andata
/
rancher-partner-charts
mirror of https://git.rancher.io/partner-charts
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #714 from koor-tech/feature/ksd-159 

Add Koor Operator
pull/847/head
Nefi Munoz 2023-08-01 09:15:34 -06:00 committed by GitHub
parent 06f8ac947a 2f5615cc62
commit b829d40a1c
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
71 changed files with 9272 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

BIN
assets/koor-tech/koor-operator-0.3.1.tgz Normal file
View File

Binary file not shown.

27
charts/koor-tech/koor-operator/.helmignore Normal file
View File

@ -0,0 +1,27 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*.orig
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/
additional-values.yaml
README.gotmpl.md
*.gotmpl

6
charts/koor-tech/koor-operator/Chart.lock Normal file
View File

@ -0,0 +1,6 @@
dependencies:
- name: cert-manager
repository: https://charts.jetstack.io
version: v1.12.3
digest: sha256:3110ca458f8a903dc025408701614af03df859bf827824478ed68c785b0e6209
generated: "2023-07-30T15:15:21.312277536Z"

36
charts/koor-tech/koor-operator/Chart.yaml Normal file
View File

@ -0,0 +1,36 @@
annotations:
artifacthub.io/category: storage
artifacthub.io/crds: |
- kind: KoorCluster
version: v1
name: koorcluster
displayName: Koor Cluster
description: "Resource to control the creation of a Koor Storage Cluster."
artifacthub.io/license: Apache-2.0
artifacthub.io/operator: "true"
artifacthub.io/operatorCapabilities: basic install
catalog.cattle.io/certified: partner
catalog.cattle.io/display-name: Koor Operator
catalog.cattle.io/kube-version: '>=1.19.0'
catalog.cattle.io/release-name: koor-operator
apiVersion: v2
appVersion: v0.3.1
dependencies:
- alias: certmanager
condition: certmanager.enabled
name: cert-manager
repository: file://./charts/cert-manager
version: v1.12.3
description: A Helm chart for deploying the Koor Operator to Kubernetes
icon: https://koor.tech/images/favicon.svg
keywords:
- storage
- operator
- rook
- ceph
kubeVersion: '>=1.19.0'
name: koor-operator
sources:
- https://github.com/koor-tech/koor-operator/
type: application
version: 0.3.1

201
charts/koor-tech/koor-operator/LICENSE Normal file
View File

@ -0,0 +1,201 @@
Apache License
Version 2.0, January 2004
http://www.apache.org/licenses/
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
1. Definitions.
"License" shall mean the terms and conditions for use, reproduction,
and distribution as defined by Sections 1 through 9 of this document.
"Licensor" shall mean the copyright owner or entity authorized by
the copyright owner that is granting the License.
"Legal Entity" shall mean the union of the acting entity and all
other entities that control, are controlled by, or are under common
control with that entity. For the purposes of this definition,
"control" means (i) the power, direct or indirect, to cause the
direction or management of such entity, whether by contract or
otherwise, or (ii) ownership of fifty percent (50%) or more of the
outstanding shares, or (iii) beneficial ownership of such entity.
"You" (or "Your") shall mean an individual or Legal Entity
exercising permissions granted by this License.
"Source" form shall mean the preferred form for making modifications,
including but not limited to software source code, documentation
source, and configuration files.
"Object" form shall mean any form resulting from mechanical
transformation or translation of a Source form, including but
not limited to compiled object code, generated documentation,
and conversions to other media types.
"Work" shall mean the work of authorship, whether in Source or
Object form, made available under the License, as indicated by a
copyright notice that is included in or attached to the work
(an example is provided in the Appendix below).
"Derivative Works" shall mean any work, whether in Source or Object
form, that is based on (or derived from) the Work and for which the
editorial revisions, annotations, elaborations, or other modifications
represent, as a whole, an original work of authorship. For the purposes
of this License, Derivative Works shall not include works that remain
separable from, or merely link (or bind by name) to the interfaces of,
the Work and Derivative Works thereof.
"Contribution" shall mean any work of authorship, including
the original version of the Work and any modifications or additions
to that Work or Derivative Works thereof, that is intentionally
submitted to Licensor for inclusion in the Work by the copyright owner
or by an individual or Legal Entity authorized to submit on behalf of
the copyright owner. For the purposes of this definition, "submitted"
means any form of electronic, verbal, or written communication sent
to the Licensor or its representatives, including but not limited to
communication on electronic mailing lists, source code control systems,
and issue tracking systems that are managed by, or on behalf of, the
Licensor for the purpose of discussing and improving the Work, but
excluding communication that is conspicuously marked or otherwise
designated in writing by the copyright owner as "Not a Contribution."
"Contributor" shall mean Licensor and any individual or Legal Entity
on behalf of whom a Contribution has been received by Licensor and
subsequently incorporated within the Work.
2. Grant of Copyright License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
copyright license to reproduce, prepare Derivative Works of,
publicly display, publicly perform, sublicense, and distribute the
Work and such Derivative Works in Source or Object form.
3. Grant of Patent License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
(except as stated in this section) patent license to make, have made,
use, offer to sell, sell, import, and otherwise transfer the Work,
where such license applies only to those patent claims licensable
by such Contributor that are necessarily infringed by their
Contribution(s) alone or by combination of their Contribution(s)
with the Work to which such Contribution(s) was submitted. If You
institute patent litigation against any entity (including a
cross-claim or counterclaim in a lawsuit) alleging that the Work
or a Contribution incorporated within the Work constitutes direct
or contributory patent infringement, then any patent licenses
granted to You under this License for that Work shall terminate
as of the date such litigation is filed.
4. Redistribution. You may reproduce and distribute copies of the
Work or Derivative Works thereof in any medium, with or without
modifications, and in Source or Object form, provided that You
meet the following conditions:
(a) You must give any other recipients of the Work or
Derivative Works a copy of this License; and
(b) You must cause any modified files to carry prominent notices
stating that You changed the files; and
(c) You must retain, in the Source form of any Derivative Works
that You distribute, all copyright, patent, trademark, and
attribution notices from the Source form of the Work,
excluding those notices that do not pertain to any part of
the Derivative Works; and
(d) If the Work includes a "NOTICE" text file as part of its
distribution, then any Derivative Works that You distribute must
include a readable copy of the attribution notices contained
within such NOTICE file, excluding those notices that do not
pertain to any part of the Derivative Works, in at least one
of the following places: within a NOTICE text file distributed
as part of the Derivative Works; within the Source form or
documentation, if provided along with the Derivative Works; or,
within a display generated by the Derivative Works, if and
wherever such third-party notices normally appear. The contents
of the NOTICE file are for informational purposes only and
do not modify the License. You may add Your own attribution
notices within Derivative Works that You distribute, alongside
or as an addendum to the NOTICE text from the Work, provided
that such additional attribution notices cannot be construed
as modifying the License.
You may add Your own copyright statement to Your modifications and
may provide additional or different license terms and conditions
for use, reproduction, or distribution of Your modifications, or
for any such Derivative Works as a whole, provided Your use,
reproduction, and distribution of the Work otherwise complies with
the conditions stated in this License.
5. Submission of Contributions. Unless You explicitly state otherwise,
any Contribution intentionally submitted for inclusion in the Work
by You to the Licensor shall be under the terms and conditions of
this License, without any additional terms or conditions.
Notwithstanding the above, nothing herein shall supersede or modify
the terms of any separate license agreement you may have executed
with Licensor regarding such Contributions.
6. Trademarks. This License does not grant permission to use the trade
names, trademarks, service marks, or product names of the Licensor,
except as required for reasonable and customary use in describing the
origin of the Work and reproducing the content of the NOTICE file.
7. Disclaimer of Warranty. Unless required by applicable law or
agreed to in writing, Licensor provides the Work (and each
Contributor provides its Contributions) on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
implied, including, without limitation, any warranties or conditions
of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
PARTICULAR PURPOSE. You are solely responsible for determining the
appropriateness of using or redistributing the Work and assume any
risks associated with Your exercise of permissions under this License.
8. Limitation of Liability. In no event and under no legal theory,
whether in tort (including negligence), contract, or otherwise,
unless required by applicable law (such as deliberate and grossly
negligent acts) or agreed to in writing, shall any Contributor be
liable to You for damages, including any direct, indirect, special,
incidental, or consequential damages of any character arising as a
result of this License or out of the use or inability to use the
Work (including but not limited to damages for loss of goodwill,
work stoppage, computer failure or malfunction, or any and all
other commercial damages or losses), even if such Contributor
has been advised of the possibility of such damages.
9. Accepting Warranty or Additional Liability. While redistributing
the Work or Derivative Works thereof, You may choose to offer,
and charge a fee for, acceptance of support, warranty, indemnity,
or other liability obligations and/or rights consistent with this
License. However, in accepting such obligations, You may act only
on Your own behalf and on Your sole responsibility, not on behalf
of any other Contributor, and only if You agree to indemnify,
defend, and hold each Contributor harmless for any liability
incurred by, or claims asserted against, such Contributor by reason
of your accepting any such warranty or additional liability.
END OF TERMS AND CONDITIONS
APPENDIX: How to apply the Apache License to your work.
To apply the Apache License to your work, attach the following
boilerplate notice, with the fields enclosed by brackets "[]"
replaced with your own identifying information. (Don't include
the brackets!) The text should be enclosed in the appropriate
comment syntax for the file format. We also recommend that a
file or class name and description of purpose be included on the
same "printed page" as the copyright notice for easier
identification within third-party archives.
Copyright 2023 Koor Technologies, Inc.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.

100
charts/koor-tech/koor-operator/README.md Normal file
View File

@ -0,0 +1,100 @@
---
title: Ceph Operator Helm Chart
---
<!---
Document is generated by `make helm-docs`. DO NOT EDIT.
Edit the corresponding *.gotmpl.md file instead
-->
Installs [Koor Operator](https://github.com/koor-tech/koor-operator) to create, configure, and manage Koor Storage Distribution on Kubernetes.
## Introduction
This chart bootstraps a [Koor Operator](https://github.com/koor-tech/koor-operator) deployment on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager.
## Prerequisites
* Kubernetes 1.19+
* Helm 3.x
See the [Helm support matrix](https://helm.sh/docs/topics/version_skew/) for more details.
## Installing
The Ceph Operator helm chart will install the basic components necessary to create a storage platform for your Kubernetes cluster.
1. Add the Koor Helm repo
2. Install the Helm chart
3. [Create a Koor Storage cluster](https://docs.koor.tech/v1.11/Getting-Started/quickstart/#create-a-ceph-cluster).
The `helm install` command deploys the Koor Operator on the Kubernetes cluster in the default configuration. The [configuration](#configuration) section lists the parameters that can be configured during installation. It is recommended that the Koor Operator be installed into the `koor-operator` namespace (you will install your clusters into separate namespaces).
```console
helm repo add koor-operator https://koor-tech.github.io/koor-operator
helm install --create-namespace --namespace koor-operator koor-operator koor-operator/koor-operator -f values.yaml
```
For example settings, see the next section or [values.yaml](/charts/koor-operator/values.yaml).
## Configuration
The following table lists the configurable parameters of the rook-operator chart and their default values.
| Parameter | Description | Default |
|-----------|-------------|---------|
| `certmanager.enabled` | Enable cert-maanger | `true` |
| `certmanager.installCRDs` | If cert-manager's CRDs should be installed through Helm. | `true` |
| `controllerManager.kubeRbacProxy` | RBAC proxy configuration | `{"args":["--secure-listen-address=0.0.0.0:8443","--upstream=http://127.0.0.1:8080/","--logtostderr=true","--v=0"],"containerSecurityContext":{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]}},"image":{"repository":"gcr.io/kubebuilder/kube-rbac-proxy","tag":"v0.14.1"},"resources":{"limits":{"cpu":"500m","memory":"128Mi"},"requests":{"cpu":"5m","memory":"64Mi"}}}` |
| `controllerManager.kubeRbacProxy.containerSecurityContext` | RBAC proxy container security context | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]}}` |
| `controllerManager.kubeRbacProxy.image.repository` | Operator image repository | `"gcr.io/kubebuilder/kube-rbac-proxy"` |
| `controllerManager.kubeRbacProxy.image.tag` | Operator image tag | `"v0.14.1"` |
| `controllerManager.kubeRbacProxy.resources` | RBAC proxy container resources | `{"limits":{"cpu":"500m","memory":"128Mi"},"requests":{"cpu":"5m","memory":"64Mi"}}` |
| `controllerManager.manager` | Operator configuration | `{"args":["--health-probe-bind-address=:8081","--metrics-bind-address=127.0.0.1:8080","--leader-elect"],"containerSecurityContext":{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]}},"image":{"repository":"docker.io/koorinc/koor-operator","tag":"v0.3.1"},"resources":{"limits":{"cpu":"500m","memory":"512Mi"},"requests":{"cpu":"10m","memory":"128Mi"}}}` |
| `controllerManager.manager.containerSecurityContext` | Operator container security context | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]}}` |
| `controllerManager.manager.image.repository` | Operator image repository | `"docker.io/koorinc/koor-operator"` |
| `controllerManager.manager.image.tag` | Operator image tag | `"v0.3.1"` |
| `controllerManager.manager.resources` | Operator container resources | `{"limits":{"cpu":"500m","memory":"512Mi"},"requests":{"cpu":"10m","memory":"128Mi"}}` |
| `controllerManager.replicas` | | `1` |
| `koorCluster` | Koor Cluster specification | `{"spec":{"dashboardEnabled":true,"monitoringEnabled":true,"toolboxEnabled":true,"upgradeOptions":{"endpoint":"versions.koor.tech","mode":"notify","schedule":"0 0 * * *"},"useAllDevices":true}}` |
| `koorCluster.spec.dashboardEnabled` | Enable the Ceph MGR dashboard. | `true` |
| `koorCluster.spec.monitoringEnabled` | If monitoring should be enabled, requires the prometheus-operator to be pre-installed. | `true` |
| `koorCluster.spec.toolboxEnabled` | If the Ceph toolbox, should be deployed as well. | `true` |
| `koorCluster.spec.upgradeOptions.endpoint` | The api endpoint used to find the ceph latest version | `"versions.koor.tech"` |
| `koorCluster.spec.upgradeOptions.mode` | Upgrade mode. Options: disabled, notify, upgrade. | `"notify"` |
| `koorCluster.spec.upgradeOptions.schedule` | The schedule to check for new versions. Uses CRON format as specified by https://github.com/robfig/cron/tree/v3. Defaults to everyday at midnight in the local timezone. To change the timezone, prefix the schedule with CRON_TZ=<Timezone>. For example: "CRON_TZ=UTC 0 0 * * *" is midnight UTC. | `"0 0 * * *"` |
| `koorCluster.spec.useAllDevices` | If all empty + unused devices of the cluster should be used. | `true` |
| `kubernetesClusterDomain` | | `"cluster.local"` |
| `metricsService` | Metrics Service | `{"ports":[{"name":"https","port":8443,"protocol":"TCP","targetPort":"https"}],"type":"ClusterIP"}` |
| `webhookService` | Webhook service | `{"ports":[{"port":443,"protocol":"TCP","targetPort":9443}],"type":"ClusterIP"}` |
## Uninstalling the Chart
To see the currently installed Rook chart:
```console
helm ls --namespace koor-operator
```
To uninstall/delete the `koor-operator` deployment:
```console
helm delete --namespace koor-operator koor-operator
```
The command removes all the Kubernetes components associated with the chart and deletes the release.
## License
Copyright 2023 Koor Technologies, Inc. All rights reserved.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.

1
charts/koor-tech/koor-operator/app-readme.md Normal file
View File

@ -0,0 +1 @@
An operator that installs Koor Storage Distro

24
charts/koor-tech/koor-operator/charts/cert-manager/Chart.yaml Normal file
View File

@ -0,0 +1,24 @@
annotations:
artifacthub.io/prerelease: "false"
artifacthub.io/signKey: |
fingerprint: 1020CF3C033D4F35BAE1C19E1226061C665DF13E
url: https://cert-manager.io/public-keys/cert-manager-keyring-2021-09-20-1020CF3C033D4F35BAE1C19E1226061C665DF13E.gpg
apiVersion: v1
appVersion: v1.12.3
description: A Helm chart for cert-manager
home: https://github.com/cert-manager/cert-manager
icon: https://raw.githubusercontent.com/cert-manager/cert-manager/d53c0b9270f8cd90d908460d69502694e1838f5f/logo/logo-small.png
keywords:
- cert-manager
- kube-lego
- letsencrypt
- tls
kubeVersion: '>= 1.22.0-0'
maintainers:
- email: cert-manager-maintainers@googlegroups.com
name: cert-manager-maintainers
url: https://cert-manager.io
name: cert-manager
sources:
- https://github.com/cert-manager/cert-manager
version: v1.12.3

271
charts/koor-tech/koor-operator/charts/cert-manager/README.md Normal file
View File

