -}} +{{- end -}} + +{{- define "check.validateImagePullSecrets" -}} + {{/* Validate image pull secrets if a custom Docker config is provided */}} + {{- if (or .Values.secrets.dockerConfig .Values.secrets.dockerConfigPath ) -}} + {{- if (and .Values.grafana.enabled (not .Values.global.imagePullSecret) (not .Values.grafana.image.pullSecrets)) -}} + {{ fail "A custom Docker config was provided, but Grafana is not configured to use it. Please check that global.imagePullSecret is set correctly." }} + {{- end -}} + {{- if (and .Values.prometheus.server.enabled (not .Values.global.imagePullSecret) (not .Values.prometheus.imagePullSecrets)) -}} + {{ fail "A custom Docker config was provided, but Prometheus is not configured to use it. Please check that global.imagePullSecret is set correctly." }} + {{- end -}} + {{- end -}} +{{- end -}} + +{{- define "k10.imagePullSecrets" }} +{{- $imagePullSecrets := list .Values.global.imagePullSecret }}{{/* May be empty, but the compact below will handle that */}} +{{- if (or .Values.secrets.dockerConfig .Values.secrets.dockerConfigPath) }} + {{- $imagePullSecrets = concat $imagePullSecrets (list "k10-ecr") }} +{{- end }} +{{- $imagePullSecrets = $imagePullSecrets | compact | uniq }} + +{{- if $imagePullSecrets }} +imagePullSecrets: + {{- range $imagePullSecrets }} + {{/* Check if the name is not empty string */}} + - name: {{ . }} + {{- end }} +{{- end }} +{{- end }} + +{{/* +Below helper template functions are referred from chart +https://github.com/prometheus-community/helm-charts/blob/main/charts/prometheus/templates/_helpers.tpl +*/}} + +{{/* +Return kubernetes version +*/}} +{{- define "k10.kubeVersion" -}} + {{- default .Capabilities.KubeVersion.Version (regexFind "v[0-9]+\\.[0-9]+\\.[0-9]+" .Capabilities.KubeVersion.Version) -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for ingress. 
+*/}} +{{- define "ingress.apiVersion" -}} + {{- if and (.Capabilities.APIVersions.Has "networking.k8s.io/v1") (semverCompare ">= 1.19.x" (include "k10.kubeVersion" .)) -}} + {{- print "networking.k8s.io/v1" -}} + {{- else if .Capabilities.APIVersions.Has "extensions/v1beta1" -}} + {{- print "extensions/v1beta1" -}} + {{- else -}} + {{- print "networking.k8s.io/v1beta1" -}} + {{- end -}} +{{- end -}} + +{{/* +Is ingress part of stable APIVersion. +*/}} +{{- define "ingress.isStable" -}} + {{- eq (include "ingress.apiVersion" .) "networking.k8s.io/v1" -}} +{{- end -}} diff --git a/charts/k10/k10/4.5.1100/templates/_k10_container.tpl b/charts/k10/k10/4.5.1100/templates/_k10_container.tpl new file mode 100644 index 000000000..6d23797e3 --- /dev/null +++ b/charts/k10/k10/4.5.1100/templates/_k10_container.tpl 
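Review bot: In `k10.prometheusScrape` the `aggregatedapis` job combines `insecure_skip_verify: true` with `bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token`, so Prometheus sends its service-account token to whatever endpoint answers on the `aggregatedapis-svc` address without authenticating the server. If that service can present a certificate issued by a CA the Prometheus pod mounts, replace the skip with `ca_file: <CA_BUNDLE_PATH>` (placeholder) and, where the name differs, `server_name: <EXPECTED_NAME>` (placeholder). If the certificate is generated by the pod at start-up, which this hunk does not show, the exception should at least be documented next to the setting, for example `{{/* aggregatedapis serves a self-generated certificate; verification is skipped, so keep the scraping service account's RBAC minimal */}}`. Either way the token used here should carry no more than the permissions needed to read `/metrics`.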
@@ -0,0 +1,659 @@
+{{- define "k10-containers" }}
+{{- $pod := .k10_pod }}
+{{- with .main }}
+{{- $main_context := . }}
+{{- $colocatedList := include "k10.colocatedServices" . | fromYaml }}
+{{- $containerList := (dict "main" $main_context "k10_service_pod" $pod | include "get.serviceContainersInPod" | splitList " ") }}
+ containers:
+{{- range $skip, $container := $containerList }}
+ {{- $port := default $main_context.Values.service.externalPort (index $colocatedList $container).port }}
+ {{- $serviceStateful := has $container (dict "main" $main_context "k10_service_pod" $pod | include "get.statefulRestServicesInPod" | splitList " ") }}
+ {{- dict "main" $main_context "k10_pod" $pod "k10_container" $container "externalPort" $port "stateful" $serviceStateful | include "k10-container" }}
+{{- end }}
+{{- end }}{{/* with .main */}}
+{{- end }}{{/* define "k10-containers" */}}
+
+{{- define "k10-container" }}
+{{- $pod := .k10_pod }}
+{{- $service := .k10_container }}
+{{- $externalPort := .externalPort }}
+{{- with .main }}
+ - name: {{ $service }}-svc
+ {{- dict "main" . "k10_service" $service | include "serviceImage" | indent 8 }}
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+{{- if eq $service "aggregatedapis" }}
+ args:
+ - "--secure-port={{ .Values.service.aggregatedApiPort }}"
+ - "--cert-dir=/tmp/apiserver.local.config/certificates/"
+{{- if .Values.useNamespacedAPI }}
+ - "--k10-api-domain={{ template "apiDomain" . }}"
+{{- end }}{{/* .Values.useNamespacedAPI */}}
+{{/*
+We need this explicit conversion because installation using operator hub was failing
+stating that types are not same for the equality check
+*/}}
+{{- else if not (eq (int .Values.service.externalPort) (int $externalPort) ) }}
+ args:
+ - "--port={{ $externalPort }}"
+ - "--host=0.0.0.0"
+{{- end }}{{/* eq $service "aggregatedapis" */}}
+{{- $podName := (printf "%s-svc" $service) }}
+{{- $containerName := (printf "%s-svc" $service) }}
+{{- dict "main" . "k10_service_pod_name" $podName "k10_service_container_name" $containerName | include "k10.resource.request" | indent 8}}
+ ports:
+{{- if eq $service "aggregatedapis" }}
+ - containerPort: {{ .Values.service.aggregatedApiPort }}
+{{- else }}
+ - containerPort: {{ $externalPort }}
+{{- end }}
+{{- if eq $service "logging" }}
+ - containerPort: 24224
+ protocol: TCP
+ - containerPort: 24225
+ protocol: TCP
+{{- end }}
+ livenessProbe:
+{{- if eq $service "aggregatedapis" }}
+ tcpSocket:
+ port: {{ .Values.service.aggregatedApiPort }}
+ timeoutSeconds: 5
+{{- else }}
+ httpGet:
+ path: /v0/healthz
+ port: {{ $externalPort }}
+ timeoutSeconds: 1
+{{- end }}
+ initialDelaySeconds: 300
+{{- if ne $service "aggregatedapis" }}
+ readinessProbe:
+ httpGet:
+ path: /v0/healthz
+ port: {{ $externalPort }}
+ initialDelaySeconds: 3
+{{- end }}
+ env:
+{{- if eq (include "check.googlecreds" .) "true" }}
+ - name: GOOGLE_APPLICATION_CREDENTIALS
+ value: "/var/run/secrets/kasten.io/kasten-gke-sa.json"
+{{- end }}
+{{- if eq (include "check.ibmslcreds" .) "true" }}
+ - name: IBM_SL_API_KEY
+ valueFrom:
+ secretKeyRef:
+ name: ibmsl-secret
+ key: ibm_sl_key
+ - name: IBM_SL_API_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: ibmsl-secret
+ key: ibm_sl_username
+{{- end }}
+{{- if eq (include "check.azurecreds" .) "true" }}
+ - name: AZURE_TENANT_ID
+ valueFrom:
+ secretKeyRef:
+ name: azure-creds
+ key: azure_tenant_id
+ - name: AZURE_CLIENT_ID
+ valueFrom:
+ secretKeyRef:
+ name: azure-creds
+ key: azure_client_id
+ - name: AZURE_CLIENT_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: azure-creds
+ key: azure_client_secret
+{{- if .Values.secrets.azureResourceGroup }}
+ - name: AZURE_RESOURCE_GROUP
+ valueFrom:
+ secretKeyRef:
+ name: azure-creds
+ key: azure_resource_group
+{{- end }}
+{{- if .Values.secrets.azureSubscriptionID }}
+ - name: AZURE_SUBSCRIPTION_ID
+ valueFrom:
+ secretKeyRef:
+ name: azure-creds
+ key: azure_subscription_id
+{{- end }}
+{{- if .Values.secrets.azureResourceMgrEndpoint }}
+ - name: AZURE_RESOURCE_MANAGER_ENDPOINT
+ valueFrom:
+ secretKeyRef:
+ name: azure-creds
+ key: azure_resource_manager_endpoint
+{{- end }}
+{{- if .Values.secrets.azureADEndpoint }}
+ - name: AZURE_AD_ENDPOINT
+ valueFrom:
+ secretKeyRef:
+ name: azure-creds
+ key: azure_ad_endpoint
+{{- end }}
+{{- if .Values.secrets.azureADResourceID }}
+ - name: AZURE_AD_RESOURCE
+ valueFrom:
+ secretKeyRef:
+ name: azure-creds
+ key: azure_ad_resource_id
+{{- end }}
+{{- if .Values.secrets.azureCloudEnvID }}
+ - name: AZURE_CLOUD_ENV_ID
+ valueFrom:
+ secretKeyRef:
+ name: azure-creds
+ key: azure_cloud_env_id
+{{- end }}
+{{- end }}
+{{- if eq (include "check.awscreds" .) "true" }}
+ - name: AWS_ACCESS_KEY_ID
+ valueFrom:
+ secretKeyRef:
+ name: aws-creds
+ key: aws_access_key_id
+ - name: AWS_SECRET_ACCESS_KEY
+ valueFrom:
+ secretKeyRef:
+ name: aws-creds
+ key: aws_secret_access_key
+{{- if .Values.secrets.awsIamRole }}
+ - name: K10_AWS_IAM_ROLE
+ valueFrom:
+ secretKeyRef:
+ name: aws-creds
+ key: role
+{{- end }}
+{{- end }}
+{{- if eq (include "check.vaultcreds" .) "true" }}
+ - name: VAULT_ADDR
+ value: {{ .Values.vault.address }}
+ - name: VAULT_TOKEN
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.vault.secretName }}
+ key: vault_token
+{{- end }}
+{{- if eq (include "check.vspherecreds" .) "true" }}
+ - name: VSPHERE_ENDPOINT
+ valueFrom:
+ secretKeyRef:
+ name: vsphere-creds
+ key: vsphere_endpoint
+ - name: VSPHERE_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: vsphere-creds
+ key: vsphere_username
+ - name: VSPHERE_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: vsphere-creds
+ key: vsphere_password
+{{- end }}
+ - name: VERSION
+ valueFrom:
+ configMapKeyRef:
+ name: k10-config
+ key: version
+{{- if .Values.clusterName }}
+ - name: CLUSTER_NAME
+ valueFrom:
+ configMapKeyRef:
+ name: k10-config
+ key: clustername
+{{- end }}
+{{- if eq $service "config" }}
+ - name: K10_STATEFUL
+ value: "{{ .Values.global.persistence.enabled }}"
+{{- end }}
+ - name: MODEL_STORE_DIR
+{{- if or (eq $service "state") (not .Values.global.persistence.enabled) }}
+ value: "/tmp/k10store"
+{{- else }}
+ valueFrom:
+ configMapKeyRef:
+ name: k10-config
+ key: modelstoredirname
+{{- end }}
+{{- if or (eq $service "kanister") (eq $service "executor")}}
+ - name: DATA_MOVER_IMAGE
+ value: {{ default .Chart.AppVersion .Values.image.tag | print .Values.image.registry "/" .Values.image.repository "/datamover:" }}
+ - name: KANISTER_POD_READY_WAIT_TIMEOUT
+ valueFrom:
+ configMapKeyRef:
+ name: k10-config
+ key: KanisterPodReadyWaitTimeout
+{{- end }}
+ - name: LOG_LEVEL
+ valueFrom:
+ configMapKeyRef:
+ name: k10-config
+ key: loglevel
+{{- if .Values.kanisterPodCustomLabels }}
+ - name: KANISTER_POD_CUSTOM_LABELS
+ valueFrom:
+ configMapKeyRef:
+ name: k10-config
+ key: KanisterPodCustomLabels
+{{- end }}
+{{- if .Values.kanisterPodCustomAnnotations }}
+ - name: KANISTER_POD_CUSTOM_ANNOTATIONS
+ valueFrom:
+ configMapKeyRef:
+ name: k10-config
+ key: kanisterPodCustomAnnotations
+{{- end }}
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: CONCURRENT_SNAP_CONVERSIONS
+ valueFrom:
+ configMapKeyRef:
+ name: k10-config
+ key: concurrentSnapConversions
+ - name: CONCURRENT_WORKLOAD_SNAPSHOTS
+ valueFrom:
+ configMapKeyRef:
+ name: k10-config
+ key: concurrentWorkloadSnapshots
+ - name: K10_DATA_STORE_PARALLEL_UPLOAD
+ valueFrom:
+ configMapKeyRef:
+ name: k10-config
+ key: k10DataStoreParallelUpload
+ - name: K10_DATA_STORE_GENERAL_CONTENT_CACHE_SIZE_MB
+ valueFrom:
+ configMapKeyRef:
+ name: k10-config
+ key: k10DataStoreGeneralContentCacheSizeMB
+ - name: K10_DATA_STORE_GENERAL_METADATA_CACHE_SIZE_MB
+ valueFrom:
+ configMapKeyRef:
+ name: k10-config
+ key: k10DataStoreGeneralMetadataCacheSizeMB
+ - name: K10_DATA_STORE_RESTORE_CONTENT_CACHE_SIZE_MB
+ valueFrom:
+ configMapKeyRef:
+ name: k10-config
+ key: k10DataStoreRestoreContentCacheSizeMB
+ - name: K10_DATA_STORE_RESTORE_METADATA_CACHE_SIZE_MB
+ valueFrom:
+ configMapKeyRef:
+ name: k10-config
+ key: k10DataStoreRestoreMetadataCacheSizeMB
+ - name: K10_LIMITER_GENERIC_VOLUME_SNAPSHOTS
+ valueFrom:
+ configMapKeyRef:
+ name: k10-config
+ key: K10LimiterGenericVolumeSnapshots
+ - name: K10_LIMITER_GENERIC_VOLUME_COPIES
+ valueFrom:
+ configMapKeyRef:
+ name: k10-config
+ key: K10LimiterGenericVolumeCopies
+ - name: K10_LIMITER_GENERIC_VOLUME_RESTORES
+ valueFrom:
+ configMapKeyRef:
+ name: k10-config
+ key: K10LimiterGenericVolumeRestores
+ - name: K10_LIMITER_CSI_SNAPSHOTS
+ valueFrom:
+ configMapKeyRef:
+ name: k10-config
+ key: K10LimiterCsiSnapshots
+ - name: K10_LIMITER_PROVIDER_SNAPSHOTS
+ valueFrom:
+ configMapKeyRef:
+ name: k10-config
+ key: K10LimiterProviderSnapshots
+ - name: AWS_ASSUME_ROLE_DURATION
+ valueFrom:
+ configMapKeyRef:
+ name: k10-config
+ key: AWSAssumeRoleDuration
+{{- if (eq $service "executor") }}
+ - name: KANISTER_BACKUP_TIMEOUT
+ valueFrom:
+ configMapKeyRef:
+ name: k10-config
+ key: KanisterBackupTimeout
+ - name: KANISTER_RESTORE_TIMEOUT
+ valueFrom:
+ configMapKeyRef:
+ name: k10-config
+ key: KanisterRestoreTimeout
+ - name: KANISTER_DELETE_TIMEOUT
+ valueFrom:
+ configMapKeyRef:
+ name: k10-config
+ key: KanisterDeleteTimeout
+ - name: KANISTER_HOOK_TIMEOUT
+ valueFrom:
+ configMapKeyRef:
+ name: k10-config
+ key: KanisterHookTimeout
+ - name: KANISTER_CHECKREPO_TIMEOUT
+ valueFrom:
+ configMapKeyRef:
+ name: k10-config
+ key: KanisterCheckRepoTimeout
+ - name: KANISTER_STATS_TIMEOUT
+ valueFrom:
+ configMapKeyRef:
+ name: k10-config
+ key: KanisterStatsTimeout
+ - name: KANISTER_EFSPOSTRESTORE_TIMEOUT
+ valueFrom:
+ configMapKeyRef:
+ name: k10-config
+ key: KanisterEFSPostRestoreTimeout
+{{- end }}
+{{- if and (eq $service "executor") (.Values.awsConfig.efsBackupVaultName) }}
+ - name: EFS_BACKUP_VAULT_NAME
+ valueFrom:
+ configMapKeyRef:
+ name: k10-config
+ key: efsBackupVaultName
+{{- end }}
+{{- if and (eq $service "executor") (.Values.vmWare.taskTimeoutMin) }}
+ - name: VMWARE_GOM_TIMEOUT_MIN
+ valueFrom:
+ configMapKeyRef:
+ name: k10-config
+ key: vmWareTaskTimeoutMin
+{{- end }}
+{{- if .Values.useNamespacedAPI }}
+ - name: K10_API_DOMAIN
+ valueFrom:
+ configMapKeyRef:
+ name: k10-config
+ key: apiDomain
+{{- end }}
+{{- if .Values.jaeger.enabled }}
+ - name: JAEGER_AGENT_HOST
+ value: {{ .Values.jaeger.agentDNS }}
+{{- end }}
+{{- if .Values.auth.tokenAuth.enabled }}
+ - name: TOKEN_AUTH
+ valueFrom:
+ secretKeyRef:
+ name: k10-token-auth
+ key: auth
+{{- end }}
+{{- if eq "true" (include "overwite.kanisterToolsImage" .) }}
+ - name: KANISTER_TOOLS
+ valueFrom:
+ configMapKeyRef:
+ name: k10-config
+ key: overwriteKanisterTools
+{{- end }}
+{{- if eq (include "check.cacertconfigmap" .) "true" }}
+ - name: CACERT_CONFIGMAP_NAME
+ value: {{ .Values.cacertconfigmap.name }}
+{{- end }}
+ - name: K10_RELEASE_NAME
+ value: {{ .Release.Name }}
+ - name: KANISTER_FUNCTION_VERSION
+ valueFrom:
+ configMapKeyRef:
+ name: k10-config
+ key: kanisterFunctionVersion
+{{- if and (eq $service "config") (.Values.injectKanisterSidecar.enabled) }}
+ - name: K10_MUTATING_WEBHOOK_ENABLED
+ value: "true"
+ - name: K10_MUTATING_WEBHOOK_TLS_CERT_DIR
+ valueFrom:
+ configMapKeyRef:
+ name: k10-config
+ key: K10MutatingWebhookTLSCertDir
+ - name: K10_MUTATING_WEBHOOK_PORT
+ value: {{ .Values.injectKanisterSidecar.webhookServer.port | quote }}
+{{- end }}
+{{- if or (eq $service "config") (eq $service "kanister") }}
+{{- if .Values.genericVolumeSnapshot.resources.requests.memory }}
+ - name: KANISTER_TOOLS_MEMORY_REQUESTS
+ valueFrom:
+ configMapKeyRef:
+ name: k10-config
+ key: KanisterToolsMemoryRequests
+{{- end }}
+{{- if .Values.genericVolumeSnapshot.resources.requests.cpu }}
+ - name: KANISTER_TOOLS_CPU_REQUESTS
+ valueFrom:
+ configMapKeyRef:
+ name: k10-config
+ key: KanisterToolsCPURequests
+{{- end }}
+{{- if .Values.genericVolumeSnapshot.resources.limits.memory }}
+ - name: KANISTER_TOOLS_MEMORY_LIMITS
+ valueFrom:
+ configMapKeyRef:
+ name: k10-config
+ key: KanisterToolsMemoryLimits
+{{- end }}
+{{- if .Values.genericVolumeSnapshot.resources.limits.cpu }}
+ - name: KANISTER_TOOLS_CPU_LIMITS
+ valueFrom:
+ configMapKeyRef:
+ name: k10-config
+ key: KanisterToolsCPULimits
+{{- end }}
+{{- end }}
+{{- if (list "dashboardbff" "config" "executor" | has $service) }}
+ {{- if .Values.prometheus.server.enabled }}
+ - name: K10_PROMETHEUS_HOST
+ value: {{ include "k10.prometheus.service.name" . }}-exp
+ - name: K10_PROMETHEUS_PORT
+ value: {{ .Values.prometheus.server.service.servicePort | quote }}
+ - name: K10_PROMETHEUS_BASE_URL
+ value: {{ .Values.prometheus.server.baseURL }}
+ {{- end }}
+ - name: K10_GRAFANA_ENABLED
+ value: {{ .Values.grafana.enabled | quote }}
+{{- end }}
+{{- if or $.stateful (or (eq (include "check.googlecreds" .) "true") (eq $service "auth" "logging")) }}
+ volumeMounts:
+{{- else if or (or (eq (include "basicauth.check" .) "true") (or .Values.auth.oidcAuth.enabled (eq (include "check.dexAuth" .) "true"))) .Values.features }}
+ volumeMounts:
+{{- else if and (eq $service "config") (.Values.injectKanisterSidecar.enabled) }}
+ volumeMounts:
+{{- else if eq (include "check.cacertconfigmap" .) "true" }}
+ volumeMounts:
+{{- end }}
+{{- if $.stateful }}
+ - name: {{ $service }}-persistent-storage
+ mountPath: {{ .Values.global.persistence.mountPath | quote }}
+{{- end }}
+{{- if .Values.features }}
+ - name: k10-features
+ mountPath: "/mnt/k10-features"
+{{- end }}
+{{- if eq $service "logging" }}
+ - name: logging-configmap-storage
+ mountPath: "/mnt/conf"
+{{- end }}
+{{- if and (eq $service "config") (.Values.injectKanisterSidecar.enabled) }}
+ - name: mutating-webhook-certs
+ mountPath: /etc/ssl/certs/webhook
+ readOnly: true
+{{- end }}
+{{- if eq (include "basicauth.check" .) "true" }}
+ - name: k10-basic-auth
+ mountPath: "/var/run/secrets/kasten.io/k10-basic-auth"
+ readOnly: true
+{{- end }}
+{{- if (or .Values.auth.oidcAuth.enabled (eq (include "check.dexAuth" .) "true")) }}
+ - name: k10-oidc-auth
+ mountPath: "/var/run/secrets/kasten.io/k10-oidc-auth"
+ readOnly: true
+{{- end }}
+{{- if eq (include "check.googlecreds" .) "true" }}
+ - name: service-account
+ mountPath: "/var/run/secrets/kasten.io"
+{{- end }}
+{{- if eq (include "check.cacertconfigmap" .) "true" }}
+ - name: {{ .Values.cacertconfigmap.name }}
+ mountPath: "/etc/ssl/certs/custom-ca-bundle.pem"
+ subPath: custom-ca-bundle.pem
+{{- end }}
+{{- if .Values.toolsImage.enabled }}
+{{- if eq $service "executor" }}
+ - name: tools
+ {{- dict "main" . "k10_service" "cephtool" | include "serviceImage" | indent 8 }}
+ imagePullPolicy: {{ .Values.toolsImage.pullPolicy }}
+{{- $podName := (printf "%s-svc" $service) }}
+{{- dict "main" . "k10_service_pod_name" $podName "k10_service_container_name" "tools" | include "k10.resource.request" | indent 8}}
+{{- end }}
+{{- end }} {{/* .Values.toolsImage.enabled */}}
+{{- if and (eq $service "catalog") $.stateful }}
+ - name: kanister-sidecar
+ image: {{ include "get.kanisterToolsImage" .}}
+ imagePullPolicy: {{ .Values.kanisterToolsImage.pullPolicy }}
+{{- $podName := (printf "%s-svc" $service) }}
+{{- dict "main" . "k10_service_pod_name" $podName "k10_service_container_name" "kanister-sidecar" | include "k10.resource.request" | indent 8}}
+ volumeMounts:
+ - name: {{ $service }}-persistent-storage
+ mountPath: {{ .Values.global.persistence.mountPath | quote }}
+{{- if eq (include "check.cacertconfigmap" .) "true" }}
+ - name: {{ .Values.cacertconfigmap.name }}
+ mountPath: "/etc/ssl/certs/custom-ca-bundle.pem"
+ subPath: custom-ca-bundle.pem
+{{- end }}
+{{- end }} {{/* and (eq $service "catalog") $.stateful */}}
+{{- if and ( eq $service "auth" ) ( or .Values.auth.dex.enabled (eq (include "check.dexAuth" .) "true")) }}
+ - name: dex
+ image: {{ include "k10.dexImage" . }}
+{{- if .Values.auth.ldap.enabled }}
+ command: ["/usr/local/bin/dex", "serve", "/dex-config/config.yaml"]
+{{- else }}
+ command: ["/usr/local/bin/dex", "serve", "/etc/dex/cfg/config.yaml"]
+{{- end }}
+ ports:
+ - name: http
+ containerPort: 8080
+ volumeMounts:
+{{- if .Values.auth.ldap.enabled }}
+ - name: dex-config
+ mountPath: /dex-config
+ - name: k10-logos-dex
+ mountPath: /web/themes/custom/
+{{- else }}
+ - name: config
+ mountPath: /etc/dex/cfg
+{{- end }}
+{{- if eq (include "check.cacertconfigmap" .) "true" }}
+ - name: {{ .Values.cacertconfigmap.name }}
+ mountPath: "/etc/ssl/certs/custom-ca-bundle.pem"
+ subPath: custom-ca-bundle.pem
+{{- end }}
+{{- end }} {{/* end of dex check */}}
+{{- end }}{{/* with .main */}}
+{{- end }}{{/* define "k10-container" */}}
+
+{{- define "k10-init-container-header" }}
+{{- $pod := .k10_pod }}
+{{- with .main }}
+{{- $main_context := . }}
+{{- $containerList := (dict "main" $main_context "k10_service_pod" $pod | include "get.serviceContainersInPod" | splitList " ") }}
+{{- $needsInitContainersHeader := false }}
+{{- range $skip, $service := $containerList }}
+{{- $serviceStateful := has $service (dict "main" $main_context "k10_service_pod" $pod | include "get.statefulRestServicesInPod" | splitList " ") }}
+ {{- if and ( eq $service "auth" ) $main_context.Values.auth.ldap.enabled }}
+ {{- $needsInitContainersHeader = true }}
+ {{- else if $serviceStateful }}
+ {{- $needsInitContainersHeader = true }}
+ {{- end }}{{/* initContainers header needed check */}}
+{{- end }}{{/* range $skip, $service := $containerList */}}
+{{- if $needsInitContainersHeader }}
+ initContainers:
+{{- end }}
+{{- end }}{{/* with .main */}}
+{{- end }}{{/* define "k10-init-container-header" */}}
+
+{{- define "k10-init-container" }}
+{{- $pod := .k10_pod }}
+{{- with .main }}
+{{- $main_context := . }}
+{{- $containerList := (dict "main" $main_context "k10_service_pod" $pod | include "get.serviceContainersInPod" | splitList " ") }}
+{{- range $skip, $service := $containerList }}
+{{- $serviceStateful := has $service (dict "main" $main_context "k10_service_pod" $pod | include "get.statefulRestServicesInPod" | splitList " ") }}
+{{- if and ( eq $service "auth" ) $main_context.Values.auth.ldap.enabled }}
+ - name: dex-init
+ command:
+ - /dex/dexconfigmerge
+ args:
+ - --config-path=/etc/dex/cfg/config.yaml
+ - --secret-path=/var/run/secrets/kasten.io/bind-secret/bindPW
+ - --new-config-path=/dex-config/config.yaml
+ - --secret-field=bindPW
+ {{- dict "main" $main_context "k10_service" $service | include "serviceImage" | indent 8 }}
+ volumeMounts:
+ - mountPath: /etc/dex/cfg
+ name: config
+ - mountPath: /dex-config
+ name: dex-config
+ - name: bind-secret
+ mountPath: "/var/run/secrets/kasten.io/bind-secret"
+ readOnly: true
+{{- else if $serviceStateful }}
+ - name: upgrade-init
+ securityContext:
+ runAsUser: 0
+ allowPrivilegeEscalation: true
+ {{- dict "main" $main_context "k10_service" "upgrade" | include "serviceImage" | indent 8 }}
+ imagePullPolicy: {{ $main_context.Values.image.pullPolicy }}
+ env:
+ - name: MODEL_STORE_DIR
+ valueFrom:
+ configMapKeyRef:
+ name: k10-config
+ key: modelstoredirname
+ volumeMounts:
+ - name: {{ $service }}-persistent-storage
+ mountPath: {{ $main_context.Values.global.persistence.mountPath | quote }}
+{{- if eq $service "catalog" }}
+ - name: schema-upgrade-check
+ {{- dict "main" $main_context "k10_service" $service | include "serviceImage" | indent 8 }}
+ imagePullPolicy: {{ $main_context.Values.image.pullPolicy }}
+ env:
+{{- if $main_context.Values.clusterName }}
+ - name: CLUSTER_NAME
+ valueFrom:
+ configMapKeyRef:
+ name: k10-config
+ key: clustername
+{{- end }}
+ - name: INIT_CONTAINER
+ value: "true"
+ - name: K10_RELEASE_NAME
+ value: {{ $main_context.Release.Name }}
+ - name: LOG_LEVEL
+ valueFrom:
+ configMapKeyRef:
+ name: k10-config
+ key: loglevel
+ - name: MODEL_STORE_DIR
+ valueFrom:
+ configMapKeyRef:
+ name: k10-config
+ key: modelstoredirname
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: VERSION
+ valueFrom:
+ configMapKeyRef:
+ name: k10-config
+ key: version
+ volumeMounts:
+ - name: {{ $service }}-persistent-storage
+ mountPath: {{ $main_context.Values.global.persistence.mountPath | quote }}
+{{- end }}{{/* eq $service "catalog" */}}
+{{- end }}{{/* initContainers definitions */}}
+{{- end }}{{/* range $skip, $service := $containerList */}}
+{{- end }}{{/* with .main */}}
+{{- end }}{{/* define "k10-init-container" */}}
diff --git a/charts/k10/k10/4.5.1100/templates/_k10_metering.tpl b/charts/k10/k10/4.5.1100/templates/_k10_metering.tpl
new file mode 100644
index 000000000..5f3ecc1f3
--- /dev/null
+++ b/charts/k10/k10/4.5.1100/templates/_k10_metering.tpl
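Review bot: The `upgrade-init` init container in `k10-init-container` is rendered with `runAsUser: 0` together with `allowPrivilegeEscalation: true` and mounts the service's persistent volume, so every stateful pod starts with a root process that is still allowed to gain further privileges. If root is only needed to prepare the volume (what the `upgrade` image does is not visible in this hunk, so confirm), the second line should read `allowPrivilegeEscalation: false`, with capabilities dropped to the few that step actually uses. The same block is repeated under `initContainers:` in `_k10_metering.tpl` and needs the same change. Namespaces that enforce the restricted Pod Security Standard would reject both pods as written.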
@@ -0,0 +1,261 @@
+{{/* Generate service spec */}}
+{{/* because of https://github.com/GoogleCloudPlatform/marketplace-k8s-app-tools/issues/165
+we have to start using .Values.reportingSecret instead
+of correct version .Values.metering.reportingSecret */}}
+{{- define "k10-metering" }}
+{{ $service := .k10_service }}
+{{- with .main }}
+{{- if $.stateful }}
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ namespace: {{ .Release.Namespace }}
+ name: {{ $service }}-pv-claim
+ labels:
+{{ include "helm.labels" . | indent 4 }}
+ component: {{ $service }}
+spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: {{ default .Values.global.persistence.size (index .Values.global.persistence $service "size") }}
+{{- if .Values.global.persistence.storageClass }}
+ {{- if (eq "-" .Values.global.persistence.storageClass) }}
+ storageClassName: ""
+ {{- else }}
+ storageClassName: "{{ .Values.global.persistence.storageClass }}"
+ {{- end }}
+{{- end }}
+---
+{{- end }}{{/* if $.stateful */}}
+kind: ConfigMap
+apiVersion: v1
+metadata:
+ labels:
+{{ include "helm.labels" . | indent 4 }}
+ namespace: {{ .Release.Namespace }}
+ name: {{ include "fullname" . }}-metering-config
+data:
+ config: |
+{{- if .Values.metering.reportingKey }}
+ identities:
+ - name: gcp
+ gcp:
+ encodedServiceAccountKey: {{ .Values.metering.reportingKey }}
+{{- end }}
+ metrics:
+ - name: node_time
+ type: int
+ passthrough: {}
+ endpoints:
+ - name: on_disk
+{{- if .Values.metering.reportingKey }}
+ - name: servicecontrol
+{{- end }}
+ endpoints:
+ - name: on_disk
+ disk:
+{{- if .Values.global.persistence.enabled }}
+ reportDir: /var/reports/ubbagent/reports
+{{- else }}
+ reportDir: /tmp/reports/ubbagent/reports
+{{- end }}
+ expireSeconds: 3600
+{{- if .Values.metering.reportingKey }}
+ - name: servicecontrol
+ servicecontrol:
+ identity: gcp
+ serviceName: kasten-k10.mp-kasten-public.appspot.com
+ consumerId: {{ .Values.metering.consumerId }}
+{{- end }}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ namespace: {{ .Release.Namespace }}
+ name: {{ $service }}-svc
+ labels:
+{{ include "helm.labels" . | indent 4 }}
+ component: {{ $service }}
+spec:
+ replicas: {{ $.replicas }}
+ strategy:
+ type: Recreate
+ selector:
+ matchLabels:
+{{ include "k10.common.matchLabels" . | indent 6 }}
+ component: {{ $service }}
+ run: {{ $service }}-svc
+ template:
+ metadata:
+ annotations:
+ checksum/config: {{ include (print .Template.BasePath "/k10-config.yaml") . | sha256sum }}
+ checksum/secret: {{ include (print .Template.BasePath "/secrets.yaml") . | sha256sum }}
+ labels:
+{{ include "helm.labels" . | indent 8 }}
+ component: {{ $service }}
+ run: {{ $service }}-svc
+ spec:
+ securityContext:
+{{ toYaml .Values.services.securityContext | indent 8 }}
+ serviceAccountName: {{ template "meteringServiceAccountName" . }}
+ {{- include "k10.imagePullSecrets" . | indent 6 }}
+{{- if $.stateful }}
+ initContainers:
+ - name: upgrade-init
+ securityContext:
+ runAsUser: 0
+ allowPrivilegeEscalation: true
+ {{- dict "main" . "k10_service" "upgrade" | include "serviceImage" | indent 8 }}
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ env:
+ - name: MODEL_STORE_DIR
+ value: /var/reports/
+ volumeMounts:
+ - name: {{ $service }}-persistent-storage
+ mountPath: /var/reports/
+{{- end }}
+ containers:
+ - name: {{ $service }}-svc
+ {{- dict "main" . "k10_service" $service | include "serviceImage" | indent 8 }}
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+{{- if eq .Release.Namespace "default" }}
+{{- $podName := (printf "%s-svc" $service) }}
+{{- $containerName := (printf "%s-svc" $service) }}
+{{- dict "main" . "k10_service_pod_name" $podName "k10_service_container_name" $containerName | include "k10.resource.request" | indent 8}}
+{{- end }}
+ ports:
+ - containerPort: {{ .Values.service.externalPort }}
+ livenessProbe:
+ httpGet:
+ path: /v0/healthz
+ port: {{ .Values.service.externalPort }}
+ initialDelaySeconds: 90
+ timeoutSeconds: 1
+ env:
+ - name: VERSION
+ valueFrom:
+ configMapKeyRef:
+ name: k10-config
+ key: version
+{{- if .Values.clusterName }}
+ - name: CLUSTER_NAME
+ valueFrom:
+ configMapKeyRef:
+ name: k10-config
+ key: clustername
+{{- end }}
+ - name: LOG_LEVEL
+ valueFrom:
+ configMapKeyRef:
+ name: k10-config
+ key: loglevel
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+{{- if .Values.useNamespacedAPI }}
+ - name: K10_API_DOMAIN
+ valueFrom:
+ configMapKeyRef:
+ name: k10-config
+ key: apiDomain
+{{- end }}
+ - name: AGENT_CONFIG_FILE
+ value: /var/ubbagent/config.yaml
+ - name: AGENT_STATE_DIR
+{{- if .Values.global.persistence.enabled }}
+ value: "/var/reports/ubbagent"
+{{- else }}
+ value: "/tmp/reports/ubbagent"
+ - name: K10_REPORTING_DIR
+ value: "/tmp/reports/k10/syncV2"
+ - name: K10SYNCSTATUSDIR
+ value: "/tmp/reports/k10"
+ - name: GRACE_PERIOD_STORE
+ value: /tmp/reports/clustergraceperiod
+ - name: NODE_USAGE_STORE
+ value: /tmp/reports/node_usage_history
+{{- end }}
+{{- if eq "true" (include "overwite.kanisterToolsImage" .) }}
+ - name: KANISTER_TOOLS
+ valueFrom:
+ configMapKeyRef:
+ name: k10-config
+ key: overwriteKanisterTools
+{{- end }}
+{{- if .Values.metering.awsRegion }}
+ - name: AWS_REGION
+ value: {{ .Values.metering.awsRegion }}
+{{- end }}
+{{- if .Values.metering.mode }}
+ - name: K10REPORTMODE
+ value: {{ .Values.metering.mode }}
+{{- end }}
+{{- if .Values.metering.reportCollectionPeriod }}
+ - name: K10_REPORT_COLLECTION_PERIOD
+ value: {{ .Values.metering.reportCollectionPeriod | quote }}
+{{- end }}
+{{- if .Values.metering.reportPushPeriod }}
+ - name: K10_REPORT_PUSH_PERIOD
+ value: {{ .Values.metering.reportPushPeriod | quote }}
+{{- end }}
+{{- if .Values.metering.promoID }}
+ - name: K10_PROMOTION_ID
+ value: {{ .Values.metering.promoID }}
+{{- end }}
+{{- if .Values.reportingSecret }}
+ - name: AGENT_CONSUMER_ID
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.reportingSecret }}
+ key: consumer-id
+ - name: AGENT_REPORTING_KEY
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.reportingSecret }}
+ key: reporting-key
+ - name: K10_RELEASE_NAME
+ value: {{ .Release.Name }}
+{{- end }}
+{{- if .Values.metering.licenseConfigSecretName }}
+ - name: AWS_WEB_IDENTITY_REFRESH_TOKEN_FILE
+ value: "/var/run/secrets/product-license/license_token"
+ - name: AWS_ROLE_ARN
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.metering.licenseConfigSecretName }}
+ key: iam_role
+{{- end }}
+ volumeMounts:
+ - name: meter-config
+ mountPath: /var/ubbagent
+{{- if $.stateful }}
+ - name: {{ $service }}-persistent-storage
+ mountPath: /var/reports/
+{{- end }}
+{{- if .Values.metering.licenseConfigSecretName }}
+ - name: awsmp-product-license
+ mountPath: "/var/run/secrets/product-license"
+{{- end }}
+ volumes:
+ - name: meter-config
+ configMap:
+ name: {{ include "fullname" . }}-metering-config
+ items:
+ - key: config
+ path: config.yaml
+{{- if $.stateful }}
+ - name: {{ $service }}-persistent-storage
+ persistentVolumeClaim:
+ claimName: {{ $service }}-pv-claim
+{{- end }}
+{{- if .Values.metering.licenseConfigSecretName }}
+ - name: awsmp-product-license
+ secret:
+ secretName: {{ .Values.metering.licenseConfigSecretName }}
+{{- end }}
+---
+{{- end }}{{/* with .main */}}
+{{- end }}{{/* define "k10-metering" */}}
diff --git a/charts/k10/k10/4.5.1100/templates/_k10_serviceimage.tpl b/charts/k10/k10/4.5.1100/templates/_k10_serviceimage.tpl
new file mode 100644
index 000000000..d9e69a8a4
--- /dev/null
+++ b/charts/k10/k10/4.5.1100/templates/_k10_serviceimage.tpl
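Review bot: The `…-metering-config` object writes `encodedServiceAccountKey: {{ .Values.metering.reportingKey }}` into a `kind: ConfigMap`, so the GCP reporting key is stored as ordinary configuration: readable by any subject allowed to get ConfigMaps in the namespace, and usually outside whatever at-rest encryption the cluster applies to Secrets. Render that document as `kind: Secret` with `stringData:` in place of `data:`, and switch the `meter-config` volume from `configMap:` / `name:` to `secret:` / `secretName:`; the `/var/ubbagent` mount path and the `items` mapping can stay as they are. The Deployment already reads `AGENT_REPORTING_KEY` from `.Values.reportingSecret` through `secretKeyRef`, so the key has a Secret-backed path on the same pod and the inline copy is the inconsistent one.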
@@ -0,0 +1,51 @@
+{{/*
+Helper to get k10 service image
+The details on how these image are being generated
+is in below issue
+https://kasten.atlassian.net/browse/K10-4036
+Using substr to remove repo from ambassadorImage
+*/}}
+{{- define "serviceImage" -}}
+{{/*
+we are maintaining the field .Values.images to override it when
+we install the chart for red hat marketplace. If we dont
+have the value specified use earlier flow, if it is, use the
+value that is specified.
+*/}}
+{{- if not .main.Values.global.rhMarketPlace }}
+{{- $serviceImage := "" -}}
+{{- $tagFromDefs := "" -}}
+{{- if .main.Values.global.airgapped.repository }}
+{{- $serviceImage = default .main.Chart.AppVersion .main.Values.image.tag | print .main.Values.global.airgapped.repository "/" .k10_service ":" }}
+{{- else if contains .main.Values.image.registry .main.Values.image.repository }}
+{{- $serviceImage = default .main.Chart.AppVersion .main.Values.image.tag | print .main.Values.image.repository "/" .k10_service ":" }}
+{{- else }}
+{{- $serviceImage = default .main.Chart.AppVersion .main.Values.image.tag | print .main.Values.image.registry "/" .main.Values.image.repository "/" .k10_service ":" }}
+{{- end }}{{/* if .main.Values.global.airgapped.repository */}}
+{{- $serviceImageKey := print (replace "-" "" .k10_service) "Image" }}
+{{- if eq $serviceImageKey "ambassadorImage" }}
+{{- $tagFromDefs = (include "k10.ambassadorImageTag" .) }}
+{{- else if eq $serviceImageKey "dexImage" }}
+{{- $tagFromDefs = (include "k10.dexImageTag" .) }}
+{{- end }}{{/* if eq $serviceImageKey "ambassadorImage" */}}
+{{- if index .main.Values $serviceImageKey }}
+{{- $service_values := index .main.Values $serviceImageKey }}
+{{- if .main.Values.global.airgapped.repository }}
+{{ $valuesImage := (splitList "/" (index $service_values "image")) }}
+{{- if $tagFromDefs }}
+image: {{ printf "%s/%s:k10-%s" .main.Values.global.airgapped.repository (index $valuesImage (sub (len $valuesImage) 1) ) $tagFromDefs -}}
+{{- end }}
+{{- else }}{{/* .main.Values.global.airgapped.repository */}}
+{{- if $tagFromDefs }}
+image: {{ printf "%s:%s" (index $service_values "image") $tagFromDefs }}
+{{- else }}
+image: {{ index $service_values "image" }}
+{{- end }}
+{{- end }}{{/* .main.Values.global.airgapped.repository */}}
+{{- else }}
+image: {{ $serviceImage }}
+{{- end -}}{{/* index .main.Values $serviceImageKey */}}
+{{- else }}
+image: {{ printf "%s" (get .main.Values.global.images .k10_service) }}
+{{- end }}{{/* if not .main.Values.images.executor */}}
+{{- end -}}{{/* define "serviceImage" */}}
diff --git a/charts/k10/k10/4.5.1100/templates/_k10_template.tpl b/charts/k10/k10/4.5.1100/templates/_k10_template.tpl
new file mode 100644
index 000000000..30a0ac977
--- /dev/null
+++ b/charts/k10/k10/4.5.1100/templates/_k10_template.tpl
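Review bot: In the airgapped branch of `serviceImage`, `{{- if $tagFromDefs }}` has no `{{- else }}`, so when a `<service>Image` entry exists in values but the service is neither ambassador nor dex the helper emits no `image:` line at all and the container is rendered without an image. The non-airgapped branch covers that case with `image: {{ index $service_values "image" }}`; the airgapped one should either mirror it against `global.airgapped.repository` or stop the render, e.g. `{{- else }}{{ fail (printf "no airgapped image defined for %s" .k10_service) }}`. Whether any such values key exists for other services is not visible in this hunk, so the gap may be latent. The closing comment `{{/* if not .main.Values.images.executor */}}` also does not match the condition it ends, `if not .main.Values.global.rhMarketPlace`.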
@@ -0,0 +1,190 @@ +{{/* Generate service spec */}} +{{- define "k10-default" }} +{{- $service := .k10_service }} +{{- with .main }} +{{- $main_context := . }} +{{- range $skip, $statefulContainer := compact (dict "main" $main_context "k10_service_pod" $service | include "get.statefulRestServicesInPod" | splitList " ") }} +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + namespace: {{ $main_context.Release.Namespace }} + name: {{ $statefulContainer }}-pv-claim + labels: +{{ include "helm.labels" $main_context | indent 4 }} + component: {{ $statefulContainer }} +spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: {{ default $main_context.Values.global.persistence.size (index $main_context.Values.global.persistence $statefulContainer "size") }} +{{- if $main_context.Values.global.persistence.storageClass }} + {{- if (eq "-" $main_context.Values.global.persistence.storageClass) }} + storageClassName: "" + {{- else }} + storageClassName: "{{ $main_context.Values.global.persistence.storageClass }}" + {{- end }} +{{- end }} +--- +{{- end }}{{/* if $.stateful */}} +apiVersion: apps/v1 +kind: Deployment +metadata: + namespace: {{ .Release.Namespace }} + name: {{ $service }}-svc + labels: +{{ include "helm.labels" . | indent 4 }} + component: {{ $service }} +spec: + replicas: {{ $.replicas }} + strategy: + type: Recreate + selector: + matchLabels: +{{ include "k10.common.matchLabels" . | indent 6 }} + component: {{ $service }} + run: {{ $service }}-svc + template: + metadata: + annotations: + checksum/config: {{ include (print .Template.BasePath "/k10-config.yaml") . | sha256sum }} + checksum/secret: {{ include (print .Template.BasePath "/secrets.yaml") . | sha256sum }} +{{- if .Values.auth.ldap.restartPod }} + rollme: {{ randAlphaNum 5 | quote }} +{{- end}} + labels: +{{ include "helm.labels" . 
| indent 8 }} + component: {{ $service }} + run: {{ $service }}-svc + spec: +{{- if eq $service "executor" }} +{{- if .Values.services.executor.hostNetwork }} + hostNetwork: true +{{- end }}{{/* .Values.services.executor.hostNetwork */}} +{{- end }}{{/* eq $service "executor" */}} +{{- if eq $service "aggregatedapis" }} +{{- if .Values.services.aggregatedapis.hostNetwork }} + hostNetwork: true +{{- end }}{{/* .Values.services.aggregatedapis.hostNetwork */}} +{{- end }}{{/* eq $service "aggregatedapis" */}} +{{- if eq $service "dashboardbff" }} +{{- if .Values.services.dashboardbff.hostNetwork }} + hostNetwork: true +{{- end }}{{/* .Values.services.dashboardbff.hostNetwork */}} +{{- end }}{{/* eq $service "dashboardbff" */}} + securityContext: +{{ toYaml .Values.services.securityContext | indent 8 }} + serviceAccountName: {{ template "serviceAccountName" . }} + {{- include "k10.imagePullSecrets" . | indent 6 }} +{{- /* initContainers: */}} +{{- (dict "main" . "k10_pod" $service | include "k10-init-container-header") }} +{{- (dict "main" . "k10_pod" $service | include "k10-init-container") }} +{{- /* containers: */}} +{{- (dict "main" . "k10_pod" $service | include "k10-containers") }} +{{- /* volumes: */}} +{{- (dict "main" . "k10_pod" $service | include "k10-deployment-volumes-header") }} +{{- (dict "main" . "k10_pod" $service | include "k10-deployment-volumes") }} +--- +{{- end }}{{/* with .main */}} +{{- end }}{{/* define "k10-default" */}} + +{{- define "k10-deployment-volumes-header" }} +{{- $pod := .k10_pod }} +{{- with .main }} +{{- $main_context := . 
}} +{{- $containerList := (dict "main" $main_context "k10_service_pod" $pod | include "get.serviceContainersInPod" | splitList " ") }} +{{- $needsVolumesHeader := false }} +{{- range $skip, $service := $containerList }} + {{- $serviceStateful := has $service (dict "main" $main_context "k10_service_pod" $pod | include "get.statefulRestServicesInPod" | splitList " ") }} + {{- if or $serviceStateful (or (eq (include "check.googlecreds" $main_context) "true") (eq $service "auth" "logging")) }} + {{- $needsVolumesHeader = true }} + {{- else if or (or (eq (include "basicauth.check" $main_context) "true") (or $main_context.Values.auth.oidcAuth.enabled (eq (include "check.dexAuth" $main_context) "true"))) $main_context.Values.features }} + {{- $needsVolumesHeader = true }} + {{- else if and (eq $service "config") ($main_context.Values.injectKanisterSidecar.enabled) }} + {{- $needsVolumesHeader = true }} + {{- else if eq (include "check.cacertconfigmap" $main_context) "true" }} + {{- $needsVolumesHeader = true }} + {{- else if and ( eq $service "auth" ) ( or $main_context.Values.auth.dex.enabled (eq (include "check.dexAuth" $main_context) "true")) }} + {{- $needsVolumesHeader = true }} + {{- end }}{{/* volumes header needed check */}} +{{- end }}{{/* range $skip, $service := $containerList */}} +{{- if $needsVolumesHeader }} + volumes: +{{- end }} +{{- end }}{{/* with .main */}} +{{- end }}{{/* define "k10-init-container-header" */}} + +{{- define "k10-deployment-volumes" }} +{{- $pod := .k10_pod }} +{{- with .main }} +{{- if .Values.features }} + - name: k10-features + configMap: + name: k10-features +{{- end }} +{{- if eq (include "basicauth.check" .) 
"true" }} + - name: k10-basic-auth + secret: + secretName: {{ default "k10-basic-auth" .Values.auth.basicAuth.secretName }} +{{- end }} +{{- if .Values.auth.oidcAuth.enabled }} + - name: k10-oidc-auth + secret: + secretName: {{ default "k10-oidc-auth" .Values.auth.oidcAuth.secretName }} +{{- end }} +{{- if .Values.auth.openshift.enabled }} + - name: k10-oidc-auth + secret: + secretName: {{ default "k10-oidc-auth" .Values.auth.openshift.secretName }} +{{- end }} +{{- if .Values.auth.ldap.enabled }} + - name: k10-oidc-auth + secret: + secretName: {{ default "k10-oidc-auth" .Values.auth.ldap.secretName }} + - name: k10-logos-dex + configMap: + name: k10-logos-dex +{{- end }} +{{- range $skip, $statefulContainer := compact (dict "main" . "k10_service_pod" $pod | include "get.statefulRestServicesInPod" | splitList " ") }} + - name: {{ $statefulContainer }}-persistent-storage + persistentVolumeClaim: + claimName: {{ $statefulContainer }}-pv-claim +{{- end }} +{{- if eq (include "check.googlecreds" .) "true" }} + - name: service-account + secret: + secretName: google-secret +{{- end }} +{{- if eq (include "check.cacertconfigmap" .) "true" }} + - name: {{ .Values.cacertconfigmap.name }} + configMap: + name: {{ .Values.cacertconfigmap.name }} +{{- end }} +{{- $containersInThisPod := (dict "main" . "k10_service_pod" $pod | include "get.serviceContainersInPod" | splitList " ") }} +{{- if has "logging" $containersInThisPod }} + - name: logging-configmap-storage + configMap: + name: fluentbit-configmap +{{- end }} +{{- if and (has "config" $containersInThisPod) (.Values.injectKanisterSidecar.enabled) }} + - name: mutating-webhook-certs + secret: + secretName: {{ include "k10.configAPIs" . }}-certs +{{- end }} +{{- if and ( has "auth" $containersInThisPod) (or .Values.auth.dex.enabled (eq (include "check.dexAuth" .) 
"true")) }} + - name: config + configMap: + name: k10-dex + items: + - key: config.yaml + path: config.yaml +{{- if .Values.auth.ldap.enabled }} + - name: dex-config + emptyDir: {} + - name: bind-secret + secret: + secretName: {{ default "k10-dex" .Values.auth.ldap.bindPWSecretName }} +{{- end }} +{{- end }} +{{- end }}{{/* with .main */}} +{{- end }}{{/* define "k10-init-container-header" */}} diff --git a/charts/k10/k10/4.5.1100/templates/api-tls-secrets.yaml b/charts/k10/k10/4.5.1100/templates/api-tls-secrets.yaml new file mode 100644 index 000000000..6c863f7c6 --- /dev/null +++ b/charts/k10/k10/4.5.1100/templates/api-tls-secrets.yaml @@ -0,0 +1,13 @@ +{{- if and .Values.secrets.apiTlsCrt .Values.secrets.apiTlsKey }} +apiVersion: v1 +kind: Secret +metadata: + labels: +{{ include "helm.labels" . | indent 4 }} + namespace: {{ .Release.Namespace }} + name: ambassador-certs +type: kubernetes.io/tls +data: + tls.crt: {{ .Values.secrets.apiTlsCrt }} + tls.key: {{ .Values.secrets.apiTlsKey }} +{{- end }} diff --git a/charts/k10/k10/4.5.1100/templates/apiservice.yaml b/charts/k10/k10/4.5.1100/templates/apiservice.yaml new file mode 100644 index 000000000..1811df48a --- /dev/null +++ b/charts/k10/k10/4.5.1100/templates/apiservice.yaml 
@@ -0,0 +1,25 @@
+{{/* Template to generate the aggregated APIService/Service objects */}}
+{{- if .Values.apiservices.deployed -}}
+{{- $main := . -}}
+{{- $container_port := .Values.service.internalPort -}}
+{{- $namespace := .Release.Namespace -}}
+{{- range include "k10.aggregatedAPIs" . | splitList " " -}}
+---
+apiVersion: apiregistration.k8s.io/v1
+kind: APIService
+metadata:
+ name: v1alpha1.{{ . }}.{{ template "apiDomain" $main }}
+ labels:
+ apiserver: "true"
+{{ include "helm.labels" $ | indent 4 }}
+spec:
+ version: v1alpha1
+ group: {{ . }}.{{ template "apiDomain" $main }}
+ groupPriorityMinimum: 2000
+ service:
+ namespace: {{$namespace}}
+ name: aggregatedapis-svc
+ versionPriority: 10
+ insecureSkipTLSVerify: true
+{{ end }}
+{{- end -}}
diff --git a/charts/k10/k10/4.5.1100/templates/daemonsets.yaml b/charts/k10/k10/4.5.1100/templates/daemonsets.yaml
new file mode 100644
index 000000000..e48c658b9
--- /dev/null
+++ b/charts/k10/k10/4.5.1100/templates/daemonsets.yaml
@@ -0,0 +1,26 @@
+{{- if .Values.metering.redhatMarketplacePayg }}
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+ namespace: {{ .Release.Namespace }}
+ name: k10-rhmp-paygo
+ labels:
+{{ include "helm.labels" . | indent 4 }}
+ component: paygo
+spec:
+ selector:
+ matchLabels:
+{{ include "k10.common.matchLabels" . | indent 6 }}
+ component: paygo
+ template:
+ metadata:
+ labels:
+{{ include "helm.labels" . | indent 8 }}
+ component: paygo
+ spec:
+ containers:
+ - name: paygo
+ image: registry.access.redhat.com/ubi8/ubi-minimal:8.5-230.1645809059
+ command: [ "sleep" ]
+ args: [ "36500d" ]
+{{- end -}}
diff --git a/charts/k10/k10/4.5.1100/templates/deployments.yaml b/charts/k10/k10/4.5.1100/templates/deployments.yaml
new file mode 100644
index 000000000..53ac1c8b0
--- /dev/null
+++ b/charts/k10/k10/4.5.1100/templates/deployments.yaml
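Review bot: `insecureSkipTLSVerify: true` on every generated APIService means the kube-apiserver does not verify the serving certificate of `aggregatedapis-svc`. Requests proxied through the aggregation layer, with the forwarded user identity, are then delivered to whatever endpoint answers behind that Service. The field should be dropped in favour of a `caBundle:` holding the CA that signed the aggregated API server's certificate. `mutatingwebhook.yaml` in this same patch already builds such a CA with `genCA`/`genSignedCert` and publishes it as `caBundle: {{ b64enc $ca.Cert }}`. The serving side would need the matching certificate mounted, which is outside this hunk. `$container_port` is assigned here but never used.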
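Review bot: The `paygo` container in the `k10-rhmp-paygo` DaemonSet has no `securityContext` and no `resources`, so a pod that only runs `sleep` is scheduled on every node with the image's default user and an unbounded resource footprint. A container-level context that drops all capabilities and forbids privilege escalation costs nothing for this workload. A small resource limit keeps it from being counted as best-effort. The image is pinned by tag only; pinning by digest would make the placeholder reproducible.

```yaml
      containers:
      - name: paygo
        # … unchanged: image, command, args …
        securityContext:
          runAsNonRoot: true
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
          capabilities:
            drop: ["ALL"]
        resources:
          # sample values, size to taste
          requests:
            cpu: 1m
            memory: 8Mi
          limits:
            cpu: 10m
            memory: 16Mi
```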
@@ -0,0 +1,30 @@
+{{/*
+Generates deployment specs for K10 services and other services such as
+"frontend" and "kanister".
+*/}}
+{{- include "singleAuth.check" . -}}
+{{- $main_context := . -}}
+{{- $stateless_services := include "k10.statelessServices" . | splitList " " -}}
+{{- $colocated_services := include "k10.colocatedServices" . | fromYaml -}}
+{{- range $skip, $k10_service := include "k10.restServices" . | splitList " " }}
+ {{ if not (hasKey $colocated_services $k10_service ) }}
+ {{/* Set $stateful for stateful services when .Values.global.persistence.enabled is true */}}
+ {{- $stateful := and $.Values.global.persistence.enabled (not (has $k10_service $stateless_services)) -}}
+ {{/* Set $replicas to .Values.executorReplicas for the exectutor service */}}
+ {{- $replicas := or (and (eq $k10_service "executor") $.Values.executorReplicas) 1 -}}
+ {{ $tmp_contx := dict "main" $main_context "k10_service" $k10_service "stateful" $stateful "replicas" $replicas }}
+ {{ if eq $k10_service "metering" }}
+ {{- include "k10-metering" $tmp_contx -}}
+ {{ else }}
+ {{- include "k10-default" $tmp_contx -}}
+ {{ end }}
+ {{ end }}{{/* if not (hasKey $colocated_services $k10_service ) */}}
+{{- end }}
+{{/*
+Generate deployment specs for additional services. These are stateless and have
+1 replica.
+*/}}
+{{- range $skip, $k10_service := concat (include "k10.services" . | splitList " ") (include "k10.additionalServices" . | splitList " ") }}
+ {{ $tmp_contx := dict "main" $main_context "k10_service" $k10_service "stateful" false "replicas" 1 }}
+ {{- include "k10-default" $tmp_contx -}}
+{{- end }}
diff --git a/charts/k10/k10/4.5.1100/templates/fluentbit-configmap.yaml b/charts/k10/k10/4.5.1100/templates/fluentbit-configmap.yaml
new file mode 100644
index 000000000..71cecb966
--- /dev/null
+++ b/charts/k10/k10/4.5.1100/templates/fluentbit-configmap.yaml
@@ -0,0 +1,34 @@
+kind: ConfigMap
+apiVersion: v1
+metadata:
+ labels:
+{{ include "helm.labels" . | indent 4 }}
+ namespace: {{ .Release.Namespace }}
+ name: fluentbit-configmap
+data:
+ fluentbit.conf: |
+ [SERVICE]
+ HTTP_Server On
+ HTTP_Listen 0.0.0.0
+ HTTP_PORT 24225
+
+ [INPUT]
+ Name tcp
+ Listen 0.0.0.0
+ Port 24224
+
+ [OUTPUT]
+ Name stdout
+ Match *
+
+ [OUTPUT]
+ Name file
+ Match *
+ File {{ .Values.global.persistence.mountPath }}/k10.log
+ logrotate.conf: |
+ {{ .Values.global.persistence.mountPath }}/k10.log {
+ create
+ missingok
+ rotate 6
+ size 1G
+ }
diff --git a/charts/k10/k10/4.5.1100/templates/gateway-ext.yaml b/charts/k10/k10/4.5.1100/templates/gateway-ext.yaml
new file mode 100644
index 000000000..1e21d3dba
--- /dev/null
+++ b/charts/k10/k10/4.5.1100/templates/gateway-ext.yaml
@@ -0,0 +1,33 @@
+{{/* Externally exposed service for gateway endpoint. */}}
+{{- $container_port := .Values.service.internalPort -}}
+{{- if .Values.externalGateway.create -}}
+{{- include "authEnabled.check" . -}}
+apiVersion: v1
+kind: Service
+metadata:
+ namespace: {{ $.Release.Namespace }}
+ name: gateway-ext
+ labels:
+ service: gateway
+ {{- if eq "route53-mapper" (default " " .Values.externalGateway.fqdn.type) }}
+ dns: route53
+ {{- end }}
+{{ include "helm.labels" . | indent 4 }}
+ annotations:
+ {{- if .Values.externalGateway.annotations }}
+{{ toYaml .Values.externalGateway.annotations | indent 4 }}
+ {{- end }}
+{{ include "dnsAnnotations" . | indent 4 }}
+ {{- if .Values.externalGateway.awsSSLCertARN }}
+ service.beta.kubernetes.io/aws-load-balancer-ssl-cert: {{ .Values.externalGateway.awsSSLCertARN }}
+ service.beta.kubernetes.io/aws-load-balancer-ssl-ports: https
+ {{- end }}
+spec:
+ type: LoadBalancer
+ ports:
+ - name: https
+ port: {{ if or (and .Values.secrets.apiTlsCrt .Values.secrets.apiTlsKey) .Values.externalGateway.awsSSLCertARN }}443{{ else }}80{{ end }}
+ targetPort: {{ $container_port }}
+ selector:
+ service: gateway
+{{- end -}}
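Review bot: When neither `secrets.apiTlsCrt`/`secrets.apiTlsKey` nor `externalGateway.awsSSLCertARN` is set, the `port:` expression in `gateway-ext` renders `80` on a `type: LoadBalancer` Service. The dashboard, and whatever credentials `authEnabled.check` makes mandatory, would then travel over plain HTTP, under a port still named `https`. The template should refuse that combination, for example with `{{- if not (or (and .Values.secrets.apiTlsCrt .Values.secrets.apiTlsKey) .Values.externalGateway.awsSSLCertARN) }}{{ fail "externalGateway.create requires TLS" }}{{- end }}`. TLS may be terminated through provider annotations in `externalGateway.annotations`, so an explicit opt-out value may be needed. The port name should follow the rendered port.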
diff --git a/charts/k10/k10/4.5.1100/templates/gateway.yaml b/charts/k10/k10/4.5.1100/templates/gateway.yaml
new file mode 100644
index 000000000..4a1844981
--- /dev/null
+++ b/charts/k10/k10/4.5.1100/templates/gateway.yaml
@@ -0,0 +1,134 @@ +{{- $container_port := .Values.service.internalPort -}} +{{- $service_port := .Values.service.externalPort -}} +{{- $admin_port := default 8877 .Values.service.gatewayAdminPort -}} +--- +apiVersion: v1 +kind: Service +metadata: + namespace: {{ $.Release.Namespace }} + labels: + service: gateway +{{ include "helm.labels" . | indent 4 }} + name: gateway + annotations: + getambassador.io/config: | + --- + apiVersion: ambassador/v1 + kind: AuthService + name: authentication + auth_service: "auth-svc:8000" + path_prefix: "/v0/authz" + allowed_request_headers: + - "x-forwarded-access-token" + --- +{{- if (eq "endpoint" .Values.apigateway.serviceResolver) }} + apiVersion: getambassador.io/v1 + kind: KubernetesEndpointResolver + name: endpoint + --- +{{- end }} + apiVersion: ambassador/v1 + kind: Module + name: ambassador + config: + service_port: {{ $container_port }} +{{- if (eq "endpoint" .Values.apigateway.serviceResolver) }} + resolver: endpoint + load_balancer: + policy: round_robin +{{- end }} +{{- if and .Values.secrets.apiTlsCrt .Values.secrets.apiTlsKey }} + --- + apiVersion: ambassador/v1 + kind: Module + name: tls + config: + server: + enabled: True + secret: ambassador-certs +{{- end }} +spec: + ports: + - name: http + port: {{ $service_port }} + targetPort: {{ $container_port }} + selector: + service: gateway +--- +{{- if .Values.gateway.exposeAdminPort }} +apiVersion: v1 +kind: Service +metadata: + namespace: {{ $.Release.Namespace }} + name: gateway-admin + labels: + service: gateway +{{ include "helm.labels" . | indent 4 }} +spec: + ports: + - name: metrics + port: {{ $admin_port }} + targetPort: {{ $admin_port }} + selector: + service: gateway +--- +{{- end }} +apiVersion: apps/v1 +kind: Deployment +metadata: + namespace: {{ $.Release.Namespace }} + labels: +{{ include "helm.labels" . 
| indent 4 }} + component: gateway + name: gateway +spec: + replicas: 1 + selector: + matchLabels: + service: gateway + template: + metadata: + annotations: + checksum/config: {{ include (print .Template.BasePath "/k10-config.yaml") . | sha256sum }} + checksum/secret: {{ include (print .Template.BasePath "/secrets.yaml") . | sha256sum }} + labels: + service: gateway + component: gateway +{{ include "helm.labels" . | indent 8 }} + spec: + serviceAccountName: {{ template "serviceAccountName" . }} + {{- include "k10.imagePullSecrets" . | indent 6 }} + containers: + - name: ambassador + image: {{ include "k10.ambImage" . }} + resources: + limits: + cpu: 1000m + memory: 1Gi + requests: + cpu: 200m + memory: 300Mi + env: + - name: AMBASSADOR_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: AMBASSADOR_SINGLE_NAMESPACE + value: "true" + - name: AMBASSADOR_LEGACY_MODE + value: "true" + - name: "AMBASSADOR_VERIFY_SSL_FALSE" + value: {{ .Values.gateway.insecureDisableSSLVerify | quote }} + livenessProbe: + httpGet: + path: /ambassador/v0/check_alive + port: {{ $admin_port }} + initialDelaySeconds: 30 + periodSeconds: 3 + readinessProbe: + httpGet: + path: /ambassador/v0/check_ready + port: {{ $admin_port }} + initialDelaySeconds: 30 + periodSeconds: 3 + restartPolicy: Always diff --git a/charts/k10/k10/4.5.1100/templates/grafana-scc.yaml b/charts/k10/k10/4.5.1100/templates/grafana-scc.yaml new file mode 100644 index 000000000..f634498a4 --- /dev/null +++ b/charts/k10/k10/4.5.1100/templates/grafana-scc.yaml 
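Review bot: The `gateway` Deployment's pod spec sets no `securityContext`, while the `k10-default` template in this same patch applies `.Values.services.securityContext` to the other service pods, so the ambassador container runs with the image's default user and privileges. Adding `securityContext:` followed by `{{ toYaml .Values.services.securityContext | indent 8 }}` under `spec.template.spec` would bring it in line. Whether the ambassador image starts under that context needs to be confirmed. `AMBASSADOR_VERIFY_SSL_FALSE` is always rendered from `.Values.gateway.insecureDisableSSLVerify`; a short comment that the safe value is `false` would help whoever edits values later.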
@@ -0,0 +1,44 @@
+{{- if .Values.scc.create }}
+{{- if .Values.grafana.enabled }}
+kind: SecurityContextConstraints
+apiVersion: security.openshift.io/v1
+metadata:
+ labels:
+{{ include "helm.labels" . | indent 4 }}
+ name: {{ .Release.Name }}-grafana
+allowPrivilegedContainer: false
+allowHostNetwork: false
+allowHostDirVolumePlugin: true
+priority: null
+allowedCapabilities: null
+allowHostPorts: true
+allowHostPID: false
+allowHostIPC: false
+readOnlyRootFilesystem: false
+requiredDropCapabilities:
+ - KILL
+ - MKNOD
+ - SETUID
+ - SETGID
+defaultAddCapabilities: []
+allowedCapabilities: []
+priority: 0
+runAsUser:
+ type: RunAsAny
+seLinuxContext:
+ type: RunAsAny
+fsGroup:
+ type: RunAsAny
+supplementalGroups:
+ type: RunAsAny
+volumes:
+ - configMap
+ - downwardAPI
+ - emptyDir
+ - persistentVolumeClaim
+ - projected
+ - secret
+users:
+ - system:serviceaccount:{{.Release.Namespace}}:{{.Release.Name}}-grafana
+{{- end }}
+{{- end }}
diff --git a/charts/k10/k10/4.5.1100/templates/ingress.yaml b/charts/k10/k10/4.5.1100/templates/ingress.yaml
new file mode 100644
index 000000000..48efc0530
--- /dev/null
+++ b/charts/k10/k10/4.5.1100/templates/ingress.yaml
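Review bot: The Grafana SCC sets `allowHostDirVolumePlugin: true` and `allowHostPorts: true`, although its own `volumes` list has no `hostPath` entry and nothing in this hunk shows Grafana needing host ports. Both should be `false` unless a requirement is documented next to them. `priority` and `allowedCapabilities` are each declared twice (`null`, then `0` / `[]`). Duplicate mapping keys are rejected by strict YAML parsers and resolved as last-wins by lenient ones, so only the second pair should stay. `runAsUser`, `fsGroup` and `supplementalGroups` are all `RunAsAny`, which lets the bound service account run as root; `MustRunAsRange` would be tighter if the Grafana image tolerates it.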
@@ -0,0 +1,46 @@
+{{- $ingressApiIsStable := eq (include "ingress.isStable" .) "true" -}}
+{{- $service_port := .Values.service.externalPort -}}
+{{ if .Values.ingress.create }}
+{{ include "authEnabled.check" . }}
+apiVersion: {{ template "ingress.apiVersion" . }}
+kind: Ingress
+metadata:
+ labels:
+{{ include "helm.labels" . | indent 4 }}
+ namespace: {{ .Release.Namespace }}
+ name: {{ .Release.Name }}-ingress
+ annotations:
+{{ include "ingressClassAnnotation" . | indent 4 }}
+ {{- if and .Values.secrets.apiTlsCrt .Values.secrets.apiTlsKey }}
+ nginx.ingress.kubernetes.io/secure-backends: "true"
+ nginx.ingress.kubernetes.io/backend-protocol: HTTPS
+ {{- end }}
+ {{- if .Values.ingress.annotations }}
+{{ toYaml .Values.ingress.annotations | indent 4 }}
+ {{- end }}
+spec:
+{{- if .Values.ingress.tls.enabled }}
+ tls:
+ - hosts:
+ - {{ required "ingress.host value is required for TLS configuration" .Values.ingress.host }}
+ secretName: {{ required "ingress.tls.secretName is required for TLS configuration" .Values.ingress.tls.secretName }}
+{{- end }}
+ rules:
+ - http:
+ paths:
+ - path: /{{ default .Release.Name .Values.ingress.urlPath | trimPrefix "/" | trimSuffix "/" }}/
+ pathType: {{ default "ImplementationSpecific" .Values.ingress.pathType }}
+ backend:
+ {{- if $ingressApiIsStable }}
+ service:
+ name: gateway
+ port:
+ number: {{ $service_port }}
+ {{- else }}
+ serviceName: gateway
+ servicePort: {{ $service_port }}
+ {{- end }}
+ {{- if .Values.ingress.host }}
+ host: {{ .Values.ingress.host }}
+ {{- end }}
+{{ end }}
diff --git a/charts/k10/k10/4.5.1100/templates/k10-config.yaml b/charts/k10/k10/4.5.1100/templates/k10-config.yaml
new file mode 100644
index 000000000..2c82274f0
--- /dev/null
+++ b/charts/k10/k10/4.5.1100/templates/k10-config.yaml
@@ -0,0 +1,228 @@ +kind: ConfigMap +apiVersion: v1 +metadata: + labels: +{{ include "helm.labels" . | indent 4 }} + namespace: {{ .Release.Namespace }} + name: k10-config +data: + loglevel: {{ .Values.logLevel | quote }} + {{- if .Values.clusterName }} + clustername: {{ quote .Values.clusterName }} + {{- end }} + version: {{ .Chart.AppVersion }} + multiClusterVersion: {{ include "k10.multiClusterVersion" . | quote }} + modelstoredirname: "//mnt/k10state/kasten-io/" + apiDomain: {{ include "apiDomain" . }} + concurrentSnapConversions: {{ include "k10.defaultConcurrentSnapshotConversions" . | quote }} + concurrentWorkloadSnapshots: {{ include "k10.defaultConcurrentWorkloadSnapshots" . | quote }} + k10DataStoreParallelUpload: {{ include "k10.defaultK10DataStoreParallelUpload" . | quote }} + k10DataStoreGeneralContentCacheSizeMB: {{ include "k10.defaultK10DataStoreGeneralContentCacheSizeMB" . | quote }} + k10DataStoreGeneralMetadataCacheSizeMB: {{ include "k10.defaultK10DataStoreGeneralMetadataCacheSizeMB" . | quote }} + k10DataStoreRestoreContentCacheSizeMB: {{ include "k10.defaultK10DataStoreRestoreContentCacheSizeMB" . | quote }} + k10DataStoreRestoreMetadataCacheSizeMB: {{ include "k10.defaultK10DataStoreRestoreMetadataCacheSizeMB" . | quote }} + K10BackupBufferFileHeadroomFactor: {{ include "k10.defaultK10BackupBufferFileHeadroomFactor" . | quote }} + AWSAssumeRoleDuration: {{ default (include "k10.defaultAssumeRoleDuration" .) .Values.awsConfig.assumeRoleDuration | quote }} + KanisterBackupTimeout: {{ default (include "k10.defaultKanisterBackupTimeout" .) .Values.kanister.backupTimeout | quote }} + KanisterRestoreTimeout: {{ default (include "k10.defaultKanisterRestoreTimeout" .) .Values.kanister.restoreTimeout | quote }} + KanisterDeleteTimeout: {{ default (include "k10.defaultKanisterDeleteTimeout" .) .Values.kanister.deleteTimeout | quote }} + KanisterHookTimeout: {{ default (include "k10.defaultKanisterHookTimeout" .) 
.Values.kanister.hookTimeout | quote }} + KanisterCheckRepoTimeout: {{ default (include "k10.defaultKanisterCheckRepoTimeout" .) .Values.kanister.checkRepoTimeout | quote }} + KanisterStatsTimeout: {{ default (include "k10.defaultKanisterStatsTimeout" .) .Values.kanister.statsTimeout | quote }} + KanisterEFSPostRestoreTimeout: {{ default (include "k10.defaultKanisterEFSPostRestoreTimeout" .) .Values.kanister.efsPostRestoreTimeout | quote }} + KanisterPodReadyWaitTimeout: {{ .Values.kanister.podReadyWaitTimeout | quote }} + K10MutatingWebhookTLSCertDir: "/etc/ssl/certs/webhook" + + K10LimiterGenericVolumeSnapshots: {{ default (include "k10.defaultK10LimiterGenericVolumeSnapshots" .) .Values.limiter.genericVolumeSnapshots | quote }} + K10LimiterGenericVolumeCopies: {{ default (include "k10.defaultK10LimiterGenericVolumeCopies" .) .Values.limiter.genericVolumeCopies | quote }} + K10LimiterGenericVolumeRestores: {{ default (include "k10.defaultK10LimiterGenericVolumeRestores" .) .Values.limiter.genericVolumeRestores | quote }} + K10LimiterCsiSnapshots: {{ default (include "k10.defaultK10LimiterCsiSnapshots" .) .Values.limiter.csiSnapshots | quote }} + K10LimiterProviderSnapshots: {{ default (include "k10.defaultK10LimiterProviderSnapshots" .) .Values.limiter.providerSnapshots | quote }} + + {{- if .Values.awsConfig.efsBackupVaultName }} + efsBackupVaultName: {{ quote .Values.awsConfig.efsBackupVaultName }} + {{- end }} + + {{- if .Values.vmWare.taskTimeoutMin }} + vmWareTaskTimeoutMin: {{ quote .Values.vmWare.taskTimeoutMin }} + {{- end }} + +{{- include "get.kanisterPodCustomLabels" . | indent 2}} +{{- include "get.kanisterPodCustomAnnotations" . | indent 2}} + + {{- if .Values.kanisterFunctionVersion }} + kanisterFunctionVersion: {{ .Values.kanisterFunctionVersion | quote }} + {{- else }} + kanisterFunctionVersion: {{ quote "v1.0.0-alpha" }} + {{- end }} + {{- if eq "true" (include "overwite.kanisterToolsImage" .) 
}} + overwriteKanisterTools: {{ include "get.kanisterToolsImage" .}} + {{- end }} +{{- include "kanisterToolsResources" . | indent 2 }} + +{{ if .Values.features }} +--- +kind: ConfigMap +apiVersion: v1 +metadata: + labels: +{{ include "helm.labels" . | indent 4 }} + namespace: {{ .Release.Namespace }} + name: k10-features +data: +{{ include "k10.features" . | indent 2}} +{{ end }} +{{ if .Values.auth.dex.enabled }} +--- +kind: ConfigMap +apiVersion: v1 +metadata: + labels: +{{ include "helm.labels" . | indent 4 }} + name: k10-dex + namespace: {{ .Release.Namespace }} +data: + config.yaml: | + issuer: {{ .Values.auth.oidcAuth.providerURL }} + storage: + type: memory + web: + http: 0.0.0.0:8080 + logger: + level: info + format: text + connectors: + - type: oidc + id: google + name: Google + config: + issuer: {{ .Values.auth.dex.providerURL }} + clientID: {{ .Values.auth.oidcAuth.clientID }} + clientSecret: {{ .Values.auth.oidcAuth.clientSecret }} + redirectURI: {{ .Values.auth.dex.redirectURL }} + scopes: + - openid + - profile + - email + oauth2: + skipApprovalScreen: true + staticClients: + - name: 'K10' + id: {{ .Values.auth.oidcAuth.clientID }} + secret: {{ .Values.auth.oidcAuth.clientSecret }} + redirectURIs: + - {{ printf "%s/k10/auth-svc/v0/oidc/redirect" .Values.auth.oidcAuth.redirectURL }} + enablePasswordDB: true + staticPasswords: +{{ end }} +{{ if .Values.auth.openshift.enabled }} +--- +kind: ConfigMap +apiVersion: v1 +metadata: + labels: +{{ include "helm.labels" . 
| indent 4 }} + name: k10-dex + namespace: {{ .Release.Namespace }} +data: + config.yaml: | + issuer: {{ printf "%s/dex" (trimSuffix "/" .Values.auth.openshift.dashboardURL) }} + storage: + type: memory + web: + http: 0.0.0.0:8080 + logger: + level: info + format: text + connectors: + - type: openshift + id: openshift + name: OpenShift + config: + issuer: {{ .Values.auth.openshift.openshiftURL }} + clientID: {{printf "system:serviceaccount:%s:%s" .Release.Namespace .Values.auth.openshift.serviceAccount }} + clientSecret: {{ .Values.auth.openshift.clientSecret }} + redirectURI: {{ printf "%s/dex/callback" (trimSuffix "/" .Values.auth.openshift.dashboardURL) }} + insecureCA: {{ .Values.auth.openshift.insecureCA }} +{{- if and (eq (include "check.cacertconfigmap" .) "false") .Values.auth.openshift.useServiceAccountCA }} + rootCA: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt +{{- end }} + oauth2: + skipApprovalScreen: true + staticClients: + - name: 'K10' + id: kasten + secret: kastensecret + redirectURIs: + - {{ printf "%s/auth-svc/v0/oidc/redirect" (trimSuffix "/" .Values.auth.openshift.dashboardURL) }} +{{ end }} +{{ if .Values.auth.ldap.enabled }} +--- +kind: ConfigMap +apiVersion: v1 +metadata: + labels: +{{ include "helm.labels" . 
| indent 4 }} + name: k10-dex + namespace: {{ .Release.Namespace }} +data: + config.yaml: | + issuer: {{ printf "%s/dex" (trimSuffix "/" .Values.auth.ldap.dashboardURL) }} + storage: + type: memory + web: + http: 0.0.0.0:8080 + frontend: + theme: custom + logoURL: theme/kasten-logo.svg + logger: + level: info + format: text + connectors: + - type: ldap + id: ldap + name: LDAP + config: + host: {{ .Values.auth.ldap.host }} + insecureNoSSL: {{ .Values.auth.ldap.insecureNoSSL }} + insecureSkipVerify: {{ .Values.auth.ldap.insecureSkipVerifySSL }} + startTLS: {{ .Values.auth.ldap.startTLS }} + bindDN: {{ .Values.auth.ldap.bindDN }} + bindPW: BIND_PASSWORD_PLACEHOLDER + userSearch: + baseDN: {{ .Values.auth.ldap.userSearch.baseDN }} + filter: {{ .Values.auth.ldap.userSearch.filter }} + username: {{ .Values.auth.ldap.userSearch.username }} + idAttr: {{ .Values.auth.ldap.userSearch.idAttr }} + emailAttr: {{ .Values.auth.ldap.userSearch.emailAttr }} + nameAttr: {{ .Values.auth.ldap.userSearch.nameAttr }} + preferredUsernameAttr: {{ .Values.auth.ldap.userSearch.preferredUsernameAttr }} + groupSearch: + baseDN: {{ .Values.auth.ldap.groupSearch.baseDN }} + filter: {{ .Values.auth.ldap.groupSearch.filter }} + nameAttr: {{ .Values.auth.ldap.groupSearch.nameAttr }} +{{- with .Values.auth.ldap.groupSearch.userMatchers }} + userMatchers: +{{ toYaml . | indent 10 }} +{{- end }} + oauth2: + skipApprovalScreen: true + staticClients: + - name: 'K10' + id: kasten + secret: kastensecret + redirectURIs: + - {{ printf "%s/auth-svc/v0/oidc/redirect" (trimSuffix "/" .Values.auth.ldap.dashboardURL) }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: k10-logos-dex + namespace: {{ .Release.Namespace }} +binaryData: + {{- $files := .Files }} + {{- range tuple "files/favicon.png" "files/kasten-logo.svg" "files/styles.css" }} + {{ trimPrefix "files/" . }}: |- + {{ $files.Get . | b64enc }} + {{- end }} +{{ end }} 
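Review bot: The `k10-dex` ConfigMaps carry credentials. `clientSecret: {{ .Values.auth.oidcAuth.clientSecret }}` and `clientSecret: {{ .Values.auth.openshift.clientSecret }}` are rendered in clear, and the OpenShift and LDAP variants hard-code the static client as `id: kasten` / `secret: kastensecret`, which is the same on every installation. ConfigMaps are usually readable by more subjects than Secrets and are not covered by Secret encryption at rest. The Dex `config.yaml` should be rendered into a `kind: Secret`, with the `config` volume in `k10-deployment-volumes` switched from `configMap` to `secret`. The static client secret should come from a per-install value rather than a literal; its consumer is outside this hunk and would need the same value. The LDAP variant already keeps `bindPW` out of the rendered text via `BIND_PASSWORD_PLACEHOLDER`. The interpolated strings (`bindDN`, `filter`, the URLs) are unquoted, so a value containing `: ` or `#` changes the resulting YAML; `| quote` on each avoids that.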
diff --git a/charts/k10/k10/4.5.1100/templates/k10-eula.yaml b/charts/k10/k10/4.5.1100/templates/k10-eula.yaml
new file mode 100644
index 000000000..21e251d6c
--- /dev/null
+++ b/charts/k10/k10/4.5.1100/templates/k10-eula.yaml
@@ -0,0 +1,21 @@
+kind: ConfigMap
+apiVersion: v1
+metadata:
+ labels:
+{{ include "helm.labels" . | indent 4 }}
+ namespace: {{ .Release.Namespace }}
+ name: k10-eula
+data:
+ text: {{ .Files.Get "eula.txt" | quote }}
+---
+{{ if .Values.eula.accept }}
+kind: ConfigMap
+apiVersion: v1
+metadata:
+ labels:
+{{ include "helm.labels" . | indent 4 }}
+ namespace: {{ .Release.Namespace }}
+ name: k10-eula-info
+data:
+{{ include "k10.eula.fields" . | indent 2 }}
+{{ end }}
diff --git a/charts/k10/k10/4.5.1100/templates/kopia-tls-certs.yaml b/charts/k10/k10/4.5.1100/templates/kopia-tls-certs.yaml
new file mode 100644
index 000000000..ac0635f51
--- /dev/null
+++ b/charts/k10/k10/4.5.1100/templates/kopia-tls-certs.yaml
@@ -0,0 +1,33 @@
+# alternate names of the services. This renders to: [ component-svc.namespace, component-svc.namespace.svc ]
+{{- $altNamesKopia := list ( printf "%s-svc.%s" "data-mover" .Release.Namespace ) ( printf "%s-svc.%s.svc" "data-mover" .Release.Namespace ) }}
+# generate ca cert with 365 days of validity
+{{- $caKopia := genCA ( printf "%s-svc-ca" "data-mover" ) 365 }}
+# generate cert with CN="component-svc", SAN=$altNames and with 365 days of validity
+{{- $certKopia := genSignedCert ( printf "%s-svc" "data-mover" ) nil $altNamesKopia 365 $caKopia }}
+apiVersion: v1
+kind: Secret
+type: Opaque
+metadata:
+ name: kopia-tls-cert
+ labels:
+{{ include "helm.labels" . | indent 4 }}
+{{- if .Values.global.rhMarketPlace }}
+ annotations:
+ "helm.sh/hook": "pre-install"
+{{- end }}
+data:
+ tls.crt: {{ $certKopia.Cert | b64enc }}
+---
+apiVersion: v1
+kind: Secret
+type: Opaque
+metadata:
+ name: kopia-tls-key
+ labels:
+{{ include "helm.labels" . | indent 4 }}
+{{- if .Values.global.rhMarketPlace }}
+ annotations:
+ "helm.sh/hook": "pre-install"
+{{- end }}
+data:
+ tls.key: {{ $certKopia.Key | b64enc }}
diff --git a/charts/k10/k10/4.5.1100/templates/license.yaml b/charts/k10/k10/4.5.1100/templates/license.yaml
new file mode 100644
index 000000000..f409fb7e5
--- /dev/null
+++ b/charts/k10/k10/4.5.1100/templates/license.yaml
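Review bot: The `genCA`/`genSignedCert` calls give the kopia certificate a fixed 365-day lifetime, and nothing visible here renews it. With `global.rhMarketPlace` set, both Secrets are `pre-install` hooks, so they are created once and later upgrades do not touch them. Without it they change on every render, because the functions run at template time. `mutatingwebhook.yaml` in this patch has the same 365-day pattern, and with `failurePolicy: Ignore` an expired webhook certificate would make sidecar injection stop without an error. At minimum add a comment such as `# expires 365 days after it is rendered; re-render the chart or rotate the Secret before then`, and consider making the validity a chart value. The CA certificate `$caKopia.Cert` is not stored anywhere, so peers can only pin the leaf; publishing it (for example as `ca.crt` in `kopia-tls-cert`) would allow proper chain validation.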
@@ -0,0 +1,25 @@
+{{- if not ( or ( .Values.license ) ( .Values.metering.awsMarketplace ) ( .Values.metering.awsManagedLicense ) ( .Values.metering.licenseConfigSecretName ) ) }}
+{{- if .Files.Get "triallicense" }}
+apiVersion: v1
+kind: Secret
+metadata:
+ labels:
+{{ include "helm.labels" . | indent 4 }}
+ namespace: {{ .Release.Namespace }}
+ name: k10-trial-license
+type: Opaque
+data:
+ license: {{ print (.Files.Get "triallicense") }}
+{{- end }}
+{{- end }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ labels:
+{{ include "helm.labels" . | indent 4 }}
+ namespace: {{ .Release.Namespace }}
+ name: k10-license
+type: Opaque
+data:
+ license: {{ include "k10.getlicense" . }}
diff --git a/charts/k10/k10/4.5.1100/templates/mutatingwebhook.yaml b/charts/k10/k10/4.5.1100/templates/mutatingwebhook.yaml
new file mode 100644
index 000000000..36d7da875
--- /dev/null
+++ b/charts/k10/k10/4.5.1100/templates/mutatingwebhook.yaml
@@ -0,0 +1,51 @@
+{{- if .Values.injectKanisterSidecar.enabled -}}
+# alternate names of the services. This renders to: [ component-svc.namespace, component-svc.namespace.svc ]
+{{- $altNames := list ( printf "%s-svc.%s" (include "k10.configAPIs" .) .Release.Namespace ) ( printf "%s-svc.%s.svc" (include "k10.configAPIs" .) .Release.Namespace ) }}
+# generate ca cert with 365 days of validity
+{{- $ca := genCA ( printf "%s-svc-ca" (include "k10.configAPIs" .) ) 365 }}
+# generate cert with CN="component-svc", SAN=$altNames and with 365 days of validity
+{{- $cert := genSignedCert ( printf "%s-svc" (include "k10.configAPIs" .) ) nil $altNames 365 $ca }}
+apiVersion: v1
+kind: Secret
+type: kubernetes.io/tls
+metadata:
+ name: {{ include "k10.configAPIs" . }}-certs
+ labels:
+{{ include "helm.labels" . | indent 4 }}
+data:
+ tls.crt: {{ $cert.Cert | b64enc }}
+ tls.key: {{ $cert.Key | b64enc }}
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+ labels:
+{{ include "helm.labels" . | indent 4 }}
+ namespace: {{ .Release.Namespace }}
+ name: k10-sidecar-injector
+webhooks:
+- name: k10-sidecar-injector.kasten.io
+ admissionReviewVersions: ["v1", "v1beta1"]
+ failurePolicy: Ignore
+ sideEffects: None
+ clientConfig:
+ service:
+ name: config-svc
+ namespace: {{ .Release.Namespace }}
+ path: "/k10/mutate"
+ port: 443
+ caBundle: {{ b64enc $ca.Cert }}
+ rules:
+ - operations: ["CREATE", "UPDATE"]
+ apiGroups: ["*"]
+ apiVersions: ["v1"]
+ resources: ["deployments", "statefulsets", "deploymentconfigs"]
+{{- if .Values.injectKanisterSidecar.namespaceSelector }}
+ namespaceSelector:
+{{ toYaml .Values.injectKanisterSidecar.namespaceSelector | indent 4 }}
+{{- end }}
+{{- if .Values.injectKanisterSidecar.objectSelector }}
+ objectSelector:
+{{ toYaml .Values.injectKanisterSidecar.objectSelector | indent 4 }}
+{{- end }}
+{{- end }}
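Review bot: With `failurePolicy: Ignore` in `mutatingwebhook.yaml`, an expired or mismatched webhook certificate fails silently: workloads are admitted without the Kanister sidecar and nothing reports it. The serving pair and the `caBundle` both come from `genCA`/`genSignedCert` with 365 days of validity and are regenerated on every render, so a running `config-svc` that has not picked up the new `tls.crt`/`tls.key` (whether it reloads them is not visible here) will no longer match the `caBundle` after an upgrade. I would add a comment next to the policy, for example `# fail-open: injection is skipped silently if config-svc is down or its cert no longer matches caBundle (cert valid 365 days)`, and make the `config-svc` pods roll when this Secret changes. The webhook target is hard-coded as `name: config-svc` while the certificate names are built from `include "k10.configAPIs" .`; deriving both from the same helper keeps the SANs and the service name from drifting apart.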
diff --git a/charts/k10/k10/4.5.1100/templates/networkpolicy.yaml b/charts/k10/k10/4.5.1100/templates/networkpolicy.yaml
new file mode 100644
index 000000000..2cd4dae9f
--- /dev/null
+++ b/charts/k10/k10/4.5.1100/templates/networkpolicy.yaml
@@ -0,0 +1,192 @@
+{{- $admin_port := default 8877 .Values.service.gatewayAdminPort -}}
+{{- $mutating_webhook_port := default 8080 .Values.injectKanisterSidecar.webhookServer.port -}}
+{{- if .Values.networkPolicy.create }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: default-deny
+ namespace: {{ .Release.Namespace }}
+ labels:
+{{ include "helm.labels" . | indent 4 }}
+spec:
+ podSelector: {}
+ policyTypes:
+ - Ingress
+---
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+ name: cross-services-allow
+ namespace: {{ .Release.Namespace }}
+ labels:
+{{ include "helm.labels" . | indent 4 }}
+spec:
+ podSelector:
+ matchLabels:
+ release: {{ .Release.Name }}
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ release: {{ .Release.Name }}
+ ports:
+ - protocol: TCP
+ port: {{ .Values.service.externalPort }}
+---
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+ name: logging-allow-internal
+ namespace: {{ .Release.Namespace }}
+ labels:
+{{ include "helm.labels" . | indent 4 }}
+spec:
+ podSelector:
+ matchLabels:
+ release: {{ .Release.Name }}
+ run: logging-svc
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ release: {{ .Release.Name }}
+ ports:
+ # Logging input port
+ - protocol: TCP
+ port: 24224
+ - protocol: TCP
+ port: 24225
+---
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+ name: allow-external
+ namespace: {{ .Release.Namespace }}
+ labels:
+{{ include "helm.labels" . | indent 4 }}
+spec:
+ podSelector:
+ matchLabels:
+ service: gateway
+ release: {{ .Release.Name }}
+ ingress:
+ - from: []
+ ports:
+ - protocol: TCP
+ port: 8000
+---
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+ name: allow-all-api
+ namespace: {{ .Release.Namespace }}
+ labels:
+{{ include "helm.labels" . | indent 4 }}
+spec:
+ podSelector:
+ matchLabels:
+ run: aggregatedapis-svc
+ release: {{ .Release.Name }}
+ ingress:
+ - from:
+ ports:
+ - protocol: TCP
+ port: {{ .Values.service.aggregatedApiPort }}
+{{- if .Values.gateway.exposeAdminPort }}
+---
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+ name: allow-gateway-admin
+ namespace: {{ .Release.Namespace }}
+ labels:
+{{ include "helm.labels" . | indent 4 }}
+spec:
+ podSelector:
+ matchLabels:
+ release: {{ .Release.Name }}
+ service: gateway
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ app: prometheus
+ component: server
+ release: {{ .Release.Name }}
+ ports:
+ - protocol: TCP
+ port: {{ $admin_port }}
+{{- end -}}
+{{- if .Values.injectKanisterSidecar.enabled }}
+---
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+ name: allow-mutating-webhook
+ namespace: {{ .Release.Namespace }}
+ labels:
+{{ include "helm.labels" . | indent 4 }}
+spec:
+ podSelector:
+ matchLabels:
+ release: {{ .Release.Name }}
+ run: config-svc
+ ingress:
+ - from:
+ ports:
+ - protocol: TCP
+ port: {{ $mutating_webhook_port }}
+{{- end -}}
+{{- if or .Values.auth.dex.enabled (eq (include "check.dexAuth" .) "true") }}
+---
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+ name: gateway-dex-allow
+ namespace: {{ .Release.Namespace }}
+ labels:
+{{ include "helm.labels" . | indent 4 }}
+spec:
+ podSelector:
+ matchLabels:
+ release: {{ .Release.Name }}
+ run: auth-svc
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ service: gateway
+ release: {{ .Release.Name }}
+ ports:
+ - protocol: TCP
+ port: 8080
+{{- end -}}
+{{- $mainCtx := . }}
+{{- $colocatedList := include "get.enabledColocatedSvcList" . | fromYaml }}
+{{- range $primary, $secondaryList := $colocatedList }}
+---
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+ name: {{ $primary }}-svc-allow-secondary-services
+ namespace: {{ $mainCtx.Release.Namespace }}
+ labels:
+{{ include "helm.labels" $mainCtx | indent 4 }}
+spec:
+ podSelector:
+ matchLabels:
+ release: {{ $mainCtx.Release.Name }}
+ run: {{ $primary }}-svc
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ release: {{ $mainCtx.Release.Name }}
+ ports:
+ {{- range $skip, $secondary := $secondaryList }}
+ {{- $colocConfig := index (include "k10.colocatedServices" . | fromYaml) $secondary }}
+ - protocol: TCP
+ port: {{ $colocConfig.port }}
+ {{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/k10/k10/4.5.1100/templates/prometheus-configmap.yaml b/charts/k10/k10/4.5.1100/templates/prometheus-configmap.yaml
new file mode 100644
index 000000000..55c44c96d
--- /dev/null
+++ b/charts/k10/k10/4.5.1100/templates/prometheus-configmap.yaml
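Review bot: In `networkpolicy.yaml`, `default-deny` lists only `Ingress` under `policyTypes`, so egress from every pod in the release namespace stays unrestricted; if that is intended a comment on the policy should say so, otherwise add `- Egress` together with the matching allow rules. `allow-all-api` and `allow-mutating-webhook` use a bare `- from:` while `allow-external` uses `- from: []`; both forms admit traffic from any source, including pods in other namespaces, so the aggregated API port and the webhook port on `config-svc` are reachable cluster-wide. That is presumably required because the API server cannot be matched by a pod selector, but it should be written down, e.g. `# open to all sources: called by kube-apiserver, which a podSelector cannot match`, and the two spellings made the same. In the final `range`, `include "k10.colocatedServices" .` is evaluated with `.` bound to the current list element rather than the chart context, which only works if the helper ignores its argument; `$mainCtx` looks like what was meant.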
@@ -0,0 +1,70 @@
+{{ $scrape_services := (include "k10.restServices" . | splitList " " ) }}
+{{- if .Values.gateway.exposeAdminPort -}}
+ {{- $scrape_services = append (include "k10.restServices" . | splitList " " ) "gateway" -}}
+{{- end -}}
+
+{{- include "check.validateMonitoringProperties" .}}
+{{- if .Values.prometheus.server.enabled -}}
+{{- $rbac := .Values.prometheus.rbac.create -}}
+kind: ConfigMap
+apiVersion: v1
+metadata:
+ labels:
+{{ include "helm.labels" . | indent 4 }}
+ namespace: {{ .Release.Namespace }}
+ name: {{ .Release.Name }}-{{ .Values.prometheus.server.configMapOverrideName }}
+data:
+ prometheus.yml: |
+ global:
+ scrape_interval: 1m
+ scrape_timeout: 10s
+ evaluation_interval: 1m
+ scrape_configs:
+{{- range $scrape_services -}}
+{{- if or (not (hasKey $.Values.optionalColocatedServices .)) (index $.Values.optionalColocatedServices .).enabled }}
+{{ $tmpcontx := dict "main" $ "k10service" . -}}
+{{ include "k10.prometheusScrape" $tmpcontx | indent 6 -}}
+{{- end }}
+{{- end }}
+{{- range include "k10.services" . | splitList " " }}
+{{- if (or (ne . "aggregatedapis") ($rbac)) }}
+{{ $tmpcontx := dict "main" $ "k10service" . -}}
+{{ include "k10.prometheusScrape" $tmpcontx | indent 6 -}}
+{{- end }}
+{{- end }}
+{{- range include "k10.additionalServices" . | splitList " " }}
+{{- if not (eq . "frontend") }}
+{{ $tmpcontx := dict "main" $ "k10service" . -}}
+{{ include "k10.prometheusScrape" $tmpcontx | indent 6 -}}
+{{- end }}
+{{- end }}
+{{- if .Values.prometheus.extraScrapeConfigs }}
+{{ .Values.prometheus.extraScrapeConfigs | indent 6 }}
+{{- end -}}
+{{- if .Values.prometheus.scrapeCAdvisor }}
+ - job_name: 'kubernetes-cadvisor'
+ scheme: https
+ tls_config:
+ ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
+ bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
+ kubernetes_sd_configs:
+ - role: node
+ relabel_configs:
+ - action: labelmap
+ regex: __meta_kubernetes_node_label_(.+)
+ - target_label: __address__
+ replacement: kubernetes.default.svc:443
+ - source_labels: [__meta_kubernetes_node_name]
+ regex: (.+)
+ target_label: __metrics_path__
+ replacement: /api/v1/nodes/${1}/proxy/metrics/cadvisor
+{{- end}}
+ - job_name: prometheus
+ metrics_path: {{ .Values.prometheus.server.baseURL }}metrics
+ static_configs:
+ - targets:
+ - "localhost:9090"
+ labels:
+ app: prometheus
+ component: server
+{{- end -}}
diff --git a/charts/k10/k10/4.5.1100/templates/prometheus-service.yaml b/charts/k10/k10/4.5.1100/templates/prometheus-service.yaml
new file mode 100644
index 000000000..846ecbbd7
--- /dev/null
+++ b/charts/k10/k10/4.5.1100/templates/prometheus-service.yaml
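Review bot: In `prometheus-configmap.yaml`, `metrics_path: {{ .Values.prometheus.server.baseURL }}metrics` concatenates the value as given, so a `baseURL` without a trailing slash produces a path such as `/prefixmetrics` and the self-scrape job fails without any render-time error. The Prometheus Service template in this same commit normalises the value with `trimPrefix "/" | trimSuffix "/"` behind an `if`/`else`; the same shape here, `metrics_path: /{{ .Values.prometheus.server.baseURL | trimPrefix "/" | trimSuffix "/" }}/metrics` with `metrics_path: /metrics` in the `else` branch, keeps the two consistent. The `kubernetes-cadvisor` job reaches every node through the API server proxy with the pod's service account token, so it deserves a comment naming the permission it depends on (`nodes/proxy`) so that grant stays limited to the Prometheus account. `prometheus.extraScrapeConfigs` is pasted into the config verbatim; the values documentation should say it is trusted input.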
@@ -0,0 +1,44 @@
+{{/* Template to generate service spec for v0 rest services */}}
+{{- if .Values.prometheus.server.enabled -}}
+{{- $postfix := default .Release.Name .Values.ingress.urlPath -}}
+{{- $os_postfix := default .Release.Name .Values.route.path -}}
+{{- $service_port := .Values.prometheus.server.service.servicePort -}}
+apiVersion: v1
+kind: Service
+metadata:
+ namespace: {{ .Release.Namespace }}
+ name: {{ include "k10.prometheus.service.name" . }}-exp
+ labels:
+{{ include "helm.labels" $ | indent 4 }}
+ component: {{ include "k10.prometheus.service.name" . }}
+ run: {{ include "k10.prometheus.service.name" . }}
+ annotations:
+ getambassador.io/config: |
+ ---
+ apiVersion: ambassador/v1
+ kind: Mapping
+ name: {{ include "k10.prometheus.service.name" . }}-mapping
+ {{- if .Values.prometheus.server.baseURL }}
+ rewrite: /{{ .Values.prometheus.server.baseURL | trimPrefix "/" | trimSuffix "/" }}/
+ {{- else }}
+ rewrite: /
+ {{- end }}
+ {{- if .Values.route.enabled }}
+ prefix: /{{ $os_postfix | trimPrefix "/" | trimSuffix "/" }}/prometheus/
+ {{- else }}
+ prefix: /{{ $postfix | trimPrefix "/" | trimSuffix "/" }}/prometheus/
+ {{- end }}
+ service: {{ include "k10.prometheus.service.name" . }}:{{ $service_port }}
+ timeout_ms: 15000
+
+spec:
+ ports:
+ - name: http
+ protocol: TCP
+ port: {{ $service_port }}
+ targetPort: 9090
+ selector:
+ app: {{ include "k10.prometheus.name" . }}
+ component: {{ .Values.prometheus.server.name }}
+ release: {{ .Release.Name }}
+{{- end -}}
diff --git a/charts/k10/k10/4.5.1100/templates/rbac.yaml b/charts/k10/k10/4.5.1100/templates/rbac.yaml
new file mode 100644
index 000000000..2b510067d
--- /dev/null
+++ b/charts/k10/k10/4.5.1100/templates/rbac.yaml
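Review bot: The opening comment of `prometheus-service.yaml`, `Template to generate service spec for v0 rest services`, appears to have been carried over from another template and does not describe this file, which defines the `-exp` Service and an Ambassador `Mapping` for Prometheus; `{{/* Service and gateway Mapping that expose the bundled Prometheus server */}}` would be accurate. The Mapping publishes the Prometheus UI and query API under `/<prefix>/prometheus/` on the gateway, and nothing in this hunk shows whether the gateway's authentication covers that prefix. That should be confirmed and stated in a comment beside the annotation, since Prometheus itself has no login on port 9090 in this Service definition.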
@@ -0,0 +1,239 @@
+{{- $main := . -}}
+{{- $apiDomain := include "apiDomain" . -}}
+
+{{- $actionsAPIs := splitList " " (include "k10.actionsAPIs" .) -}}
+{{- $aggregatedAPIs := splitList " " (include "k10.aggregatedAPIs" .) -}}
+{{- $appsAPIs := splitList " " (include "k10.appsAPIs" .) -}}
+{{- $authAPIs := splitList " " (include "k10.authAPIs" .) -}}
+{{- $configAPIs := splitList " " (include "k10.configAPIs" .) -}}
+{{- $distAPIs := splitList " " (include "k10.distAPIs" .) -}}
+{{- $reportingAPIs := splitList " " (include "k10.reportingAPIs" .) -}}
+
+{{- if .Values.rbac.create }}
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ labels:
+{{ include "helm.labels" . | indent 4 }}
+ name: {{ .Release.Namespace }}-{{ template "serviceAccountName" . }}-cluster-admin
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cluster-admin
+subjects:
+- kind: ServiceAccount
+ name: {{ template "serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
+{{- if not ( eq (include "meteringServiceAccountName" .) (include "serviceAccountName" .) )}}
+- kind: ServiceAccount
+ name: {{ template "meteringServiceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
+{{- end }}
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ labels:
+{{ include "helm.labels" . | indent 4 }}
+{{ include "k10.defaultRBACLabels" . | indent 4 }}
+ name: {{ .Release.Name }}-admin
+rules:
+- apiGroups:
+{{- range sortAlpha (concat $aggregatedAPIs $configAPIs $reportingAPIs) }}
+ - {{ . }}.{{ $apiDomain }}
+{{- end }}
+ resources:
+ - "*"
+ verbs:
+ - "*"
+- apiGroups:
+ - cr.kanister.io
+ resources:
+ - '*'
+ verbs:
+ - '*'
+- apiGroups:
+ - ""
+ resources:
+ - namespaces
+ verbs:
+ - create
+ - get
+ - list
+---
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ labels:
+{{ include "helm.labels" . | indent 4 }}
+{{ include "k10.defaultRBACLabels" . | indent 4 }}
+ name: {{ .Release.Name }}-ns-admin
+ namespace: {{ .Release.Namespace }}
+rules:
+- apiGroups:
+ - ""
+ - "apps"
+ resources:
+ - deployments
+ - pods
+ verbs:
+ - get
+ - list
+- apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - update
+- apiGroups:
+ - "batch"
+ resources:
+ - jobs
+ verbs:
+ - get
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ labels:
+{{ include "helm.labels" . | indent 4 }}
+{{ include "k10.defaultRBACLabels" . | indent 4 }}
+ name: {{ .Release.Name }}-mc-admin
+rules:
+- apiGroups:
+{{- range sortAlpha (concat $authAPIs $configAPIs $distAPIs) }}
+ - {{ . }}.{{ $apiDomain }}
+{{- end }}
+ resources:
+ - "*"
+ verbs:
+ - "*"
+- apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ - "*"
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ labels:
+{{ include "helm.labels" . | indent 4 }}
+{{ include "k10.defaultRBACLabels" . | indent 4 }}
+ name: {{ .Release.Name }}-basic
+rules:
+- apiGroups:
+{{- range sortAlpha $actionsAPIs }}
+ - {{ . }}.{{ $apiDomain }}
+{{- end }}
+ resources:
+ - {{ include "k10.backupActions" $main}}
+ - {{ include "k10.backupActionsDetails" $main}}
+ - {{ include "k10.restoreActions" $main}}
+ - {{ include "k10.restoreActionsDetails" $main}}
+ - {{ include "k10.exportActions" $main}}
+ - {{ include "k10.exportActionsDetails" $main}}
+ - {{ include "k10.cancelActions" $main}}
+ verbs:
+ - "*"
+- apiGroups:
+{{- range sortAlpha $appsAPIs }}
+ - {{ . }}.{{ $apiDomain }}
+{{- end }}
+ resources:
+ - {{ include "k10.restorePoints" $main}}
+ - {{ include "k10.restorePointsDetails" $main}}
+ - {{ include "k10.applications" $main}}
+ - {{ include "k10.applicationsDetails" $main}}
+ verbs:
+ - "*"
+- apiGroups:
+ - ""
+ resources:
+ - namespaces
+ verbs:
+ - get
+- apiGroups:
+{{- range sortAlpha $configAPIs }}
+ - {{ . }}.{{ $apiDomain }}
+{{- end }}
+ resources:
+ - {{ include "k10.policies" $main}}
+ verbs:
+ - "*"
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ labels:
+{{ include "helm.labels" . | indent 4 }}
+{{ include "k10.defaultRBACLabels" . | indent 4 }}
+ name: {{ .Release.Name }}-config-view
+rules:
+- apiGroups:
+{{- range sortAlpha $configAPIs }}
+ - {{ . }}.{{ $apiDomain }}
+{{- end }}
+ resources:
+ - {{ include "k10.profiles" $main}}
+ - {{ include "k10.policies" $main}}
+ verbs:
+ - get
+ - list
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ labels:
+{{ include "helm.labels" . | indent 4 }}
+ name: {{ .Release.Namespace }}-{{ template "serviceAccountName" . }}-admin
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ .Release.Name }}-admin
+subjects:
+- apiGroup: rbac.authorization.k8s.io
+ kind: Group
+ name: k10:admins
+{{- range .Values.auth.k10AdminUsers }}
+- apiGroup: rbac.authorization.k8s.io
+ kind: User
+ name: {{ . }}
+{{- end }}
+{{- range default .Values.auth.groupAllowList .Values.auth.k10AdminGroups }}
+- apiGroup: rbac.authorization.k8s.io
+ kind: Group
+ name: {{ . }}
+{{- end }}
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ labels:
+{{ include "helm.labels" . | indent 4 }}
+ name: {{ .Release.Namespace }}-{{ template "serviceAccountName" . }}-ns-admin
+ namespace: {{ .Release.Namespace }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ .Release.Name }}-ns-admin
+subjects:
+- apiGroup: rbac.authorization.k8s.io
+ kind: Group
+ name: k10:admins
+{{- range .Values.auth.k10AdminUsers }}
+- apiGroup: rbac.authorization.k8s.io
+ kind: User
+ name: {{ . }}
+{{- end }}
+{{- range default .Values.auth.groupAllowList .Values.auth.k10AdminGroups }}
+- apiGroup: rbac.authorization.k8s.io
+ kind: Group
+ name: {{ . }}
+{{- end }}
+{{- end }}
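Review bot: The first `ClusterRoleBinding` in `rbac.yaml` binds the chart's service account, and the metering service account when it differs, to the built-in `cluster-admin` role, which is far more than a metering component should need and turns a compromise of either pod into a compromise of the whole cluster. I would bind the metering account to a narrow role of its own and put a comment above the binding stating why the main account needs the role, e.g. `# cluster-admin: K10 must read and recreate arbitrary resources in every namespace` if that is the reason. Further down, `range default .Values.auth.groupAllowList .Values.auth.k10AdminGroups` makes every group on the login allow-list a K10 admin (in both the `-admin` and the `-ns-admin` binding, the latter with create/delete on Secrets) whenever `k10AdminGroups` is unset; falling back to an empty list would avoid granting admin by omission. `{{ .Release.Name }}-mc-admin` grants `*` on `secrets`, which becomes cluster-wide if the role is ever bound with a `ClusterRoleBinding`, so it should carry a comment saying it is meant for namespaced bindings only, if that is the case.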
diff --git a/charts/k10/k10/4.5.1100/templates/route.yaml b/charts/k10/k10/4.5.1100/templates/route.yaml
new file mode 100644
index 000000000..1ecd244be
--- /dev/null
+++ b/charts/k10/k10/4.5.1100/templates/route.yaml
@@ -0,0 +1,36 @@
+{{- $route := .Values.route -}}
+{{- if $route.enabled -}}
+{{ include "authEnabled.check" . }}
+apiVersion: route.openshift.io/v1
+kind: Route
+metadata:
+ name: {{ .Release.Name }}-route
+ {{- with $route.annotations }}
+ namespace: {{ .Release.Namespace }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ labels:
+{{ include "helm.labels" . | indent 4 }}
+ {{- with $route.labels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ host: {{ $route.host }}
+ path: /{{ default .Release.Name $route.path | trimPrefix "/" | trimSuffix "/" }}/
+ port:
+ targetPort: http
+ to:
+ kind: Service
+ name: gateway
+ weight: 100
+ {{- if $route.tls.enabled }}
+ tls:
+ {{- if $route.tls.insecureEdgeTerminationPolicy }}
+ insecureEdgeTerminationPolicy: {{ $route.tls.insecureEdgeTerminationPolicy }}
+ {{- end }}
+ {{- if $route.tls.termination }}
+ termination: {{ $route.tls.termination }}
+ {{- end }}
+ {{- end }}
+{{- end -}}
diff --git a/charts/k10/k10/4.5.1100/templates/scc.yaml b/charts/k10/k10/4.5.1100/templates/scc.yaml
new file mode 100644
index 000000000..df12af4e3
--- /dev/null
+++ b/charts/k10/k10/4.5.1100/templates/scc.yaml
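Review bot: In `route.yaml`, `namespace: {{ .Release.Namespace }}` sits inside `{{- with $route.annotations }}`, so the Route gets no explicit namespace when no annotations are set, and when they are set `.` is the annotations map, so `.Release.Namespace` does not resolve to the release namespace and most likely fails the render. Move the line above the `with` block, directly under `name:`, and leave only `annotations:` and the `toYaml` line inside it. Separately, when `route.tls.enabled` is false the Route serves the dashboard over plain HTTP, and `insecureEdgeTerminationPolicy` is passed through unchecked; a comment recommending `termination: edge` with `insecureEdgeTerminationPolicy: Redirect` would point operators at the safer setting.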
@@ -0,0 +1,43 @@
+{{- if .Values.scc.create }}
+kind: SecurityContextConstraints
+apiVersion: security.openshift.io/v1
+metadata:
+ labels:
+{{ include "helm.labels" . | indent 4 }}
+ name: {{ .Release.Name }}-prometheus-server
+allowPrivilegedContainer: false
+allowHostNetwork: false
+allowHostDirVolumePlugin: true
+priority: null
+allowedCapabilities: null
+allowHostPorts: true
+allowHostPID: false
+allowHostIPC: false
+readOnlyRootFilesystem: false
+requiredDropCapabilities:
+- CHOWN
+- KILL
+- MKNOD
+- SETUID
+- SETGID
+defaultAddCapabilities: []
+allowedCapabilities: []
+priority: 0
+runAsUser:
+ type: MustRunAsNonRoot
+seLinuxContext:
+ type: RunAsAny
+fsGroup:
+ type: RunAsAny
+supplementalGroups:
+ type: RunAsAny
+volumes:
+- configMap
+- downwardAPI
+- emptyDir
+- persistentVolumeClaim
+- projected
+- secret
+users:
+ - system:serviceaccount:{{.Release.Namespace}}:prometheus-server
+{{- end }}
diff --git a/charts/k10/k10/4.5.1100/templates/secrets.yaml b/charts/k10/k10/4.5.1100/templates/secrets.yaml
new file mode 100644
index 000000000..ac309e717
--- /dev/null
+++ b/charts/k10/k10/4.5.1100/templates/secrets.yaml
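Review bot: In `scc.yaml`, `allowHostDirVolumePlugin: true` and `allowHostPorts: true` let the `prometheus-server` service account use host directories and host ports, yet the `volumes` list does not include `hostPath` and the Prometheus Service in this commit targets an ordinary container port, so both look broader than needed; I would set `allowHostDirVolumePlugin: false` and `allowHostPorts: false`. The document also defines `priority` and `allowedCapabilities` twice (`null` first, then `0` and `[]`); YAML loaders differ in how they treat duplicate keys, so keep a single definition of each. `requiredDropCapabilities` names five capabilities, and `- ALL` would be the tighter baseline if Prometheus needs none.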
@@ -0,0 +1,242 @@
+{{- include "enforce.singlecloudcreds" . -}}
+{{- include "check.validateImagePullSecrets" . -}}
+{{- if eq (include "check.awscreds" . ) "true" }}
+apiVersion: v1
+kind: Secret
+metadata:
+ labels:
+{{ include "helm.labels" . | indent 4 }}
+ namespace: {{ .Release.Namespace }}
+ name: aws-creds
+type: Opaque
+data:
+ aws_access_key_id: {{ required "secrets.awsAccessKeyId field is required!" .Values.secrets.awsAccessKeyId | b64enc | quote }}
+ aws_secret_access_key: {{ required "secrets.awsSecretAccessKey field is required!" .Values.secrets.awsSecretAccessKey | b64enc | quote }}
+{{- if .Values.secrets.awsIamRole }}
+ role: {{ .Values.secrets.awsIamRole | trim | b64enc | quote }}
+{{- end }}
+{{- end }}
+{{- if or .Values.secrets.dockerConfig .Values.secrets.dockerConfigPath }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ labels:
+{{ include "helm.labels" . | indent 4 }}
+ namespace: {{ .Release.Namespace }}
+ name: k10-ecr
+type: kubernetes.io/dockerconfigjson
+data:
+ .dockerconfigjson: {{ or .Values.secrets.dockerConfig ( .Values.secrets.dockerConfigPath | b64enc ) }}
+{{- end }}
+{{- if eq (include "check.googlecreds" .) "true" }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ labels:
+{{ include "helm.labels" . | indent 4 }}
+ namespace: {{ .Release.Namespace }}
+ name: google-secret
+type: Opaque
+data:
+ kasten-gke-sa.json: {{ .Values.secrets.googleApiKey }}
+{{- end }}
+{{- if eq (include "check.ibmslcreds" .) "true" }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ labels:
+{{ include "helm.labels" . | indent 4 }}
+ namespace: {{ .Release.Namespace }}
+ name: ibmsl-secret
+type: Opaque
+data:
+ ibm_sl_key: {{ required "secrets.ibmSoftLayerApiKey field is required!" .Values.secrets.ibmSoftLayerApiKey | b64enc | quote }}
+ ibm_sl_username: {{ required "secrets.ibmSoftLayerApiUsername field is required!" .Values.secrets.ibmSoftLayerApiUsername | b64enc | quote }}
+{{- end }}
+{{- if eq (include "check.azurecreds" .) "true" }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ labels:
+{{ include "helm.labels" . | indent 4 }}
+ namespace: {{ .Release.Namespace }}
+ name: azure-creds
+type: Opaque
+data:
+ azure_tenant_id: {{ required "secrets.azureTenantId field is required!" .Values.secrets.azureTenantId | b64enc | quote }}
+ azure_client_id: {{ required "secrets.azureClientId field is required!" .Values.secrets.azureClientId | b64enc | quote }}
+ azure_client_secret: {{ required "secrets.azureClientSecret field is required!" .Values.secrets.azureClientSecret | b64enc | quote }}
+ azure_resource_group: {{ default "" .Values.secrets.azureResourceGroup | b64enc | quote }}
+ azure_subscription_id: {{ default "" .Values.secrets.azureSubscriptionID | b64enc | quote }}
+ azure_resource_manager_endpoint: {{ default "" .Values.secrets.azureResourceMgrEndpoint | b64enc | quote }}
+ azure_ad_endpoint: {{ default "" .Values.secrets.azureADEndpoint | b64enc | quote }}
+ azure_ad_resource_id: {{ default "" .Values.secrets.azureADResourceID | b64enc | quote }}
+ azure_cloud_env_id: {{ default "" .Values.secrets.azureCloudEnvID | b64enc | quote }}
+{{- end }}
+{{- if eq (include "check.vspherecreds" .) "true" }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ labels:
+{{ include "helm.labels" . | indent 4 }}
+ namespace: {{ .Release.Namespace }}
+ name: vsphere-creds
+type: Opaque
+data:
+ vsphere_endpoint: {{ required "secrets.vsphereEndpoint field is required!" .Values.secrets.vsphereEndpoint | b64enc | quote }}
+ vsphere_username: {{ required "secrets.vsphereUsername field is required!" .Values.secrets.vsphereUsername | b64enc | quote }}
+ vsphere_password: {{ required "secrets.vspherePassword field is required!" .Values.secrets.vspherePassword | b64enc | quote }}
+{{- end }}
+{{- if and (eq (include "basicauth.check" .) "true") (not .Values.auth.basicAuth.secretName) }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ labels:
+{{ include "helm.labels" . | indent 4 }}
+ name: k10-basic-auth
+ namespace: {{ .Release.Namespace }}
+data:
+ auth: {{ required "auth.basicAuth.htpasswd field is required!" .Values.auth.basicAuth.htpasswd | b64enc | quote}}
+type: Opaque
+{{- end }}
+{{- if .Values.auth.tokenAuth.enabled }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ labels:
+{{ include "helm.labels" . | indent 4 }}
+ name: k10-token-auth
+ namespace: {{ .Release.Namespace }}
+data:
+ auth: {{ "true" | b64enc | quote}}
+type: Opaque
+{{- end }}
+{{- if and .Values.auth.oidcAuth.enabled (not .Values.auth.oidcAuth.secretName) }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ labels:
+{{ include "helm.labels" . | indent 4 }}
+ name: k10-oidc-auth
+ namespace: {{ .Release.Namespace }}
+data:
+ provider-url: {{ required "auth.oidcAuth.providerURL field is required!" .Values.auth.oidcAuth.providerURL | b64enc | quote }}
+ redirect-url: {{ required "auth.oidcAuth.redirectURL field is required!" .Values.auth.oidcAuth.redirectURL | b64enc | quote }}
+ client-id: {{ required "auth.oidcAuth.clientID field is required!" .Values.auth.oidcAuth.clientID | b64enc | quote }}
+ client-secret: {{ required "auth.oidcAuth.clientSecret field is required!" .Values.auth.oidcAuth.clientSecret | b64enc | quote }}
+ scopes: {{ required "auth.oidcAuth.scopes field is required!" .Values.auth.oidcAuth.scopes | b64enc | quote }}
+ prompt: {{ default "select_account" .Values.auth.oidcAuth.prompt | b64enc | quote }}
+ usernameClaim: {{ default "sub" .Values.auth.oidcAuth.usernameClaim | b64enc | quote }}
+ usernamePrefix: {{ default "" .Values.auth.oidcAuth.usernamePrefix | b64enc | quote }}
+ groupClaim: {{ default "" .Values.auth.oidcAuth.groupClaim | b64enc | quote }}
+ groupPrefix: {{ default "" .Values.auth.oidcAuth.groupPrefix | b64enc | quote }}
+stringData:
+ groupAllowList: |-
+{{- range $.Values.auth.groupAllowList }}
+ {{ . -}}
+{{ end }}
+ logout-url: {{ default "" .Values.auth.oidcAuth.logoutURL | b64enc | quote }}
+type: Opaque
+{{- end }}
+{{- if and .Values.auth.openshift.enabled }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ labels:
+{{ include "helm.labels" . | indent 4 }}
+ name: k10-oidc-auth
+ namespace: {{ .Release.Namespace }}
+data:
+ provider-url: {{ required "auth.openshift.dashboardURL field is required!" (printf "%s/dex" (trimSuffix "/" .Values.auth.openshift.dashboardURL)) | b64enc | quote }}
+ {{- if .Values.route.enabled }}
+ redirect-url: {{ required "auth.openshift.dashboardURL field is required!" (trimSuffix "/" (trimSuffix (default .Release.Name .Values.route.path) (trimSuffix "/" .Values.auth.openshift.dashboardURL))) | b64enc | quote }}
+ {{- else }}
+ redirect-url: {{ required "auth.openshift.dashboardURL field is required!" (trimSuffix "/" (trimSuffix (default .Release.Name .Values.ingress.urlPath) (trimSuffix "/" .Values.auth.openshift.dashboardURL))) | b64enc | quote }}
+ {{- end }}
+ client-id: {{ (printf "kasten") | b64enc | quote }}
+ client-secret: {{ (printf "kastensecret") | b64enc | quote }}
+ scopes: {{ (printf "groups profile email") | b64enc | quote }}
+ prompt: {{ (printf "select_account") | b64enc | quote }}
+ usernameClaim: {{ default "email" .Values.auth.openshift.usernameClaim | b64enc | quote }}
+ usernamePrefix: {{ default "" .Values.auth.openshift.usernamePrefix | b64enc | quote }}
+ groupClaim: {{ default "groups" .Values.auth.openshift.groupClaim | b64enc | quote }}
+ groupPrefix: {{ default "" .Values.auth.openshift.groupPrefix | b64enc | quote }}
+stringData:
+ groupAllowList: |-
+{{- range $.Values.auth.groupAllowList }}
+ {{ . -}}
+{{ end }}
+type: Opaque
+{{- end }}
+{{- if and .Values.auth.ldap.enabled (not .Values.auth.ldap.secretName) }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ labels:
+{{ include "helm.labels" . | indent 4 }}
+ name: k10-oidc-auth
+ namespace: {{ .Release.Namespace }}
+data:
+ provider-url: {{ required "auth.ldap.dashboardURL field is required!" (printf "%s/dex" (trimSuffix "/" .Values.auth.ldap.dashboardURL)) | b64enc | quote }}
+ {{- if .Values.route.enabled }}
+ redirect-url: {{ required "auth.ldap.dashboardURL field is required!" (trimSuffix "/" (trimSuffix (default .Release.Name .Values.route.path) (trimSuffix "/" .Values.auth.ldap.dashboardURL))) | b64enc | quote }}
+ {{- else }}
+ redirect-url: {{ required "auth.ldap.dashboardURL field is required!" (trimSuffix "/" (trimSuffix (default .Release.Name .Values.ingress.urlPath) (trimSuffix "/" .Values.auth.ldap.dashboardURL))) | b64enc | quote }}
+ {{- end }}
+ client-id: {{ (printf "kasten") | b64enc | quote }}
+ client-secret: {{ (printf "kastensecret") | b64enc | quote }}
+ scopes: {{ (printf "groups profile email") | b64enc | quote }}
+ prompt: {{ (printf "select_account") | b64enc | quote }}
+ usernameClaim: {{ default "email" .Values.auth.ldap.usernameClaim | b64enc | quote }}
+ usernamePrefix: {{ default "" .Values.auth.ldap.usernamePrefix | b64enc | quote }}
+ groupClaim: {{ default "groups" .Values.auth.ldap.groupClaim | b64enc | quote }}
+ groupPrefix: {{ default "" .Values.auth.ldap.groupPrefix | b64enc | quote }}
+stringData:
+ groupAllowList: |-
+{{- range $.Values.auth.groupAllowList }}
+ {{ . -}}
+{{ end }}
+type: Opaque
+{{- end }}
+{{- if and .Values.auth.ldap.enabled (not .Values.auth.ldap.bindPWSecretName) }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ labels:
+{{ include "helm.labels" . | indent 4 }}
+ name: k10-dex
+ namespace: {{ .Release.Namespace }}
+data:
+ bindPW: {{ required "auth.ldap.bindPW field is required!" .Values.auth.ldap.bindPW | b64enc | quote }}
+type: Opaque
+{{- end }}
+{{- if eq (include "check.primaryKey" . ) "true" }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ labels:
+{{ include "helm.labels" . | indent 4 }}
+ name: k10-encryption-primary-key
+ namespace: {{ .Release.Namespace }}
+data:
+ {{- if .Values.encryption.primaryKey.awsCmkKeyId }}
+ awscmkkeyid: {{ default "" .Values.encryption.primaryKey.awsCmkKeyId | trim | b64enc | quote }}
+ {{- end }}
+ {{- if .Values.encryption.primaryKey.vaultTransitKeyName }}
+ vaulttransitkeyname: {{ default "" .Values.encryption.primaryKey.vaultTransitKeyName | trim | b64enc | quote }}
+ vaulttransitpath: {{ default "transit" .Values.encryption.primaryKey.vaultTransitPath | trim | b64enc | quote }}
+ {{- end }}
+type: Opaque
+{{- end }}
diff --git a/charts/k10/k10/4.5.1100/templates/serviceaccount.yaml b/charts/k10/k10/4.5.1100/templates/serviceaccount.yaml
new file mode 100644
index 000000000..a7704e4e6
--- /dev/null
+++ b/charts/k10/k10/4.5.1100/templates/serviceaccount.yaml
@@ -0,0 +1,27 @@
+{{- if and .Values.serviceAccount.create ( not .Values.metering.awsMarketplace ) ( not .Values.metering.awsManagedLicense ) }}
+kind: ServiceAccount
+apiVersion: v1
+metadata:
+{{- if .Values.secrets.awsIamRole }}
+ annotations:
+ eks.amazonaws.com/role-arn: {{ .Values.secrets.awsIamRole }}
+{{- end }}
+ labels:
+{{ include "helm.labels" . | indent 4 }}
+ name: {{ template "serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
+{{- end }}
+{{- if and (not ( eq (include "meteringServiceAccountName" .) (include "serviceAccountName" .))) ( not .Values.metering.awsManagedLicense ) .Values.metering.serviceAccount.create }}
+---
+kind: ServiceAccount
+apiVersion: v1
+metadata:
+{{- if .Values.metering.awsMarketPlaceIamRole }}
+ annotations:
+ eks.amazonaws.com/role-arn: {{ .Values.metering.awsMarketPlaceIamRole }}
+{{- end }}
+ labels:
+{{ include "helm.labels" . | indent 4 }}
+ name: {{ template "meteringServiceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
+{{- end }}
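Review bot: In `secrets.yaml`, both Dex-backed variants of `k10-oidc-auth` (the `auth.openshift` and `auth.ldap` branches) render `client-secret: {{ (printf "kastensecret") | b64enc | quote }}`, a fixed value that is identical in every installation and readable by anyone who has the chart, so it cannot serve as a credential between the dashboard and Dex. The value should come from a per-install source, either a required chart value or a random string generated once and reused through `lookup`, and the Dex client configuration, which is outside this hunk, has to receive the same value. In the `auth.oidcAuth` variant, `logout-url` sits under `stringData` but is still piped through `b64enc`, so the stored value is the base64 text rather than the URL unless the consumer decodes it again; it probably belongs under `data:`. `.dockerconfigjson` (for `dockerConfig`) and `kasten-gke-sa.json` are written without `b64enc`, so they depend on the caller passing pre-encoded values, which should be stated in a comment beside each. All of these credentials arrive as Helm values and therefore also persist in the release record and in any values file, so the existing `secretName` options are the safer path to document as the default.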
diff --git a/charts/k10/k10/4.5.1100/templates/v0services.yaml b/charts/k10/k10/4.5.1100/templates/v0services.yaml
new file mode 100644
index 000000000..de881bf77
--- /dev/null
+++ b/charts/k10/k10/4.5.1100/templates/v0services.yaml
@@ -0,0 +1,162 @@ +{{/* Template to generate service spec for v0 rest services */}} +{{- $container_port := .Values.service.internalPort -}} +{{- $service_port := .Values.service.externalPort -}} +{{- $aggregated_api_port := .Values.service.aggregatedApiPort -}} +{{- $postfix := default .Release.Name .Values.ingress.urlPath -}} +{{- $colocated_services := include "k10.colocatedServices" . | fromYaml -}} +{{- $exposed_services := include "k10.exposedServices" . | splitList " " -}} +{{- $os_postfix := default .Release.Name .Values.route.path -}} +{{- $main_context := . -}} +{{- range append (include "k10.restServices" . | splitList " ") "frontend" }} + {{ if not (hasKey $colocated_services . ) }} +apiVersion: v1 +kind: Service +metadata: + namespace: {{ $.Release.Namespace }} + name: {{ . }}-svc + labels: +{{ include "helm.labels" $ | indent 4 }} + component: {{ . }} + run: {{ . }}-svc +{{ if or (has . $exposed_services) (eq . "frontend") }} + annotations: + getambassador.io/config: | + --- + apiVersion: ambassador/v1 + kind: Mapping + name: {{ . }}-mapping + {{- if $.Values.route.enabled }} + {{- if eq . "frontend" }} + prefix: /{{ $os_postfix | trimPrefix "/" | trimSuffix "/" }}/ + {{- else }} + prefix: /{{ $os_postfix | trimPrefix "/" | trimSuffix "/" }}/{{ . }}-svc/ + {{- end }} + {{- else }} + {{- if eq . "frontend" }} + prefix: /{{ $postfix | trimPrefix "/" | trimSuffix "/" }}/ + {{- else }} + prefix: /{{ $postfix | trimPrefix "/" | trimSuffix "/" }}/{{ . }}-svc/ + {{- end }} + {{- end }} + rewrite: / + service: {{ . }}-svc.{{ $.Release.Namespace }}:{{ $service_port }} + timeout_ms: 30000 +{{- $colocatedList := include "get.enabledColocatedSvcList" $main_context | fromYaml }} +{{- range $skip, $secondary := index $colocatedList . }} + {{- $colocConfig := index (include "k10.colocatedServices" . 
| fromYaml) $secondary }} + {{- if $colocConfig.isExposed }} + --- + apiVersion: ambassador/v1 + kind: Mapping + name: {{ $secondary }}-mapping + prefix: /{{ $postfix }}/{{ $secondary }}-svc/ + rewrite: / + service: {{ $colocConfig.primary }}-svc.{{ $.Release.Namespace }}:{{ $colocConfig.port }} + timeout_ms: 30000 + {{- end }} +{{- end }} +{{- end }} +spec: + ports: + - name: http + protocol: TCP + port: {{ $service_port }} + targetPort: {{ $container_port }} +{{- $colocatedList := include "get.enabledColocatedSvcList" $main_context | fromYaml }} +{{- range $skip, $secondary := index $colocatedList . }} + {{- $colocConfig := index (include "k10.colocatedServices" . | fromYaml) $secondary }} + - name: {{ $secondary }} + protocol: TCP + port: {{ $colocConfig.port }} + targetPort: {{ $colocConfig.port }} +{{- end }} +{{- if eq . "logging" }} + - name: logging + protocol: TCP + port: 24224 + targetPort: 24224 + - name: logging-metrics + protocol: TCP + port: 24225 + targetPort: 24225 +{{- end }} + selector: + run: {{ . }}-svc +--- + {{ end }}{{/* if not (hasKey $colocated_services $k10_service ) */}} +{{ end -}}{{/* range append (include "k10.restServices" . | splitList " ") "frontend" */}} +{{- range append (include "k10.services" . | splitList " ") "kanister" }} +apiVersion: v1 +kind: Service +metadata: + namespace: {{ $.Release.Namespace }} + name: {{ . }}-svc + labels: +{{ include "helm.labels" $ | indent 4 }} + component: {{ . }} + run: {{ . }}-svc +spec: + ports: + {{- if eq . "aggregatedapis" }} + - name: http + port: 443 + protocol: TCP + targetPort: {{ $aggregated_api_port }} + {{- else }} + - name: http + protocol: TCP + port: {{ $service_port }} + targetPort: {{ $container_port }} + {{- end }} + {{- if and (eq . 
"config") ($.Values.injectKanisterSidecar.enabled) }} + - name: https + protocol: TCP + port: 443 + targetPort: {{ $.Values.injectKanisterSidecar.webhookServer.port }} + {{- end }} +{{- $colocatedList := include "get.enabledColocatedSvcList" $main_context | fromYaml }} +{{- range $skip, $secondary := index $colocatedList . }} + {{- $colocConfig := index (include "k10.colocatedServices" . | fromYaml) $secondary }} + - name: {{ $secondary }} + protocol: TCP + port: {{ $colocConfig.port }} + targetPort: {{ $colocConfig.port }} +{{- end }} + selector: + run: {{ . }}-svc +--- +{{ end -}} +{{- if or .Values.auth.dex.enabled (eq (include "check.dexAuth" .) "true") }} +apiVersion: v1 +kind: Service +metadata: + annotations: + getambassador.io/config: | + --- + apiVersion: ambassador/v1 + kind: Mapping + name: dex-mapping + {{- if $.Values.route.enabled }} + prefix: /{{ $os_postfix | trimPrefix "/" | trimSuffix "/" }}/dex/ + {{- else }} + prefix: /{{ $postfix | trimPrefix "/" | trimSuffix "/" }}/dex/ + {{- end }} + rewrite: "" + service: dex.{{ $.Release.Namespace }}:8000 + timeout_ms: 30000 + name: dex + namespace: {{ $.Release.Namespace }} + labels: +{{ include "helm.labels" $ | indent 4 }} + component: dex + run: auth-svc +spec: + ports: + - name: http + port: {{ $service_port }} + protocol: TCP + targetPort: 8080 + selector: + run: auth-svc + type: ClusterIP +{{ end -}} diff --git a/charts/k10/k10/4.5.1100/triallicense b/charts/k10/k10/4.5.1100/triallicense new file mode 100644 index 000000000..cfe6dd46b --- /dev/null +++ b/charts/k10/k10/4.5.1100/triallicense @@ -0,0 +1 @@ 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 diff --git a/charts/k10/k10/4.5.1100/values.schema.json b/charts/k10/k10/4.5.1100/values.schema.json new file mode 100644 index 000000000..0437e8d1b --- /dev/null +++ b/charts/k10/k10/4.5.1100/values.schema.json 
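Review bot: The Mapping generated for exposed colocated services builds its prefix as `prefix: /{{ $postfix }}/{{ $secondary }}-svc/`, without the `trimPrefix "/" | trimSuffix "/"` that every other mapping in this template applies and without the `$.Values.route.enabled` branch that switches to `$os_postfix`. With `ingress.urlPath` set to a value with surrounding slashes (constructed example: `/k10/`) this renders a doubled-slash prefix, and with routes enabled the colocated service is published under a different path than its primary. Suggest `prefix: /{{ $postfix | trimPrefix "/" | trimSuffix "/" }}/{{ $secondary }}-svc/` inside the same `route.enabled` conditional used for the primary mapping. Separately, the dex Mapping hard-codes `service: dex.{{ $.Release.Namespace }}:8000` while the dex Service port is `{{ $service_port }}`, so the two diverge if `service.externalPort` is changed.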
@@ -0,0 +1,1089 @@ +{ + "$schema": "http://json-schema.org/draft-07/schema", + "type": "object", + "properties": { + "serviceAccount": { + "type": "object", + "properties": { + "create": { + "type": "boolean" + }, + "name": { + "type": "string" + } + } + }, + "image": { + "type": "object", + "properties": { + "registry": { + "type": "string" + }, + "repository": { + "type": "string" + }, + "image": { + "type": "string" + }, + "tag": { + "type": "string" + }, + "pullPolicy": { + "type": "string" + } + } + }, + "scc": { + "type": "object", + "properties": { + "create": { + "type": "boolean" + } + } + }, + "networkPolicy": { + "type": "object", + "properties": { + "create": { + "type": "boolean" + } + } + }, + "global": { + "type": "object", + "properties": { + "airgapped": { + "type": "object", + "properties": { + "repository": { + "type": "string" + } + } + }, + "persistence": { + "type": "object", + "properties": { + "mountPath": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "storageClass": { + "type": "string" + }, + "accessMode": { + "type": "string" + }, + "size": { + "type": "string" + }, + "metering": { + "type": "object", + "properties": { + "size": { + "type": "string" + } + } + }, + "catalog": { + "type": "object", + "properties": { + "size": { + "type": "string" + } + } + }, + "jobs": { + "type": "object", + "properties": { + "size": { + "type": "string" + } + } + }, + "logging": { + "type": "object", + "properties": { + "size": { + "type": "string" + } + } + } + } + }, + "upstreamCertifiedImages": { + "type": "boolean" + }, + "rhMarketPlace": { + "type": "boolean" + }, + "images": { + "type": "object", + "properties": { + "aggregatedapis": { + "type": "string" + }, + "auth": { + "type": "string" + }, + "catalog": { + "type": "string" + }, + "config": { + "type": "string" + }, + "crypto": { + "type": "string" + }, + "dashboardbff": { + "type": "string" + }, + "executor": { + "type": "string" + }, + "frontend": { + "type": "string" + 
}, + "jobs": { + "type": "string" + }, + "kanister": { + "type": "string" + }, + "logging": { + "type": "string" + }, + "metering": { + "type": "string" + }, + "state": { + "type": "string" + }, + "ambassador": { + "type": "string" + }, + "prometheus": { + "type": "string" + }, + "configmap-reload": { + "type": "string" + }, + "dex": { + "type": "string" + }, + "kanister-tools": { + "type": "string" + }, + "upgrade": { + "type": "string" + }, + "cephtool": { + "type": "string" + }, + "datamover": { + "type": "string" + } + } + } + } + }, + "metering": { + "type": "object", + "properties": { + "reportingKey": { + "type": "string" + }, + "consumerId": { + "type": "string" + }, + "awsMarketPlaceIamRole": { + "type": "string" + }, + "awsRegion": { + "type": "string" + }, + "serviceAccount": { + "type": "object", + "properties": { + "create": { + "type": "boolean" + }, + "name": { + "type": "string" + } + } + }, + "licenseConfigSecretName": { + "type": "string" + }, + "mode": { + "type": "string" + }, + "reportCollectionPeriod": { + "type": "integer" + }, + "reportPushPeriod": { + "type": "integer" + }, + "promoID": { + "type": "string" + } + } + }, + "route": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + }, + "host": { + "type": "string" + }, + "path": { + "type": "string" + }, + "annotations": { + "type": "object" + }, + "labels": { + "type": "object" + }, + "tls": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + }, + "insecureEdgeTerminationPolicy": { + "type": "string" + }, + "termination": { + "type": "string" + } + } + } + } + }, + "toolsImage": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + }, + "pullPolicy": { + "type": "string" + } + } + }, + "ambassadorImage": { + "type": "object", + "properties": { + "registry": { + "type": "string" + }, + "repository": { + "type": "string" + }, + "image": { + "type": "string" + } + } + }, + "dexImage": { + "type": "object", + 
"properties": { + "registry": { + "type": "string" + }, + "repository": { + "type": "string" + }, + "image": { + "type": "string" + } + } + }, + "kanisterToolsImage": { + "type": "object", + "properties": { + "registry": { + "type": "string" + }, + "repository": { + "type": "string" + }, + "image": { + "type": "string" + }, + "pullPolicy": { + "type": "string" + } + } + }, + "eula": { + "type": "object", + "properties": { + "accept": { + "type": "boolean" + } + } + }, + "license": { + "type": "string" + }, + "prometheus": { + "type": "object", + "properties": { + "k10image": { + "type": "object", + "properties": { + "registry": { + "type": "string" + }, + "repository": { + "type": "string" + } + } + }, + "initChownData": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + } + } + }, + "rbac": { + "type": "object", + "properties": { + "create": { + "type": "boolean" + } + } + }, + "alertmanager": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + } + } + }, + "kubeStateMetrics": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + } + } + }, + "networkPolicy": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + } + } + }, + "nodeExporter": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + } + } + }, + "pushgateway": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + } + } + }, + "scrapeCAdvisor": { + "type": "boolean" + }, + "server": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + }, + "securityContext": { + "type": "object", + "properties": { + "runAsUser": { + "type": "integer" + }, + "runAsNonRoot": { + "type": "boolean" + }, + "runAsGroup": { + "type": "integer" + }, + "fsGroup": { + "type": "integer" + } + } + }, + "retention": { + "type": "string" + }, + "strategy": { + "type": "object", + "properties": { + "rollingUpdate": { + "type": "object", + "properties": { + "maxSurge": { + 
"type": "string" + }, + "maxUnavailable": { + "type": "string" + } + } + }, + "type": { + "type": "string" + } + } + }, + "persistentVolume": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + }, + "storageClass": { + "type": "string" + } + } + }, + "configMapOverrideName": { + "type": "string" + }, + "fullnameOverride": { + "type": "string" + }, + "baseURL": { + "type": "string" + }, + "prefixURL": { + "type": "string" + } + } + }, + "serviceAccounts": { + "type": "object", + "properties": { + "alertmanager": { + "type": "object", + "properties": { + "create": { + "type": "boolean" + } + } + }, + "kubeStateMetrics": { + "type": "object", + "properties": { + "create": { + "type": "boolean" + } + } + }, + "nodeExporter": { + "type": "object", + "properties": { + "create": { + "type": "boolean" + } + } + }, + "pushgateway": { + "type": "object", + "properties": { + "create": { + "type": "boolean" + } + } + }, + "server": { + "type": "object", + "properties": { + "create": { + "type": "boolean" + } + } + } + } + } + } + }, + "service": { + "type": "object", + "properties": { + "externalPort": { + "type": "integer" + }, + "internalPort": { + "type": "integer" + }, + "aggregatedApiPort": { + "type": "integer" + }, + "gatewayAdminPort": { + "type": "integer" + } + } + }, + "secrets": { + "type": "object", + "properties": { + "awsAccessKeyId": { + "type": "string" + }, + "awsSecretAccessKey": { + "type": "string" + }, + "awsIamRole": { + "type": "string" + }, + "googleApiKey": { + "type": "string" + }, + "dockerConfig": { + "type": "string" + }, + "dockerConfigPath": { + "type": "string" + }, + "azureTenantId": { + "type": "string" + }, + "azureClientId": { + "type": "string" + }, + "azureClientSecret": { + "type": "string" + }, + "azureResourceGroup": { + "type": "string" + }, + "azureSubscriptionID": { + "type": "string" + }, + "azureResourceMgrEndpoint": { + "type": "string" + }, + "azureADEndpoint": { + "type": "string" + }, + 
"azureADResourceID": { + "type": "string" + }, + "apiTlsCrt": { + "type": "string" + }, + "apiTlsKey": { + "type": "string" + }, + "ibmSoftLayerApiKey": { + "type": "string" + }, + "ibmSoftLayerApiUsername": { + "type": "string" + }, + "vsphereEndpoint": { + "type": "string" + }, + "vsphereUsername": { + "type": "string" + }, + "vspherePassword": { + "type": "string" + } + } + }, + "clusterName": { + "type": "string" + }, + "executorReplicas": { + "type": "integer" + }, + "logLevel": { + "type": "string" + }, + "apiservices": { + "type": "object", + "properties": { + "deployed": { + "type": "boolean" + } + } + }, + "injectKanisterSidecar": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + }, + "namespaceSelector": { + "type": "object", + "properties": { + "matchLabels": { + "type": "object" + } + } + }, + "objectSelector": { + "type": "object", + "properties": { + "matchLabels": { + "type": "object" + } + } + }, + "webhookServer": { + "type": "object", + "properties": { + "port": { + "type": "integer" + } + } + } + } + }, + "kanisterPodCustomLabels": { + "type": "string" + }, + "kanisterPodCustomAnnotations": { + "type": "string" + }, + "resources": { + "type": "object" + }, + "services": { + "type": "object", + "properties": { + "executor": { + "type": "object", + "properties": { + "hostNetwork": { + "type": "boolean" + } + } + }, + "dashboardbff": { + "type": "object", + "properties": { + "hostNetwork": { + "type": "boolean" + } + } + }, + "securityContext": { + "type": "object", + "properties": { + "runAsUser": { + "type": "integer" + }, + "fsGroup": { + "type": "integer" + } + } + } + } + }, + "apigateway": { + "type": "object", + "properties": { + "serviceResolver": { + "type": "string" + } + } + }, + "limiter": { + "type": "object", + "properties": { + "genericVolumeSnapshots": { + "type": "integer" + }, + "genericVolumeCopies": { + "type": "integer" + }, + "genericVolumeRestores": { + "type": "integer" + }, + "csiSnapshots": { + 
"type": "integer" + }, + "providerSnapshots": { + "type": "integer" + } + } + }, + "gateway": { + "type": "object", + "properties": { + "insecureDisableSSLVerify": { + "type": "boolean" + } + } + }, + "kanisterWithKopia": { + "type": "boolean" + }, + "ingress": { + "type": "object", + "properties": { + "create": { + "type": "boolean" + }, + "tls": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + } + } + }, + "class": { + "type": "string" + }, + "host": { + "type": "string" + }, + "urlPath": { + "type": "string" + } + } + }, + "genericVolumeSnapshot": { + "type": "object", + "properties": { + "resources": { + "type": "object", + "properties": { + "requests": { + "type": "object", + "properties": { + "memory": { + "type": "string" + }, + "cpu": { + "type": "string" + } + } + }, + "limits": { + "type": "object", + "properties": { + "memory": { + "type": "string" + }, + "cpu": { + "type": "string" + } + } + } + } + } + } + } + }, + "jaeger": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + }, + "agentDNS": { + "type": "string" + } + } + }, + "cacertconfigmap": { + "type": "object", + "properties": { + "name": { + "type": "string" + } + } + }, + "externalGateway": { + "type": "object", + "properties": { + "create": { + "type": "boolean" + }, + "annotations": { + "type": "object" + }, + "fqdn": { + "type": "object", + "properties": { + "name": { + "type": "string" + }, + "type": { + "type": "string" + } + } + }, + "awsSSLCertARN": { + "type": "string" + } + } + }, + "auth": { + "type": "object", + "properties": { + "groupAllowList": { + "type": "array", + "items": { + "type": "string" + } + }, + "basicAuth": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + }, + "secretName": { + "type": "string" + }, + "htpasswd": { + "type": "string" + } + } + }, + "tokenAuth": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + } + } + }, + "oidcAuth": { + "type": "object", + 
"properties": { + "enabled": { + "type": "boolean" + }, + "providerURL": { + "type": "string" + }, + "redirectURL": { + "type": "string" + }, + "scopes": { + "type": "string" + }, + "prompt": { + "type": "string" + }, + "clientID": { + "type": "string" + }, + "clientSecret": { + "type": "string" + }, + "usernameClaim": { + "type": "string" + }, + "usernamePrefix": { + "type": "string" + }, + "groupClaim": { + "type": "string" + }, + "groupPrefix": { + "type": "string" + }, + "logoutURL": { + "type": "string" + }, + "secretName": { + "type": "string" + } + } + }, + "dex": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + }, + "providerURL": { + "type": "string" + }, + "redirectURL": { + "type": "string" + } + } + }, + "openshift": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + }, + "serviceAccount": { + "type": "string" + }, + "clientSecret": { + "type": "string" + }, + "dashboardURL": { + "type": "string" + }, + "openshiftURL": { + "type": "string" + }, + "insecureCA": { + "type": "boolean" + }, + "useServiceAccountCA": { + "type": "boolean" + }, + "secretName": { + "type": "string" + }, + "usernameClaim": { + "type": "string" + }, + "usernamePrefix": { + "type": "string" + }, + "groupnameClaim": { + "type": "string" + }, + "groupnamePrefix": { + "type": "string" + } + } + }, + "ldap": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + }, + "restartPod": { + "type": "boolean" + }, + "dashboardURL": { + "type": "string" + }, + "host": { + "type": "string" + }, + "insecureNoSSL": { + "type": "boolean" + }, + "insecureSkipVerifySSL": { + "type": "boolean" + }, + "startTLS": { + "type": "boolean" + }, + "bindDN": { + "type": "string" + }, + "bindPW": { + "type": "string" + }, + "bindPWSecretName": { + "type": "string" + }, + "userSearch": { + "type": "object", + "properties": { + "baseDN": { + "type": "string" + }, + "filter": { + "type": "string" + }, + "username": { + "type": "string" 
+ }, + "idAttr": { + "type": "string" + }, + "emailAttr": { + "type": "string" + }, + "nameAttr": { + "type": "string" + }, + "preferredUsernameAttr": { + "type": "string" + } + } + }, + "groupSearch": { + "type": "object", + "properties": { + "baseDN": { + "type": "string" + }, + "filter": { + "type": "string" + }, + "userMatchers": { + "type": "array", + "items": { + "type": "string" + } + }, + "nameAttr": { + "type": "string" + } + } + }, + "secretName": { + "type": "string" + }, + "usernameClaim": { + "type": "string" + }, + "usernamePrefix": { + "type": "string" + }, + "groupnameClaim": { + "type": "string" + }, + "groupnamePrefix": { + "type": "string" + } + } + }, + "k10AdminUsers": { + "type": "array", + "items": { + "type": "string" + } + }, + "k10AdminGroups": { + "type": "array", + "items": { + "type": "string" + } + } + } + }, + "cluster": { + "type": "object", + "properties": { + "domainName": { + "type": "string" + } + } + } +} diff --git a/charts/k10/k10/4.5.1100/values.yaml b/charts/k10/k10/4.5.1100/values.yaml new file mode 100644 index 000000000..e5cc7b500 --- /dev/null +++ b/charts/k10/k10/4.5.1100/values.yaml 
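Review bot: By brace count the top-level `properties` object closes immediately after `genericVolumeSnapshot`, so `jaeger`, `cacertconfigmap`, `externalGateway`, `auth` and `cluster` end up as siblings of `properties` rather than members of it. A draft-07 validator ignores unknown top-level keywords, so none of the `auth.*` settings (including `ldap.insecureNoSSL`, `ldap.insecureSkipVerifySSL` and `openshift.insecureCA`) are type-checked at install time. Closing `properties` after the `cluster` block instead would bring them under validation. The schema also has no entries for keys that values.yaml in this patch defines, such as `encryption`, `vault` and `gateway.exposeAdminPort`, so a mistyped value there passes unnoticed.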
@@ -0,0 +1,456 @@ +# Default values for k10. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. +image: + registry: gcr.io + repository: kasten-images + image: '' + tag: '' + pullPolicy: Always + +rbac: + create: true +serviceAccount: + # Specifies whether a ServiceAccount should be created + create: true + # The name of the ServiceAccount to use. + # If not set and create is true, a name is derived using the release and chart names. + name: "" + +scc: + create: false + +networkPolicy: + create: true + +# Empty value of airgapped.repository specifies that the installation is +# going to be online and if we provide this value using --set flag that +# means that the installation is going to be offline +global: + airgapped: + repository: '' + persistence: + mountPath: "/mnt/k10state" + enabled: true + ## If defined, storageClassName: + ## If set to "-", storageClassName: "", which disables dynamic provisioning + ## If undefined (the default) or set to null, no storageClassName spec is + ## set, choosing the default provisioner. (gp2 on AWS, standard on + ## GKE, AWS & OpenStack) + ## + storageClass: "" + accessMode: ReadWriteOnce + size: 20Gi + metering: + size: 2Gi + catalog: + size: "" + jobs: + size: "" + logging: + size: "" + grafana: + # Default value is set to 5Gi. This is the same as the default value + # from previous releases <= 4.5.1 where the Grafana sub chart used to + # reference grafana.persistence.size instead of the global values. 
+ # Since the size remains the same across upgrades, the Grafana PVC + # is not deleted and recreated which means no Grafana data is lost + # while upgrading from <= 4.5.1 + size: 5Gi + ## Do we want to use certified version to upstream container images + ## TODO: @viveksinghggits, we don't need this anymore + upstreamCertifiedImages: false + ## Set it to true while geenerating helm operator + rhMarketPlace: false + ## these values should not be provided us, these are to be used by + ## red hat marketplace + images: + admin: '' + aggregatedapis: '' + auth: '' + catalog: '' + config: '' + crypto: '' + dashboardbff: '' + events: '' + executor: '' + frontend: '' + jobs: '' + kanister: '' + logging: '' + metering: '' + state: '' + ambassador: '' + prometheus: '' + configmap-reload: '' + dex: '' + kanister-tools: '' + upgrade: '' + cephtool: '' + datamover: '' + bloblifecyclemanager: '' + vbrintegrationapi: '' + grafana: '' + imagePullSecret: '' + ingress: + create: false + urlPath: "" #url path for k10 gateway + route: + enabled: false + path: "" + + +## OpenShift route configuration. 
+route: + enabled: false + # Host name for the route + host: "" + # Default path for the route + path: "" + + annotations: {} + # kubernetes.io/tls-acme: "true" + # haproxy.router.openshift.io/disable_cookies: "true" + # haproxy.router.openshift.io/balance: roundrobin + + labels: {} + # key: value + + # TLS configuration + tls: + enabled: false + # What to do in case of an insecure traffic edge termination + insecureEdgeTerminationPolicy: "Redirect" + # Where this TLS configuration should terminate + termination: "edge" + +toolsImage: + enabled: true + pullPolicy: Always + +ambassadorImage: + registry: quay.io + repository: datawire + image: ambassador + +dexImage: + registry: quay.io + repository: dexidp + image: dex + +kanisterToolsImage: + registry: ghcr.io + repository: kanisterio + image: kanister-tools + pullPolicy: Always + +ingress: + create: false + tls: + enabled: false + class: "" #Ingress controller type + host: "" #ingress object host name + urlPath: "" #url path for k10 gateway + pathType: "" + +eula: + accept: false #true value if EULA accepted + +license: "" #base64 encoded string provided by Kasten + +cluster: + domainName: "cluster.local" #default value is cluster.local + +prometheus: + k10image: + # take this value from image.repository + registry: gcr.io + repository: kasten-images + # Disabling init container + # which uses root cmds + initChownData: + enabled: false + rbac: + create: false + alertmanager: + enabled: false + kubeStateMetrics: + enabled: false + networkPolicy: + enabled: true + nodeExporter: + enabled: false + pushgateway: + enabled: false + scrapeCAdvisor: false + server: + # UID and groupid are from prometheus helm chart + enabled: true + securityContext: + runAsUser: 65534 + runAsNonRoot: true + runAsGroup: 65534 + fsGroup: 65534 + retention: 30d + strategy: + rollingUpdate: + maxSurge: 100% + maxUnavailable: 100% + type: RollingUpdate + persistentVolume: + enabled: true + storageClass: "" + configMapOverrideName: 
k10-prometheus-config + fullnameOverride: prometheus-server + baseURL: /k10/prometheus/ + prefixURL: /k10/prometheus + serviceAccounts: + alertmanager: + create: false + kubeStateMetrics: + create: false + nodeExporter: + create: false + pushgateway: + create: false + server: + create: true + +jaeger: + enabled: false + agentDNS: "" + +service: + externalPort: 8000 + internalPort: 8000 + aggregatedApiPort: 10250 + gatewayAdminPort: 8877 + +secrets: + awsAccessKeyId: '' + awsSecretAccessKey: '' + awsIamRole: '' + googleApiKey: '' + dockerConfig: '' + dockerConfigPath: '' + azureTenantId: '' + azureClientId: '' + azureClientSecret: '' + azureResourceGroup: '' + azureSubscriptionID: '' + azureResourceMgrEndpoint: '' + azureADEndpoint: '' + azureADResourceID: '' + azureCloudEnvID: '' + apiTlsCrt: '' + apiTlsKey: '' + ibmSoftLayerApiKey: '' + ibmSoftLayerApiUsername: '' + vsphereEndpoint: '' + vsphereUsername: '' + vspherePassword: '' + +metering: + reportingKey: "" #[base64-encoded key] + consumerId: "" #project: + awsRegion: '' + awsMarketPlaceIamRole: '' + awsMarketplace: false # AWS cloud metering license mode + awsManagedLicense: false # AWS managed license mode + licenseConfigSecretName: '' # AWS managed license config secret for non-eks clusters + serviceAccount: + create: false + name: "" + mode: '' # controls metric and license reporting (set to `airgap` for private-network installs) + redhatMarketplacePayg: false # Redhat cloud metering license mode + reportCollectionPeriod: 1800 # metric report collection period in seconds + reportPushPeriod: 3600 # metric report push period in seconds + promoID: '' # sets the K10 promotion ID + +clusterName: '' +executorReplicas: 3 +logLevel: info + +externalGateway: + create: false + # Any standard service annotations + annotations: {} + # Host and domain name for the K10 API server + fqdn: + name: "" + #Supported types route53-mapper, external-dns + type: "" + # ARN for the AWS ACM SSL certificate used in the K10 API 
server (load balancer) + awsSSLCertARN: '' + +auth: + groupAllowList: [] +# - "group1" +# - "group2" + basicAuth: + enabled: false + secretName: "" #htpasswd based existing secret + htpasswd: "" #htpasswd string, which will be used for basic auth + tokenAuth: + enabled: false + oidcAuth: + enabled: false + providerURL: "" #URL to your OIDC provider + redirectURL: "" #URL to the K10 gateway service + scopes: "" #Space separated OIDC scopes required for userinfo. Example: "profile email" + prompt: "" #The prompt type to be requested with the OIDC provider. Default is select_account. + clientID: "" #ClientID given by the OIDC provider for K10 + clientSecret: "" #ClientSecret given by the OIDC provider for K10 + usernameClaim: "" #Claim to be used as the username + usernamePrefix: "" #Prefix that has to be used with the username obtained from the username claim + groupClaim: "" #Name of a custom OpenID Connect claim for specifying user groups + groupPrefix: "" #All groups will be prefixed with this value to prevent conflicts. + logoutURL: "" #URL to your OIDC provider's logout endpoint + #OIDC config based existing secret. + #Must include providerURL, redirectURL, scopes, clientID/secret and logoutURL. 
+ secretName: "" + dex: + enabled: false + providerURL: "" + redirectURL: "" + openshift: + enabled: false + serviceAccount: "" #service account used as the OAuth client + clientSecret: "" #The token from the service account + dashboardURL: "" #The URL for accessing K10's dashboard + openshiftURL: "" #The URL of the Openshift API server + insecureCA: false + useServiceAccountCA: false + secretName: "" # The Kubernetes Secret that contains OIDC settings + usernameClaim: "email" + usernamePrefix: "" + groupnameClaim: "groups" + groupnamePrefix: "" + ldap: + enabled: false + restartPod: false # Enable this value to force a restart of the authentication service pod + dashboardURL: "" #The URL for accessing K10's dashboard + host: "" + insecureNoSSL: false + insecureSkipVerifySSL: false + startTLS: false + bindDN: "" + bindPW: "" + bindPWSecretName: "" + userSearch: + baseDN: "" + filter: "" + username: "" + idAttr: "" + emailAttr: "" + nameAttr: "" + preferredUsernameAttr: "" + groupSearch: + baseDN: "" + filter: "" + userMatchers: [] +# - userAttr: +# groupAttr: + nameAttr: "" + secretName: "" # The Kubernetes Secret that contains OIDC settings + usernameClaim: "email" + usernamePrefix: "" + groupnameClaim: "groups" + groupnamePrefix: "" + k10AdminUsers: [] + k10AdminGroups: [] + +optionalColocatedServices: + vbrintegrationapi: + enabled: false + +cacertconfigmap: + name: "" #Name of the configmap + +apiservices: + deployed: true # If false APIService objects will not be deployed + +injectKanisterSidecar: + enabled: false + namespaceSelector: + matchLabels: {} + # Set objectSelector to filter workloads + objectSelector: + matchLabels: {} + webhookServer: + port: 8080 # should not conflict with config server port (8000) + +kanisterPodCustomLabels : "" + +kanisterPodCustomAnnotations : "" + +genericVolumeSnapshot: + resources: + requests: + memory: "" + cpu: "" + limits: + memory: "" + cpu: "" + +resources: {} + +services: + executor: + hostNetwork: false + 
dashboardbff: + hostNetwork: false + securityContext: + runAsUser: 1000 + fsGroup: 1000 + aggregatedapis: + hostNetwork: false + +apigateway: + serviceResolver: dns + +limiter: + genericVolumeSnapshots: 10 + genericVolumeCopies: 10 + genericVolumeRestores: 10 + csiSnapshots: 10 + providerSnapshots: 10 + +gateway: + insecureDisableSSLVerify: false + exposeAdminPort: true + +kanister: + backupTimeout: 45 + restoreTimeout: 600 + deleteTimeout: 45 + hookTimeout: 20 + checkRepoTimeout: 20 + statsTimeout: 20 + efsPostRestoreTimeout: 45 + podReadyWaitTimeout: 15 + +awsConfig: + assumeRoleDuration: "" + efsBackupVaultName: "" + +grafana: + enabled: true + prometheusName: prometheus-server + prometheusPrefixURL: /k10/prometheus + rbac: + namespaced: true + pspEnabled: false + +encryption: + primaryKey: # primaryKey is used for enabling encryption of K10 primary key + awsCmkKeyId: '' # Ensures AWS CMK is used for encrypting K10 primary key + vaultTransitKeyName: '' + vaultTransitPath: '' + +vmWare: + taskTimeoutMin: "" + +vault: + secretName: "" + address: "http://vault:8200" diff --git a/index.yaml b/index.yaml index 70a4bfa57..7a1b165f2 100755 --- a/index.yaml +++ b/index.yaml 
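Review bot: `vault.address` defaults to `"http://vault:8200"`, a plaintext endpoint, while `encryption.primaryKey.vaultTransitKeyName` in the same file lets Vault transit protect the K10 primary key. If the default is kept, traffic to Vault is not protected by TLS (the template that consumes the address is outside this hunk, so what it carries is inferred). Consider an empty default that must be set explicitly, or at least a comment such as `# plaintext default; use an https:// address when Vault serves TLS`. `gateway.exposeAdminPort: true` also appears to publish the gateway admin port (`service.gatewayAdminPort: 8877`) by default and deserves a comment saying who needs it and that it can be set to `false`.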
@@ -1068,6 +1068,37 @@ entries: - assets/falcon-sensor/falcon-sensor-0.9.300.tgz version: 0.9.300 federatorai: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Federator.ai + catalog.cattle.io/release-name: federatorai + apiVersion: v1 + appVersion: 5.0.0-p1 + created: "2022-03-21T17:05:44.18656346+08:00" + description: Federator.ai helps enterprises optimize cloud resources, maximize + application performance, and save significant cost without excessive over-provisioning + or under-provisioning of resources, meeting the service-level requirements of + their applications. + digest: 7f3c4e92c9b0ba5141107b00b4bba9f083eb777d7706c2aec3e0bb86cb79ee28 + home: https://www.prophetstor.com + icon: https://raw.githubusercontent.com/prophetstor-ai/public/master/images/logo.png + keywords: + - AI + - Resource Orchestration + - NoOps + - AIOps + - Intelligent Workload Management + - Cost Optimization + kubeVersion: 1.16 - 1.22 + maintainers: + - email: support@prophetstor.com + name: ProphetStor Data Services, Inc. + name: federatorai + sources: + - https://www.prophetstor.com + urls: + - assets/federatorai/federatorai-5.0.0.tgz + version: 5.0.0 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Federator.ai 
@@ -1394,6 +1425,113 @@ entries: - assets/fpga-operator/fpga-operator-2.5.201.tgz version: 2.5.201 gluu: + - annotations: + artifacthub.io/changes: | + - Update always + artifacthub.io/containsSecurityUpdates: "true" + artifacthub.io/images: | + - name: auth-server + image: janssenproject/auth-server:1.0.0-beta.16 + - name: auth-server-key-rotation + image: janssenproject/certmanager:1.0.0-beta.16 + - name: client-api + image: janssenproject/client-api:1.0.0-beta.16 + - name: configuration-manager + image: janssenproject/configurator:1.0.0-beta.16 + - name: config-api + image: janssenproject/config-api:1.0.0-beta.16 + - name: fido2 + image: janssenproject/fido2:1.0.0-beta.16 + - name: opendj + image: gluufederation/opendj:5.0.0_dev + - name: persistence + image: janssenproject/persistence-loader:1.0.0-beta.16 + - name: scim + image: janssenproject/scim:1.0.0-beta.16 + artifacthub.io/license: Apache-2.0 + artifacthub.io/prerelease: "true" + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Gluu Cloud Identity and Access Management + catalog.cattle.io/release-name: gluu + apiVersion: v2 + appVersion: 5.0.0 + created: "2022-03-16T12:29:00.327278263Z" + dependencies: + - condition: global.config.enabled + name: config + repository: "" + version: 5.0.3 + - condition: global.config-api.enabled + name: config-api + repository: "" + version: 5.0.3 + - condition: global.opendj.enabled + name: opendj + repository: "" + version: 5.0.3 + - condition: global.auth-server.enabled + name: auth-server + repository: "" + version: 5.0.3 + - condition: global.admin-ui.enabled + name: admin-ui + repository: "" + version: 5.0.3 + - condition: global.fido2.enabled + name: fido2 + repository: "" + version: 5.0.3 + - condition: global.scim.enabled + name: scim + repository: "" + version: 5.0.3 + - condition: global.nginx-ingress.enabled + name: nginx-ingress + repository: "" + version: 5.0.3 + - condition: global.oxshibboleth.enabled + name: oxshibboleth + repository: 
"" + version: 5.0.3 + - condition: global.oxpassport.enabled + name: oxpassport + repository: "" + version: 5.0.3 + - condition: global.casa.enabled + name: casa + repository: "" + version: 5.0.3 + - condition: global.auth-server-key-rotation.enabled + name: auth-server-key-rotation + repository: "" + version: 5.0.3 + - condition: global.client-api.enabled + name: client-api + repository: "" + version: 5.0.3 + - condition: global.persistence.enabled + name: persistence + repository: "" + version: 5.0.3 + - condition: global.istio.ingress + name: cn-istio-ingress + repository: "" + version: 5.0.3 + description: Gluu Access and Identity Management + digest: 5179611a022721f7667fd8212d04a07e21165c2b8409de3197468a82d76afd4b + home: https://www.gluu.org + icon: https://gluu.org/docs/gluu-server/favicon.ico + kubeVersion: '>=v1.21.0-0' + maintainers: + - email: support@gluu.org + name: moabu + name: gluu + sources: + - https://gluu.org/docs/gluu-server + - https://github.com/GluuFederation/flex/flex-cn-setup + urls: + - assets/gluu/gluu-5.0.302.tgz + version: 5.0.302 - annotations: artifacthub.io/changes: | - Gluu 5.0 Openbanking Distribution. Auth-server and config-api. @@ -2254,6 +2392,25 @@ entries: - assets/k8s-triliovault-operator/k8s-triliovault-operator-v2.0.200.tgz version: v2.0.200 k10: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: K10 + catalog.cattle.io/release-name: k10 + apiVersion: v2 + appVersion: 4.5.11 + created: "2022-03-17T11:38:33.444913099Z" + description: Kasten’s K10 Data Management Platform + digest: 28fa4e635b3643559cec9bdf0eb5def580bbcc36efaf2c1f7cf30259043e4757 + home: https://kasten.io/ + icon: https://docs.kasten.io/_static/kasten-logo-vertical.png + kubeVersion: '>= 1.17.0-0' + maintainers: + - email: support@kasten.io + name: kastenIO + name: k10 + urls: + - assets/k10/k10-4.5.1100.tgz + version: 4.5.1100 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: K10