@ -0,0 +1,271 @@
# cert-manager
cert-manager is a Kubernetes addon to automate the management and issuance of
TLS certificates from various issuing sources.
It will ensure certificates are valid and up to date periodically, and attempt
to renew certificates at an appropriate time before expiry.
## Prerequisites
- Kubernetes 1.20+
## Installing the Chart
Full installation instructions, including details on how to configure extra
functionality in cert-manager can be found in the [installation docs](https://cert-manager.io/docs/installation/kubernetes/).
Before installing the chart, you must first install the cert-manager CustomResourceDefinition resources.
This is performed in a separate step to allow you to easily uninstall and reinstall cert-manager without deleting your installed custom resources.
```bash
$ kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.12.3/cert-manager.crds.yaml
```
To install the chart with the release name `my-release`:
```console
## Add the Jetstack Helm repository
$ helm repo add jetstack https://charts.jetstack.io
## Install the cert-manager helm chart
$ helm install my-release --namespace cert-manager --version v1.12.3 jetstack/cert-manager
```
In order to begin issuing certificates, you will need to set up a ClusterIssuer
or Issuer resource (for example, by creating a 'letsencrypt-staging' issuer).
More information on the different types of issuers and how to configure them
can be found in [our documentation](https://cert-manager.io/docs/configuration/).
For information on how to configure cert-manager to automatically provision
Certificates for Ingress resources, take a look at the
[Securing Ingresses documentation](https://cert-manager.io/docs/usage/ingress/).
> **Tip**: List all releases using `helm list`
## Upgrading the Chart
Special considerations may be required when upgrading the Helm chart, and these
are documented in our full [upgrading guide](https://cert-manager.io/docs/installation/upgrading/).
**Please check here before performing upgrades!**
## Uninstalling the Chart
To uninstall/delete the `my-release` deployment:
```console
$ helm delete my-release
```
The command removes all the Kubernetes components associated with the chart and deletes the release.
If you want to completely uninstall cert-manager from your cluster, you will also need to
delete the previously installed CustomResourceDefinition resources:
```console
$ kubectl delete -f https://github.com/cert-manager/cert-manager/releases/download/v1.12.3/cert-manager.crds.yaml
```
## Configuration
The following table lists the configurable parameters of the cert-manager chart and their default values.
| Parameter | Description | Default |
| --------- | ----------- | ------- |
| `global.imagePullSecrets` | Reference to one or more secrets to be used when pulling images | `[]` |
| `global.commonLabels` | Labels to apply to all resources | `{}` |
| `global.rbac.create` | If `true`, create and use RBAC resources (includes sub-charts) | `true` |
| `global.priorityClassName`| Priority class name for cert-manager and webhook pods | `""` |
| `global.podSecurityPolicy.enabled` | If `true`, create and use PodSecurityPolicy (includes sub-charts) | `false` |
| `global.podSecurityPolicy.useAppArmor` | If `true`, use Apparmor seccomp profile in PSP | `true` |
| `global.leaderElection.namespace` | Override the namespace used to store the ConfigMap for leader election | `kube-system` |
| `global.leaderElection.leaseDuration` | The duration that non-leader candidates will wait after observing a leadership renewal until attempting to acquire leadership of a led but unrenewed leader slot. This is effectively the maximum duration that a leader can be stopped before it is replaced by another candidate | |
| `global.leaderElection.renewDeadline` | The interval between attempts by the acting master to renew a leadership slot before it stops leading. This must be less than or equal to the lease duration | |
| `global.leaderElection.retryPeriod` | The duration the clients should wait between attempting acquisition and renewal of a leadership | |
| `installCRDs` | If true, CRD resources will be installed as part of the Helm chart. If enabled, when uninstalling CRD resources will be deleted causing all installed custom resources to be DELETED | `false` |
| `image.repository` | Image repository | `quay.io/jetstack/cert-manager-controller` |
| `image.tag` | Image tag | `v1.12.3` |
| `image.pullPolicy` | Image pull policy | `IfNotPresent` |
| `replicaCount` | Number of cert-manager replicas | `1` |
| `clusterResourceNamespace` | Override the namespace used to store DNS provider credentials etc. for ClusterIssuer resources | Same namespace as cert-manager pod |
| `featureGates` | Set of comma-separated key=value pairs that describe feature gates on the controller. Some feature gates may also have to be enabled on other components, and can be set supplying the `feature-gate` flag to `<component>.extraArgs` | `` |
| `extraArgs` | Optional flags for cert-manager | `[]` |
| `extraEnv` | Optional environment variables for cert-manager | `[]` |
| `serviceAccount.create` | If `true`, create a new service account | `true` |
| `serviceAccount.name` | Service account to be used. If not set and `serviceAccount.create` is `true`, a name is generated using the fullname template | |
| `serviceAccount.annotations` | Annotations to add to the service account | |
| `serviceAccount.automountServiceAccountToken` | Automount API credentials for the Service Account | `true` |
| `volumes` | Optional volumes for cert-manager | `[]` |
| `volumeMounts` | Optional volume mounts for cert-manager | `[]` |
| `resources` | CPU/memory resource requests/limits | `{}` |
| `securityContext` | Security context for the controller pod assignment | refer to [Default Security Contexts](#default-security-contexts) |
| `containerSecurityContext` | Security context to be set on the controller component container | refer to [Default Security Contexts](#default-security-contexts) |
| `nodeSelector` | Node labels for pod assignment | `{}` |
| `affinity` | Node affinity for pod assignment | `{}` |
| `tolerations` | Node tolerations for pod assignment | `[]` |
| `topologySpreadConstraints` | Topology spread constraints for pod assignment | `[]` |
| `livenessProbe.enabled` | Enable or disable the liveness probe for the controller container in the controller Pod. See https://cert-manager.io/docs/installation/best-practice/ to learn about when you might want to enable this livenss probe. | `false` |
| `livenessProbe.initialDelaySeconds` | The liveness probe initial delay (in seconds) | `10` |
| `livenessProbe.periodSeconds` | The liveness probe period (in seconds) | `10` |
| `livenessProbe.timeoutSeconds` | The liveness probe timeout (in seconds) | `10` |
| `livenessProbe.periodSeconds` | The liveness probe period (in seconds) | `10` |
| `livenessProbe.successThreshold` | The liveness probe success threshold | `1` |
| `livenessProbe.failureThreshold` | The liveness probe failure threshold | `8` |
| `ingressShim.defaultIssuerName` | Optional default issuer to use for ingress resources | |
| `ingressShim.defaultIssuerKind` | Optional default issuer kind to use for ingress resources | |
| `ingressShim.defaultIssuerGroup` | Optional default issuer group to use for ingress resources | |
| `prometheus.enabled` | Enable Prometheus monitoring | `true` |
| `prometheus.servicemonitor.enabled` | Enable Prometheus Operator ServiceMonitor monitoring | `false` |
| `prometheus.servicemonitor.namespace` | Define namespace where to deploy the ServiceMonitor resource | (namespace where you are deploying) |
| `prometheus.servicemonitor.prometheusInstance` | Prometheus Instance definition | `default` |
| `prometheus.servicemonitor.targetPort` | Prometheus scrape port | `9402` |
| `prometheus.servicemonitor.path` | Prometheus scrape path | `/metrics` |
| `prometheus.servicemonitor.interval` | Prometheus scrape interval | `60s` |
| `prometheus.servicemonitor.labels` | Add custom labels to ServiceMonitor | |
| `prometheus.servicemonitor.scrapeTimeout` | Prometheus scrape timeout | `30s` |
| `prometheus.servicemonitor.honorLabels` | Enable label honoring for metrics scraped by Prometheus (see [Prometheus scrape config docs](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#scrape_config) for details). By setting `honorLabels` to `true`, Prometheus will prefer label contents given by cert-manager on conflicts. Can be used to remove the "exported_namespace" label for example. | `false` |
| `podAnnotations` | Annotations to add to the cert-manager pod | `{}` |
| `deploymentAnnotations` | Annotations to add to the cert-manager deployment | `{}` |
| `podDisruptionBudget.enabled` | Adds a PodDisruptionBudget for the cert-manager deployment | `false` |
| `podDisruptionBudget.minAvailable` | Configures the minimum available pods for voluntary disruptions. Cannot used if `maxUnavailable` is set. | `1` |
| `podDisruptionBudget.maxUnavailable` | Configures the maximum unavailable pods for voluntary disruptions. Cannot used if `minAvailable` is set. | |
| `podDnsPolicy` | Optional cert-manager pod [DNS policy](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pods-dns-policy) | |
| `podDnsConfig` | Optional cert-manager pod [DNS configurations](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pods-dns-config) | |
| `podLabels` | Labels to add to the cert-manager pod | `{}` |
| `serviceLabels` | Labels to add to the cert-manager controller service | `{}` |
| `serviceAnnotations` | Annotations to add to the cert-manager service | `{}` |
| `http_proxy` | Value of the `HTTP_PROXY` environment variable in the cert-manager pod | |
| `https_proxy` | Value of the `HTTPS_PROXY` environment variable in the cert-manager pod | |
| `no_proxy` | Value of the `NO_PROXY` environment variable in the cert-manager pod | |
| `dns01RecursiveNameservers` | Comma separated string with host and port of the recursive nameservers cert-manager should query | `` |
| `dns01RecursiveNameserversOnly` | Forces cert-manager to only use the recursive nameservers for verification. | `false` |
| `enableCertificateOwnerRef` | When this flag is enabled, secrets will be automatically removed when the certificate resource is deleted | `false` |
| `webhook.replicaCount` | Number of cert-manager webhook replicas | `1` |
| `webhook.timeoutSeconds` | Seconds the API server should wait the webhook to respond before treating the call as a failure. | `10` |
| `webhook.podAnnotations` | Annotations to add to the webhook pods | `{}` |
| `webhook.podLabels` | Labels to add to the cert-manager webhook pod | `{}` |
| `webhook.serviceLabels` | Labels to add to the cert-manager webhook service | `{}` |
| `webhook.deploymentAnnotations` | Annotations to add to the webhook deployment | `{}` |
| `webhook.podDisruptionBudget.enabled` | Adds a PodDisruptionBudget for the cert-manager deployment | `false` |
| `webhook.podDisruptionBudget.minAvailable` | Configures the minimum available pods for voluntary disruptions. Cannot used if `maxUnavailable` is set. | `1` |
| `webhook.podDisruptionBudget.maxUnavailable` | Configures the maximum unavailable pods for voluntary disruptions. Cannot used if `minAvailable` is set. | |
| `webhook.mutatingWebhookConfigurationAnnotations` | Annotations to add to the mutating webhook configuration | `{}` |
| `webhook.validatingWebhookConfigurationAnnotations` | Annotations to add to the validating webhook configuration | `{}` |
| `webhook.serviceAnnotations` | Annotations to add to the webhook service | `{}` |
| `webhook.config` | WebhookConfiguration YAML used to configure flags for the webhook. Generates a ConfigMap containing contents of the field. See `values.yaml` for example. | `{}` |
| `webhook.extraArgs` | Optional flags for cert-manager webhook component | `[]` |
| `webhook.serviceAccount.create` | If `true`, create a new service account for the webhook component | `true` |
| `webhook.serviceAccount.name` | Service account for the webhook component to be used. If not set and `webhook.serviceAccount.create` is `true`, a name is generated using the fullname template | |
| `webhook.serviceAccount.annotations` | Annotations to add to the service account for the webhook component | |
| `webhook.serviceAccount.automountServiceAccountToken` | Automount API credentials for the webhook Service Account | |
| `webhook.resources` | CPU/memory resource requests/limits for the webhook pods | `{}` |
| `webhook.nodeSelector` | Node labels for webhook pod assignment | `{}` |
| `webhook.networkPolicy.enabled` | Enable default network policies for webhooks egress and ingress traffic | `false` |
| `webhook.networkPolicy.ingress` | Sets ingress policy block. See NetworkPolicy documentation. See `values.yaml` for example. | `{}` |
| `webhook.networkPolicy.egress` | Sets ingress policy block. See NetworkPolicy documentation. See `values.yaml` for example. | `{}` |
| `webhook.affinity` | Node affinity for webhook pod assignment | `{}` |
| `webhook.tolerations` | Node tolerations for webhook pod assignment | `[]` |
| `webhook.topologySpreadConstraints` | Topology spread constraints for webhook pod assignment | `[]` |
| `webhook.image.repository` | Webhook image repository | `quay.io/jetstack/cert-manager-webhook` |
| `webhook.image.tag` | Webhook image tag | `v1.12.3` |
| `webhook.image.pullPolicy` | Webhook image pull policy | `IfNotPresent` |
| `webhook.securePort` | The port that the webhook should listen on for requests. | `10250` |
| `webhook.securityContext` | Security context for webhook pod assignment | refer to [Default Security Contexts](#default-security-contexts) |
| `webhook.containerSecurityContext` | Security context to be set on the webhook component container | refer to [Default Security Contexts](#default-security-contexts) |
| `webhook.hostNetwork` | If `true`, run the Webhook on the host network. | `false` |
| `webhook.serviceType` | The type of the `Service`. | `ClusterIP` |
| `webhook.loadBalancerIP` | The specific load balancer IP to use (when `serviceType` is `LoadBalancer`). | |
| `webhook.url.host` | The host to use to reach the webhook, instead of using internal cluster DNS for the service. | |
| `webhook.livenessProbe.failureThreshold` | The liveness probe failure threshold | `3` |
| `webhook.livenessProbe.initialDelaySeconds` | The liveness probe initial delay (in seconds) | `60` |
| `webhook.livenessProbe.periodSeconds` | The liveness probe period (in seconds) | `10` |
| `webhook.livenessProbe.successThreshold` | The liveness probe success threshold | `1` |
| `webhook.livenessProbe.timeoutSeconds` | The liveness probe timeout (in seconds) | `1` |
| `webhook.readinessProbe.failureThreshold` | The readiness probe failure threshold | `3` |
| `webhook.readinessProbe.initialDelaySeconds` | The readiness probe initial delay (in seconds) | `5` |
| `webhook.readinessProbe.periodSeconds` | The readiness probe period (in seconds) | `5` |
| `webhook.readinessProbe.successThreshold` | The readiness probe success threshold | `1` |
| `webhook.readinessProbe.timeoutSeconds` | The readiness probe timeout (in seconds) | `1` |
| `cainjector.enabled` | Toggles whether the cainjector component should be installed (required for the webhook component to work) | `true` |
| `cainjector.replicaCount` | Number of cert-manager cainjector replicas | `1` |
| `cainjector.podAnnotations` | Annotations to add to the cainjector pods | `{}` |
| `cainjector.podLabels` | Labels to add to the cert-manager cainjector pod | `{}` |
| `cainjector.deploymentAnnotations` | Annotations to add to the cainjector deployment | `{}` |
| `cainjector.podDisruptionBudget.enabled` | Adds a PodDisruptionBudget for the cert-manager deployment | `false` |
| `cainjector.podDisruptionBudget.minAvailable` | Configures the minimum available pods for voluntary disruptions. Cannot used if `maxUnavailable` is set. | `1` |
| `cainjector.podDisruptionBudget.maxUnavailable` | Configures the maximum unavailable pods for voluntary disruptions. Cannot used if `minAvailable` is set. | |
| `cainjector.extraArgs` | Optional flags for cert-manager cainjector component | `[]` |
| `cainjector.serviceAccount.create` | If `true`, create a new service account for the cainjector component | `true` |
| `cainjector.serviceAccount.name` | Service account for the cainjector component to be used. If not set and `cainjector.serviceAccount.create` is `true`, a name is generated using the fullname template | |
| `cainjector.serviceAccount.annotations` | Annotations to add to the service account for the cainjector component | |
| `cainjector.serviceAccount.automountServiceAccountToken` | Automount API credentials for the cainjector Service Account | `true` |
| `cainjector.resources` | CPU/memory resource requests/limits for the cainjector pods | `{}` |
| `cainjector.nodeSelector` | Node labels for cainjector pod assignment | `{}` |
| `cainjector.affinity` | Node affinity for cainjector pod assignment | `{}` |
| `cainjector.tolerations` | Node tolerations for cainjector pod assignment | `[]` |
| `cainjector.topologySpreadConstraints` | Topology spread constraints for cainjector pod assignment | `[]` |
| `cainjector.image.repository` | cainjector image repository | `quay.io/jetstack/cert-manager-cainjector` |
| `cainjector.image.tag` | cainjector image tag | `v1.12.3` |
| `cainjector.image.pullPolicy` | cainjector image pull policy | `IfNotPresent` |
| `cainjector.securityContext` | Security context for cainjector pod assignment | refer to [Default Security Contexts](#default-security-contexts) |
| `cainjector.containerSecurityContext` | Security context to be set on cainjector component container | refer to [Default Security Contexts](#default-security-contexts) |
| `acmesolver.image.repository` | acmesolver image repository | `quay.io/jetstack/cert-manager-acmesolver` |
| `acmesolver.image.tag` | acmesolver image tag | `v1.12.3` |
| `acmesolver.image.pullPolicy` | acmesolver image pull policy | `IfNotPresent` |
| `startupapicheck.enabled` | Toggles whether the startupapicheck Job should be installed | `true` |
| `startupapicheck.securityContext` | Security context for startupapicheck pod assignment | refer to [Default Security Contexts](#default-security-contexts) |
| `startupapicheck.containerSecurityContext` | Security context to be set on startupapicheck component container | refer to [Default Security Contexts](#default-security-contexts) |
| `startupapicheck.timeout` | Timeout for 'kubectl check api' command | `1m` |
| `startupapicheck.backoffLimit` | Job backoffLimit | `4` |
| `startupapicheck.jobAnnotations` | Optional additional annotations to add to the startupapicheck Job | `{}` |
| `startupapicheck.podAnnotations` | Optional additional annotations to add to the startupapicheck Pods | `{}` |
| `startupapicheck.extraArgs` | Optional additional arguments for startupapicheck | `[]` |
| `startupapicheck.resources` | CPU/memory resource requests/limits for the startupapicheck pod | `{}` |
| `startupapicheck.nodeSelector` | Node labels for startupapicheck pod assignment | `{}` |
| `startupapicheck.affinity` | Node affinity for startupapicheck pod assignment | `{}` |
| `startupapicheck.tolerations` | Node tolerations for startupapicheck pod assignment | `[]` |
| `startupapicheck.podLabels` | Optional additional labels to add to the startupapicheck Pods | `{}` |
| `startupapicheck.image.repository` | startupapicheck image repository | `quay.io/jetstack/cert-manager-ctl` |
| `startupapicheck.image.tag` | startupapicheck image tag | `v1.12.3` |
| `startupapicheck.image.pullPolicy` | startupapicheck image pull policy | `IfNotPresent` |
| `startupapicheck.serviceAccount.create` | If `true`, create a new service account for the startupapicheck component | `true` |
| `startupapicheck.serviceAccount.name` | Service account for the startupapicheck component to be used. If not set and `startupapicheck.serviceAccount.create` is `true`, a name is generated using the fullname template | |
| `startupapicheck.serviceAccount.annotations` | Annotations to add to the service account for the startupapicheck component | |
| `startupapicheck.serviceAccount.automountServiceAccountToken` | Automount API credentials for the startupapicheck Service Account | `true` |
| `maxConcurrentChallenges` | The maximum number of challenges that can be scheduled as 'processing' at once | `60` |
### Default Security Contexts
The default pod-level and container-level security contexts, below, adhere to the [restricted](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted) Pod Security Standards policies.
Default pod-level securityContext:
```yaml
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
```
Default containerSecurityContext:
```yaml
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
```
### Assigning Values
Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`.
Alternatively, a YAML file that specifies the values for the above parameters can be provided while installing the chart. For example,
```console
$ helm install my-release -f values.yaml .
```
> **Tip**: You can use the default [values.yaml](https://github.com/cert-manager/cert-manager/blob/master/deploy/charts/cert-manager/values.yaml)
## Contributing
This chart is maintained at [github.com/cert-manager/cert-manager](https://github.com/cert-manager/cert-manager/tree/master/deploy/charts/cert-manager).

15
charts/koor-tech/koor-operator/charts/cert-manager/templates/NOTES.txt Normal file
View File

@ -0,0 +1,15 @@
cert-manager {{ .Chart.AppVersion }} has been deployed successfully!
In order to begin issuing certificates, you will need to set up a ClusterIssuer
or Issuer resource (for example, by creating a 'letsencrypt-staging' issuer).
More information on the different types of issuers and how to configure them
can be found in our documentation:
https://cert-manager.io/docs/configuration/
For information on how to configure cert-manager to automatically provision
Certificates for Ingress resources, take a look at the `ingress-shim`
documentation:
https://cert-manager.io/docs/usage/ingress/

174
charts/koor-tech/koor-operator/charts/cert-manager/templates/_helpers.tpl Normal file
View File

@ -0,0 +1,174 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
*/}}
{{- define "cert-manager.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
*/}}
{{- define "cert-manager.fullname" -}}
{{- if .Values.fullnameOverride -}}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- if contains $name .Release.Name -}}
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{/*
Create the name of the service account to use
*/}}
{{- define "cert-manager.serviceAccountName" -}}
{{- if .Values.serviceAccount.create -}}
{{ default (include "cert-manager.fullname" .) .Values.serviceAccount.name }}
{{- else -}}
{{ default "default" .Values.serviceAccount.name }}
{{- end -}}
{{- end -}}
{{/*
Webhook templates
*/}}
{{/*
Expand the name of the chart.
Manually fix the 'app' and 'name' labels to 'webhook' to maintain
compatibility with the v0.9 deployment selector.
*/}}
{{- define "webhook.name" -}}
{{- printf "webhook" -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "webhook.fullname" -}}
{{- $trimmedName := printf "%s" (include "cert-manager.fullname" .) | trunc 55 | trimSuffix "-" -}}
{{- printf "%s-webhook" $trimmedName | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- define "webhook.caRef" -}}
{{- template "cert-manager.namespace" }}/{{ template "webhook.fullname" . }}-ca
{{- end -}}
{{/*
Create the name of the service account to use
*/}}
{{- define "webhook.serviceAccountName" -}}
{{- if .Values.webhook.serviceAccount.create -}}
{{ default (include "webhook.fullname" .) .Values.webhook.serviceAccount.name }}
{{- else -}}
{{ default "default" .Values.webhook.serviceAccount.name }}
{{- end -}}
{{- end -}}
{{/*
cainjector templates
*/}}
{{/*
Expand the name of the chart.
Manually fix the 'app' and 'name' labels to 'cainjector' to maintain
compatibility with the v0.9 deployment selector.
*/}}
{{- define "cainjector.name" -}}
{{- printf "cainjector" -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "cainjector.fullname" -}}
{{- $trimmedName := printf "%s" (include "cert-manager.fullname" .) | trunc 52 | trimSuffix "-" -}}
{{- printf "%s-cainjector" $trimmedName | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create the name of the service account to use
*/}}
{{- define "cainjector.serviceAccountName" -}}
{{- if .Values.cainjector.serviceAccount.create -}}
{{ default (include "cainjector.fullname" .) .Values.cainjector.serviceAccount.name }}
{{- else -}}
{{ default "default" .Values.cainjector.serviceAccount.name }}
{{- end -}}
{{- end -}}
{{/*
startupapicheck templates
*/}}
{{/*
Expand the name of the chart.
Manually fix the 'app' and 'name' labels to 'startupapicheck' to maintain
compatibility with the v0.9 deployment selector.
*/}}
{{- define "startupapicheck.name" -}}
{{- printf "startupapicheck" -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "startupapicheck.fullname" -}}
{{- $trimmedName := printf "%s" (include "cert-manager.fullname" .) | trunc 52 | trimSuffix "-" -}}
{{- printf "%s-startupapicheck" $trimmedName | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create the name of the service account to use
*/}}
{{- define "startupapicheck.serviceAccountName" -}}
{{- if .Values.startupapicheck.serviceAccount.create -}}
{{ default (include "startupapicheck.fullname" .) .Values.startupapicheck.serviceAccount.name }}
{{- else -}}
{{ default "default" .Values.startupapicheck.serviceAccount.name }}
{{- end -}}
{{- end -}}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "chartName" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Labels that should be added on each resource
*/}}
{{- define "labels" -}}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- if eq (default "helm" .Values.creator) "helm" }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
helm.sh/chart: {{ include "chartName" . }}
{{- end -}}
{{- if .Values.global.commonLabels}}
{{ toYaml .Values.global.commonLabels }}
{{- end }}
{{- end -}}
{{/*
Namespace for all resources to be installed into
If not defined in values file then the helm release namespace is used
By default this is not set so the helm release namespace will be used
This gets around an problem within helm discussed here
https://github.com/helm/helm/issues/5358
*/}}
{{- define "cert-manager.namespace" -}}
{{ .Values.namespace | default .Release.Namespace }}
{{- end -}}

117
charts/koor-tech/koor-operator/charts/cert-manager/templates/cainjector-deployment.yaml Normal file
View File

@ -0,0 +1,117 @@
{{- if .Values.cainjector.enabled }}
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "cainjector.fullname" . }}
namespace: {{ include "cert-manager.namespace" . }}
labels:
app: {{ include "cainjector.name" . }}
app.kubernetes.io/name: {{ include "cainjector.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: "cainjector"
{{- include "labels" . | nindent 4 }}
{{- with .Values.cainjector.deploymentAnnotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
replicas: {{ .Values.cainjector.replicaCount }}
selector:
matchLabels:
app.kubernetes.io/name: {{ include "cainjector.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: "cainjector"
{{- with .Values.cainjector.strategy }}
strategy:
{{- toYaml . | nindent 4 }}
{{- end }}
template:
metadata:
labels:
app: {{ include "cainjector.name" . }}
app.kubernetes.io/name: {{ include "cainjector.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: "cainjector"
{{- include "labels" . | nindent 8 }}
{{- with .Values.cainjector.podLabels }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.cainjector.podAnnotations }}
annotations:
{{- toYaml . | nindent 8 }}
{{- end }}
spec:
serviceAccountName: {{ template "cainjector.serviceAccountName" . }}
{{- if hasKey .Values.cainjector "automountServiceAccountToken" }}
automountServiceAccountToken: {{ .Values.cainjector.automountServiceAccountToken }}
{{- end }}
{{- with .Values.global.priorityClassName }}
priorityClassName: {{ . | quote }}
{{- end }}
{{- with .Values.cainjector.securityContext }}
securityContext:
{{- toYaml . | nindent 8 }}
{{- end }}
containers:
- name: {{ .Chart.Name }}-cainjector
{{- with .Values.cainjector.image }}
image: "{{- if .registry -}}{{ .registry }}/{{- end -}}{{ .repository }}{{- if (.digest) -}} @{{ .digest }}{{- else -}}:{{ default $.Chart.AppVersion .tag }} {{- end -}}"
{{- end }}
imagePullPolicy: {{ .Values.cainjector.image.pullPolicy }}
args:
{{- if .Values.global.logLevel }}
- --v={{ .Values.global.logLevel }}
{{- end }}
{{- with .Values.global.leaderElection }}
- --leader-election-namespace={{ .namespace }}
{{- if .leaseDuration }}
- --leader-election-lease-duration={{ .leaseDuration }}
{{- end }}
{{- if .renewDeadline }}
- --leader-election-renew-deadline={{ .renewDeadline }}
{{- end }}
{{- if .retryPeriod }}
- --leader-election-retry-period={{ .retryPeriod }}
{{- end }}
{{- end }}
{{- with .Values.cainjector.extraArgs }}
{{- toYaml . | nindent 10 }}
{{- end }}
env:
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
{{- with .Values.cainjector.containerSecurityContext }}
securityContext:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- with .Values.cainjector.resources }}
resources:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- with .Values.cainjector.volumeMounts }}
volumeMounts:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- with .Values.cainjector.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.cainjector.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.cainjector.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.cainjector.topologySpreadConstraints }}
topologySpreadConstraints:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.cainjector.volumes }}
volumes:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- end }}

26
charts/koor-tech/koor-operator/charts/cert-manager/templates/cainjector-poddisruptionbudget.yaml Normal file
View File

@ -0,0 +1,26 @@
{{- if .Values.cainjector.podDisruptionBudget.enabled }}
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
name: {{ include "cainjector.fullname" . }}
namespace: {{ include "cert-manager.namespace" . }}
labels:
app: {{ include "cainjector.name" . }}
app.kubernetes.io/name: {{ include "cainjector.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: "cainjector"
{{- include "labels" . | nindent 4 }}
spec:
selector:
matchLabels:
app.kubernetes.io/name: {{ include "cainjector.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: "cainjector"
{{- with .Values.cainjector.podDisruptionBudget.minAvailable }}
minAvailable: {{ . }}
{{- end }}
{{- with .Values.cainjector.podDisruptionBudget.maxUnavailable }}
maxUnavailable: {{ . }}
{{- end }}
{{- end }}

20
charts/koor-tech/koor-operator/charts/cert-manager/templates/cainjector-psp-clusterrole.yaml Normal file
View File

@ -0,0 +1,20 @@
{{- if .Values.cainjector.enabled }}
{{- if .Values.global.podSecurityPolicy.enabled }}
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ template "cainjector.fullname" . }}-psp
labels:
app: {{ include "cainjector.name" . }}
app.kubernetes.io/name: {{ include "cainjector.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: "cainjector"
{{- include "labels" . | nindent 4 }}
rules:
- apiGroups: ['policy']
resources: ['podsecuritypolicies']
verbs: ['use']
resourceNames:
- {{ template "cainjector.fullname" . }}
{{- end }}
{{- end }}

22
charts/koor-tech/koor-operator/charts/cert-manager/templates/cainjector-psp-clusterrolebinding.yaml Normal file
View File

@ -0,0 +1,22 @@
{{- if .Values.cainjector.enabled }}
{{- if .Values.global.podSecurityPolicy.enabled }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ template "cainjector.fullname" . }}-psp
labels:
app: {{ include "cainjector.name" . }}
app.kubernetes.io/name: {{ include "cainjector.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: "cainjector"
{{- include "labels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ template "cainjector.fullname" . }}-psp
subjects:
- kind: ServiceAccount
name: {{ template "cainjector.serviceAccountName" . }}
namespace: {{ include "cert-manager.namespace" . }}
{{- end }}
{{- end }}

51
charts/koor-tech/koor-operator/charts/cert-manager/templates/cainjector-psp.yaml Normal file
View File

@ -0,0 +1,51 @@
{{- if .Values.cainjector.enabled }}
{{- if .Values.global.podSecurityPolicy.enabled }}
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: {{ template "cainjector.fullname" . }}
labels:
app: {{ include "cainjector.name" . }}
app.kubernetes.io/name: {{ include "cainjector.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: "cainjector"
{{- include "labels" . | nindent 4 }}
annotations:
seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default'
seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default'
{{- if .Values.global.podSecurityPolicy.useAppArmor }}
apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
{{- end }}
spec:
privileged: false
allowPrivilegeEscalation: false
allowedCapabilities: [] # default set of capabilities are implicitly allowed
volumes:
- 'configMap'
- 'emptyDir'
- 'projected'
- 'secret'
- 'downwardAPI'
hostNetwork: false
hostIPC: false
hostPID: false
runAsUser:
rule: 'MustRunAs'
ranges:
- min: 1000
max: 1000
seLinux:
rule: 'RunAsAny'
supplementalGroups:
rule: 'MustRunAs'
ranges:
- min: 1000
max: 1000
fsGroup:
rule: 'MustRunAs'
ranges:
- min: 1000
max: 1000
{{- end }}
{{- end }}

103
charts/koor-tech/koor-operator/charts/cert-manager/templates/cainjector-rbac.yaml Normal file
View File

@ -0,0 +1,103 @@
{{- if .Values.cainjector.enabled }}
{{- if .Values.global.rbac.create }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "cainjector.fullname" . }}
labels:
app: {{ include "cainjector.name" . }}
app.kubernetes.io/name: {{ include "cainjector.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: "cainjector"
{{- include "labels" . | nindent 4 }}
rules:
- apiGroups: ["cert-manager.io"]
resources: ["certificates"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["events"]
verbs: ["get", "create", "update", "patch"]
- apiGroups: ["admissionregistration.k8s.io"]
resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"]
verbs: ["get", "list", "watch", "update", "patch"]
- apiGroups: ["apiregistration.k8s.io"]
resources: ["apiservices"]
verbs: ["get", "list", "watch", "update", "patch"]
- apiGroups: ["apiextensions.k8s.io"]
resources: ["customresourcedefinitions"]
verbs: ["get", "list", "watch", "update", "patch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ template "cainjector.fullname" . }}
labels:
app: {{ include "cainjector.name" . }}
app.kubernetes.io/name: {{ include "cainjector.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: "cainjector"
{{- include "labels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ template "cainjector.fullname" . }}
subjects:
- name: {{ template "cainjector.serviceAccountName" . }}
namespace: {{ include "cert-manager.namespace" . }}
kind: ServiceAccount
---
# leader election rules
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ template "cainjector.fullname" . }}:leaderelection
namespace: {{ .Values.global.leaderElection.namespace }}
labels:
app: {{ include "cainjector.name" . }}
app.kubernetes.io/name: {{ include "cainjector.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: "cainjector"
{{- include "labels" . | nindent 4 }}
rules:
# Used for leader election by the controller
# cert-manager-cainjector-leader-election is used by the CertificateBased injector controller
# see cmd/cainjector/start.go#L113
# cert-manager-cainjector-leader-election-core is used by the SecretBased injector controller
# see cmd/cainjector/start.go#L137
- apiGroups: ["coordination.k8s.io"]
resources: ["leases"]
resourceNames: ["cert-manager-cainjector-leader-election", "cert-manager-cainjector-leader-election-core"]
verbs: ["get", "update", "patch"]
- apiGroups: ["coordination.k8s.io"]
resources: ["leases"]
verbs: ["create"]
---
# grant cert-manager permission to manage the leaderelection configmap in the
# leader election namespace
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ include "cainjector.fullname" . }}:leaderelection
namespace: {{ .Values.global.leaderElection.namespace }}
labels:
app: {{ include "cainjector.name" . }}
app.kubernetes.io/name: {{ include "cainjector.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: "cainjector"
{{- include "labels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ template "cainjector.fullname" . }}:leaderelection
subjects:
- kind: ServiceAccount
name: {{ template "cainjector.serviceAccountName" . }}
namespace: {{ include "cert-manager.namespace" . }}
{{- end }}
{{- end }}

27
charts/koor-tech/koor-operator/charts/cert-manager/templates/cainjector-serviceaccount.yaml Normal file
View File

@ -0,0 +1,27 @@
{{- if .Values.cainjector.enabled }}
{{- if .Values.cainjector.serviceAccount.create }}
apiVersion: v1
kind: ServiceAccount
automountServiceAccountToken: {{ .Values.cainjector.serviceAccount.automountServiceAccountToken }}
metadata:
name: {{ template "cainjector.serviceAccountName" . }}
namespace: {{ include "cert-manager.namespace" . }}
{{- with .Values.cainjector.serviceAccount.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
labels:
app: {{ include "cainjector.name" . }}
app.kubernetes.io/name: {{ include "cainjector.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: "cainjector"
{{- include "labels" . | nindent 4 }}
{{- with .Values.cainjector.serviceAccount.labels }}
{{ toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.global.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 2 }}
{{- end }}
{{- end }}
{{- end }}

4462
charts/koor-tech/koor-operator/charts/cert-manager/templates/crds.yaml Normal file
View File

File diff suppressed because it is too large Load Diff

204
charts/koor-tech/koor-operator/charts/cert-manager/templates/deployment.yaml Normal file
View File

@ -0,0 +1,204 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ template "cert-manager.fullname" . }}
namespace: {{ include "cert-manager.namespace" . }}
labels:
app: {{ template "cert-manager.name" . }}
app.kubernetes.io/name: {{ template "cert-manager.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: "controller"
{{- include "labels" . | nindent 4 }}
{{- with .Values.deploymentAnnotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
replicas: {{ .Values.replicaCount }}
selector:
matchLabels:
app.kubernetes.io/name: {{ template "cert-manager.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: "controller"
{{- with .Values.strategy }}
strategy:
{{- toYaml . | nindent 4 }}
{{- end }}
template:
metadata:
labels:
app: {{ template "cert-manager.name" . }}
app.kubernetes.io/name: {{ template "cert-manager.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: "controller"
{{- include "labels" . | nindent 8 }}
{{- with .Values.podLabels }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.podAnnotations }}
annotations:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- if and .Values.prometheus.enabled (not .Values.prometheus.servicemonitor.enabled) }}
{{- if not .Values.podAnnotations }}
annotations:
{{- end }}
prometheus.io/path: "/metrics"
prometheus.io/scrape: 'true'
prometheus.io/port: '9402'
{{- end }}
spec:
serviceAccountName: {{ template "cert-manager.serviceAccountName" . }}
{{- if hasKey .Values "automountServiceAccountToken" }}
automountServiceAccountToken: {{ .Values.automountServiceAccountToken }}
{{- end }}
{{- with .Values.global.priorityClassName }}
priorityClassName: {{ . | quote }}
{{- end }}
{{- with .Values.securityContext }}
securityContext:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.volumes }}
volumes:
{{- toYaml . | nindent 8 }}
{{- end }}
containers:
- name: {{ .Chart.Name }}-controller
{{- with .Values.image }}
image: "{{- if .registry -}}{{ .registry }}/{{- end -}}{{ .repository }}{{- if (.digest) -}} @{{ .digest }}{{- else -}}:{{ default $.Chart.AppVersion .tag }} {{- end -}}"
{{- end }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
args:
{{- if .Values.global.logLevel }}
- --v={{ .Values.global.logLevel }}
{{- end }}
{{- if .Values.clusterResourceNamespace }}
- --cluster-resource-namespace={{ .Values.clusterResourceNamespace }}
{{- else }}
- --cluster-resource-namespace=$(POD_NAMESPACE)
{{- end }}
{{- with .Values.global.leaderElection }}
- --leader-election-namespace={{ .namespace }}
{{- if .leaseDuration }}
- --leader-election-lease-duration={{ .leaseDuration }}
{{- end }}
{{- if .renewDeadline }}
- --leader-election-renew-deadline={{ .renewDeadline }}
{{- end }}
{{- if .retryPeriod }}
- --leader-election-retry-period={{ .retryPeriod }}
{{- end }}
{{- end }}
{{- with .Values.acmesolver.image }}
- --acme-http01-solver-image={{- if .registry -}}{{ .registry }}/{{- end -}}{{ .repository }}{{- if (.digest) -}} @{{ .digest }}{{- else -}}:{{ default $.Chart.AppVersion .tag }} {{- end -}}
{{- end }}
{{- with .Values.extraArgs }}
{{- toYaml . | nindent 10 }}
{{- end }}
{{- with .Values.ingressShim }}
{{- if .defaultIssuerName }}
- --default-issuer-name={{ .defaultIssuerName }}
{{- end }}
{{- if .defaultIssuerKind }}
- --default-issuer-kind={{ .defaultIssuerKind }}
{{- end }}
{{- if .defaultIssuerGroup }}
- --default-issuer-group={{ .defaultIssuerGroup }}
{{- end }}
{{- end }}
{{- if .Values.featureGates }}
- --feature-gates={{ .Values.featureGates }}
{{- end }}
{{- if .Values.maxConcurrentChallenges }}
- --max-concurrent-challenges={{ .Values.maxConcurrentChallenges }}
{{- end }}
{{- if .Values.enableCertificateOwnerRef }}
- --enable-certificate-owner-ref=true
{{- end }}
{{- if .Values.dns01RecursiveNameserversOnly }}
- --dns01-recursive-nameservers-only=true
{{- end }}
{{- with .Values.dns01RecursiveNameservers }}
- --dns01-recursive-nameservers={{ . }}
{{- end }}
ports:
- containerPort: 9402
name: http-metrics
protocol: TCP
- containerPort: 9403
name: http-healthz
protocol: TCP
{{- with .Values.containerSecurityContext }}
securityContext:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- with .Values.volumeMounts }}
volumeMounts:
{{- toYaml . | nindent 12 }}
{{- end }}
env:
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
{{- with .Values.extraEnv }}
{{- toYaml . | nindent 10 }}
{{- end }}
{{- with .Values.http_proxy }}
- name: HTTP_PROXY
value: {{ . }}
{{- end }}
{{- with .Values.https_proxy }}
- name: HTTPS_PROXY
value: {{ . }}
{{- end }}
{{- with .Values.no_proxy }}
- name: NO_PROXY
value: {{ . }}
{{- end }}
{{- with .Values.resources }}
resources:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- with .Values.livenessProbe }}
{{- if .enabled }}
# LivenessProbe settings are based on those used for the Kubernetes
# controller-manager. See:
# https://github.com/kubernetes/kubernetes/blob/806b30170c61a38fedd54cc9ede4cd6275a1ad3b/cmd/kubeadm/app/util/staticpod/utils.go#L241-L245
livenessProbe:
httpGet:
port: http-healthz
path: /livez
scheme: HTTP
initialDelaySeconds: {{ .initialDelaySeconds }}
periodSeconds: {{ .periodSeconds }}
timeoutSeconds: {{ .timeoutSeconds }}
successThreshold: {{ .successThreshold }}
failureThreshold: {{ .failureThreshold }}
{{- end }}
{{- end }}
{{- with .Values.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.topologySpreadConstraints }}
topologySpreadConstraints:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.podDnsPolicy }}
dnsPolicy: {{ . }}
{{- end }}
{{- with .Values.podDnsConfig }}
dnsConfig:
{{- toYaml . | nindent 8 }}
{{- end }}

23
charts/koor-tech/koor-operator/charts/cert-manager/templates/networkpolicy-egress.yaml Normal file
View File

@ -0,0 +1,23 @@
{{- if .Values.webhook.networkPolicy.enabled }}
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: {{ template "webhook.fullname" . }}-allow-egress
namespace: {{ include "cert-manager.namespace" . }}
spec:
egress:
{{- with .Values.webhook.networkPolicy.egress }}
{{- toYaml . | nindent 2 }}
{{- end }}
podSelector:
matchLabels:
app: {{ include "webhook.name" . }}
app.kubernetes.io/name: {{ include "webhook.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: "webhook"
{{- with .Values.webhook.podLabels }}
{{- toYaml . | nindent 6 }}
{{- end }}
policyTypes:
- Egress
{{- end }}

25
charts/koor-tech/koor-operator/charts/cert-manager/templates/networkpolicy-webhooks.yaml Normal file
View File

@ -0,0 +1,25 @@
{{- if .Values.webhook.networkPolicy.enabled }}
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: {{ template "webhook.fullname" . }}-allow-ingress
namespace: {{ include "cert-manager.namespace" . }}
spec:
ingress:
{{- with .Values.webhook.networkPolicy.ingress }}
{{- toYaml . | nindent 2 }}
{{- end }}
podSelector:
matchLabels:
app: {{ include "webhook.name" . }}
app.kubernetes.io/name: {{ include "webhook.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: "webhook"
{{- with .Values.webhook.podLabels }}
{{- toYaml . | nindent 6 }}
{{- end }}
policyTypes:
- Ingress
{{- end }}

26
charts/koor-tech/koor-operator/charts/cert-manager/templates/poddisruptionbudget.yaml Normal file
View File

@ -0,0 +1,26 @@
{{- if .Values.podDisruptionBudget.enabled }}
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
name: {{ include "cert-manager.fullname" . }}
namespace: {{ include "cert-manager.namespace" . }}
labels:
app: {{ include "cert-manager.name" . }}
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: "controller"
{{- include "labels" . | nindent 4 }}
spec:
selector:
matchLabels:
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: "controller"
{{- with .Values.podDisruptionBudget.minAvailable }}
minAvailable: {{ . }}
{{- end }}
{{- with .Values.podDisruptionBudget.maxUnavailable }}
maxUnavailable: {{ . }}
{{- end }}
{{- end }}

18
charts/koor-tech/koor-operator/charts/cert-manager/templates/psp-clusterrole.yaml Normal file
View File

@ -0,0 +1,18 @@
{{- if .Values.global.podSecurityPolicy.enabled }}
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ template "cert-manager.fullname" . }}-psp
labels:
app: {{ include "cert-manager.name" . }}
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: "controller"
{{- include "labels" . | nindent 4 }}
rules:
- apiGroups: ['policy']
resources: ['podsecuritypolicies']
verbs: ['use']
resourceNames:
- {{ template "cert-manager.fullname" . }}
{{- end }}

20
charts/koor-tech/koor-operator/charts/cert-manager/templates/psp-clusterrolebinding.yaml Normal file
View File

@ -0,0 +1,20 @@
{{- if .Values.global.podSecurityPolicy.enabled }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ template "cert-manager.fullname" . }}-psp
labels:
app: {{ include "cert-manager.name" . }}
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: "controller"
{{- include "labels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ template "cert-manager.fullname" . }}-psp
subjects:
- kind: ServiceAccount
name: {{ template "cert-manager.serviceAccountName" . }}
namespace: {{ include "cert-manager.namespace" . }}
{{- end }}

49
charts/koor-tech/koor-operator/charts/cert-manager/templates/psp.yaml Normal file
View File

@ -0,0 +1,49 @@
{{- if .Values.global.podSecurityPolicy.enabled }}
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: {{ template "cert-manager.fullname" . }}
labels:
app: {{ include "cert-manager.name" . }}
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: "controller"
{{- include "labels" . | nindent 4 }}
annotations:
seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default'
seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default'
{{- if .Values.global.podSecurityPolicy.useAppArmor }}
apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
{{- end }}
spec:
privileged: false
allowPrivilegeEscalation: false
allowedCapabilities: [] # default set of capabilities are implicitly allowed
volumes:
- 'configMap'
- 'emptyDir'
- 'projected'
- 'secret'
- 'downwardAPI'
hostNetwork: false
hostIPC: false
hostPID: false
runAsUser:
rule: 'MustRunAs'
ranges:
- min: 1000
max: 1000
seLinux:
rule: 'RunAsAny'
supplementalGroups:
rule: 'MustRunAs'
ranges:
- min: 1000
max: 1000
fsGroup:
rule: 'MustRunAs'
ranges:
- min: 1000
max: 1000
{{- end }}

544
charts/koor-tech/koor-operator/charts/cert-manager/templates/rbac.yaml Normal file
View File

@ -0,0 +1,544 @@
{{- if .Values.global.rbac.create }}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ template "cert-manager.fullname" . }}:leaderelection
namespace: {{ .Values.global.leaderElection.namespace }}
labels:
app: {{ include "cert-manager.name" . }}
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: "controller"
{{- include "labels" . | nindent 4 }}
rules:
- apiGroups: ["coordination.k8s.io"]
resources: ["leases"]
resourceNames: ["cert-manager-controller"]
verbs: ["get", "update", "patch"]
- apiGroups: ["coordination.k8s.io"]
resources: ["leases"]
verbs: ["create"]
---
# grant cert-manager permission to manage the leaderelection configmap in the
# leader election namespace
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ include "cert-manager.fullname" . }}:leaderelection
namespace: {{ .Values.global.leaderElection.namespace }}
labels:
app: {{ include "cert-manager.name" . }}
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: "controller"
{{- include "labels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ template "cert-manager.fullname" . }}:leaderelection
subjects:
- apiGroup: ""
kind: ServiceAccount
name: {{ template "cert-manager.serviceAccountName" . }}
namespace: {{ include "cert-manager.namespace" . }}
---
# Issuer controller role
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "cert-manager.fullname" . }}-controller-issuers
labels:
app: {{ include "cert-manager.name" . }}
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: "controller"
{{- include "labels" . | nindent 4 }}
rules:
- apiGroups: ["cert-manager.io"]
resources: ["issuers", "issuers/status"]
verbs: ["update", "patch"]
- apiGroups: ["cert-manager.io"]
resources: ["issuers"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "list", "watch", "create", "update", "delete"]
- apiGroups: [""]
resources: ["events"]
verbs: ["create", "patch"]
---
# ClusterIssuer controller role
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "cert-manager.fullname" . }}-controller-clusterissuers
labels:
app: {{ include "cert-manager.name" . }}
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: "controller"
{{- include "labels" . | nindent 4 }}
rules:
- apiGroups: ["cert-manager.io"]
resources: ["clusterissuers", "clusterissuers/status"]
verbs: ["update", "patch"]
- apiGroups: ["cert-manager.io"]
resources: ["clusterissuers"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "list", "watch", "create", "update", "delete"]
- apiGroups: [""]
resources: ["events"]
verbs: ["create", "patch"]
---
# Certificates controller role
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "cert-manager.fullname" . }}-controller-certificates
labels:
app: {{ include "cert-manager.name" . }}
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: "controller"
{{- include "labels" . | nindent 4 }}
rules:
- apiGroups: ["cert-manager.io"]
resources: ["certificates", "certificates/status", "certificaterequests", "certificaterequests/status"]
verbs: ["update", "patch"]
- apiGroups: ["cert-manager.io"]
resources: ["certificates", "certificaterequests", "clusterissuers", "issuers"]
verbs: ["get", "list", "watch"]
# We require these rules to support users with the OwnerReferencesPermissionEnforcement
# admission controller enabled:
# https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
- apiGroups: ["cert-manager.io"]
resources: ["certificates/finalizers", "certificaterequests/finalizers"]
verbs: ["update"]
- apiGroups: ["acme.cert-manager.io"]
resources: ["orders"]
verbs: ["create", "delete", "get", "list", "watch"]
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "list", "watch", "create", "update", "delete", "patch"]
- apiGroups: [""]
resources: ["events"]
verbs: ["create", "patch"]
---
# Orders controller role
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "cert-manager.fullname" . }}-controller-orders
labels:
app: {{ include "cert-manager.name" . }}
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: "controller"
{{- include "labels" . | nindent 4 }}
rules:
- apiGroups: ["acme.cert-manager.io"]
resources: ["orders", "orders/status"]
verbs: ["update", "patch"]
- apiGroups: ["acme.cert-manager.io"]
resources: ["orders", "challenges"]
verbs: ["get", "list", "watch"]
- apiGroups: ["cert-manager.io"]
resources: ["clusterissuers", "issuers"]
verbs: ["get", "list", "watch"]
- apiGroups: ["acme.cert-manager.io"]
resources: ["challenges"]
verbs: ["create", "delete"]
# We require these rules to support users with the OwnerReferencesPermissionEnforcement
# admission controller enabled:
# https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
- apiGroups: ["acme.cert-manager.io"]
resources: ["orders/finalizers"]
verbs: ["update"]
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["events"]
verbs: ["create", "patch"]
---
# Challenges controller role
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "cert-manager.fullname" . }}-controller-challenges
labels:
app: {{ include "cert-manager.name" . }}
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: "controller"
{{- include "labels" . | nindent 4 }}
rules:
# Use to update challenge resource status
- apiGroups: ["acme.cert-manager.io"]
resources: ["challenges", "challenges/status"]
verbs: ["update", "patch"]
# Used to watch challenge resources
- apiGroups: ["acme.cert-manager.io"]
resources: ["challenges"]
verbs: ["get", "list", "watch"]
# Used to watch challenges, issuer and clusterissuer resources
- apiGroups: ["cert-manager.io"]
resources: ["issuers", "clusterissuers"]
verbs: ["get", "list", "watch"]
# Need to be able to retrieve ACME account private key to complete challenges
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "list", "watch"]
# Used to create events
- apiGroups: [""]
resources: ["events"]
verbs: ["create", "patch"]
# HTTP01 rules
- apiGroups: [""]
resources: ["pods", "services"]
verbs: ["get", "list", "watch", "create", "delete"]
- apiGroups: ["networking.k8s.io"]
resources: ["ingresses"]
verbs: ["get", "list", "watch", "create", "delete", "update"]
- apiGroups: [ "gateway.networking.k8s.io" ]
resources: [ "httproutes" ]
verbs: ["get", "list", "watch", "create", "delete", "update"]
# We require the ability to specify a custom hostname when we are creating
# new ingress resources.
# See: https://github.com/openshift/origin/blob/21f191775636f9acadb44fa42beeb4f75b255532/pkg/route/apiserver/admission/ingress_admission.go#L84-L148
- apiGroups: ["route.openshift.io"]
resources: ["routes/custom-host"]
verbs: ["create"]
# We require these rules to support users with the OwnerReferencesPermissionEnforcement
# admission controller enabled:
# https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
- apiGroups: ["acme.cert-manager.io"]
resources: ["challenges/finalizers"]
verbs: ["update"]
# DNS01 rules (duplicated above)
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "list", "watch"]
---
# ingress-shim controller role
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "cert-manager.fullname" . }}-controller-ingress-shim
labels:
app: {{ include "cert-manager.name" . }}
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: "controller"
{{- include "labels" . | nindent 4 }}
rules:
- apiGroups: ["cert-manager.io"]
resources: ["certificates", "certificaterequests"]
verbs: ["create", "update", "delete"]
- apiGroups: ["cert-manager.io"]
resources: ["certificates", "certificaterequests", "issuers", "clusterissuers"]
verbs: ["get", "list", "watch"]
- apiGroups: ["networking.k8s.io"]
resources: ["ingresses"]
verbs: ["get", "list", "watch"]
# We require these rules to support users with the OwnerReferencesPermissionEnforcement
# admission controller enabled:
# https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
- apiGroups: ["networking.k8s.io"]
resources: ["ingresses/finalizers"]
verbs: ["update"]
- apiGroups: ["gateway.networking.k8s.io"]
resources: ["gateways", "httproutes"]
verbs: ["get", "list", "watch"]
- apiGroups: ["gateway.networking.k8s.io"]
resources: ["gateways/finalizers", "httproutes/finalizers"]
verbs: ["update"]
- apiGroups: [""]
resources: ["events"]
verbs: ["create", "patch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ template "cert-manager.fullname" . }}-controller-issuers
labels:
app: {{ include "cert-manager.name" . }}
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: "controller"
{{- include "labels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ template "cert-manager.fullname" . }}-controller-issuers
subjects:
- name: {{ template "cert-manager.serviceAccountName" . }}
namespace: {{ include "cert-manager.namespace" . }}
kind: ServiceAccount
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ template "cert-manager.fullname" . }}-controller-clusterissuers
labels:
app: {{ include "cert-manager.name" . }}
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: "controller"
{{- include "labels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ template "cert-manager.fullname" . }}-controller-clusterissuers
subjects:
- name: {{ template "cert-manager.serviceAccountName" . }}
namespace: {{ include "cert-manager.namespace" . }}
kind: ServiceAccount
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ template "cert-manager.fullname" . }}-controller-certificates
labels:
app: {{ include "cert-manager.name" . }}
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: "controller"
{{- include "labels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ template "cert-manager.fullname" . }}-controller-certificates
subjects:
- name: {{ template "cert-manager.serviceAccountName" . }}
namespace: {{ include "cert-manager.namespace" . }}
kind: ServiceAccount
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ template "cert-manager.fullname" . }}-controller-orders
labels:
app: {{ include "cert-manager.name" . }}
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: "controller"
{{- include "labels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ template "cert-manager.fullname" . }}-controller-orders
subjects:
- name: {{ template "cert-manager.serviceAccountName" . }}
namespace: {{ include "cert-manager.namespace" . }}
kind: ServiceAccount
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ template "cert-manager.fullname" . }}-controller-challenges
labels:
app: {{ include "cert-manager.name" . }}
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: "controller"
{{- include "labels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ template "cert-manager.fullname" . }}-controller-challenges
subjects:
- name: {{ template "cert-manager.serviceAccountName" . }}
namespace: {{ include "cert-manager.namespace" . }}
kind: ServiceAccount
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ template "cert-manager.fullname" . }}-controller-ingress-shim
labels:
app: {{ include "cert-manager.name" . }}
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: "controller"
{{- include "labels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ template "cert-manager.fullname" . }}-controller-ingress-shim
subjects:
- name: {{ template "cert-manager.serviceAccountName" . }}
namespace: {{ include "cert-manager.namespace" . }}
kind: ServiceAccount
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "cert-manager.fullname" . }}-view
labels:
app: {{ include "cert-manager.name" . }}
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: "controller"
{{- include "labels" . | nindent 4 }}
{{- if .Values.global.rbac.aggregateClusterRoles }}
rbac.authorization.k8s.io/aggregate-to-view: "true"
rbac.authorization.k8s.io/aggregate-to-edit: "true"
rbac.authorization.k8s.io/aggregate-to-admin: "true"
{{- end }}
rules:
- apiGroups: ["cert-manager.io"]
resources: ["certificates", "certificaterequests", "issuers"]
verbs: ["get", "list", "watch"]
- apiGroups: ["acme.cert-manager.io"]
resources: ["challenges", "orders"]
verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "cert-manager.fullname" . }}-edit
labels:
app: {{ include "cert-manager.name" . }}
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: "controller"
{{- include "labels" . | nindent 4 }}
{{- if .Values.global.rbac.aggregateClusterRoles }}
rbac.authorization.k8s.io/aggregate-to-edit: "true"
rbac.authorization.k8s.io/aggregate-to-admin: "true"
{{- end }}
rules:
- apiGroups: ["cert-manager.io"]
resources: ["certificates", "certificaterequests", "issuers"]
verbs: ["create", "delete", "deletecollection", "patch", "update"]
- apiGroups: ["cert-manager.io"]
resources: ["certificates/status"]
verbs: ["update"]
- apiGroups: ["acme.cert-manager.io"]
resources: ["challenges", "orders"]
verbs: ["create", "delete", "deletecollection", "patch", "update"]
---
# Permission to approve CertificateRequests referencing cert-manager.io Issuers and ClusterIssuers
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "cert-manager.fullname" . }}-controller-approve:cert-manager-io
labels:
app: {{ include "cert-manager.name" . }}
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: "cert-manager"
{{- include "labels" . | nindent 4 }}
rules:
- apiGroups: ["cert-manager.io"]
resources: ["signers"]
verbs: ["approve"]
resourceNames: ["issuers.cert-manager.io/*", "clusterissuers.cert-manager.io/*"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ template "cert-manager.fullname" . }}-controller-approve:cert-manager-io
labels:
app: {{ include "cert-manager.name" . }}
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: "cert-manager"
{{- include "labels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ template "cert-manager.fullname" . }}-controller-approve:cert-manager-io
subjects:
- name: {{ template "cert-manager.serviceAccountName" . }}
namespace: {{ include "cert-manager.namespace" . }}
kind: ServiceAccount
---
# Permission to:
# - Update and sign CertificatSigningeRequests referencing cert-manager.io Issuers and ClusterIssuers
# - Perform SubjectAccessReviews to test whether users are able to reference Namespaced Issuers
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "cert-manager.fullname" . }}-controller-certificatesigningrequests
labels:
app: {{ include "cert-manager.name" . }}
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: "cert-manager"
{{- include "labels" . | nindent 4 }}
rules:
- apiGroups: ["certificates.k8s.io"]
resources: ["certificatesigningrequests"]
verbs: ["get", "list", "watch", "update"]
- apiGroups: ["certificates.k8s.io"]
resources: ["certificatesigningrequests/status"]
verbs: ["update", "patch"]
- apiGroups: ["certificates.k8s.io"]
resources: ["signers"]
resourceNames: ["issuers.cert-manager.io/*", "clusterissuers.cert-manager.io/*"]
verbs: ["sign"]
- apiGroups: ["authorization.k8s.io"]
resources: ["subjectaccessreviews"]
verbs: ["create"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ template "cert-manager.fullname" . }}-controller-certificatesigningrequests
labels:
app: {{ include "cert-manager.name" . }}
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: "cert-manager"
{{- include "labels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ template "cert-manager.fullname" . }}-controller-certificatesigningrequests
subjects:
- name: {{ template "cert-manager.serviceAccountName" . }}
namespace: {{ include "cert-manager.namespace" . }}
kind: ServiceAccount
{{- end }}

31
charts/koor-tech/koor-operator/charts/cert-manager/templates/service.yaml Normal file
View File

@ -0,0 +1,31 @@
{{- if .Values.prometheus.enabled }}
apiVersion: v1
kind: Service
metadata:
name: {{ template "cert-manager.fullname" . }}
namespace: {{ include "cert-manager.namespace" . }}
{{- with .Values.serviceAnnotations }}
annotations:
{{ toYaml . | indent 4 }}
{{- end }}
labels:
app: {{ include "cert-manager.name" . }}
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: "controller"
{{- include "labels" . | nindent 4 }}
{{- with .Values.serviceLabels }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
type: ClusterIP
ports:
- protocol: TCP
port: 9402
name: tcp-prometheus-servicemonitor
targetPort: {{ .Values.prometheus.servicemonitor.targetPort }}
selector:
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: "controller"
{{- end }}

25
charts/koor-tech/koor-operator/charts/cert-manager/templates/serviceaccount.yaml Normal file
View File

@ -0,0 +1,25 @@
{{- if .Values.serviceAccount.create }}
apiVersion: v1
kind: ServiceAccount
{{- with .Values.global.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 2 }}
{{- end }}
automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}
metadata:
name: {{ template "cert-manager.serviceAccountName" . }}
namespace: {{ include "cert-manager.namespace" . }}
{{- with .Values.serviceAccount.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
labels:
app: {{ include "cert-manager.name" . }}
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: "controller"
{{- include "labels" . | nindent 4 }}
{{- with .Values.serviceAccount.labels }}
{{ toYaml . | nindent 4 }}
{{- end }}
{{- end }}

45
charts/koor-tech/koor-operator/charts/cert-manager/templates/servicemonitor.yaml Normal file
View File

@ -0,0 +1,45 @@
{{- if and .Values.prometheus.enabled .Values.prometheus.servicemonitor.enabled }}
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: {{ template "cert-manager.fullname" . }}
{{- if .Values.prometheus.servicemonitor.namespace }}
namespace: {{ .Values.prometheus.servicemonitor.namespace }}
{{- else }}
namespace: {{ include "cert-manager.namespace" . }}
{{- end }}
labels:
app: {{ include "cert-manager.name" . }}
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: "controller"
{{- include "labels" . | nindent 4 }}
prometheus: {{ .Values.prometheus.servicemonitor.prometheusInstance }}
{{- with .Values.prometheus.servicemonitor.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- if .Values.prometheus.servicemonitor.annotations }}
annotations:
{{- with .Values.prometheus.servicemonitor.annotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}
spec:
jobLabel: {{ template "cert-manager.fullname" . }}
selector:
matchLabels:
app.kubernetes.io/name: {{ template "cert-manager.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: "controller"
{{- if .Values.prometheus.servicemonitor.namespace }}
namespaceSelector:
matchNames:
- {{ include "cert-manager.namespace" . }}
{{- end }}
endpoints:
- targetPort: {{ .Values.prometheus.servicemonitor.targetPort }}
path: {{ .Values.prometheus.servicemonitor.path }}
interval: {{ .Values.prometheus.servicemonitor.interval }}
scrapeTimeout: {{ .Values.prometheus.servicemonitor.scrapeTimeout }}
honorLabels: {{ .Values.prometheus.servicemonitor.honorLabels }}
{{- end }}

88
charts/koor-tech/koor-operator/charts/cert-manager/templates/startupapicheck-job.yaml Normal file
View File

@ -0,0 +1,88 @@
{{- if .Values.startupapicheck.enabled }}
apiVersion: batch/v1
kind: Job
metadata:
name: {{ include "startupapicheck.fullname" . }}
namespace: {{ include "cert-manager.namespace" . }}
labels:
app: {{ include "startupapicheck.name" . }}
app.kubernetes.io/name: {{ include "startupapicheck.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: "startupapicheck"
{{- include "labels" . | nindent 4 }}
{{- with .Values.startupapicheck.jobAnnotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
backoffLimit: {{ .Values.startupapicheck.backoffLimit }}
template:
metadata:
labels:
app: {{ include "startupapicheck.name" . }}
app.kubernetes.io/name: {{ include "startupapicheck.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: "startupapicheck"
{{- include "labels" . | nindent 8 }}
{{- with .Values.startupapicheck.podLabels }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.startupapicheck.podAnnotations }}
annotations:
{{- toYaml . | nindent 8 }}
{{- end }}
spec:
restartPolicy: OnFailure
serviceAccountName: {{ template "startupapicheck.serviceAccountName" . }}
{{- if hasKey .Values.startupapicheck "automountServiceAccountToken" }}
automountServiceAccountToken: {{ .Values.startupapicheck.automountServiceAccountToken }}
{{- end }}
{{- with .Values.global.priorityClassName }}
priorityClassName: {{ . | quote }}
{{- end }}
{{- with .Values.startupapicheck.securityContext }}
securityContext:
{{- toYaml . | nindent 8 }}
{{- end }}
containers:
- name: {{ .Chart.Name }}-startupapicheck
{{- with .Values.startupapicheck.image }}
image: "{{- if .registry -}}{{ .registry }}/{{- end -}}{{ .repository }}{{- if (.digest) -}} @{{ .digest }}{{- else -}}:{{ default $.Chart.AppVersion .tag }} {{- end -}}"
{{- end }}
imagePullPolicy: {{ .Values.startupapicheck.image.pullPolicy }}
args:
- check
- api
- --wait={{ .Values.startupapicheck.timeout }}
{{- with .Values.startupapicheck.extraArgs }}
{{- toYaml . | nindent 10 }}
{{- end }}
{{- with .Values.startupapicheck.containerSecurityContext }}
securityContext:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- with .Values.startupapicheck.resources }}
resources:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- with .Values.startupapicheck.volumeMounts }}
volumeMounts:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- with .Values.startupapicheck.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.startupapicheck.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.startupapicheck.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.startupapicheck.volumes }}
volumes:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- end }}

24
charts/koor-tech/koor-operator/charts/cert-manager/templates/startupapicheck-psp-clusterrole.yaml Normal file
View File

@ -0,0 +1,24 @@
{{- if .Values.startupapicheck.enabled }}
{{- if .Values.global.podSecurityPolicy.enabled }}
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ template "startupapicheck.fullname" . }}-psp
labels:
app: {{ include "startupapicheck.name" . }}
app.kubernetes.io/name: {{ include "startupapicheck.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: "startupapicheck"
{{- include "labels" . | nindent 4 }}
{{- with .Values.startupapicheck.rbac.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
rules:
- apiGroups: ['policy']
resources: ['podsecuritypolicies']
verbs: ['use']
resourceNames:
- {{ template "startupapicheck.fullname" . }}
{{- end }}
{{- end }}

26
charts/koor-tech/koor-operator/charts/cert-manager/templates/startupapicheck-psp-clusterrolebinding.yaml Normal file
View File

@ -0,0 +1,26 @@
{{- if .Values.startupapicheck.enabled }}
{{- if .Values.global.podSecurityPolicy.enabled }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ template "startupapicheck.fullname" . }}-psp
labels:
app: {{ include "startupapicheck.name" . }}
app.kubernetes.io/name: {{ include "startupapicheck.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: "startupapicheck"
{{- include "labels" . | nindent 4 }}
{{- with .Values.startupapicheck.rbac.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ template "startupapicheck.fullname" . }}-psp
subjects:
- kind: ServiceAccount
name: {{ template "startupapicheck.serviceAccountName" . }}
namespace: {{ include "cert-manager.namespace" . }}
{{- end }}
{{- end }}

51
charts/koor-tech/koor-operator/charts/cert-manager/templates/startupapicheck-psp.yaml Normal file
View File

@ -0,0 +1,51 @@
{{- if .Values.startupapicheck.enabled }}
{{- if .Values.global.podSecurityPolicy.enabled }}
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: {{ template "startupapicheck.fullname" . }}
labels:
app: {{ include "startupapicheck.name" . }}
app.kubernetes.io/name: {{ include "startupapicheck.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: "startupapicheck"
{{- include "labels" . | nindent 4 }}
annotations:
seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default'
seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default'
{{- if .Values.global.podSecurityPolicy.useAppArmor }}
apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
{{- end }}
{{- with .Values.startupapicheck.rbac.annotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
privileged: false
allowPrivilegeEscalation: false
allowedCapabilities: [] # default set of capabilities are implicitly allowed
volumes:
- 'projected'
- 'secret'
hostNetwork: false
hostIPC: false
hostPID: false
runAsUser:
rule: 'MustRunAs'
ranges:
- min: 1000
max: 1000
seLinux:
rule: 'RunAsAny'
supplementalGroups:
rule: 'MustRunAs'
ranges:
- min: 1000
max: 1000
fsGroup:
rule: 'MustRunAs'
ranges:
- min: 1000
max: 1000
{{- end }}
{{- end }}

48
charts/koor-tech/koor-operator/charts/cert-manager/templates/startupapicheck-rbac.yaml Normal file
View File

@ -0,0 +1,48 @@
{{- if .Values.startupapicheck.enabled }}
{{- if .Values.global.rbac.create }}
# create certificate role
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ template "startupapicheck.fullname" . }}:create-cert
namespace: {{ include "cert-manager.namespace" . }}
labels:
app: {{ include "startupapicheck.name" . }}
app.kubernetes.io/name: {{ include "startupapicheck.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: "startupapicheck"
{{- include "labels" . | nindent 4 }}
{{- with .Values.startupapicheck.rbac.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
rules:
- apiGroups: ["cert-manager.io"]
resources: ["certificates"]
verbs: ["create"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ include "startupapicheck.fullname" . }}:create-cert
namespace: {{ include "cert-manager.namespace" . }}
labels:
app: {{ include "startupapicheck.name" . }}
app.kubernetes.io/name: {{ include "startupapicheck.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: "startupapicheck"
{{- include "labels" . | nindent 4 }}
{{- with .Values.startupapicheck.rbac.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ template "startupapicheck.fullname" . }}:create-cert
subjects:
- kind: ServiceAccount
name: {{ template "startupapicheck.serviceAccountName" . }}
namespace: {{ include "cert-manager.namespace" . }}
{{- end }}
{{- end }}

27
charts/koor-tech/koor-operator/charts/cert-manager/templates/startupapicheck-serviceaccount.yaml Normal file
View File

@ -0,0 +1,27 @@
{{- if .Values.startupapicheck.enabled }}
{{- if .Values.startupapicheck.serviceAccount.create }}
apiVersion: v1
kind: ServiceAccount
automountServiceAccountToken: {{ .Values.startupapicheck.serviceAccount.automountServiceAccountToken }}
metadata:
name: {{ template "startupapicheck.serviceAccountName" . }}
namespace: {{ include "cert-manager.namespace" . }}
{{- with .Values.startupapicheck.serviceAccount.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
labels:
app: {{ include "startupapicheck.name" . }}
app.kubernetes.io/name: {{ include "startupapicheck.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: "startupapicheck"
{{- include "labels" . | nindent 4 }}
{{- with .Values.startupapicheck.serviceAccount.labels }}
{{ toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.global.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 2 }}
{{- end }}
{{- end }}
{{- end }}

25
charts/koor-tech/koor-operator/charts/cert-manager/templates/webhook-config.yaml Normal file
View File

@ -0,0 +1,25 @@
{{- if .Values.webhook.config -}}
{{- if not .Values.webhook.config.apiVersion -}}
{{- fail "webhook.config.apiVersion must be set" -}}
{{- end -}}
{{- if not .Values.webhook.config.kind -}}
{{- fail "webhook.config.kind must be set" -}}
{{- end -}}
{{- end -}}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "webhook.fullname" . }}
namespace: {{ include "cert-manager.namespace" . }}
labels:
app: {{ include "webhook.name" . }}
app.kubernetes.io/name: {{ include "webhook.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: "webhook"
{{- include "labels" . | nindent 4 }}
data:
{{- if .Values.webhook.config }}
config.yaml: |
{{ .Values.webhook.config | toYaml | nindent 4 }}
{{- end }}

185
charts/koor-tech/koor-operator/charts/cert-manager/templates/webhook-deployment.yaml Normal file
View File

@ -0,0 +1,185 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "webhook.fullname" . }}
namespace: {{ include "cert-manager.namespace" . }}
labels:
app: {{ include "webhook.name" . }}
app.kubernetes.io/name: {{ include "webhook.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: "webhook"
{{- include "labels" . | nindent 4 }}
{{- with .Values.webhook.deploymentAnnotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
replicas: {{ .Values.webhook.replicaCount }}
selector:
matchLabels:
app.kubernetes.io/name: {{ include "webhook.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: "webhook"
{{- with .Values.webhook.strategy }}
strategy:
{{- toYaml . | nindent 4 }}
{{- end }}
template:
metadata:
labels:
app: {{ include "webhook.name" . }}
app.kubernetes.io/name: {{ include "webhook.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: "webhook"
{{- include "labels" . | nindent 8 }}
{{- with .Values.webhook.podLabels }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.webhook.podAnnotations }}
annotations:
{{- toYaml . | nindent 8 }}
{{- end }}
spec:
serviceAccountName: {{ template "webhook.serviceAccountName" . }}
{{- if hasKey .Values.webhook "automountServiceAccountToken" }}
automountServiceAccountToken: {{ .Values.webhook.automountServiceAccountToken }}
{{- end }}
{{- with .Values.global.priorityClassName }}
priorityClassName: {{ . | quote }}
{{- end }}
{{- with .Values.webhook.securityContext }}
securityContext:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- if .Values.webhook.hostNetwork }}
hostNetwork: true
{{- end }}
containers:
- name: {{ .Chart.Name }}-webhook
{{- with .Values.webhook.image }}
image: "{{- if .registry -}}{{ .registry }}/{{- end -}}{{ .repository }}{{- if (.digest) -}} @{{ .digest }}{{- else -}}:{{ default $.Chart.AppVersion .tag }} {{- end -}}"
{{- end }}
imagePullPolicy: {{ .Values.webhook.image.pullPolicy }}
args:
{{- if .Values.global.logLevel }}
- --v={{ .Values.global.logLevel }}
{{- end }}
{{- if .Values.webhook.config }}
- --config=/var/cert-manager/config/config.yaml
{{- end }}
{{- $config := default .Values.webhook.config "" }}
{{ if not $config.securePort -}}
- --secure-port={{ .Values.webhook.securePort }}
{{- end }}
{{- if .Values.featureGates }}
- --feature-gates={{ .Values.featureGates }}
{{- end }}
{{- $tlsConfig := default $config.tlsConfig "" }}
{{ if or (not $config.tlsConfig) (and (not $tlsConfig.dynamic) (not $tlsConfig.filesystem) ) -}}
- --dynamic-serving-ca-secret-namespace=$(POD_NAMESPACE)
- --dynamic-serving-ca-secret-name={{ template "webhook.fullname" . }}-ca
- --dynamic-serving-dns-names={{ template "webhook.fullname" . }}
- --dynamic-serving-dns-names={{ template "webhook.fullname" . }}.$(POD_NAMESPACE)
- --dynamic-serving-dns-names={{ template "webhook.fullname" . }}.$(POD_NAMESPACE).svc
{{ if .Values.webhook.url.host }}
- --dynamic-serving-dns-names={{ .Values.webhook.url.host }}
{{- end }}
{{- end }}
{{- with .Values.webhook.extraArgs }}
{{- toYaml . | nindent 10 }}
{{- end }}
ports:
- name: https
protocol: TCP
{{- if $config.securePort }}
containerPort: {{ $config.securePort }}
{{- else if .Values.webhook.securePort }}
containerPort: {{ .Values.webhook.securePort }}
{{- else }}
containerPort: 6443
{{- end }}
- name: healthcheck
protocol: TCP
{{- if $config.healthzPort }}
containerPort: {{ $config.healthzPort }}
{{- else }}
containerPort: 6080
{{- end }}
livenessProbe:
httpGet:
path: /livez
{{- if $config.healthzPort }}
port: {{ $config.healthzPort }}
{{- else }}
port: 6080
{{- end }}
scheme: HTTP
initialDelaySeconds: {{ .Values.webhook.livenessProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.webhook.livenessProbe.periodSeconds }}
timeoutSeconds: {{ .Values.webhook.livenessProbe.timeoutSeconds }}
successThreshold: {{ .Values.webhook.livenessProbe.successThreshold }}
failureThreshold: {{ .Values.webhook.livenessProbe.failureThreshold }}
readinessProbe:
httpGet:
path: /healthz
{{- if $config.healthzPort }}
port: {{ $config.healthzPort }}
{{- else }}
port: 6080
{{- end }}
scheme: HTTP
initialDelaySeconds: {{ .Values.webhook.readinessProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.webhook.readinessProbe.periodSeconds }}
timeoutSeconds: {{ .Values.webhook.readinessProbe.timeoutSeconds }}
successThreshold: {{ .Values.webhook.readinessProbe.successThreshold }}
failureThreshold: {{ .Values.webhook.readinessProbe.failureThreshold }}
{{- with .Values.webhook.containerSecurityContext }}
securityContext:
{{- toYaml . | nindent 12 }}
{{- end }}
env:
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
{{- with .Values.webhook.resources }}
resources:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- if or .Values.webhook.config .Values.webhook.volumeMounts }}
volumeMounts:
{{- if .Values.webhook.config }}
- name: config
mountPath: /var/cert-manager/config
{{- end }}
{{- if .Values.webhook.volumeMounts }}
{{- toYaml .Values.webhook.volumeMounts | nindent 12 }}
{{- end }}
{{- end }}
{{- with .Values.webhook.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.webhook.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.webhook.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.webhook.topologySpreadConstraints }}
topologySpreadConstraints:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- if or .Values.webhook.config .Values.webhook.volumes }}
volumes:
{{- if .Values.webhook.config }}
- name: config
configMap:
name: {{ include "webhook.fullname" . }}
{{- end }}
{{- if .Values.webhook.volumes }}
{{- toYaml .Values.webhook.volumes | nindent 8 }}
{{- end }}
{{- end }}

46
charts/koor-tech/koor-operator/charts/cert-manager/templates/webhook-mutating-webhook.yaml Normal file
View File

@ -0,0 +1,46 @@
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
name: {{ include "webhook.fullname" . }}
labels:
app: {{ include "webhook.name" . }}
app.kubernetes.io/name: {{ include "webhook.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: "webhook"
{{- include "labels" . | nindent 4 }}
annotations:
cert-manager.io/inject-ca-from-secret: {{ printf "%s/%s-ca" (include "cert-manager.namespace" .) (include "webhook.fullname" .) | quote }}
{{- with .Values.webhook.mutatingWebhookConfigurationAnnotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
webhooks:
- name: webhook.cert-manager.io
rules:
- apiGroups:
- "cert-manager.io"
- "acme.cert-manager.io"
apiVersions:
- "v1"
operations:
- CREATE
- UPDATE
resources:
- "*/*"
admissionReviewVersions: ["v1"]
# This webhook only accepts v1 cert-manager resources.
# Equivalent matchPolicy ensures that non-v1 resource requests are sent to
# this webhook (after the resources have been converted to v1).
matchPolicy: Equivalent
timeoutSeconds: {{ .Values.webhook.timeoutSeconds }}
failurePolicy: Fail
# Only include 'sideEffects' field in Kubernetes 1.12+
sideEffects: None
clientConfig:
{{- if .Values.webhook.url.host }}
url: https://{{ .Values.webhook.url.host }}/mutate
{{- else }}
service:
name: {{ template "webhook.fullname" . }}
namespace: {{ include "cert-manager.namespace" . }}
path: /mutate
{{- end }}

26
charts/koor-tech/koor-operator/charts/cert-manager/templates/webhook-poddisruptionbudget.yaml Normal file
View File

@ -0,0 +1,26 @@
{{- if .Values.webhook.podDisruptionBudget.enabled }}
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
name: {{ include "webhook.fullname" . }}
namespace: {{ include "cert-manager.namespace" . }}
labels:
app: {{ include "webhook.name" . }}
app.kubernetes.io/name: {{ include "webhook.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: "webhook"
{{- include "labels" . | nindent 4 }}
spec:
selector:
matchLabels:
app.kubernetes.io/name: {{ include "webhook.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: "webhook"
{{- with .Values.webhook.podDisruptionBudget.minAvailable }}
minAvailable: {{ . }}
{{- end }}
{{- with .Values.webhook.podDisruptionBudget.maxUnavailable }}
maxUnavailable: {{ . }}
{{- end }}
{{- end }}

18
charts/koor-tech/koor-operator/charts/cert-manager/templates/webhook-psp-clusterrole.yaml Normal file
View File

@ -0,0 +1,18 @@
{{- if .Values.global.podSecurityPolicy.enabled }}
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ template "webhook.fullname" . }}-psp
labels:
app: {{ include "webhook.name" . }}
app.kubernetes.io/name: {{ include "webhook.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: "webhook"
{{- include "labels" . | nindent 4 }}
rules:
- apiGroups: ['policy']
resources: ['podsecuritypolicies']
verbs: ['use']
resourceNames:
- {{ template "webhook.fullname" . }}
{{- end }}

20
charts/koor-tech/koor-operator/charts/cert-manager/templates/webhook-psp-clusterrolebinding.yaml Normal file
View File

@ -0,0 +1,20 @@
{{- if .Values.global.podSecurityPolicy.enabled }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ template "webhook.fullname" . }}-psp
labels:
app: {{ include "webhook.name" . }}
app.kubernetes.io/name: {{ include "webhook.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: "webhook"
{{- include "labels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ template "webhook.fullname" . }}-psp
subjects:
- kind: ServiceAccount
name: {{ template "webhook.serviceAccountName" . }}
namespace: {{ include "cert-manager.namespace" . }}
{{- end }}

54
charts/koor-tech/koor-operator/charts/cert-manager/templates/webhook-psp.yaml Normal file
View File

@ -0,0 +1,54 @@
{{- if .Values.global.podSecurityPolicy.enabled }}
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: {{ template "webhook.fullname" . }}
labels:
app: {{ include "webhook.name" . }}
app.kubernetes.io/name: {{ include "webhook.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: "webhook"
{{- include "labels" . | nindent 4 }}
annotations:
seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default'
seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default'
{{- if .Values.global.podSecurityPolicy.useAppArmor }}
apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
{{- end }}
spec:
privileged: false
allowPrivilegeEscalation: false
allowedCapabilities: [] # default set of capabilities are implicitly allowed
volumes:
- 'configMap'
- 'emptyDir'
- 'projected'
- 'secret'
- 'downwardAPI'
hostNetwork: {{ .Values.webhook.hostNetwork }}
{{- if .Values.webhook.hostNetwork }}
hostPorts:
- max: {{ .Values.webhook.securePort }}
min: {{ .Values.webhook.securePort }}
{{- end }}
hostIPC: false
hostPID: false
runAsUser:
rule: 'MustRunAs'
ranges:
- min: 1000
max: 1000
seLinux:
rule: 'RunAsAny'
supplementalGroups:
rule: 'MustRunAs'
ranges:
- min: 1000
max: 1000
fsGroup:
rule: 'MustRunAs'
ranges:
- min: 1000
max: 1000
{{- end }}

83
charts/koor-tech/koor-operator/charts/cert-manager/templates/webhook-rbac.yaml Normal file
View File

@ -0,0 +1,83 @@
{{- if .Values.global.rbac.create }}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ template "webhook.fullname" . }}:dynamic-serving
namespace: {{ include "cert-manager.namespace" . }}
labels:
app: {{ include "webhook.name" . }}
app.kubernetes.io/name: {{ include "webhook.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: "webhook"
{{- include "labels" . | nindent 4 }}
rules:
- apiGroups: [""]
resources: ["secrets"]
resourceNames:
- '{{ template "webhook.fullname" . }}-ca'
verbs: ["get", "list", "watch", "update"]
# It's not possible to grant CREATE permission on a single resourceName.
- apiGroups: [""]
resources: ["secrets"]
verbs: ["create"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ template "webhook.fullname" . }}:dynamic-serving
namespace: {{ include "cert-manager.namespace" . }}
labels:
app: {{ include "webhook.name" . }}
app.kubernetes.io/name: {{ include "webhook.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: "webhook"
{{- include "labels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ template "webhook.fullname" . }}:dynamic-serving
subjects:
- apiGroup: ""
kind: ServiceAccount
name: {{ template "webhook.serviceAccountName" . }}
namespace: {{ include "cert-manager.namespace" . }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "webhook.fullname" . }}:subjectaccessreviews
labels:
app: {{ include "webhook.name" . }}
app.kubernetes.io/name: {{ include "webhook.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: "webhook"
{{- include "labels" . | nindent 4 }}
rules:
- apiGroups: ["authorization.k8s.io"]
resources: ["subjectaccessreviews"]
verbs: ["create"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ template "webhook.fullname" . }}:subjectaccessreviews
labels:
app: {{ include "webhook.name" . }}
app.kubernetes.io/name: {{ include "webhook.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: "webhook"
{{- include "labels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ template "webhook.fullname" . }}:subjectaccessreviews
subjects:
- apiGroup: ""
kind: ServiceAccount
name: {{ template "webhook.serviceAccountName" . }}
namespace: {{ include "cert-manager.namespace" . }}
{{- end }}

32
charts/koor-tech/koor-operator/charts/cert-manager/templates/webhook-service.yaml Normal file
View File

@ -0,0 +1,32 @@
apiVersion: v1
kind: Service
metadata:
name: {{ template "webhook.fullname" . }}
namespace: {{ include "cert-manager.namespace" . }}
{{- with .Values.webhook.serviceAnnotations }}
annotations:
{{ toYaml . | indent 4 }}
{{- end }}
labels:
app: {{ include "webhook.name" . }}
app.kubernetes.io/name: {{ include "webhook.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: "webhook"
{{- include "labels" . | nindent 4 }}
{{- with .Values.webhook.serviceLabels }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
type: {{ .Values.webhook.serviceType }}
{{- with .Values.webhook.loadBalancerIP }}
loadBalancerIP: {{ . }}
{{- end }}
ports:
- name: https
port: 443
protocol: TCP
targetPort: "https"
selector:
app.kubernetes.io/name: {{ include "webhook.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: "webhook"

25
charts/koor-tech/koor-operator/charts/cert-manager/templates/webhook-serviceaccount.yaml Normal file
View File

@ -0,0 +1,25 @@
{{- if .Values.webhook.serviceAccount.create }}
apiVersion: v1
kind: ServiceAccount
automountServiceAccountToken: {{ .Values.webhook.serviceAccount.automountServiceAccountToken }}
metadata:
name: {{ template "webhook.serviceAccountName" . }}
namespace: {{ include "cert-manager.namespace" . }}
{{- with .Values.webhook.serviceAccount.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
labels:
app: {{ include "webhook.name" . }}
app.kubernetes.io/name: {{ include "webhook.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: "webhook"
{{- include "labels" . | nindent 4 }}
{{- with .Values.webhook.serviceAccount.labels }}
{{ toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.global.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 2 }}
{{- end }}
{{- end }}

55
charts/koor-tech/koor-operator/charts/cert-manager/templates/webhook-validating-webhook.yaml Normal file
View File

@ -0,0 +1,55 @@
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
name: {{ include "webhook.fullname" . }}
labels:
app: {{ include "webhook.name" . }}
app.kubernetes.io/name: {{ include "webhook.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: "webhook"
{{- include "labels" . | nindent 4 }}
annotations:
cert-manager.io/inject-ca-from-secret: {{ printf "%s/%s-ca" (include "cert-manager.namespace" .) (include "webhook.fullname" .) | quote}}
{{- with .Values.webhook.validatingWebhookConfigurationAnnotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
webhooks:
- name: webhook.cert-manager.io
namespaceSelector:
matchExpressions:
- key: "cert-manager.io/disable-validation"
operator: "NotIn"
values:
- "true"
- key: "name"
operator: "NotIn"
values:
- {{ include "cert-manager.namespace" . }}
rules:
- apiGroups:
- "cert-manager.io"
- "acme.cert-manager.io"
apiVersions:
- "v1"
operations:
- CREATE
- UPDATE
resources:
- "*/*"
admissionReviewVersions: ["v1"]
# This webhook only accepts v1 cert-manager resources.
# Equivalent matchPolicy ensures that non-v1 resource requests are sent to
# this webhook (after the resources have been converted to v1).
matchPolicy: Equivalent
timeoutSeconds: {{ .Values.webhook.timeoutSeconds }}
failurePolicy: Fail
sideEffects: None
clientConfig:
{{- if .Values.webhook.url.host }}
url: https://{{ .Values.webhook.url.host }}/validate
{{- else }}
service:
name: {{ template "webhook.fullname" . }}
namespace: {{ include "cert-manager.namespace" . }}
path: /validate
{{- end }}

692
charts/koor-tech/koor-operator/charts/cert-manager/values.yaml Normal file
View File

@ -0,0 +1,692 @@
# Default values for cert-manager.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
global:
# Reference to one or more secrets to be used when pulling images
# ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
imagePullSecrets: []
# - name: "image-pull-secret"
# Labels to apply to all resources
# Please note that this does not add labels to the resources created dynamically by the controllers.
# For these resources, you have to add the labels in the template in the cert-manager custom resource:
# eg. podTemplate/ ingressTemplate in ACMEChallengeSolverHTTP01Ingress
# ref: https://cert-manager.io/docs/reference/api-docs/#acme.cert-manager.io/v1.ACMEChallengeSolverHTTP01Ingress
# eg. secretTemplate in CertificateSpec
# ref: https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.CertificateSpec
commonLabels: {}
# team_name: dev
# Optional priority class to be used for the cert-manager pods
priorityClassName: ""
rbac:
create: true
# Aggregate ClusterRoles to Kubernetes default user-facing roles. Ref: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles
aggregateClusterRoles: true
podSecurityPolicy:
enabled: false
useAppArmor: true
# Set the verbosity of cert-manager. Range of 0 - 6 with 6 being the most verbose.
logLevel: 2
leaderElection:
# Override the namespace used for the leader election lease
namespace: "kube-system"
# The duration that non-leader candidates will wait after observing a
# leadership renewal until attempting to acquire leadership of a led but
# unrenewed leader slot. This is effectively the maximum duration that a
# leader can be stopped before it is replaced by another candidate.
# leaseDuration: 60s
# The interval between attempts by the acting master to renew a leadership
# slot before it stops leading. This must be less than or equal to the
# lease duration.
# renewDeadline: 40s
# The duration the clients should wait between attempting acquisition and
# renewal of a leadership.
# retryPeriod: 15s
installCRDs: false
replicaCount: 1
strategy: {}
# type: RollingUpdate
# rollingUpdate:
# maxSurge: 0
# maxUnavailable: 1
podDisruptionBudget:
enabled: false
minAvailable: 1
# maxUnavailable: 1
# minAvailable and maxUnavailable can either be set to an integer (e.g. 1)
# or a percentage value (e.g. 25%)
# Comma separated list of feature gates that should be enabled on the controller
# Note: do not use this field to pass feature gate values into webhook
# component as this behaviour relies on a bug that will be fixed in cert-manager 1.13
# https://github.com/cert-manager/cert-manager/pull/6093
# Use webhook.extraArgs to pass --feature-gates flag directly instead.
featureGates: ""
# The maximum number of challenges that can be scheduled as 'processing' at once
maxConcurrentChallenges: 60
image:
repository: quay.io/jetstack/cert-manager-controller
# You can manage a registry with
# registry: quay.io
# repository: jetstack/cert-manager-controller
# Override the image tag to deploy by setting this variable.
# If no value is set, the chart's appVersion will be used.
# tag: canary
# Setting a digest will override any tag
# digest: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20
pullPolicy: IfNotPresent
# Override the namespace used to store DNS provider credentials etc. for ClusterIssuer
# resources. By default, the same namespace as cert-manager is deployed within is
# used. This namespace will not be automatically created by the Helm chart.
clusterResourceNamespace: ""
# This namespace allows you to define where the services will be installed into
# if not set then they will use the namespace of the release
# This is helpful when installing cert manager as a chart dependency (sub chart)
namespace: ""
serviceAccount:
# Specifies whether a service account should be created
create: true
# The name of the service account to use.
# If not set and create is true, a name is generated using the fullname template
# name: ""
# Optional additional annotations to add to the controller's ServiceAccount
# annotations: {}
# Automount API credentials for a Service Account.
# Optional additional labels to add to the controller's ServiceAccount
# labels: {}
automountServiceAccountToken: true
# Automounting API credentials for a particular pod
# automountServiceAccountToken: true
# When this flag is enabled, secrets will be automatically removed when the certificate resource is deleted
enableCertificateOwnerRef: false
# Setting Nameservers for DNS01 Self Check
# See: https://cert-manager.io/docs/configuration/acme/dns01/#setting-nameservers-for-dns01-self-check
# Comma separated string with host and port of the recursive nameservers cert-manager should query
dns01RecursiveNameservers: ""
# Forces cert-manager to only use the recursive nameservers for verification.
# Enabling this option could cause the DNS01 self check to take longer due to caching performed by the recursive nameservers
dns01RecursiveNameserversOnly: false
# Additional command line flags to pass to cert-manager controller binary.
# To see all available flags run docker run quay.io/jetstack/cert-manager-controller:<version> --help
extraArgs: []
# Use this flag to enable or disable arbitrary controllers, for example, disable the CertificiateRequests approver
# - --controllers=*,-certificaterequests-approver
extraEnv: []
# - name: SOME_VAR
# value: 'some value'
resources: {}
# requests:
# cpu: 10m
# memory: 32Mi
# Pod Security Context
# ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
# Container Security Context to be set on the controller component container
# ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
# readOnlyRootFilesystem: true
# runAsNonRoot: true
volumes: []
volumeMounts: []
# Optional additional annotations to add to the controller Deployment
# deploymentAnnotations: {}
# Optional additional annotations to add to the controller Pods
# podAnnotations: {}
podLabels: {}
# Optional annotations to add to the controller Service
# serviceAnnotations: {}
# Optional additional labels to add to the controller Service
# serviceLabels: {}
# Optional DNS settings, useful if you have a public and private DNS zone for
# the same domain on Route 53. What follows is an example of ensuring
# cert-manager can access an ingress or DNS TXT records at all times.
# NOTE: This requires Kubernetes 1.10 or `CustomPodDNS` feature gate enabled for
# the cluster to work.
# podDnsPolicy: "None"
# podDnsConfig:
# nameservers:
# - "1.1.1.1"
# - "8.8.8.8"
nodeSelector:
kubernetes.io/os: linux
ingressShim: {}
# defaultIssuerName: ""
# defaultIssuerKind: ""
# defaultIssuerGroup: ""
prometheus:
enabled: true
servicemonitor:
enabled: false
prometheusInstance: default
targetPort: 9402
path: /metrics
interval: 60s
scrapeTimeout: 30s
labels: {}
annotations: {}
honorLabels: false
# Use these variables to configure the HTTP_PROXY environment variables
# http_proxy: "http://proxy:8080"
# https_proxy: "https://proxy:8080"
# no_proxy: 127.0.0.1,localhost
# A Kubernetes Affinty, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#affinity-v1-core
# for example:
# affinity:
# nodeAffinity:
# requiredDuringSchedulingIgnoredDuringExecution:
# nodeSelectorTerms:
# - matchExpressions:
# - key: foo.bar.com/role
# operator: In
# values:
# - master
affinity: {}
# A list of Kubernetes Tolerations, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#toleration-v1-core
# for example:
# tolerations:
# - key: foo.bar.com/role
# operator: Equal
# value: master
# effect: NoSchedule
tolerations: []
# A list of Kubernetes TopologySpreadConstraints, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#topologyspreadconstraint-v1-core
# for example:
# topologySpreadConstraints:
# - maxSkew: 2
# topologyKey: topology.kubernetes.io/zone
# whenUnsatisfiable: ScheduleAnyway
# labelSelector:
# matchLabels:
# app.kubernetes.io/instance: cert-manager
# app.kubernetes.io/component: controller
topologySpreadConstraints: []
# LivenessProbe settings for the controller container of the controller Pod.
#
# Disabled by default, because the controller has a leader election mechanism
# which should cause it to exit if it is unable to renew its leader election
# record.
# LivenessProbe durations and thresholds are based on those used for the Kubernetes
# controller-manager. See:
# https://github.com/kubernetes/kubernetes/blob/806b30170c61a38fedd54cc9ede4cd6275a1ad3b/cmd/kubeadm/app/util/staticpod/utils.go#L241-L245
livenessProbe:
enabled: false
initialDelaySeconds: 10
periodSeconds: 10
timeoutSeconds: 15
successThreshold: 1
failureThreshold: 8
webhook:
replicaCount: 1
timeoutSeconds: 10
# Used to configure options for the webhook pod.
# This allows setting options that'd usually be provided via flags.
# An APIVersion and Kind must be specified in your values.yaml file.
# Flags will override options that are set here.
config:
# apiVersion: webhook.config.cert-manager.io/v1alpha1
# kind: WebhookConfiguration
# The port that the webhook should listen on for requests.
# In GKE private clusters, by default kubernetes apiservers are allowed to
# talk to the cluster nodes only on 443 and 10250. so configuring
# securePort: 10250, will work out of the box without needing to add firewall
# rules or requiring NET_BIND_SERVICE capabilities to bind port numbers <1000.
# This should be uncommented and set as a default by the chart once we graduate
# the apiVersion of WebhookConfiguration past v1alpha1.
# securePort: 10250
strategy: {}
# type: RollingUpdate
# rollingUpdate:
# maxSurge: 0
# maxUnavailable: 1
# Pod Security Context to be set on the webhook component Pod
# ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
podDisruptionBudget:
enabled: false
minAvailable: 1
# maxUnavailable: 1
# minAvailable and maxUnavailable can either be set to an integer (e.g. 1)
# or a percentage value (e.g. 25%)
# Container Security Context to be set on the webhook component container
# ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
# readOnlyRootFilesystem: true
# runAsNonRoot: true
# Optional additional annotations to add to the webhook Deployment
# deploymentAnnotations: {}
# Optional additional annotations to add to the webhook Pods
# podAnnotations: {}
# Optional additional annotations to add to the webhook Service
# serviceAnnotations: {}
# Optional additional annotations to add to the webhook MutatingWebhookConfiguration
# mutatingWebhookConfigurationAnnotations: {}
# Optional additional annotations to add to the webhook ValidatingWebhookConfiguration
# validatingWebhookConfigurationAnnotations: {}
# Additional command line flags to pass to cert-manager webhook binary.
# To see all available flags run docker run quay.io/jetstack/cert-manager-webhook:<version> --help
extraArgs: []
# Path to a file containing a WebhookConfiguration object used to configure the webhook
# - --config=<path-to-config-file>
resources: {}
# requests:
# cpu: 10m
# memory: 32Mi
## Liveness and readiness probe values
## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes
##
livenessProbe:
failureThreshold: 3
initialDelaySeconds: 60
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
readinessProbe:
failureThreshold: 3
initialDelaySeconds: 5
periodSeconds: 5
successThreshold: 1
timeoutSeconds: 1
nodeSelector:
kubernetes.io/os: linux
affinity: {}
tolerations: []
topologySpreadConstraints: []
# Optional additional labels to add to the Webhook Pods
podLabels: {}
# Optional additional labels to add to the Webhook Service
serviceLabels: {}
image:
repository: quay.io/jetstack/cert-manager-webhook
# You can manage a registry with
# registry: quay.io
# repository: jetstack/cert-manager-webhook
# Override the image tag to deploy by setting this variable.
# If no value is set, the chart's appVersion will be used.
# tag: canary
# Setting a digest will override any tag
# digest: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20
pullPolicy: IfNotPresent
serviceAccount:
# Specifies whether a service account should be created
create: true
# The name of the service account to use.
# If not set and create is true, a name is generated using the fullname template
# name: ""
# Optional additional annotations to add to the controller's ServiceAccount
# annotations: {}
# Optional additional labels to add to the webhook's ServiceAccount
# labels: {}
# Automount API credentials for a Service Account.
automountServiceAccountToken: true
# Automounting API credentials for a particular pod
# automountServiceAccountToken: true
# The port that the webhook should listen on for requests.
# In GKE private clusters, by default kubernetes apiservers are allowed to
# talk to the cluster nodes only on 443 and 10250. so configuring
# securePort: 10250, will work out of the box without needing to add firewall
# rules or requiring NET_BIND_SERVICE capabilities to bind port numbers <1000
securePort: 10250
# Specifies if the webhook should be started in hostNetwork mode.
#
# Required for use in some managed kubernetes clusters (such as AWS EKS) with custom
# CNI (such as calico), because control-plane managed by AWS cannot communicate
# with pods' IP CIDR and admission webhooks are not working
#
# Since the default port for the webhook conflicts with kubelet on the host
# network, `webhook.securePort` should be changed to an available port if
# running in hostNetwork mode.
hostNetwork: false
# Specifies how the service should be handled. Useful if you want to expose the
# webhook to outside of the cluster. In some cases, the control plane cannot
# reach internal services.
serviceType: ClusterIP
# loadBalancerIP:
# Overrides the mutating webhook and validating webhook so they reach the webhook
# service using the `url` field instead of a service.
url: {}
# host:
# Enables default network policies for webhooks.
networkPolicy:
enabled: false
ingress:
- from:
- ipBlock:
cidr: 0.0.0.0/0
egress:
- ports:
- port: 80
protocol: TCP
- port: 443
protocol: TCP
- port: 53
protocol: TCP
- port: 53
protocol: UDP
# On OpenShift and OKD, the Kubernetes API server listens on
# port 6443.
- port: 6443
protocol: TCP
to:
- ipBlock:
cidr: 0.0.0.0/0
volumes: []
volumeMounts: []
cainjector:
enabled: true
replicaCount: 1
strategy: {}
# type: RollingUpdate
# rollingUpdate:
# maxSurge: 0
# maxUnavailable: 1
# Pod Security Context to be set on the cainjector component Pod
# ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
podDisruptionBudget:
enabled: false
minAvailable: 1
# maxUnavailable: 1
# minAvailable and maxUnavailable can either be set to an integer (e.g. 1)
# or a percentage value (e.g. 25%)
# Container Security Context to be set on the cainjector component container
# ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
# readOnlyRootFilesystem: true
# runAsNonRoot: true
# Optional additional annotations to add to the cainjector Deployment
# deploymentAnnotations: {}
# Optional additional annotations to add to the cainjector Pods
# podAnnotations: {}
# Additional command line flags to pass to cert-manager cainjector binary.
# To see all available flags run docker run quay.io/jetstack/cert-manager-cainjector:<version> --help
extraArgs: []
# Enable profiling for cainjector
# - --enable-profiling=true
resources: {}
# requests:
# cpu: 10m
# memory: 32Mi
nodeSelector:
kubernetes.io/os: linux
affinity: {}
tolerations: []
topologySpreadConstraints: []
# Optional additional labels to add to the CA Injector Pods
podLabels: {}
image:
repository: quay.io/jetstack/cert-manager-cainjector
# You can manage a registry with
# registry: quay.io
# repository: jetstack/cert-manager-cainjector
# Override the image tag to deploy by setting this variable.
# If no value is set, the chart's appVersion will be used.
# tag: canary
# Setting a digest will override any tag
# digest: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20
pullPolicy: IfNotPresent
serviceAccount:
# Specifies whether a service account should be created
create: true
# The name of the service account to use.
# If not set and create is true, a name is generated using the fullname template
# name: ""
# Optional additional annotations to add to the controller's ServiceAccount
# annotations: {}
# Automount API credentials for a Service Account.
# Optional additional labels to add to the cainjector's ServiceAccount
# labels: {}
automountServiceAccountToken: true
# Automounting API credentials for a particular pod
# automountServiceAccountToken: true
volumes: []
volumeMounts: []
acmesolver:
image:
repository: quay.io/jetstack/cert-manager-acmesolver
# You can manage a registry with
# registry: quay.io
# repository: jetstack/cert-manager-acmesolver
# Override the image tag to deploy by setting this variable.
# If no value is set, the chart's appVersion will be used.
# tag: canary
# Setting a digest will override any tag
# digest: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20
# This startupapicheck is a Helm post-install hook that waits for the webhook
# endpoints to become available.
# The check is implemented using a Kubernetes Job- if you are injecting mesh
# sidecar proxies into cert-manager pods, you probably want to ensure that they
# are not injected into this Job's pod. Otherwise the installation may time out
# due to the Job never being completed because the sidecar proxy does not exit.
# See https://github.com/cert-manager/cert-manager/pull/4414 for context.
startupapicheck:
enabled: true
# Pod Security Context to be set on the startupapicheck component Pod
# ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
# Container Security Context to be set on the controller component container
# ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
# readOnlyRootFilesystem: true
# runAsNonRoot: true
# Timeout for 'kubectl check api' command
timeout: 1m
# Job backoffLimit
backoffLimit: 4
# Optional additional annotations to add to the startupapicheck Job
jobAnnotations:
helm.sh/hook: post-install
helm.sh/hook-weight: "1"
helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
# Optional additional annotations to add to the startupapicheck Pods
# podAnnotations: {}
# Additional command line flags to pass to startupapicheck binary.
# To see all available flags run docker run quay.io/jetstack/cert-manager-ctl:<version> --help
extraArgs: []
resources: {}
# requests:
# cpu: 10m
# memory: 32Mi
nodeSelector:
kubernetes.io/os: linux
affinity: {}
tolerations: []
# Optional additional labels to add to the startupapicheck Pods
podLabels: {}
image:
repository: quay.io/jetstack/cert-manager-ctl
# You can manage a registry with
# registry: quay.io
# repository: jetstack/cert-manager-ctl
# Override the image tag to deploy by setting this variable.
# If no value is set, the chart's appVersion will be used.
# tag: canary
# Setting a digest will override any tag
# digest: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20
pullPolicy: IfNotPresent
rbac:
# annotations for the startup API Check job RBAC and PSP resources
annotations:
helm.sh/hook: post-install
helm.sh/hook-weight: "-5"
helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
# Automounting API credentials for a particular pod
# automountServiceAccountToken: true
serviceAccount:
# Specifies whether a service account should be created
create: true
# The name of the service account to use.
# If not set and create is true, a name is generated using the fullname template
# name: ""
# Optional additional annotations to add to the Job's ServiceAccount
annotations:
helm.sh/hook: post-install
helm.sh/hook-weight: "-5"
helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
# Automount API credentials for a Service Account.
automountServiceAccountToken: true
# Optional additional labels to add to the startupapicheck's ServiceAccount
# labels: {}
volumes: []
volumeMounts: []

30
charts/koor-tech/koor-operator/questions.yaml Normal file
View File

@ -0,0 +1,30 @@
questions:
- variable: certmanager.enabled
required: true
type: boolean
label: Install cert-manager
group: "General Settings"
- variable: koorCluster.spec.useAllDevices
required: true
type: boolean
label: Use all devices
group: "Koor Cluster Settings"
- variable: koorCluster.spec.monitoringEnabled
required: true
type: boolean
label: Enable Monitoring
group: "Koor Cluster Settings"
- variable: koorCluster.spec.dashboardEnabled
required: true
type: boolean
label: Enable Dashboard
group: "Koor Cluster Settings"
- variable: koorCluster.spec.toolboxEnabled
required: true
type: boolean
label: Enable Toolbox
group: "Koor Cluster Settings"

62
charts/koor-tech/koor-operator/templates/_helpers.tpl Normal file
View File

@ -0,0 +1,62 @@
{{/*
Expand the name of the chart.
*/}}
{{- define "koor-operator.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "koor-operator.fullname" -}}
{{- if .Values.fullnameOverride }}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- $name := default .Chart.Name .Values.nameOverride }}
{{- if contains $name .Release.Name }}
{{- .Release.Name | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
{{- end }}
{{- end }}
{{- end }}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "koor-operator.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Common labels
*/}}
{{- define "koor-operator.labels" -}}
helm.sh/chart: {{ include "koor-operator.chart" . }}
{{ include "koor-operator.selectorLabels" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "koor-operator.selectorLabels" -}}
app.kubernetes.io/name: {{ include "koor-operator.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
{{/*
Create the name of the service account to use
*/}}
{{- define "koor-operator.serviceAccountName" -}}
{{- if .Values.serviceAccount.create }}
{{- default (include "koor-operator.fullname" .) .Values.serviceAccount.name }}
{{- else }}
{{- default "default" .Values.serviceAccount.name }}
{{- end }}
{{- end }}

25
charts/koor-tech/koor-operator/templates/_koorcluster.tpl Normal file
View File

@ -0,0 +1,25 @@
{{/*
Create the koorCluster
*/}}
{{- define "koor-operator.koorCluster" -}}
apiVersion: storage.koor.tech/v1alpha1
kind: KoorCluster
metadata:
name: {{ include "koor-operator.fullname" . }}-koorcluster
{{- if .Values.koorCluster.namespace }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
app.kubernetes.io/created-by: koor-operator
app.kubernetes.io/part-of: koor-operator
{{- include "koor-operator.labels" . | nindent 4 }}
spec:
{{ toYaml .Values.koorCluster.spec | indent 2 }}
{{- end }}
{{/*
Koor cluster job that installs the custom resource
*/}}
{{- define "koor-operator.jobName" -}}
{{- include "koor-operator.fullname" . }}-koorcluster-job
{{- end }}

111
charts/koor-tech/koor-operator/templates/deployment.yaml Normal file
View File

@ -0,0 +1,111 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "koor-operator.fullname" . }}-controller-manager
labels:
app.kubernetes.io/component: rbac
app.kubernetes.io/created-by: koor-operator
app.kubernetes.io/part-of: koor-operator
{{- include "koor-operator.labels" . | nindent 4 }}
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "koor-operator.fullname" . }}-controller-manager
labels:
app.kubernetes.io/component: manager
app.kubernetes.io/created-by: koor-operator
app.kubernetes.io/part-of: koor-operator
control-plane: controller-manager
{{- include "koor-operator.labels" . | nindent 4 }}
annotations:
helm.sh/hook: post-install,post-upgrade
helm.sh/hook-weight: "3"
spec:
replicas: {{ .Values.controllerManager.replicas }}
selector:
matchLabels:
control-plane: controller-manager
{{- include "koor-operator.selectorLabels" . | nindent 6 }}
template:
metadata:
labels:
control-plane: controller-manager
{{- include "koor-operator.selectorLabels" . | nindent 8 }}
annotations:
kubectl.kubernetes.io/default-container: manager
spec:
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: kubernetes.io/arch
operator: In
values:
- amd64
- arm64
- ppc64le
- s390x
- key: kubernetes.io/os
operator: In
values:
- linux
containers:
- args: {{- toYaml .Values.controllerManager.kubeRbacProxy.args | nindent 8 }}
env:
- name: KUBERNETES_CLUSTER_DOMAIN
value: {{ quote .Values.kubernetesClusterDomain }}
image: {{ .Values.controllerManager.kubeRbacProxy.image.repository }}:{{ .Values.controllerManager.kubeRbacProxy.image.tag
| default .Chart.AppVersion }}
name: kube-rbac-proxy
ports:
- containerPort: 8443
name: https
protocol: TCP
resources: {{- toYaml .Values.controllerManager.kubeRbacProxy.resources | nindent
10 }}
securityContext: {{- toYaml .Values.controllerManager.kubeRbacProxy.containerSecurityContext
| nindent 10 }}
- args: {{- toYaml .Values.controllerManager.manager.args | nindent 8 }}
command:
- /manager
env:
- name: KUBERNETES_CLUSTER_DOMAIN
value: {{ quote .Values.kubernetesClusterDomain }}
image: {{ .Values.controllerManager.manager.image.repository }}:{{ .Values.controllerManager.manager.image.tag
| default .Chart.AppVersion }}
livenessProbe:
httpGet:
path: /healthz
port: 8081
initialDelaySeconds: 15
periodSeconds: 20
name: manager
ports:
- containerPort: 9443
name: webhook-server
protocol: TCP
readinessProbe:
httpGet:
path: /readyz
port: 8081
initialDelaySeconds: 5
periodSeconds: 10
resources: {{- toYaml .Values.controllerManager.manager.resources | nindent 10
}}
securityContext: {{- toYaml .Values.controllerManager.manager.containerSecurityContext
| nindent 10 }}
volumeMounts:
- mountPath: /tmp/k8s-webhook-server/serving-certs
name: cert
readOnly: true
securityContext:
runAsNonRoot: true
serviceAccountName: {{ include "koor-operator.fullname" . }}-controller-manager
terminationGracePeriodSeconds: 10
volumes:
- name: cert
secret:
defaultMode: 420
secretName: webhook-server-cert

77
charts/koor-tech/koor-operator/templates/job-rbac.yaml Normal file
View File

@ -0,0 +1,77 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "koor-operator.jobName" . }}
labels:
app.kubernetes.io/component: rbac
app.kubernetes.io/created-by: koor-operator
app.kubernetes.io/part-of: koor-operator
{{- include "koor-operator.labels" . | nindent 4 }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ include "koor-operator.fullname" . }}-job-role
labels:
{{- include "koor-operator.labels" . | nindent 4 }}
rules:
- apiGroups:
- ""
resources:
- namespaces
verbs:
- create
- get
- list
- patch
- update
- watch
- apiGroups:
- storage.koor.tech
resources:
- koorclusters
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- batch
resources:
- jobs
verbs:
- delete
- apiGroups:
- apps
resources:
- deployments
verbs:
- delete
- apiGroups:
- cert-manager.io
resources:
- certificates
- issuers
verbs:
- delete
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ include "koor-operator.fullname" . }}-job-rolebinding
labels:
app.kubernetes.io/component: rbac
app.kubernetes.io/created-by: koor-operator
app.kubernetes.io/part-of: koor-operator
{{- include "koor-operator.labels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: '{{ include "koor-operator.fullname" . }}-job-role'
subjects:
- kind: ServiceAccount
name: '{{ include "koor-operator.jobName" . }}'
namespace: '{{ .Release.Namespace }}'

205
charts/koor-tech/koor-operator/templates/koorcluster-crd.yaml Normal file
View File

@ -0,0 +1,205 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: koorclusters.storage.koor.tech
annotations:
cert-manager.io/inject-ca-from: '{{ .Release.Namespace }}/{{ include "koor-operator.fullname"
. }}-serving-cert'
controller-gen.kubebuilder.io/version: v0.10.0
labels:
{{- include "koor-operator.labels" . | nindent 4 }}
spec:
conversion:
strategy: Webhook
webhook:
clientConfig:
service:
name: '{{ include "koor-operator.fullname" . }}-webhook-service'
namespace: '{{ .Release.Namespace }}'
path: /convert
conversionReviewVersions:
- v1
group: storage.koor.tech
names:
kind: KoorCluster
listKind: KoorClusterList
plural: koorclusters
singular: koorcluster
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
description: KoorCluster is the Schema for the koorclusters API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: KoorClusterSpec defines the desired state of KoorCluster
properties:
dashboardEnabled:
default: true
description: Enable the ceph dashboard for viewing cluster status
type: boolean
monitoringEnabled:
default: true
description: Enable monitoring. Requires Prometheus to be pre-installed.
type: boolean
toolboxEnabled:
default: true
description: Installs a debugging toolbox deployment
type: boolean
upgradeOptions:
description: Specifies the notification options for new ceph versions
properties:
endpoint:
default: versions.koor.tech
description: The api endpoint used to find the ceph latest version
type: string
mode:
default: notify
description: Upgrade mode
enum:
- disabled
- notify
- upgrade
type: string
schedule:
default: 0 0 * * *
description: 'The schedule to check for new versions. Uses CRON
format as specified by https://github.com/robfig/cron/tree/v3.
Defaults to everyday at midnight in the local timezone. To change
the timezone, prefix the schedule with CRON_TZ=<Timezone>. For
example: "CRON_TZ=UTC 0 0 * * *" is midnight UTC.'
type: string
type: object
useAllDevices:
default: true
description: Use all devices on nodes
type: boolean
type: object
status:
description: KoorClusterStatus defines the observed state of KoorCluster
properties:
currentVersions:
description: The current versions of rook and ceph
properties:
ceph:
description: The version of Ceph
type: string
koorOperator:
description: The version of the koor Operator
type: string
ksd:
description: The version of KSD
type: string
kube:
description: The version of Kubernetes
type: string
type: object
latestVersions:
description: The latest versions of rook and ceph
properties:
ceph:
description: The detailed version of Ceph
properties:
helmChart:
type: string
helmRepository:
type: string
imageHash:
type: string
imageUri:
type: string
version:
type: string
type: object
koorOperator:
description: The detailed version of the koor Operator
properties:
helmChart:
type: string
helmRepository:
type: string
imageHash:
type: string
imageUri:
type: string
version:
type: string
type: object
ksd:
description: The detailed version of KSD
properties:
helmChart:
type: string
helmRepository:
type: string
imageHash:
type: string
imageUri:
type: string
version:
type: string
type: object
type: object
meetsMinimumResources:
description: Does the cluster meet the minimum recommended resources
type: boolean
totalResources:
description: The total resources available in the cluster nodes
properties:
cpu:
anyOf:
- type: integer
- type: string
description: CPU cores available
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
memory:
anyOf:
- type: integer
- type: string
description: Memory available
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
nodesCount:
anyOf:
- type: integer
- type: string
description: The number of nodes in the cluster
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
storage:
anyOf:
- type: integer
- type: string
description: Ephemeral Storage available
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
type: object
required:
- meetsMinimumResources
- totalResources
type: object
type: object
served: true
storage: true
subresources:
status: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []

29
charts/koor-tech/koor-operator/templates/koorcluster-job.yaml Normal file
View File

@ -0,0 +1,29 @@
apiVersion: batch/v1
kind: Job
metadata:
name: {{ include "koor-operator.jobName" . }}
labels:
app.kubernetes.io/created-by: koor-operator
app.kubernetes.io/part-of: koor-operator
{{- include "koor-operator.labels" . | nindent 4 }}
spec:
template:
metadata:
name: {{ include "koor-operator.jobName" . }}
labels:
{{- include "koor-operator.labels" . | nindent 8 }}
spec:
restartPolicy: OnFailure
serviceAccountName: {{ include "koor-operator.jobName" . }}
containers:
- name: {{ include "koor-operator.fullname" . }}-koorcluster-install-job
image: bitnami/kubectl:1.26
command:
- "bin/bash"
- "-c"
args:
- |-
sleep 1;
cat <<EOF | kubectl apply -f -
{{- include "koor-operator.koorCluster" . | nindent 12 }}
EOF

59
charts/koor-tech/koor-operator/templates/leader-election-rbac.yaml Normal file
View File

@ -0,0 +1,59 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ include "koor-operator.fullname" . }}-leader-election-role
labels:
app.kubernetes.io/component: rbac
app.kubernetes.io/created-by: koor-operator
app.kubernetes.io/part-of: koor-operator
{{- include "koor-operator.labels" . | nindent 4 }}
rules:
- apiGroups:
- ""
resources:
- configmaps
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ include "koor-operator.fullname" . }}-leader-election-rolebinding
labels:
app.kubernetes.io/component: rbac
app.kubernetes.io/created-by: koor-operator
app.kubernetes.io/part-of: koor-operator
{{- include "koor-operator.labels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: '{{ include "koor-operator.fullname" . }}-leader-election-role'
subjects:
- kind: ServiceAccount
name: '{{ include "koor-operator.fullname" . }}-controller-manager'
namespace: '{{ .Release.Namespace }}'

71
charts/koor-tech/koor-operator/templates/manager-rbac.yaml Normal file
View File

@ -0,0 +1,71 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ include "koor-operator.fullname" . }}-manager-role
labels:
{{- include "koor-operator.labels" . | nindent 4 }}
rules:
- apiGroups:
- ""
resources:
- nodes
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- nodes/status
verbs:
- get
- apiGroups:
- '*'
resources:
- '*'
verbs:
- '*'
- apiGroups:
- storage.koor.tech
resources:
- koorclusters
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- storage.koor.tech
resources:
- koorclusters/finalizers
verbs:
- update
- apiGroups:
- storage.koor.tech
resources:
- koorclusters/status
verbs:
- get
- patch
- update
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ include "koor-operator.fullname" . }}-manager-rolebinding
labels:
app.kubernetes.io/component: rbac
app.kubernetes.io/created-by: koor-operator
app.kubernetes.io/part-of: koor-operator
{{- include "koor-operator.labels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: '{{ include "koor-operator.fullname" . }}-manager-role'
subjects:
- kind: ServiceAccount
name: '{{ include "koor-operator.fullname" . }}-controller-manager'
namespace: '{{ .Release.Namespace }}'

14
charts/koor-tech/koor-operator/templates/metrics-reader-rbac.yaml Normal file
View File

@ -0,0 +1,14 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ include "koor-operator.fullname" . }}-metrics-reader
labels:
app.kubernetes.io/component: kube-rbac-proxy
app.kubernetes.io/created-by: koor-operator
app.kubernetes.io/part-of: koor-operator
{{- include "koor-operator.labels" . | nindent 4 }}
rules:
- nonResourceURLs:
- /metrics
verbs:
- get

17
charts/koor-tech/koor-operator/templates/metrics-service.yaml Normal file
View File

@ -0,0 +1,17 @@
apiVersion: v1
kind: Service
metadata:
name: {{ include "koor-operator.fullname" . }}-controller-manager-metrics-service
labels:
app.kubernetes.io/component: kube-rbac-proxy
app.kubernetes.io/created-by: koor-operator
app.kubernetes.io/part-of: koor-operator
control-plane: controller-manager
{{- include "koor-operator.labels" . | nindent 4 }}
spec:
type: {{ .Values.metricsService.type }}
selector:
control-plane: controller-manager
{{- include "koor-operator.selectorLabels" . | nindent 4 }}
ports:
{{- .Values.metricsService.ports | toYaml | nindent 2 -}}

29
charts/koor-tech/koor-operator/templates/mutating-webhook-configuration.yaml Normal file
View File

@ -0,0 +1,29 @@
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
name: {{ include "koor-operator.fullname" . }}-mutating-webhook-configuration
annotations:
cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "koor-operator.fullname" . }}-serving-cert
labels:
{{- include "koor-operator.labels" . | nindent 4 }}
webhooks:
- admissionReviewVersions:
- v1
clientConfig:
service:
name: '{{ include "koor-operator.fullname" . }}-webhook-service'
namespace: '{{ .Release.Namespace }}'
path: /mutate-storage-koor-tech-v1alpha1-koorcluster
failurePolicy: Fail
name: mkoorcluster.kb.io
rules:
- apiGroups:
- storage.koor.tech
apiVersions:
- v1alpha1
operations:
- CREATE
- UPDATE
resources:
- koorclusters
sideEffects: None

35
charts/koor-tech/koor-operator/templates/predelete-job.yaml Normal file
View File

@ -0,0 +1,35 @@
apiVersion: batch/v1
kind: Job
metadata:
name: {{ include "koor-operator.fullname" . }}-predelete-job
labels:
app.kubernetes.io/created-by: koor-operator
app.kubernetes.io/part-of: koor-operator
{{- include "koor-operator.labels" . | nindent 4 }}
annotations:
helm.sh/hook: pre-delete
helm.sh/hook-delete-policy: hook-succeeded
spec:
template:
metadata:
name: {{ include "koor-operator.fullname" . }}-predelete-job
labels:
{{- include "koor-operator.labels" . | nindent 8 }}
spec:
restartPolicy: OnFailure
serviceAccountName: {{ include "koor-operator.jobName" . }}
containers:
- name: {{ include "koor-operator.fullname" . }}-pre-delete-job
image: bitnami/kubectl:1.26
command:
- "bin/bash"
- "-c"
args:
- |-
kubectl delete -n {{ .Release.Namespace }} job {{ include "koor-operator.jobName" . }} --ignore-not-found
cat <<EOF | kubectl delete -f - --ignore-not-found
{{- include "koor-operator.koorCluster" . | nindent 12}}
EOF
kubectl delete -n {{ .Release.Namespace }} deployment {{ include "koor-operator.fullname" . }}-controller-manager --ignore-not-found
kubectl delete -n {{ .Release.Namespace }} certificate {{ include "koor-operator.fullname" . }}-serving-cert --ignore-not-found
kubectl delete -n {{ .Release.Namespace }} issuer {{ include "koor-operator.fullname" . }}-selfsigned-issuer --ignore-not-found

40
charts/koor-tech/koor-operator/templates/proxy-rbac.yaml Normal file
View File

@ -0,0 +1,40 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ include "koor-operator.fullname" . }}-proxy-role
labels:
app.kubernetes.io/component: kube-rbac-proxy
app.kubernetes.io/created-by: koor-operator
app.kubernetes.io/part-of: koor-operator
{{- include "koor-operator.labels" . | nindent 4 }}
rules:
- apiGroups:
- authentication.k8s.io
resources:
- tokenreviews
verbs:
- create
- apiGroups:
- authorization.k8s.io
resources:
- subjectaccessreviews
verbs:
- create
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ include "koor-operator.fullname" . }}-proxy-rolebinding
labels:
app.kubernetes.io/component: kube-rbac-proxy
app.kubernetes.io/created-by: koor-operator
app.kubernetes.io/part-of: koor-operator
{{- include "koor-operator.labels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: '{{ include "koor-operator.fullname" . }}-proxy-role'
subjects:
- kind: ServiceAccount
name: '{{ include "koor-operator.fullname" . }}-controller-manager'
namespace: '{{ .Release.Namespace }}'

11
charts/koor-tech/koor-operator/templates/selfsigned-issuer.yaml Normal file
View File

@ -0,0 +1,11 @@
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: {{ include "koor-operator.fullname" . }}-selfsigned-issuer
annotations:
"helm.sh/hook": post-install,post-upgrade
"helm.sh/hook-weight": "1"
labels:
{{- include "koor-operator.labels" . | nindent 4 }}
spec:
selfSigned: {}

19
charts/koor-tech/koor-operator/templates/serving-cert.yaml Normal file
View File

@ -0,0 +1,19 @@
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: {{ include "koor-operator.fullname" . }}-serving-cert
annotations:
"helm.sh/hook": post-install,post-upgrade
"helm.sh/hook-weight": "2"
labels:
{{- include "koor-operator.labels" . | nindent 4 }}
spec:
dnsNames:
- '{{ include "koor-operator.fullname" . }}-webhook-service.{{ .Release.Namespace
}}.svc'
- '{{ include "koor-operator.fullname" . }}-webhook-service.{{ .Release.Namespace
}}.svc.{{ .Values.kubernetesClusterDomain }}'
issuerRef:
kind: Issuer
name: '{{ include "koor-operator.fullname" . }}-selfsigned-issuer'
secretName: webhook-server-cert

29
charts/koor-tech/koor-operator/templates/validating-webhook-configuration.yaml Normal file
View File

@ -0,0 +1,29 @@
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
name: {{ include "koor-operator.fullname" . }}-validating-webhook-configuration
annotations:
cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "koor-operator.fullname" . }}-serving-cert
labels:
{{- include "koor-operator.labels" . | nindent 4 }}
webhooks:
- admissionReviewVersions:
- v1
clientConfig:
service:
name: '{{ include "koor-operator.fullname" . }}-webhook-service'
namespace: '{{ .Release.Namespace }}'
path: /validate-storage-koor-tech-v1alpha1-koorcluster
failurePolicy: Fail
name: vkoorcluster.kb.io
rules:
- apiGroups:
- storage.koor.tech
apiVersions:
- v1alpha1
operations:
- CREATE
- UPDATE
resources:
- koorclusters
sideEffects: None

16
charts/koor-tech/koor-operator/templates/webhook-service.yaml Normal file
View File

@ -0,0 +1,16 @@
apiVersion: v1
kind: Service
metadata:
name: {{ include "koor-operator.fullname" . }}-webhook-service
labels:
app.kubernetes.io/component: webhook
app.kubernetes.io/created-by: koor-operator
app.kubernetes.io/part-of: koor-operator
{{- include "koor-operator.labels" . | nindent 4 }}
spec:
type: {{ .Values.webhookService.type }}
selector:
control-plane: controller-manager
{{- include "koor-operator.selectorLabels" . | nindent 4 }}
ports:
{{- .Values.webhookService.ports | toYaml | nindent 2 -}}

98
charts/koor-tech/koor-operator/values.yaml Normal file
View File

@ -0,0 +1,98 @@
# NOTE: commit your changes before running make or they will be lost.
certmanager:
# -- Enable cert-maanger
enabled: true
# -- If cert-manager's CRDs should be installed through Helm.
installCRDs: true
controllerManager:
# -- RBAC proxy configuration
kubeRbacProxy:
args:
- --secure-listen-address=0.0.0.0:8443
- --upstream=http://127.0.0.1:8080/
- --logtostderr=true
- --v=0
# -- RBAC proxy container security context
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
image:
# -- Operator image repository
repository: gcr.io/kubebuilder/kube-rbac-proxy
# -- Operator image tag
tag: v0.14.1
# -- RBAC proxy container resources
resources:
limits:
cpu: 500m
memory: 128Mi
requests:
cpu: 5m
memory: 64Mi
# -- Operator configuration
manager:
args:
- --health-probe-bind-address=:8081
- --metrics-bind-address=127.0.0.1:8080
- --leader-elect
# -- Operator container security context
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
image:
# -- Operator image repository
repository: docker.io/koorinc/koor-operator
# -- Operator image tag
tag: v0.3.1
# -- Operator container resources
resources:
limits:
cpu: 500m
memory: 512Mi
requests:
cpu: 10m
memory: 128Mi
replicas: 1
kubernetesClusterDomain: cluster.local
# -- Metrics Service
metricsService:
ports:
- name: https
port: 8443
protocol: TCP
targetPort: https
type: ClusterIP
# -- Webhook service
webhookService:
ports:
- port: 443
protocol: TCP
targetPort: 9443
type: ClusterIP
# This is appeneded to values.yaml from additional-values.yaml. This is a hack to avoid getting these values overwritten by helmify
# -- Koor Cluster specification
koorCluster:
spec:
# -- If all empty + unused devices of the cluster should be used.
useAllDevices: true
# -- If monitoring should be enabled, requires the prometheus-operator to be pre-installed.
monitoringEnabled: true
# -- Enable the Ceph MGR dashboard.
dashboardEnabled: true
# -- If the Ceph toolbox, should be deployed as well.
toolboxEnabled: true
upgradeOptions:
# -- Upgrade mode. Options: disabled, notify, upgrade.
mode: notify
# -- The api endpoint used to find the ceph latest version
endpoint: versions.koor.tech
# -- The schedule to check for new versions. Uses CRON format as specified by https://github.com/robfig/cron/tree/v3.
# Defaults to everyday at midnight in the local timezone.
# To change the timezone, prefix the schedule with CRON_TZ=<Timezone>.
# For example: "CRON_TZ=UTC 0 0 * * *" is midnight UTC.
schedule: 0 0 * * *

41
index.yaml
View File

@ -26831,6 +26831,47 @@ entries:
urls:
- assets/kong/kong-2.3.1.tgz
version: 2.3.1
koor-operator:
- annotations:
artifacthub.io/category: storage
artifacthub.io/crds: |
- kind: KoorCluster
version: v1
name: koorcluster
displayName: Koor Cluster
description: "Resource to control the creation of a Koor Storage Cluster."
artifacthub.io/license: Apache-2.0
artifacthub.io/operator: "true"
artifacthub.io/operatorCapabilities: basic install
catalog.cattle.io/certified: partner
catalog.cattle.io/display-name: Koor Operator
catalog.cattle.io/kube-version: '>=1.19.0'
catalog.cattle.io/release-name: koor-operator
apiVersion: v2
appVersion: v0.3.1
created: "2023-07-31T23:39:53.977528668-04:00"
dependencies:
- alias: certmanager
condition: certmanager.enabled
name: cert-manager
repository: file://./charts/cert-manager
version: v1.12.3
description: A Helm chart for deploying the Koor Operator to Kubernetes
digest: c89156ab3af2b3204ab805329d7a572dde94bcf132b53af161ce50a05806d50e
icon: https://koor.tech/images/favicon.svg
keywords:
- storage
- operator
- rook
- ceph
kubeVersion: '>=1.19.0'
name: koor-operator
sources:
- https://github.com/koor-tech/koor-operator/
type: application
urls:
- assets/koor-tech/koor-operator-0.3.1.tgz
version: 0.3.1
kubemq-cluster:
- annotations:
catalog.cattle.io/certified: partner

1
packages/koor-tech/koor-operator/overlay/app-readme.md Normal file
View File

@ -0,0 +1 @@
An operator that installs Koor Storage Distro

30
packages/koor-tech/koor-operator/overlay/questions.yaml Normal file
View File

@ -0,0 +1,30 @@
questions:
- variable: certmanager.enabled
required: true
type: boolean
label: Install cert-manager
group: "General Settings"
- variable: koorCluster.spec.useAllDevices
required: true
type: boolean
label: Use all devices
group: "Koor Cluster Settings"
- variable: koorCluster.spec.monitoringEnabled
required: true
type: boolean
label: Enable Monitoring
group: "Koor Cluster Settings"
- variable: koorCluster.spec.dashboardEnabled
required: true
type: boolean
label: Enable Dashboard
group: "Koor Cluster Settings"
- variable: koorCluster.spec.toolboxEnabled
required: true
type: boolean
label: Enable Toolbox
group: "Koor Cluster Settings"

5
packages/koor-tech/koor-operator/upstream.yaml Normal file
View File

@ -0,0 +1,5 @@
HelmRepo: https://koor-tech.github.io/koor-operator
HelmChart: koor-operator
Vendor: koor-tech
DisplayName: Koor Operator
Fetch: latest